diff --git a/CVE-2023/CVE-2023-471xx/CVE-2023-47122.json b/CVE-2023/CVE-2023-471xx/CVE-2023-47122.json
new file mode 100644
index 00000000000..a0e9e2c54d5
--- /dev/null
+++ b/CVE-2023/CVE-2023-471xx/CVE-2023-47122.json
@@ -0,0 +1,67 @@
+{
+ "id": "CVE-2023-47122",
+ "sourceIdentifier": "security-advisories@github.com",
+ "published": "2023-11-10T22:15:14.250",
+ "lastModified": "2023-11-10T22:15:14.250",
+ "vulnStatus": "Received",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV31": [
+ {
+ "source": "security-advisories@github.com",
+ "type": "Secondary",
+ "cvssData": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N",
+ "attackVector": "NETWORK",
+ "attackComplexity": "HIGH",
+ "privilegesRequired": "HIGH",
+ "userInteraction": "REQUIRED",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.2,
+ "baseSeverity": "MEDIUM"
+ },
+ "exploitabilityScore": 0.5,
+ "impactScore": 3.6
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security-advisories@github.com",
+ "type": "Secondary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-347"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model",
+ "source": "security-advisories@github.com"
+ },
+ {
+ "url": "https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236",
+ "source": "security-advisories@github.com"
+ },
+ {
+ "url": "https://github.com/sigstore/gitsign/pull/399",
+ "source": "security-advisories@github.com"
+ },
+ {
+ "url": "https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc",
+ "source": "security-advisories@github.com"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index 5b468b2d6e8..54fd06eb9e1 100644
--- a/README.md
+++ b/README.md
@@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
 ### Last Repository Update
 ```plain
-2023-11-10T21:00:18.809981+00:00
+2023-11-10T23:00:19.312599+00:00
 ```
 ### Most recent CVE Modification Timestamp synchronized with NVD
 ```plain
-2023-11-10T20:15:07.263000+00:00
+2023-11-10T22:15:14.250000+00:00
 ```
 ### Last Data Feed Release
@@ -29,16 +29,14 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
 ### Total Number of included CVEs
 ```plain
-230343
+230344
 ```
 ### CVEs added in the last Commit
-Recently added CVEs: `3`
+Recently added CVEs: `1`
-* [CVE-2023-47108](CVE-2023/CVE-2023-471xx/CVE-2023-47108.json) (`2023-11-10T19:15:16.410`)
-* [CVE-2023-47129](CVE-2023/CVE-2023-471xx/CVE-2023-47129.json) (`2023-11-10T19:15:16.617`)
-* [CVE-2023-36027](CVE-2023/CVE-2023-360xx/CVE-2023-36027.json) (`2023-11-10T20:15:07.263`)
+* [CVE-2023-47122](CVE-2023/CVE-2023-471xx/CVE-2023-47122.json) (`2023-11-10T22:15:14.250`)
 ### CVEs modified in the last Commit