From f682e21f562df9f9f3b9a39e310566f4dcfd6a37 Mon Sep 17 00:00:00 2001 From: CVE Team Date: Thu, 13 Jul 2023 09:00:37 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2023/29xxx/CVE-2023-29449.json | 148 ++++++++++++++++++++++++++++++++- 2023/29xxx/CVE-2023-29450.json | 139 ++++++++++++++++++++++++++++++- 2 files changed, 279 insertions(+), 8 deletions(-) diff --git a/2023/29xxx/CVE-2023-29449.json b/2023/29xxx/CVE-2023-29449.json index 099a155111f..279366c4064 100644 --- a/2023/29xxx/CVE-2023-29449.json +++ b/2023/29xxx/CVE-2023-29449.json @@ -1,17 +1,157 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-29449", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@zabbix.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access. " + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-400 Uncontrolled Resource Consumption", + "cweId": "CWE-400" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Zabbix", + "product": { + "product_data": [ + { + "product_name": "Zabbix", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "versions": [ + { + "lessThanOrEqual": "4.4.*", + "status": "affected", + "version": "4.4.4", + "versionType": "git" + }, + { + "changes": [ + { + "at": "5.0.32rc1", + "status": "unaffected" + } + ], + "lessThanOrEqual": "5.0.31", + "status": "affected", + "version": "5.0.0alpha1", + "versionType": "git" + }, + { + "lessThanOrEqual": "5.2.*", + "status": "affected", + "version": "5.2.0alpha1", + "versionType": "git" + }, + { + "lessThanOrEqual": "5.4.*", + "status": "affected", + "version": "5.4.0alpha1", + "versionType": "git" + }, + { + "changes": [ + { + "at": "6.0.14rc1 (6.0.16 is recommended)", + "status": "unaffected" + } + ], + "lessThanOrEqual": "6.0.13", + "status": "affected", + "version": "6.0.0alpha1", + "versionType": "git" + }, + { + "changes": [ + { + "at": "6.2.8rc1", + "status": "unaffected" + } + ], + "lessThanOrEqual": "6.2.7", + "status": "affected", + "version": "6.2.0alpha1", + "versionType": "git" + }, + { + "changes": [ + { + "at": "6.4.0rc2", + "status": "unaffected" + } + ], + "lessThanOrEqual": "6.4.0beta6", + "status": "affected", + "version": "6.4.0alpha1 ", + "versionType": "git" + } + ], + "defaultStatus": "unaffected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://support.zabbix.com/browse/ZBX-22589", + "refsource": "MISC", + "name": "https://support.zabbix.com/browse/ZBX-22589" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" } ] } diff --git a/2023/29xxx/CVE-2023-29450.json b/2023/29xxx/CVE-2023-29450.json index 9b06b9fa4ac..424f601e78f 100644 --- a/2023/29xxx/CVE-2023-29450.json +++ b/2023/29xxx/CVE-2023-29450.json @@ -1,17 +1,148 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2023-29450", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@zabbix.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user \"zabbix\") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", + "cweId": "CWE-200" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "CWE-552 Files or Directories Accessible to External Parties", + "cweId": "CWE-552" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Zabbix", + "product": { + "product_data": [ + { + "product_name": "Zabbix", + "version": { + "version_data": [ + { + "version_value": "not down converted", + "x_cve_json_5_version_data": { + "versions": [ + { + "changes": [ + { + "at": "5.0.32rc1", + "status": "unaffected" + } + ], + "lessThanOrEqual": "5.0.31", + "status": "affected", + "version": "5.0", + "versionType": "git" + }, + { + "changes": [ + { + "at": "6.0.14rc1 (6.0.16 is recommended)", + "status": "unaffected" + } + ], + "lessThanOrEqual": "6.0.13", + "status": "affected", + "version": "6.0", + "versionType": "git" + }, + { + "changes": [ + { + "at": "6.2.8rc1", + "status": "unaffected" + } + ], + "lessThanOrEqual": "6.2.7", + "status": "affected", + "version": "6.2", + "versionType": "git" + }, + { + "changes": [ + { + "at": "6.4.0rc2", + "status": "unaffected" + } + ], + "lessThanOrEqual": "6.4.0rc1", + "status": "affected", + "version": "6.4", + "versionType": "git" + } + ], + "defaultStatus": "unaffected" + } + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://support.zabbix.com/browse/ZBX-22588", + "refsource": "MISC", + "name": "https://support.zabbix.com/browse/ZBX-22588" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.1.0-dev" + }, + "source": { + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" } ] }