Auto-Update: 2024-03-09T03:00:31.217266+00:00

2025-07-09 16:05:11 +00:00 · 2024-03-09 03:03:18 +00:00 · 2024-03-09 03:03:18 +00:00 · 5e10b988b5
commit 5e10b988b5
parent a564441237
6 changed files with 267 additions and 9 deletions
--- a/CVE-2024/CVE-2024-281xx/CVE-2024-28122.json
+++ b/CVE-2024/CVE-2024-281xx/CVE-2024-28122.json
@ -0,0 +1,63 @@
+{
+  "id": "CVE-2024-28122",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2024-03-09T01:15:06.940",
+  "lastModified": "2024-03-09T01:15:06.940",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": " JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "HIGH",
+          "userInteraction": "NONE",
+          "scope": "CHANGED",
+          "confidentialityImpact": "NONE",
+          "integrityImpact": "NONE",
+          "availabilityImpact": "HIGH",
+          "baseScore": 6.8,
+          "baseSeverity": "MEDIUM"
+        },
+        "exploitabilityScore": 2.3,
+        "impactScore": 4.0
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-400"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/CVE-2024/CVE-2024-281xx/CVE-2024-28176.json
+++ b/CVE-2024/CVE-2024-281xx/CVE-2024-28176.json
@ -0,0 +1,63 @@
+{
+  "id": "CVE-2024-28176",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2024-03-09T01:15:07.147",
+  "lastModified": "2024-03-09T01:15:07.147",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has \n been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "HIGH",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "NONE",
+          "integrityImpact": "NONE",
+          "availabilityImpact": "HIGH",
+          "baseScore": 4.9,
+          "baseSeverity": "MEDIUM"
+        },
+        "exploitabilityScore": 1.2,
+        "impactScore": 3.6
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-400"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/CVE-2024/CVE-2024-281xx/CVE-2024-28180.json
+++ b/CVE-2024/CVE-2024-281xx/CVE-2024-28180.json
@ -0,0 +1,67 @@
+{
+  "id": "CVE-2024-28180",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2024-03-09T01:15:07.340",
+  "lastModified": "2024-03-09T01:15:07.340",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n"
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "LOW",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "NONE",
+          "integrityImpact": "NONE",
+          "availabilityImpact": "LOW",
+          "baseScore": 4.3,
+          "baseSeverity": "MEDIUM"
+        },
+        "exploitabilityScore": 2.8,
+        "impactScore": 1.4
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-409"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/CVE-2024/CVE-2024-281xx/CVE-2024-28184.json
+++ b/CVE-2024/CVE-2024-281xx/CVE-2024-28184.json
@ -0,0 +1,59 @@
+{
+  "id": "CVE-2024-28184",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2024-03-09T01:15:07.573",
+  "lastModified": "2024-03-09T01:15:07.573",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.\n"
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "LOW",
+          "userInteraction": "NONE",
+          "scope": "CHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "LOW",
+          "availabilityImpact": "LOW",
+          "baseScore": 7.4,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 3.1,
+        "impactScore": 3.7
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-829"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/Kozea/WeasyPrint/commit/734ee8e2dc84ff3090682f3abff056d0907c8598",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-35jj-wx47-4w8r",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/README.md
+++ b/README.md
@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
 ### Last Repository Update

 ```plain
-2024-03-09T00:55:30.152523+00:00
+2024-03-09T03:00:31.217266+00:00
 ```

 ### Most recent CVE Modification Timestamp synchronized with NVD

 ```plain
-2024-03-09T00:15:59.987000+00:00
+2024-03-09T01:15:07.573000+00:00
 ```

 ### Last Data Feed Release
@ -23,21 +23,23 @@ Repository synchronizes with the NVD every 2 hours.
 Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest)

 ```plain
-2024-03-08T01:00:20.252904+00:00
+2024-03-09T01:00:20.293605+00:00
 ```

 ### Total Number of included CVEs

 ```plain
-240915
+240919
 ```

 ### CVEs added in the last Commit

-Recently added CVEs: `2`
+Recently added CVEs: `4`

-* [CVE-2024-28753](CVE-2024/CVE-2024-287xx/CVE-2024-28753.json) (`2024-03-09T00:15:59.923`)
-* [CVE-2024-28754](CVE-2024/CVE-2024-287xx/CVE-2024-28754.json) (`2024-03-09T00:15:59.987`)
+* [CVE-2024-28122](CVE-2024/CVE-2024-281xx/CVE-2024-28122.json) (`2024-03-09T01:15:06.940`)
+* [CVE-2024-28176](CVE-2024/CVE-2024-281xx/CVE-2024-28176.json) (`2024-03-09T01:15:07.147`)
+* [CVE-2024-28180](CVE-2024/CVE-2024-281xx/CVE-2024-28180.json) (`2024-03-09T01:15:07.340`)
+* [CVE-2024-28184](CVE-2024/CVE-2024-281xx/CVE-2024-28184.json) (`2024-03-09T01:15:07.573`)


