diff --git a/2017/15xxx/CVE-2017-15288.json b/2017/15xxx/CVE-2017-15288.json index 879c1ab3a3d..d25d1d6d320 100644 --- a/2017/15xxx/CVE-2017-15288.json +++ b/2017/15xxx/CVE-2017-15288.json @@ -141,6 +141,11 @@ "refsource": "MLIST", "name": "[druid-commits] 20210302 [GitHub] [druid] abhishekagarwal87 opened a new pull request #10933: Suppress CVE-2017-15288 and upgrade bcprov-ext-jdk15on", "url": "https://lists.apache.org/thread.html/r32e0b1d5ff43ac3ed4b179a4e663022d1c5ccac77884a99ea149e633@%3Ccommits.druid.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[druid-commits] 20210302 [GitHub] [druid] maytasm merged pull request #10933: Suppress CVE-2017-15288 and upgrade bcprov-ext-jdk15on", + "url": "https://lists.apache.org/thread.html/r1d51eae81ceb7bfd1780936a48b460ab31d53ff2ed526a88a7f60fe4@%3Ccommits.druid.apache.org%3E" } ] } diff --git a/2020/10xxx/CVE-2020-10519.json b/2020/10xxx/CVE-2020-10519.json index d1a72ddf789..7e7d37af8e7 100644 --- a/2020/10xxx/CVE-2020-10519.json +++ b/2020/10xxx/CVE-2020-10519.json @@ -1,18 +1,94 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "product-cna@github.com", "ID": "CVE-2020-10519", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Unsafe configuration options in GitHub Pages leading to remote code execution on GitHub Enterprise Server" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "GitHub Enterprise Server", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "2.20", + "version_value": "2.20.24" + }, + { + "version_affected": "<", + "version_name": "2.21", + "version_value": "2.21.15" + }, + { + "version_affected": "<", + "version_name": "2.22", + "version_value": "2.22.7" + } + ] + } + } + ] + }, + "vendor_name": "GitHub" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "yvvdwf" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22.7 and was fixed in 2.22.7, 2.21.15, and 2.20.24. The underlying issues contributing to this vulnerability were identified through the GitHub Security Bug Bounty program." } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-77: Command Injection - Generic" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@2.20/admin/release-notes#2.20.24", + "name": "https://docs.github.com/en/enterprise-server@2.20/admin/release-notes#2.20.24" + }, + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@2.21/admin/release-notes#2.21.15", + "name": "https://docs.github.com/en/enterprise-server@2.21/admin/release-notes#2.21.15" + }, + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.7", + "name": "https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.7" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2020/12xxx/CVE-2020-12527.json b/2020/12xxx/CVE-2020-12527.json index 21c57a82233..134f58fef03 100644 --- a/2020/12xxx/CVE-2020-12527.json +++ b/2020/12xxx/CVE-2020-12527.json @@ -1,18 +1,112 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "info@cert.vde.com", + "DATE_PUBLIC": "2021-02-15T13:50:00.000Z", "ID": "CVE-2020-12527", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "mymbCONNECT24", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2.6.2", + "version_value": "2.6.2" + } + ] + } + }, + { + "product_name": "mbCONNECT24", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2.6.2", + "version_value": "2.6.2" + } + ] + } + } + ] + }, + "vendor_name": "MB connect line" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "OTORIO reported the vulnerabilities to MB connect line. CERT@VDE coordinated." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. Improper use of access validation allows a logged in user to interact with devices in the account he should not have access to." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-269 Improper Privilege Management" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cert.vde.com/de-de/advisories/vde-2021-003", + "refsource": "CONFIRM", + "url": "https://cert.vde.com/de-de/advisories/vde-2021-003" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "Update to v2.7.1" + } + ], + "source": { + "advisory": "VDE-2021-003", + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2020/12xxx/CVE-2020-12528.json b/2020/12xxx/CVE-2020-12528.json index 07fc7b4674a..4f02a608743 100644 --- a/2020/12xxx/CVE-2020-12528.json +++ b/2020/12xxx/CVE-2020-12528.json @@ -1,18 +1,112 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "info@cert.vde.com", + "DATE_PUBLIC": "2021-02-15T13:50:00.000Z", "ID": "CVE-2020-12528", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "mymbCONNECT24", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2.6.2", + "version_value": "2.6.2" + } + ] + } + }, + { + "product_name": "mbCONNECT24", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2.6.2", + "version_value": "2.6.2" + } + ] + } + } + ] + }, + "vendor_name": "MB connect line" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "OTORIO reported the vulnerabilities to MB connect line. CERT@VDE coordinated." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. Improper use of access validation allows a logged in user to kill web2go sessions in the account he should not have access to." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-269 Improper Privilege Management" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cert.vde.com/de-de/advisories/vde-2021-003", + "refsource": "CONFIRM", + "url": "https://cert.vde.com/de-de/advisories/vde-2021-003" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "Update to v2.7.1" + } + ], + "source": { + "advisory": "VDE-2021-003", + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2020/12xxx/CVE-2020-12529.json b/2020/12xxx/CVE-2020-12529.json index a47bc61ef5a..79bec704c9b 100644 --- a/2020/12xxx/CVE-2020-12529.json +++ b/2020/12xxx/CVE-2020-12529.json @@ -1,18 +1,112 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "info@cert.vde.com", + "DATE_PUBLIC": "2021-02-15T13:50:00.000Z", "ID": "CVE-2020-12529", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "mymbCONNECT24", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2.6.2", + "version_value": "2.6.2" + } + ] + } + }, + { + "product_name": "mbCONNECT24", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2.6.2", + "version_value": "2.6.2" + } + ] + } + } + ] + }, + "vendor_name": "MB connect line" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "OTORIO reported the vulnerabilities to MB connect line. CERT@VDE coordinated." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2 There is a SSRF in the LDAP access check, allowing an attacker to scan for open ports." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-918 Server-Side Request Forgery (SSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cert.vde.com/de-de/advisories/vde-2021-003", + "refsource": "CONFIRM", + "url": "https://cert.vde.com/de-de/advisories/vde-2021-003" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "Update to v2.7.1" + } + ], + "source": { + "advisory": "VDE-2021-003", + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2020/12xxx/CVE-2020-12530.json b/2020/12xxx/CVE-2020-12530.json index 7c1c7926ae4..1c5f6c67afc 100644 --- a/2020/12xxx/CVE-2020-12530.json +++ b/2020/12xxx/CVE-2020-12530.json @@ -1,18 +1,112 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "info@cert.vde.com", + "DATE_PUBLIC": "2021-02-15T13:50:00.000Z", "ID": "CVE-2020-12530", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "mymbCONNECT24", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2.6.2", + "version_value": "2.6.2" + } + ] + } + }, + { + "product_name": "mbCONNECT24", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2.6.2", + "version_value": "2.6.2" + } + ] + } + } + ] + }, + "vendor_name": "MB connect line" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "OTORIO reported the vulnerabilities to MB connect line. CERT@VDE coordinated." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an XSS issue in the redirect.php allowing an attacker to inject code via a get parameter." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cert.vde.com/de-de/advisories/vde-2021-003", + "refsource": "CONFIRM", + "url": "https://cert.vde.com/de-de/advisories/vde-2021-003" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "Update to v2.7.1" + } + ], + "source": { + "advisory": "VDE-2021-003", + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2020/13xxx/CVE-2020-13949.json b/2020/13xxx/CVE-2020-13949.json index d711264f090..672f5df8726 100644 --- a/2020/13xxx/CVE-2020-13949.json +++ b/2020/13xxx/CVE-2020-13949.json @@ -123,6 +123,21 @@ "refsource": "MLIST", "name": "[hbase-issues] 20210302 [jira] [Updated] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949", "url": "https://lists.apache.org/thread.html/r6990c849aeafe65366794bfd002febd47b7ffa8cf3c059b400bbb11d@%3Cissues.hbase.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hbase-issues] 20210302 [GitHub] [hbase] Apache9 commented on a change in pull request #2958: HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949", + "url": "https://lists.apache.org/thread.html/r298a25228868ebc0943d56c8f3641212a0962d2dbcf1507d5860038e@%3Cissues.hbase.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hbase-issues] 20210302 [GitHub] [hbase] pankaj72981 commented on a change in pull request #2958: HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949", + "url": "https://lists.apache.org/thread.html/rf741d08c7e0ab1542c81ea718467422bd01159ed284796a36ad88311@%3Cissues.hbase.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hbase-issues] 20210303 [GitHub] [hbase] Apache-HBase commented on pull request #2958: HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949", + "url": "https://lists.apache.org/thread.html/r278e96edc4bc13efb2cb1620a73e48f569162b833c6bda3e6ea18b80@%3Cissues.hbase.apache.org%3E" } ] }, diff --git a/2020/13xxx/CVE-2020-13956.json b/2020/13xxx/CVE-2020-13956.json index 77c6c5e12ac..05d3a0398e0 100644 --- a/2020/13xxx/CVE-2020-13956.json +++ b/2020/13xxx/CVE-2020-13956.json @@ -113,6 +113,11 @@ "refsource": "MLIST", "name": "[hive-issues] 20210301 [jira] [Work logged] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", "url": "https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858@%3Cissues.hive.