From 6111b518ad9d9689d087d9fa21e6038f28ea1557 Mon Sep 17 00:00:00 2001
From: cad-safe-bot
Date: Tue, 19 Sep 2023 10:00:28 +0000
Subject: [PATCH] Auto-Update: 2023-09-19T10:00:24.712860+00:00
---
 CVE-2023/CVE-2023-39xx/CVE-2023-3935.json | 24 ++++++---
 CVE-2023/CVE-2023-413xx/CVE-2023-41387.json | 24 +++++++++
 CVE-2023/CVE-2023-47xx/CVE-2023-4701.json | 34 +++++++-----
 CVE-2023/CVE-2023-50xx/CVE-2023-5009.json | 59 +++++++++++++++++++++
 README.md | 16 +++---
 5 files changed, 129 insertions(+), 28 deletions(-)
 create mode 100644 CVE-2023/CVE-2023-413xx/CVE-2023-41387.json
 create mode 100644 CVE-2023/CVE-2023-50xx/CVE-2023-5009.json
diff --git a/CVE-2023/CVE-2023-39xx/CVE-2023-3935.json b/CVE-2023/CVE-2023-39xx/CVE-2023-3935.json
index 317413e0369..5231e50e028 100644
--- a/CVE-2023/CVE-2023-39xx/CVE-2023-3935.json
+++ b/CVE-2023/CVE-2023-39xx/CVE-2023-3935.json
@@ -2,18 +2,22 @@
 "id": "CVE-2023-3935",
 "sourceIdentifier": "info@cert.vde.com",
 "published": "2023-09-13T14:15:09.147",
- "lastModified": "2023-09-15T14:53:30.693",
- "vulnStatus": "Analyzed",
+ "lastModified": "2023-09-19T08:15:44.727",
+ "vulnStatus": "Modified",
 "descriptions": [
 {
 "lang": "en",
 "value": "A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system."
+ },
+ {
+ "lang": "es",
+ "value": "Una vulnerabilidad de Desbordamiento del B\u00fafer en el servicio de red Wibu CodeMeter Runtime hasta la versi\u00f3n 7.60b permite a un atacante remoto no autenticado lograr RCE y obtener acceso completo al sistema anfitri\u00f3n."
+ }
 ],
 "metrics": {
 "cvssMetricV31": [
 {
- "source": "nvd@nist.gov",
+ "source": "info@cert.vde.com",
 "type": "Primary",
 "cvssData": {
 "version": "3.1",
@@ -33,24 +37,24 @@
 "impactScore": 5.9
 },
 {
- "source": "info@cert.vde.com",
+ "source": "nvd@nist.gov",
 "type": "Secondary",
 "cvssData": {
 "version": "3.1",
- "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
 "attackVector": "NETWORK",
 "attackComplexity": "LOW",
 "privilegesRequired": "NONE",
 "userInteraction": "NONE",
- "scope": "CHANGED",
+ "scope": "UNCHANGED",
 "confidentialityImpact": "HIGH",
 "integrityImpact": "HIGH",
 "availabilityImpact": "HIGH",
- "baseScore": 10.0,
+ "baseScore": 9.8,
 "baseSeverity": "CRITICAL"
 },
 "exploitabilityScore": 3.9,
- "impactScore": 6.0
+ "impactScore": 5.9
 }
 ]
 },
@@ -217,6 +221,10 @@
 "Vendor Advisory"
 ]
 },
+ {
+ "url": "https://cert.vde.com/en/advisories/VDE-2023-030/",
+ "source": "info@cert.vde.com"
+ },
 {
 "url": "https://cert.vde.com/en/advisories/VDE-2023-031/",
 "source": "info@cert.vde.com",
diff --git a/CVE-2023/CVE-2023-413xx/CVE-2023-41387.json b/CVE-2023/CVE-2023-413xx/CVE-2023-41387.json
new file mode 100644
index 00000000000..2a8b6f3ad4c
--- /dev/null
+++ b/CVE-2023/CVE-2023-413xx/CVE-2023-41387.json
@@ -0,0 +1,24 @@
+{
+ "id": "CVE-2023-41387",
+ "sourceIdentifier": "cve@mitre.org",
+ "published": "2023-09-19T09:15:07.860",
+ "lastModified": "2023-09-19T09:15:07.860",
+ "vulnStatus": "Received",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "A SQL injection in the flutter_downloader component through 1.11.1 for iOS allows remote attackers to steal session tokens and overwrite arbitrary files inside the app's container. The internal database of the framework is exposed to the local user if an app uses UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace properties. As a result, local users can obtain the same attack primitives as remote attackers by tampering with the internal database of the framework on the device."
