Auto-Update: 2024-02-19T21:00:24.193777+00:00

2025-07-09 16:05:11 +00:00 · 2024-02-19 21:00:27 +00:00 · 2024-02-19 21:00:27 +00:00 · 6eb2f31103
commit 6eb2f31103
parent fc16368b09
7 changed files with 373 additions and 15 deletions
--- a/CVE-2023/CVE-2023-502xx/CVE-2023-50257.json
+++ b/CVE-2023/CVE-2023-502xx/CVE-2023-50257.json
@ -0,0 +1,71 @@
+{
+  "id": "CVE-2023-50257",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2024-02-19T20:15:45.310",
+  "lastModified": "2024-02-19T20:15:45.310",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Even with the application of SROS2, due to the issue where the data (`p[UD]`) and `guid` values used to disconnect between nodes are not encrypted, a vulnerability has been discovered where a malicious attacker can forcibly disconnect a Subscriber and can deny a Subscriber attempting to connect. Afterwards, if the attacker sends the packet for disconnecting, which is data (`p[UD]`), to the Global Data Space (`239.255.0.1:7400`) using the said Publisher ID, all the Subscribers (Listeners) connected to the Publisher (Talker) will not receive any data and their connection will be disconnected. Moreover, if this disconnection packet is sent continuously, the Subscribers (Listeners) trying to connect will not be able to do so. Since the initial commit of the `SecurityManager.cpp` code (`init`, `on_process_handshake`) on Nov 8, 2016, the Disconnect Vulnerability in RTPS Packets Used by SROS2 has been present prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+          "attackVector": "ADJACENT_NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "CHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "HIGH",
+          "baseScore": 9.6,
+          "baseSeverity": "CRITICAL"
+        },
+        "exploitabilityScore": 2.8,
+        "impactScore": 6.0
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-284"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/eProsima/Fast-DDS/commit/072cbc9d6a71d869a5cbed1873c0cdd6cf67cda4",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/eProsima/Fast-DDS/commit/e1869863c06db7fbb366ae53760fbe6e754be026",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/eProsima/Fast-DDS/commit/f07a0213e655202188840b864be4438ae1067a13",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/eProsima/Fast-DDS/commit/f2e5ceae8fbea0a6c9445a366faaca0b98a8ef86",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/CVE-2024/CVE-2024-256xx/CVE-2024-25626.json
+++ b/CVE-2024/CVE-2024-256xx/CVE-2024-25626.json
@ -0,0 +1,55 @@
+{
+  "id": "CVE-2024-25626",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2024-02-19T20:15:45.513",
+  "lastModified": "2024-02-19T20:15:45.513",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Yocto Project is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. In Yocto Projects Bitbake before 2.6.2 (before and included Yocto Project 4.3.1), with the Toaster server (included in bitbake) running, missing input validation allows an attacker to perform a remote code execution in the server's shell via a crafted HTTP request. Authentication is not necessary. Toaster server execution has to be specifically run and is not the default for Bitbake command line builds, it is only used for the Toaster web based user interface to Bitbake. The fix has been backported to the bitbake included with Yocto Project 5.0, 3.1.31, 4.0.16, and 4.3.2."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "REQUIRED",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "HIGH",
+          "baseScore": 8.8,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 2.8,
+        "impactScore": 5.9
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-78"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/yoctoproject/poky/security/advisories/GHSA-75xw-78mm-72r4",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/CVE-2024/CVE-2024-256xx/CVE-2024-25634.json
+++ b/CVE-2024/CVE-2024-256xx/CVE-2024-25634.json
@ -0,0 +1,55 @@
+{
+  "id": "CVE-2024-25634",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2024-02-19T20:15:45.707",
+  "lastModified": "2024-02-19T20:15:45.707",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, an attacker can access data from other organizers. The attacker can use a specially crafted request to receive the e-mail log sent by other events. Version 2.0-M4-2402 fixes this issue."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "HIGH",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "HIGH",
+          "baseScore": 7.2,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 1.2,
+        "impactScore": 5.9
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-497"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/alfio-event/alf.io/security/advisories/GHSA-5wcv-pjc6-mxvv",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/CVE-2024/CVE-2024-256xx/CVE-2024-25635.json
+++ b/CVE-2024/CVE-2024-256xx/CVE-2024-25635.json
@ -0,0 +1,55 @@
+{
+  "id": "CVE-2024-25635",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2024-02-19T20:15:45.890",
+  "lastModified": "2024-02-19T20:15:45.890",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, organization owners can view the generated API KEY and USERS of other organization owners using the `http://192.168.26.128:8080/admin/api/users/<user_id>` endpoint, which exposes the details of the provided user ID. This may also expose the API KEY in the username of the user. Version 2.0-M4-2402 fixes this issue."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "LOW",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "HIGH",
+          "baseScore": 8.8,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 2.8,
+        "impactScore": 5.9
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-612"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/alfio-event/alf.io/security/advisories/GHSA-ffr5-g3qg-gp4f",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/CVE-2024/CVE-2024-256xx/CVE-2024-25636.json
+++ b/CVE-2024/CVE-2024-256xx/CVE-2024-25636.json
@ -0,0 +1,71 @@
+{
+  "id": "CVE-2024-25636",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2024-02-19T20:15:46.077",
+  "lastModified": "2024-02-19T20:15:46.077",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "LOW",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "NONE",
+          "baseScore": 7.1,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 2.8,
+        "impactScore": 4.2
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-434"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/CVE-2024/CVE-2024-256xx/CVE-2024-25640.json
+++ b/CVE-2024/CVE-2024-256xx/CVE-2024-25640.json
@ -0,0 +1,55 @@
+{
+  "id": "CVE-2024-25640",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2024-02-19T20:15:46.270",
+  "lastModified": "2024-02-19T20:15:46.270",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Iris is a web collaborative platform that helps incident responders share technical details during investigations. A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-web, affecting multiple locations in versions prior to v2.4.0. The vulnerability may allow an attacker to inject malicious scripts into the application, which could then be executed when a user visits the affected locations. This could lead to unauthorized access, data theft, or other related malicious activities. An attacker need to be authenticated on the application to exploit this vulnerability. The issue is fixed in version v2.4.0 of iris-web. No workarounds are available."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "LOW",
+          "userInteraction": "REQUIRED",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "LOW",
+          "availabilityImpact": "NONE",
+          "baseScore": 4.6,
+          "baseSeverity": "MEDIUM"
+        },
+        "exploitabilityScore": 2.1,
+        "impactScore": 2.5
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-87"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/dfir-iris/iris-web/security/advisories/GHSA-2xq6-qc74-w5vp",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/README.md
+++ b/README.md
@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
 ### Last Repository Update

 ```plain
-2024-02-19T19:00:34.546187+00:00
+2024-02-19T21:00:24.193777+00:00
 ```

