From 544874e5282e73f1c352a8ea19c896ad89103319 Mon Sep 17 00:00:00 2001 From: cad-safe-bot Date: Mon, 9 Oct 2023 18:00:28 +0000 Subject: [PATCH] Auto-Update: 2023-10-09T18:00:24.981599+00:00 --- CVE-2019/CVE-2019-56xx/CVE-2019-5638.json | 50 +++++++++------- CVE-2023/CVE-2023-309xx/CVE-2023-30910.json | 55 ++++++++++++++++++ CVE-2023/CVE-2023-410xx/CVE-2023-41047.json | 63 +++++++++++++++++++++ CVE-2023/CVE-2023-424xx/CVE-2023-42455.json | 63 +++++++++++++++++++++ CVE-2023/CVE-2023-444xx/CVE-2023-44400.json | 63 +++++++++++++++++++++ CVE-2023/CVE-2023-51xx/CVE-2023-5169.json | 6 +- CVE-2023/CVE-2023-51xx/CVE-2023-5171.json | 6 +- CVE-2023/CVE-2023-51xx/CVE-2023-5176.json | 8 ++- CVE-2023/CVE-2023-52xx/CVE-2023-5217.json | 8 ++- CVE-2023/CVE-2023-53xx/CVE-2023-5365.json | 20 +++++++ README.md | 28 ++++----- 11 files changed, 329 insertions(+), 41 deletions(-) create mode 100644 CVE-2023/CVE-2023-309xx/CVE-2023-30910.json create mode 100644 CVE-2023/CVE-2023-410xx/CVE-2023-41047.json create mode 100644 CVE-2023/CVE-2023-424xx/CVE-2023-42455.json create mode 100644 CVE-2023/CVE-2023-444xx/CVE-2023-44400.json create mode 100644 CVE-2023/CVE-2023-53xx/CVE-2023-5365.json diff --git a/CVE-2019/CVE-2019-56xx/CVE-2019-5638.json b/CVE-2019/CVE-2019-56xx/CVE-2019-5638.json index 7df65dc45eb..ed44f7b113c 100644 --- a/CVE-2019/CVE-2019-56xx/CVE-2019-5638.json +++ b/CVE-2019/CVE-2019-56xx/CVE-2019-5638.json @@ -2,12 +2,12 @@ "id": "CVE-2019-5638", "sourceIdentifier": "cve@rapid7.con", "published": "2019-08-21T20:15:13.007", - "lastModified": "2019-10-09T23:51:01.747", + "lastModified": "2023-10-09T16:15:10.183", "vulnStatus": "Modified", "descriptions": [ { "lang": "en", - "value": "Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage." + "value": "Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage.\n\n" }, { "lang": "es", @@ -15,6 +15,28 @@ } ], "metrics": { + "cvssMetricV31": [ + { + "source": "cve@rapid7.con", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "NONE", + "baseScore": 8.7, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 2.3, + "impactScore": 5.8 + } + ], "cvssMetricV30": [ { "source": "nvd@nist.gov", @@ -35,26 +57,6 @@ }, "exploitabilityScore": 2.8, "impactScore": 5.9 - }, - { - "source": "cve@rapid7.con", - "type": "Secondary", - "cvssData": { - "version": "3.0", - "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", - "attackVector": "NETWORK", - "attackComplexity": "LOW", - "privilegesRequired": "LOW", - "userInteraction": "REQUIRED", - "scope": "CHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "HIGH", - "availabilityImpact": "NONE", - "baseScore": 8.7, - "baseSeverity": "HIGH" - }, - "exploitabilityScore": 2.3, - "impactScore": 5.8 } ], "cvssMetricV2": [ @@ -124,6 +126,10 @@ } ], "references": [ + { + "url": "https://docs.rapid7.com/insightvm/enable-insightvm-platform-login", + "source": "cve@rapid7.con" + }, { "url": "https://help.rapid7.com/nexpose/en-us/release-notes/archive/2019/02/", "source": "cve@rapid7.con", diff --git a/CVE-2023/CVE-2023-309xx/CVE-2023-30910.json b/CVE-2023/CVE-2023-309xx/CVE-2023-30910.json new file mode 100644 index 00000000000..8223e007e86 --- /dev/null +++ b/CVE-2023/CVE-2023-309xx/CVE-2023-30910.json @@ -0,0 +1,55 @@ +{ + "id": "CVE-2023-30910", + "sourceIdentifier": "security-alert@hpe.com", + "published": "2023-10-09T16:15:10.400", + "lastModified": "2023-10-09T16:15:10.400", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "HPE MSA Controller prior to version\u00a0IN210R004 could be remotely exploited to allow inconsistent interpretation of HTTP requests.