+ }
+ ],
+ "metrics": {},
+ "references": [
+ {
+ "url": "https://pub.dev/packages/flutter_downloader/changelog",
+ "source": "cve@mitre.org"
+ },
+ {
+ "url": "https://seredynski.com/articles/exploiting-ios-apps-to-extract-session-tokens-and-overwrite-user-data",
+ "source": "cve@mitre.org"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/CVE-2023/CVE-2023-47xx/CVE-2023-4701.json b/CVE-2023/CVE-2023-47xx/CVE-2023-4701.json
index 5f07cacd304..1dbebbcec93 100644
--- a/CVE-2023/CVE-2023-47xx/CVE-2023-4701.json
+++ b/CVE-2023/CVE-2023-47xx/CVE-2023-4701.json
@@ -2,18 +2,22 @@
 "id": "CVE-2023-4701",
 "sourceIdentifier": "info@cert.vde.com",
 "published": "2023-09-13T14:15:09.297",
- "lastModified": "2023-09-15T15:17:23.393",
- "vulnStatus": "Analyzed",
+ "lastModified": "2023-09-19T08:15:57.143",
+ "vulnStatus": "Modified",
 "descriptions": [
 {
 "lang": "en",
 "value": "A Improper Privilege Management vulnerability through an incorrect use of privileged APIs in CodeMeter Runtime versions prior to 7.60c allow a local, low privileged attacker to use an API call for escalation of privileges in order gain full admin access on the host system."
+ },
+ {
+ "lang": "es",
+ "value": "Una vulnerabilidad de Gesti\u00f3n de Privilegios Inadecuada a trav\u00e9s de un uso incorrecto de API privilegiadas en versiones de CodeMeter Runtime anteriores a 7.60c permite a un atacante local con pocos privilegios utilizar una llamada API para escalar privilegios con el fin de obtener acceso completo de administrador en el sistema host."
+ }
 ],
 "metrics": {
 "cvssMetricV31": [
 {
- "source": "nvd@nist.gov",
+ "source": "info@cert.vde.com",
 "type": "Primary",
 "cvssData": {
 "version": "3.1",
@@ -33,45 +37,45 @@
 "impactScore": 5.9
 },
 {
- "source": "info@cert.vde.com",
+ "source": "nvd@nist.gov",
 "type": "Secondary",
 "cvssData": {
 "version": "3.1",
- "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
 "attackVector": "LOCAL",
 "attackComplexity": "LOW",
 "privilegesRequired": "LOW",
 "userInteraction": "NONE",
- "scope": "CHANGED",
+ "scope": "UNCHANGED",
 "confidentialityImpact": "HIGH",
 "integrityImpact": "HIGH",
 "availabilityImpact": "HIGH",
- "baseScore": 8.8,
+ "baseScore": 7.8,
 "baseSeverity": "HIGH"
 },
- "exploitabilityScore": 2.0,
- "impactScore": 6.0
+ "exploitabilityScore": 1.8,
+ "impactScore": 5.9
 }
 ]
 },
 "weaknesses": [
 {
- "source": "nvd@nist.gov",
+ "source": "info@cert.vde.com",
 "type": "Primary",
 "description": [
 {
 "lang": "en",
- "value": "NVD-CWE-noinfo"
+ "value": "CWE-269"
 }
 ]
 },
 {
- "source": "info@cert.vde.com",
+ "source": "nvd@nist.gov",
 "type": "Secondary",
 "description": [
 {
 "lang": "en",
- "value": "CWE-269"
+ "value": "NVD-CWE-noinfo"
 }
