From fb4109391874c4ecd31d0680020b3c319946e5d5 Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Wed, 7 Feb 2024 10:00:33 +0000
Subject: [PATCH] "-Synchronized-Data."
---
2023/51xxx/CVE-2023-51437.json | 107 +++++++++++++++++++++++++++++++--
2024/25xxx/CVE-2024-25552.json | 18 ++++++
2024/25xxx/CVE-2024-25553.json | 18 ++++++
2024/25xxx/CVE-2024-25554.json | 18 ++++++
4 files changed, 157 insertions(+), 4 deletions(-)
create mode 100644 2024/25xxx/CVE-2024-25552.json
create mode 100644 2024/25xxx/CVE-2024-25553.json
create mode 100644 2024/25xxx/CVE-2024-25554.json
diff --git a/2023/51xxx/CVE-2023-51437.json b/2023/51xxx/CVE-2023-51437.json
index 9fa20d70ee9..5ffe009f1e2 100644
--- a/2023/51xxx/CVE-2023-51437.json
+++ b/2023/51xxx/CVE-2023-51437.json
@@ -1,17 +1,116 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-51437",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@apache.org",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification.\nUsers are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file.\n\nAny component matching an above version running the SASL Authentication Provider is affected. 
That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.\n\n2.11 Pulsar users should upgrade to at least 2.11.3.\n3.0 Pulsar users should upgrade to at least 3.0.2.\n3.1 Pulsar users should upgrade to at least 3.1.1.\nAny users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.\n\nFor additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .\n\n"
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
+ "cweId": "CWE-200"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Apache Software Foundation",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache Pulsar",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "2.10.5"
+ },
+ {
+ "version_affected": "<=",
+ "version_name": "2.11.0",
+ "version_value": "2.11.2"
+ },
+ {
+ "version_affected": "<=",
+ "version_name": "3.0.0",
+ "version_value": "3.0.1"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "3.1.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5",
+ "refsource": "MISC",
+ "name": "https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ },
+ "source": {
+ "discovery": "EXTERNAL"
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Yiheng Cao"
+ },
+ {
+ "lang": "en",
+ "value": "Chenhao Lu "
+ },
+ {
+ "lang": "en",
+ "value": "Kaifeng Huang"
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.4,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": 
"HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
+ "version": "3.1"
 }
 ]
 }
diff --git a/2024/25xxx/CVE-2024-25552.json b/2024/25xxx/CVE-2024-25552.json
new file mode 100644
index 00000000000..15df1d50da1
--- /dev/null
+++ b/2024/25xxx/CVE-2024-25552.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-25552",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/25xxx/CVE-2024-25553.json b/2024/25xxx/CVE-2024-25553.json
new file mode 100644
index 00000000000..a60ffa12300
--- /dev/null
+++ b/2024/25xxx/CVE-2024-25553.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-25553",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2024/25xxx/CVE-2024-25554.json b/2024/25xxx/CVE-2024-25554.json
new file mode 100644
index 00000000000..baad4d70aef
--- /dev/null
+++ b/2024/25xxx/CVE-2024-25554.json
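Review bot: The second `credits` entry carries a trailing space, `"value": "Chenhao Lu "`, which the sibling entries do not; it should read `"value": "Chenhao Lu"` so the name round-trips cleanly through consumers that compare or display it verbatim. The description value likewise ends in a literal `\n\n` after the codahale.com reference, which renders as blank trailing lines in most viewers and can be dropped. The `problemtype` entry records CWE-200 while the description itself characterizes the flaw as an observable timing discrepancy in signature verification, so CWE-208 (Observable Timing Discrepancy) is arguably the closer classification, though that choice rests with the assigning CNA. The `version_data` ranges agree with the upgrade guidance in the description (2.11.3, 3.0.2, 3.1.1), and the CVSS vector is consistent with the recorded 7.4 base score.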
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2024-25554",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file