Auto-Update: 2024-03-30T19:00:37.755072+00:00

cad-safe-bot 2024-03-30 19:03:28 +00:00
parent 0ad191c329
commit f2cbec1471
3 changed files with 67 additions and 8 deletions


@ -0,0 +1,59 @@
{
"id": "CVE-2024-1522",
"sourceIdentifier": "security@huntr.dev",
"published": "2024-03-30T18:15:45.930",
"lastModified": "2024-03-30T18:15:45.930",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "I have activated the CORS because I had a development ui that uses another port number then I forgot to remove it.\n\nSo what I just did is :\n- First removed the cors configuration that allows everyone to access it :\nbefore:\n```python\n sio = socketio.AsyncServer(async_mode=\"asgi\", cors_allowed_origins=\"*\", ping_timeout=1200, ping_interval=30) # Enable CORS for every one\n```\nafter:\n```python\n cert_file_path = lollms_paths.personal_certificates/\"cert.pem\"\n key_file_path = lollms_paths.personal_certificates/\"key.pem\"\n if os.path.exists(cert_file_path) and os.path.exists(key_file_path):\n is_https = True\n else:\n is_https = False \n\n # Create a Socket.IO server\n sio = socketio.AsyncServer(async_mode=\"asgi\", cors_allowed_origins=config.allowed_origins+[f\"https://localhost:{config['port']}\" if is_https else f\"http://localhost:{config['port']}\"], ping_timeout=1200, ping_interval=30) # Enable CORS for selected origins\n```\n\n- Second, I have updated lollms to have two modes (a headless mode and a ui mode).\nAnd updated the /execute_code to block if the server is headless or is exposed\n```python\n@router.post(\"/execute_code\")\nasync def execute_code(request: Request):\n \"\"\"\n Executes Python code and returns the output.\n\n :param request: The HTTP request object.\n :return: A JSON response with the status of the operation.\n \"\"\"\n if lollmsElfServer.config.headless_server_mode:\n return {\"status\":False,\"error\":\"Code execution is blocked when in headless mode for obvious security reasons!\"}\n\n if lollmsElfServer.config.host==\"0.0.0.0\":\n return {\"status\":False,\"error\":\"Code execution is blocked when the server is exposed outside for very obvipous reasons!\"}\n\n try:\n data = (await request.json())\n code = data[\"code\"]\n discussion_id = int(data.get(\"discussion_id\",\"unknown_discussion\"))\n message_id = int(data.get(\"message_id\",\"unknown_message\"))\n language = data.get(\"language\",\"python\")\n \n\n\n 
if language==\"python\":\n ASCIIColors.info(\"Executing python code:\")\n ASCIIColors.yellow(code)\n return execute_python(code, discussion_id, message_id)\n if language==\"javascript\":\n ASCIIColors.info(\"Executing javascript code:\")\n ASCIIColors.yellow(code)\n return execute_javascript(code, discussion_id, message_id)\n if language in [\"html\",\"html5\",\"svg\"]:\n ASCIIColors.info(\"Executing javascript code:\")\n ASCIIColors.yellow(code)\n return execute_html(code, discussion_id, message_id)\n \n elif language==\"latex\":\n ASCIIColors.info(\"Executing latex code:\")\n ASCIIColors.yellow(code)\n return execute_latex(code, discussion_id, message_id)\n elif language in [\"bash\",\"shell\",\"cmd\",\"powershell\"]:\n ASCIIColors.info(\"Executing shell code:\")\n ASCIIColors.yellow(code)\n return execute_bash(code, discussion_id, message_id)\n elif language in [\"mermaid\"]:\n ASCIIColors.info(\"Executing mermaid code:\")\n ASCIIColors.yellow(code)\n return execute_mermaid(code, discussion_id, message_id)\n elif language in [\"graphviz\",\"dot\"]:\n ASCIIColors.info(\"Executing graphviz code:\")\n ASCIIColors.yellow(code)\n return execute_graphviz(code, discussion_id, message_id)\n return {\"status\": False, \"error\": \"Unsupported language\", \"execution_time\": 0}\n except Exception as ex:\n trace_exception(ex)\n lollmsElfServer.error(ex)\n return {\"status\":False,\"error\":str(ex)}\n```\n\nI also added an optional https mode and looking forward to add a full authentication with cookies and a personal session etc.\n\n\nAll updates will be in V 9.1 \n\n\nAgain, thanks alot for your work. I will make it harder next time, but if you find more bugs, just be my guest :)"
}
],
"metrics": {
"cvssMetricV30": [
{
"source": "security@huntr.dev",
"type": "Secondary",
"cvssData": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
]
},
"weaknesses": [
{
"source": "security@huntr.dev",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-352"
}
]
}
],
"references": [
{
"url": "https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b",
"source": "security@huntr.dev"
},
{
"url": "https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71",
"source": "security@huntr.dev"
}
]
}
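Review bot: `descriptions[0].value` is a first-person maintainer reply ("I have activated the CORS because I had a development ui ...") rather than a vulnerability summary, and the record has no configuration/CPE block, so nothing in it names the affected product or version except the two `references` URLs. The mirror should keep the upstream text byte-for-byte while `vulnStatus` is "Received", but anything downstream that matches on description keywords should key on `references` and on the CWE-352 entry under `weaknesses` for this CVE. Two things to carry into triage from the fix quoted in that field: the `/execute_code` guard compares `config.host` only with "0.0.0.0", so it says nothing about a bind to another non-loopback address, and the Socket.IO allow-list is `config.allowed_origins` plus the localhost origin, so the effective CORS exposure depends on what operators put in that setting.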


@ -13,13 +13,13 @@ Repository synchronizes with the NVD every 2 hours.
### Last Repository Update ### Last Repository Update
```plain ```plain
2024-03-30T15:00:37.901925+00:00 2024-03-30T19:00:37.755072+00:00
``` ```
### Most recent CVE Modification Timestamp synchronized with NVD ### Most recent CVE Modification Timestamp synchronized with NVD
```plain ```plain
2024-03-30T14:15:07.720000+00:00 2024-03-30T18:15:45.930000+00:00
``` ```
### Last Data Feed Release ### Last Data Feed Release
@ -33,15 +33,14 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
### Total Number of included CVEs ### Total Number of included CVEs
```plain ```plain
243442 243443
``` ```
### CVEs added in the last Commit ### CVEs added in the last Commit
Recently added CVEs: `2` Recently added CVEs: `1`
- [CVE-2024-3090](CVE-2024/CVE-2024-30xx/CVE-2024-3090.json) (`2024-03-30T13:15:45.663`) - [CVE-2024-1522](CVE-2024/CVE-2024-15xx/CVE-2024-1522.json) (`2024-03-30T18:15:45.930`)
- [CVE-2024-3091](CVE-2024/CVE-2024-30xx/CVE-2024-3091.json) (`2024-03-30T14:15:07.720`)
### CVEs modified in the last Commit ### CVEs modified in the last Commit


@ -239095,6 +239095,7 @@ CVE-2024-1515,0,0,10b8f7584c1d46b0c128529ff6f70b319305352d97cad9adba528cb892ba5a
CVE-2024-1516,0,0,0682d9e420aa946a0984c09969b8a3678dc3bf8e7ee03099492a3120e2d66ebf,2024-02-28T14:06:45.783000 CVE-2024-1516,0,0,0682d9e420aa946a0984c09969b8a3678dc3bf8e7ee03099492a3120e2d66ebf,2024-02-28T14:06:45.783000
CVE-2024-1519,0,0,c896f4900048f4c20516f0867e21ed67ad610a4383bb1c6f7418db09defb6991,2024-02-29T13:49:29.390000 CVE-2024-1519,0,0,c896f4900048f4c20516f0867e21ed67ad610a4383bb1c6f7418db09defb6991,2024-02-29T13:49:29.390000
CVE-2024-1521,0,0,e31c834264512a69616436064a77ed46807a9b0fc5577151a1db5822b2ee5d08,2024-03-27T12:29:30.307000 CVE-2024-1521,0,0,e31c834264512a69616436064a77ed46807a9b0fc5577151a1db5822b2ee5d08,2024-03-27T12:29:30.307000
CVE-2024-1522,1,1,c8358a8479805993163784de40b139db44de744ef037505028fe892ae3996399,2024-03-30T18:15:45.930000
CVE-2024-1523,0,0,721970163db9a6dae0df03cedd71fdd66f1e0962f7f754fea5cd28f457c2c9b4,2024-02-15T06:23:39.303000 CVE-2024-1523,0,0,721970163db9a6dae0df03cedd71fdd66f1e0962f7f754fea5cd28f457c2c9b4,2024-02-15T06:23:39.303000
CVE-2024-1525,0,0,fff84c6c726ad730b73a3bd54bd21496a1cae79f6fe36efed68cabad049a1519,2024-03-04T20:14:59.457000 CVE-2024-1525,0,0,fff84c6c726ad730b73a3bd54bd21496a1cae79f6fe36efed68cabad049a1519,2024-03-04T20:14:59.457000
CVE-2024-1527,0,0,8f06fe1c17bff39e91c6d3012913ea5f8070ff383b8a0b61bb88d3bd435f1fdc,2024-03-12T17:46:17.273000 CVE-2024-1527,0,0,8f06fe1c17bff39e91c6d3012913ea5f8070ff383b8a0b61bb88d3bd435f1fdc,2024-03-12T17:46:17.273000
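Review bot: the new `CVE-2024-1522,1,1,...` row relies on column meanings that nothing in this diff documents: the second and third fields, and what the 64-hex-character fourth field is a digest of. Reading both hunks of this file, the `1,1` pair looks like an added/modified-in-last-sync marker, but that is inference; a header row or a short column description in the README would let consumers parse the state file without guessing.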
@ -243425,8 +243426,8 @@ CVE-2024-3086,0,0,cc5a01ab88ce423f04c8e499fc5c4ae76ca65b66c37b46eb53fe666ff0b26b
CVE-2024-3087,0,0,58a2a50b13efdc9006ff609b1b35a4d1f9aa703f618a30d89033d50f7e02b844,2024-03-30T11:15:50.123000 CVE-2024-3087,0,0,58a2a50b13efdc9006ff609b1b35a4d1f9aa703f618a30d89033d50f7e02b844,2024-03-30T11:15:50.123000
CVE-2024-3088,0,0,75e336a30e6366575c15823fb5c1169d3c04cc034936f7f9923994a537b606f7,2024-03-30T11:15:50.483000 CVE-2024-3088,0,0,75e336a30e6366575c15823fb5c1169d3c04cc034936f7f9923994a537b606f7,2024-03-30T11:15:50.483000
CVE-2024-3089,0,0,d9e6000375bc975d92e9af606a08c79464dd8df87e00cc3a7780d662edd5a1a0,2024-03-30T12:15:07.730000 CVE-2024-3089,0,0,d9e6000375bc975d92e9af606a08c79464dd8df87e00cc3a7780d662edd5a1a0,2024-03-30T12:15:07.730000
CVE-2024-3090,1,1,041a60bb5db48d2385ac7440882bf24387cc4a4c84793d33c53aebe3dee428b4,2024-03-30T13:15:45.663000 CVE-2024-3090,0,0,041a60bb5db48d2385ac7440882bf24387cc4a4c84793d33c53aebe3dee428b4,2024-03-30T13:15:45.663000
CVE-2024-3091,1,1,9228666915943527bd7b660c37f84937c5d51df8cece4dbce66d12f967ca2b48,2024-03-30T14:15:07.720000 CVE-2024-3091,0,0,9228666915943527bd7b660c37f84937c5d51df8cece4dbce66d12f967ca2b48,2024-03-30T14:15:07.720000
CVE-2024-3094,0,0,c8cfb5d8db4948559902213da97949db9e528da393ca65060d5bc6149c3532fa,2024-03-30T11:15:50.713000 CVE-2024-3094,0,0,c8cfb5d8db4948559902213da97949db9e528da393ca65060d5bc6149c3532fa,2024-03-30T11:15:50.713000
CVE-2024-31032,0,0,f6232fe0ef0534ba6d6e20ea0777fd8892cbb87efba42355deb8d8634b00d21e,2024-03-29T17:15:20.993000 CVE-2024-31032,0,0,f6232fe0ef0534ba6d6e20ea0777fd8892cbb87efba42355deb8d8634b00d21e,2024-03-29T17:15:20.993000
CVE-2024-31061,0,0,3a611478260a969dc7c268c913c4f396b21e3b4ebcb9a4cb4b0ae2a352b58da0,2024-03-28T20:53:20.813000 CVE-2024-31061,0,0,3a611478260a969dc7c268c913c4f396b21e3b4ebcb9a4cb4b0ae2a352b58da0,2024-03-28T20:53:20.813000
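Review bot: the CVE-2024-3090 and CVE-2024-3091 rows change only in the flag columns (`1,1` to `0,0`); the digest and timestamp are identical on both sides. Because the flags are reset on the following sync, every commit rewrites rows for records whose content did not move, so consumers that diff this file to detect changed CVEs should compare the digest column, not whole lines. Worth stating in the README next to "CVEs modified in the last Commit".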