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[hive-gitbox] 20210302 [GitHub] [hive] hsnusonic closed pull request #2032: HIVE-24837 Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", + "url": "https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4@%3Cgitbox.hive.apache.org%3E" } ] }, diff --git a/2020/14xxx/CVE-2020-14871.json b/2020/14xxx/CVE-2020-14871.json index c3421d969ec..83d36a27d28 100644 --- a/2020/14xxx/CVE-2020-14871.json +++ b/2020/14xxx/CVE-2020-14871.json @@ -83,6 +83,11 @@ "refsource": "MISC", "name": "http://packetstormsecurity.com/files/160609/Oracle-Solaris-SunSSH-PAM-parse_user_name-Buffer-Overflow.html", "url": "http://packetstormsecurity.com/files/160609/Oracle-Solaris-SunSSH-PAM-parse_user_name-Buffer-Overflow.html" + }, + { + "refsource": "MLIST", + "name": "[oss-security] 20210302 Announce: OpenSSH 8.5 released", + "url": "http://www.openwall.com/lists/oss-security/2021/03/03/1" } ] } diff --git a/2020/15xxx/CVE-2020-15705.json b/2020/15xxx/CVE-2020-15705.json index 494d3e2cd24..3f7dff66f8a 100644 --- a/2020/15xxx/CVE-2020-15705.json +++ b/2020/15xxx/CVE-2020-15705.json @@ -170,6 +170,11 @@ "refsource": "SUSE", "name": "openSUSE-SU-2020:1282", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00069.html" + }, + { + "refsource": "MLIST", + "name": "[oss-security] 20210302 Multiple GRUB2 vulnerabilities", + "url": "http://www.openwall.com/lists/oss-security/2021/03/02/3" } ] }, diff --git a/2020/15xxx/CVE-2020-15937.json b/2020/15xxx/CVE-2020-15937.json index c638537f667..5023d47a736 100644 --- a/2020/15xxx/CVE-2020-15937.json +++ b/2020/15xxx/CVE-2020-15937.json @@ -4,14 +4,74 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-15937", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@fortinet.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Fortinet", + "product": { + "product_data": [ + { + "product_name": "Fortinet FortiOS", + "version": { + "version_data": [ + { + "version_value": "FortiOS 6.4.1, 6.2.5" + } + ] + } + } + ] + } + } + ] + } + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Network", + "availabilityImpact": "None", + "baseScore": 4.6, + "baseSeverity": "Medium", + "confidentialityImpact": "None", + "integrityImpact": "Low", + "privilegesRequired": "None", + "scope": "Changed", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Execute unauthorized code or commands" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "CONFIRM", + "name": "https://fortiguard.com/advisory/FG-IR-20-068", + "url": "https://fortiguard.com/advisory/FG-IR-20-068" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An improper neutralization of input vulnerability in FortiGate version 6.2.x below 6.2.5 and 6.4.x below 6.4.1 may allow a remote attacker to perform a stored cross site scripting attack (XSS) via the IPS and WAF logs dashboard." } ] } diff --git a/2020/23xxx/CVE-2020-23518.json b/2020/23xxx/CVE-2020-23518.json index 4aaf2e67792..7e4189ba8de 100644 --- a/2020/23xxx/CVE-2020-23518.json +++ b/2020/23xxx/CVE-2020-23518.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2020-23518", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2020-23518", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Cross Site Scripting (XSS) vulnerability in UltimateKode Neo Billing - Accounting, Invoicing And CRM Software up to version 3.5 which allows remote attackers to inject arbitrary web script or HTML." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://www.exploit-db.com/exploits/47289", + "url": "https://www.exploit-db.com/exploits/47289" } ] } diff --git a/2020/25xxx/CVE-2020-25787.json b/2020/25xxx/CVE-2020-25787.json index 8f35380ffa2..40aebbb5bde 100644 --- a/2020/25xxx/CVE-2020-25787.json +++ b/2020/25xxx/CVE-2020-25787.json @@ -61,6 +61,11 @@ "url": "https://community.tt-rss.org/t/heads-up-several-vulnerabilities-fixed/3799", "refsource": "MISC", "name": "https://community.tt-rss.org/t/heads-up-several-vulnerabilities-fixed/3799" + }, + { + "refsource": "MISC", + "name": "http://packetstormsecurity.com/files/161606/TinyTinyRSS-Remote-Code-Execution.html", + "url": "http://packetstormsecurity.com/files/161606/TinyTinyRSS-Remote-Code-Execution.html" } ] } diff --git a/2020/27xxx/CVE-2020-27216.json b/2020/27xxx/CVE-2020-27216.json index 2fe1e23f2ef..cec7aba85de 100644 --- a/2020/27xxx/CVE-2020-27216.json +++ b/2020/27xxx/CVE-2020-27216.json @@ -355,6 +355,31 @@ "refsource": "MLIST", "name": "[beam-issues] 20210223 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216", "url": "https://lists.apache.org/thread.html/r4179c71908778cc0598ee8ee1eaed9b88fc5483c65373f45e087f650@%3Cissues.beam.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[beam-issues] 20210302 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216", + "url": "https://lists.apache.org/thread.html/rb81a018f83fe02c95a2138a7bb4f1e1677bd7e1fc1e7024280c2292d@%3Cissues.beam.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[beam-issues] 20210302 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216", + "url": "https://lists.apache.org/thread.html/rcfb95a7c69c4b9c082ea1918e812dfc45aa0d1e120fd47f68251a336@%3Cissues.beam.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[iotdb-notifications] 20210303 [jira] [Created] (IOTDB-1181) Upgrade jetty jar to fix CVE-2020-27216", + "url": "https://lists.apache.org/thread.html/rcdd56ab4255801a0964dcce3285e87f2c6994e6469e189f6836f34e3@%3Cnotifications.iotdb.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 opened a new pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216", + "url": "https://lists.apache.org/thread.html/rc8dd95802be0cca8d7d0929c0c8484ede384ecb966b2a9dc7197b089@%3Creviews.iotdb.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 commented on pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216", + "url": "https://lists.apache.org/thread.html/r503045a75f4419d083cb63ac89e765d6fb8b10c7dacc0c54fce07cff@%3Creviews.iotdb.apache.org%3E" } ] } diff --git a/2020/27xxx/CVE-2020-27223.json b/2020/27xxx/CVE-2020-27223.json index 6abed6e28aa..bddb83de006 100644 --- a/2020/27xxx/CVE-2020-27223.json +++ b/2020/27xxx/CVE-2020-27223.json @@ -99,6 +99,56 @@ "refsource": "MLIST", "name": "[kafka-jira] 20210302 [jira] [Created] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223", "url": "https://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881a30da36020ca72a4b@%3Cjira.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[druid-commits] 20210302 [GitHub] [druid] a2l007 opened a new pull request #10937: Upgrade jetty to latest version", + "url": "https://lists.apache.org/thread.html/rc052fd4e9e9c01bead74c0b5680355ea5dc3b72d46f253cb65d03e43@%3Ccommits.druid.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-jira] 20210302 [GitHub] [kafka] ableegoldman commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223", + "url": "https://lists.apache.org/thread.html/rdd6c47321db1bfe12c68a898765bf3b6f97e2afa6a501254ed4feaed@%3Cjira.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223", + "url": "https://lists.apache.org/thread.html/ra47a26c008487b0a739a368c846e168de06c3cd118d31ecedafa679a@%3Cdev.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223", + "url": "https://lists.apache.org/thread.html/r7fbdb7880be1566f943d80fbbeefde2115c086eba1bef3115350a388@%3Cjira.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223", + "url": "https://lists.apache.org/thread.html/rff630ce92a4d1bb494fc1a3f9b57a3d60819b436505bcd8c6ccc713c@%3Ccommits.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-commits] 20210302 [kafka] branch 2.8 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223", + "url": "https://lists.apache.org/thread.html/ra384892bab8c03a60613a6a9d5e9cae0a2b800fd882792a55520115e@%3Ccommits.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223", + "url": "https://lists.apache.org/thread.html/r562a0cbc5c8cac4d000a27b2854a8ab1b924aa9dd45f8ffbea98e5ad@%3Cjira.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223", + "url": "https://lists.apache.org/thread.html/re819198d4732804dc01fca8b5b144689a118ede49f6128968773595c@%3Ccommits.kafka.apache.org%3E" + }, + { + "refsource": "MISC", + "name": "https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1@%3Cdev.kafka.apache.org%3E", + "url": "https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1@%3Cdev.kafka.apache.org%3E" + }, + { + "refsource": "MISC", + "name": "https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614@%3Cdev.kafka.apache.org%3E", + "url": "https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614@%3Cdev.kafka.apache.org%3E" } ] } diff --git a/2020/28xxx/CVE-2020-28243.json b/2020/28xxx/CVE-2020-28243.json index d59653fb3a5..fbfa9195565 100644 --- a/2020/28xxx/CVE-2020-28243.json +++ b/2020/28xxx/CVE-2020-28243.json @@ -66,6 +66,16 @@ "refsource": "MISC", "name": "https://sec.stealthcopter.com/cve-2020-28243/", "url": "https://sec.stealthcopter.com/cve-2020-28243/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-904a2dbc0c", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-5756fbf8a6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/" } ] } diff --git a/2020/28xxx/CVE-2020-28657.json b/2020/28xxx/CVE-2020-28657.json index f6b41c60d68..a33d7dcf689 100644 --- a/2020/28xxx/CVE-2020-28657.json +++ b/2020/28xxx/CVE-2020-28657.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2020-28657", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2020-28657", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In bPanel 2.0, the administrative ajax endpoints (aka ajax/aj_*.php) are accessible without authentication and allow SQL injections, which could lead to platform compromise." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://github.com/blackarrowsec/advisories/tree/master/2020/CVE-2020-28657", + "url": "https://github.com/blackarrowsec/advisories/tree/master/2020/CVE-2020-28657" } ] } diff --git a/2020/28xxx/CVE-2020-28972.json b/2020/28xxx/CVE-2020-28972.json index 0accdad5848..38321041188 100644 --- a/2020/28xxx/CVE-2020-28972.json +++ b/2020/28xxx/CVE-2020-28972.json @@ -56,6 +56,16 @@ "refsource": "CONFIRM", "name": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-904a2dbc0c", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-5756fbf8a6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/" } ] } diff --git a/2020/35xxx/CVE-2020-35296.json b/2020/35xxx/CVE-2020-35296.json index 7ede4de8d37..429b7a55073 100644 --- a/2020/35xxx/CVE-2020-35296.json +++ b/2020/35xxx/CVE-2020-35296.json @@ -1,17 +1,71 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2020-35296", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2020-35296", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "ThinkAdmin v6 has default administrator credentials, which allows attackers to gain unrestricted administratior dashboard access." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/zoujingli/ThinkAdmin", + "refsource": "MISC", + "name": "https://github.com/zoujingli/ThinkAdmin" + }, + { + "refsource": "MISC", + "name": "https://github.com/Shrimant12/CVE-References/blob/main/CVE-2020-35296.md", + "url": "https://github.com/Shrimant12/CVE-References/blob/main/CVE-2020-35296.md" + }, + { + "refsource": "MISC", + "name": "https://smshrimant.com/admin-panel-access-using-default-credentials/", + "url": "https://smshrimant.com/admin-panel-access-using-default-credentials/" } ] } diff --git a/2020/35xxx/CVE-2020-35662.json b/2020/35xxx/CVE-2020-35662.json index 2331aea00fd..0bf6944280b 100644 --- a/2020/35xxx/CVE-2020-35662.json +++ b/2020/35xxx/CVE-2020-35662.json @@ -56,6 +56,16 @@ "refsource": "CONFIRM", "name": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-904a2dbc0c", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-5756fbf8a6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/" } ] }, diff --git a/2020/36xxx/CVE-2020-36079.json b/2020/36xxx/CVE-2020-36079.json index 2f0d4834684..8b8059aa7b7 100644 --- a/2020/36xxx/CVE-2020-36079.json +++ b/2020/36xxx/CVE-2020-36079.json @@ -34,7 +34,7 @@ "description_data": [ { "lang": "eng", - "value": "Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder) portion of the UI. This can, for example, place a .php file in the server's uploaded/ directory." + "value": "** DISPUTED ** Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder) portion of the UI. This can, for example, place a .php file in the server's uploaded/ directory. NOTE: the vendor disputes this because exploitation can only be performed by an admin who has \"lots of other possibilities to harm a site.\"" } ] }, @@ -56,6 +56,16 @@ "refsource": "MISC", "name": "http://packetstormsecurity.com/files/161569/Zenphoto-CMS-1.5.7-Shell-Upload.html", "url": "http://packetstormsecurity.com/files/161569/Zenphoto-CMS-1.5.7-Shell-Upload.html" + }, + { + "refsource": "MISC", + "name": "https://www.zenphoto.org/news/why-not-every-security-issue-is-really-an-issue/", + "url": "https://www.zenphoto.org/news/why-not-every-security-issue-is-really-an-issue/" + }, + { + "refsource": "MISC", + "name": "https://github.com/zenphoto/zenphoto/issues/1292", + "url": "https://github.com/zenphoto/zenphoto/issues/1292" } ] } diff --git a/2020/4xxx/CVE-2020-4719.json b/2020/4xxx/CVE-2020-4719.json index 35817e73623..a2e585a1c12 100644 --- a/2020/4xxx/CVE-2020-4719.json +++ b/2020/4xxx/CVE-2020-4719.json @@ -1,18 +1,90 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-4719", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "ASSIGNER": "psirt@us.ibm.com", + "DATE_PUBLIC": "2021-02-26T00:00:00" }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Bypass Security" + } + ] + } + ] + }, + "data_type": "CVE", "description": { "description_data": [ { - "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The IBM Cloud APM 8.1.4 server will issue a DNS request to resolve any hostname specified in the Cloud Event Management Webhook URL configuration definition. This could enable an authenticated user with admin authorization to create DNS query strings that are not hostnames. IBM X-Force ID: 187861.", + "lang": "eng" } ] - } + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Cloud APM", + "version": { + "version_data": [ + { + "version_value": "8.1.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/6417137", + "title": "IBM Security Bulletin 6417137 (Cloud APM)", + "refsource": "CONFIRM", + "name": "https://www.ibm.com/support/pages/node/6417137" + }, + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/187861", + "name": "ibm-monitoring-cve20204719-sec-bypass (187861)", + "title": "X-Force Vulnerability Report", + "refsource": "XF" + } + ] + }, + "impact": { + "cvssv3": { + "BM": { + "UI": "N", + "SCORE": "4.900", + "PR": "H", + "I": "H", + "AV": "N", + "A": "N", + "S": "U", + "C": "N", + "AC": "L" + }, + "TM": { + "RL": "O", + "RC": "C", + "E": "U" + } + } + }, + "data_version": "4.0", + "data_format": "MITRE" } \ No newline at end of file diff --git a/2020/4xxx/CVE-2020-4725.json b/2020/4xxx/CVE-2020-4725.json index aacd5bbb924..6aa79015ee4 100644 --- a/2020/4xxx/CVE-2020-4725.json +++ b/2020/4xxx/CVE-2020-4725.json @@ -1,18 +1,90 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", - "CVE_data_meta": { - "ID": "CVE-2020-4725", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Cloud APM", + "version": { + "version_data": [ + { + "version_value": "8.1.4" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "IBM Monitoring (IBM Cloud APM 8.1.4 ) could allow an authenticated user to modify HTML content by sending a specially crafted HTTP request to the APM UI, which could mislead another user. IBM X-Force ID: 187974." } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "value": "Data Manipulation", + "lang": "eng" + } + ] + } + ] + }, + "CVE_data_meta": { + "STATE": "PUBLIC", + "ID": "CVE-2020-4725", + "ASSIGNER": "psirt@us.ibm.com", + "DATE_PUBLIC": "2021-02-26T00:00:00" + }, + "data_type": "CVE", + "data_version": "4.0", + "data_format": "MITRE", + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/6417137", + "refsource": "CONFIRM", + "title": "IBM Security Bulletin 6417137 (Cloud APM)", + "name": "https://www.ibm.com/support/pages/node/6417137" + }, + { + "title": "X-Force Vulnerability Report", + "name": "ibm-monitoring-cve20204725-content-spoofing (187974)", + "refsource": "XF", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/187974" + } + ] + }, + "impact": { + "cvssv3": { + "BM": { + "UI": "N", + "I": "L", + "AV": "N", + "PR": "L", + "SCORE": "4.300", + "S": "U", + "A": "N", + "AC": "L", + "C": "N" + }, + "TM": { + "RL": "O", + "E": "U", + "RC": "C" + } + } } } \ No newline at end of file diff --git a/2020/4xxx/CVE-2020-4726.json b/2020/4xxx/CVE-2020-4726.json index 9e8efdc3f0c..9dd262a8dd1 100644 --- a/2020/4xxx/CVE-2020-4726.json +++ b/2020/4xxx/CVE-2020-4726.json @@ -1,17 +1,89 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", - "CVE_data_meta": { - "ID": "CVE-2020-4726", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "IBM", + "product": { + "product_data": [ + { + "product_name": "Cloud APM", + "version": { + "version_data": [ + { + "version_value": "8.1.4" + } + ] + } + } + ] + } + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The IBM Application Performance Monitoring UI (IBM Cloud APM 8.1.4) allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 187975." + } + ] + }, + "data_type": "CVE", + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Obtain Information" + } + ] + } + ] + }, + "CVE_data_meta": { + "DATE_PUBLIC": "2021-02-26T00:00:00", + "ASSIGNER": "psirt@us.ibm.com", + "ID": "CVE-2020-4726", + "STATE": "PUBLIC" + }, + "data_format": "MITRE", + "data_version": "4.0", + "impact": { + "cvssv3": { + "TM": { + "RL": "O", + "E": "U", + "RC": "C" + }, + "BM": { + "UI": "N", + "AV": "L", + "I": "N", + "PR": "N", + "SCORE": "4.000", + "S": "U", + "A": "N", + "AC": "L", + "C": "L" + } + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.ibm.com/support/pages/node/6417137", + "refsource": "CONFIRM", + "name": "https://www.ibm.com/support/pages/node/6417137", + "title": "IBM Security Bulletin 6417137 (Cloud APM)" + }, + { + "name": "ibm-monitoring-cve20204726-info-disc (187975)", + "refsource": "XF", + "title": "X-Force Vulnerability Report", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/187975" } ] } diff --git a/2021/0xxx/CVE-2021-0215.json b/2021/0xxx/CVE-2021-0215.json index ee5b94c9647..4474c80e9d1 100644 --- a/2021/0xxx/CVE-2021-0215.json +++ b/2021/0xxx/CVE-2021-0215.json @@ -4,7 +4,7 @@ "DATE_PUBLIC": "2021-01-13T17:00:00.000Z", "ID": "CVE-2021-0215", "STATE": "PUBLIC", - "TITLE": "Junos OS: EX Series, QFX Series, SRX Branch Series: Memory leak in packet forwarding engine due to 802.1X authenticator port interface flaps" + "TITLE": "Junos OS: EX Series, QFX Series, SRX Branch Series, MX Series: Memory leak in packet forwarding engine due to 802.1X authenticator port interface flaps" }, "affects": { "vendor": { @@ -45,73 +45,73 @@ "version_value": "15.1X53-D593" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "16.1", "version_value": "16.1R7-S8" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "17.2", "version_value": "17.2R3-S4" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "17.3", "version_value": "17.3R3-S8" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "17.4", "version_value": "17.4R2-S11, 17.4R3-S2" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "18.1", "version_value": "18.1R3-S10" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "18.2", "version_value": "18.2R2-S7, 18.2R3-S3" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "18.3", "version_value": "18.3R2-S4, 18.3R3-S2" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "18.4", "version_value": "18.4R1-S7, 18.4R2-S4, 18.4R3-S2" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "19.1", "version_value": "19.1R1-S5, 19.1R2-S2, 19.1R3" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "19.2", "version_value": "19.2R1-S5, 19.2R2" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "19.3", "version_value": "19.3R2-S3, 19.3R3" }, { - "platform": "SRX Branch Series, EX Series, QFX Series", + "platform": "SRX Branch Series, EX Series, QFX Series, MX Series", "version_affected": "<", "version_name": "19.4", "version_value": "19.4R1-S2, 19.4R2" @@ -139,7 +139,7 @@ "description_data": [ { "lang": "eng", - "value": "On Juniper Networks Junos EX series, QFX Series and SRX branch series devices, a memory leak occurs every time the 802.1X authenticator port interface flaps which can lead to other processes, such as the pfex process, responsible for packet forwarding, to crash and restart. An administrator can use the following CLI command to monitor the status of memory consumption: user@device> show task memory detail Please refer to https://kb.juniper.net/KB31522 for details. This issue affects Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D54; 15.1X49 versions prior to 15.1X49-D240 ; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10 ; 18.2 versions prior to 18.2R2-S7, 18.2R3-S3; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R2-S4, 18.4R3-S2; 19.1 versions prior to 19.1R1-S5, 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2. This issue does not affect Juniper Networks Junos OS 12.3, 15.1." + "value": "On Juniper Networks Junos EX series, QFX Series, MX Series and SRX branch series devices, a memory leak occurs every time the 802.1X authenticator port interface flaps which can lead to other processes, such as the pfex process, responsible for packet forwarding, to crash and restart. An administrator can use the following CLI command to monitor the status of memory consumption: user@device> show task memory detail Please refer to https://kb.juniper.net/KB31522 for details. This issue affects Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D54; 15.1X49 versions prior to 15.1X49-D240 ; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10 ; 18.2 versions prior to 18.2R2-S7, 18.2R3-S3; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R2-S4, 18.4R3-S2; 19.1 versions prior to 19.1R1-S5, 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2. This issue does not affect Juniper Networks Junos OS 12.3, 15.1." } ] }, diff --git a/2021/21xxx/CVE-2021-21255.json b/2021/21xxx/CVE-2021-21255.json index 9df1979fed1..a1ed5ec80a3 100644 --- a/2021/21xxx/CVE-2021-21255.json +++ b/2021/21xxx/CVE-2021-21255.json @@ -1,18 +1,88 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21255", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "entities switch IDOR" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "glpi", + "version": { + "version_data": [ + { + "version_value": "= 9.5.3" + } + ] + } + } + ] + }, + "vendor_name": "glpi-project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862 Missing Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j", + "refsource": "CONFIRM", + "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j" + }, + { + "name": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc", + "refsource": "MISC", + "url": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc" + } + ] + }, + "source": { + "advisory": "GHSA-v3m5-r3mx-ff9j", + "discovery": "UNKNOWN" } } \ No newline at end of file diff --git a/2021/21xxx/CVE-2021-21258.json b/2021/21xxx/CVE-2021-21258.json index 9fd3368de42..03aba590a02 100644 --- a/2021/21xxx/CVE-2021-21258.json +++ b/2021/21xxx/CVE-2021-21258.json @@ -1,18 +1,88 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21258", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "XSS injection in ajax/kanban" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "glpi", + "version": { + "version_data": [ + { + "version_value": ">= 9.5.0, < 9.5.4" + } + ] + } + } + ] + }, + "vendor_name": "glpi-project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI from version 9.5.0 and before version 9.5.4, there is a cross-site scripting injection vulnerability when using ajax/kanban.php. This is fixed in version 9.5.4." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j4xj-4qmc-mmmx", + "refsource": "CONFIRM", + "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j4xj-4qmc-mmmx" + }, + { + "name": "https://github.com/glpi-project/glpi/commit/e7802fc051696de1f76108ea8dc3bd4e2c880f15", + "refsource": "MISC", + "url": "https://github.com/glpi-project/glpi/commit/e7802fc051696de1f76108ea8dc3bd4e2c880f15" + } + ] + }, + "source": { + "advisory": "GHSA-j4xj-4qmc-mmmx", + "discovery": "UNKNOWN" } } \ No newline at end of file diff --git a/2021/21xxx/CVE-2021-21290.json b/2021/21xxx/CVE-2021-21290.json index 8198c2682a1..bd03e862e2f 100644 --- a/2021/21xxx/CVE-2021-21290.json +++ b/2021/21xxx/CVE-2021-21290.json @@ -116,6 +116,41 @@ "refsource": "MLIST", "name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", + "url": "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", + "url": "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", + "url": "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", + "url": "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", + "url": "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E" + }, + { + "refsource": "MLIST", + "name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", + "url": "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E" + }, + { + "refsource": "MISC", + "name": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E", + "url": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E" } ] }, diff --git a/2021/21xxx/CVE-2021-21311.json b/2021/21xxx/CVE-2021-21311.json index 7cdd4eaf92e..114684c8ae1 100644 --- a/2021/21xxx/CVE-2021-21311.json +++ b/2021/21xxx/CVE-2021-21311.json @@ -88,6 +88,11 @@ "name": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351", "refsource": "MISC", "url": "https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351" + }, + { + "refsource": "MLIST", + "name": "[debian-lts-announce] 20210302 [SECURITY] [DLA 2580-1] adminer security update", + "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00002.html" } ] }, diff --git a/2021/21xxx/CVE-2021-21352.json b/2021/21xxx/CVE-2021-21352.json index b3174c751f2..a5b0c6de407 100644 --- a/2021/21xxx/CVE-2021-21352.json +++ b/2021/21xxx/CVE-2021-21352.json @@ -1,18 +1,93 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21352", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Predictable tokens used for password resets" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "timetracker", + "version": { + "version_data": [ + { + "version_value": "< 1.19.24.5415" + } + ] + } + } + ] + }, + "vendor_name": "anuko" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing)." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-330: Use of Insufficiently Random Values" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.anuko.com/time-tracker/index.htm", + "refsource": "MISC", + "url": "https://www.anuko.com/time-tracker/index.htm" + }, + { + "name": "https://github.com/anuko/timetracker/security/advisories/GHSA-43c9-rx4h-4gqq", + "refsource": "CONFIRM", + "url": "https://github.com/anuko/timetracker/security/advisories/GHSA-43c9-rx4h-4gqq" + }, + { + "name": "https://github.com/anuko/timetracker/commit/40f3d9345adc20e6f28eb9f59e2489aff87fecf5", + "refsource": "MISC", + "url": "https://github.com/anuko/timetracker/commit/40f3d9345adc20e6f28eb9f59e2489aff87fecf5" + } + ] + }, + "source": { + "advisory": "GHSA-43c9-rx4h-4gqq", + "discovery": "UNKNOWN" } } \ No newline at end of file diff --git a/2021/21xxx/CVE-2021-21353.json b/2021/21xxx/CVE-2021-21353.json index fe488986c0d..e21347ceefc 100644 --- a/2021/21xxx/CVE-2021-21353.json +++ b/2021/21xxx/CVE-2021-21353.json @@ -1,18 +1,113 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21353", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Remote code execution in pug" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "pug", + "version": { + "version_data": [ + { + "version_value": "< 3.0.1" + } + ] + } + } + ] + }, + "vendor_name": "pugjs" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including \"pug\", \"pug-code-gen\". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr", + "refsource": "CONFIRM", + "url": "https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr" + }, + { + "name": "https://github.com/pugjs/pug/issues/3312", + "refsource": "MISC", + "url": "https://github.com/pugjs/pug/issues/3312" + }, + { + "name": "https://github.com/pugjs/pug/pull/3314", + "refsource": "MISC", + "url": "https://github.com/pugjs/pug/pull/3314" + }, + { + "name": "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0", + "refsource": "MISC", + "url": "https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0" + }, + { + "name": "https://github.com/pugjs/pug/releases/tag/pug%403.0.1", + "refsource": "MISC", + "url": "https://github.com/pugjs/pug/releases/tag/pug%403.0.1" + }, + { + "name": "https://www.npmjs.com/package/pug", + "refsource": "MISC", + "url": "https://www.npmjs.com/package/pug" + }, + { + "name": "https://www.npmjs.com/package/pug-code-gen", + "refsource": "MISC", + "url": "https://www.npmjs.com/package/pug-code-gen" + } + ] + }, + "source": { + "advisory": "GHSA-p493-635q-r6gr", + "discovery": "UNKNOWN" } } \ No newline at end of file diff --git a/2021/21xxx/CVE-2021-21476.json b/2021/21xxx/CVE-2021-21476.json index 610c227d7c7..94f5eea331b 100644 --- a/2021/21xxx/CVE-2021-21476.json +++ b/2021/21xxx/CVE-2021-21476.json @@ -63,7 +63,7 @@ "description_data": [ { "lang": "eng", - "value": "SAP UI5, versions - 1.38.49, 1.52.49, 1.60.34, 1.71.31, 1.78.18, 1.84.5, 1.85.4, 1.86.1, allows an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities." + "value": "SAP UI5 versions before 1.38.49, 1.52.49, 1.60.34, 1.71.31, 1.78.18, 1.84.5, 1.85.4, 1.86.1 allows an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities." } ] }, diff --git a/2021/21xxx/CVE-2021-21513.json b/2021/21xxx/CVE-2021-21513.json index 4bc5b416d47..9c19228cfdd 100644 --- a/2021/21xxx/CVE-2021-21513.json +++ b/2021/21xxx/CVE-2021-21513.json @@ -1,10 +1,10 @@ { "CVE_data_meta": { - "ASSIGNER": "secure@dell.com", - "DATE_PUBLIC": "2021-03-01", - "ID": "CVE-2021-21513", + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2021-03-01", + "ID": "CVE-2021-21513", "STATE": "PUBLIC" - }, + }, "affects": { "vendor": { "vendor_data": [ @@ -12,59 +12,60 @@ "product": { "product_data": [ { - "product_name": "Dell Open Manage Server Administrator", + "product_name": "Dell Open Manage Server Administrator", "version": { "version_data": [ { - "version_affected": "<=", + "version_affected": "<=", "version_value": "9.5" } ] } } ] - }, + }, "vendor_name": "Dell" } ] } - }, - "data_format": "MITRE", - "data_type": "CVE", - "data_version": "4.0", + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { - "lang": "eng", - "value": "Dell EMC OpenManage Server Administrator (OMSA) version 9.5 Microsoft Windows installations with Distributed Web Server (DWS) enabled configuration contains an authentication bypass vulnerability. \r\n\r\nA remote