From 74fb1f3e47e0b12a804cd43db24a913c73c34b40 Mon Sep 17 00:00:00 2001 From: cad-safe-bot Date: Tue, 25 Jul 2023 23:55:28 +0000 Subject: [PATCH] Auto-Update: 2023-07-25T23:55:25.534260+00:00 --- CVE-2022/CVE-2022-314xx/CVE-2022-31457.json | 20 +++++ CVE-2022/CVE-2022-419xx/CVE-2022-41906.json | 10 +-- CVE-2023/CVE-2023-384xx/CVE-2023-38496.json | 67 ++++++++++++++++ CVE-2023/CVE-2023-385xx/CVE-2023-38501.json | 59 +++++++++++++++ CVE-2023/CVE-2023-385xx/CVE-2023-38502.json | 55 ++++++++++++++ CVE-2023/CVE-2023-385xx/CVE-2023-38503.json | 59 +++++++++++++++ CVE-2023/CVE-2023-39xx/CVE-2023-3945.json | 84 +++++++++++++++++++++ README.md | 41 +++------- 8 files changed, 361 insertions(+), 34 deletions(-) create mode 100644 CVE-2022/CVE-2022-314xx/CVE-2022-31457.json create mode 100644 CVE-2023/CVE-2023-384xx/CVE-2023-38496.json create mode 100644 CVE-2023/CVE-2023-385xx/CVE-2023-38501.json create mode 100644 CVE-2023/CVE-2023-385xx/CVE-2023-38502.json create mode 100644 CVE-2023/CVE-2023-385xx/CVE-2023-38503.json create mode 100644 CVE-2023/CVE-2023-39xx/CVE-2023-3945.json diff --git a/CVE-2022/CVE-2022-314xx/CVE-2022-31457.json b/CVE-2022/CVE-2022-314xx/CVE-2022-31457.json new file mode 100644 index 00000000000..fc0fb575398 --- /dev/null +++ b/CVE-2022/CVE-2022-314xx/CVE-2022-31457.json @@ -0,0 +1,20 @@ +{ + "id": "CVE-2022-31457", + "sourceIdentifier": "cve@mitre.org", + "published": "2023-07-25T22:15:10.410", + "lastModified": "2023-07-25T22:15:10.410", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "RTX TRAP v1.0 allows attackers to perform a directory traversal via a crafted request sent to the endpoint /data/." + } + ], + "metrics": {}, + "references": [ + { + "url": "https://medium.com/@rohitgautam26/cve-2022-31457-2027b7678af7", + "source": "cve@mitre.org" + } + ] +} \ No newline at end of file diff --git a/CVE-2022/CVE-2022-419xx/CVE-2022-41906.json b/CVE-2022/CVE-2022-419xx/CVE-2022-41906.json index 390a140eb3e..a38b10b194c 100644 --- a/CVE-2022/CVE-2022-419xx/CVE-2022-41906.json +++ b/CVE-2022/CVE-2022-419xx/CVE-2022-41906.json @@ -2,12 +2,12 @@ "id": "CVE-2022-41906", "sourceIdentifier": "security-advisories@github.com", "published": "2022-11-11T19:15:11.613", - "lastModified": "2022-11-16T17:08:30.367", - "vulnStatus": "Analyzed", + "lastModified": "2023-07-25T23:15:10.037", + "vulnStatus": "Modified", "descriptions": [ { "lang": "en", - "value": "OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin 2.2.0 and below could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds." + "value": "OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin starting in 2.0.0 and prior to 2.2.1 could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds. \n" } ], "metrics": { @@ -58,7 +58,7 @@ }, "weaknesses": [ { - "source": "nvd@nist.gov", + "source": "security-advisories@github.com", "type": "Primary", "description": [ { @@ -68,7 +68,7 @@ ] }, { - "source": "security-advisories@github.com", + "source": "nvd@nist.gov", "type": "Secondary", "description": [ { diff --git a/CVE-2023/CVE-2023-384xx/CVE-2023-38496.json b/CVE-2023/CVE-2023-384xx/CVE-2023-38496.json new file mode 100644 index 00000000000..78b2b2711f1 --- /dev/null +++ b/CVE-2023/CVE-2023-384xx/CVE-2023-38496.json @@ -0,0 +1,67 @@ +{ + "id": "CVE-2023-38496", + "sourceIdentifier": "security-advisories@github.com", + "published": "2023-07-25T22:15:10.503", + "lastModified": "2023-07-25T22:15:10.503", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root privileges, the attack surface is rather limited for users but an attacker could possibly craft a starter config to delete any directory on the host filesystems. A security fix has been included in Apptainer 1.2.1. There is no known workaround outside of upgrading to Apptainer 1.2.1." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", + "attackVector": "LOCAL", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "REQUIRED", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "availabilityImpact": "HIGH", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 1.8, + "impactScore": 4.2 + } + ] + }, + "weaknesses": [ + { + "source": "security-advisories@github.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-269" + }, + { + "lang": "en", + "value": "CWE-271" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/apptainer/apptainer/pull/1523", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/apptainer/apptainer/pull/1578", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx", + "source": "security-advisories@github.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-385xx/CVE-2023-38501.json b/CVE-2023/CVE-2023-385xx/CVE-2023-38501.json new file mode 100644 index 00000000000..54ca059eca9 --- /dev/null +++ b/CVE-2023/CVE-2023-385xx/CVE-2023-38501.json @@ -0,0 +1,59 @@ +{ + "id": "CVE-2023-38501", + "sourceIdentifier": "security-advisories@github.com", + "published": "2023-07-25T22:15:10.600", + "lastModified": "2023-07-25T22:15:10.600", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "copyparty is file server software. Prior to version 1.8.7, the application contains a reflected cross-site scripting via URL-parameter `?k304=...` and `?setck=...`. The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link. It is recommended to change the passwords of one's copyparty accounts, unless one have inspected one's logs and found no trace of attacks. Version 1.8.7 contains a patch for the issue." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "REQUIRED", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "LOW", + "baseScore": 6.3, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.8, + "impactScore": 3.4 + } + ] + }, + "weaknesses": [ + { + "source": "security-advisories@github.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/9001/copyparty/commit/007d948cb982daa05bc6619cd20ee55b7e834c38", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/9001/copyparty/security/advisories/GHSA-f54q-j679-p9hh", + "source": "security-advisories@github.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-385xx/CVE-2023-38502.json b/CVE-2023/CVE-2023-385xx/CVE-2023-38502.json new file mode 100644 index 00000000000..f259a006bcd --- /dev/null +++ b/CVE-2023/CVE-2023-385xx/CVE-2023-38502.json @@ -0,0 +1,55 @@ +{ + "id": "CVE-2023-38502", + "sourceIdentifier": "security-advisories@github.com", + "published": "2023-07-25T22:15:10.693", + "lastModified": "2023-07-25T22:15:10.693", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "TDengine is an open source, time-series database optimized for Internet of Things devices. Prior to version 3.0.7.1, TDengine DataBase crashes on UDF nested query. This issue affects TDengine Databases which let users connect and run arbitrary queries. Version 3.0.7.1 has a patch for this issue." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.8, + "impactScore": 3.6 + } + ] + }, + "weaknesses": [ + { + "source": "security-advisories@github.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-20" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/taosdata/TDengine/security/advisories/GHSA-w23f-r2fm-27hf", + "source": "security-advisories@github.