diff --git a/CVE-2025/CVE-2025-12xx/CVE-2025-1219.json b/CVE-2025/CVE-2025-12xx/CVE-2025-1219.json
new file mode 100644
index 00000000000..ec00730fce2
--- /dev/null
+++ b/CVE-2025/CVE-2025-12xx/CVE-2025-1219.json
@@ -0,0 +1,66 @@
+{
+ "id": "CVE-2025-1219",
+ "sourceIdentifier": "security@php.net",
+ "published": "2025-03-30T06:15:13.570",
+ "lastModified": "2025-03-30T06:15:13.570",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type\u00a0header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV40": [
+ {
+ "source": "security@php.net",
+ "type": "Secondary",
+ "cvssData": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
+ "baseScore": 6.3,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "NETWORK",
+ "attackComplexity": "HIGH",
+ "attackRequirements": "PRESENT",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "vulnConfidentialityImpact": "LOW",
+ "vulnIntegrityImpact": "NONE",
+ "vulnAvailabilityImpact": "NONE",
+ "subConfidentialityImpact": "NONE",
+ "subIntegrityImpact": "NONE",
+ "subAvailabilityImpact": "NONE",
+ "exploitMaturity": "NOT_DEFINED",
+ "confidentialityRequirement": "NOT_DEFINED",
+ "integrityRequirement": "NOT_DEFINED",
+ "availabilityRequirement": "NOT_DEFINED",
+ "modifiedAttackVector": "NOT_DEFINED",
+ "modifiedAttackComplexity": "NOT_DEFINED",
+ "modifiedAttackRequirements": "NOT_DEFINED",
+ "modifiedPrivilegesRequired": "NOT_DEFINED",
+ "modifiedUserInteraction": "NOT_DEFINED",
+ "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
+ "modifiedVulnIntegrityImpact": "NOT_DEFINED",
+ "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
+ "modifiedSubConfidentialityImpact": "NOT_DEFINED",
+ "modifiedSubIntegrityImpact": "NOT_DEFINED",
+ "modifiedSubAvailabilityImpact": "NOT_DEFINED",
+ "Safety": "NOT_DEFINED",
+ "Automatable": "NOT_DEFINED",
+ "Recovery": "NOT_DEFINED",
+ "valueDensity": "NOT_DEFINED",
+ "vulnerabilityResponseEffort": "NOT_DEFINED",
+ "providerUrgency": "NOT_DEFINED"
+ }
+ }
+ ]
+ },
+ "references": [
+ {
+ "url": "https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc",
+ "source": "security@php.net"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/CVE-2025/CVE-2025-17xx/CVE-2025-1734.json b/CVE-2025/CVE-2025-17xx/CVE-2025-1734.json
new file mode 100644
index 00000000000..7d95d8dd17e
--- /dev/null
+++ b/CVE-2025/CVE-2025-17xx/CVE-2025-1734.json
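Review bot: The CVE-2025-1219 record has no `weaknesses` array, while the three sibling PHP records in this commit (CVE-2025-1734, CVE-2025-1736, CVE-2025-1861) each carry one, so a consumer that filters or groups by CWE will skip it without any error. All four records are `"vulnStatus": "Received"` with no `configurations` block, which leaves the affected ranges (8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19, 8.4.* before 8.4.5) in the description text only; CPE-based matching will presumably not flag PHP installs from these records until they are enriched. The only score is a `cvssMetricV40` entry of `"type": "Secondary"` from security@php.net, so tooling that reads only earlier CVSS metric keys sees no severity at all. Downstream code should treat an absent `weaknesses`, `configurations` or metric key as not yet analysed rather than not applicable, and fall back to the advisory URL in `references`.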
@@ -0,0 +1,78 @@
+{
+ "id": "CVE-2025-1734",
+ "sourceIdentifier": "security@php.net",
+ "published": "2025-03-30T06:15:14.603",
+ "lastModified": "2025-03-30T06:15:14.603",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV40": [
+ {
+ "source": "security@php.net",
+ "type": "Secondary",
+ "cvssData": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
+ "baseScore": 6.3,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "NETWORK",
+ "attackComplexity": "HIGH",
+ "attackRequirements": "PRESENT",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "vulnConfidentialityImpact": "LOW",
+ "vulnIntegrityImpact": "NONE",
+ "vulnAvailabilityImpact": "NONE",
+ "subConfidentialityImpact": "NONE",
+ "subIntegrityImpact": "NONE",
+ "subAvailabilityImpact": "NONE",
+ "exploitMaturity": "NOT_DEFINED",
+ "confidentialityRequirement": "NOT_DEFINED",
+ "integrityRequirement": "NOT_DEFINED",
+ "availabilityRequirement": "NOT_DEFINED",
+ "modifiedAttackVector": "NOT_DEFINED",
+ "modifiedAttackComplexity": "NOT_DEFINED",
+ "modifiedAttackRequirements": "NOT_DEFINED",
+ "modifiedPrivilegesRequired": "NOT_DEFINED",
+ "modifiedUserInteraction": "NOT_DEFINED",
+ "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
+ "modifiedVulnIntegrityImpact": "NOT_DEFINED",
+ "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
+ "modifiedSubConfidentialityImpact": "NOT_DEFINED",
+ "modifiedSubIntegrityImpact": "NOT_DEFINED",
+ "modifiedSubAvailabilityImpact": "NOT_DEFINED",
+ "Safety": "NOT_DEFINED",
+ "Automatable": "NOT_DEFINED",
+ "Recovery": "NOT_DEFINED",
+ "valueDensity": "NOT_DEFINED",
+ "vulnerabilityResponseEffort": "NOT_DEFINED",
+ "providerUrgency": "NOT_DEFINED"
+ }
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security@php.net",
+ "type": "Secondary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-20"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44",
+ "source": "security@php.net"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/CVE-2025/CVE-2025-17xx/CVE-2025-1736.json b/CVE-2025/CVE-2025-17xx/CVE-2025-1736.json
new file mode 100644
index 00000000000..74914c9e501
--- /dev/null
+++ b/CVE-2025/CVE-2025-17xx/CVE-2025-1736.json
@@ -0,0 +1,78 @@
+{
+ "id": "CVE-2025-1736",
+ "sourceIdentifier": "security@php.net",
+ "published": "2025-03-30T06:15:14.803",
+ "lastModified": "2025-03-30T06:15:14.803",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV40": [
+ {
+ "source": "security@php.net",
+ "type": "Secondary",
+ "cvssData": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
+ "baseScore": 6.3,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "NETWORK",
+ "attackComplexity": "HIGH",
+ "attackRequirements": "PRESENT",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "vulnConfidentialityImpact": "LOW",
+ "vulnIntegrityImpact": "NONE",
+ "vulnAvailabilityImpact": "NONE",
+ "subConfidentialityImpact": "NONE",
+ "subIntegrityImpact": "NONE",
+ "subAvailabilityImpact": "NONE",
+ "exploitMaturity": "NOT_DEFINED",
+ "confidentialityRequirement": "NOT_DEFINED",
+ "integrityRequirement": "NOT_DEFINED",
+ "availabilityRequirement": "NOT_DEFINED",
+ "modifiedAttackVector": "NOT_DEFINED",
+ "modifiedAttackComplexity": "NOT_DEFINED",
+ "modifiedAttackRequirements": "NOT_DEFINED",
+ "modifiedPrivilegesRequired": "NOT_DEFINED",
+ "modifiedUserInteraction": "NOT_DEFINED",
+ "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
+ "modifiedVulnIntegrityImpact": "NOT_DEFINED",
+ "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
+ "modifiedSubConfidentialityImpact": "NOT_DEFINED",
+ "modifiedSubIntegrityImpact": "NOT_DEFINED",
+ "modifiedSubAvailabilityImpact": "NOT_DEFINED",
+ "Safety": "NOT_DEFINED",
+ "Automatable": "NOT_DEFINED",
+ "Recovery": "NOT_DEFINED",
+ "valueDensity": "NOT_DEFINED",
+ "vulnerabilityResponseEffort": "NOT_DEFINED",
+ "providerUrgency": "NOT_DEFINED"
+ }
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security@php.net",
+ "type": "Secondary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-20"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528",
+ "source": "security@php.net"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/CVE-2025/CVE-2025-18xx/CVE-2025-1861.json b/CVE-2025/CVE-2025-18xx/CVE-2025-1861.json
new file mode 100644
index 00000000000..63d2f848eaf
--- /dev/null
+++ b/CVE-2025/CVE-2025-18xx/CVE-2025-1861.json
@@ -0,0 +1,78 @@
+{
+ "id": "CVE-2025-1861",
+ "sourceIdentifier": "security@php.net",
+ "published": "2025-03-30T06:15:14.957",
+ "lastModified": "2025-03-30T06:15:14.957",
+ "vulnStatus": "Received",
+ "cveTags": [],
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location."
+ }
+ ],
+ "metrics": {
+ "cvssMetricV40": [
+ {
+ "source": "security@php.net",
+ "type": "Secondary",
+ "cvssData": {
+ "version": "4.0",
+ "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
+ "baseScore": 6.3,
+ "baseSeverity": "MEDIUM",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "attackRequirements": "PRESENT",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "vulnConfidentialityImpact": "LOW",
+ "vulnIntegrityImpact": "NONE",
+ "vulnAvailabilityImpact": "NONE",
+ "subConfidentialityImpact": "NONE",
+ "subIntegrityImpact": "NONE",
+ "subAvailabilityImpact": "NONE",
+ "exploitMaturity": "NOT_DEFINED",
+ "confidentialityRequirement": "NOT_DEFINED",
+ "integrityRequirement": "NOT_DEFINED",
+ "availabilityRequirement": "NOT_DEFINED",
+ "modifiedAttackVector": "NOT_DEFINED",
+ "modifiedAttackComplexity": "NOT_DEFINED",
+ "modifiedAttackRequirements": "NOT_DEFINED",
+ "modifiedPrivilegesRequired": "NOT_DEFINED",
+ "modifiedUserInteraction": "NOT_DEFINED",
+ "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
+ "modifiedVulnIntegrityImpact": "NOT_DEFINED",
+ "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
+ "modifiedSubConfidentialityImpact": "NOT_DEFINED",
+ "modifiedSubIntegrityImpact": "NOT_DEFINED",
+ "modifiedSubAvailabilityImpact": "NOT_DEFINED",
+ "Safety": "NOT_DEFINED",
+ "Automatable": "NOT_DEFINED",
+ "Recovery": "NOT_DEFINED",
+ "valueDensity": "NOT_DEFINED",
+ "vulnerabilityResponseEffort": "NOT_DEFINED",
+ "providerUrgency": "NOT_DEFINED"
+ }
+ }
+ ]
+ },
+ "weaknesses": [
+ {
+ "source": "security@php.net",
+ "type": "Secondary",
+ "description": [
+ {
+ "lang": "en",
+ "value": "CWE-131"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff",
+ "source": "security@php.net"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index 633a853765f..809a49601e2 100644
--- a/README.md
+++ b/README.md
@@ -13,13 +13,13 @@ Repository synchronizes with the NVD every 2 hours. ### Last Repository Update ```plain -2025-03-30T04:00:19.488847+00:00 +2025-03-30T08:00:19.204161+00:00 ``` ### Most recent CVE Modification Timestamp synchronized with NVD ```plain -2025-03-30T02:15:28.623000+00:00 +2025-03-30T06:15:14.957000+00:00 ``` ### Last Data Feed Release
@@ -33,20 +33,23 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/ ### Total Number of included CVEs ```plain -287321 +287325 ``` ### CVEs added in the last Commit -Recently added CVEs: `0` +Recently added CVEs: `4` +- [CVE-2025-1219](CVE-2025/CVE-2025-12xx/CVE-2025-1219.json) (`2025-03-30T06:15:13.570`) +- [CVE-2025-1734](CVE-2025/CVE-2025-17xx/CVE-2025-1734.json) (`2025-03-30T06:15:14.603`) +- [CVE-2025-1736](CVE-2025/CVE-2025-17xx/CVE-2025-1736.json) (`2025-03-30T06:15:14.803`) +- [CVE-2025-1861](CVE-2025/CVE-2025-18xx/CVE-2025-1861.json) (`2025-03-30T06:15:14.957`) ### CVEs modified in the last Commit -Recently modified CVEs: `1` +Recently modified CVEs: `0` -- [CVE-2023-35789](CVE-2023/CVE-2023-357xx/CVE-2023-35789.json) (`2025-03-30T02:15:28.623`) ## Download and Usage
diff --git a/_state.csv b/_state.csv index 495b33bd5ee..b38933211b9 100644 --- a/_state.csv +++ b/_state.csv @@ -228555,7 +228555,7 @@ CVE-2023-35784,0,0,92bffea3d19a414217d93556796e9db160b86ad398f7a3ed25e3faa847a5f CVE-2023-35785,0,0,d8d31a6718ba2b1fa8a57b64085b22f16a8f7c54bbdabe7f77647cdf02e744e0,2024-11-21T08:08:41.970000 CVE-2023-35786,0,0,71cba8ff6ea8692d2c2fe41e4b8cda87c85549eb620d31348d7593a98a7a23b7,2024-11-21T08:08:42.180000 CVE-2023-35788,0,0,16e509c7d4c711364e1f24a8df2d3ea6360a7fd9ebf70bd8660a1950df6e530b,2024-11-21T08:08:42.340000 -CVE-2023-35789,0,1,b940cabe7e6c8cae0b3dde3a79eccc75c66c5f0b24281b6efcce7a3bce1f300b,2025-03-30T02:15:28.623000 +CVE-2023-35789,0,0,b940cabe7e6c8cae0b3dde3a79eccc75c66c5f0b24281b6efcce7a3bce1f300b,2025-03-30T02:15:28.623000 CVE-2023-3579,0,0,70d29496e6785a1e039d03c2c84b744360c3cb198222a4a0d50ee0a9571a2f53,2024-11-21T08:17:35.603000 CVE-2023-35790,0,0,28f8841aca5121634b77442098b0ee14884fce6595a3aa69f5c741b82439ff69,2024-11-21T08:08:42.683000 CVE-2023-35791,0,0,add921c16f935e74765f61438c66002b438f31889914ed862f0783a902559507,2024-11-21T08:08:42.830000 @@ -281849,6 +281849,7 @@ CVE-2025-1214,0,0,ee530a0ccb2dbec34bd0adb6326677fa3eb44dee2c85c32f60f080d2175851 CVE-2025-1215,0,0,28588a9b24de663f5bef0961d5dfe96e8a71be7eda3beced3b32d3f6d90dfb60,2025-03-21T18:15:34.290000 CVE-2025-1216,0,0,c2395b4be7af9479c54e2cb380a24f136f34a8574d4e9d63fb5aa8873ac74d92,2025-02-12T20:15:39.907000 CVE-2025-1217,0,0,cda61f3b889accc7a5e4b9a6ff1643628ba0a333f6b9a900d4decc256cd80df9,2025-03-29T06:15:36.557000 +CVE-2025-1219,1,1,3667e3860193f21fc2daa0f072c295e16ecd6a2cec3ce274667680458b68a4d8,2025-03-30T06:15:13.570000 CVE-2025-1222,0,0,37e1c4bd7e5e0aef71d4eaf69d903e1860c5e20ac2c3d888fafec2d8540da40a,2025-02-20T01:15:09.707000 CVE-2025-1223,0,0,79c0b4e1b63833c27fb384ab59edaf7afe279373880088cf1aa2309d13ed89d4,2025-02-20T01:15:09.837000 CVE-2025-1224,0,0,58216170a09b4d8b7ea38fc4d10b486062bc143b21003c5f5c48c0a6339e51a5,2025-02-13T15:15:20.500000 
@@ -282159,6 +282160,8 @@ CVE-2025-1724,0,0,b8e86d6fa70198b5cc9fe6224a04663cb9564b5f8c33fbf347cdad07f13847 CVE-2025-1726,0,0,2f1dd31a8200e6d83c282baf3f0abaf3df3bb9d56b822973c75d4b2e2b3c7f8c,2025-02-26T20:15:13.510000 CVE-2025-1728,0,0,126b29abd5a8b7142eab21be075a4425d5b9e0d4bb1eedd2c9477807954e2152,2025-02-26T22:15:14.333000 CVE-2025-1730,0,0,1995ccb1e144a2c7a6984fe76cde065e7b6f85edc7bf90ff89583ed751f146df,2025-03-01T07:15:11.380000 +CVE-2025-1734,1,1,5f2d2f68d75695bcc5b4fa8436cf08047ce0447410f5916234ad0d1d4fb3abc1,2025-03-30T06:15:14.603000 +CVE-2025-1736,1,1,462cc1e9a003a8ba4176886c0abc36175ce5fb4221e54050f9788c21f6364905,2025-03-30T06:15:14.803000 CVE-2025-1738,0,0,88cd928ab6b3e7b21edc6d43e0b3a3d2962b8b23417ddd8c84224e61394ebbde,2025-02-27T13:15:11.720000 CVE-2025-1739,0,0,3fd0271bebf5dab4e4b7dc5bc9151c4b432e19911079ec61b281141a587b7651,2025-02-27T13:15:11.883000 CVE-2025-1741,0,0,e3cefbac58ae300d7a16e849817a4e07ca1da020b4a797f97ccd724d6b4aefd2,2025-02-27T16:15:38.930000 @@ -282250,6 +282253,7 @@ CVE-2025-1857,0,0,818488625417d8af4a65dda3d70be6b5611a94debd81aafcadaaa8f15a86f4 CVE-2025-1858,0,0,988ce388e9a6bf83d2134feab05ec9557f8d5d059b2c6f3b50e9e023160ee37a,2025-03-03T09:15:38.857000 CVE-2025-1859,0,0,70eed6aa2ae7042bee5e2f20f0d8c842e42ef5f3e1a1b3da126361521cdde159,2025-03-07T14:13:19.170000 CVE-2025-1860,0,0,60ba04db4576a640a3f84fe9a861b7787e663192dda65af53c28f80599c533c5,2025-03-28T18:11:40.180000 +CVE-2025-1861,1,1,d2e0f81f72499b55633ad34b17ae3d4eb761712a510c27720bada6938461da1e,2025-03-30T06:15:14.957000 CVE-2025-1864,0,0,c92fc87cd84b99acae49e648c1289b46612421f948d2c6533ab7724af225a718,2025-03-03T09:15:39.210000 CVE-2025-1866,0,0,6d645070e86ae70b91e6d45d95a260c1e9eb1ae7937ef173d0ea19de235adb52,2025-03-03T09:15:39.370000 CVE-2025-1867,0,0,a65a0cea20f97468944d29f6ba9795de8029e0ca08dd1a9572fb100876a713fb,2025-03-03T09:15:39.520000