Auto-Update: 2023-08-28T10:00:32.685210+00:00

CVE-2020/CVE-2020-199xx/CVE-2020-19909.json

@@ -2,12 +2,12 @@
   "id": "CVE-2020-19909",
   "sourceIdentifier": "cve@mitre.org",
   "published": "2023-08-22T19:16:06.480",
-  "lastModified": "2023-08-25T02:47:15.417",
-  "vulnStatus": "Analyzed",
+  "lastModified": "2023-08-28T09:15:08.850",
+  "vulnStatus": "Modified",
   "descriptions": [
     {
       "lang": "en",
-      "value": "Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via crafted value as the retry delay."
+      "value": "** DISPUTED ** Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error."
     }
   ],
   "metrics": {
@@ -64,6 +64,10 @@
     }
   ],
   "references": [
+    {
+      "url": "https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/",
+      "source": "cve@mitre.org"
+    },
     {
       "url": "https://github.com/curl/curl/pull/4166",
       "source": "cve@mitre.org",

CVE-2023/CVE-2023-276xx/CVE-2023-27604.json

@@ -0,0 +1,36 @@
+{
+  "id": "CVE-2023-27604",
+  "sourceIdentifier": "security@apache.org",
+  "published": "2023-08-28T08:15:14.697",
+  "lastModified": "2023-08-28T08:15:14.697",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via \u2018sqoop import --connect\u2019, obtain airflow server permissions, etc. The attacker needs to be logged in and have authorization (permissions) to create/edit connections.\n\n It is recommended to upgrade to a version that is not affected.\nThis issue was reported independently by happyhacking-k, And Xie Jianming and LiuHui of Caiji Sec Team also reported it."
+    }
+  ],
+  "metrics": {},
+  "weaknesses": [
+    {
+      "source": "security@apache.org",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-20"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/apache/airflow/pull/33039",
+      "source": "security@apache.org"
+    },
+    {
+      "url": "https://lists.apache.org/thread/lswlxf11do51ob7f6xyyg8qp3n7wdrgd",
+      "source": "security@apache.org"
+    }
+  ]
+}

CVE-2023/CVE-2023-401xx/CVE-2023-40195.json

@@ -0,0 +1,40 @@
+{
+  "id": "CVE-2023-40195",
+  "sourceIdentifier": "security@apache.org",
+  "published": "2023-08-28T08:15:14.797",
+  "lastModified": "2023-08-28T08:15:14.797",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider.\n\nWhen the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to configure Spark hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out in the documentation explicitly, so it is possible that administrators provided authorizations to configure Spark hooks without taking this into account. We recommend administrators to review their configurations to make sure the authorization to configure Spark hooks is only provided to fully trusted users.\n\nTo view the warning in the docs please visit\u00a0 https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html \n\n"
+    }
+  ],
+  "metrics": {},
+  "weaknesses": [
+    {
+      "source": "security@apache.org",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-502"
+        },
+        {
+          "lang": "en",
+          "value": "CWE-829"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/apache/airflow/pull/33233",
+      "source": "security@apache.org"
+    },
+    {
+      "url": "https://lists.apache.org/thread/fzy95b1d6zv31j5wrx3znhzcscck2o24",
+      "source": "security@apache.org"
+    }
+  ]
+}

README.md

@@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
 ### Last Repository Update
 
 ```plain
-2023-08-28T08:00:31.677577+00:00
+2023-08-28T10:00:32.685210+00:00
 ```
 
 ### Most recent CVE Modification Timestamp synchronized with NVD
 
 ```plain
-2023-08-28T07:15:09.513000+00:00
+2023-08-28T09:15:08.850000+00:00
 ```
 
 ### Last Data Feed Release
@@ -29,21 +29,22 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
 ### Total Number of included CVEs
 
 ```plain
-223529
+223531
 ```
 
 ### CVEs added in the last Commit
 
 Recently added CVEs: `2`
 
-* [CVE-2023-38029](CVE-2023/CVE-2023-380xx/CVE-2023-38029.json) (`2023-08-28T06:15:07.857`)
-* [CVE-2023-38030](CVE-2023/CVE-2023-380xx/CVE-2023-38030.json) (`2023-08-28T07:15:09.513`)
+* [CVE-2023-27604](CVE-2023/CVE-2023-276xx/CVE-2023-27604.json) (`2023-08-28T08:15:14.697`)
+* [CVE-2023-40195](CVE-2023/CVE-2023-401xx/CVE-2023-40195.json) (`2023-08-28T08:15:14.797`)
 
 
 ### CVEs modified in the last Commit
 
-Recently modified CVEs: `0`
+Recently modified CVEs: `1`
 
+* [CVE-2020-19909](CVE-2020/CVE-2020-199xx/CVE-2020-19909.json) (`2023-08-28T09:15:08.850`)
 
 
 ## Download and Usage