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-385xx/CVE-2023-38503.json b/CVE-2023/CVE-2023-385xx/CVE-2023-38503.json new file mode 100644 index 00000000000..eb18a8ce73f --- /dev/null +++ b/CVE-2023/CVE-2023-385xx/CVE-2023-38503.json @@ -0,0 +1,59 @@ +{ + "id": "CVE-2023-38503", + "sourceIdentifier": "security-advisories@github.com", + "published": "2023-07-25T23:15:10.183", + "lastModified": "2023-07-25T23:15:10.183", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in unauthorized users getting event on their subscription which they should not be receiving according to the permissions. This can be any collection but out-of-the box the `directus_users` collection is configured with such a permissions filter allowing you to get updates for other users when changes happen. Version 10.5.0 contains a patch. As a workaround, disable GraphQL subscriptions." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "security-advisories@github.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 5.7, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.1, + "impactScore": 3.6 + } + ] + }, + "weaknesses": [ + { + "source": "security-advisories@github.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-200" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/directus/directus/pull/19155", + "source": "security-advisories@github.com" + }, + { + "url": "https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98", + "source": "security-advisories@github.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-39xx/CVE-2023-3945.json b/CVE-2023/CVE-2023-39xx/CVE-2023-3945.json new file mode 100644 index 00000000000..e0ebc70829b --- /dev/null +++ b/CVE-2023/CVE-2023-39xx/CVE-2023-3945.json @@ -0,0 +1,84 @@ +{ + "id": "CVE-2023-3945", + "sourceIdentifier": "cna@vuldb.com", + "published": "2023-07-25T22:15:10.780", + "lastModified": "2023-07-25T22:15:10.780", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability was found in phpscriptpoint Lawyer 1.6. It has been classified as problematic. This affects an unknown part of the file search.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The identifier VDB-235401 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way." + } + ], + "metrics": { + "cvssMetricV30": [ + { + "source": "cna@vuldb.com", + "type": "Secondary", + "cvssData": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 3.5, + "baseSeverity": "LOW" + }, + "exploitabilityScore": 2.1, + "impactScore": 1.4 + } + ], + "cvssMetricV2": [ + { + "source": "cna@vuldb.com", + "type": "Secondary", + "cvssData": { + "version": "2.0", + "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", + "accessVector": "NETWORK", + "accessComplexity": "LOW", + "authentication": "SINGLE", + "confidentialityImpact": "NONE", + "integrityImpact": "PARTIAL", + "availabilityImpact": "NONE", + "baseScore": 4.0 + }, + "baseSeverity": "MEDIUM", + "exploitabilityScore": 8.0, + "impactScore": 2.9, + "acInsufInfo": false, + "obtainAllPrivilege": false, + "obtainUserPrivilege": false, + "obtainOtherPrivilege": false, + "userInteractionRequired": false + } + ] + }, + "weaknesses": [ + { + "source": "cna@vuldb.