unauthenticated attacker could potentially exploit this vulnerability to gain admin access on the affected system." + "lang": "eng", + "value": "Dell EMC OpenManage Server Administrator (OMSA) version 9.5 Microsoft Windows installations with Distributed Web Server (DWS) enabled configuration contains an authentication bypass vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain admin access on the affected system." } ] - }, + }, "impact": { "cvss": { - "baseScore": 8.6, - "baseSeverity": "High", - "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", + "baseScore": 8.6, + "baseSeverity": "High", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" } - }, + }, "problemtype": { "problemtype_data": [ { "description": [ { - "lang": "eng", + "lang": "eng", "value": "CWE-287: Improper Authentication" } ] } ] - }, + }, "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://www.dell.com/support/kbdoc/en-us/000183670/dsa-2021-040-dell-emc-openmanage-server-administrator-omsa-security-update-for-multiple-vulnerabilities" + "refsource": "MISC", + "url": "https://www.dell.com/support/kbdoc/en-us/000183670/dsa-2021-040-dell-emc-openmanage-server-administrator-omsa-security-update-for-multiple-vulnerabilities", + "name": "https://www.dell.com/support/kbdoc/en-us/000183670/dsa-2021-040-dell-emc-openmanage-server-administrator-omsa-security-update-for-multiple-vulnerabilities" } ] } diff --git a/2021/21xxx/CVE-2021-21514.json b/2021/21xxx/CVE-2021-21514.json index 6d88fe20f54..1f7ecc6feb6 100644 --- a/2021/21xxx/CVE-2021-21514.json +++ b/2021/21xxx/CVE-2021-21514.json @@ -1,10 +1,10 @@ { "CVE_data_meta": { - "ASSIGNER": "secure@dell.com", - "DATE_PUBLIC": "2021-03-01", - "ID": "CVE-2021-21514", + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2021-03-01", + "ID": "CVE-2021-21514", "STATE": "PUBLIC" - }, + }, "affects": { "vendor": { "vendor_data": [ @@ -12,59 +12,60 @@ "product": { "product_data": [ { - "product_name": "Dell Open Manage Server Administrator", + "product_name": "Dell Open Manage Server Administrator", "version": { "version_data": [ { - "version_affected": "<=", + "version_affected": "<=", "version_value": "9.5" } ] } } ] - }, + }, "vendor_name": "Dell" } ] } - }, - "data_format": "MITRE", - "data_type": "CVE", - "data_version": "4.0", + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { - "lang": "eng", - "value": "Dell EMC OpenManage Server Administrator (OMSA) versions 9.5 and prior contain a path traversal vulnerability. A remote user with admin privileges could potentially exploit this vulnerability to view arbitrary files on the target system by sending a specially crafted URL request." + "lang": "eng", + "value": "Dell EMC OpenManage Server Administrator (OMSA) versions 9.5 and prior contain a path traversal vulnerability. A remote user with admin privileges could potentially exploit this vulnerability to view arbitrary files on the target system by sending a specially crafted URL request." } ] - }, + }, "impact": { "cvss": { - "baseScore": 4.9, - "baseSeverity": "Medium", - "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", + "baseScore": 4.9, + "baseSeverity": "Medium", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } - }, + }, "problemtype": { "problemtype_data": [ { "description": [ { - "lang": "eng", + "lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" } ] } ] - }, + }, "references": { "reference_data": [ { - "refsource": "CONFIRM", - "url": "https://www.dell.com/support/kbdoc/en-us/000183670/dsa-2021-040-dell-emc-openmanage-server-administrator-omsa-security-update-for-multiple-vulnerabilities" + "refsource": "MISC", + "url": "https://www.dell.com/support/kbdoc/en-us/000183670/dsa-2021-040-dell-emc-openmanage-server-administrator-omsa-security-update-for-multiple-vulnerabilities", + "name": "https://www.dell.com/support/kbdoc/en-us/000183670/dsa-2021-040-dell-emc-openmanage-server-administrator-omsa-security-update-for-multiple-vulnerabilities" } ] } diff --git a/2021/22xxx/CVE-2021-22187.json b/2021/22xxx/CVE-2021-22187.json index cf0fc9900fb..f960623cde1 100644 --- a/2021/22xxx/CVE-2021-22187.json +++ b/2021/22xxx/CVE-2021-22187.json @@ -4,15 +4,86 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-22187", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cve@gitlab.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "GitLab", + "product": { + "product_data": [ + { + "product_name": "GitLab", + "version": { + "version_data": [ + { + "version_value": "<=X.Y" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Uncontrolled resource consumption in GitLab" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/300452", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/300452", + "refsource": "MISC" + }, + { + "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22187.json", + "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22187.json", + "refsource": "CONFIRM" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 12.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project was deleted." } ] - } + }, + "impact": { + "cvss": { + "vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "version": "3.1", + "baseScore": 4.2, + "baseSeverity": "MEDIUM" + } + }, + "credit": [ + { + "lang": "eng", + "value": "This vulnerability has been discovered internally by the GitLab team" + } + ] } \ No newline at end of file diff --git a/2021/22xxx/CVE-2021-22294.json b/2021/22xxx/CVE-2021-22294.json index beeabe3b912..91bb2916911 100644 --- a/2021/22xxx/CVE-2021-22294.json +++ b/2021/22xxx/CVE-2021-22294.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-22294", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@huawei.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "HarmonyOS", + "version": { + "version_data": [ + { + "version_value": "HarmonyOS 2.0" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Authentication Bypass by Spoofing" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2021/2021-03.md", + "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2021/2021-03.md" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A component API of the HarmonyOS 2.0 has a permission bypass vulnerability. Local attackers may exploit this vulnerability to issue commands repeatedly, exhausting system service resources." } ] } diff --git a/2021/22xxx/CVE-2021-22296.json b/2021/22xxx/CVE-2021-22296.json index 4e82a6134ea..97d71b89cbe 100644 --- a/2021/22xxx/CVE-2021-22296.json +++ b/2021/22xxx/CVE-2021-22296.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-22296", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@huawei.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "HarmonyOS", + "version": { + "version_data": [ + { + "version_value": "HarmonyOS 2.0" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Attempt to Access Child of a Non-structure Pointer" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2021/2021-03.md", + "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2021/2021-03.md" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A component of the HarmonyOS 2.0 has a DoS vulnerability. Local attackers may exploit this vulnerability to mount a file system to the target device, causing DoS of the file system." } ] } diff --git a/2021/22xxx/CVE-2021-22861.json b/2021/22xxx/CVE-2021-22861.json index efc8409ae94..e9c11c00210 100644 --- a/2021/22xxx/CVE-2021-22861.json +++ b/2021/22xxx/CVE-2021-22861.json @@ -1,18 +1,104 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "product-cna@github.com", "ID": "CVE-2021-22861", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Improper access control in GitHub Enterprise Server leading to unauthorized write access to forkable repositories" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "GitHub Enterprise Server", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "2.20", + "version_value": "2.20.24" + }, + { + "version_affected": "<", + "version_name": "2.21", + "version_value": "2.21.15" + }, + { + "version_affected": "<", + "version_name": "2.22", + "version_value": "2.22.7" + }, + { + "version_affected": "<", + "version_name": "3.0", + "version_value": "3.0.1" + } + ] + } + } + ] + }, + "vendor_name": "GitHub" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Teddy Katz" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the targeted repository, a setting that is disabled by default for organization owned private repositories. Branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability affected all versions of GitHub Enterprise Server since 2.4.21 and was fixed in versions 2.20.24, 2.21.15, 2.22.7 and 3.0.1. This vulnerability was reported via the GitHub Bug Bounty program." } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-285 Improper Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@2.20/admin/release-notes#2.20.24", + "name": "https://docs.github.com/en/enterprise-server@2.20/admin/release-notes#2.20.24" + }, + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@2.21/admin/release-notes#2.21.15", + "name": "https://docs.github.com/en/enterprise-server@2.21/admin/release-notes#2.21.15" + }, + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.7", + "name": "https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.7" + }, + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.1", + "name": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.1" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/22xxx/CVE-2021-22862.json b/2021/22xxx/CVE-2021-22862.json index bbf0318a3dc..c283dfaed09 100644 --- a/2021/22xxx/CVE-2021-22862.json +++ b/2021/22xxx/CVE-2021-22862.json @@ -1,18 +1,74 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "product-cna@github.com", "ID": "CVE-2021-22862", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Improper access control in GitHub Enterprise Server leading to the disclosure of Actions secrets to forks" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "GitHub Enterprise Server", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "3.0", + "version_value": "3.0.1" + } + ] + } + } + ] + }, + "vendor_name": "GitHub" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Teddy Katz" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent a workflow from forks could be bypassed. This vulnerability affected GitHub Enterprise