From f88475da40850f7bdf18a0951ab28f42a4dc8b6d Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Tue, 22 Dec 2020 14:01:54 +0000
Subject: [PATCH] "-Synchronized-Data."

---
 2020/13xxx/CVE-2020-13931.json | 5 +++++
 2020/1xxx/CVE-2020-1953.json | 5 +++++
 2020/22xxx/CVE-2020-22083.json | 12 +++++++++++-
 2020/28xxx/CVE-2020-28448.json | 12 +++++++-----
 2020/28xxx/CVE-2020-28460.json | 12 +++++++-----
 5 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/2020/13xxx/CVE-2020-13931.json b/2020/13xxx/CVE-2020-13931.json
index a901e7581b1..0e7f85575d2 100644
--- a/2020/13xxx/CVE-2020-13931.json
+++ b/2020/13xxx/CVE-2020-13931.json
@@ -48,6 +48,11 @@
 "refsource": "MISC",
 "name": "https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe%40%3Cdev.tomee.apache.org%3E",
 "url": "https://lists.apache.org/thread.html/ref088c4732e1a8dd0bbbb96e13ffafcfe65f984238ffa55f438d78fe%40%3Cdev.tomee.apache.org%3E"
+ },
+ {
+ "refsource": "MLIST",
+ "name": "[tomee-dev] 20201222 Re: CVE-2020-13931 is Fake vulnerability",
+ "url": "https://lists.apache.org/thread.html/r7f98907165b355dc65f28a57f15103a06173ce03261115fa46d569b4@%3Cdev.tomee.apache.org%3E"
 }
 ]
 },
diff --git a/2020/1xxx/CVE-2020-1953.json b/2020/1xxx/CVE-2020-1953.json
index 07ecf845d3a..527defa852e 100644
--- a/2020/1xxx/CVE-2020-1953.json
+++ b/2020/1xxx/CVE-2020-1953.json
@@ -70,6 +70,11 @@
 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html",
 "refsource": "MISC",
 "name": "https://www.oracle.com/security-alerts/cpuoct2020.html"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269@%3Ccommits.servicecomb.apache.org%3E",
+ "url": "https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269@%3Ccommits.servicecomb.apache.org%3E"
 }
 ]
 },
diff --git a/2020/22xxx/CVE-2020-22083.json b/2020/22xxx/CVE-2020-22083.json
index 3253c0e3a74..2dee3c4f02a 100644
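Review bot: The reference added in the CVE-2020-13931 hunk is a thread titled "CVE-2020-13931 is Fake vulnerability", yet the record's description (outside this hunk) is left as it was; the CVE-2020-22083 hunk in this same commit shows the convention for that situation, prefixing the description with `** DISPUTED **` and a one-sentence summary of the counter-argument. If the description is not already marked, this record should get the same treatment so consumers see the dispute without having to open the mailing-list thread. The `refsource` tagging is also inconsistent: this entry uses `MLIST` for a lists.apache.org URL, while the existing entry directly above it and the new entry in the CVE-2020-1953 hunk tag the same kind of URL as `MISC`.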
--- a/2020/22xxx/CVE-2020-22083.json
+++ b/2020/22xxx/CVE-2020-22083.json
@@ -34,7 +34,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function."
+ "value": "** DISPUTED ** jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with un-trusted data."
 }
 ]
 },
@@ -71,6 +71,16 @@
 "refsource": "MISC",
 "name": "https://gist.github.com/j0lt-github/bb543e77a1a10c33cb56cf23d0837874",
 "url": "https://gist.github.com/j0lt-github/bb543e77a1a10c33cb56cf23d0837874"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://github.com/jsonpickle/jsonpickle/issues/332#issuecomment-747807494",
+ "url": "https://github.com/jsonpickle/jsonpickle/issues/332#issuecomment-747807494"
+ },
+ {
+ "refsource": "MISC",
+ "name": "https://access.redhat.com/security/cve/CVE-2020-22083",
+ "url": "https://access.redhat.com/security/cve/CVE-2020-22083"
 }
 ]
 }
diff --git a/2020/28xxx/CVE-2020-28448.json b/2020/28xxx/CVE-2020-28448.json
index b17c1027722..85654f724c0 100644
--- a/2020/28xxx/CVE-2020-28448.json
+++ b/2020/28xxx/CVE-2020-28448.json
@@ -48,12 +48,14 @@
 "references": {
 "reference_data": [
 {
- "refsource": "CONFIRM",
- "url": "https://snyk.io/vuln/SNYK-JS-MULTIINI-1048969"
+ "refsource": "MISC",
+ "url": "https://snyk.io/vuln/SNYK-JS-MULTIINI-1048969",
+ "name": "https://snyk.io/vuln/SNYK-JS-MULTIINI-1048969"
 },
 {
- "refsource": "CONFIRM",
- "url": "https://github.com/evangelion1204/multi-ini/pull/37"
+ "refsource": "MISC",
+ "url": "https://github.com/evangelion1204/multi-ini/pull/37",
+ "name": "https://github.com/evangelion1204/multi-ini/pull/37"
 }
 ]
 },
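Review bot: `un-trusted` in the new description value is a non-standard spelling; the rest of the sentence uses ordinary compound words, so `must not be used with untrusted data` reads more consistently and matches how the term is written in the rest of the security literature. The hunk is otherwise a wording-only change to the description string.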
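Review bot: The disputed description added in the first hunk rests on the claim that the behaviour is "clearly documented", but the two references this hunk adds are an issue comment and a distribution advisory, not the project documentation that makes that statement. Adding the documentation page where jsonpickle warns about calling decode() on untrusted input would let a reader verify the dispute from the record alone rather than from a discussion thread. The refsource tag `MISC` on both new entries is consistent with the rest of the commit.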
@@ -61,7 +63,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "This affects the package multi-ini before 2.1.1.\n It is possible to pollute an object's prototype by specifying the proto object as part of an array. \r\n\r\n"
+ "value": "This affects the package multi-ini before 2.1.1. It is possible to pollute an object's prototype by specifying the proto object as part of an array."
 }
 ]
 },
diff --git a/2020/28xxx/CVE-2020-28460.json b/2020/28xxx/CVE-2020-28460.json
index c407db32a7e..a63bb73f530 100644
--- a/2020/28xxx/CVE-2020-28460.json
+++ b/2020/28xxx/CVE-2020-28460.json
@@ -48,12 +48,14 @@
 "references": {
 "reference_data": [
 {
- "refsource": "CONFIRM",
- "url": "https://snyk.io/vuln/SNYK-JS-MULTIINI-1053229"
+ "refsource": "MISC",
+ "url": "https://snyk.io/vuln/SNYK-JS-MULTIINI-1053229",
+ "name": "https://snyk.io/vuln/SNYK-JS-MULTIINI-1053229"
 },
 {
- "refsource": "CONFIRM",
- "url": "https://github.com/evangelion1204/multi-ini/commit/6b2212b2ce152c19538a2431415f72942c5a1bde"
+ "refsource": "MISC",
+ "url": "https://github.com/evangelion1204/multi-ini/commit/6b2212b2ce152c19538a2431415f72942c5a1bde",
+ "name": "https://github.com/evangelion1204/multi-ini/commit/6b2212b2ce152c19538a2431415f72942c5a1bde"
 }
 ]
 },
@@ -61,7 +63,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "This affects the package multi-ini before 2.1.2.\n It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.\r\n\r\n"
+ "value": "This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448."
 }
 ]
 },
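Review bot: The cleaned-up CVE-2020-28448 description still says "specifying the proto object", which looks like `__proto__` with its underscores stripped by an earlier markdown or form conversion, and the matching description hunk in CVE-2020-28460 has "constructor.proto", which likewise reads like a mangled `constructor.prototype`. This hunk only removes the embedded `\n` and `\r\n` from the string, so it is the natural place to restore the identifier as well, e.g. `specifying the __proto__ object as part of an array`, after confirming the wording against the Snyk advisory already listed in the record's references. As written neither description names a real property, so a reader cannot tell what the 2.1.1 fix covers or what the 2.1.2 follow-up adds to it.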