From 382cc1c0205eb6c84c9b8db01b15a770347931ee Mon Sep 17 00:00:00 2001 From: cad-safe-bot Date: Fri, 26 Jul 2024 12:03:14 +0000 Subject: [PATCH] Auto-Update: 2024-07-26T12:00:17.147041+00:00 --- CVE-2023/CVE-2023-385xx/CVE-2023-38522.json | 37 +++++++++++++++++++++ CVE-2024/CVE-2024-250xx/CVE-2024-25090.json | 4 +++ CVE-2024/CVE-2024-351xx/CVE-2024-35161.json | 37 +++++++++++++++++++++ CVE-2024/CVE-2024-352xx/CVE-2024-35296.json | 37 +++++++++++++++++++++ CVE-2024/CVE-2024-70xx/CVE-2024-7079.json | 22 +++++++----- README.md | 16 +++++---- _state.csv | 7 ++-- 7 files changed, 143 insertions(+), 17 deletions(-) create mode 100644 CVE-2023/CVE-2023-385xx/CVE-2023-38522.json create mode 100644 CVE-2024/CVE-2024-351xx/CVE-2024-35161.json create mode 100644 CVE-2024/CVE-2024-352xx/CVE-2024-35296.json diff --git a/CVE-2023/CVE-2023-385xx/CVE-2023-38522.json b/CVE-2023/CVE-2023-385xx/CVE-2023-38522.json new file mode 100644 index 00000000000..d02df28a472 --- /dev/null +++ b/CVE-2023/CVE-2023-385xx/CVE-2023-38522.json @@ -0,0 +1,37 @@ +{ + "id": "CVE-2023-38522", + "sourceIdentifier": "security@apache.org", + "published": "2024-07-26T10:15:01.923", + "lastModified": "2024-07-26T10:15:01.923", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "Apache Traffic Server accepts characters that are not allowed for HTTP field names and forwards malformed requests to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue." + }, + { + "lang": "es", + "value": "Apache Traffic Server acepta caracteres que no est\u00e1n permitidos para los nombres de campos HTTP y reenv\u00eda las solicitudes malformadas a los servidores de origen. Esto se puede utilizar para el contrabando de solicitudes y tambi\u00e9n puede provocar un envenenamiento de la cach\u00e9 si los servidores de origen son vulnerables. Este problema afecta a Apache Traffic Server: desde la versi\u00f3n 8.0.0 hasta la 8.1.10, desde la 9.0.0 hasta la 9.2.4. Se recomienda a los usuarios que actualicen a la versi\u00f3n 8.1.11 o 9.2.5, que soluciona el problema." + } + ], + "metrics": {}, + "weaknesses": [ + { + "source": "security@apache.org", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-20" + } + ] + } + ], + "references": [ + { + "url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0", + "source": "security@apache.org" + } + ] +} \ No newline at end of file diff --git a/CVE-2024/CVE-2024-250xx/CVE-2024-25090.json b/CVE-2024/CVE-2024-250xx/CVE-2024-25090.json index 5463a819569..3f98053eaad 100644 --- a/CVE-2024/CVE-2024-250xx/CVE-2024-25090.json +++ b/CVE-2024/CVE-2024-250xx/CVE-2024-25090.json @@ -9,6 +9,10 @@ { "lang": "en", "value": "Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.3.\n\nThis issue affects Apache Roller: from 5.0.0 before 6.1.3.\n\nUsers are recommended to upgrade to version 6.1.3, which fixes the issue." + }, + { + "lang": "es", + "value": "La validaci\u00f3n de entrada y sanitizaci\u00f3n insuficientes de las funciones Profile name & screenname, Bookmark name & description and blogroll name en todas las versiones de Apache Roller en todas las plataformas permite que un usuario autenticado realice un ataque de XSS. Mitigaci\u00f3n: si no tiene Roller configurado para usuarios no confiables, entonces no necesita hacer nada porque conf\u00eda en que sus usuarios creen HTML sin formato y otro contenido web. Si est\u00e1 ejecutando con usuarios no confiables, entonces debe actualizar a Roller 6.1.3. Este problema afecta a Apache Roller: desde 5.0.0 hasta 6.1.3. Se recomienda a los usuarios que actualicen a la versi\u00f3n 6.1.3, que soluciona el problema." } ], "metrics": {}, diff --git a/CVE-2024/CVE-2024-351xx/CVE-2024-35161.json b/CVE-2024/CVE-2024-351xx/CVE-2024-35161.json new file mode 100644 index 00000000000..93f9fd4302e --- /dev/null +++ b/CVE-2024/CVE-2024-351xx/CVE-2024-35161.json @@ -0,0 +1,37 @@ +{ + "id": "CVE-2024-35161", + "sourceIdentifier": "security@apache.org", + "published": "2024-07-26T10:15:02.567", + "lastModified": "2024-07-26T10:15:02.567", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section.