Server version 3.0.0, 3.0.0.rc2, and 3.0.0.rc1. This vulnerability was reported via the GitHub Bug Bounty program." } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-285: Improper Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.1", + "name": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.1" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/22xxx/CVE-2021-22863.json b/2021/22xxx/CVE-2021-22863.json index a1af7e8360d..00d71562fd7 100644 --- a/2021/22xxx/CVE-2021-22863.json +++ b/2021/22xxx/CVE-2021-22863.json @@ -1,18 +1,104 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "product-cna@github.com", "ID": "CVE-2021-22863", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Improper access control in GitHub Enterprise Server leading to unauthorized changes to maintainer permissions on pull requests" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "GitHub Enterprise Server", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "2.20", + "version_value": "2.20.24" + }, + { + "version_affected": "<", + "version_name": "2.21", + "version_value": "2.21.15" + }, + { + "version_affected": "<", + "version_name": "2.22", + "version_value": "2.22.7" + }, + { + "version_affected": "<", + "version_name": "3.0", + "version_value": "3.0.1" + } + ] + } + } + ] + }, + "vendor_name": "GitHub" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Teddy Katz" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would be able to gain access to head branches of pull requests opened on repositories of which they are a maintainer. Forking is disabled by default for organization owned private repositories and would prevent this vulnerability. Additionally, branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability affected all versions of GitHub Enterprise Server since 2.12.22 and was fixed in versions 2.20.24, 2.21.15, 2.22.7 and 3.0.1. This vulnerability was reported via the GitHub Bug Bounty program." } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-285 Improper Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@2.20/admin/release-notes#2.20.24", + "name": "https://docs.github.com/en/enterprise-server@2.20/admin/release-notes#2.20.24" + }, + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@2.21/admin/release-notes#2.21.15", + "name": "https://docs.github.com/en/enterprise-server@2.21/admin/release-notes#2.21.15" + }, + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.7", + "name": "https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.7" + }, + { + "refsource": "MISC", + "url": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.1", + "name": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.1" + } + ] + }, + "source": { + "discovery": "EXTERNAL" } } \ No newline at end of file diff --git a/2021/23xxx/CVE-2021-23347.json b/2021/23xxx/CVE-2021-23347.json index 936f51cd1a8..346f5ec0240 100644 --- a/2021/23xxx/CVE-2021-23347.json +++ b/2021/23xxx/CVE-2021-23347.json @@ -3,16 +3,98 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "report@snyk.io", + "DATE_PUBLIC": "2021-03-03T09:52:51.235817Z", "ID": "CVE-2021-23347", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Cross-site Scripting (XSS)" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "github.com/argoproj/argo-cd/cmd", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "1.7.13" + }, + { + "version_affected": ">=", + "version_value": "1.8.0" + }, + { + "version_affected": "<", + "version_value": "1.8.6" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDCMD-1078291", + "name": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDCMD-1078291" + }, + { + "refsource": "MISC", + "url": "https://github.com/argoproj/argo-cd/pull/5563", + "name": "https://github.com/argoproj/argo-cd/pull/5563" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user." } ] - } + }, + "impact": { + "cvss": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", + "baseScore": 4.7, + "baseSeverity": "MEDIUM", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "HIGH", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "LOW" + } + }, + "credit": [ + { + "lang": "eng", + "value": "jannfis" + } + ] } \ No newline at end of file diff --git a/2021/23xxx/CVE-2021-23840.json b/2021/23xxx/CVE-2021-23840.json index 913005865fa..ec5432b0a38 100644 --- a/2021/23xxx/CVE-2021-23840.json +++ b/2021/23xxx/CVE-2021-23840.json @@ -94,6 +94,11 @@ "refsource": "CONFIRM", "name": "https://security.netapp.com/advisory/ntap-20210219-0009/", "url": "https://security.netapp.com/advisory/ntap-20210219-0009/" + }, + { + "refsource": "CONFIRM", + "name": "https://www.tenable.com/security/tns-2021-03", + "url": "https://www.tenable.com/security/tns-2021-03" } ] } diff --git a/2021/23xxx/CVE-2021-23841.json b/2021/23xxx/CVE-2021-23841.json index 19be2c06627..f825046ad84 100644 --- a/2021/23xxx/CVE-2021-23841.json +++ b/2021/23xxx/CVE-2021-23841.json @@ -94,6 +94,11 @@ "refsource": "CONFIRM", "name": "https://security.netapp.com/advisory/ntap-20210219-0009/", "url": "https://security.netapp.com/advisory/ntap-20210219-0009/" + }, + { + "refsource": "CONFIRM", + "name": "https://www.tenable.com/security/tns-2021-03", + "url": "https://www.tenable.com/security/tns-2021-03" } ] } diff --git a/2021/25xxx/CVE-2021-25252.json b/2021/25xxx/CVE-2021-25252.json index 8be85103bbd..e979763f9d9 100644 --- a/2021/25xxx/CVE-2021-25252.json +++ b/2021/25xxx/CVE-2021-25252.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security@trendmicro.com", "ID": "CVE-2021-25252", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Trend Micro Virus Scan API (VSAPI) Engine\r\n", + "version": { + "version_data": [ + { + "version_value": "12.0" + } + ] + } + } + ] + }, + "vendor_name": "Trend Micro" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Trend Micro's Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) - are vulnerable to a memory exhaustion vulnerability that may lead to denial-of-service or system freeze if exploited by an attacker using a specially crafted file." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Memory Exhaustion" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://success.trendmicro.com/solution/000285675", + "refsource": "MISC", + "name": "https://success.trendmicro.com/solution/000285675" } ] } diff --git a/2021/25xxx/CVE-2021-25281.json b/2021/25xxx/CVE-2021-25281.json index eb92071476f..2bddf8ee10b 100644 --- a/2021/25xxx/CVE-2021-25281.json +++ b/2021/25xxx/CVE-2021-25281.json @@ -66,6 +66,16 @@ "refsource": "CONFIRM", "name": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-904a2dbc0c", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-5756fbf8a6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/" } ] } diff --git a/2021/25xxx/CVE-2021-25282.json b/2021/25xxx/CVE-2021-25282.json index 5342a712859..410aca23bbe 100644 --- a/2021/25xxx/CVE-2021-25282.json +++ b/2021/25xxx/CVE-2021-25282.json @@ -61,6 +61,16 @@ "refsource": "CONFIRM", "name": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-904a2dbc0c", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-5756fbf8a6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/" } ] } diff --git a/2021/25xxx/CVE-2021-25283.json b/2021/25xxx/CVE-2021-25283.json index a87e793e1c8..895ed10535a 100644 --- a/2021/25xxx/CVE-2021-25283.json +++ b/2021/25xxx/CVE-2021-25283.json @@ -61,6 +61,16 @@ "refsource": "CONFIRM", "name": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-904a2dbc0c", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-5756fbf8a6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/" } ] } diff --git a/2021/25xxx/CVE-2021-25284.json b/2021/25xxx/CVE-2021-25284.json index eed735718af..f22e14df102 100644 --- a/2021/25xxx/CVE-2021-25284.json +++ b/2021/25xxx/CVE-2021-25284.json @@ -61,6 +61,16 @@ "refsource": "CONFIRM", "name": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-904a2dbc0c", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-5756fbf8a6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/" } ] } diff --git a/2021/25xxx/CVE-2021-25315.json b/2021/25xxx/CVE-2021-25315.json index 46d337f740b..107e3777ede 100644 --- a/2021/25xxx/CVE-2021-25315.json +++ b/2021/25xxx/CVE-2021-25315.json @@ -1,18 +1,111 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security@suse.com", + "DATE_PUBLIC": "2021-03-01T00:00:00.000Z", "ID": "CVE-2021-25315", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "salt-api unauthenticated remote code execution" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SUSE Linux Enterprise Server 15 SP 3", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "salt", + "version_value": "3002.2-3" + } + ] + } + } + ] + }, + "vendor_name": "SUSE" + }, + { + "product": { + "product_data": [ + { + "product_name": "Tumbleweed", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "salt", + "version_value": "3002.2-2.1" + } + ] + } + } + ] + }, + "vendor_name": "openSUSE" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions." } ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-303: Incorrect Implementation of Authentication Algorithm" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://bugzilla.suse.com/show_bug.cgi?id=1182382", + "refsource": "CONFIRM", + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1182382" + } + ] + }, + "source": { + "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1182382", + "defect": [ + "1182382" + ], + "discovery": "INTERNAL" } } \ No newline at end of file diff --git a/2021/25xxx/CVE-2021-25330.json b/2021/25xxx/CVE-2021-25330.json index f78770c796d..d77164406e6 100644 --- a/2021/25xxx/CVE-2021-25330.json +++ b/2021/25xxx/CVE-2021-25330.