This commit is contained in:
advisory-database[bot] 2024-01-24 21:54:13 +00:00
Родитель 69da245f93
Коммит a849256a72
4 изменённых файлов: 112 добавлений и 47 удалений


@ -1,11 +1,12 @@
{
"schema_version": "1.4.0",
"id": "GHSA-6h4q-63c5-qfqf",
"modified": "2024-01-24T21:30:31Z",
"modified": "2024-01-24T21:53:25Z",
"published": "2024-01-13T06:30:26Z",
"aliases": [
"CVE-2023-52288"
],
"summary": "Path traversal in flaskcode",
"details": "An issue was discovered in the flaskcode package through 0.0.8 for Python. An unauthenticated directory traversal, exploitable with a GET request to a /resource-data/<file_path>.txt URI (from views.py), allows attackers to read arbitrary files.",
"severity": [
{
@ -14,7 +15,25 @@
}
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "flaskcode"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.8"
}
]
}
]
}
],
"references": [
{
@ -31,8 +50,8 @@
"CWE-22"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"github_reviewed": true,
"github_reviewed_at": "2024-01-24T21:53:25Z",
"nvd_published_at": "2024-01-13T04:15:08Z"
}
}
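Review bot: The `"summary": "Path traversal in flaskcode"` is byte-identical to the one in the sibling advisory GHSA-v3rg-qm46-xrg9 in this same commit, so the read and write variants cannot be told apart in listings or scanner output even though the details distinguish them (unauthenticated GET to /resource-data/<file_path>.txt → arbitrary file read). I would carry that distinction into the summary, e.g. `"summary": "Unauthenticated arbitrary file read via path traversal in flaskcode"`. Note also that the new range ends with `"last_affected": "0.0.8"` and has no `fixed` event, which in OSV semantics means "no patched release is known", not "0.0.8 is the last bad version"; the details could say so explicitly so consumers do not assume a later release is safe. The CVSS `severity` entry for this advisory sits outside the visible hunks, so I cannot check it against the HIGH label.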


@ -1,11 +1,12 @@
{
"schema_version": "1.4.0",
"id": "GHSA-v3rg-qm46-xrg9",
"modified": "2024-01-24T21:30:31Z",
"modified": "2024-01-24T21:53:43Z",
"published": "2024-01-13T06:30:26Z",
"aliases": [
"CVE-2023-52289"
],
"summary": "Path traversal in flaskcode",
"details": "An issue was discovered in the flaskcode package through 0.0.8 for Python. An unauthenticated directory traversal, exploitable with a POST request to a /update-resource-data/<file_path> URI (from views.py), allows attackers to write to arbitrary files.",
"severity": [
{
@ -14,7 +15,25 @@
}
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "flaskcode"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.8"
}
]
}
]
}
],
"references": [
{
@ -31,8 +50,8 @@
"CWE-22"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"github_reviewed": true,
"github_reviewed_at": "2024-01-24T21:53:43Z",
"nvd_published_at": "2024-01-13T04:15:08Z"
}
}
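Review bot: Same problem as GHSA-6h4q-63c5-qfqf in this commit — the summary does not say which primitive this is; I would use `"summary": "Unauthenticated arbitrary file write via path traversal in flaskcode"`. An unauthenticated arbitrary file write on the server (POST to /update-resource-data/<file_path> per the details) generally has a larger blast radius than the sibling read issue, since it can alter the deployed application itself, and the identical summary plus identical HIGH label hides that ordering; the CVSS vector that should reflect the integrity impact is outside the visible hunks, so I cannot confirm it. As with the sibling, `"last_affected": "0.0.8"` with no `fixed` event means no patched release is known, which is worth stating in the details.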


@ -0,0 +1,66 @@
{
"schema_version": "1.4.0",
"id": "GHSA-x22x-5pp9-8v7f",
"modified": "2024-01-24T21:51:55Z",
"published": "2024-01-24T18:31:02Z",
"aliases": [
"CVE-2024-23905"
],
"summary": "Content-Security-Policy disabled by Red Hat Dependency Analytics Jenkins Plugin",
"details": "Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified.\n\nRed Hat Dependency Analytics Plugin 0.7.1 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins whenever the 'Invoke Red Hat Dependency Analytics (RHDA)' build step is executed. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.\n",
"severity": [
],
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:redhat-dependency-analytics"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
]
}
]
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23905"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/redhat-dependency-analytics-plugin/commit/123e37795eb69f533a1cd8bd74113ebb1fdbdcda"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/redhat-dependency-analytics-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3322"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/24/6"
}
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-01-24T21:51:55Z",
"nvd_published_at": "2024-01-24T18:15:09Z"
}
}
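Review bot: The top-level `"severity": []` is empty while `database_specific.severity` is `"HIGH"`, so the advisory ships a qualitative rating with no CVSS vector behind it; either add the CVSS_V3 entry the HIGH label was derived from or leave the label out until one exists. The details describe the override as global and triggered by any execution of the RHDA build step, so it is worth spelling out that a single job using the step removes the CSP header for every workspace, /userContent and artifact download on the controller, not just that job's. The same sentence notes Jenkins only sets the header when no Resource Root URL is configured, which suggests that configuring one sidesteps the issue — worth confirming against SECURITY-3322 before stating it as a workaround, alongside the `"fixed": "0.9.0"` upgrade path.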


@ -1,39 +0,0 @@
{
"schema_version": "1.4.0",
"id": "GHSA-x22x-5pp9-8v7f",
"modified": "2024-01-24T18:31:02Z",
"published": "2024-01-24T18:31:02Z",
"aliases": [
"CVE-2024-23905"
],
"details": "Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.",
"severity": [
],
"affected": [
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23905"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3322"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/24/6"
}
],
"database_specific": {
"cwe_ids": [
],
"severity": null,
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-24T18:15:09Z"
}
}