Auto-Update: 2024-07-26T12:00:17.147041+00:00

This commit is contained in:
cad-safe-bot 2024-07-26 12:03:14 +00:00
parent 1e352e4863
commit 382cc1c020
7 changed files with 143 additions and 17 deletions

@ -0,0 +1,37 @@
{
"id": "CVE-2023-38522",
"sourceIdentifier": "security@apache.org",
"published": "2024-07-26T10:15:01.923",
"lastModified": "2024-07-26T10:15:01.923",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue."
},
{
"lang": "es",
"value": "Apache Traffic Server acepta caracteres que no est\u00e1n permitidos para los nombres de campos HTTP y reenv\u00eda las solicitudes malformadas a los servidores de origen. Esto se puede utilizar para el contrabando de solicitudes y tambi\u00e9n puede provocar un envenenamiento de la cach\u00e9 si los servidores de origen son vulnerables. Este problema afecta a Apache Traffic Server: desde la versi\u00f3n 8.0.0 hasta la 8.1.10, desde la 9.0.0 hasta la 9.2.4. Se recomienda a los usuarios que actualicen a la versi\u00f3n 8.1.11 o 9.2.5, que soluciona el problema."
}
],
"metrics": {},
"weaknesses": [
{
"source": "security@apache.org",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
],
"references": [
{
"url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0",
"source": "security@apache.org"
}
]
}
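
Review bot: `"metrics": {}` together with `"vulnStatus": "Received"` means this record carries no CVSS vector or score yet, and the affected ranges (8.0.0 through 8.1.10, 9.0.0 through 9.2.4) exist only inside the prose `value` string, with no structured configuration block. Anything that filters this feed on `baseSeverity` or matches installed versions against CPE ranges will silently skip a request-smuggling issue; treat `Received` records as unscored rather than low-severity, and re-check them once NVD analysis lands.
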

@ -9,6 +9,10 @@
{
"lang": "en",
"value": "Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.3.\n\nThis issue affects Apache Roller: from 5.0.0 before 6.1.3.\n\nUsers are recommended to upgrade to version 6.1.3, which fixes the issue."
},
{
"lang": "es",
"value": "La validaci\u00f3n de entrada y sanitizaci\u00f3n insuficientes de las funciones Profile name & screenname, Bookmark name & description and blogroll name en todas las versiones de Apache Roller en todas las plataformas permite que un usuario autenticado realice un ataque de XSS. Mitigaci\u00f3n: si no tiene Roller configurado para usuarios no confiables, entonces no necesita hacer nada porque conf\u00eda en que sus usuarios creen HTML sin formato y otro contenido web. Si est\u00e1 ejecutando con usuarios no confiables, entonces debe actualizar a Roller 6.1.3. Este problema afecta a Apache Roller: desde 5.0.0 hasta 6.1.3. Se recomienda a los usuarios que actualicen a la versi\u00f3n 6.1.3, que soluciona el problema."
}
],
"metrics": {},
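
Review bot: the added `es` text renders the version range as "desde 5.0.0 hasta 6.1.3", which reads as an inclusive upper bound, while the English `value` says "from 5.0.0 before 6.1.3", i.e. 6.1.3 is the fixed release and is not affected. The translation is upstream NVD text, so the point is for consumers matching on the Spanish description, not for this mirror. The hunk header does not identify the file; the README change in this commit lists CVE-2024-25090 as the modified record.
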

@ -0,0 +1,37 @@
{
"id": "CVE-2024-35161",
"sourceIdentifier": "security@apache.org",
"published": "2024-07-26T10:15:02.567",
"lastModified": "2024-07-26T10:15:02.567",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section.\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue."
},
{
"lang": "es",
"value": "Apache Traffic Server reenv\u00eda la secci\u00f3n fragmentada HTTP mal formada a los servidores de origen. Esto se puede utilizar para el contrabando de solicitudes y tambi\u00e9n puede provocar un envenenamiento de la cach\u00e9 si los servidores de origen son vulnerables. Este problema afecta a Apache Traffic Server: desde la versi\u00f3n 8.0.0 hasta la 8.1.10, desde la versi\u00f3n 9.0.0 hasta la 9.2.4. Los usuarios pueden establecer una nueva configuraci\u00f3n (proxy.config.http.drop_chunked_trailers) para no reenviar la secci\u00f3n fragmentada del tr\u00e1iler. Se recomienda a los usuarios que actualicen a la versi\u00f3n 8.1.11 o 9.2.5, que soluciona el problema."
}
],
"metrics": {},
"weaknesses": [
{
"source": "security@apache.org",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
],
"references": [
{
"url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0",
"source": "security@apache.org"
}
]
}
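
Review bot: the workaround in the `en` description names a "new setting" `proxy.config.http.drop_chunked_trailers` but the record never states which release introduced it; the only versions given are the affected ranges and the fixed releases 8.1.11 and 9.2.5, so an operator on 8.1.10 cannot tell from this record alone whether the knob exists before upgrading. The single reference, `https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0`, is the same thread cited for CVE-2023-38522 above, so the Traffic Server records in this commit share one advisory, and `metrics` is again empty.
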

@ -0,0 +1,37 @@
{
"id": "CVE-2024-35296",
"sourceIdentifier": "security@apache.org",
"published": "2024-07-26T10:15:02.713",
"lastModified": "2024-07-26T10:15:02.713",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue."
},
{
"lang": "es",
"value": "Un encabezado Invalid Accept-Encoding puede provocar que Apache Traffic Server no pueda realizar una b\u00fasqueda en cach\u00e9 y fuerce el reenv\u00edo de solicitudes. Este problema afecta a Apache Traffic Server: de la versi\u00f3n 8.0.0 a la 8.1.10 y de la versi\u00f3n 9.0.0 a la 9.2.4. Se recomienda a los usuarios que actualicen a la versi\u00f3n 8.1.11 o 9.2.5, que soluciona el problema."
}
],
"metrics": {},
"weaknesses": [
{
"source": "security@apache.org",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
],
"references": [
{
"url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0",
"source": "security@apache.org"
}
]
}
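
Review bot: the `es` value begins "Un encabezado Invalid Accept-Encoding", treating "Invalid" as part of the header name, whereas the English `value` means a malformed `Accept-Encoding` header; a reader of the Spanish text could go looking for a header literally named "Invalid Accept-Encoding". As with the other two Traffic Server records in this commit, `metrics` is `{}`, so the cache-bypass behaviour described ("fail cache lookup and force forwarding requests") has no availability score attached yet.
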

@ -2,13 +2,17 @@
"id": "CVE-2024-7079",
"sourceIdentifier": "secalert@redhat.com",
"published": "2024-07-24T16:15:07.613",
"lastModified": "2024-07-25T17:31:23.670",
"vulnStatus": "Analyzed",
"lastModified": "2024-07-26T10:15:02.840",
"vulnStatus": "Modified",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una falla en la consola Openshift. El endpoint /API/helm/verify tiene la tarea de buscar y verificar la instalaci\u00f3n de un gr\u00e1fico Helm desde un URI que sea HTTP/HTTPS remoto o local. El acceso a este endpoint est\u00e1 controlado por la funci\u00f3n de middleware authHandlerWithUser(). Al contrario de lo que sugiere su nombre, esta funci\u00f3n de middleware no verifica la validez de las credenciales del usuario. Como resultado, los usuarios no autenticados pueden acceder a este endpoint."
}
],
"metrics": {
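
Review bot: `vulnStatus` moves from `Analyzed` back to `Modified` with `lastModified` advancing to `2024-07-26T10:15:02.840`; apart from those two lines the hunk only adds the `es` description. Consumers that treat `Analyzed` as a terminal state and stop polling a record will miss this re-open, so the status field should be re-read on every sync rather than cached.
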
@ -38,20 +42,20 @@
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
"baseScore": 7.1,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
"exploitabilityScore": 2.8,
"impactScore": 3.7
}
]
},
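
Review bot: the updated vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L` is internally consistent with the new sub-scores: with PR:N and scope changed, exploitability is 8.22 × 0.85 × 0.77 × 0.85 × 0.62 ≈ 2.8; impact with three LOW impacts is 7.52 × (0.525 − 0.029) minus a negligible correction ≈ 3.7; and 1.08 × (3.7 + 2.8) rounded up gives 7.1, matching `baseScore`. Moving to PR:N agrees with the description's statement that `authHandlerWithUser()` does not verify credentials. This is the `"type": "Secondary"` (CNA) entry only; no Primary metric is touched in this hunk, so tooling that reads just the NVD primary score will not see the MEDIUM-to-HIGH change.
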

@ -13,13 +13,13 @@ Repository synchronizes with the NVD every 2 hours.
### Last Repository Update
```plain
2024-07-26T10:00:17.266954+00:00
2024-07-26T12:00:17.147041+00:00
```
### Most recent CVE Modification Timestamp synchronized with NVD
```plain
2024-07-26T09:15:09.700000+00:00
2024-07-26T10:15:02.840000+00:00
```
### Last Data Feed Release
@ -33,20 +33,24 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
### Total Number of included CVEs
```plain
257998
258001
```
### CVEs added in the last Commit
Recently added CVEs: `1`
Recently added CVEs: `3`
- [CVE-2024-25090](CVE-2024/CVE-2024-250xx/CVE-2024-25090.json) (`2024-07-26T09:15:09.700`)
- [CVE-2023-38522](CVE-2023/CVE-2023-385xx/CVE-2023-38522.json) (`2024-07-26T10:15:01.923`)
- [CVE-2024-35161](CVE-2024/CVE-2024-351xx/CVE-2024-35161.json) (`2024-07-26T10:15:02.567`)
- [CVE-2024-35296](CVE-2024/CVE-2024-352xx/CVE-2024-35296.json) (`2024-07-26T10:15:02.713`)
### CVEs modified in the last Commit
Recently modified CVEs: `0`
Recently modified CVEs: `2`
- [CVE-2024-25090](CVE-2024/CVE-2024-250xx/CVE-2024-25090.json) (`2024-07-26T09:15:09.700`)
- [CVE-2024-7079](CVE-2024/CVE-2024-70xx/CVE-2024-7079.json) (`2024-07-26T10:15:02.840`)
## Download and Usage
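
Review bot: the total climbs from 257998 to 258001, matching the three entries under "CVEs added", but the "CVEs modified" list shows CVE-2024-25090 with `2024-07-26T09:15:09.700`, the same timestamp under which it was listed as added in the previous commit. The README therefore gives readers no signal of what changed in that record (the JSON hunk in this commit adds its `es` description); printing the per-CVE content hash from the CSV, or a one-word reason, next to modified entries would make the list actionable.
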

@ -228819,6 +228819,7 @@ CVE-2023-38519,0,0,6feaff72ade735a2704fe8b8d9fef165f38317b422d397afb665c1d949162
CVE-2023-3852,0,0,2e1924f99097894c16104baab278a5a9ebf2db30430b465cf669815f850b7012,2024-05-17T02:27:53.627000
CVE-2023-38520,0,0,197a50cf0e44468d0337f27c399e1eb786a843546ac6c93f4b96fc50b52947ed,2024-06-04T16:57:41.053000
CVE-2023-38521,0,0,db18a9cb610e915922179831c59c7c6fe34d72db737eedb8a3400ffd344e745d,2023-09-08T06:42:06.290000
CVE-2023-38522,1,1,83abd391f475a726f77b69a9ceaf9383593998ab37ec2591405f0457884e086b,2024-07-26T10:15:01.923000
CVE-2023-38523,0,0,4aeddda5cda4b987f05bc442064079c7a51cd36ed6a7d399ee18b0f7f42fa30b,2023-08-01T15:24:35.470000
CVE-2023-38524,0,0,c9e82639b2360f7e976dd3c089d1e601c218712b31ea68380c38a40a316e9b16,2024-06-11T12:15:10.860000
CVE-2023-38525,0,0,a4b40a45af79e11e4c16594d15803bcacdf8a6cc50b68a023dfce812a89911bf,2024-06-11T12:15:11.073000
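
Review bot: rows are ordered as strings, so `CVE-2023-3852` sits between `CVE-2023-38519` and `CVE-2023-38520` and the new `CVE-2023-38522` row lands after `CVE-2023-38521`; anyone merging this file with a numerically sorted list must sort on the numeric suffix rather than rely on line order. The new row's `1,1` flags and timestamp `2024-07-26T10:15:01.923000` are consistent with the `published` value in the added JSON above.
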
@ -245894,7 +245895,7 @@ CVE-2024-25087,0,0,c72ecbfe33bc1bedb424c3a8db8ed1e75d362fa6fbd3c127b6373b38910f7
CVE-2024-25088,0,0,9b1375c3c781149325c14c39fa835c2c88a69323c212b1013c4ad4d387aa77de,2024-07-05T17:04:50.340000
CVE-2024-25089,0,0,4d3ddaeeeaf0e005a5320fd57126d38836ae358b9586c6957758efb8e6b78742,2024-02-13T00:38:12.137000
CVE-2024-2509,0,0,e1632462213f3b340d9efadccdf81857ddba6b28ec7154489106797e9e1ad3ed,2024-07-03T01:53:19.050000
CVE-2024-25090,1,1,af195bd25126d0f8d62b334cb8f260e12aae7bfe4a1dc1cbf05893e15452706d,2024-07-26T09:15:09.700000
CVE-2024-25090,0,1,4f383aad3fd8b41c9ac65546440d8ef51b44144f46f2c0df347820a2796e6cb2,2024-07-26T09:15:09.700000
CVE-2024-25091,0,0,dea1cc9b372ccb28bdcce1ba1190ac3b21c3361d4c64bb82853a0d551bd6db2f,2024-03-01T14:04:04.827000
CVE-2024-25092,0,0,93228461014d21e76377d62123a9b74976fcddddff96fb9097cb4fcb49528f7c,2024-06-10T02:52:08.267000
CVE-2024-25093,0,0,b8e6c12d6bc03129058956c6365ec4ac1bf71d6b0585045592f329dee7756d25,2024-02-29T13:49:29.390000
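
Review bot: the CVE-2024-25090 row changes from `1,1` to `0,1` and gets a new hash while the timestamp column stays `2024-07-26T09:15:09.700000`. The hash, not the NVD timestamp, is therefore what detects this update (the JSON hunk earlier in the commit adds a Spanish description without bumping `lastModified`); any consumer that diffs this file on the timestamp column alone will miss it. The meaning of the two flag columns (added and modified in this commit, presumably) is not documented in the visible README excerpt and is worth stating there.
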
@ -252675,6 +252676,7 @@ CVE-2024-35154,0,0,7c994b7a6d7158efefd5e2d9a1e0bdd18fbe7152cacfbfaf67e2a7f91ec12
CVE-2024-35155,0,0,c326cd4166d9cbfa34efa54fd988e1d407d8925369f9983f14750e709112308a,2024-07-01T12:37:24.220000
CVE-2024-35156,0,0,e6fb36f1f810f4a246d710cbf82055f27ccde015fb0476ace50a7457c7ac5ea7,2024-07-01T12:37:24.220000
CVE-2024-3516,0,0,61323fc04733960d047e16de47c6d5cda2ae2931ba7c42276f6e75842f73a295,2024-07-03T02:06:20.027000
CVE-2024-35161,1,1,12c5d7e2d1230c95de71fe1fdeb3125e44382625e8bb3bb3fa8e838f5a1ae4ed,2024-07-26T10:15:02.567000
CVE-2024-35162,0,0,898115932dab71d396aafa3d3e8a79f10b6e8ca121500758707a59e848faab9f,2024-05-22T12:46:53.887000
CVE-2024-35165,0,0,a5a2ced0aefc202025ce7b223ffafe3ffc4109906dfd07a5a8a0577e3f72ac5b,2024-05-14T16:11:39.510000
CVE-2024-35166,0,0,288535809aded0d0429463b3203e908304fa856ed04133053a9493366e89b509,2024-05-14T16:11:39.510000
@ -252778,6 +252780,7 @@ CVE-2024-35284,0,0,3a94c448d00dd5059f3fd361118e6cd65d80e9412861f2d6774f390c6aa71
CVE-2024-3529,0,0,b7433b023ce9172d03becfe0cc0d18595c43e3d8737e87c779d288c2827cf3e8,2024-05-17T02:39:59.247000
CVE-2024-35291,0,0,5225c2a0abe81b64c53a235e59e3157e49cd9481d5912145de7f4fa19255770a,2024-05-28T12:39:28.377000
CVE-2024-35292,0,0,e3b3d736ef0c9425797f6a5a9790b2cb56e0a53578005725786d8a247ceee1f2,2024-06-11T13:54:12.057000
CVE-2024-35296,1,1,0f061a870fc4bcab09bee7638e796310786bc76affc4da7a85d0e69c57648395,2024-07-26T10:15:02.713000
CVE-2024-35297,0,0,a17fd925b730fd9803b93156d1a4f0f1baa604bce402fb65f95c09819b0a7763,2024-05-28T12:39:28.377000
CVE-2024-35298,0,0,767802677800ceed2390ec4b021eb4a1bb445bf1aba3154a6ba4d4e3eb13ec79,2024-07-03T02:01:32.613000
CVE-2024-35299,0,0,243cc758e93ac683f2ab1068e78446f59938832d5b992bf674806bf0216e461c,2024-05-16T13:03:05.353000
@ -257983,7 +257986,7 @@ CVE-2024-7066,0,0,f0b9597030c216e17a91b9bbd330c3ccd1220fd3a9abefaf98fb6df981dc96
CVE-2024-7067,0,0,cd81f5e59f5ccc969e002fbd0535f928704dbb9e13b2c7b953cab40d6b4980c7,2024-07-24T17:12:32.367000
CVE-2024-7068,0,0,cac04426a823885bf463d5cf48bd0b19bdd9f06486030fe1d0967c67ee664aca,2024-07-25T17:47:18.717000
CVE-2024-7069,0,0,78b88a4dfaca203680acecf4b770bf67b674c773d2cef9278ec8b5ea1e8b95a5,2024-07-25T17:33:53.777000
CVE-2024-7079,0,0,68e61be40519330b32f107a33f12ffbe08d3803318162cc3f95b14c0cf6f3c17,2024-07-25T17:31:23.670000
CVE-2024-7079,0,1,432b6c38d04c17da8e2aeea6e5677915e33a84f70f04ebe0988a953bc8892b6d,2024-07-26T10:15:02.840000
CVE-2024-7080,0,0,0e8be1f5ff49b98f2e12f041d9740e0c98dcb4e55d2c6eaebafa31aadf939e95,2024-07-25T12:36:39.947000
CVE-2024-7081,0,0,4fe1e74e2e72cdc5207c5caa9565efa26fd09299ada94965c4896e36b361ec5f,2024-07-25T12:36:39.947000
CVE-2024-7091,0,0,e8d0dd8bb435701b961e03b8d58836a663b21eec4a32e53ec9bb349c72e7294b,2024-07-25T12:36:39.947000