 ### CVEs modified in the last Commit
--- a/_state.csv
+++ b/_state.csv
@ -240886,6 +240886,7 @@ CVE-2024-28097,0,0,ad0a3d7a6b96970687d28d32c41921c3200422c4265f25f269de512c4cb80
 CVE-2024-28110,0,0,0aa63c709bee34101fee09332c67840fa8b7d5aea01ed58b7f238cd7f26f2f87,2024-03-07T13:52:27.110000
 CVE-2024-28111,0,0,ef109000cb681b8950a504435d888106cd334990070bd9ca1f33bba165c1974a,2024-03-07T13:52:27.110000
 CVE-2024-28115,0,0,3e0e705412ec4ecfb9fabefcb95634cd838a6bf7c9c03087d677ba199986f693,2024-03-08T14:02:57.420000
+CVE-2024-28122,1,1,fda19940cddf3c43c85f1263bb21fd0f3c6eda799819a07018fd0196480f432e,2024-03-09T01:15:06.940000
 CVE-2024-28149,0,0,bb1327eb2ceb44ae2cc8e952fde2f54b109f1740591e1ece1b912c644025402b,2024-03-06T21:42:54.697000
 CVE-2024-28150,0,0,bd9c785686979f74fc956d3a9d80b65ba208ec849a10e17a7f0c9226761980a2,2024-03-06T21:42:54.697000
 CVE-2024-28151,0,0,473d59d35d2166d8f0877541c6be6e5f16e5683e6e89c2ed65e060f312f6c9a8,2024-03-06T21:42:54.697000
@ -240902,6 +240903,9 @@ CVE-2024-28161,0,0,a8b5439e973c7cdb8f91b0ae68db3c77b6c3c773d21694d3bca0cd7aa2867
 CVE-2024-28162,0,0,9f95dea899a301f3d7e776202ce6567032bc57cf37ea2c387cd5d210ccf05a4b,2024-03-06T21:42:54.697000
 CVE-2024-28173,0,0,e0fed71b03fa1080cdfc47a71a0b80da5e87b19e624557c11c0e172f4b2c098a,2024-03-06T21:42:54.697000
 CVE-2024-28174,0,0,fa1674b985861bddf4d0ff5ab075ec0e4328a9665c668bfe339f9f0de580d6b1,2024-03-06T21:42:54.697000
+CVE-2024-28176,1,1,ec66585e52c3c8e3b4fb9f83e97cc916a02934873883e31c12138152edd61a21,2024-03-09T01:15:07.147000
+CVE-2024-28180,1,1,36948ee811f0956f6903e72d9246c3ebee20cdd663526ac3d8c5fb4fc67d1cd0,2024-03-09T01:15:07.340000
+CVE-2024-28184,1,1,175c0a55aefc92aa2382d5f4b6fba98002e10cf3cfcd47cb089861bb42bf966f,2024-03-09T01:15:07.573000
 CVE-2024-28211,0,0,c1ed1ddd829861cccd703be6254c437e62099ef974f2a29a31d06b3aa407dda5,2024-03-07T13:52:27.110000
 CVE-2024-28212,0,0,5a2751cb50b15d5c440d2b8966e76c727b56c2f7e1085394c9464fe62a449a7f,2024-03-07T13:52:27.110000
 CVE-2024-28213,0,0,123dce2bcd1dc69568d6c5cbaff040ae81dbab0468f48456713cfbf9a03f5945,2024-03-07T13:52:27.110000
@ -240912,5 +240916,5 @@ CVE-2024-28222,0,0,fc2bb6625872999de46c3fec787964c81811fbafba85fd6aa0a9c0c190c12
 CVE-2024-28228,0,0,fafeac90b4103ecc037c0d15d4376f652ba43048a680a73a3c13807568e40859,2024-03-07T13:52:27.110000
 CVE-2024-28229,0,0,7bfc3b59e790a5126732ec4d8d480f9938166a41475488b32e066c1e064ccb9f,2024-03-07T13:52:27.110000
 CVE-2024-28230,0,0,3036aa70102b53b9cc695265dc4a11e5a4f5b8d26f6120835dbd1a9c3d93e7ec,2024-03-07T13:52:27.110000
-CVE-2024-28753,1,1,125d1396e6c6b0e66335f7e7b1bd0a96847c075a3105c05c042d4fa16177854d,2024-03-09T00:15:59.923000
-CVE-2024-28754,1,1,0369a848ec0f7eb40f27bf58345615a77048218f0bda34f00547c17f43514791,2024-03-09T00:15:59.987000
+CVE-2024-28753,0,0,125d1396e6c6b0e66335f7e7b1bd0a96847c075a3105c05c042d4fa16177854d,2024-03-09T00:15:59.923000
+CVE-2024-28754,0,0,0369a848ec0f7eb40f27bf58345615a77048218f0bda34f00547c17f43514791,2024-03-09T00:15:59.987000