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-25330", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "mobile.security@samsung.com", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "Samsung Mobile Devices", + "version": { + "version_data": [ + { + "version_value": "Selected Q(10.0) prior to SMR Feb-2021 Release 1" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Control of Generation of Code ('Code Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://security.samsungmobile.com/securityUpdate.smsb", + "url": "https://security.samsungmobile.com/securityUpdate.smsb" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Calling of non-existent provider in MobileWips application prior to SMR Feb-2021 Release 1 allows unauthorized actions including denial of service attack by hijacking the provider." } ] } diff --git a/2021/25xxx/CVE-2021-25758.json b/2021/25xxx/CVE-2021-25758.json index 93016f75bba..1bb26de6483 100644 --- a/2021/25xxx/CVE-2021-25758.json +++ b/2021/25xxx/CVE-2021-25758.json @@ -34,7 +34,7 @@ "description_data": [ { "lang": "eng", - "value": "In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to code execution." + "value": "In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution." } ] }, diff --git a/2021/26xxx/CVE-2021-26412.json b/2021/26xxx/CVE-2021-26412.json index e6ef8c8fb7d..cac5e81202e 100644 --- a/2021/26xxx/CVE-2021-26412.json +++ b/2021/26xxx/CVE-2021-26412.json @@ -3,15 +3,99 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "secure@microsoft.com", "ID": "CVE-2021-26412", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Microsoft Exchange Server 2013", + "version": { + "version_data": [ + { + "version_value": "Cumulative Update 23" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 7", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 18", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 19", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 8", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + } + ] + }, + "vendor_name": "Microsoft" + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote Code Execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26412", + "refsource": "MISC", + "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26412" } ] } diff --git a/2021/26xxx/CVE-2021-26813.json b/2021/26xxx/CVE-2021-26813.json index 36b9f02a553..09b5fcebcce 100644 --- a/2021/26xxx/CVE-2021-26813.json +++ b/2021/26xxx/CVE-2021-26813.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-26813", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-26813", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/trentm/python-markdown2/pull/387", + "refsource": "MISC", + "name": "https://github.com/trentm/python-markdown2/pull/387" } ] } diff --git a/2021/26xxx/CVE-2021-26854.json b/2021/26xxx/CVE-2021-26854.json index 07fe67dc645..4abaa3b27cf 100644 --- a/2021/26xxx/CVE-2021-26854.json +++ b/2021/26xxx/CVE-2021-26854.json @@ -3,15 +3,99 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "secure@microsoft.com", "ID": "CVE-2021-26854", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 19", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 8", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2013", + "version": { + "version_data": [ + { + "version_value": "Cumulative Update 23" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 7", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 18", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + } + ] + }, + "vendor_name": "Microsoft" + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote Code Execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854", + "refsource": "MISC", + "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854" } ] } diff --git a/2021/26xxx/CVE-2021-26855.json b/2021/26xxx/CVE-2021-26855.json index 1ee0e40eea6..e48881925d7 100644 --- a/2021/26xxx/CVE-2021-26855.json +++ b/2021/26xxx/CVE-2021-26855.json @@ -3,15 +3,99 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "secure@microsoft.com", "ID": "CVE-2021-26855", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 19", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 8", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2013", + "version": { + "version_data": [ + { + "version_value": "Cumulative Update 23" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 7", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 18", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + } + ] + }, + "vendor_name": "Microsoft" + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote Code Execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855", + "refsource": "MISC", + "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855" } ] } diff --git a/2021/26xxx/CVE-2021-26857.json b/2021/26xxx/CVE-2021-26857.json index 3b2c96c332f..948b7dfaaf1 100644 --- a/2021/26xxx/CVE-2021-26857.json +++ b/2021/26xxx/CVE-2021-26857.json @@ -3,15 +3,109 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "secure@microsoft.com", "ID": "CVE-2021-26857", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 19", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 8", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2013", + "version": { + "version_data": [ + { + "version_value": "Cumulative Update 23" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 7", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 18", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server", + "version": { + "version_data": [ + { + "version_value": "2010 Service Pack 3" + } + ] + } + } + ] + }, + "vendor_name": "Microsoft" + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote Code Execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857", + "refsource": "MISC", + "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857" } ] } diff --git a/2021/26xxx/CVE-2021-26858.json b/2021/26xxx/CVE-2021-26858.json index c86dd90eed1..185fdbf8d3d 100644 --- a/2021/26xxx/CVE-2021-26858.json +++ b/2021/26xxx/CVE-2021-26858.json @@ -3,15 +3,99 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "secure@microsoft.com", "ID": "CVE-2021-26858", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Microsoft Exchange Server 2013", + "version": { + "version_data": [ + { + "version_value": "Cumulative Update 23" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 7", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 18", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 19", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 8", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + } + ] + }, + "vendor_name": "Microsoft" + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, CVE-2021-27078." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote Code Execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858", + "refsource": "MISC", + "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858" } ] } diff --git a/2021/27xxx/CVE-2021-27065.json b/2021/27xxx/CVE-2021-27065.json index 3e692cf77fd..86b8770111d 100644 --- a/2021/27xxx/CVE-2021-27065.json +++ b/2021/27xxx/CVE-2021-27065.json @@ -3,15 +3,99 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "secure@microsoft.com", "ID": "CVE-2021-27065", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Microsoft Exchange Server 2013", + "version": { + "version_data": [ + { + "version_value": "Cumulative Update 23" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 7", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 18", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 19", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 8", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + } + ] + }, + "vendor_name": "Microsoft" + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote Code Execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065", + "refsource": "MISC", + "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065" } ] } diff --git a/2021/27xxx/CVE-2021-27078.json b/2021/27xxx/CVE-2021-27078.json index c6aaa350b48..0ef388118d5 100644 --- a/2021/27xxx/CVE-2021-27078.json +++ b/2021/27xxx/CVE-2021-27078.json @@ -3,15 +3,99 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "secure@microsoft.com", "ID": "CVE-2021-27078", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 19", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 8", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2013", + "version": { + "version_data": [ + { + "version_value": "Cumulative Update 23" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2019 Cumulative Update 7", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + }, + { + "product_name": "Microsoft Exchange Server 2016 Cumulative Update 18", + "version": { + "version_data": [ + { + "version_value": "" + } + ] + } + } + ] + }, + "vendor_name": "Microsoft" + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote Code Execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27078", + "refsource": "MISC", + "name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27078" } ] } diff --git a/2021/27xxx/CVE-2021-27215.json b/2021/27xxx/CVE-2021-27215.json index 83ed86ed7e5..656703e3884 100644 --- a/2021/27xxx/CVE-2021-27215.json +++ b/2021/27xxx/CVE-2021-27215.json @@ -1,17 +1,71 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-27215", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-27215", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An issue was discovered in genua genugate before 9.0 Z p19, 9.1.x through 9.6.x before 9.6 p7, and 10.x before 10.1 p4. The Web Interfaces (Admin, Userweb, Sidechannel) can use different methods to perform the authentication of a user. A specific authentication method during login does not check the provided data (when a certain manipulation occurs) and returns OK for any authentication request. This allows an attacker to login to the admin panel as a user of his choice, e.g., the root user (with highest privileges) or even a non-existing user." