Auto-Update: 2023-12-21T11:00:24.198106+00:00

CVE-2023/CVE-2023-25xx/CVE-2023-2585.json

@@ -0,0 +1,79 @@
+{
+  "id": "CVE-2023-2585",
+  "sourceIdentifier": "secalert@redhat.com",
+  "published": "2023-12-21T10:15:34.533",
+  "lastModified": "2023-12-21T10:15:34.533",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "secalert@redhat.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "HIGH",
+          "userInteraction": "REQUIRED",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "LOW",
+          "availabilityImpact": "NONE",
+          "baseScore": 3.5,
+          "baseSeverity": "LOW"
+        },
+        "exploitabilityScore": 0.9,
+        "impactScore": 2.5
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "secalert@redhat.com",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-358"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://access.redhat.com/errata/RHSA-2023:3883",
+      "source": "secalert@redhat.com"
+    },
+    {
+      "url": "https://access.redhat.com/errata/RHSA-2023:3884",
+      "source": "secalert@redhat.com"
+    },
+    {
+      "url": "https://access.redhat.com/errata/RHSA-2023:3885",
+      "source": "secalert@redhat.com"
+    },
+    {
+      "url": "https://access.redhat.com/errata/RHSA-2023:3888",
+      "source": "secalert@redhat.com"
+    },
+    {
+      "url": "https://access.redhat.com/errata/RHSA-2023:3892",
+      "source": "secalert@redhat.com"
+    },
+    {
+      "url": "https://access.redhat.com/security/cve/CVE-2023-2585",
+      "source": "secalert@redhat.com"
+    },
+    {
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196335",
+      "source": "secalert@redhat.com"
+    }
+  ]
+}

CVE-2023/CVE-2023-472xx/CVE-2023-47265.json

@@ -0,0 +1,36 @@
+{
+  "id": "CVE-2023-47265",
+  "sourceIdentifier": "security@apache.org",
+  "published": "2023-12-21T10:15:35.713",
+  "lastModified": "2023-12-21T10:15:35.713",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG.\u00a0This Javascript can be executed on the client side of any of the user who looks at the tasks in the browser sandbox. While this issue does not allow to exit the browser sandbox or manipulation of the server-side data - more than the DAG author already has, it allows to modify what the user looking at the DAG details sees in the browser - which opens up all kinds of possibilities of misleading other users.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability\n"
+    }
+  ],
+  "metrics": {},
+  "weaknesses": [
+    {
+      "source": "security@apache.org",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-79"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/apache/airflow/pull/35460",
+      "source": "security@apache.org"
+    },
+    {
+      "url": "https://lists.apache.org/thread/128f3zl375vb1qv93k82zhnwkpl233pr",
+      "source": "security@apache.org"
+    }
+  ]
+}

CVE-2023/CVE-2023-482xx/CVE-2023-48291.json

@@ -0,0 +1,36 @@
+{
+  "id": "CVE-2023-48291",
+  "sourceIdentifier": "security@apache.org",
+  "published": "2023-12-21T10:15:36.043",
+  "lastModified": "2023-12-21T10:15:36.043",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.\n\nThis is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2\u00a0\n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability."
+    }
+  ],
+  "metrics": {},
+  "weaknesses": [
+    {
+      "source": "security@apache.org",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-668"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/apache/airflow/pull/34366",
+      "source": "security@apache.org"
+    },
+    {
+      "url": "https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3",
+      "source": "security@apache.org"
+    }
+  ]
+}

CVE-2023/CVE-2023-499xx/CVE-2023-49920.json

@@ -0,0 +1,36 @@
+{
+  "id": "CVE-2023-49920",
+  "sourceIdentifier": "security@apache.org",
+  "published": "2023-12-21T10:15:36.330",
+  "lastModified": "2023-12-21T10:15:36.330",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation.\u00a0As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.\nUsers are advised to upgrade to version 2.8.0 or later which is not affected"
+    }
+  ],
+  "metrics": {},
+  "weaknesses": [
+    {
+      "source": "security@apache.org",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-352"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/apache/airflow/pull/36026",
+      "source": "security@apache.org"
+    },
+    {
+      "url": "https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq",
+      "source": "security@apache.org"
+    }
+  ]
+}

CVE-2023/CVE-2023-507xx/CVE-2023-50783.json

@@ -0,0 +1,36 @@
+{
+  "id": "CVE-2023-50783",
+  "sourceIdentifier": "security@apache.org",
+  "published": "2023-12-21T10:15:36.607",
+  "lastModified": "2023-12-21T10:15:36.607",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.\nThis flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.\nUsers are recommended to upgrade to 2.8.0, which fixes this issue"
+    }
+  ],
+  "metrics": {},
+  "weaknesses": [
+    {
+      "source": "security@apache.org",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-284"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/apache/airflow/pull/33932",
+      "source": "security@apache.org"
+    },
+    {
+      "url": "https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn",
+      "source": "security@apache.org"
+    }
+  ]
+}

