diff --git a/CVE-2023/CVE-2023-23xx/CVE-2023-2340.json b/CVE-2023/CVE-2023-23xx/CVE-2023-2340.json new file mode 100644 index 00000000000..19cf68a0eb5 --- /dev/null +++ b/CVE-2023/CVE-2023-23xx/CVE-2023-2340.json @@ -0,0 +1,59 @@ +{ + "id": "CVE-2023-2340", + "sourceIdentifier": "security@huntr.dev", + "published": "2023-04-27T13:15:09.213", + "lastModified": "2023-04-27T13:15:09.213", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21." + } + ], + "metrics": { + "cvssMetricV30": [ + { + "source": "security@huntr.dev", + "type": "Secondary", + "cvssData": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.8, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "security@huntr.dev", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/pimcore/pimcore/commit/aa38319e353cc3cdfac12e03e21ed7a8f3628d3e", + "source": "security@huntr.dev" + }, + { + "url": "https://huntr.dev/bounties/964762b0-b4fe-441c-81e1-0ebdbbf80f3b", + "source": "security@huntr.dev" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-292xx/CVE-2023-29255.json b/CVE-2023/CVE-2023-292xx/CVE-2023-29255.json new file mode 100644 index 00000000000..96785aa9565 --- /dev/null +++ b/CVE-2023/CVE-2023-292xx/CVE-2023-29255.json @@ -0,0 +1,59 @@ +{ + "id": "CVE-2023-29255", + "sourceIdentifier": "psirt@us.ibm.com", + "published": "2023-04-27T13:15:09.053", + "lastModified": "2023-04-27T13:15:09.053", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as it may trap when compiling a variation of an anonymous block. IBM X-Force ID: 251991." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "psirt@us.ibm.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + } + ] + }, + "weaknesses": [ + { + "source": "psirt@us.ibm.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-20" + } + ] + } + ], + "references": [ + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/251991", + "source": "psirt@us.ibm.com" + }, + { + "url": "https://www.ibm.com/support/pages/node/6985687", + "source": "psirt@us.ibm.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-304xx/CVE-2023-30444.json b/CVE-2023/CVE-2023-304xx/CVE-2023-30444.json new file mode 100644 index 00000000000..483a4e4ee63 --- /dev/null +++ b/CVE-2023/CVE-2023-304xx/CVE-2023-30444.json @@ -0,0 +1,55 @@ +{ + "id": "CVE-2023-30444", + "sourceIdentifier": "psirt@us.ibm.com", + "published": "2023-04-27T13:15:09.290", + "lastModified": "2023-04-27T13:15:09.290", + "vulnStatus": "Received", + "descriptions": [ + { + "lang": "en", + "value": "IBM Watson Machine Learning on Cloud Pak for Data 4.0 and 4.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 253350." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "psirt@us.ibm.com", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 7.1, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 2.8, + "impactScore": 4.2 + } + ] + }, + "weaknesses": [ + { + "source": "psirt@us.ibm.com", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-918" + } + ] + } + ], + "references": [ + { + "url": "https://www.ibm.com/support/pages/node/6985859", + "source": "psirt@us.ibm.com" + } + ] +} \ No newline at end of file diff --git a/CVE-2023/CVE-2023-305xx/CVE-2023-30542.json b/CVE-2023/CVE-2023-305xx/CVE-2023-30542.json index a6c5186c470..03ab833b608 100644 --- a/CVE-2023/CVE-2023-305xx/CVE-2023-30542.json +++ b/CVE-2023/CVE-2023-305xx/CVE-2023-30542.json @@ -2,8 +2,8 @@ "id": "CVE-2023-30542", "sourceIdentifier": "security-advisories@github.com", "published": "2023-04-16T08:15:07.867", - "lastModified": "2023-04-17T13:12:43.170", - "vulnStatus": "Awaiting Analysis", + "lastModified": "2023-04-27T13:23:36.267", + "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", @@ -12,6 +12,26 @@ ], "metrics": { "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH" + }, + "exploitabilityScore": 2.8, + "impactScore": 5.9 + }, { "source": "security-advisories@github.com", "type": "Secondary", @@ -36,8 +56,18 @@ }, "weaknesses": [ { - "source": "security-advisories@github.com", + "source": "nvd@nist.gov", "type": "Primary", + "description": [ + { + "lang": "en", + "value": "NVD-CWE-noinfo" + } + ] + }, + { + "source": "security-advisories@github.com", + "type": "Secondary", "description": [ { "lang": "en", @@ -46,14 +76,46 @@ ] } ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:node.js:*:*", + "versionStartIncluding": "4.3.0", + "versionEndExcluding": "4.8.3", + "matchCriteriaId": "411C30F2-953A-46C1-B290-F73D73742342" + }, + { + "vulnerable": true, + "criteria": "cpe:2.3:a:openzeppelin:contracts_upgradeable:*:*:*:*:*:node.js:*:*", + "versionStartIncluding": "4.3.0", + "versionEndExcluding": "4.8.3", + "matchCriteriaId": "DE759E37-EAC7-4CDA-9AB1-0703E9398214" + } + ] + } + ] + } + ], "references": [ { "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3", - "source": "security-advisories@github.com" + "source": "security-advisories@github.com", + "tags": [ + "Release Notes" + ] }, { "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-93hq-5wgc-jc82", - "source": "security-advisories@github.com" + "source": "security-advisories@github.com", + "tags": [ + "Vendor Advisory" + ] } ] } \ No newline at end of file diff --git a/README.md b/README.md index 4e99e06f385..bb00920c630 100644 --- a/README.md +++ b/README.md @@ -2,23 +2,23 @@ Community reconstruction of the soon-to-be deprecated JSON NVD Data Feeds. [Releases](https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest) each day at 00:00 AM UTC. -Repository synchronizes with the NVD in 2 hour periods. +Repository synchronizes with the NVD every 2 hours. -## Repository at a glance +## Repository at a Glance -### Last repository update +### Last Repository Update ```plain -2023-04-27T13:02:44.285971+00:00 +2023-04-27T14:00:21.230695+00:00 ``` -### Most recent CVE modification timestamp synchronized with NVD +### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2023-04-27T12:15:09.300000+00:00 +2023-04-27T13:23:36.267000+00:00 ``` -### Last Data Feed release +### Last Data Feed Release Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest) @@ -26,33 +26,26 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ 2023-04-27T00:00:20.965588+00:00 ``` -### Total numbers of included CVEs +### Total Number of included CVEs ```plain -213663 +213666 ``` -### CVEs added in the last commit +### CVEs added in the last Commit -Recently added CVEs: `0` +Recently added CVEs: `3` + +* CVE-2023-2340 (`2023-04-27T13:15:09.213`) +* CVE-2023-29255 (`2023-04-27T13:15:09.053`) +* CVE-2023-30444 (`2023-04-27T13:15:09.290`) +### CVEs modified in the last Commit -### CVEs modified in the last commit +Recently modified CVEs: `1` -Recently modified CVEs: `11` - -* CVE-2023-1778 (`2023-04-27T10:15:09.160`) -* CVE-2023-2322 (`2023-04-27T09:15:09.927`) -* CVE-2023-2323 (`2023-04-27T09:15:10.007`) -* CVE-2023-2327 (`2023-04-27T10:15:09.603`) -* CVE-2023-2328 (`2023-04-27T10:15:09.670`) -* CVE-2023-2331 (`2023-04-27T12:15:09.070`) -* CVE-2023-2336 (`2023-04-27T12:15:09.173`) -* CVE-2023-2338 (`2023-04-27T12:15:09.237`) -* CVE-2023-2339 (`2023-04-27T12:15:09.300`) -* CVE-2023-28769 (`2023-04-27T09:15:09.057`) -* CVE-2023-28770 (`2023-04-27T09:15:09.850`) +* CVE-2023-30542 (`2023-04-27T13:23:36.267`) ## Download and Usage @@ -63,7 +56,7 @@ There are several ways you can work with the data in this repository: The most straightforward approach is to obtain the latest Data Feed release packages [here](https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest). -Each day on 02:00 AM UTC we package and upload json files that aim to reconstruct the legacy NVD CVE Data Feeds. +Each day at 00:00 AM UTC we package and upload JSON files that aim to reconstruct the legacy NVD CVE Data Feeds. Those are aggregated by the `year` part of the CVE identifier: ``` @@ -78,14 +71,14 @@ CVE-2023.json We also upload the well-known `Recent` and `Modified` feeds. Furthermore, we provide the `All` feed, which contains a recent snapshot of all NVD records. -Once your local copy is synced and the last sync was no older than 8 days, you can rely on these to stay up to date: +Once your local copy is synchronized and the last synchronization is no older than 8 days, you can rely on these to stay up to date: ```plain CVE-Recent.json # CVEs that were added in the previous eight days CVE-Modified.json # CVEs that