 ]
 }
@@ -227,6 +231,10 @@
 "Vendor Advisory"
 ]
 },
+ {
+ "url": "https://cert.vde.com/en/advisories/VDE-2023-030/",
+ "source": "info@cert.vde.com"
+ },
 {
 "url": "https://cert.vde.com/en/advisories/VDE-2023-031/",
 "source": "info@cert.vde.com",
diff --git a/CVE-2023/CVE-2023-50xx/CVE-2023-5009.json b/CVE-2023/CVE-2023-50xx/CVE-2023-5009.json
new file mode 100644
index 00000000000..4cd60857453
--- /dev/null
+++ b/CVE-2023/CVE-2023-50xx/CVE-2023-5009.json
@@ -0,0 +1,59 @@
+{
+ "id": "CVE-2023-5009",
+ "sourceIdentifier": "cve@gitlab.com",
+ "published": "2023-09-19T08:16:07.203",
+ "lastModified": "2023-09-19T08:16:07.203",
+ "vulnStatus": "Received",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV31": [
+ {
+ "source": "cve@gitlab.com",
+ "type": "Secondary",
+ "cvssData": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "CHANGED",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "availabilityImpact": "NONE",
+ "baseScore": 9.6,
+ "baseSeverity": "CRITICAL"
+ },
+ "exploitabilityScore": 3.1,
+ "impactScore": 5.8
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "cve@gitlab.com",
+ "type": "Secondary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-284"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/425304",
+ "source": "cve@gitlab.com"
+ },
+ {
+ "url": "https://hackerone.com/reports/2147126",
+ "source": "cve@gitlab.com"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index a7a3b3ce88f..cfad68fb014 100644
--- a/README.md
+++ b/README.md
@@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
 ### Last Repository Update
 ```plain
-2023-09-19T08:00:25.430890+00:00
+2023-09-19T10:00:24.712860+00:00
 ```
 ### Most recent CVE Modification Timestamp synchronized with NVD
 ```plain
-2023-09-19T07:15:51.917000+00:00
+2023-09-19T09:15:07.860000+00:00
 ```
 ### Last Data Feed Release
@@ -29,21 +29,23 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
 ### Total Number of included CVEs
 ```plain
-225796
+225798
 ```
 ### CVEs added in the last Commit
-Recently added CVEs: `1`
+Recently added CVEs: `2`
-* [CVE-2023-5054](CVE-2023/CVE-2023-50xx/CVE-2023-5054.json) (`2023-09-19T07:15:51.917`)
+* [CVE-2023-5009](CVE-2023/CVE-2023-50xx/CVE-2023-5009.json) (`2023-09-19T08:16:07.203`)
+* [CVE-2023-41387](CVE-2023/CVE-2023-413xx/CVE-2023-41387.json) (`2023-09-19T09:15:07.860`)
 ### CVEs modified in the last Commit
-Recently modified CVEs: `1`
+Recently modified CVEs: `2`
-* [CVE-2023-0125](CVE-2023/CVE-2023-01xx/CVE-2023-0125.json) (`2023-09-19T06:15:45.807`)
+* [CVE-2023-3935](CVE-2023/CVE-2023-39xx/CVE-2023-3935.json) (`2023-09-19T08:15:44.727`)
+* [CVE-2023-4701](CVE-2023/CVE-2023-47xx/CVE-2023-4701.json) (`2023-09-19T08:15:57.143`)
 ## Download and Usage