From fa0a0402da76ada9034fcdbd204d45f08cf08c6f Mon Sep 17 00:00:00 2001 From: CVE Team Date: Tue, 5 Oct 2021 12:01:00 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2021/35xxx/CVE-2021-35503.json | 61 ++++++++++++++++++++--- 2021/35xxx/CVE-2021-35504.json | 61 ++++++++++++++++++++--- 2021/35xxx/CVE-2021-35505.json | 61 ++++++++++++++++++++--- 2021/37xxx/CVE-2021-37223.json | 61 ++++++++++++++++++++--- 2021/39xxx/CVE-2021-39887.json | 90 ++++++++++++++++++++++++++++++++-- 2021/41xxx/CVE-2021-41524.json | 5 ++ 2021/41xxx/CVE-2021-41773.json | 5 ++ 7 files changed, 316 insertions(+), 28 deletions(-) diff --git a/2021/35xxx/CVE-2021-35503.json b/2021/35xxx/CVE-2021-35503.json index 432a08ff200..812aeeb3d61 100644 --- a/2021/35xxx/CVE-2021-35503.json +++ b/2021/35xxx/CVE-2021-35503.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-35503", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-35503", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Afian FileRun 2021.03.26 allows stored XSS via an HTTP X-Forwarded-For header that is mishandled when rendering Activity Logs." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "http://blog.filerun.com", + "refsource": "MISC", + "name": "http://blog.filerun.com" + }, + { + "refsource": "MISC", + "name": "https://syntegris-sec.github.io/filerun-advisory", + "url": "https://syntegris-sec.github.io/filerun-advisory" } ] } diff --git a/2021/35xxx/CVE-2021-35504.json b/2021/35xxx/CVE-2021-35504.json index 8d0714ad805..19b0870bf3f 100644 --- a/2021/35xxx/CVE-2021-35504.json +++ b/2021/35xxx/CVE-2021-35504.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-35504", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-35504", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Afian FileRun 2021.03.26 allows Remote Code Execution (by administrators) via the Check Path value for the ffmpeg binary." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "http://blog.filerun.com", + "refsource": "MISC", + "name": "http://blog.filerun.com" + }, + { + "refsource": "MISC", + "name": "https://syntegris-sec.github.io/filerun-advisory", + "url": "https://syntegris-sec.github.io/filerun-advisory" } ] } diff --git a/2021/35xxx/CVE-2021-35505.json b/2021/35xxx/CVE-2021-35505.json index 485de477aab..d3a6eb06655 100644 --- a/2021/35xxx/CVE-2021-35505.json +++ b/2021/35xxx/CVE-2021-35505.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-35505", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-35505", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Afian FileRun 2021.03.26 allows Remote Code Execution (by administrators) via the Check Path value for the magick binary." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "http://blog.filerun.com", + "refsource": "MISC", + "name": "http://blog.filerun.com" + }, + { + "refsource": "MISC", + "name": "https://syntegris-sec.github.io/filerun-advisory", + "url": "https://syntegris-sec.github.io/filerun-advisory" } ] } diff --git a/2021/37xxx/CVE-2021-37223.json b/2021/37xxx/CVE-2021-37223.json index c6ee0fbb318..a3186777b72 100644 --- a/2021/37xxx/CVE-2021-37223.json +++ b/2021/37xxx/CVE-2021-37223.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-37223", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-37223", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://www.nagios.com/downloads/nagios-xi/change-log/", + "url": "https://www.nagios.com/downloads/nagios-xi/change-log/" + }, + { + "url": "http://nagios.com", + "refsource": "MISC", + "name": "http://nagios.com" } ] } diff --git a/2021/39xxx/CVE-2021-39887.json b/2021/39xxx/CVE-2021-39887.json index 5865f95393f..bba198be322 100644 --- a/2021/39xxx/CVE-2021-39887.json +++ b/2021/39xxx/CVE-2021-39887.json @@ -4,15 +4,97 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-39887", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cve@gitlab.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "GitLab", + "product": { + "product_data": [ + { + "product_name": "GitLab", + "version": { + "version_data": [ + { + "version_value": ">=8.4, <14.1.7" + }, + { + "version_value": ">=14.2, <14.2.5" + }, + { + "version_value": ">=14.3, <14.3.1" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper neutralization of input during web page generation ('cross-site scripting') in GitLab" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/332903", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/332903", + "refsource": "MISC" + }, + { + "name": "https://hackerone.com/reports/1218174", + "url": "https://hackerone.com/reports/1218174", + "refsource": "MISC" + }, + { + "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39887.json", + "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39887.json", + "refsource": "CONFIRM" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf." } ] - } + }, + "impact": { + "cvss": { + "vectorString": "AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "version": "3.1", + "baseScore": 7.2, + "baseSeverity": "HIGH" + } + }, + "credit": [ + { + "lang": "eng", + "value": "Thanks saleemrashid for reporting this vulnerability through our HackerOne bug bounty program" + } + ] } \ No newline at end of file diff --git a/2021/41xxx/CVE-2021-41524.json b/2021/41xxx/CVE-2021-41524.json index 6917ed708b6..cdd7e804abb 100644 --- a/2021/41xxx/CVE-2021-41524.json +++ b/2021/41xxx/CVE-2021-41524.json @@ -72,6 +72,11 @@ "refsource": "MISC", "url": "https://httpd.apache.org/security/vulnerabilities_24.html", "name": "https://httpd.apache.org/security/vulnerabilities_24.html" + }, + { + "refsource": "MLIST", + "name": "[httpd-users] 20211005 [users@httpd] CVE-2021-41524: Apache HTTP Server: null pointer dereference in h2 fuzzing", + "url": "https://lists.apache.org/thread.html/rc24a83c51a4ccf32155341301d513f8b6035405f84f9501cfa8117d4@%3Cusers.httpd.apache.org%3E" } ] }, diff --git a/2021/41xxx/CVE-2021-41773.json b/2021/41xxx/CVE-2021-41773.json index e11632195cd..b9c61bcc7dc 100644 --- a/2021/41xxx/CVE-2021-41773.json +++ b/2021/41xxx/CVE-2021-41773.json @@ -73,6 +73,11 @@ "refsource": "MISC", "url": "https://httpd.apache.org/security/vulnerabilities_24.html", "name": "https://httpd.apache.org/security/vulnerabilities_24.html" + }, + { + "refsource": "MLIST", + "name": "[httpd-users] 20211005 [users@httpd] CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49", + "url": "https://lists.apache.org/thread.html/r6abf5f2ba6f1aa8b1030f95367aaf17660c4e4c78cb2338aee18982f@%3Cusers.httpd.apache.org%3E" } ] },