were modified or added in the previous eight days ``` -Note that all feeds are distributed in `xz`-compressed format to save storage and bandwidth on Github. +Note that all feeds are distributed in `xz`-compressed format to save storage and bandwidth. For decompression execute: ```sh @@ -95,7 +88,7 @@ xz -d -k .json.xz #### Automation using Release Data Feed Packages -You can fetch the latest releases for each package using the following static link layout: +You can fetch the latest releases for each package with the following static link layout: ```sh https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest/download/CVE-.json.xz @@ -108,14 +101,14 @@ wget https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest/download/CV xz -d -k CVE-2023.json.xz ``` -### 2) Clone the repository (with git history) +### 2) Clone the Repository (with Git History) -As you can see by browsing this repository, there is a slight difference between the release packages format and the repo folder structure. +As you can see by browsing this repository, there is a slight difference between the release packages format and the repository folder structure. This is because we want to maintain explorability of the dataset. -Each CVE gets its own json file, e.g., `CVE-1999-0001.json`. +Each CVE gets its own JSON file, e.g., `CVE-1999-0001.json`. Here, each file is put into a folder layout that first sorts by CVE `year` identifier part and then by `number` part. -We mask (`xx`) the last two digits to create easily navigable folders that hold a maximum of 100 CVE jsons: +We mask (`xx`) the last two digits to create easily navigable folders that hold a maximum of 100 CVE JSON files: ```plain . @@ -135,15 +128,15 @@ We mask (`xx`) the last two digits to create easily navigable folders that hold └── [...] ``` -A byproduct of managing and continuously updating this dataset via git is that we can track changes over time through the git history. +A byproduct of managing and continuously updating this dataset via Git is that we can track changes over time through the Git history. -If you are interested in having the NVD data as organized above, including the historical data of changes, just clone this repo (large!): +If you are interested in having the NVD data as organized above, including the historical data of changes, just clone this repository (large!): ```sh git clone https://github.com/fkie-cad/nvd-json-data-feeds.git ``` -### 3) Clone the repository (without git history) +### 3) Clone the Repository (without Git History) Don't need the history? Then create a shallow copy: @@ -153,18 +146,18 @@ git clone --depth 1 -b main https://github.com/fkie-cad/nvd-json-data-feeds.git ## Motivation -As of Sept. 2023, the NIST will retire all [json-based NVD Data Feeds](https://nvd.nist.gov/vuln/data-feeds#divRetirementBanner-1). +As of September 2023, the NIST will retire all [JSON-based NVD Data Feeds](https://nvd.nist.gov/vuln/data-feeds#divRetirementBanner-1). The new [NVD CVE API 2.0](https://nvd.nist.gov/developers/vulnerabilities) is, without a doubt, a great way to obtain CVE information. However, we from [Fraunhofer FKIE - Cyber Analysis and Defense](https://www.fkie.fraunhofer.de/en/departments/cad.html) believe that the API does not cover a variety of use cases. The legacy NVD Data Feeds provided a convenient way to quickly obtain a complete, file-based offline database snapshot; just download the `CVE-.tar.gz`, decompress it, and use it as you please, e.g.: -* Put the json feed into a document-based database and quickly leverage upon that data in your software project, ... +* Put the JSON feed into a document-based database and quickly leverage upon that data in your software project, ... * Parse and analyze it using your favorite programming language, ... * Put it on a USB stick and transfer it to a system without internet access, or ... * Query the file using `jq`! -Unfortunately, the new NVD API 2.0 puts complexity into this process. +Unfortunately, the new NVD API 2.0 adds complexity to this process. We want to preserve ease of use by reconstructing these data sources. ## Non-Endorsement Clause