\u00a0" + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-alert@hpe.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "security-alert@hpe.com", + "type": "Secondary", + "description": [ + { + "lang": "en", + "value": "CWE-444" + } + ] + } + ], + "references": [ + { + "url": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbst04539en_us", + "source": "security-alert@hpe.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-410xx/CVE-2023-41047.json b/CVE-2023/CVE-2023-410xx/CVE-2023-41047.json new file mode 100644 index 00000000000..4bfe97d45dc --- /dev/null +++ b/CVE-2023/CVE-2023-410xx/CVE-2023-41047.json @@ -0,0 +1,63 @@ +{ + "id": "CVE-2023-41047", + "sourceIdentifier": "security-advisories@github.com", + "published": "2023-10-09T16:15:10.480", + "lastModified": "2023-10-09T16:15:10.480", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", + "attackVector": "ADJACENT_NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "HIGH", + "userInteraction": "REQUIRED", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "LOW", + "baseScore": 6.2, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 0.7, + "impactScore": 5.5 + } + ] + }, + "weaknesses": [ + { + "source": "security-advisories@github.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-1336" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph", + "source": "security-advisories@github.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-424xx/CVE-2023-42455.json b/CVE-2023/CVE-2023-424xx/CVE-2023-42455.json new file mode 100644 index 00000000000..fd72d809ebe --- /dev/null +++ b/CVE-2023/CVE-2023-424xx/CVE-2023-42455.json @@ -0,0 +1,63 @@ +{ + "id": "CVE-2023-42455", + "sourceIdentifier": "security-advisories@github.com", + "published": "2023-10-09T17:15:09.923", + "lastModified": "2023-10-09T17:15:09.923", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Wazuh is a security detection, visibility, and compliance open source project. In versions 4.4.0 and 4.4.1, it is possible to get the Wazuh API administrator key used by the Dashboard using the browser development tools. This allows a logged user to the dashboard to become administrator of the API, even if their dashboard role is not. Version 4.4.2 contains a fix. There are no known workarounds." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + } + ] + }, + "weaknesses": [ + { + "source": "security-advisories@github.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-639" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/wazuh/wazuh-dashboard-plugins/issues/5427", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/wazuh/wazuh-kibana-app/pull/5428", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/wazuh/wazuh-kibana-app/security/advisories/GHSA-8w7x-52r7-qvjf", + "source": "security-advisories@github.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-444xx/CVE-2023-44400.json b/CVE-2023/CVE-2023-444xx/CVE-2023-44400.json new file mode 100644 index 00000000000..09cfa5fdb8b --- /dev/null +++ b/CVE-2023/CVE-2023-444xx/CVE-2023-44400.json @@ -0,0 +1,63 @@ +{ + "id": "CVE-2023-44400", + "sourceIdentifier": "security-advisories@github.com", + "published": "2023-10-09T16:15:10.567", + "lastModified": "2023-10-09T16:15:10.567", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 has a patch for the issue." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "attackVector": "LOCAL", + "attackComplexity": "LOW", + "privilegesRequired": "HIGH", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 6.7, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 0.8, + "impactScore": 5.9 + } + ] + }, + "weaknesses": [ + { + "source": "security-advisories@github.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-384" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/louislam/uptime-kuma/commit/88afab6571ef7d4d41bb395cdb6ecd3968835a4a", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/louislam/uptime-kuma/issues/3481", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g", + "source": "security-advisories@github.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-51xx/CVE-2023-5169.json b/CVE-2023/CVE-2023-51xx/CVE-2023-5169.json index 1aa3e15536e..58757b528d0 100644 --- a/CVE-2023/CVE-2023-51xx/CVE-2023-5169.json +++ b/CVE-2023/CVE-2023-51xx/CVE-2023-5169.json @@ -2,7 +2,7 @@ "id": "CVE-2023-5169", "sourceIdentifier": "security@mozilla.org", "published": "2023-09-27T15:19:42.127", - "lastModified": "2023-10-05T23:15:09.523", + "lastModified": "2023-10-09T16:15:10.647", "vulnStatus": "Undergoing Analysis", "descriptions": [ { @@ -122,6 +122,10 @@ "Third Party Advisory" ] }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html", + "source": "security@mozilla.org" + }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/", "source": "security@mozilla.org" diff --git a/CVE-2023/CVE-2023-51xx/CVE-2023-5171.json b/CVE-2023/CVE-2023-51xx/CVE-2023-5171.json index 8587895a4da..ffdadd174bb 100644 --- a/CVE-2023/CVE-2023-51xx/CVE-2023-5171.json +++ b/CVE-2023/CVE-2023-51xx/CVE-2023-5171.json @@ -2,7 +2,7 @@ "id": "CVE-2023-5171", "sourceIdentifier": "security@mozilla.org", "published": "2023-09-27T15:19:42.227", - "lastModified": "2023-10-05T23:15:09.640", + "lastModified": "2023-10-09T16:15:10.783", "vulnStatus": "Undergoing Analysis", "descriptions": [ { @@ -123,6 +123,10 @@ "Third Party Advisory" ] }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html", + "source": "security@mozilla.org" + }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/", "source": "security@mozilla.org" diff --git a/CVE-2023/CVE-2023-51xx/CVE-2023-5176.json b/CVE-2023/CVE-2023-51xx/CVE-2023-5176.json index 9e7e8b42e79..9196f472849 100644 --- a/CVE-2023/CVE-2023-51xx/CVE-2023-5176.json +++ b/CVE-2023/CVE-2023-51xx/CVE-2023-5176.json @@ -2,8 +2,8 @@ "id": "CVE-2023-5176", "sourceIdentifier": "security@mozilla.org", "published": "2023-09-27T15:19:42.767", - "lastModified": "2023-10-03T22:15:10.717", - "vulnStatus": "Modified", + "lastModified": "2023-10-09T16:15:10.870", + "vulnStatus": "Undergoing Analysis", "descriptions": [ { "lang": "en", @@ -116,6 +116,10 @@ "Third Party Advisory" ] }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html", + "source": "security@mozilla.org" + }, { "url": "https://www.debian.org/security/2023/dsa-5506", "source": "security@mozilla.org", diff --git a/CVE-2023/CVE-2023-52xx/CVE-2023-5217.json b/CVE-2023/CVE-2023-52xx/CVE-2023-5217.json index 905d89560f1..a9bacd83655 100644 --- a/CVE-2023/CVE-2023-52xx/CVE-2023-5217.json +++ b/CVE-2023/CVE-2023-52xx/CVE-2023-5217.json @@ -2,8 +2,8 @@ "id": "CVE-2023-5217", "sourceIdentifier": "chrome-cve-admin@google.com", "published": "2023-09-28T16:15:10.980", - "lastModified": "2023-10-06T06:15:12.867", - "vulnStatus": "Undergoing Analysis", + "lastModified": "2023-10-09T16:15:10.960", + "vulnStatus": "Modified", "cisaExploitAdd": "2023-10-02", "cisaActionDue": "2023-10-23", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", @@ -254,6 +254,10 @@ "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00001.html", "source": "chrome-cve-admin@google.com" }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html", + "source": "chrome-cve-admin@google.com" + }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4/", "source": "chrome-cve-admin@google.com" diff --git a/CVE-2023/CVE-2023-53xx/CVE-2023-5365.json b/CVE-2023/CVE-2023-53xx/CVE-2023-5365.json new file mode 100644 index 00000000000..a59d9fd0c02 --- /dev/null +++ b/CVE-2023/CVE-2023-53xx/CVE-2023-5365.json @@ -0,0 +1,20 @@ +{ + "id": "CVE-2023-5365", + "sourceIdentifier": "hp-security-alert@hp.com", + "published": "2023-10-09T16:15:11.117", + "lastModified": "2023-10-09T16:15:11.117", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "HP LIFE Android Mobile application is potentially vulnerable to escalation of privilege and/or information disclosure." + } + ], + "metrics": {}, + "references": [ + { + "url": "https://support.hp.com/us-en/document/ish_9393937-9393961-16/hpsbgn03870", + "source": "hp-security-alert@hp.com" + } + ] +} \ No newline at end of file diff --git a/README.md b/README.md index 56a060f0b04..1f051784e46 100644 --- a/README.md +++ b/README.md @@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2023-10-09T16:00:24.330729+00:00 +2023-10-09T18:00:24.981599+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2023-10-09T15:15:10.057000+00:00 +2023-10-09T17:15:09.923000+00:00 ``` ### Last Data Feed Release @@ -29,27 +29,29 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ ### Total Number of included CVEs ```plain -227233 +227238 ``` ### CVEs added in the last Commit -Recently added CVEs: `7` +Recently added CVEs: `5` -* [CVE-2022-35950](CVE-2022/CVE-2022-359xx/CVE-2022-35950.json) (`2023-10-09T14:15:10.437`) -* [CVE-2023-25822](CVE-2023/CVE-2023-258xx/CVE-2023-25822.json) (`2023-10-09T14:15:10.547`) -* [CVE-2023-36820](CVE-2023/CVE-2023-368xx/CVE-2023-36820.json) (`2023-10-09T14:15:10.640`) -* [CVE-2023-41660](CVE-2023/CVE-2023-416xx/CVE-2023-41660.json) (`2023-10-09T14:15:10.723`) -* [CVE-2023-43643](CVE-2023/CVE-2023-436xx/CVE-2023-43643.json) (`2023-10-09T14:15:10.797`) -* [CVE-2023-44378](CVE-2023/CVE-2023-443xx/CVE-2023-44378.json) (`2023-10-09T14:15:10.873`) -* [CVE-2023-44393](CVE-2023/CVE-2023-443xx/CVE-2023-44393.json) (`2023-10-09T15:15:10.057`) +* [CVE-2023-30910](CVE-2023/CVE-2023-309xx/CVE-2023-30910.json) (`2023-10-09T16:15:10.400`) +* [CVE-2023-41047](CVE-2023/CVE-2023-410xx/CVE-2023-41047.json) (`2023-10-09T16:15:10.480`) +* [CVE-2023-44400](CVE-2023/CVE-2023-444xx/CVE-2023-44400.json) (`2023-10-09T16:15:10.567`) +* [CVE-2023-5365](CVE-2023/CVE-2023-53xx/CVE-2023-5365.json) (`2023-10-09T16:15:11.117`) +* [CVE-2023-42455](CVE-2023/CVE-2023-424xx/CVE-2023-42455.json) (`2023-10-09T17:15:09.923`) ### CVEs modified in the last Commit -Recently modified CVEs: `1` +Recently modified CVEs: `5` -* [CVE-2023-39928](CVE-2023/CVE-2023-399xx/CVE-2023-39928.json) (`2023-10-09T15:15:09.890`) +* [CVE-2019-5638](CVE-2019/CVE-2019-56xx/CVE-2019-5638.json) (`2023-10-09T16:15:10.183`) +* [CVE-2023-5169](CVE-2023/CVE-2023-51xx/CVE-2023-5169.json) (`2023-10-09T16:15:10.647`) +* [CVE-2023-5171](CVE-2023/CVE-2023-51xx/CVE-2023-5171.json) (`2023-10-09T16:15:10.783`) +* [CVE-2023-5176](CVE-2023/CVE-2023-51xx/CVE-2023-5176.json) (`2023-10-09T16:15:10.870`) +* [CVE-2023-5217](CVE-2023/CVE-2023-52xx/CVE-2023-5217.json) (`2023-10-09T16:15:10.960`) ## Download and Usage