Auto-Update: 2023-05-19 22:00:29.011435+00:00

2025-05-07 19:16:29 +00:00 · 2023-05-19 22:00:32 +00:00 · 2023-05-19 22:00:32 +00:00 · e0f2092203
commit e0f2092203
parent 855cd67ef8
4 changed files with 189 additions and 14 deletions
--- a/CVE-2023/CVE-2023-326xx/CVE-2023-32675.json
+++ b/CVE-2023/CVE-2023-326xx/CVE-2023-32675.json
@ -0,0 +1,59 @@
+{
+  "id": "CVE-2023-32675",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2023-05-19T20:15:09.230",
+  "lastModified": "2023-05-19T20:15:09.230",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
+          "attackVector": "NETWORK",
+          "attackComplexity": "HIGH",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "NONE",
+          "integrityImpact": "LOW",
+          "availabilityImpact": "NONE",
+          "baseScore": 3.7,
+          "baseSeverity": "LOW"
+        },
+        "exploitabilityScore": 2.2,
+        "impactScore": 1.4
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-670"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/vyperlang/vyper/commit/02339dfda0f3caabad142060d511d10bfe93c520.",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-vxmm-cwh2-q762",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/CVE-2023/CVE-2023-326xx/CVE-2023-32677.json
+++ b/CVE-2023/CVE-2023-326xx/CVE-2023-32677.json
@ -0,0 +1,67 @@
+{
+  "id": "CVE-2023-32677",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2023-05-19T21:15:08.740",
+  "lastModified": "2023-05-19T21:15:08.740",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows a user to invite a new user also allows them to set the streams that the new user is invited to -- even if the inviting user would not have permissions to add an existing user to streams. While such a configuration is likely rare in practice, the behavior does violate security-related controls. This does not let a user invite new users to streams they cannot see, or would not be able to add users to if they had that general permission. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may limit sending of invitations down to users who also have the permission to add users to streams."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
+          "attackVector": "NETWORK",
+          "attackComplexity": "HIGH",
+          "privilegesRequired": "LOW",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "NONE",
+          "availabilityImpact": "NONE",
+          "baseScore": 3.1,
+          "baseSeverity": "LOW"
+        },
+        "exploitabilityScore": 1.6,
+        "impactScore": 1.4
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-862"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/zulip/zulip/commit/7c2693a2c64904d1d0af8503b57763943648cbe5",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/zulip/zulip/security/advisories/GHSA-mrvp-96q6-jpvc",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://zulip.com/help/configure-who-can-invite-to-streams",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://zulip.com/help/restrict-account-creation#change-who-can-send-invitations",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/CVE-2023/CVE-2023-326xx/CVE-2023-32679.json
+++ b/CVE-2023/CVE-2023-326xx/CVE-2023-32679.json
@ -0,0 +1,55 @@
+{
+  "id": "CVE-2023-32679",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2023-05-19T20:15:09.310",
+  "lastModified": "2023-05-19T20:15:09.310",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "HIGH",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "HIGH",
+          "baseScore": 7.2,
+          "baseSeverity": "HIGH"
+        },
+        "exploitabilityScore": 1.2,
+        "impactScore": 5.9
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-74"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/README.md
+++ b/README.md
@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
 ### Last Repository Update

 ```plain
-2023-05-19T20:00:28.756086+00:00
+2023-05-19T22:00:29.011435+00:00
 ```

 ### Most recent CVE Modification Timestamp synchronized with NVD

 ```plain
-2023-05-19T19:11:04.160000+00:00
+2023-05-19T21:15:08.740000+00:00
 ```

 ### Last Data Feed Release
@ -29,28 +29,22 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
 ### Total Number of included CVEs

 ```plain
-215670
+215673
 ```

 ### CVEs added in the last Commit

-Recently added CVEs: `0`
+Recently added CVEs: `3`

+* [CVE-2023-32675](CVE-2023/CVE-2023-326xx/CVE-2023-32675.json) (`2023-05-19T20:15:09.230`)
+* [CVE-2023-32679](CVE-2023/CVE-2023-326xx/CVE-2023-32679.json) (`2023-05-19T20:15:09.310`)
+* [CVE-2023-32677](CVE-2023/CVE-2023-326xx/CVE-2023-32677.json) (`2023-05-19T21:15:08.740`)


 ### CVEs modified in the last Commit

-Recently modified CVEs: `9`
+Recently modified CVEs: `0`

-* [CVE-2021-46877](CVE-2021/CVE-2021-468xx/CVE-2021-46877.json) (`2023-05-19T19:11:04.160`)
-* [CVE-2022-32114](CVE-2022/CVE-2022-321xx/CVE-2022-32114.json) (`2023-05-19T18:15:09.237`)
-* [CVE-2023-29809](CVE-2023/CVE-2023-298xx/CVE-2023-29809.json) (`2023-05-19T18:15:09.340`)
-* [CVE-2023-2457](CVE-2023/CVE-2023-24xx/CVE-2023-2457.json) (`2023-05-19T18:33:08.217`)
-* [CVE-2023-25958](CVE-2023/CVE-2023-259xx/CVE-2023-25958.json) (`2023-05-19T18:33:11.257`)
-* [CVE-2023-2458](CVE-2023/CVE-2023-24xx/CVE-2023-2458.json) (`2023-05-19T18:33:22.990`)
-* [CVE-2023-27863](CVE-2023/CVE-2023-278xx/CVE-2023-27863.json) (`2023-05-19T18:33:52.137`)
-* [CVE-2023-30247](CVE-2023/CVE-2023-302xx/CVE-2023-30247.json) (`2023-05-19T18:34:45.307`)
-* [CVE-2023-22312](CVE-2023/CVE-2023-223xx/CVE-2023-22312.json) (`2023-05-19T18:38:40.060`)


 ## Download and Usage