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://www.genua.de/en/it-security-solutions/high-resistance-firewall-genugate", + "refsource": "MISC", + "name": "https://www.genua.de/en/it-security-solutions/high-resistance-firewall-genugate" + }, + { + "refsource": "MISC", + "name": "https://kunde.genua.de/en/overview/genugate.html", + "url": "https://kunde.genua.de/en/overview/genugate.html" + }, + { + "refsource": "MISC", + "name": "https://sec-consult.com/vulnerability-lab/advisory/authentication-bypass-genua-genugate/", + "url": "https://sec-consult.com/vulnerability-lab/advisory/authentication-bypass-genua-genugate/" } ] } diff --git a/2021/27xxx/CVE-2021-27803.json b/2021/27xxx/CVE-2021-27803.json index e48f7c4003a..82c6e921253 100644 --- a/2021/27xxx/CVE-2021-27803.json +++ b/2021/27xxx/CVE-2021-27803.json @@ -71,6 +71,16 @@ "refsource": "MLIST", "name": "[oss-security] 20210227 Re: wpa_supplicant P2P provision discovery processing vulnerability", "url": "http://www.openwall.com/lists/oss-security/2021/02/27/1" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-3430f96019", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOGP2VIVVXXQ6CZ2HU4DKGPDB4WR24XF/" + }, + { + "refsource": "MLIST", + "name": "[debian-lts-announce] 20210302 [SECURITY] [DLA 2581-1] wpa security update", + "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00003.html" } ] } diff --git a/2021/27xxx/CVE-2021-27804.json b/2021/27xxx/CVE-2021-27804.json index a80f76fcd97..de1fe305978 100644 --- a/2021/27xxx/CVE-2021-27804.json +++ b/2021/27xxx/CVE-2021-27804.json @@ -61,6 +61,11 @@ "refsource": "MISC", "name": "http://www.openwall.com/lists/oss-security/2021/03/01/3", "url": "http://www.openwall.com/lists/oss-security/2021/03/01/3" + }, + { + "refsource": "FULLDISC", + "name": "20210302 Multiple Vulnerabilities in jpeg-xl (CVE-2021-27804)", + "url": "http://seclists.org/fulldisclosure/2021/Mar/2" } ] } diff --git a/2021/27xxx/CVE-2021-27885.json b/2021/27xxx/CVE-2021-27885.json index 3d19af7af8a..d1b3a47c50f 100644 --- a/2021/27xxx/CVE-2021-27885.json +++ b/2021/27xxx/CVE-2021-27885.json @@ -1,17 +1,66 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-27885", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-27885", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/e107inc/e107/releases", + "refsource": "MISC", + "name": "https://github.com/e107inc/e107/releases" + }, + { + "refsource": "MISC", + "name": "https://github.com/e107inc/e107/commit/d9efdb9b5f424b4996c276e754a380a5e251f472", + "url": "https://github.com/e107inc/e107/commit/d9efdb9b5f424b4996c276e754a380a5e251f472" } ] } diff --git a/2021/27xxx/CVE-2021-27918.json b/2021/27xxx/CVE-2021-27918.json new file mode 100644 index 00000000000..26c3cc3c816 --- /dev/null +++ b/2021/27xxx/CVE-2021-27918.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2021-27918", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2021/27xxx/CVE-2021-27919.json b/2021/27xxx/CVE-2021-27919.json new file mode 100644 index 00000000000..20b0c8015e5 --- /dev/null +++ b/2021/27xxx/CVE-2021-27919.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2021-27919", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2021/27xxx/CVE-2021-27920.json b/2021/27xxx/CVE-2021-27920.json new file mode 100644 index 00000000000..b8298c8340a --- /dev/null +++ b/2021/27xxx/CVE-2021-27920.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2021-27920", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2021/27xxx/CVE-2021-27921.json b/2021/27xxx/CVE-2021-27921.json new file mode 100644 index 00000000000..af9346f3e9f --- /dev/null +++ b/2021/27xxx/CVE-2021-27921.json @@ -0,0 +1,62 @@ +{ + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2021-27921", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html", + "refsource": "MISC", + "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html" + } + ] + } +} \ No newline at end of file diff --git a/2021/27xxx/CVE-2021-27922.json b/2021/27xxx/CVE-2021-27922.json new file mode 100644 index 00000000000..a39d1913306 --- /dev/null +++ b/2021/27xxx/CVE-2021-27922.json @@ -0,0 +1,62 @@ +{ + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2021-27922", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html", + "refsource": "MISC", + "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html" + } + ] + } +} \ No newline at end of file diff --git a/2021/27xxx/CVE-2021-27923.json b/2021/27xxx/CVE-2021-27923.json new file mode 100644 index 00000000000..c7d47362767 --- /dev/null +++ b/2021/27xxx/CVE-2021-27923.json @@ -0,0 +1,62 @@ +{ + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2021-27923", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html", + "refsource": "MISC", + "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html" + } + ] + } +} \ No newline at end of file diff --git a/2021/27xxx/CVE-2021-27924.json b/2021/27xxx/CVE-2021-27924.json new file mode 100644 index 00000000000..be048e6fb35 --- /dev/null +++ b/2021/27xxx/CVE-2021-27924.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2021-27924", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2021/27xxx/CVE-2021-27925.json b/2021/27xxx/CVE-2021-27925.json new file mode 100644 index 00000000000..3aebb99d926 --- /dev/null +++ b/2021/27xxx/CVE-2021-27925.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2021-27925", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2021/27xxx/CVE-2021-27926.json b/2021/27xxx/CVE-2021-27926.json new file mode 100644 index 00000000000..feb0c9b4b0a --- /dev/null +++ b/2021/27xxx/CVE-2021-27926.json @@ -0,0 +1,18 @@ +{ + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ID": "CVE-2021-27926", + "ASSIGNER": "cve@mitre.org", + "STATE": "RESERVED" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + } + ] + } +} \ No newline at end of file diff --git a/2021/2xxx/CVE-2021-2138.json b/2021/2xxx/CVE-2021-2138.json index b7331e4855d..32a4e5bcbe2 100644 --- a/2021/2xxx/CVE-2021-2138.json +++ b/2021/2xxx/CVE-2021-2138.json @@ -3,15 +3,66 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2021-2138", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Oracle Cloud Infrastructure Data Science Notebook Sessions", + "version": { + "version_data": [ + { + "version_value": "*" + } + ] + } + } + ] + }, + "vendor_name": "Oracle Corporation" + } + ] + } }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Vulnerability in the Oracle Cloud Infrastructure Data Science Notebook Sessions. Easily exploitable vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the Oracle Cloud Infrastructure Data Science Notebook Sessions executes to compromise Oracle Cloud Infrastructure Data Science Notebook Sessions. Successful attacks of this vulnerability can resultin unauthorized update, insert or delete access to some of Oracle Cloud Infrastructure Data Science Notebook Sessions accessible data as well as unauthorized read access to a subset of Oracle Cloud Infrastructure Data Science Notebook Sessions accessible data. All affected customers were notified of CVE-2021-2138 by Oracle. CVSS 3.1 Base Score 4.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)" + } + ] + }, + "impact": { + "cvss": { + "baseScore": "4.6", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Easily exploitable vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the Oracle Cloud Infrastructure Data Science Notebook Sessions executes to compromise Oracle Cloud Infrastructure Data Science Notebook Sessions. Successful attacks of this vulnerability can resultin unauthorized update, insert or delete access to some of Oracle Cloud Infrastructure Data Science Notebook Sessions accessible data as well as unauthorized read access to a subset of Oracle Cloud Infrastructure Data Science Notebook Sessions accessible data. All affected customers were notified of CVE-2021-2138 by Oracle." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://support.oracle.com", + "name": "https://support.oracle.com", + "refsource": "MISC" } ] } diff --git a/2021/3xxx/CVE-2021-3144.json b/2021/3xxx/CVE-2021-3144.json index 674a1e2419c..df2f7750d83 100644 --- a/2021/3xxx/CVE-2021-3144.json +++ b/2021/3xxx/CVE-2021-3144.json @@ -61,6 +61,16 @@ "refsource": "CONFIRM", "name": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-904a2dbc0c", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-5756fbf8a6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/" } ] } diff --git a/2021/3xxx/CVE-2021-3148.json b/2021/3xxx/CVE-2021-3148.json index 40900bedb40..1eb576b7ad1 100644 --- a/2021/3xxx/CVE-2021-3148.json +++ b/2021/3xxx/CVE-2021-3148.json @@ -61,6 +61,16 @@ "refsource": "CONFIRM", "name": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-904a2dbc0c", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-5756fbf8a6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/" } ] } diff --git a/2021/3xxx/CVE-2021-3197.json b/2021/3xxx/CVE-2021-3197.json index 5095bb00aef..bc15ade03cb 100644 --- a/2021/3xxx/CVE-2021-3197.json +++ b/2021/3xxx/CVE-2021-3197.json @@ -61,6 +61,16 @@ "refsource": "CONFIRM", "name": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/", "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-904a2dbc0c", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/" + }, + { + "refsource": "FEDORA", + "name": "FEDORA-2021-5756fbf8a6", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/" } ] } diff --git a/2021/3xxx/CVE-2021-3291.json b/2021/3xxx/CVE-2021-3291.json index 815e6befcf0..a8ddf503105 100644 --- a/2021/3xxx/CVE-2021-3291.json +++ b/2021/3xxx/CVE-2021-3291.json @@ -56,6 +56,11 @@ "refsource": "MISC", "name": "https://github.com/MucahitSaratar/zencart_auth_rce_poc", "url": "https://github.com/MucahitSaratar/zencart_auth_rce_poc" + }, + { + "refsource": "MISC", + "name": "http://packetstormsecurity.com/files/161613/Zen-Cart-1.5.7b-Remote-Code-Execution.html", + "url": "http://packetstormsecurity.com/files/161613/Zen-Cart-1.5.7b-Remote-Code-Execution.html" } ] } diff --git a/2021/3xxx/CVE-2021-3384.json b/2021/3xxx/CVE-2021-3384.json index c134aa681d6..8ef4dc2eae7 100644 --- a/2021/3xxx/CVE-2021-3384.json +++ b/2021/3xxx/CVE-2021-3384.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { - "ID": "CVE-2021-3384", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ID": "CVE-2021-3384", + "STATE": "PUBLIC" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability in Stormshield Network Security could allow an attacker to trigger a protection related to ARP/NDP tables management, which would temporarily prevent the system to contact new hosts via IPv4 or IPv6. This affects versions 2.0.0 to 2.7.7, 2.8.0 to 2.16.0, 3.0.0 to 3.7.16, 3.8.0 to 3.11.4, and 4.0.0 to 4.1.5. Fixed in versions 2.7.8, 3.7.17, 3.11.5, and 4.2.0." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "CONFIRM", + "name": "https://advisories.stormshield.eu/2020-049/", + "url": "https://advisories.stormshield.eu/2020-049/" } ] } diff --git a/2021/3xxx/CVE-2021-3419.json b/2021/3xxx/CVE-2021-3419.json index d1250f7984d..7bd133f8556 100644 --- a/2021/3xxx/CVE-2021-3419.json +++ b/2021/3xxx/CVE-2021-3419.json @@ -5,13 +5,13 @@ "CVE_data_meta": { "ID": "CVE-2021-3419", "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "REJECT" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none." } ] }