admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-30 18:04:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2021-02-11 19:01:24 +00:00
parent beb5885685
commit f316ee135d
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
12 changed files with 147 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
2019/17xxx/CVE-2019-17571.json
View File

@ -443,6 +443,11 @@
"refsource": "MLIST",
"name": "[kafka-users] 20210210 Security: CVE-2019-17571 (log4j)",
"url": "https://lists.apache.org/thread.html/rda4849c6823dd3e83c7a356eb883180811d5c28359fe46865fd151c3@%3Cusers.kafka.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[kafka-jira] 20210211 [GitHub] [kafka] ch4rl353y commented on pull request #7898: KAFKA-9366: Change log4j dependency into log4j2",
"url": "https://lists.apache.org/thread.html/r5c084578b3e3b40bd903c9d9e525097421bcd88178e672f612102eb2@%3Cjira.kafka.apache.org%3E"
}
]
},

12
2021/21xxx/CVE-2021-21299.json
View File

@ -38,7 +38,7 @@
"description_data": [
{
"lang": "eng",
"value": "hyper is an open-source HTTP library for Rust (crates.io). In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in \"request smuggling\" or \"desync attacks\".\n\nTo determine if vulnerable, all these things must be true: 1) Using hyper as an HTTP server (the client is not affected), 2) Using HTTP/1.1 (HTTP/2 does not use transfer-encoding), 3) Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding.\n\nThis is fixed in versions 0.14.3 and 0.13.10.\n\nAs a workaround one can take the following options: 1) Reject requests that contain a `transfer-encoding` header, 2) Ensure any upstream proxy handles `transfer-encoding` correctly.\n"
"value": "hyper is an open-source HTTP library for Rust (crates.io). In hyper from version 0.12.0 and before versions 0.13.10 and 0.14.3 there is a vulnerability that can enable a request smuggling attack. The HTTP server code had a flaw that incorrectly understands some requests with multiple transfer-encoding headers to have a chunked payload, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that understands the request payload boundary differently can result in \"request smuggling\" or \"desync attacks\". To determine if vulnerable, all these things must be true: 1) Using hyper as an HTTP server (the client is not affected), 2) Using HTTP/1.1 (HTTP/2 does not use transfer-encoding), 3) Using a vulnerable HTTP proxy upstream to hyper. If an upstream proxy correctly rejects the illegal transfer-encoding headers, the desync attack cannot succeed. If there is no proxy upstream of hyper, hyper cannot start the desync attack, as the client will repair the headers before forwarding. This is fixed in versions 0.14.3 and 0.13.10. As a workaround one can take the following options: 1) Reject requests that contain a `transfer-encoding` header, 2) Ensure any upstream proxy handles `transfer-encoding` correctly."
}
]
},
@ -72,6 +72,11 @@
},
"references": {
"reference_data": [
{
"name": "https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn",
"refsource": "MISC",
"url": "https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn"
},
{
"name": "https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf",
"refsource": "CONFIRM",
@ -82,11 +87,6 @@
"refsource": "MISC",
"url": "https://crates.io/crates/hyper"
},
{
"name": "https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn",
"refsource": "MISC",
"url": "https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn"
},
{
"name": "https://github.com/hyperium/hyper/commit/8f93123efef5c1361086688fe4f34c83c89cec02",
"refsource": "MISC",

2
2021/21xxx/CVE-2021-21301.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn't stopped in a scenario where a user first has their camera enabled and then disables it.\nIt's a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. \n\nThis is fixed in version 3.75."
"value": "Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn't stopped in a scenario where a user first has their camera enabled and then disables it. It's a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75."
}
]
},

2
2021/21xxx/CVE-2021-21307.json
View File

@ -41,7 +41,7 @@
"description_data": [
{
"lang": "eng",
"value": "Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit.\n\nThis is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96.\n\nAs a workaround, one can block access to the Lucee Administrator."
"value": "Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator."
}
]
},

2
2021/25xxx/CVE-2021-25251.json
View File

@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "The Trend Micro Security 2020 and 2021 families of consumer products are vulnerable to a code injection vulnerability which could allow an attacker to disable the program\ufffds password protection and disable protection. An attacker must already have administrator privileges on the machine to exploit this vulnerability."
"value": "The Trend Micro Security 2020 and 2021 families of consumer products are vulnerable to a code injection vulnerability which could allow an attacker to disable the program's password protection and disable protection. An attacker must already have administrator privileges on the machine to exploit this vulnerability."
}
]
},

2
2021/26xxx/CVE-2021-26939.json
View File

@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "An information disclosure issue exists in henriquedornas 5.2.17 because an attacker can dump phpMyAdmin SQL content."
"value": "** DISPUTED ** An information disclosure issue exists in henriquedornas 5.2.17 because an attacker can dump phpMyAdmin SQL content. NOTE: third parties report that this is a site-specific problem."
}
]
},

61
2021/27xxx/CVE-2021-27184.json
View File

@ -1,17 +1,66 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-27184",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2021-27184",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\\Pelco directory) when DSControlPoint.exe is executed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://support.pelco.com/s/article/What-is-the-Digital-Sentry-software-release-revision-history",
"refsource": "MISC",
"name": "https://support.pelco.com/s/article/What-is-the-Digital-Sentry-software-release-revision-history"
},
{
"refsource": "MISC",
"name": "https://github.com/vitorespf/Advisories/blob/master/Pelco_Digital_Sentry_Server.txt",
"url": "https://github.com/vitorespf/Advisories/blob/master/Pelco_Digital_Sentry_Server.txt"
}
]
}

5
2021/27xxx/CVE-2021-27186.json
View File

@ -61,6 +61,11 @@
"url": "https://github.com/fluent/fluent-bit/pull/3045",
"refsource": "MISC",
"name": "https://github.com/fluent/fluent-bit/pull/3045"
},
{
"refsource": "MISC",
"name": "https://github.com/fluent/fluent-bit/pull/3047",
"url": "https://github.com/fluent/fluent-bit/pull/3047"
}
]
}

18
2021/27xxx/CVE-2021-27192.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-27192",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2021/27xxx/CVE-2021-27193.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-27193",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2021/27xxx/CVE-2021-27194.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-27194",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2021/27xxx/CVE-2021-27195.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-27195",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}