 ### Most recent CVE Modification Timestamp synchronized with NVD

 ```plain
-2024-02-19T17:15:09.697000+00:00
+2024-02-19T20:15:46.270000+00:00
 ```

 ### Last Data Feed Release
@ -29,29 +29,25 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
 ### Total Number of included CVEs

 ```plain
-238889
+238895
 ```

 ### CVEs added in the last Commit

-Recently added CVEs: `7`
+Recently added CVEs: `6`

-* [CVE-2024-1633](CVE-2024/CVE-2024-16xx/CVE-2024-1633.json) (`2024-02-19T17:15:08.347`)
-* [CVE-2024-25978](CVE-2024/CVE-2024-259xx/CVE-2024-25978.json) (`2024-02-19T17:15:08.567`)
-* [CVE-2024-25979](CVE-2024/CVE-2024-259xx/CVE-2024-25979.json) (`2024-02-19T17:15:08.793`)
-* [CVE-2024-25980](CVE-2024/CVE-2024-259xx/CVE-2024-25980.json) (`2024-02-19T17:15:09.023`)
-* [CVE-2024-25981](CVE-2024/CVE-2024-259xx/CVE-2024-25981.json) (`2024-02-19T17:15:09.230`)
-* [CVE-2024-25982](CVE-2024/CVE-2024-259xx/CVE-2024-25982.json) (`2024-02-19T17:15:09.467`)
-* [CVE-2024-25983](CVE-2024/CVE-2024-259xx/CVE-2024-25983.json) (`2024-02-19T17:15:09.697`)
+* [CVE-2023-50257](CVE-2023/CVE-2023-502xx/CVE-2023-50257.json) (`2024-02-19T20:15:45.310`)
+* [CVE-2024-25626](CVE-2024/CVE-2024-256xx/CVE-2024-25626.json) (`2024-02-19T20:15:45.513`)
+* [CVE-2024-25634](CVE-2024/CVE-2024-256xx/CVE-2024-25634.json) (`2024-02-19T20:15:45.707`)
+* [CVE-2024-25635](CVE-2024/CVE-2024-256xx/CVE-2024-25635.json) (`2024-02-19T20:15:45.890`)
+* [CVE-2024-25636](CVE-2024/CVE-2024-256xx/CVE-2024-25636.json) (`2024-02-19T20:15:46.077`)
+* [CVE-2024-25640](CVE-2024/CVE-2024-256xx/CVE-2024-25640.json) (`2024-02-19T20:15:46.270`)


 ### CVEs modified in the last Commit

-Recently modified CVEs: `3`
+Recently modified CVEs: `0`

-* [CVE-2021-3860](CVE-2021/CVE-2021-38xx/CVE-2021-3860.json) (`2024-02-19T17:15:07.953`)
-* [CVE-2023-3897](CVE-2023/CVE-2023-38xx/CVE-2023-3897.json) (`2024-02-19T17:15:08.113`)
-* [CVE-2024-0811](CVE-2024/CVE-2024-08xx/CVE-2024-0811.json) (`2024-02-19T17:15:08.233`)


 ## Download and Usage