diff --git a/CVE-2024/CVE-2024-281xx/CVE-2024-28122.json b/CVE-2024/CVE-2024-281xx/CVE-2024-28122.json new file mode 100644 index 00000000000..6f2d3cec544 --- /dev/null +++ b/CVE-2024/CVE-2024-281xx/CVE-2024-28122.json @@ -0,0 +1,63 @@ +{ + "id": "CVE-2024-28122", + "sourceIdentifier": "security-advisories@github.com", + "published": "2024-03-09T01:15:06.940", + "lastModified": "2024-03-09T01:15:06.940", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": " JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "HIGH", + "userInteraction": "NONE", + "scope": "CHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "baseScore": 6.8, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.3, + "impactScore": 4.0 + } + ] + }, + "weaknesses": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "description": [ + { + "lang": "en", + "value": "CWE-400" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259", + "source": "security-advisories@github.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2024/CVE-2024-281xx/CVE-2024-28176.json b/CVE-2024/CVE-2024-281xx/CVE-2024-28176.json new file mode 100644 index 00000000000..634a946a87c --- /dev/null +++ b/CVE-2024/CVE-2024-281xx/CVE-2024-28176.json @@ -0,0 +1,63 @@ +{ + "id": "CVE-2024-28176", + "sourceIdentifier": "security-advisories@github.com", + "published": "2024-03-09T01:15:07.147", + "lastModified": "2024-03-09T01:15:07.147", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has \n been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "HIGH", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "baseScore": 4.9, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 1.2, + "impactScore": 3.6 + } + ] + }, + "weaknesses": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "description": [ + { + "lang": "en", + "value": "CWE-400" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q", + "source": "security-advisories@github.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2024/CVE-2024-281xx/CVE-2024-28180.json b/CVE-2024/CVE-2024-281xx/CVE-2024-28180.json new file mode 100644 index 00000000000..b3c4de00c79 --- /dev/null +++ b/CVE-2024/CVE-2024-281xx/CVE-2024-28180.json @@ -0,0 +1,67 @@ +{ + "id": "CVE-2024-28180", + "sourceIdentifier": "security-advisories@github.com", + "published": "2024-03-09T01:15:07.340", + "lastModified": "2024-03-09T01:15:07.340", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.\n" + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "LOW", + "baseScore": 4.3, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.8, + "impactScore": 1.4 + } + ] + }, + "weaknesses": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "description": [ + { + "lang": "en", + "value": "CWE-409" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g", + "source": "security-advisories@github.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2024/CVE-2024-281xx/CVE-2024-28184.json b/CVE-2024/CVE-2024-281xx/CVE-2024-28184.json new file mode 100644 index 00000000000..278876b5187 --- /dev/null +++ b/CVE-2024/CVE-2024-281xx/CVE-2024-28184.json @@ -0,0 +1,59 @@ +{ + "id": "CVE-2024-28184", + "sourceIdentifier": "security-advisories@github.com", + "published": "2024-03-09T01:15:07.573", + "lastModified": "2024-03-09T01:15:07.573", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.\n" + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "LOW", + "baseScore": 7.4, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.1, + "impactScore": 3.7 + } + ] + }, + "weaknesses": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "description": [ + { + "lang": "en", + "value": "CWE-829" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/Kozea/WeasyPrint/commit/734ee8e2dc84ff3090682f3abff056d0907c8598", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-35jj-wx47-4w8r", + "source": "security-advisories@github.com" + } + ] +} \ No newline at end of file diff --git a/README.md b/README.md index 7bc1bd6946c..98b0fea471f 100644 --- a/README.md +++ b/README.md @@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2024-03-09T00:55:30.152523+00:00 +2024-03-09T03:00:31.217266+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2024-03-09T00:15:59.987000+00:00 +2024-03-09T01:15:07.573000+00:00 ``` ### Last Data Feed Release @@ -23,21 +23,23 @@ Repository synchronizes with the NVD every 2 hours. Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest) ```plain -2024-03-08T01:00:20.252904+00:00 +2024-03-09T01:00:20.293605+00:00 ``` ### Total Number of included CVEs ```plain -240915 +240919 ``` ### CVEs added in the last Commit -Recently added CVEs: `2` +Recently added CVEs: `4` -* [CVE-2024-28753](CVE-2024/CVE-2024-287xx/CVE-2024-28753.json) (`2024-03-09T00:15:59.923`) -* [CVE-2024-28754](CVE-2024/CVE-2024-287xx/CVE-2024-28754.json) (`2024-03-09T00:15:59.987`) +* [CVE-2024-28122](CVE-2024/CVE-2024-281xx/CVE-2024-28122.json) (`2024-03-09T01:15:06.940`) +* [CVE-2024-28176](CVE-2024/CVE-2024-281xx/CVE-2024-28176.json) (`2024-03-09T01:15:07.147`) +* [CVE-2024-28180](CVE-2024/CVE-2024-281xx/CVE-2024-28180.json) (`2024-03-09T01:15:07.340`) +* [CVE-2024-28184](CVE-2024/CVE-2024-281xx/CVE-2024-28184.json) (`2024-03-09T01:15:07.573`) ### CVEs modified in the last Commit diff --git a/_state.csv b/_state.csv index e985aa15333..ec3a55233b5 100644 --- a/_state.csv +++ b/_state.csv @@ -240886,6 +240886,7 @@ CVE-2024-28097,0,0,ad0a3d7a6b96970687d28d32c41921c3200422c4265f25f269de512c4cb80 CVE-2024-28110,0,0,0aa63c709bee34101fee09332c67840fa8b7d5aea01ed58b7f238cd7f26f2f87,2024-03-07T13:52:27.110000 CVE-2024-28111,0,0,ef109000cb681b8950a504435d888106cd334990070bd9ca1f33bba165c1974a,2024-03-07T13:52:27.110000 CVE-2024-28115,0,0,3e0e705412ec4ecfb9fabefcb95634cd838a6bf7c9c03087d677ba199986f693,2024-03-08T14:02:57.420000 +CVE-2024-28122,1,1,fda19940cddf3c43c85f1263bb21fd0f3c6eda799819a07018fd0196480f432e,2024-03-09T01:15:06.940000 CVE-2024-28149,0,0,bb1327eb2ceb44ae2cc8e952fde2f54b109f1740591e1ece1b912c644025402b,2024-03-06T21:42:54.697000 CVE-2024-28150,0,0,bd9c785686979f74fc956d3a9d80b65ba208ec849a10e17a7f0c9226761980a2,2024-03-06T21:42:54.697000 CVE-2024-28151,0,0,473d59d35d2166d8f0877541c6be6e5f16e5683e6e89c2ed65e060f312f6c9a8,2024-03-06T21:42:54.697000 @@ -240902,6 +240903,9 @@ CVE-2024-28161,0,0,a8b5439e973c7cdb8f91b0ae68db3c77b6c3c773d21694d3bca0cd7aa2867 CVE-2024-28162,0,0,9f95dea899a301f3d7e776202ce6567032bc57cf37ea2c387cd5d210ccf05a4b,2024-03-06T21:42:54.697000 CVE-2024-28173,0,0,e0fed71b03fa1080cdfc47a71a0b80da5e87b19e624557c11c0e172f4b2c098a,2024-03-06T21:42:54.697000 CVE-2024-28174,0,0,fa1674b985861bddf4d0ff5ab075ec0e4328a9665c668bfe339f9f0de580d6b1,2024-03-06T21:42:54.697000 +CVE-2024-28176,1,1,ec66585e52c3c8e3b4fb9f83e97cc916a02934873883e31c12138152edd61a21,2024-03-09T01:15:07.147000 +CVE-2024-28180,1,1,36948ee811f0956f6903e72d9246c3ebee20cdd663526ac3d8c5fb4fc67d1cd0,2024-03-09T01:15:07.340000 +CVE-2024-28184,1,1,175c0a55aefc92aa2382d5f4b6fba98002e10cf3cfcd47cb089861bb42bf966f,2024-03-09T01:15:07.573000 CVE-2024-28211,0,0,c1ed1ddd829861cccd703be6254c437e62099ef974f2a29a31d06b3aa407dda5,2024-03-07T13:52:27.110000 CVE-2024-28212,0,0,5a2751cb50b15d5c440d2b8966e76c727b56c2f7e1085394c9464fe62a449a7f,2024-03-07T13:52:27.110000 CVE-2024-28213,0,0,123dce2bcd1dc69568d6c5cbaff040ae81dbab0468f48456713cfbf9a03f5945,2024-03-07T13:52:27.110000 @@ -240912,5 +240916,5 @@ CVE-2024-28222,0,0,fc2bb6625872999de46c3fec787964c81811fbafba85fd6aa0a9c0c190c12 CVE-2024-28228,0,0,fafeac90b4103ecc037c0d15d4376f652ba43048a680a73a3c13807568e40859,2024-03-07T13:52:27.110000 CVE-2024-28229,0,0,7bfc3b59e790a5126732ec4d8d480f9938166a41475488b32e066c1e064ccb9f,2024-03-07T13:52:27.110000 CVE-2024-28230,0,0,3036aa70102b53b9cc695265dc4a11e5a4f5b8d26f6120835dbd1a9c3d93e7ec,2024-03-07T13:52:27.110000 -CVE-2024-28753,1,1,125d1396e6c6b0e66335f7e7b1bd0a96847c075a3105c05c042d4fa16177854d,2024-03-09T00:15:59.923000 -CVE-2024-28754,1,1,0369a848ec0f7eb40f27bf58345615a77048218f0bda34f00547c17f43514791,2024-03-09T00:15:59.987000 +CVE-2024-28753,0,0,125d1396e6c6b0e66335f7e7b1bd0a96847c075a3105c05c042d4fa16177854d,2024-03-09T00:15:59.923000 +CVE-2024-28754,0,0,0369a848ec0f7eb40f27bf58345615a77048218f0bda34f00547c17f43514791,2024-03-09T00:15:59.987000