\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue." + }, + { + "lang": "es", + "value": "Apache Traffic Server reenv\u00eda la secci\u00f3n fragmentada HTTP mal formada a los servidores de origen. Esto se puede utilizar para el contrabando de solicitudes y tambi\u00e9n puede provocar un envenenamiento de la cach\u00e9 si los servidores de origen son vulnerables. Este problema afecta a Apache Traffic Server: desde la versi\u00f3n 8.0.0 hasta la 8.1.10, desde la versi\u00f3n 9.0.0 hasta la 9.2.4. Los usuarios pueden establecer una nueva configuraci\u00f3n (proxy.config.http.drop_chunked_trailers) para no reenviar la secci\u00f3n fragmentada del tr\u00e1iler. Se recomienda a los usuarios que actualicen a la versi\u00f3n 8.1.11 o 9.2.5, que soluciona el problema." + } + ], + "metrics": {}, + "weaknesses": [ + { + "source": "security@apache.org", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-20" + } + ] + } + ], + "references": [ + { + "url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0", + "source": "security@apache.org" + } + ] +} \ No newline at end of file diff --git a/CVE-2024/CVE-2024-352xx/CVE-2024-35296.json b/CVE-2024/CVE-2024-352xx/CVE-2024-35296.json new file mode 100644 index 00000000000..d794aeecb99 --- /dev/null +++ b/CVE-2024/CVE-2024-352xx/CVE-2024-35296.json @@ -0,0 +1,37 @@ +{ + "id": "CVE-2024-35296", + "sourceIdentifier": "security@apache.org", + "published": "2024-07-26T10:15:02.713", + "lastModified": "2024-07-26T10:15:02.713", + "vulnStatus": "Received", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.\n\nThis issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.\n\nUsers are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue." + }, + { + "lang": "es", + "value": "Un encabezado Invalid Accept-Encoding puede provocar que Apache Traffic Server no pueda realizar una b\u00fasqueda en cach\u00e9 y fuerce el reenv\u00edo de solicitudes. Este problema afecta a Apache Traffic Server: de la versi\u00f3n 8.0.0 a la 8.1.10 y de la versi\u00f3n 9.0.0 a la 9.2.4. Se recomienda a los usuarios que actualicen a la versi\u00f3n 8.1.11 o 9.2.5, que soluciona el problema." + } + ], + "metrics": {}, + "weaknesses": [ + { + "source": "security@apache.org", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-20" + } + ] + } + ], + "references": [ + { + "url": "https://lists.apache.org/thread/c4mcmpblgl8kkmyt56t23543gp8v56m0", + "source": "security@apache.org" + } + ] +} \ No newline at end of file diff --git a/CVE-2024/CVE-2024-70xx/CVE-2024-7079.json b/CVE-2024/CVE-2024-70xx/CVE-2024-7079.json index 42adeb6c757..56b6f6c8d92 100644 --- a/CVE-2024/CVE-2024-70xx/CVE-2024-7079.json +++ b/CVE-2024/CVE-2024-70xx/CVE-2024-7079.json @@ -2,13 +2,17 @@ "id": "CVE-2024-7079", "sourceIdentifier": "secalert@redhat.com", "published": "2024-07-24T16:15:07.613", - "lastModified": "2024-07-25T17:31:23.670", - "vulnStatus": "Analyzed", + "lastModified": "2024-07-26T10:15:02.840", + "vulnStatus": "Modified", "cveTags": [], "descriptions": [ { "lang": "en", "value": "A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint." + }, + { + "lang": "es", + "value": "Se encontr\u00f3 una falla en la consola Openshift. El endpoint /API/helm/verify tiene la tarea de buscar y verificar la instalaci\u00f3n de un gr\u00e1fico Helm desde un URI que sea HTTP/HTTPS remoto o local. El acceso a este endpoint est\u00e1 controlado por la funci\u00f3n de middleware authHandlerWithUser(). Al contrario de lo que sugiere su nombre, esta funci\u00f3n de middleware no verifica la validez de las credenciales del usuario. Como resultado, los usuarios no autenticados pueden acceder a este endpoint." } ], "metrics": { @@ -38,20 +42,20 @@ "type": "Secondary", "cvssData": { "version": "3.1", - "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", - "privilegesRequired": "LOW", + "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", - "confidentialityImpact": "NONE", + "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", - "baseScore": 5.4, - "baseSeverity": "MEDIUM" + "baseScore": 7.1, + "baseSeverity": "HIGH" }, - "exploitabilityScore": 2.3, - "impactScore": 2.7 + "exploitabilityScore": 2.8, + "impactScore": 3.7 } ] }, diff --git a/README.md b/README.md index 5289acf2d4c..dc0cdb60d84 100644 --- a/README.md +++ b/README.md @@ -13,13 +13,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2024-07-26T10:00:17.266954+00:00 +2024-07-26T12:00:17.147041+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2024-07-26T09:15:09.700000+00:00 +2024-07-26T10:15:02.840000+00:00 ``` ### Last Data Feed Release @@ -33,20 +33,24 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ ### Total Number of included CVEs ```plain -257998 +258001 ``` ### CVEs added in the last Commit -Recently added CVEs: `1` +Recently added CVEs: `3` -- [CVE-2024-25090](CVE-2024/CVE-2024-250xx/CVE-2024-25090.json) (`2024-07-26T09:15:09.700`) +- [CVE-2023-38522](CVE-2023/CVE-2023-385xx/CVE-2023-38522.json) (`2024-07-26T10:15:01.923`) +- [CVE-2024-35161](CVE-2024/CVE-2024-351xx/CVE-2024-35161.json) (`2024-07-26T10:15:02.567`) +- [CVE-2024-35296](CVE-2024/CVE-2024-352xx/CVE-2024-35296.json) (`2024-07-26T10:15:02.713`) ### CVEs modified in the last Commit -Recently modified CVEs: `0` +Recently modified CVEs: `2` +- [CVE-2024-25090](CVE-2024/CVE-2024-250xx/CVE-2024-25090.json) (`2024-07-26T09:15:09.700`) +- [CVE-2024-7079](CVE-2024/CVE-2024-70xx/CVE-2024-7079.json) (`2024-07-26T10:15:02.840`) ## Download and Usage diff --git a/_state.csv b/_state.csv index 5ce65621df8..6dcb3d40340 100644 --- a/_state.csv +++ b/_state.csv @@ -228819,6 +228819,7 @@ CVE-2023-38519,0,0,6feaff72ade735a2704fe8b8d9fef165f38317b422d397afb665c1d949162 CVE-2023-3852,0,0,2e1924f99097894c16104baab278a5a9ebf2db30430b465cf669815f850b7012,2024-05-17T02:27:53.627000 CVE-2023-38520,0,0,197a50cf0e44468d0337f27c399e1eb786a843546ac6c93f4b96fc50b52947ed,2024-06-04T16:57:41.053000 CVE-2023-38521,0,0,db18a9cb610e915922179831c59c7c6fe34d72db737eedb8a3400ffd344e745d,2023-09-08T06:42:06.290000 +CVE-2023-38522,1,1,83abd391f475a726f77b69a9ceaf9383593998ab37ec2591405f0457884e086b,2024-07-26T10:15:01.923000 CVE-2023-38523,0,0,4aeddda5cda4b987f05bc442064079c7a51cd36ed6a7d399ee18b0f7f42fa30b,2023-08-01T15:24:35.470000 CVE-2023-38524,0,0,c9e82639b2360f7e976dd3c089d1e601c218712b31ea68380c38a40a316e9b16,2024-06-11T12:15:10.860000 CVE-2023-38525,0,0,a4b40a45af79e11e4c16594d15803bcacdf8a6cc50b68a023dfce812a89911bf,2024-06-11T12:15:11.073000 @@ -245894,7 +245895,7 @@ CVE-2024-25087,0,0,c72ecbfe33bc1bedb424c3a8db8ed1e75d362fa6fbd3c127b6373b38910f7 CVE-2024-25088,0,0,9b1375c3c781149325c14c39fa835c2c88a69323c212b1013c4ad4d387aa77de,2024-07-05T17:04:50.340000 