CVE-2023/CVE-2023-516xx/CVE-2023-51655.json

@@ -0,0 +1,55 @@
+{
+  "id": "CVE-2023-51655",
+  "sourceIdentifier": "cve@jetbrains.com",
+  "published": "2023-12-21T10:15:36.850",
+  "lastModified": "2023-12-21T10:15:36.850",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration"
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "cve@jetbrains.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
+          "attackVector": "LOCAL",
+          "attackComplexity": "HIGH",
+          "privilegesRequired": "NONE",
+          "userInteraction": "REQUIRED",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "NONE",
+          "baseScore": 6.3,
+          "baseSeverity": "MEDIUM"
+        },
+        "exploitabilityScore": 1.0,
+        "impactScore": 5.2
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "cve@jetbrains.com",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-349"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://www.jetbrains.com/privacy-security/issues-fixed/",
+      "source": "cve@jetbrains.com"
+    }
+  ]
+}

CVE-2023/CVE-2023-59xx/CVE-2023-5988.json

@@ -0,0 +1,55 @@
+{
+  "id": "CVE-2023-5988",
+  "sourceIdentifier": "iletisim@usom.gov.tr",
+  "published": "2023-12-21T10:15:37.383",
+  "lastModified": "2023-12-21T10:15:37.383",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uyumsoft Information System and Technologies LioXERP allows Reflected XSS.This issue affects LioXERP: before v.146.\n\n"
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "iletisim@usom.gov.tr",
+        "type": "Primary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "REQUIRED",
+          "scope": "CHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "LOW",
+          "availabilityImpact": "NONE",
+          "baseScore": 6.1,
+          "baseSeverity": "MEDIUM"
+        },
+        "exploitabilityScore": 2.8,
+        "impactScore": 2.7
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "iletisim@usom.gov.tr",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-79"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://www.usom.gov.tr/bildirim/tr-23-0721",
+      "source": "iletisim@usom.gov.tr"
+    }
+  ]
+}

CVE-2023/CVE-2023-59xx/CVE-2023-5989.json

@@ -0,0 +1,55 @@
+{
+  "id": "CVE-2023-5989",
+  "sourceIdentifier": "iletisim@usom.gov.tr",
+  "published": "2023-12-21T10:15:37.990",
+  "lastModified": "2023-12-21T10:15:37.990",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uyumsoft Information System and Technologies LioXERP allows Stored XSS.This issue affects LioXERP: before v.146.\n\n"
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "iletisim@usom.gov.tr",
+        "type": "Primary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "LOW",
+          "userInteraction": "REQUIRED",
+          "scope": "CHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "LOW",
+          "availabilityImpact": "NONE",
+          "baseScore": 5.4,
+          "baseSeverity": "MEDIUM"
+        },
+        "exploitabilityScore": 2.3,
+        "impactScore": 2.7
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "iletisim@usom.gov.tr",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-79"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://www.usom.gov.tr/bildirim/tr-23-0721",
+      "source": "iletisim@usom.gov.tr"
+    }
+  ]
+}

README.md

@@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
 ### Last Repository Update
 
 ```plain
-2023-12-21T07:00:24.396298+00:00
+2023-12-21T11:00:24.198106+00:00
 ```
 
 ### Most recent CVE Modification Timestamp synchronized with NVD
 
 ```plain
-2023-12-21T06:15:44.030000+00:00
+2023-12-21T10:15:37.990000+00:00
 ```
 
 ### Last Data Feed Release
@@ -29,21 +29,27 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
 ### Total Number of included CVEs
 
 ```plain
-233920
+233928
 ```
 
 ### CVEs added in the last Commit
 
-Recently added CVEs: `1`
+Recently added CVEs: `8`
 
-* [CVE-2023-7026](CVE-2023/CVE-2023-70xx/CVE-2023-7026.json) (`2023-12-21T05:15:08.733`)
+* [CVE-2023-2585](CVE-2023/CVE-2023-25xx/CVE-2023-2585.json) (`2023-12-21T10:15:34.533`)
+* [CVE-2023-47265](CVE-2023/CVE-2023-472xx/CVE-2023-47265.json) (`2023-12-21T10:15:35.713`)
+* [CVE-2023-48291](CVE-2023/CVE-2023-482xx/CVE-2023-48291.json) (`2023-12-21T10:15:36.043`)
+* [CVE-2023-49920](CVE-2023/CVE-2023-499xx/CVE-2023-49920.json) (`2023-12-21T10:15:36.330`)
+* [CVE-2023-50783](CVE-2023/CVE-2023-507xx/CVE-2023-50783.json) (`2023-12-21T10:15:36.607`)
+* [CVE-2023-51655](CVE-2023/CVE-2023-516xx/CVE-2023-51655.json) (`2023-12-21T10:15:36.850`)
+* [CVE-2023-5988](CVE-2023/CVE-2023-59xx/CVE-2023-5988.json) (`2023-12-21T10:15:37.383`)
+* [CVE-2023-5989](CVE-2023/CVE-2023-59xx/CVE-2023-5989.json) (`2023-12-21T10:15:37.990`)
 
 
 ### CVEs modified in the last Commit
 
-Recently modified CVEs: `1`
+Recently modified CVEs: `0`
 
-* [CVE-2023-6622](CVE-2023/CVE-2023-66xx/CVE-2023-6622.json) (`2023-12-21T06:15:44.030`)
 
 
 ## Download and Usage