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "references": [ + { + "url": "https://vuldb.com/?ctiid.235401", + "source": "cna@vuldb.com" + }, + { + "url": "https://vuldb.com/?id.235401", + "source": "cna@vuldb.com" + } + ] +} \ No newline at end of file diff --git a/README.md b/README.md index 81b656ff656..017167bfe91 100644 --- a/README.md +++ b/README.md @@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2023-07-25T22:00:27.797414+00:00 +2023-07-25T23:55:25.534260+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2023-07-25T21:15:11.177000+00:00 +2023-07-25T23:15:10.183000+00:00 ``` ### Last Data Feed Release @@ -29,43 +29,26 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ ### Total Number of included CVEs ```plain -221028 +221034 ``` ### CVEs added in the last Commit -Recently added CVEs: `20` +Recently added CVEs: `6` -* [CVE-2020-35698](CVE-2020/CVE-2020-356xx/CVE-2020-35698.json) (`2023-07-25T20:15:12.643`) -* [CVE-2022-31458](CVE-2022/CVE-2022-314xx/CVE-2022-31458.json) (`2023-07-25T20:15:12.783`) -* [CVE-2022-46898](CVE-2022/CVE-2022-468xx/CVE-2022-46898.json) (`2023-07-25T20:15:12.887`) -* [CVE-2022-46899](CVE-2022/CVE-2022-468xx/CVE-2022-46899.json) (`2023-07-25T20:15:12.997`) -* [CVE-2022-46900](CVE-2022/CVE-2022-469xx/CVE-2022-46900.json) (`2023-07-25T20:15:13.087`) -* [CVE-2022-46901](CVE-2022/CVE-2022-469xx/CVE-2022-46901.json) (`2023-07-25T20:15:13.157`) -* [CVE-2022-46902](CVE-2022/CVE-2022-469xx/CVE-2022-46902.json) (`2023-07-25T20:15:13.227`) -* [CVE-2023-34798](CVE-2023/CVE-2023-347xx/CVE-2023-34798.json) (`2023-07-25T20:15:13.313`) -* [CVE-2023-37257](CVE-2023/CVE-2023-372xx/CVE-2023-37257.json) (`2023-07-25T20:15:13.423`) -* [CVE-2023-37258](CVE-2023/CVE-2023-372xx/CVE-2023-37258.json) (`2023-07-25T20:15:13.560`) -* [CVE-2023-37460](CVE-2023/CVE-2023-374xx/CVE-2023-37460.json) (`2023-07-25T20:15:13.703`) -* [CVE-2023-37677](CVE-2023/CVE-2023-376xx/CVE-2023-37677.json) (`2023-07-25T20:15:13.823`) -* [CVE-2023-3944](CVE-2023/CVE-2023-39xx/CVE-2023-3944.json) (`2023-07-25T20:15:14.027`) -* [CVE-2023-37902](CVE-2023/CVE-2023-379xx/CVE-2023-37902.json) (`2023-07-25T21:15:10.550`) -* [CVE-2023-37907](CVE-2023/CVE-2023-379xx/CVE-2023-37907.json) (`2023-07-25T21:15:10.647`) -* [CVE-2023-37919](CVE-2023/CVE-2023-379xx/CVE-2023-37919.json) (`2023-07-25T21:15:10.733`) -* [CVE-2023-37920](CVE-2023/CVE-2023-379xx/CVE-2023-37920.json) (`2023-07-25T21:15:10.827`) -* [CVE-2023-38493](CVE-2023/CVE-2023-384xx/CVE-2023-38493.json) (`2023-07-25T21:15:10.913`) -* [CVE-2023-38499](CVE-2023/CVE-2023-384xx/CVE-2023-38499.json) (`2023-07-25T21:15:10.997`) -* [CVE-2023-38500](CVE-2023/CVE-2023-385xx/CVE-2023-38500.json) (`2023-07-25T21:15:11.083`) +* [CVE-2022-31457](CVE-2022/CVE-2022-314xx/CVE-2022-31457.json) (`2023-07-25T22:15:10.410`) +* [CVE-2023-38496](CVE-2023/CVE-2023-384xx/CVE-2023-38496.json) (`2023-07-25T22:15:10.503`) +* [CVE-2023-38501](CVE-2023/CVE-2023-385xx/CVE-2023-38501.json) (`2023-07-25T22:15:10.600`) +* [CVE-2023-38502](CVE-2023/CVE-2023-385xx/CVE-2023-38502.json) (`2023-07-25T22:15:10.693`) +* [CVE-2023-3945](CVE-2023/CVE-2023-39xx/CVE-2023-3945.json) (`2023-07-25T22:15:10.780`) +* [CVE-2023-38503](CVE-2023/CVE-2023-385xx/CVE-2023-38503.json) (`2023-07-25T23:15:10.183`) ### CVEs modified in the last Commit -Recently modified CVEs: `4` +Recently modified CVEs: `1` -* [CVE-2023-38403](CVE-2023/CVE-2023-384xx/CVE-2023-38403.json) (`2023-07-25T20:15:13.897`) -* [CVE-2023-20593](CVE-2023/CVE-2023-205xx/CVE-2023-20593.json) (`2023-07-25T21:15:10.333`) -* [CVE-2023-35936](CVE-2023/CVE-2023-359xx/CVE-2023-35936.json) (`2023-07-25T21:15:10.427`) -* [CVE-2023-38745](CVE-2023/CVE-2023-387xx/CVE-2023-38745.json) (`2023-07-25T21:15:11.177`) +* [CVE-2022-41906](CVE-2022/CVE-2022-419xx/CVE-2022-41906.json) (`2023-07-25T23:15:10.037`) ## Download and Usage