CVE-2024-25089,0,0,4d3ddaeeeaf0e005a5320fd57126d38836ae358b9586c6957758efb8e6b78742,2024-02-13T00:38:12.137000 CVE-2024-2509,0,0,e1632462213f3b340d9efadccdf81857ddba6b28ec7154489106797e9e1ad3ed,2024-07-03T01:53:19.050000 -CVE-2024-25090,1,1,af195bd25126d0f8d62b334cb8f260e12aae7bfe4a1dc1cbf05893e15452706d,2024-07-26T09:15:09.700000 +CVE-2024-25090,0,1,4f383aad3fd8b41c9ac65546440d8ef51b44144f46f2c0df347820a2796e6cb2,2024-07-26T09:15:09.700000 CVE-2024-25091,0,0,dea1cc9b372ccb28bdcce1ba1190ac3b21c3361d4c64bb82853a0d551bd6db2f,2024-03-01T14:04:04.827000 CVE-2024-25092,0,0,93228461014d21e76377d62123a9b74976fcddddff96fb9097cb4fcb49528f7c,2024-06-10T02:52:08.267000 CVE-2024-25093,0,0,b8e6c12d6bc03129058956c6365ec4ac1bf71d6b0585045592f329dee7756d25,2024-02-29T13:49:29.390000 @@ -252675,6 +252676,7 @@ CVE-2024-35154,0,0,7c994b7a6d7158efefd5e2d9a1e0bdd18fbe7152cacfbfaf67e2a7f91ec12 CVE-2024-35155,0,0,c326cd4166d9cbfa34efa54fd988e1d407d8925369f9983f14750e709112308a,2024-07-01T12:37:24.220000 CVE-2024-35156,0,0,e6fb36f1f810f4a246d710cbf82055f27ccde015fb0476ace50a7457c7ac5ea7,2024-07-01T12:37:24.220000 CVE-2024-3516,0,0,61323fc04733960d047e16de47c6d5cda2ae2931ba7c42276f6e75842f73a295,2024-07-03T02:06:20.027000 +CVE-2024-35161,1,1,12c5d7e2d1230c95de71fe1fdeb3125e44382625e8bb3bb3fa8e838f5a1ae4ed,2024-07-26T10:15:02.567000 CVE-2024-35162,0,0,898115932dab71d396aafa3d3e8a79f10b6e8ca121500758707a59e848faab9f,2024-05-22T12:46:53.887000 CVE-2024-35165,0,0,a5a2ced0aefc202025ce7b223ffafe3ffc4109906dfd07a5a8a0577e3f72ac5b,2024-05-14T16:11:39.510000 CVE-2024-35166,0,0,288535809aded0d0429463b3203e908304fa856ed04133053a9493366e89b509,2024-05-14T16:11:39.510000 @@ -252778,6 +252780,7 @@ CVE-2024-35284,0,0,3a94c448d00dd5059f3fd361118e6cd65d80e9412861f2d6774f390c6aa71 CVE-2024-3529,0,0,b7433b023ce9172d03becfe0cc0d18595c43e3d8737e87c779d288c2827cf3e8,2024-05-17T02:39:59.247000 CVE-2024-35291,0,0,5225c2a0abe81b64c53a235e59e3157e49cd9481d5912145de7f4fa19255770a,2024-05-28T12:39:28.377000 CVE-2024-35292,0,0,e3b3d736ef0c9425797f6a5a9790b2cb56e0a53578005725786d8a247ceee1f2,2024-06-11T13:54:12.057000 +CVE-2024-35296,1,1,0f061a870fc4bcab09bee7638e796310786bc76affc4da7a85d0e69c57648395,2024-07-26T10:15:02.713000 CVE-2024-35297,0,0,a17fd925b730fd9803b93156d1a4f0f1baa604bce402fb65f95c09819b0a7763,2024-05-28T12:39:28.377000 CVE-2024-35298,0,0,767802677800ceed2390ec4b021eb4a1bb445bf1aba3154a6ba4d4e3eb13ec79,2024-07-03T02:01:32.613000 CVE-2024-35299,0,0,243cc758e93ac683f2ab1068e78446f59938832d5b992bf674806bf0216e461c,2024-05-16T13:03:05.353000 @@ -257983,7 +257986,7 @@ CVE-2024-7066,0,0,f0b9597030c216e17a91b9bbd330c3ccd1220fd3a9abefaf98fb6df981dc96 CVE-2024-7067,0,0,cd81f5e59f5ccc969e002fbd0535f928704dbb9e13b2c7b953cab40d6b4980c7,2024-07-24T17:12:32.367000 CVE-2024-7068,0,0,cac04426a823885bf463d5cf48bd0b19bdd9f06486030fe1d0967c67ee664aca,2024-07-25T17:47:18.717000 CVE-2024-7069,0,0,78b88a4dfaca203680acecf4b770bf67b674c773d2cef9278ec8b5ea1e8b95a5,2024-07-25T17:33:53.777000 -CVE-2024-7079,0,0,68e61be40519330b32f107a33f12ffbe08d3803318162cc3f95b14c0cf6f3c17,2024-07-25T17:31:23.670000 +CVE-2024-7079,0,1,432b6c38d04c17da8e2aeea6e5677915e33a84f70f04ebe0988a953bc8892b6d,2024-07-26T10:15:02.840000 CVE-2024-7080,0,0,0e8be1f5ff49b98f2e12f041d9740e0c98dcb4e55d2c6eaebafa31aadf939e95,2024-07-25T12:36:39.947000 CVE-2024-7081,0,0,4fe1e74e2e72cdc5207c5caa9565efa26fd09299ada94965c4896e36b361ec5f,2024-07-25T12:36:39.947000 CVE-2024-7091,0,0,e8d0dd8bb435701b961e03b8d58836a663b21eec4a32e53ec9bb349c72e7294b,2024-07-25T12:36:39.947000