Auto-Update: 2023-11-10T21:00:18.809981+00:00

2025-05-08 03:27:17 +00:00 · 2023-11-10 21:00:22 +00:00 · 2023-11-10 21:00:22 +00:00 · 88712814a9
commit 88712814a9
parent 927cf083c1
4 changed files with 189 additions and 23 deletions
--- a/CVE-2023/CVE-2023-360xx/CVE-2023-36027.json
+++ b/CVE-2023/CVE-2023-360xx/CVE-2023-36027.json
@ -0,0 +1,43 @@
+{
+  "id": "CVE-2023-36027",
+  "sourceIdentifier": "secure@microsoft.com",
+  "published": "2023-11-10T20:15:07.263",
+  "lastModified": "2023-11-10T20:15:07.263",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability"
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "secure@microsoft.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "REQUIRED",
+          "scope": "CHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "LOW",
+          "availabilityImpact": "LOW",
+          "baseScore": 7.1,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 2.8,
+        "impactScore": 3.7
+      }
+    ]
+  },
+  "references": [
+    {
+      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36027",
+      "source": "secure@microsoft.com"
+    }
+  ]
+}
--- a/CVE-2023/CVE-2023-471xx/CVE-2023-47108.json
+++ b/CVE-2023/CVE-2023-471xx/CVE-2023-47108.json
@ -0,0 +1,75 @@
+{
+  "id": "CVE-2023-47108",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2023-11-10T19:15:16.410",
+  "lastModified": "2023-11-10T19:15:16.410",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "NONE",
+          "integrityImpact": "NONE",
+          "availabilityImpact": "HIGH",
+          "baseScore": 7.5,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 3.9,
+        "impactScore": 3.6
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-770"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/CVE-2023/CVE-2023-471xx/CVE-2023-47129.json
+++ b/CVE-2023/CVE-2023-471xx/CVE-2023-47129.json
@ -0,0 +1,63 @@
+{
+  "id": "CVE-2023-47129",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2023-11-10T19:15:16.617",
+  "lastModified": "2023-11-10T19:15:16.617",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the \"Forms\" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.\n"
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
+          "attackVector": "NETWORK",
+          "attackComplexity": "HIGH",
+          "privilegesRequired": "NONE",
+          "userInteraction": "REQUIRED",
+          "scope": "CHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "HIGH",
+          "baseScore": 8.3,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 1.6,
+        "impactScore": 6.0
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-434"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/statamic/cms/commit/098ef8024d97286ca501273c18ae75b646262d75",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/statamic/cms/commit/f6c688154f6bdbd0b67039f8f11dcd98ba061e77",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/README.md
+++ b/README.md
@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
 ### Last Repository Update

 ```plain
-2023-11-10T19:00:18.971640+00:00
+2023-11-10T21:00:18.809981+00:00
 ```

 ### Most recent CVE Modification Timestamp synchronized with NVD

 ```plain
-2023-11-10T18:15:10.280000+00:00
+2023-11-10T20:15:07.263000+00:00
 ```

 ### Last Data Feed Release
@ -29,37 +29,22 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
 ### Total Number of included CVEs

 ```plain
-230340
+230343
 ```

 ### CVEs added in the last Commit

-Recently added CVEs: `6`
+Recently added CVEs: `3`

-* [CVE-2023-47611](CVE-2023/CVE-2023-476xx/CVE-2023-47611.json) (`2023-11-10T17:15:07.380`)
-* [CVE-2023-4949](CVE-2023/CVE-2023-49xx/CVE-2023-4949.json) (`2023-11-10T17:15:07.570`)
-* [CVE-2023-46733](CVE-2023/CVE-2023-467xx/CVE-2023-46733.json) (`2023-11-10T18:15:09.050`)
-* [CVE-2023-46734](CVE-2023/CVE-2023-467xx/CVE-2023-46734.json) (`2023-11-10T18:15:09.360`)
-* [CVE-2023-46735](CVE-2023/CVE-2023-467xx/CVE-2023-46735.json) (`2023-11-10T18:15:09.657`)
-* [CVE-2023-47128](CVE-2023/CVE-2023-471xx/CVE-2023-47128.json) (`2023-11-10T18:15:09.870`)
+* [CVE-2023-47108](CVE-2023/CVE-2023-471xx/CVE-2023-47108.json) (`2023-11-10T19:15:16.410`)
+* [CVE-2023-47129](CVE-2023/CVE-2023-471xx/CVE-2023-47129.json) (`2023-11-10T19:15:16.617`)
+* [CVE-2023-36027](CVE-2023/CVE-2023-360xx/CVE-2023-36027.json) (`2023-11-10T20:15:07.263`)


 ### CVEs modified in the last Commit

-Recently modified CVEs: `12`
+Recently modified CVEs: `0`

-* [CVE-2023-31102](CVE-2023/CVE-2023-311xx/CVE-2023-31102.json) (`2023-11-10T18:15:07.827`)
-* [CVE-2023-32636](CVE-2023/CVE-2023-326xx/CVE-2023-32636.json) (`2023-11-10T18:15:07.903`)
-* [CVE-2023-39325](CVE-2023/CVE-2023-393xx/CVE-2023-39325.json) (`2023-11-10T18:15:08.033`)
-* [CVE-2023-40745](CVE-2023/CVE-2023-407xx/CVE-2023-40745.json) (`2023-11-10T18:15:08.150`)
-* [CVE-2023-40791](CVE-2023/CVE-2023-407xx/CVE-2023-40791.json) (`2023-11-10T18:15:08.277`)
-* [CVE-2023-41900](CVE-2023/CVE-2023-419xx/CVE-2023-41900.json) (`2023-11-10T18:15:08.370`)
-* [CVE-2023-42445](CVE-2023/CVE-2023-424xx/CVE-2023-42445.json) (`2023-11-10T18:15:08.490`)
-* [CVE-2023-44387](CVE-2023/CVE-2023-443xx/CVE-2023-44387.json) (`2023-11-10T18:15:08.597`)
-* [CVE-2023-45871](CVE-2023/CVE-2023-458xx/CVE-2023-45871.json) (`2023-11-10T18:15:08.733`)
-* [CVE-2023-46604](CVE-2023/CVE-2023-466xx/CVE-2023-46604.json) (`2023-11-10T18:15:08.920`)
-* [CVE-2023-4586](CVE-2023/CVE-2023-45xx/CVE-2023-4586.json) (`2023-11-10T18:15:10.077`)
-* [CVE-2023-4813](CVE-2023/CVE-2023-48xx/CVE-2023-4813.json) (`2023-11-10T18:15:10.280`)


 ## Download and Usage