diff --git a/advisories/github-reviewed/2018/07/GHSA-3jqw-crqj-w8qw/GHSA-3jqw-crqj-w8qw.json b/advisories/github-reviewed/2018/07/GHSA-3jqw-crqj-w8qw/GHSA-3jqw-crqj-w8qw.json
index 0e1f472ae61..f009b010e92 100644
--- a/advisories/github-reviewed/2018/07/GHSA-3jqw-crqj-w8qw/GHSA-3jqw-crqj-w8qw.json
+++ b/advisories/github-reviewed/2018/07/GHSA-3jqw-crqj-w8qw/GHSA-3jqw-crqj-w8qw.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-3jqw-crqj-w8qw",
- "modified": "2024-05-16T18:38:37Z",
+ "modified": "2024-09-16T22:34:20Z",
"published": "2018-07-23T19:51:35Z",
"aliases": [
"CVE-2011-4137"
@@ -9,20 +9,27 @@
"summary": "Denial of service in django",
"details": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.2.0"
+ "introduced": "0"
},
{
"fixed": "1.2.7"
@@ -34,14 +41,14 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.3.0"
+ "introduced": "1.3"
},
{
"fixed": "1.3.1"
@@ -76,6 +83,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-2.yaml"
+ },
{
"type": "WEB",
"url": "https://hermes.opensuse.org/messages/14700881"
@@ -100,10 +111,6 @@
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/09/15/5"
},
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/46614"
- },
{
"type": "WEB",
"url": "http://www.debian.org/security/2011/dsa-2332"
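Review bot: The `http://secunia.com/advisories/46614` reference is deleted outright here, while the same reference in GHSA-h95j-h2rv-qrg4 in this commit is replaced with a Wayback copy, `"url": "https://web.archive.org/web/20140806062902/http://secunia.com/advisories/46614"`. The same asymmetry applies to the secunia deletions in GHSA-7wph-fc4w-wqp2, GHSA-fwr5-q9rx-294f and GHSA-x88j-93vc-wpmp, whereas GHSA-7g9h-c88w-r7h2 and GHSA-8m3r-rv5g-fcpq archive theirs. A dead-host reference is better replaced than dropped, since the Secunia write-ups were the only third-party analysis for several of these 2010–2011 CVEs; either archive consistently or note in the commit why these particular ones are unrecoverable.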
@@ -113,7 +120,7 @@
"cwe_ids": [
"CWE-1088"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:55:25Z",
"nvd_published_at": null
diff --git a/advisories/github-reviewed/2018/07/GHSA-5j2h-h5hg-3wf8/GHSA-5j2h-h5hg-3wf8.json b/advisories/github-reviewed/2018/07/GHSA-5j2h-h5hg-3wf8/GHSA-5j2h-h5hg-3wf8.json
index b3b38e905ad..8795ec968e6 100644
--- a/advisories/github-reviewed/2018/07/GHSA-5j2h-h5hg-3wf8/GHSA-5j2h-h5hg-3wf8.json
+++ b/advisories/github-reviewed/2018/07/GHSA-5j2h-h5hg-3wf8/GHSA-5j2h-h5hg-3wf8.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5j2h-h5hg-3wf8",
- "modified": "2024-05-16T18:44:20Z",
+ "modified": "2024-09-16T21:30:38Z",
"published": "2018-07-23T19:51:10Z",
"aliases": [
"CVE-2011-0696"
@@ -9,7 +9,14 @@
"summary": "Cross-site request forgery in Django",
"details": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
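Review bot: The two new vectors disagree on which impact dimension is High: the CVSS_V3 entry has `C:N/I:H/A:N` while the CVSS_V4 entry has `VC:H/VI:N/VA:N`. For a CSRF issue the integrity impact is the one that matches the details text, and the sibling CSRF advisory GHSA-h95j-h2rv-qrg4 in this same commit uses `VC:N/VI:H/VA:N` in its V4 vector, so the V4 line here probably should read `"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"`. Which of the two vectors was the source of truth is not visible from the diff, so confirm before relying on the database_specific severity that is bumped to HIGH later in this file.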
@@ -22,7 +29,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.1.0"
+ "introduced": "1.1"
},
{
"fixed": "1.1.4"
@@ -41,7 +48,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.2.0"
+ "introduced": "1.2"
},
{
"fixed": "1.2.5"
@@ -76,6 +83,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-10.yaml"
+ },
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html"
@@ -149,7 +160,7 @@
"cwe_ids": [
"CWE-352"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:16:24Z",
"nvd_published_at": null
diff --git a/advisories/github-reviewed/2018/07/GHSA-5mc5-5j6c-qmf9/GHSA-5mc5-5j6c-qmf9.json b/advisories/github-reviewed/2018/07/GHSA-5mc5-5j6c-qmf9/GHSA-5mc5-5j6c-qmf9.json
index 48cb42c0920..44872b3553a 100644
--- a/advisories/github-reviewed/2018/07/GHSA-5mc5-5j6c-qmf9/GHSA-5mc5-5j6c-qmf9.json
+++ b/advisories/github-reviewed/2018/07/GHSA-5mc5-5j6c-qmf9/GHSA-5mc5-5j6c-qmf9.json
@@ -1,17 +1,21 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5mc5-5j6c-qmf9",
- "modified": "2021-09-01T22:16:38Z",
+ "modified": "2024-09-13T14:35:01Z",
"published": "2018-07-13T16:01:01Z",
"aliases": [
"CVE-2017-7235"
],
- "summary": "High severity vulnerability that affects cfscrape",
+ "summary": "cfscrape Improper Input Validation vulnerability",
"details": "An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. This is fixed in 1.8.0.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -61,7 +65,11 @@
},
{
"type": "WEB",
- "url": "http://www.securityfocus.com/bid/97191"
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cfscrape/PYSEC-2017-7.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20170701161512/http://www.securityfocus.com/bid/97191"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2018/07/GHSA-7g9h-c88w-r7h2/GHSA-7g9h-c88w-r7h2.json b/advisories/github-reviewed/2018/07/GHSA-7g9h-c88w-r7h2/GHSA-7g9h-c88w-r7h2.json
index b8cee031fff..e1d112de3b5 100644
--- a/advisories/github-reviewed/2018/07/GHSA-7g9h-c88w-r7h2/GHSA-7g9h-c88w-r7h2.json
+++ b/advisories/github-reviewed/2018/07/GHSA-7g9h-c88w-r7h2/GHSA-7g9h-c88w-r7h2.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-7g9h-c88w-r7h2",
- "modified": "2024-05-16T18:42:40Z",
+ "modified": "2024-09-16T21:55:42Z",
"published": "2018-07-23T19:52:31Z",
"aliases": [
"CVE-2011-0698"
@@ -9,7 +9,14 @@
"summary": "Directory traversal in Django",
"details": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -22,7 +29,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.1.0"
+ "introduced": "1.1"
},
{
"fixed": "1.1.4"
@@ -41,7 +48,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.2.0"
+ "introduced": "1.2"
},
{
"fixed": "1.2.5"
@@ -74,11 +81,19 @@
},
{
"type": "WEB",
- "url": "http://openwall.com/lists/oss-security/2011/02/09/6"
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-12.yaml"
},
{
"type": "WEB",
- "url": "http://secunia.com/advisories/43230"
+ "url": "https://web.archive.org/web/20110521033259/http://secunia.com/advisories/43230"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20130616104703/http://www.securityfocus.com/bid/46296"
+ },
+ {
+ "type": "WEB",
+ "url": "http://openwall.com/lists/oss-security/2011/02/09/6"
},
{
"type": "WEB",
@@ -87,25 +102,13 @@
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:031"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/46296"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2011/0372"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2011/0439"
}
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
- "severity": "HIGH",
+ "severity": "CRITICAL",
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:22:48Z",
"nvd_published_at": null
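Review bot: The database_specific severity moves from HIGH to CRITICAL, which matches the new CVSS_V3 vector (`C:H/I:H/A:N`, 9.1) but, by my reading of the CVSS 4.0 scoring, the new CVSS_V4 vector with `VA:N` lands in the High band rather than Critical. If the label is meant to track the v4 score once one is present, this file would stay HIGH; if it tracks v3, the bump is right. Worth stating which vector drives the label, since GHSA-pvhp-v9qp-xf5r gets the same HIGH to CRITICAL bump in this commit and its two vectors happen to agree.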
diff --git a/advisories/github-reviewed/2018/07/GHSA-7wph-fc4w-wqp2/GHSA-7wph-fc4w-wqp2.json b/advisories/github-reviewed/2018/07/GHSA-7wph-fc4w-wqp2/GHSA-7wph-fc4w-wqp2.json
index de2e524d60e..920d4d478ed 100644
--- a/advisories/github-reviewed/2018/07/GHSA-7wph-fc4w-wqp2/GHSA-7wph-fc4w-wqp2.json
+++ b/advisories/github-reviewed/2018/07/GHSA-7wph-fc4w-wqp2/GHSA-7wph-fc4w-wqp2.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-7wph-fc4w-wqp2",
- "modified": "2024-05-21T20:19:56Z",
+ "modified": "2024-09-17T15:03:58Z",
"published": "2018-07-23T19:51:59Z",
"aliases": [
"CVE-2010-4535"
@@ -9,7 +9,14 @@
"summary": "Improper date handling in Django",
"details": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"
+ }
],
"affected": [
{
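Review bot: The CVSS_V4 vector here carries the threat metric `/E:U`, while every other CVSS_V4 score added in this commit is a pure base vector. A threat metric changes the score from CVSS-B to CVSS-BT, so this one advisory is scored on a different basis from its siblings and its number is not comparable with theirs. Unless the database intends to publish BT scores, drop the suffix: `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"`.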
@@ -41,7 +48,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.2.0"
+ "introduced": "1.2"
},
{
"fixed": "1.2.4"
@@ -76,6 +83,14 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-9.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20200228193349/http://www.securityfocus.com/bid/45563"
+ },
{
"type": "WEB",
"url": "http://code.djangoproject.com/changeset/15032"
@@ -88,18 +103,6 @@
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html"
},
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/42715"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/42827"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/42913"
- },
{
"type": "WEB",
"url": "http://www.djangoproject.com/weblog/2010/dec/22/security"
@@ -112,21 +115,9 @@
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/01/03/5"
},
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/45563"
- },
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1040-1"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2011/0048"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2011/0098"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2018/07/GHSA-8m3r-rv5g-fcpq/GHSA-8m3r-rv5g-fcpq.json b/advisories/github-reviewed/2018/07/GHSA-8m3r-rv5g-fcpq/GHSA-8m3r-rv5g-fcpq.json
index 5cc827aa560..3719fec132e 100644
--- a/advisories/github-reviewed/2018/07/GHSA-8m3r-rv5g-fcpq/GHSA-8m3r-rv5g-fcpq.json
+++ b/advisories/github-reviewed/2018/07/GHSA-8m3r-rv5g-fcpq/GHSA-8m3r-rv5g-fcpq.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-8m3r-rv5g-fcpq",
- "modified": "2024-03-07T21:56:36Z",
+ "modified": "2024-09-16T21:47:18Z",
"published": "2018-07-23T21:01:00Z",
"aliases": [
"CVE-2011-0697"
@@ -9,20 +9,27 @@
"summary": "Cross-site scripting in django",
"details": "Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.1.0"
+ "introduced": "1.1"
},
{
"fixed": "1.1.4"
@@ -34,14 +41,14 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.2.0"
+ "introduced": "1.2"
},
{
"fixed": "1.2.5"
@@ -84,6 +91,30 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-11.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20110521033259/http://secunia.com/advisories/43230"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20110521033304/http://secunia.com/advisories/43297"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20110521033309/http://secunia.com/advisories/43382"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20110521033314/http://secunia.com/advisories/43426"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20130616104703/http://www.securityfocus.com/bid/46296"
+ },
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html"
@@ -111,26 +142,6 @@
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1066-1"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2011/0372"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2011/0388"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2011/0429"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2011/0439"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2011/0441"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2018/07/GHSA-8p5c-f328-9fvv/GHSA-8p5c-f328-9fvv.json b/advisories/github-reviewed/2018/07/GHSA-8p5c-f328-9fvv/GHSA-8p5c-f328-9fvv.json
index fc9c78a47f6..bbdf19c67d6 100644
--- a/advisories/github-reviewed/2018/07/GHSA-8p5c-f328-9fvv/GHSA-8p5c-f328-9fvv.json
+++ b/advisories/github-reviewed/2018/07/GHSA-8p5c-f328-9fvv/GHSA-8p5c-f328-9fvv.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-8p5c-f328-9fvv",
- "modified": "2022-04-26T18:15:07Z",
+ "modified": "2024-09-16T13:49:58Z",
"published": "2018-07-13T16:01:21Z",
"aliases": [
"CVE-2017-0359"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -55,14 +59,26 @@
"type": "WEB",
"url": "https://github.com/anthraxx/diffoscope/commit/f379d1f611dbd5d361e12b732e07c8aee45ff226"
},
+ {
+ "type": "WEB",
+ "url": "https://bugs.debian.org/854723"
+ },
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854723"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-8p5c-f328-9fvv"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/anthraxx/diffoscope"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/diffoscope/PYSEC-2018-83.yaml"
+ },
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-0359"
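Review bot: The newly added `https://bugs.debian.org/854723` reference appears to resolve to the same Debian bug report as the existing `https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854723` entry two lines below it. Keeping both adds a redundant WEB reference without new information; keep one, preferably the short canonical form. The self-referential ADVISORY entry and the PYSEC link follow the pattern used elsewhere in this commit and are fine.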
diff --git a/advisories/github-reviewed/2018/07/GHSA-9pv8-q5rx-c8gq/GHSA-9pv8-q5rx-c8gq.json b/advisories/github-reviewed/2018/07/GHSA-9pv8-q5rx-c8gq/GHSA-9pv8-q5rx-c8gq.json
index e4f142cad0f..87a06058aec 100644
--- a/advisories/github-reviewed/2018/07/GHSA-9pv8-q5rx-c8gq/GHSA-9pv8-q5rx-c8gq.json
+++ b/advisories/github-reviewed/2018/07/GHSA-9pv8-q5rx-c8gq/GHSA-9pv8-q5rx-c8gq.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9pv8-q5rx-c8gq",
- "modified": "2023-08-07T16:57:38Z",
+ "modified": "2024-09-16T22:58:59Z",
"published": "2018-07-13T15:16:59Z",
"aliases": [
"CVE-2017-16764"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -53,10 +57,18 @@
"type": "WEB",
"url": "https://github.com/illagrenan/django-make-app/commit/acd814433d1021aa8783362521b0bd151fdfc9d2"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-9pv8-q5rx-c8gq"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/illagrenan/django-make-app"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-make-app/PYSEC-2017-79.yaml"
+ },
{
"type": "WEB",
"url": "https://joel-malwarebenchmark.github.io/blog/2017/11/12/cve-2017-16764-vulnerability-in-django-make-app"
diff --git a/advisories/github-reviewed/2018/07/GHSA-fcf9-3qw3-gxmj/GHSA-fcf9-3qw3-gxmj.json b/advisories/github-reviewed/2018/07/GHSA-fcf9-3qw3-gxmj/GHSA-fcf9-3qw3-gxmj.json
index 8ff5e7d4e75..0e334784f32 100644
--- a/advisories/github-reviewed/2018/07/GHSA-fcf9-3qw3-gxmj/GHSA-fcf9-3qw3-gxmj.json
+++ b/advisories/github-reviewed/2018/07/GHSA-fcf9-3qw3-gxmj/GHSA-fcf9-3qw3-gxmj.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-fcf9-3qw3-gxmj",
- "modified": "2024-02-23T20:24:24Z",
+ "modified": "2024-09-13T18:13:03Z",
"published": "2018-07-31T18:28:09Z",
"aliases": [
"CVE-2018-10903"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -48,13 +52,29 @@
"type": "WEB",
"url": "https://github.com/pyca/cryptography/commit/d4378e42937b56f473ddade2667f919ce32208cb"
},
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2018:3600"
+ },
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10903"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-fcf9-3qw3-gxmj"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/pyca/cryptography"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2018-52.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://usn.ubuntu.com/3720-1"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2018/07/GHSA-fwr5-q9rx-294f/GHSA-fwr5-q9rx-294f.json b/advisories/github-reviewed/2018/07/GHSA-fwr5-q9rx-294f/GHSA-fwr5-q9rx-294f.json
index ff4a6a13a14..9d57aab53b0 100644
--- a/advisories/github-reviewed/2018/07/GHSA-fwr5-q9rx-294f/GHSA-fwr5-q9rx-294f.json
+++ b/advisories/github-reviewed/2018/07/GHSA-fwr5-q9rx-294f/GHSA-fwr5-q9rx-294f.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-fwr5-q9rx-294f",
- "modified": "2024-05-21T20:21:49Z",
+ "modified": "2024-09-16T22:56:41Z",
"published": "2018-07-23T19:51:40Z",
"aliases": [
"CVE-2010-4534"
@@ -9,13 +9,20 @@
"summary": "Improper query string handling in Django",
"details": "The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -34,14 +41,14 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.2.0"
+ "introduced": "1.2"
},
{
"fixed": "1.2.4"
@@ -76,6 +83,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-8.yaml"
+ },
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0580.html"
@@ -100,18 +111,6 @@
"type": "WEB",
"url": "http://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter"
},
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/42715"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/42827"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/42913"
- },
{
"type": "WEB",
"url": "http://www.djangoproject.com/weblog/2010/dec/22/security"
@@ -124,25 +123,9 @@
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/01/03/5"
},
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/archive/1/515446"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/45562"
- },
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1040-1"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2011/0048"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2011/0098"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2018/07/GHSA-fxpg-gg9g-76gj/GHSA-fxpg-gg9g-76gj.json b/advisories/github-reviewed/2018/07/GHSA-fxpg-gg9g-76gj/GHSA-fxpg-gg9g-76gj.json
index 8e3e9e11ae7..91826a8fa91 100644
--- a/advisories/github-reviewed/2018/07/GHSA-fxpg-gg9g-76gj/GHSA-fxpg-gg9g-76gj.json
+++ b/advisories/github-reviewed/2018/07/GHSA-fxpg-gg9g-76gj/GHSA-fxpg-gg9g-76gj.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-fxpg-gg9g-76gj",
- "modified": "2024-03-07T21:50:30Z",
+ "modified": "2024-09-16T22:57:31Z",
"published": "2018-07-23T19:52:42Z",
"aliases": [
"CVE-2010-3082"
@@ -9,20 +9,27 @@
"summary": "Cross-site scripting in django",
"details": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.2.0"
+ "introduced": "1.2"
},
{
"fixed": "1.2.2"
@@ -57,6 +64,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2010-12.yaml"
+ },
{
"type": "WEB",
"url": "http://marc.info/?l=oss-security&m=128403961700444&w=2"
@@ -65,10 +76,6 @@
"type": "WEB",
"url": "http://www.djangoproject.com/weblog/2010/sep/08/security-release"
},
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/43116"
- },
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1004-1"
diff --git a/advisories/github-reviewed/2018/07/GHSA-h95j-h2rv-qrg4/GHSA-h95j-h2rv-qrg4.json b/advisories/github-reviewed/2018/07/GHSA-h95j-h2rv-qrg4/GHSA-h95j-h2rv-qrg4.json
index 85d66747d89..d87bdb8cb00 100644
--- a/advisories/github-reviewed/2018/07/GHSA-h95j-h2rv-qrg4/GHSA-h95j-h2rv-qrg4.json
+++ b/advisories/github-reviewed/2018/07/GHSA-h95j-h2rv-qrg4/GHSA-h95j-h2rv-qrg4.json
@@ -1,21 +1,28 @@
{
"schema_version": "1.4.0",
"id": "GHSA-h95j-h2rv-qrg4",
- "modified": "2021-09-14T17:15:58Z",
+ "modified": "2024-09-16T22:05:38Z",
"published": "2018-07-23T19:51:19Z",
"aliases": [
"CVE-2011-4140"
],
- "summary": "Moderate severity vulnerability that affects django",
+ "summary": "Django Cross-Site Request Forgery vulnerability",
"details": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -25,7 +32,7 @@
"introduced": "0"
},
{
- "fixed": "1.2.7"
+ "last_affected": "1.2.7"
}
]
}
@@ -34,17 +41,17 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.3.0"
+ "introduced": "1.3"
},
{
- "fixed": "1.3.1"
+ "last_affected": "1.3.1"
}
]
}
@@ -68,10 +75,18 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-5.yaml"
+ },
{
"type": "WEB",
"url": "https://hermes.opensuse.org/messages/14700881"
},
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20140806062902/http://secunia.com/advisories/46614"
+ },
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2011/sep/09"
@@ -88,10 +103,6 @@
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/09/13/2"
},
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/46614"
- },
{
"type": "WEB",
"url": "http://www.debian.org/security/2011/dsa-2332"
@@ -101,7 +112,7 @@
"cwe_ids": [
"CWE-352"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:39:45Z",
"nvd_published_at": null
diff --git a/advisories/github-reviewed/2018/07/GHSA-hxf9-7h4c-f5jv/GHSA-hxf9-7h4c-f5jv.json b/advisories/github-reviewed/2018/07/GHSA-hxf9-7h4c-f5jv/GHSA-hxf9-7h4c-f5jv.json
index d6b6c2da662..3a87cf35d92 100644
--- a/advisories/github-reviewed/2018/07/GHSA-hxf9-7h4c-f5jv/GHSA-hxf9-7h4c-f5jv.json
+++ b/advisories/github-reviewed/2018/07/GHSA-hxf9-7h4c-f5jv/GHSA-hxf9-7h4c-f5jv.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hxf9-7h4c-f5jv",
- "modified": "2022-04-26T18:07:11Z",
+ "modified": "2024-09-16T21:24:24Z",
"published": "2018-07-12T20:30:40Z",
"aliases": [
"CVE-2018-6596"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -73,6 +77,10 @@
"type": "WEB",
"url": "https://github.com/anymail/django-anymail/releases/tag/v1.3"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-anymail/PYSEC-2018-7.yaml"
+ },
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4107"
diff --git a/advisories/github-reviewed/2018/07/GHSA-m85c-9mf8-m2m6/GHSA-m85c-9mf8-m2m6.json b/advisories/github-reviewed/2018/07/GHSA-m85c-9mf8-m2m6/GHSA-m85c-9mf8-m2m6.json
index 67584db0b4c..c1c9abd0e9c 100644
--- a/advisories/github-reviewed/2018/07/GHSA-m85c-9mf8-m2m6/GHSA-m85c-9mf8-m2m6.json
+++ b/advisories/github-reviewed/2018/07/GHSA-m85c-9mf8-m2m6/GHSA-m85c-9mf8-m2m6.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-m85c-9mf8-m2m6",
- "modified": "2023-08-23T22:09:03Z",
+ "modified": "2024-09-13T18:29:06Z",
"published": "2018-07-18T18:28:26Z",
"aliases": [
"CVE-2017-16763"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -61,6 +65,10 @@
"type": "PACKAGE",
"url": "https://github.com/bbengfort/confire"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/confire/PYSEC-2017-78.yaml"
+ },
{
"type": "WEB",
"url": "https://joel-malwarebenchmark.github.io/blog/2017/11/12/cve-2017-16763-configure-loaded-through-confire"
diff --git a/advisories/github-reviewed/2018/07/GHSA-pvhp-v9qp-xf5r/GHSA-pvhp-v9qp-xf5r.json b/advisories/github-reviewed/2018/07/GHSA-pvhp-v9qp-xf5r/GHSA-pvhp-v9qp-xf5r.json
index e0e664fdd2d..3c027cb1f87 100644
--- a/advisories/github-reviewed/2018/07/GHSA-pvhp-v9qp-xf5r/GHSA-pvhp-v9qp-xf5r.json
+++ b/advisories/github-reviewed/2018/07/GHSA-pvhp-v9qp-xf5r/GHSA-pvhp-v9qp-xf5r.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-pvhp-v9qp-xf5r",
- "modified": "2023-08-31T21:39:49Z",
+ "modified": "2024-09-16T23:00:29Z",
"published": "2018-07-23T19:50:48Z",
"aliases": [
"CVE-2011-4103"
@@ -9,7 +9,14 @@
"summary": "Django-piston and Django-tastypie do not properly deserialize YAML data",
"details": "emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.\n\nDjango Tastypie has a very similar vulnerability.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -29,28 +36,6 @@
}
]
}
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 0.2.2.0"
- }
- },
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "django-piston"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0.2.2.2"
- },
- {
- "fixed": "0.2.3"
- }
- ]
- }
]
}
],
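Review bot: Removing the second django-piston affected entry (`"introduced": "0.2.2.2"` to `"fixed": "0.2.3"`) drops the versions that the details text still describes as affected under "Django Piston before 0.2.3", unless the surviving range, which starts outside this hunk, has been widened to end at 0.2.3. Please confirm what the remaining events look like after this change; if they still end at 0.2.2.1, the affected set has silently shrunk. The same details and summary also name Django Tastypie as having "a very similar vulnerability", yet the affected array now closes after the single django-piston package, so a tastypie entry would still be missing if that was ever intended. The enclosing affected object begins before this hunk.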
@@ -75,6 +60,10 @@
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-pvhp-v9qp-xf5r"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-piston/PYSEC-2014-24.yaml"
+ },
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases"
@@ -92,7 +81,7 @@
"cwe_ids": [
"CWE-20"
],
- "severity": "HIGH",
+ "severity": "CRITICAL",
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:50:09Z",
"nvd_published_at": null
diff --git a/advisories/github-reviewed/2018/07/GHSA-x88j-93vc-wpmp/GHSA-x88j-93vc-wpmp.json b/advisories/github-reviewed/2018/07/GHSA-x88j-93vc-wpmp/GHSA-x88j-93vc-wpmp.json
index ee75b9535ca..d50930eeae6 100644
--- a/advisories/github-reviewed/2018/07/GHSA-x88j-93vc-wpmp/GHSA-x88j-93vc-wpmp.json
+++ b/advisories/github-reviewed/2018/07/GHSA-x88j-93vc-wpmp/GHSA-x88j-93vc-wpmp.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-x88j-93vc-wpmp",
- "modified": "2024-05-16T18:41:00Z",
+ "modified": "2024-09-16T23:03:58Z",
"published": "2018-07-23T19:52:39Z",
"aliases": [
"CVE-2011-4136"
@@ -9,23 +9,30 @@
"summary": "Session manipulation in Django",
"details": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.3.0"
+ "introduced": "0"
},
{
- "fixed": "1.3.1"
+ "fixed": "1.2.7"
}
]
}
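Review bot: The new CVSS_V3 vector is scored `AV:L` (local) while the new CVSS_V4 vector is `AV:N` (network), and the details text says the issue "allows remote attackers to modify a session", which matches the V4 choice. One of the two vectors is likely wrong; if V3 is the one to correct, the line would become `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"`. Which source the vectors were imported from is not visible here, so confirm against it rather than assuming, as the attack-vector metric changes the rating band.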
@@ -34,17 +41,17 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.2.0"
+ "introduced": "1.3"
},
{
- "fixed": "1.2.7"
+ "fixed": "1.3.1"
}
]
}
@@ -76,6 +83,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-1.yaml"
+ },
{
"type": "WEB",
"url": "https://hermes.opensuse.org/messages/14700881"
@@ -96,10 +107,6 @@
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/09/13/2"
},
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/46614"
- },
{
"type": "WEB",
"url": "http://www.debian.org/security/2011/dsa-2332"
diff --git a/advisories/github-reviewed/2018/07/GHSA-xp5m-4c9f-498q/GHSA-xp5m-4c9f-498q.json b/advisories/github-reviewed/2018/07/GHSA-xp5m-4c9f-498q/GHSA-xp5m-4c9f-498q.json
index 7529df47646..1f3f2aafcf7 100644
--- a/advisories/github-reviewed/2018/07/GHSA-xp5m-4c9f-498q/GHSA-xp5m-4c9f-498q.json
+++ b/advisories/github-reviewed/2018/07/GHSA-xp5m-4c9f-498q/GHSA-xp5m-4c9f-498q.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-xp5m-4c9f-498q",
- "modified": "2023-09-05T18:25:18Z",
+ "modified": "2024-09-16T23:02:16Z",
"published": "2018-07-13T15:17:18Z",
"aliases": [
"CVE-2017-6591"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -34,6 +38,14 @@
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-xp5m-4c9f-498q"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/barraq/django-epiceditor"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-epiceditor/PYSEC-2017-86.yaml"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20170706013108/http://www.morningchen.com/2017/03/09/Cross-site-scripting-vulnerability-in-django-epiceditor"
diff --git a/advisories/github-reviewed/2018/10/GHSA-5hg3-6c2f-f3wr/GHSA-5hg3-6c2f-f3wr.json b/advisories/github-reviewed/2018/10/GHSA-5hg3-6c2f-f3wr/GHSA-5hg3-6c2f-f3wr.json
index ae9f258b49a..5e21faa54f5 100644
--- a/advisories/github-reviewed/2018/10/GHSA-5hg3-6c2f-f3wr/GHSA-5hg3-6c2f-f3wr.json
+++ b/advisories/github-reviewed/2018/10/GHSA-5hg3-6c2f-f3wr/GHSA-5hg3-6c2f-f3wr.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5hg3-6c2f-f3wr",
- "modified": "2024-05-07T20:42:24Z",
+ "modified": "2024-09-17T15:06:31Z",
"published": "2018-10-04T21:58:46Z",
"aliases": [
"CVE-2018-14574"
@@ -12,32 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "1.11.0"
- },
- {
- "fixed": "1.11.15"
- }
- ]
- }
- ]
- },
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -52,6 +37,25 @@
]
}
]
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "Django"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.11"
+ },
+ {
+ "fixed": "1.11.15"
+ }
+ ]
+ }
+ ]
}
],
"references": [
@@ -79,6 +83,10 @@
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-5hg3-6c2f-f3wr"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-2.yaml"
+ },
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3726-1"
diff --git a/advisories/github-reviewed/2018/10/GHSA-cf3c-fffp-34qh/GHSA-cf3c-fffp-34qh.json b/advisories/github-reviewed/2018/10/GHSA-cf3c-fffp-34qh/GHSA-cf3c-fffp-34qh.json
index 63dbba5ad0c..80a0a2f76c2 100644
--- a/advisories/github-reviewed/2018/10/GHSA-cf3c-fffp-34qh/GHSA-cf3c-fffp-34qh.json
+++ b/advisories/github-reviewed/2018/10/GHSA-cf3c-fffp-34qh/GHSA-cf3c-fffp-34qh.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-cf3c-fffp-34qh",
- "modified": "2023-09-05T15:09:02Z",
+ "modified": "2024-09-13T18:11:18Z",
"published": "2018-10-29T19:05:38Z",
"aliases": [
"CVE-2018-14572"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -52,6 +56,10 @@
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-cf3c-fffp-34qh"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/conference-scheduler-cli/PYSEC-2018-64.yaml"
+ },
{
"type": "WEB",
"url": "https://joel-malwarebenchmark.github.io/blog/2020/04/25/cve-2018-14572-conference-scheduler-cli"
diff --git a/advisories/github-reviewed/2018/12/GHSA-v4x4-98cg-wr4g/GHSA-v4x4-98cg-wr4g.json b/advisories/github-reviewed/2018/12/GHSA-v4x4-98cg-wr4g/GHSA-v4x4-98cg-wr4g.json
index 4782cb736e3..57c694393c9 100644
--- a/advisories/github-reviewed/2018/12/GHSA-v4x4-98cg-wr4g/GHSA-v4x4-98cg-wr4g.json
+++ b/advisories/github-reviewed/2018/12/GHSA-v4x4-98cg-wr4g/GHSA-v4x4-98cg-wr4g.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-v4x4-98cg-wr4g",
- "modified": "2023-09-05T17:59:57Z",
+ "modified": "2024-09-13T20:11:10Z",
"published": "2018-12-26T17:45:19Z",
"aliases": [
"CVE-2018-20325"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
}
],
"affected": [
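Review bot: The CVSS_V4 vector `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"` carries the threat metric E:U, whereas every other V4 vector in this commit is base-metrics only, and the next hunk lowers `"severity": "CRITICAL"` to `"HIGH"` even though the V3 vector on the line above it is the maximal network-vector base score; the downgrade looks like it was taken from the threat-adjusted score rather than the base score. If database_specific.severity is meant to reflect the base rating, either drop the `/E:U` suffix or keep the severity at CRITICAL; mixing base-only and threat-adjusted vectors under the same CVSS_V4 type makes severities incomparable across advisories. The same `/E:U` suffix appears in the new vector for GHSA-2f9x-5v75-3qv4.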
@@ -49,16 +53,24 @@
"type": "WEB",
"url": "https://github.com/danijar/definitions/issues/14"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-v4x4-98cg-wr4g"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/danijar/definitions"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/definitions/PYSEC-2018-82.yaml"
}
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
- "severity": "CRITICAL",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:56:38Z",
"nvd_published_at": null
diff --git a/advisories/github-reviewed/2019/01/GHSA-2f9x-5v75-3qv4/GHSA-2f9x-5v75-3qv4.json b/advisories/github-reviewed/2019/01/GHSA-2f9x-5v75-3qv4/GHSA-2f9x-5v75-3qv4.json
index 27684e54e57..0aeaac6f5c2 100644
--- a/advisories/github-reviewed/2019/01/GHSA-2f9x-5v75-3qv4/GHSA-2f9x-5v75-3qv4.json
+++ b/advisories/github-reviewed/2019/01/GHSA-2f9x-5v75-3qv4/GHSA-2f9x-5v75-3qv4.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-2f9x-5v75-3qv4",
- "modified": "2024-03-07T22:57:21Z",
+ "modified": "2024-09-17T15:09:40Z",
"published": "2019-01-04T17:50:00Z",
"aliases": [
"CVE-2018-7537"
@@ -12,13 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"
}
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -37,7 +41,7 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -56,7 +60,7 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -106,6 +110,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-6.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"
@@ -121,10 +129,6 @@
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/103357"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2019/01/GHSA-9gqg-3fxr-9hv7/GHSA-9gqg-3fxr-9hv7.json b/advisories/github-reviewed/2019/01/GHSA-9gqg-3fxr-9hv7/GHSA-9gqg-3fxr-9hv7.json
index 3739976bee1..6384c9b26b9 100644
--- a/advisories/github-reviewed/2019/01/GHSA-9gqg-3fxr-9hv7/GHSA-9gqg-3fxr-9hv7.json
+++ b/advisories/github-reviewed/2019/01/GHSA-9gqg-3fxr-9hv7/GHSA-9gqg-3fxr-9hv7.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9gqg-3fxr-9hv7",
- "modified": "2023-08-30T23:28:15Z",
+ "modified": "2024-09-12T20:12:09Z",
"published": "2019-01-25T16:19:09Z",
"aliases": [
"CVE-2017-17836"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -47,6 +51,14 @@
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-9gqg-3fxr-9hv7"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/apache/airflow"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2019-149.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57@%3Cdev.airflow.apache.org%3E"
diff --git a/advisories/github-reviewed/2019/02/GHSA-rv95-4wxj-6fqq/GHSA-rv95-4wxj-6fqq.json b/advisories/github-reviewed/2019/02/GHSA-rv95-4wxj-6fqq/GHSA-rv95-4wxj-6fqq.json
index a1069624ddb..5f29c93b612 100644
--- a/advisories/github-reviewed/2019/02/GHSA-rv95-4wxj-6fqq/GHSA-rv95-4wxj-6fqq.json
+++ b/advisories/github-reviewed/2019/02/GHSA-rv95-4wxj-6fqq/GHSA-rv95-4wxj-6fqq.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-rv95-4wxj-6fqq",
- "modified": "2023-09-05T09:29:43Z",
+ "modified": "2024-09-13T14:26:33Z",
"published": "2019-02-07T18:18:22Z",
"aliases": [
"CVE-2017-18361"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -55,6 +59,14 @@
{
"type": "PACKAGE",
"url": "https://github.com/Pylons/colander"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-rv95-4wxj-6fqq"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/colander/PYSEC-2019-167.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2019/04/GHSA-5xc6-fpc7-4qvg/GHSA-5xc6-fpc7-4qvg.json b/advisories/github-reviewed/2019/04/GHSA-5xc6-fpc7-4qvg/GHSA-5xc6-fpc7-4qvg.json
index 336f79d256a..ec1a066b64d 100644
--- a/advisories/github-reviewed/2019/04/GHSA-5xc6-fpc7-4qvg/GHSA-5xc6-fpc7-4qvg.json
+++ b/advisories/github-reviewed/2019/04/GHSA-5xc6-fpc7-4qvg/GHSA-5xc6-fpc7-4qvg.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5xc6-fpc7-4qvg",
- "modified": "2023-09-05T18:40:23Z",
+ "modified": "2024-09-13T14:31:59Z",
"published": "2019-04-08T15:19:01Z",
"aliases": [
"CVE-2018-12680"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -51,6 +55,10 @@
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-5xc6-fpc7-4qvg"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/coapthon/PYSEC-2019-165.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2019/04/GHSA-w6j4-3gh2-9f5j/GHSA-w6j4-3gh2-9f5j.json b/advisories/github-reviewed/2019/04/GHSA-w6j4-3gh2-9f5j/GHSA-w6j4-3gh2-9f5j.json
index cae48e7b149..89a4b03ec56 100644
--- a/advisories/github-reviewed/2019/04/GHSA-w6j4-3gh2-9f5j/GHSA-w6j4-3gh2-9f5j.json
+++ b/advisories/github-reviewed/2019/04/GHSA-w6j4-3gh2-9f5j/GHSA-w6j4-3gh2-9f5j.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-w6j4-3gh2-9f5j",
- "modified": "2023-08-30T23:11:45Z",
+ "modified": "2024-09-12T20:30:52Z",
"published": "2019-04-18T14:27:40Z",
"aliases": [
"CVE-2019-0229"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -48,6 +52,10 @@
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2019-215.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/2de387213d45bc626d27554a1bde7b8c67d08720901f82a50b6f4231@%3Cdev.airflow.apache.org%3E"
diff --git a/advisories/github-reviewed/2019/05/GHSA-g86p-hgx5-2pfh/GHSA-g86p-hgx5-2pfh.json b/advisories/github-reviewed/2019/05/GHSA-g86p-hgx5-2pfh/GHSA-g86p-hgx5-2pfh.json
index d96a86fd9f4..d1ceef99de6 100644
--- a/advisories/github-reviewed/2019/05/GHSA-g86p-hgx5-2pfh/GHSA-g86p-hgx5-2pfh.json
+++ b/advisories/github-reviewed/2019/05/GHSA-g86p-hgx5-2pfh/GHSA-g86p-hgx5-2pfh.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-g86p-hgx5-2pfh",
- "modified": "2022-03-04T21:16:27Z",
+ "modified": "2024-09-13T17:46:56Z",
"published": "2019-05-29T18:48:11Z",
"aliases": [
"CVE-2019-12300"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -69,6 +73,10 @@
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12300"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-g86p-hgx5-2pfh"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/buildbot/buildbot"
@@ -76,6 +84,18 @@
{
"type": "WEB",
"url": "https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/buildbot/PYSEC-2019-6.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLOM2K4M4723BCLHZJEX52KJXZSEVRL"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GXKO7OYLKBTXXXKF4VPHWT7GVYWFVYA"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2019/07/GHSA-7vvr-h4p5-m7fh/GHSA-7vvr-h4p5-m7fh.json b/advisories/github-reviewed/2019/07/GHSA-7vvr-h4p5-m7fh/GHSA-7vvr-h4p5-m7fh.json
index 1c366468dbe..8543c2c7f54 100644
--- a/advisories/github-reviewed/2019/07/GHSA-7vvr-h4p5-m7fh/GHSA-7vvr-h4p5-m7fh.json
+++ b/advisories/github-reviewed/2019/07/GHSA-7vvr-h4p5-m7fh/GHSA-7vvr-h4p5-m7fh.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-7vvr-h4p5-m7fh",
- "modified": "2023-08-07T15:09:13Z",
+ "modified": "2024-09-13T14:19:43Z",
"published": "2019-07-26T16:10:20Z",
"aliases": [
"CVE-2018-19801"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -40,6 +44,10 @@
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19801"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-7vvr-h4p5-m7fh"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/aubio/aubio"
@@ -47,6 +55,26 @@
{
"type": "WEB",
"url": "https://github.com/aubio/aubio/blob/0.4.9/ChangeLog"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aubio/PYSEC-2019-163.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYIKPYXZIWYWWNNORSKWRCFFCP6AFMRZ"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHIRMWW4JQ6UHJK4AVBJLFRLE2TPKC2W"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00063.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00067.html"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2019/07/GHSA-p3w6-jcg4-52xh/GHSA-p3w6-jcg4-52xh.json b/advisories/github-reviewed/2019/07/GHSA-p3w6-jcg4-52xh/GHSA-p3w6-jcg4-52xh.json
index b45a79229c3..945fe513ac9 100644
--- a/advisories/github-reviewed/2019/07/GHSA-p3w6-jcg4-52xh/GHSA-p3w6-jcg4-52xh.json
+++ b/advisories/github-reviewed/2019/07/GHSA-p3w6-jcg4-52xh/GHSA-p3w6-jcg4-52xh.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-p3w6-jcg4-52xh",
- "modified": "2022-09-17T00:26:01Z",
+ "modified": "2024-09-16T21:58:34Z",
"published": "2019-07-02T15:43:41Z",
"aliases": [
"CVE-2019-13177"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -64,6 +68,10 @@
{
"type": "WEB",
"url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-rest-registration/PYSEC-2019-20.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2019/08/GHSA-vx6v-2rg6-865h/GHSA-vx6v-2rg6-865h.json b/advisories/github-reviewed/2019/08/GHSA-vx6v-2rg6-865h/GHSA-vx6v-2rg6-865h.json
index 977195da47a..baa08558226 100644
--- a/advisories/github-reviewed/2019/08/GHSA-vx6v-2rg6-865h/GHSA-vx6v-2rg6-865h.json
+++ b/advisories/github-reviewed/2019/08/GHSA-vx6v-2rg6-865h/GHSA-vx6v-2rg6-865h.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-vx6v-2rg6-865h",
- "modified": "2023-04-20T21:51:43Z",
+ "modified": "2024-09-16T21:48:51Z",
"published": "2019-08-27T17:39:33Z",
"aliases": [
"CVE-2019-15486"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -57,6 +61,10 @@
"type": "WEB",
"url": "https://github.com/ierror/django-js-reverse/commit/a3b57d1e4424e2fadabcd526d170c4868d55159c"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-vx6v-2rg6-865h"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/ierror/django-js-reverse"
@@ -64,6 +72,10 @@
{
"type": "WEB",
"url": "https://github.com/ierror/django-js-reverse/compare/v0.9.0...v0.9.1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-js-reverse/PYSEC-2019-19.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2019/09/GHSA-pg2f-r7pc-6fxx/GHSA-pg2f-r7pc-6fxx.json b/advisories/github-reviewed/2019/09/GHSA-pg2f-r7pc-6fxx/GHSA-pg2f-r7pc-6fxx.json
index a53eacf8472..42bc7c23414 100644
--- a/advisories/github-reviewed/2019/09/GHSA-pg2f-r7pc-6fxx/GHSA-pg2f-r7pc-6fxx.json
+++ b/advisories/github-reviewed/2019/09/GHSA-pg2f-r7pc-6fxx/GHSA-pg2f-r7pc-6fxx.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-pg2f-r7pc-6fxx",
- "modified": "2021-08-17T22:19:46Z",
+ "modified": "2024-09-16T13:44:56Z",
"published": "2019-09-11T22:57:57Z",
"aliases": [
"CVE-2019-11457"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -40,6 +44,18 @@
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11457"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/MicroPyramid/Django-CRM"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-pg2f-r7pc-6fxx"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-crm/PYSEC-2019-174.yaml"
+ },
{
"type": "WEB",
"url": "https://www.netsparker.com/blog/web-security"
diff --git a/advisories/github-reviewed/2020/01/GHSA-5fq8-3q2f-4m5g/GHSA-5fq8-3q2f-4m5g.json b/advisories/github-reviewed/2020/01/GHSA-5fq8-3q2f-4m5g/GHSA-5fq8-3q2f-4m5g.json
index 7847e55bed5..e50b9b77b23 100644
--- a/advisories/github-reviewed/2020/01/GHSA-5fq8-3q2f-4m5g/GHSA-5fq8-3q2f-4m5g.json
+++ b/advisories/github-reviewed/2020/01/GHSA-5fq8-3q2f-4m5g/GHSA-5fq8-3q2f-4m5g.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5fq8-3q2f-4m5g",
- "modified": "2021-01-08T20:33:14Z",
+ "modified": "2024-09-16T21:59:21Z",
"published": "2020-01-24T19:56:59Z",
"aliases": [
"CVE-2020-5224"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
}
],
"affected": [
@@ -47,13 +51,21 @@
{
"type": "WEB",
"url": "https://github.com/jazzband/django-user-sessions/commit/f0c4077e7d1436ba6d721af85cee89222ca5d2d9"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/Bouke/django-user-sessions"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-user-sessions/PYSEC-2020-230.yaml"
}
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
- "severity": "LOW",
+ "severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2020-01-24T19:56:37Z",
"nvd_published_at": null
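Review bot: The new PACKAGE reference `"url": "https://github.com/Bouke/django-user-sessions"` names a different GitHub owner than the fix commit referenced directly above it (github.com/jazzband/django-user-sessions/commit/...); presumably the repository moved to the jazzband organisation and the old name redirects, but the PACKAGE reference is what tooling uses to identify the project, so it should point at the canonical location. Suggest `"url": "https://github.com/jazzband/django-user-sessions"` unless the Bouke repository is still the upstream.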
diff --git a/advisories/github-reviewed/2020/02/GHSA-q65m-pv3f-wr5r/GHSA-q65m-pv3f-wr5r.json b/advisories/github-reviewed/2020/02/GHSA-q65m-pv3f-wr5r/GHSA-q65m-pv3f-wr5r.json
index 1a779d878e8..d2cf5d31cf7 100644
--- a/advisories/github-reviewed/2020/02/GHSA-q65m-pv3f-wr5r/GHSA-q65m-pv3f-wr5r.json
+++ b/advisories/github-reviewed/2020/02/GHSA-q65m-pv3f-wr5r/GHSA-q65m-pv3f-wr5r.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-q65m-pv3f-wr5r",
- "modified": "2022-10-07T13:11:43Z",
+ "modified": "2024-09-13T15:05:52Z",
"published": "2020-02-24T17:33:44Z",
"aliases": [
"CVE-2020-6802"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -64,6 +68,10 @@
"type": "PACKAGE",
"url": "https://github.com/mozilla/bleach"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2020-27.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI"
diff --git a/advisories/github-reviewed/2020/03/GHSA-m6xf-fq7q-8743/GHSA-m6xf-fq7q-8743.json b/advisories/github-reviewed/2020/03/GHSA-m6xf-fq7q-8743/GHSA-m6xf-fq7q-8743.json
index afe21a60458..a4f8dfd3a5b 100644
--- a/advisories/github-reviewed/2020/03/GHSA-m6xf-fq7q-8743/GHSA-m6xf-fq7q-8743.json
+++ b/advisories/github-reviewed/2020/03/GHSA-m6xf-fq7q-8743/GHSA-m6xf-fq7q-8743.json
@@ -1,17 +1,21 @@
{
"schema_version": "1.4.0",
"id": "GHSA-m6xf-fq7q-8743",
- "modified": "2022-10-07T13:07:17Z",
+ "modified": "2024-09-12T20:49:31Z",
"published": "2020-03-24T15:06:32Z",
"aliases": [
"CVE-2020-6816"
],
- "summary": "mutation XSS via whitelisted math or svg and raw tag in Bleach",
+ "summary": "Bleach vulnerable to mutation XSS via whitelisted math or svg and raw tag",
"details": "### Impact\n\nA [mutation XSS](https://cure53.de/fp170.pdf) affects users calling `bleach.clean` with all of:\n\n* the `svg` or `math` in the allowed/whitelisted tags\n* an RCDATA tag (see below) in the allowed/whitelisted tags\n* the keyword argument `strip=False`\n\n### Patches\n\nUsers are encouraged to upgrade to bleach v3.1.2 or greater.\n\n### Workarounds\n\n* modify `bleach.clean` calls to use `strip=True`, or not whitelist `math` or `svg` tags and one or more of the following tags:\n\n```\nscript\nnoscript\nstyle\nnoframes\nxmp\nnoembed\niframe\n```\n\n* A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) without `unsafe-inline` and `unsafe-eval` [`script-src`s](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src)) will also help mitigate the risk.\n\n### References\n\n* https://bugzilla.mozilla.org/show_bug.cgi?id=1621692\n* https://cure53.de/fp170.pdf\n* https://nvd.nist.gov/vuln/detail/CVE-2020-6816\n* https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach\n\n### Credits\n\n* Reported by [Yaniv Nizry](https://twitter.com/ynizry) from the CxSCA AppSec group at Checkmarx\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue at [https://github.com/mozilla/bleach/issues](https://github.com/mozilla/bleach/issues)\n* Email us at [security@mozilla.org](mailto:security@mozilla.org)",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -48,10 +52,18 @@
"type": "WEB",
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4277"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/mozilla/bleach"
+ },
{
"type": "WEB",
"url": "https://github.com/mozilla/bleach/releases/tag/v3.1.2"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2020-28.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EDQU2SZLZMSSACCBUBJ6NOSRNNBDYFW5"
diff --git a/advisories/github-reviewed/2020/06/GHSA-37cf-r3w2-gjfw/GHSA-37cf-r3w2-gjfw.json b/advisories/github-reviewed/2020/06/GHSA-37cf-r3w2-gjfw/GHSA-37cf-r3w2-gjfw.json
index a6973e7476b..920d4cb8cad 100644
--- a/advisories/github-reviewed/2020/06/GHSA-37cf-r3w2-gjfw/GHSA-37cf-r3w2-gjfw.json
+++ b/advisories/github-reviewed/2020/06/GHSA-37cf-r3w2-gjfw/GHSA-37cf-r3w2-gjfw.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-37cf-r3w2-gjfw",
- "modified": "2023-09-01T10:17:33Z",
+ "modified": "2024-09-16T22:30:29Z",
"published": "2020-06-05T16:09:19Z",
"aliases": [
"CVE-2019-10682"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -44,6 +48,14 @@
"type": "WEB",
"url": "https://github.com/relekang/django-nopassword/commit/d8b4615f5fbfe3997d96cf4cb3e342406396193c"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-37cf-r3w2-gjfw"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-nopassword/PYSEC-2020-229.yaml"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/relekang/django-nopassword"
diff --git a/advisories/github-reviewed/2020/06/GHSA-m38j-pmg3-v5x5/GHSA-m38j-pmg3-v5x5.json b/advisories/github-reviewed/2020/06/GHSA-m38j-pmg3-v5x5/GHSA-m38j-pmg3-v5x5.json
index e2e93698e53..1286bb641b7 100644
--- a/advisories/github-reviewed/2020/06/GHSA-m38j-pmg3-v5x5/GHSA-m38j-pmg3-v5x5.json
+++ b/advisories/github-reviewed/2020/06/GHSA-m38j-pmg3-v5x5/GHSA-m38j-pmg3-v5x5.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-m38j-pmg3-v5x5",
- "modified": "2021-01-07T23:50:14Z",
+ "modified": "2024-09-16T21:26:35Z",
"published": "2020-06-23T19:58:27Z",
"aliases": [
"CVE-2020-4071"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"
}
],
"affected": [
@@ -48,6 +52,14 @@
"type": "WEB",
"url": "https://github.com/tm-kn/django-basic-auth-ip-whitelist/commit/effe05ed1ed9e1ccc675a65b69d36217e5c5dfc6"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-basic-auth-ip-whitelist/PYSEC-2020-37.yaml"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/tm-kn/django-basic-auth-ip-whitelist"
+ },
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ"
diff --git a/advisories/github-reviewed/2020/07/GHSA-vhr6-pvjm-9qwf/GHSA-vhr6-pvjm-9qwf.json b/advisories/github-reviewed/2020/07/GHSA-vhr6-pvjm-9qwf/GHSA-vhr6-pvjm-9qwf.json
index d43d71bc9f4..30ad7d2188b 100644
--- a/advisories/github-reviewed/2020/07/GHSA-vhr6-pvjm-9qwf/GHSA-vhr6-pvjm-9qwf.json
+++ b/advisories/github-reviewed/2020/07/GHSA-vhr6-pvjm-9qwf/GHSA-vhr6-pvjm-9qwf.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-vhr6-pvjm-9qwf",
- "modified": "2021-01-07T23:48:04Z",
+ "modified": "2024-09-16T21:33:50Z",
"published": "2020-07-10T20:55:00Z",
"aliases": [
"CVE-2020-15105"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -28,7 +32,7 @@
"introduced": "0"
},
{
- "fixed": "1.12.0"
+ "fixed": "1.12"
}
]
}
@@ -48,16 +52,24 @@
"type": "WEB",
"url": "https://github.com/Bouke/django-two-factor-auth/commit/454fd9842fa6e8bb772dbf0943976bc8e3335359"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/Bouke/django-two-factor-auth"
+ },
{
"type": "WEB",
"url": "https://github.com/Bouke/django-two-factor-auth/blob/master/CHANGELOG.md#112---2020-07-08"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-two-factor-auth/PYSEC-2020-39.yaml"
}
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
- "severity": "HIGH",
+ "severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2020-07-10T20:52:31Z",
"nvd_published_at": null
diff --git a/advisories/github-reviewed/2020/09/GHSA-x7gm-rfgv-w973/GHSA-x7gm-rfgv-w973.json b/advisories/github-reviewed/2020/09/GHSA-x7gm-rfgv-w973/GHSA-x7gm-rfgv-w973.json
index f63d8c61e82..78c4c1236f3 100644
--- a/advisories/github-reviewed/2020/09/GHSA-x7gm-rfgv-w973/GHSA-x7gm-rfgv-w973.json
+++ b/advisories/github-reviewed/2020/09/GHSA-x7gm-rfgv-w973/GHSA-x7gm-rfgv-w973.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-x7gm-rfgv-w973",
- "modified": "2022-01-06T20:22:25Z",
+ "modified": "2024-09-16T22:10:02Z",
"published": "2020-09-28T19:05:29Z",
"aliases": [
"CVE-2020-15225"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -56,6 +60,10 @@
"type": "WEB",
"url": "https://github.com/carltongibson/django-filter/releases/tag/2.4.0"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-filter/PYSEC-2021-64.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S"
diff --git a/advisories/github-reviewed/2020/10/GHSA-hggm-jpg3-v476/GHSA-hggm-jpg3-v476.json b/advisories/github-reviewed/2020/10/GHSA-hggm-jpg3-v476/GHSA-hggm-jpg3-v476.json
index 12e48957e8d..99a0676a380 100644
--- a/advisories/github-reviewed/2020/10/GHSA-hggm-jpg3-v476/GHSA-hggm-jpg3-v476.json
+++ b/advisories/github-reviewed/2020/10/GHSA-hggm-jpg3-v476/GHSA-hggm-jpg3-v476.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hggm-jpg3-v476",
- "modified": "2022-07-29T18:12:08Z",
+ "modified": "2024-09-13T18:16:06Z",
"published": "2020-10-27T20:33:13Z",
"aliases": [
"CVE-2020-25659"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -46,16 +50,24 @@
},
{
"type": "WEB",
- "url": "https://github.com/pyca/cryptography/pull/5507/commits/ce1bef6f1ee06ac497ca0c837fbd1c7ef6c2472b"
+ "url": "https://github.com/pyca/cryptography/pull/5507"
},
{
"type": "WEB",
"url": "https://github.com/pyca/cryptography/commit/58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-hggm-jpg3-v476"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/pyca/cryptography"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2021-62.yaml"
+ },
{
"type": "WEB",
"url": "https://pypi.org/project/cryptography"
diff --git a/advisories/github-reviewed/2021/01/GHSA-hq37-853p-g5cf/GHSA-hq37-853p-g5cf.json b/advisories/github-reviewed/2021/01/GHSA-hq37-853p-g5cf/GHSA-hq37-853p-g5cf.json
index 735bee6dbd3..6b83a20fa64 100644
--- a/advisories/github-reviewed/2021/01/GHSA-hq37-853p-g5cf/GHSA-hq37-853p-g5cf.json
+++ b/advisories/github-reviewed/2021/01/GHSA-hq37-853p-g5cf/GHSA-hq37-853p-g5cf.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hq37-853p-g5cf",
- "modified": "2021-01-06T19:12:20Z",
+ "modified": "2024-09-13T17:42:15Z",
"published": "2021-01-06T16:57:50Z",
"aliases": [
"CVE-2021-21236"
@@ -9,7 +9,14 @@
"summary": "Regular Expression Denial of Service in CairoSVG",
"details": "# Doyensec Vulnerability Advisory \n\n* Regular Expression Denial of Service (REDoS) in cairosvg\n* Affected Product: CairoSVG v2.0.0+\n* Vendor: https://github.com/Kozea\n* Severity: Medium\n* Vulnerability Class: Denial of Service\n* Author(s): Ben Caller ([Doyensec](https://doyensec.com))\n\n## Summary\n\nWhen processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS).\nIf an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.\n\n## Technical description\n\nThe vulnerable regular expressions are\n\nhttps://github.com/Kozea/CairoSVG/blob/9c4a982b9a021280ad90e89707eacc1d114e4ac4/cairosvg/colors.py#L190-L191\n\nThe section between 'rgb(' and the final ')' contains multiple overlapping groups.\n\nSince all three infinitely repeating groups accept spaces, a long string of spaces causes catastrophic backtracking when it is not followed by a closing parenthesis.\n\nThe complexity is cubic, so doubling the length of the malicious string of spaces makes processing take 8 times as long.\n\n## Reproduction steps\n\nCreate a malicious SVG of the form:\n\n \n\nwith the following code:\n\n ''\n\nNote that there is no closing parenthesis before the semi-colon.\n\nRun cairosvg e.g.:\n\n cairosvg cairo-redos.svg -o x.png\n\nand notice that it hangs at 100% CPU. Increasing the number of spaces increases the processing time with cubic complexity.\n\n## Remediation\n\nFix the regexes to avoid overlapping parts. Perhaps remove the [ \\n\\r\\t]* groups from the regex, and use .strip() on the returned capture group.\n\n## Disclosure timeline\n\n- 2020-12-30: Vulnerability disclosed via email to CourtBouillon",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"
+ }
],
"affected": [
{
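Review bot: The new CVSS 4.0 vector carries the threat metric `E:P`, so this record stores a CVSS-BT vector while the other `CVSS_V4` entries touched in this change store base-only vectors; a consumer computing a score from this field gets a lower, time-dependent number that is not comparable across the database. The proof-of-concept that `E:P` presumably rests on is the reproduction in `details`, but the SVG markup there has been stripped to blank lines ("Create a malicious SVG of the form:" is followed by nothing), so the stored advisory no longer carries it. Suggest storing the base vector only, `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`, and restoring the reproduction as escaped text or a link to the upstream Doyensec write-up.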
@@ -45,10 +52,18 @@
"type": "WEB",
"url": "https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/Kozea/CairoSVG"
+ },
{
"type": "WEB",
"url": "https://github.com/Kozea/CairoSVG/releases/tag/2.5.1"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2021-5.yaml"
+ },
{
"type": "WEB",
"url": "https://pypi.org/project/CairoSVG"
@@ -58,7 +73,7 @@
"cwe_ids": [
"CWE-400"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2021-01-06T16:57:38Z",
"nvd_published_at": "2021-01-06T17:15:00Z"
diff --git a/advisories/github-reviewed/2021/02/GHSA-rhm9-p9w5-fwm7/GHSA-rhm9-p9w5-fwm7.json b/advisories/github-reviewed/2021/02/GHSA-rhm9-p9w5-fwm7/GHSA-rhm9-p9w5-fwm7.json
index 0cb5e88c3a2..08ba9156bc0 100644
--- a/advisories/github-reviewed/2021/02/GHSA-rhm9-p9w5-fwm7/GHSA-rhm9-p9w5-fwm7.json
+++ b/advisories/github-reviewed/2021/02/GHSA-rhm9-p9w5-fwm7/GHSA-rhm9-p9w5-fwm7.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-rhm9-p9w5-fwm7",
- "modified": "2023-08-30T22:06:59Z",
+ "modified": "2024-09-13T18:33:13Z",
"published": "2021-02-10T01:32:27Z",
"aliases": [
"CVE-2020-36242"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -20,6 +24,11 @@
"ecosystem": "PyPI",
"name": "cryptography"
},
+ "ecosystem_specific": {
+ "affected_functions": [
+ "cryptography.hazmat.backends.openssl.ciphers._CipherContext"
+ ]
+ },
"ranges": [
{
"type": "ECOSYSTEM",
@@ -52,6 +61,10 @@
"type": "WEB",
"url": "https://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-rhm9-p9w5-fwm7"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/pyca/cryptography"
@@ -64,6 +77,14 @@
"type": "WEB",
"url": "https://github.com/pyca/cryptography/compare/3.3.1...3.3.2"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2021-63.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E"
+ },
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E"
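Review bot: The added reference `https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E` is the same Fedora announcement as the existing entry directly below it, differing only in `%40` versus `@` in the list address. Keeping both inflates the reference list and defeats tooling that deduplicates by URL; keep one form, preferably the existing unencoded one, or have the importer normalize percent-encoding before merging.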
@@ -82,7 +103,7 @@
"CWE-190",
"CWE-787"
],
- "severity": "CRITICAL",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2021-02-10T01:31:02Z",
"nvd_published_at": "2021-02-07T20:15:00Z"
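Review bot: `"severity": "HIGH"` now disagrees with the CVSS 3.1 vector retained in this record, `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H`, which scores 9.1 (Critical); the downgrade is presumably derived from the new CVSS 4.0 vector, but nothing in the record says so. Consumers that combine `database_specific.severity` with the v3 score will see a CRITICAL/HIGH conflict for a remotely reachable, unauthenticated integer-overflow bug. Either keep `"severity": "CRITICAL"` or record which vector the label is computed from so the change is auditable.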
diff --git a/advisories/github-reviewed/2021/02/GHSA-vv2x-vrpj-qqpq/GHSA-vv2x-vrpj-qqpq.json b/advisories/github-reviewed/2021/02/GHSA-vv2x-vrpj-qqpq/GHSA-vv2x-vrpj-qqpq.json
index 454eb900592..5b6fb83acab 100644
--- a/advisories/github-reviewed/2021/02/GHSA-vv2x-vrpj-qqpq/GHSA-vv2x-vrpj-qqpq.json
+++ b/advisories/github-reviewed/2021/02/GHSA-vv2x-vrpj-qqpq/GHSA-vv2x-vrpj-qqpq.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-vv2x-vrpj-qqpq",
- "modified": "2023-08-23T22:57:36Z",
+ "modified": "2024-09-13T15:15:58Z",
"published": "2021-02-02T17:58:40Z",
"aliases": [
"CVE-2021-23980"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
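Review bot: The new CVSS 4.0 vector's `UI:N` contradicts the retained CVSS 3.1 vector's `UI:R` for the same sanitizer-bypass XSS; the v3 assessment records that a user has to view the output, which maps to `UI:P` in 4.0, not `UI:N`. The Datasette reflected-XSS record updated in this same change uses `UI:P`, so the bleach vector is also inconsistent with its siblings. Suggest `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N` unless the user-interaction requirement was deliberately dropped, in which case the v3 vector should be corrected as well.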
@@ -53,6 +57,10 @@
"type": "WEB",
"url": "https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13"
},
+ {
+ "type": "WEB",
+ "url": "https://advisory.checkmarx.net/advisory/CX-2021-4303"
+ },
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1689399"
@@ -65,10 +73,18 @@
"type": "WEB",
"url": "https://cure53.de/fp170.pdf"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/mozilla/bleach"
+ },
{
"type": "WEB",
"url": "https://github.com/mozilla/bleach/blob/79b7a3c5e56a09d1d323a5006afa59b56162eb13/CHANGES#L4"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2021-865.yaml"
+ },
{
"type": "WEB",
"url": "https://pypi.org/project/bleach"
diff --git a/advisories/github-reviewed/2021/03/GHSA-cqff-fx2x-p86v/GHSA-cqff-fx2x-p86v.json b/advisories/github-reviewed/2021/03/GHSA-cqff-fx2x-p86v/GHSA-cqff-fx2x-p86v.json
index b538fdbe2d4..cb2a2011f83 100644
--- a/advisories/github-reviewed/2021/03/GHSA-cqff-fx2x-p86v/GHSA-cqff-fx2x-p86v.json
+++ b/advisories/github-reviewed/2021/03/GHSA-cqff-fx2x-p86v/GHSA-cqff-fx2x-p86v.json
@@ -1,15 +1,22 @@
{
"schema_version": "1.4.0",
"id": "GHSA-cqff-fx2x-p86v",
- "modified": "2021-03-08T15:48:55Z",
+ "modified": "2024-09-13T15:07:22Z",
"published": "2021-03-08T15:50:10Z",
"aliases": [
],
- "summary": "Improper Authentication",
+ "summary": "botframework-connector vulnerable to Improper Authentication",
"details": "### Impact\nA maliciously crafted claim may be incorrectly authenticated by the bot. Impacts bots that are not configured to be used as a Skill. This vulnerability requires an attacker to have internal knowledge of the bot.\n\n### Patches\nThe problem has been patched in all affected versions. Please see the list of patched versions for the most appropiate one for your individual case.\n\n### Workarounds\nUsers who do not wish or are not able to upgrade can add an authentication configuration containing ClaimsValidator, which throws an exception if Claims are Skill Claims. \n\nFor detailed instructions, see the link in the References section.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Microsoft Bot Builder SDK](https://github.com/microsoft/botframework-sdk)\n* Email us at [bf-reports@microsoft.com](mailto:bf-reports@microsoft.com)",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -104,6 +111,14 @@
"type": "WEB",
"url": "https://github.com/microsoft/botbuilder-python/blob/main/doc/SkillClaimsValidation.md"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/botframework-connector/PYSEC-2021-422.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1725"
+ },
{
"type": "WEB",
"url": "https://pypi.org/project/botframework-connector"
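Review bot: The added MSRC reference names CVE-2021-1725, yet the record's `aliases` array remains empty. If that CVE is this issue, add `"aliases": ["CVE-2021-1725"]` so OSV consumers and scanners that key on CVE IDs deduplicate against NVD instead of missing this advisory entirely; leaving the ID only inside a URL is not machine-usable. If it is a distinct but related issue, it belongs under `related` rather than in a bare reference.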
diff --git a/advisories/github-reviewed/2021/03/GHSA-v542-8q9x-cffc/GHSA-v542-8q9x-cffc.json b/advisories/github-reviewed/2021/03/GHSA-v542-8q9x-cffc/GHSA-v542-8q9x-cffc.json
index 6ef84ec32ae..72d1a64693a 100644
--- a/advisories/github-reviewed/2021/03/GHSA-v542-8q9x-cffc/GHSA-v542-8q9x-cffc.json
+++ b/advisories/github-reviewed/2021/03/GHSA-v542-8q9x-cffc/GHSA-v542-8q9x-cffc.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-v542-8q9x-cffc",
- "modified": "2023-09-05T14:34:15Z",
+ "modified": "2024-09-13T17:49:26Z",
"published": "2021-03-19T21:29:02Z",
"aliases": [
"CVE-2020-35681"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
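Review bot: The new CVSS 4.0 vector drops availability impact (`VA:N`) while the retained CVSS 3.1 vector still claims `A:H`; that is a change in the impact assessment, not a v3-to-v4 notation mapping, and the record now carries two contradicting claims. Whichever is correct, fix the other vector in the same change so that consumers preferring v3 and v4 do not score this issue differently.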
@@ -52,9 +56,21 @@
"type": "WEB",
"url": "https://channels.readthedocs.io/en/stable/releases/index.html"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-v542-8q9x-cffc"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/django/channels"
+ },
{
"type": "WEB",
"url": "https://github.com/django/channels/releases"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/channels/PYSEC-2021-113.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/04/GHSA-2xpj-f5g2-8p7m/GHSA-2xpj-f5g2-8p7m.json b/advisories/github-reviewed/2021/04/GHSA-2xpj-f5g2-8p7m/GHSA-2xpj-f5g2-8p7m.json
index dae81c982ad..1ccd6032d8a 100644
--- a/advisories/github-reviewed/2021/04/GHSA-2xpj-f5g2-8p7m/GHSA-2xpj-f5g2-8p7m.json
+++ b/advisories/github-reviewed/2021/04/GHSA-2xpj-f5g2-8p7m/GHSA-2xpj-f5g2-8p7m.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-2xpj-f5g2-8p7m",
- "modified": "2023-08-30T21:16:22Z",
+ "modified": "2024-09-12T21:06:18Z",
"published": "2021-04-20T16:30:51Z",
"aliases": [
"CVE-2020-17446"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -44,10 +48,22 @@
"type": "WEB",
"url": "https://github.com/MagicStack/asyncpg/commit/69bcdf5bf7696b98ee708be5408fd7d854e910d0"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/MagicStack/asyncpg"
+ },
{
"type": "WEB",
"url": "https://github.com/MagicStack/asyncpg/releases/tag/v0.21.0"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-2xpj-f5g2-8p7m"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/asyncpg/PYSEC-2020-24.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00002.html"
diff --git a/advisories/github-reviewed/2021/04/GHSA-58c7-px5v-82hh/GHSA-58c7-px5v-82hh.json b/advisories/github-reviewed/2021/04/GHSA-58c7-px5v-82hh/GHSA-58c7-px5v-82hh.json
index f9ba78c972e..1428feb16bd 100644
--- a/advisories/github-reviewed/2021/04/GHSA-58c7-px5v-82hh/GHSA-58c7-px5v-82hh.json
+++ b/advisories/github-reviewed/2021/04/GHSA-58c7-px5v-82hh/GHSA-58c7-px5v-82hh.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-58c7-px5v-82hh",
- "modified": "2023-03-30T14:48:14Z",
+ "modified": "2024-09-16T21:29:06Z",
"published": "2021-04-06T17:28:59Z",
"aliases": [
"CVE-2021-21416"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
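Review bot: The new CVSS 4.0 vector changes the attack vector from the retained 3.1 vector's `AV:L` to `AV:N`, which is a materially different exposure claim for the same issue rather than a notation mapping. One of the two is wrong: if the flaw is reachable by a remote request the 3.1 vector should be corrected too, otherwise the 4.0 vector should read `AV:L`. Leaving them in conflict means the reported severity depends on which vector a downstream consumer happens to prefer.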
@@ -48,6 +52,10 @@
"type": "WEB",
"url": "https://github.com/ubernostrum/django-registration/commit/2db0bb7ec35636ea46b07b146328b87b2cb13ca5"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-registration/PYSEC-2021-11.yaml"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/ubernostrum/django-registration"
diff --git a/advisories/github-reviewed/2021/04/GHSA-f248-v4qh-x2r6/GHSA-f248-v4qh-x2r6.json b/advisories/github-reviewed/2021/04/GHSA-f248-v4qh-x2r6/GHSA-f248-v4qh-x2r6.json
index 72823c32698..26f0716cacd 100644
--- a/advisories/github-reviewed/2021/04/GHSA-f248-v4qh-x2r6/GHSA-f248-v4qh-x2r6.json
+++ b/advisories/github-reviewed/2021/04/GHSA-f248-v4qh-x2r6/GHSA-f248-v4qh-x2r6.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-f248-v4qh-x2r6",
- "modified": "2023-08-31T16:38:53Z",
+ "modified": "2024-09-13T17:43:29Z",
"published": "2021-04-20T16:29:41Z",
"aliases": [
"CVE-2020-27589"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -42,16 +46,28 @@
},
{
"type": "WEB",
- "url": "https://github.com/blackducksoftware/hub-rest-api-python/pull/113/commits/273b27d0de1004389dd8cf43c40b1197c787e7cd"
+ "url": "https://github.com/blackducksoftware/hub-rest-api-python/pull/113"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/blackducksoftware/hub-rest-api-python/commit/0a25777117515b8b4ff287a98f57837a8c6bdbdb"
},
{
"type": "WEB",
"url": "https://community.synopsys.com/s/question/0D52H00005JCZAXSA5/announcement-black-duck-defect-identified"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-f248-v4qh-x2r6"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/blackducksoftware/hub-rest-api-python"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/blackduck/PYSEC-2020-26.yaml"
+ },
{
"type": "WEB",
"url": "https://pypi.org/project/blackduck"
diff --git a/advisories/github-reviewed/2021/04/GHSA-ffw3-6mp6-jmvj/GHSA-ffw3-6mp6-jmvj.json b/advisories/github-reviewed/2021/04/GHSA-ffw3-6mp6-jmvj/GHSA-ffw3-6mp6-jmvj.json
index 29b914ceff8..a05d0856d8d 100644
--- a/advisories/github-reviewed/2021/04/GHSA-ffw3-6mp6-jmvj/GHSA-ffw3-6mp6-jmvj.json
+++ b/advisories/github-reviewed/2021/04/GHSA-ffw3-6mp6-jmvj/GHSA-ffw3-6mp6-jmvj.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-ffw3-6mp6-jmvj",
- "modified": "2024-03-06T22:33:58Z",
+ "modified": "2024-09-12T20:19:16Z",
"published": "2021-04-07T21:05:57Z",
"aliases": [
"CVE-2021-26559"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -28,7 +32,7 @@
"introduced": "2.0.0"
},
{
- "fixed": "2.0.1"
+ "fixed": "2.0.1rc1"
}
]
}
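Review bot: Moving `fixed` from `2.0.1` to `2.0.1rc1` marks every 2.0.1 pre-release as patched, since PEP 440 orders `2.0.1rc1 < 2.0.1`; that is only correct if the fix commit listed in the references (`5e35926c…`) is contained in the `2.0.1rc1` tag. If the fix landed in a later release candidate, installs pinned to `2.0.1rc1` will be reported clean while still vulnerable — confirm against the tag before merging. If the intent is merely to cover pre-releases, keeping `"fixed": "2.0.1"` is the conservative choice, since it flags all 2.0.1 RCs as affected.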
@@ -51,6 +55,10 @@
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/5e35926c7eda0dfa11a9623e4bf5f60c2bd6b3f6"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-ffw3-6mp6-jmvj"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
@@ -59,6 +67,10 @@
"type": "WEB",
"url": "https://github.com/apache/airflow/blob/486b76438c0679682cf98cb88ed39c4b161cbcc8/CHANGELOG.txt"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-2.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E"
diff --git a/advisories/github-reviewed/2021/04/GHSA-pghf-347x-c2gj/GHSA-pghf-347x-c2gj.json b/advisories/github-reviewed/2021/04/GHSA-pghf-347x-c2gj/GHSA-pghf-347x-c2gj.json
index 5dd77b5a056..6eb5144d6d8 100644
--- a/advisories/github-reviewed/2021/04/GHSA-pghf-347x-c2gj/GHSA-pghf-347x-c2gj.json
+++ b/advisories/github-reviewed/2021/04/GHSA-pghf-347x-c2gj/GHSA-pghf-347x-c2gj.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-pghf-347x-c2gj",
- "modified": "2021-04-14T22:22:37Z",
+ "modified": "2024-09-13T20:10:20Z",
"published": "2021-04-16T19:53:28Z",
"aliases": [
"CVE-2021-30459"
@@ -9,7 +9,14 @@
"summary": "SQL Injection via in django-debug-toolbar",
"details": "### Impact\nWith Django Debug Toolbar attackers are able to execute SQL by changing the `raw_sql` input of the SQL explain, analyze or select forms and submitting the form.\n\n**NOTE:** This is a high severity issue for anyone using the toolbar in a **production environment**.\n\nGenerally the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue.\n\n### Patches\nPlease upgrade to one of the following versions, depending on the major version you're using:\n\n- Version 1.x: [django-debug-toolbar 1.11.1](https://pypi.org/project/django-debug-toolbar/1.11.1/)\n- Version 2.x: [django-debug-toolbar 2.2.1](https://pypi.org/project/django-debug-toolbar/2.2.1/)\n- Version 3.x: [django-debug-toolbar 3.2.1](https://pypi.org/project/django-debug-toolbar/3.2.1/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [django-debug-toolbar repo](https://github.com/jazzband/django-debug-toolbar/issues/new) (Please NO SENSITIVE INFORMATION, send an email instead!)\n* Email us at [security@jazzband.co](mailto:security@jazzband.co)",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+ }
],
"affected": [
{
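Review bot: The new CVSS 4.0 vector adds `AT:P` and the threat metric `E:U`, both of which lower the computed score relative to the base vector for a remote, unauthenticated SQL injection that the record's own `details` calls high severity. `E:U` ("unreported") is a point-in-time observation that will go stale in a static advisory, and `AT:P` is not explained anywhere in the record — if it presumably stands for "toolbar enabled in production", say so in `details`. Consider storing the base vector `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` and leaving threat metrics to consumers.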
@@ -41,7 +48,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "2.0.0"
+ "introduced": "2.0a1"
},
{
"fixed": "2.2.1"
@@ -60,7 +67,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "3.0.0"
+ "introduced": "3.0a1"
},
{
"fixed": "3.2.1"
@@ -83,10 +90,18 @@
"type": "WEB",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30459"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/jazzband/django-debug-toolbar"
+ },
{
"type": "WEB",
"url": "https://github.com/jazzband/django-debug-toolbar/releases"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-debug-toolbar/PYSEC-2021-10.yaml"
+ },
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2021/apr/14/debug-toolbar-security-releases"
diff --git a/advisories/github-reviewed/2021/04/GHSA-qhx9-7hx7-cp4r/GHSA-qhx9-7hx7-cp4r.json b/advisories/github-reviewed/2021/04/GHSA-qhx9-7hx7-cp4r/GHSA-qhx9-7hx7-cp4r.json
index d05dba32969..92f0d4d8c13 100644
--- a/advisories/github-reviewed/2021/04/GHSA-qhx9-7hx7-cp4r/GHSA-qhx9-7hx7-cp4r.json
+++ b/advisories/github-reviewed/2021/04/GHSA-qhx9-7hx7-cp4r/GHSA-qhx9-7hx7-cp4r.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-qhx9-7hx7-cp4r",
- "modified": "2023-09-05T14:37:12Z",
+ "modified": "2024-09-13T14:20:37Z",
"published": "2021-04-07T21:05:21Z",
"aliases": [
"CVE-2020-28473"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -44,10 +48,18 @@
"type": "WEB",
"url": "https://github.com/bottlepy/bottle/commit/57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-qhx9-7hx7-cp4r"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/bottlepy/bottle"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bottle/PYSEC-2021-129.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html"
diff --git a/advisories/github-reviewed/2021/04/GHSA-rjmf-p882-645m/GHSA-rjmf-p882-645m.json b/advisories/github-reviewed/2021/04/GHSA-rjmf-p882-645m/GHSA-rjmf-p882-645m.json
index 33e7de4ff3b..31927a318cf 100644
--- a/advisories/github-reviewed/2021/04/GHSA-rjmf-p882-645m/GHSA-rjmf-p882-645m.json
+++ b/advisories/github-reviewed/2021/04/GHSA-rjmf-p882-645m/GHSA-rjmf-p882-645m.json
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-rjmf-p882-645m",
- "modified": "2024-02-13T19:28:56Z",
+ "modified": "2024-09-16T22:04:44Z",
"published": "2021-04-12T18:51:17Z",
"aliases": [
"CVE-2021-20327"
],
"summary": "mongodb-client-encryption vulnerable to Improper Certificate Validation",
- "details": "A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and the KMS service rendering client-side field level encryption (CSFLE) ineffective. This issue was discovered during internal testing and affects mongodb-client-encryption module version 1.2.0, which was available from 2021-Jan-29 and deprecated in the NPM Registry on 2021-Feb-04. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services from applications residing inside the AWS, GCP, and Azure nework fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.",
+ "details": "A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and the KMS service rendering client-side field level encryption (CSFLE) ineffective. This issue was discovered during internal testing and affects mongodb-client-encryption module version 1.2.0, which was available from 2021-Jan-29 and deprecated in the NPM Registry on 2021-Feb-04. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services from applications residing inside the AWS, GCP, and Azure nework fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption. This issue affect MongoDB Node.js Driver mongodb-client-encryption module version 1.2.0",
"severity": [
{
"type": "CVSS_V3",
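Review bot: The sentence appended to `details`, `This issue affect MongoDB Node.js Driver mongodb-client-encryption module version 1.2.0`, restates what the text already says two sentences earlier ("affects mongodb-client-encryption module version 1.2.0"), has a subject–verb error, and lacks a terminating period. If the upstream CNA text was re-synced verbatim, keep it but correct `affect` to `affects`; otherwise drop the duplicate sentence. The pre-existing `nework` typo in the same string could be fixed in the same pass.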
diff --git a/advisories/github-reviewed/2021/04/GHSA-vgv5-cxvh-vfxh/GHSA-vgv5-cxvh-vfxh.json b/advisories/github-reviewed/2021/04/GHSA-vgv5-cxvh-vfxh/GHSA-vgv5-cxvh-vfxh.json
index 56e6c89689e..024f7e76015 100644
--- a/advisories/github-reviewed/2021/04/GHSA-vgv5-cxvh-vfxh/GHSA-vgv5-cxvh-vfxh.json
+++ b/advisories/github-reviewed/2021/04/GHSA-vgv5-cxvh-vfxh/GHSA-vgv5-cxvh-vfxh.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-vgv5-cxvh-vfxh",
- "modified": "2022-11-08T18:16:44Z",
+ "modified": "2024-09-13T15:17:57Z",
"published": "2021-04-07T20:50:57Z",
"aliases": [
"CVE-2020-26759"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -58,9 +62,17 @@
"type": "WEB",
"url": "https://github.com/mymarilyn/clickhouse-driver/commit/d708ed548e1d6f254ba81a21de8ba543a53b5598"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-vgv5-cxvh-vfxh"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/mymarilyn/clickhouse-driver"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/clickhouse-driver/PYSEC-2021-61.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/06/GHSA-f6mq-5m25-4r72/GHSA-f6mq-5m25-4r72.json b/advisories/github-reviewed/2021/06/GHSA-f6mq-5m25-4r72/GHSA-f6mq-5m25-4r72.json
index 2c4893a4d87..e39e9abc5f5 100644
--- a/advisories/github-reviewed/2021/06/GHSA-f6mq-5m25-4r72/GHSA-f6mq-5m25-4r72.json
+++ b/advisories/github-reviewed/2021/06/GHSA-f6mq-5m25-4r72/GHSA-f6mq-5m25-4r72.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-f6mq-5m25-4r72",
- "modified": "2023-08-30T00:18:26Z",
+ "modified": "2024-09-17T15:38:07Z",
"published": "2021-06-15T16:08:16Z",
"aliases": [
"CVE-2021-20329"
@@ -48,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/mongodb/mongo-go-driver"
+ },
{
"type": "WEB",
"url": "https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1"
@@ -55,6 +59,10 @@
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/GODRIVER-1923"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2021-0112"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/06/GHSA-fh37-cx83-q542/GHSA-fh37-cx83-q542.json b/advisories/github-reviewed/2021/06/GHSA-fh37-cx83-q542/GHSA-fh37-cx83-q542.json
index 4bc15960f9f..bad792beda5 100644
--- a/advisories/github-reviewed/2021/06/GHSA-fh37-cx83-q542/GHSA-fh37-cx83-q542.json
+++ b/advisories/github-reviewed/2021/06/GHSA-fh37-cx83-q542/GHSA-fh37-cx83-q542.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-fh37-cx83-q542",
- "modified": "2024-03-25T15:52:20Z",
+ "modified": "2024-09-12T20:10:22Z",
"published": "2021-06-18T18:30:11Z",
"aliases": [
"CVE-2021-26697"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -28,7 +32,7 @@
"introduced": "2.0.0"
},
{
- "fixed": "2.0.1"
+ "fixed": "2.0.1rc1"
}
]
}
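Review bot: Changing `fixed` to `2.0.1rc1` treats every 2.0.1 pre-release from rc1 onward as patched, which is only accurate if the referenced fix commit (`93957e91…`) is in the `2.0.1rc1` tag. If it first shipped in a later RC, users on `2.0.1rc1` will be reported as unaffected while still exposed; verify the tag contains the commit, and otherwise keep `"fixed": "2.0.1"`.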
@@ -55,6 +59,18 @@
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/93957e917ff4cfb0be11aef088bd9527cf728a04"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-fh37-cx83-q542"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/apache/airflow"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-3.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E"
diff --git a/advisories/github-reviewed/2021/06/GHSA-fvx8-v524-8579/GHSA-fvx8-v524-8579.json b/advisories/github-reviewed/2021/06/GHSA-fvx8-v524-8579/GHSA-fvx8-v524-8579.json
index 5368300e01f..d844cd05721 100644
--- a/advisories/github-reviewed/2021/06/GHSA-fvx8-v524-8579/GHSA-fvx8-v524-8579.json
+++ b/advisories/github-reviewed/2021/06/GHSA-fvx8-v524-8579/GHSA-fvx8-v524-8579.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-fvx8-v524-8579",
- "modified": "2023-08-30T21:23:58Z",
+ "modified": "2024-09-13T20:13:25Z",
"published": "2021-06-04T21:46:52Z",
"aliases": [
"CVE-2020-17495"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -54,11 +58,19 @@
},
{
"type": "WEB",
- "url": "https://github.com/celery/django-celery-results/pull/316/commits/f4af2810dd2f70718a757f733b43225527f6aa3d"
+ "url": "https://github.com/celery/django-celery-results/commit/ad508fe3433499e5fc94645412d911e174863f28"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-fvx8-v524-8579"
},
{
"type": "PACKAGE",
"url": "https://github.com/celery/django-celery-results"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-celery-results/PYSEC-2020-38.yaml"
}
],
"database_specific": {
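Review bot: The fix reference is changed from a commit inside PR #316 (`f4af2810…`) to a different hash (`ad508fe3…`), and the PR link is dropped entirely, so the record no longer states how the two commits relate. If `ad508fe3` is the merge or squash of that PR, keep the PR URL as a second reference so the review discussion stays reachable; if it is a different change, note why the original commit no longer applies. Users backporting from advisory metadata depend on the listed fix commit being the one that actually landed on the release branch.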
diff --git a/advisories/github-reviewed/2021/06/GHSA-gff3-739c-gxfq/GHSA-gff3-739c-gxfq.json b/advisories/github-reviewed/2021/06/GHSA-gff3-739c-gxfq/GHSA-gff3-739c-gxfq.json
index 14abe8ca5a3..80e7b7eeff9 100644
--- a/advisories/github-reviewed/2021/06/GHSA-gff3-739c-gxfq/GHSA-gff3-739c-gxfq.json
+++ b/advisories/github-reviewed/2021/06/GHSA-gff3-739c-gxfq/GHSA-gff3-739c-gxfq.json
@@ -1,13 +1,14 @@
{
"schema_version": "1.4.0",
"id": "GHSA-gff3-739c-gxfq",
- "modified": "2021-06-09T20:39:24Z",
+ "modified": "2024-09-16T15:03:13Z",
"published": "2021-06-10T17:22:59Z",
+ "withdrawn": "2024-09-16T15:02:24Z",
"aliases": [
- "CVE-2021-32670"
+
],
- "summary": "Reflected cross-site scripting issue in Datasette",
- "details": "Datasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.",
+ "summary": "Duplicate Advisory: Reflected cross-site scripting issue in Datasette",
+ "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xw7c-jx9m-xh5g. This link is maintained to preserve external references.\n\n## Original Description\nDatasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.",
"severity": [
{
"type": "CVSS_V3",
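Review bot: With `CVE-2021-32670` removed from `aliases`, the withdrawn record has no machine-readable link to the advisory that supersedes it; the pointer to GHSA-xw7c-jx9m-xh5g exists only as prose inside `details`. OSV provides the `related` field for this, so adding `"related": ["GHSA-xw7c-jx9m-xh5g"]` lets tooling that still holds the old ID follow it to the canonical entry instead of treating the vulnerability as gone. Dropping the alias itself is the right call, since the CVE is attached to the canonical record in this same change.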
diff --git a/advisories/github-reviewed/2021/06/GHSA-xw7c-jx9m-xh5g/GHSA-xw7c-jx9m-xh5g.json b/advisories/github-reviewed/2021/06/GHSA-xw7c-jx9m-xh5g/GHSA-xw7c-jx9m-xh5g.json
index 7c3515c3553..1218763b574 100644
--- a/advisories/github-reviewed/2021/06/GHSA-xw7c-jx9m-xh5g/GHSA-xw7c-jx9m-xh5g.json
+++ b/advisories/github-reviewed/2021/06/GHSA-xw7c-jx9m-xh5g/GHSA-xw7c-jx9m-xh5g.json
@@ -1,10 +1,10 @@
{
"schema_version": "1.4.0",
"id": "GHSA-xw7c-jx9m-xh5g",
- "modified": "2021-10-05T17:23:33Z",
+ "modified": "2024-09-16T15:03:38Z",
"published": "2021-06-07T21:47:41Z",
"aliases": [
-
+ "CVE-2021-32670"
],
"summary": "Reflected cross-site scripting issue in Datasette",
"details": "### Impact\n\nThe `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability.\n\nThis vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) as an attacker could use the vulnerability to access protected data.\n\n### Patches\n\nDatasette 0.57 and 0.56.1 both include patches for this issue.\n\n### Workarounds\n\nIf you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.\n\n### References\n\n- [OWASP guide to reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks)\n- [Datasette issue #1360](https://github.com/simonw/datasette/issues/1360)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion in [simonw/datasette](https://github.com/simonw/datasette/discussions)\n* Email us at `swillison+datasette @ gmail.com`\n",
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
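Review bot: The new CVSS_V4 vector scores user interaction as `UI:P`, while the existing CVSS_V3 vector two lines above says `UI:N`, so the two scores now disagree on whether a victim has to act; for a reflected XSS (per the details) the victim must follow a crafted link, which makes `UI:N` the one that looks wrong. If the v3 score is to be corrected rather than left as originally published, the line would read `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"`, which is exactly the v3 vector the django-unicorn XSS advisories in this same commit (GHSA-c87f-fq5g-63r2, GHSA-ggmv-6q9p-9gm6) carry for the same vulnerability class. The `severity` array closes inside this hunk, so no other context is affected.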
@@ -40,9 +44,33 @@
"type": "WEB",
"url": "https://github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/simonw/datasette/issues/1360"
+ },
+ {
+ "type": "WEB",
+ "url": "https://datasette.io/plugins/datasette-auth-passwords"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-gff3-739c-gxfq"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/datasette/PYSEC-2021-89.yaml"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/simonw/datasette"
+ },
+ {
+ "type": "WEB",
+ "url": "https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pypi.org/project/datasette"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/08/GHSA-69fv-gw6g-8ccg/GHSA-69fv-gw6g-8ccg.json b/advisories/github-reviewed/2021/08/GHSA-69fv-gw6g-8ccg/GHSA-69fv-gw6g-8ccg.json
index d20003b795b..b5b4f14af57 100644
--- a/advisories/github-reviewed/2021/08/GHSA-69fv-gw6g-8ccg/GHSA-69fv-gw6g-8ccg.json
+++ b/advisories/github-reviewed/2021/08/GHSA-69fv-gw6g-8ccg/GHSA-69fv-gw6g-8ccg.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-69fv-gw6g-8ccg",
- "modified": "2023-06-13T16:50:04Z",
+ "modified": "2024-09-12T20:47:21Z",
"published": "2021-08-25T20:43:26Z",
"aliases": [
"CVE-2018-20998"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -63,6 +67,10 @@
"type": "WEB",
"url": "https://github.com/arrayfire/arrayfire-rust/pull/177"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/arrayfire/arrayfire-rust/commit/a5256f3e5e23b83eaad69699e0b04653aba04fb8"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/arrayfire/arrayfire-rust"
diff --git a/advisories/github-reviewed/2021/08/GHSA-98hv-qff3-8793/GHSA-98hv-qff3-8793.json b/advisories/github-reviewed/2021/08/GHSA-98hv-qff3-8793/GHSA-98hv-qff3-8793.json
index b49d39e2bc3..73f2402d910 100644
--- a/advisories/github-reviewed/2021/08/GHSA-98hv-qff3-8793/GHSA-98hv-qff3-8793.json
+++ b/advisories/github-reviewed/2021/08/GHSA-98hv-qff3-8793/GHSA-98hv-qff3-8793.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-98hv-qff3-8793",
- "modified": "2021-08-26T19:20:22Z",
+ "modified": "2024-09-16T22:06:25Z",
"published": "2021-08-30T16:24:08Z",
"aliases": [
"CVE-2020-18704"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -44,9 +48,17 @@
"type": "WEB",
"url": "https://github.com/fusionbox/django-widgy/issues/387"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-98hv-qff3-8793"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/fusionbox/django-widgy"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-widgy/PYSEC-2021-336.yaml"
}
],
"database_specific": {
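Review bot: The added ADVISORY reference `https://github.com/advisories/GHSA-98hv-qff3-8793` points at this advisory's own `id`, so it carries no information a consumer does not already have and surfaces as a self-link in every downstream mirror. Mirroring the NVD reference list is a defensible reason to keep it, but then it should be applied uniformly: the same self-reference is added in GHSA-4cfr-gjfx-fj3x, GHSA-c87f-fq5g-63r2, GHSA-cpqf-3c3r-c9g2, GHSA-cr3f-r24j-3chw, GHSA-ggmv-6q9p-9gm6, GHSA-h4m5-qpfp-3mpv, GHSA-j8fq-86c5-5v2r, the four AWS IoT Device SDK advisories, the three django-helpdesk advisories and GHSA-6w9p-88qg-p3g3, while GHSA-xw7c-jx9m-xh5g, GHSA-69fv-gw6g-8ccg and GHSA-9jjr-qqfp-ppwx in the same commit get none. Either drop the self-references or add them consistently across the batch.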
diff --git a/advisories/github-reviewed/2021/08/GHSA-9jjr-qqfp-ppwx/GHSA-9jjr-qqfp-ppwx.json b/advisories/github-reviewed/2021/08/GHSA-9jjr-qqfp-ppwx/GHSA-9jjr-qqfp-ppwx.json
index 0d396946bd1..75de5ca65c5 100644
--- a/advisories/github-reviewed/2021/08/GHSA-9jjr-qqfp-ppwx/GHSA-9jjr-qqfp-ppwx.json
+++ b/advisories/github-reviewed/2021/08/GHSA-9jjr-qqfp-ppwx/GHSA-9jjr-qqfp-ppwx.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9jjr-qqfp-ppwx",
- "modified": "2021-08-26T14:47:49Z",
+ "modified": "2024-09-13T18:05:58Z",
"published": "2021-08-30T16:16:58Z",
"aliases": [
"CVE-2021-39159"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
}
],
"affected": [
@@ -60,6 +64,10 @@
{
"type": "PACKAGE",
"url": "https://github.com/jupyterhub/binderhub"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/binderhub/PYSEC-2021-371.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/09/GHSA-qhmp-h54x-38qr/GHSA-qhmp-h54x-38qr.json b/advisories/github-reviewed/2021/09/GHSA-qhmp-h54x-38qr/GHSA-qhmp-h54x-38qr.json
index eb067a83110..c8d0f33a6d6 100644
--- a/advisories/github-reviewed/2021/09/GHSA-qhmp-h54x-38qr/GHSA-qhmp-h54x-38qr.json
+++ b/advisories/github-reviewed/2021/09/GHSA-qhmp-h54x-38qr/GHSA-qhmp-h54x-38qr.json
@@ -1,17 +1,21 @@
{
"schema_version": "1.4.0",
"id": "GHSA-qhmp-h54x-38qr",
- "modified": "2021-10-06T20:37:36Z",
+ "modified": "2024-09-12T20:54:36Z",
"published": "2021-09-20T20:57:02Z",
"aliases": [
"CVE-2021-39229"
],
- "summary": "CWE-730 Regex injection with IFTTT Plugin",
+ "summary": "Apprise vulnerable to regex injection with IFTTT Plugin",
"details": "### Impact\nAnyone _publicly_ hosting the Apprise library and granting them access to the IFTTT notification service.\n\n### Patches\nUpdate to Apprise v0.9.5.1\n ```bash\n # Install Apprise v0.9.5.1 from PyPI\n pip install apprise==0.9.5.1\n ```\n\nThe patch to the problem was performed [here](https://github.com/caronc/apprise/pull/436/files).\n\n### Workarounds\nAlternatively, if upgrading is not an option, you can safely remove the following file:\n- `apprise/plugins/NotifyIFTTT.py` \n\nThe above will eliminate the ability to use IFTTT, but everything else will work smoothly.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Apprise](https://github.com/caronc/apprise/issues)\n* Email me at [lead2gold@gmail.com](mailto:lead2gold@gmail.com)\n\n### Additional Credit\nGithub would not allow me to additionally credit **Rasmus Petersen**, but I would like to put that here at the very least - thank you for finding and reporting this issue along with those already credited\n\n## Additional Notes:\n- Github would not allow me to add/tag the 2 CWE's this issue is applicable to (only CWE-400). The other is: CWE-730 (placed in the title)\n",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
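Review bot: The new summary drops the `CWE-730` prefix, but the unchanged `details` string still ends with "The other is: CWE-730 (placed in the title)", which is no longer true after this change. The author put the CWE in the title only because the advisory form accepted a single CWE, so the structured home for it now is `database_specific.cwe_ids` with both `"CWE-400"` and `"CWE-730"`; the `database_specific` block begins after this section's last hunk, so I cannot see whether it already lists them. If the second CWE cannot be recorded there, the closing note in `details` should at least lose the "(placed in the title)" remark so the text does not contradict the summary.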
@@ -66,6 +70,10 @@
{
"type": "WEB",
"url": "https://github.com/caronc/apprise/releases/tag/v0.9.5.1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apprise/PYSEC-2021-327.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/10/GHSA-4cfr-gjfx-fj3x/GHSA-4cfr-gjfx-fj3x.json b/advisories/github-reviewed/2021/10/GHSA-4cfr-gjfx-fj3x/GHSA-4cfr-gjfx-fj3x.json
index e9d02224d1f..a6b75f694a0 100644
--- a/advisories/github-reviewed/2021/10/GHSA-4cfr-gjfx-fj3x/GHSA-4cfr-gjfx-fj3x.json
+++ b/advisories/github-reviewed/2021/10/GHSA-4cfr-gjfx-fj3x/GHSA-4cfr-gjfx-fj3x.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4cfr-gjfx-fj3x",
- "modified": "2021-10-05T15:51:30Z",
+ "modified": "2024-09-13T17:50:11Z",
"published": "2021-10-05T17:53:11Z",
"aliases": [
"CVE-2021-40324"
@@ -9,7 +9,14 @@
"summary": "Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.",
"details": "Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -41,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4cfr-gjfx-fj3x"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/cobbler/cobbler"
@@ -48,6 +59,10 @@
{
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/releases/tag/v3.3.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-374.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/10/GHSA-c87f-fq5g-63r2/GHSA-c87f-fq5g-63r2.json b/advisories/github-reviewed/2021/10/GHSA-c87f-fq5g-63r2/GHSA-c87f-fq5g-63r2.json
index 0b4bcc28147..d7908097e70 100644
--- a/advisories/github-reviewed/2021/10/GHSA-c87f-fq5g-63r2/GHSA-c87f-fq5g-63r2.json
+++ b/advisories/github-reviewed/2021/10/GHSA-c87f-fq5g-63r2/GHSA-c87f-fq5g-63r2.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-c87f-fq5g-63r2",
- "modified": "2021-10-08T21:32:32Z",
+ "modified": "2024-09-16T21:51:22Z",
"published": "2021-10-12T17:51:11Z",
"aliases": [
"CVE-2021-42053"
@@ -9,7 +9,14 @@
"summary": "Cross-site scripting in Unicorn framework",
"details": "The Unicorn framework through 0.35.3 for Django allows XSS via component.name.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+ }
],
"affected": [
{
@@ -39,7 +46,11 @@
},
{
"type": "WEB",
- "url": "https://github.com/adamghill/django-unicorn/pull/288/commits/aa5b9835d946bd9893ef02e556859e3ea62cc5e2"
+ "url": "https://github.com/adamghill/django-unicorn/pull/288"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/adamghill/django-unicorn/commit/aa5b9835d946bd9893ef02e556859e3ea62cc5e2"
},
{
"type": "PACKAGE",
@@ -49,6 +60,14 @@
"type": "WEB",
"url": "https://github.com/adamghill/django-unicorn/compare/0.35.3...0.36.0"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-c87f-fq5g-63r2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-unicorn/PYSEC-2021-357.yaml"
+ },
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164442/django-unicorn-0.35.3-Cross-Site-Scripting.html"
diff --git a/advisories/github-reviewed/2021/10/GHSA-cpqf-3c3r-c9g2/GHSA-cpqf-3c3r-c9g2.json b/advisories/github-reviewed/2021/10/GHSA-cpqf-3c3r-c9g2/GHSA-cpqf-3c3r-c9g2.json
index f594b3bf42d..9428bf5f825 100644
--- a/advisories/github-reviewed/2021/10/GHSA-cpqf-3c3r-c9g2/GHSA-cpqf-3c3r-c9g2.json
+++ b/advisories/github-reviewed/2021/10/GHSA-cpqf-3c3r-c9g2/GHSA-cpqf-3c3r-c9g2.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-cpqf-3c3r-c9g2",
- "modified": "2021-10-05T15:57:32Z",
+ "modified": "2024-09-13T15:11:50Z",
"published": "2021-10-05T17:53:20Z",
"aliases": [
"CVE-2021-40323"
@@ -9,7 +9,14 @@
"summary": "Cobbler before 3.3.0 allows log poisoning",
"details": "Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+ }
],
"affected": [
{
@@ -41,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-cpqf-3c3r-c9g2"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/cobbler/cobbler"
@@ -48,6 +59,10 @@
{
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/releases/tag/v3.3.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-373.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/10/GHSA-cr3f-r24j-3chw/GHSA-cr3f-r24j-3chw.json b/advisories/github-reviewed/2021/10/GHSA-cr3f-r24j-3chw/GHSA-cr3f-r24j-3chw.json
index 8c23ab8b490..41ec6175d1e 100644
--- a/advisories/github-reviewed/2021/10/GHSA-cr3f-r24j-3chw/GHSA-cr3f-r24j-3chw.json
+++ b/advisories/github-reviewed/2021/10/GHSA-cr3f-r24j-3chw/GHSA-cr3f-r24j-3chw.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-cr3f-r24j-3chw",
- "modified": "2023-08-08T19:59:06Z",
+ "modified": "2024-09-13T17:50:35Z",
"published": "2021-10-05T17:53:29Z",
"aliases": [
"CVE-2021-40325"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -44,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-cr3f-r24j-3chw"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/cobbler/cobbler"
@@ -51,6 +59,10 @@
{
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/releases/tag/v3.3.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-375.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/10/GHSA-ggmv-6q9p-9gm6/GHSA-ggmv-6q9p-9gm6.json b/advisories/github-reviewed/2021/10/GHSA-ggmv-6q9p-9gm6/GHSA-ggmv-6q9p-9gm6.json
index b8856cc41b7..e78f25387c8 100644
--- a/advisories/github-reviewed/2021/10/GHSA-ggmv-6q9p-9gm6/GHSA-ggmv-6q9p-9gm6.json
+++ b/advisories/github-reviewed/2021/10/GHSA-ggmv-6q9p-9gm6/GHSA-ggmv-6q9p-9gm6.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-ggmv-6q9p-9gm6",
- "modified": "2021-10-19T14:51:11Z",
+ "modified": "2024-09-16T21:57:56Z",
"published": "2021-10-12T17:51:04Z",
"aliases": [
"CVE-2021-42134"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -51,6 +55,14 @@
{
"type": "WEB",
"url": "https://github.com/adamghill/django-unicorn/compare/0.36.0...0.36.1"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-ggmv-6q9p-9gm6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-unicorn/PYSEC-2021-369.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/10/GHSA-h4m5-qpfp-3mpv/GHSA-h4m5-qpfp-3mpv.json b/advisories/github-reviewed/2021/10/GHSA-h4m5-qpfp-3mpv/GHSA-h4m5-qpfp-3mpv.json
index 022f59ec77e..84900eac9de 100644
--- a/advisories/github-reviewed/2021/10/GHSA-h4m5-qpfp-3mpv/GHSA-h4m5-qpfp-3mpv.json
+++ b/advisories/github-reviewed/2021/10/GHSA-h4m5-qpfp-3mpv/GHSA-h4m5-qpfp-3mpv.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-h4m5-qpfp-3mpv",
- "modified": "2021-10-27T17:06:39Z",
+ "modified": "2024-09-12T20:56:02Z",
"published": "2021-10-21T17:49:59Z",
"aliases": [
"CVE-2021-42771"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -44,6 +48,18 @@
"type": "WEB",
"url": "https://github.com/python-babel/babel/pull/782"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/python-babel/babel/commit/412015ef642bfcc0d8ba8f4d05cdbb6aac98d9b3"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-h4m5-qpfp-3mpv"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/babel/PYSEC-2021-421.yaml"
+ },
{
"type": "WEB",
"url": "https://github.com/python-babel/babel"
diff --git a/advisories/github-reviewed/2021/10/GHSA-j8fq-86c5-5v2r/GHSA-j8fq-86c5-5v2r.json b/advisories/github-reviewed/2021/10/GHSA-j8fq-86c5-5v2r/GHSA-j8fq-86c5-5v2r.json
index ae759eb0ee4..b4302a8b569 100644
--- a/advisories/github-reviewed/2021/10/GHSA-j8fq-86c5-5v2r/GHSA-j8fq-86c5-5v2r.json
+++ b/advisories/github-reviewed/2021/10/GHSA-j8fq-86c5-5v2r/GHSA-j8fq-86c5-5v2r.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-j8fq-86c5-5v2r",
- "modified": "2022-03-21T19:58:43Z",
+ "modified": "2024-09-16T13:56:48Z",
"published": "2021-10-27T18:53:48Z",
"aliases": [
"CVE-2021-42343"
@@ -12,19 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "distributed"
- },
- "ecosystem_specific": {
- "affected_functions": [
- "dask.distributed.LocalCluster",
- "dask.distributed.Client"
- ]
+ "name": "dask"
},
"ranges": [
{
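Review bot: Renaming the affected package from `distributed` to `dask` while the PACKAGE reference in the next hunk still points at `https://github.com/dask/distributed` leaves the file inconsistent about which distribution carries the vulnerable code. The removed `affected_functions` (`dask.distributed.LocalCluster`, `dask.distributed.Client`) name an API that, judging by the module path and the PACKAGE URL, lives in the `distributed` package, which suggests users who install `distributed` without `dask` would no longer be matched. Unless the PyPI mapping has been verified, consider keeping a second `affected` entry with `"name": "distributed"` alongside the new `"name": "dask"` rather than replacing it, and retaining the `ecosystem_specific.affected_functions` list, which was the only machine-readable pointer to the vulnerable API in this file. The `ranges` block continues past the end of this hunk.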
@@ -62,9 +60,21 @@
"type": "WEB",
"url": "https://docs.dask.org/en/latest/changelog.html"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-j8fq-86c5-5v2r"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dask/dask/tags"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/dask/distributed"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/dask/PYSEC-2021-387.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/11/GHSA-743r-5g92-5vgf/GHSA-743r-5g92-5vgf.json b/advisories/github-reviewed/2021/11/GHSA-743r-5g92-5vgf/GHSA-743r-5g92-5vgf.json
index 7938dc89cbf..c9d7a819cc7 100644
--- a/advisories/github-reviewed/2021/11/GHSA-743r-5g92-5vgf/GHSA-743r-5g92-5vgf.json
+++ b/advisories/github-reviewed/2021/11/GHSA-743r-5g92-5vgf/GHSA-743r-5g92-5vgf.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-743r-5g92-5vgf",
- "modified": "2021-12-03T15:20:59Z",
+ "modified": "2024-09-12T20:48:35Z",
"published": "2021-11-24T21:11:16Z",
"aliases": [
"CVE-2021-40829"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -78,6 +82,10 @@
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40829"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-743r-5g92-5vgf"
+ },
{
"type": "WEB",
"url": "https://github.com/aws/aws-iot-device-sdk-cpp-v2"
@@ -101,6 +109,10 @@
{
"type": "WEB",
"url": "https://github.com/awslabs/aws-c-io"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-862.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/11/GHSA-94jq-q5v2-76wj/GHSA-94jq-q5v2-76wj.json b/advisories/github-reviewed/2021/11/GHSA-94jq-q5v2-76wj/GHSA-94jq-q5v2-76wj.json
index a9d42dee8c4..2ca8b0a6f8b 100644
--- a/advisories/github-reviewed/2021/11/GHSA-94jq-q5v2-76wj/GHSA-94jq-q5v2-76wj.json
+++ b/advisories/github-reviewed/2021/11/GHSA-94jq-q5v2-76wj/GHSA-94jq-q5v2-76wj.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-94jq-q5v2-76wj",
- "modified": "2021-12-03T15:21:36Z",
+ "modified": "2024-09-12T21:14:08Z",
"published": "2021-11-24T21:02:24Z",
"aliases": [
"CVE-2021-40828"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
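Review bot: The new CVSS_V4 vector for this advisory uses `AV:A`, whereas the three sibling AWS IoT Device SDK v2 advisories in this commit (GHSA-743r-5g92-5vgf, GHSA-c4rh-4376-gff4, GHSA-j3f7-7rmc-6wqj) get `AV:N` with otherwise identical v4 metrics, and all four share the same CVSS_V3 vector (`AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H`). Either the adjacent vector is right for the whole family and the other three should change, or this one should be `"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"`; as it stands the difference looks accidental rather than a deliberate per-CVE assessment.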
@@ -90,6 +94,10 @@
"type": "WEB",
"url": "https://github.com/aws/aws-iot-device-sdk-python-v2/commit/fd4c0ba04b35eab9e20c635af5548fcc5a92d8be"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-94jq-q5v2-76wj"
+ },
{
"type": "WEB",
"url": "https://github.com/aws/aws-iot-device-sdk-cpp-v2"
@@ -109,6 +117,10 @@
{
"type": "WEB",
"url": "https://github.com/awslabs/aws-c-io"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-861.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/11/GHSA-c4rh-4376-gff4/GHSA-c4rh-4376-gff4.json b/advisories/github-reviewed/2021/11/GHSA-c4rh-4376-gff4/GHSA-c4rh-4376-gff4.json
index e70fb894ffb..ba3e05737d1 100644
--- a/advisories/github-reviewed/2021/11/GHSA-c4rh-4376-gff4/GHSA-c4rh-4376-gff4.json
+++ b/advisories/github-reviewed/2021/11/GHSA-c4rh-4376-gff4/GHSA-c4rh-4376-gff4.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-c4rh-4376-gff4",
- "modified": "2021-12-03T15:22:02Z",
+ "modified": "2024-09-12T20:53:25Z",
"published": "2021-11-24T21:12:04Z",
"aliases": [
"CVE-2021-40830"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -90,6 +94,10 @@
"type": "WEB",
"url": "https://github.com/aws/aws-iot-device-sdk-python-v2/commit/0450ce68add7e3d05c6d781ecdac953c299c053a"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-c4rh-4376-gff4"
+ },
{
"type": "WEB",
"url": "https://github.com/aws/aws-iot-device-sdk-cpp-v2"
@@ -109,6 +117,10 @@
{
"type": "WEB",
"url": "https://github.com/awslabs/aws-c-io"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-863.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json b/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json
index c1065201746..3e5587d1b20 100644
--- a/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json
+++ b/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json
@@ -1,17 +1,21 @@
{
"schema_version": "1.4.0",
"id": "GHSA-j3f7-7rmc-6wqj",
- "modified": "2021-12-03T15:22:22Z",
+ "modified": "2024-09-12T20:52:09Z",
"published": "2021-11-24T20:35:03Z",
"aliases": [
"CVE-2021-40831"
],
"summary": "Improper certificate management in AWS IoT Device SDK v2",
- "details": "The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is also not enabled when the CA has been “overridden”. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to address this behavior. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS. Amazon Web Services AWS-C-IO 0.10.7 on macOS.",
+ "details": "The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is also not enabled when the CA has been \"overridden\". TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The `aws_tls_ctx_options_override_default_trust_store_*` function within the aws-c-io submodule has been updated to address this behavior. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS. Amazon Web Services AWS-C-IO 0.10.7 on macOS.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
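Review bot: The rewritten `details` line replaces the curly double quotes around "overridden" with escaped ASCII quotes and switches the function name to backticks, but leaves the curly apostrophes in `system’s` and `host’s` (U+2019) in the same sentence, so the string now mixes typographic and ASCII punctuation. If the intent is ASCII normalisation, those two should become `system's` and `host's` as well — the later `host's` and `attacker's` in the same string already use the ASCII apostrophe; otherwise the quote change is cosmetic and could be reverted for consistency.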
@@ -90,6 +94,10 @@
"type": "WEB",
"url": "https://github.com/aws/aws-iot-device-sdk-python-v2/commit/5aef82573202309063eb540b72cee0e565f85a2d"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-j3f7-7rmc-6wqj"
+ },
{
"type": "WEB",
"url": "https://github.com/aws/aws-iot-device-sdk-cpp-v2"
@@ -109,6 +117,10 @@
{
"type": "WEB",
"url": "https://github.com/awslabs/aws-c-io"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-864.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2021/11/GHSA-vfrc-ggmc-5jwv/GHSA-vfrc-ggmc-5jwv.json b/advisories/github-reviewed/2021/11/GHSA-vfrc-ggmc-5jwv/GHSA-vfrc-ggmc-5jwv.json
index 105d945690a..a29446f6f20 100644
--- a/advisories/github-reviewed/2021/11/GHSA-vfrc-ggmc-5jwv/GHSA-vfrc-ggmc-5jwv.json
+++ b/advisories/github-reviewed/2021/11/GHSA-vfrc-ggmc-5jwv/GHSA-vfrc-ggmc-5jwv.json
@@ -1,17 +1,21 @@
{
"schema_version": "1.4.0",
"id": "GHSA-vfrc-ggmc-5jwv",
- "modified": "2021-11-24T19:43:03Z",
+ "modified": "2024-09-16T21:40:06Z",
"published": "2021-11-23T17:55:46Z",
"aliases": [
"CVE-2021-3950"
],
"summary": "Cross-site Scripting in django-helpdesk",
- "details": "django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
+ "details": "django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -44,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/django-helpdesk/django-helpdesk/commit/04483bdac3b5196737516398b5ce0383875a5c60"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-vfrc-ggmc-5jwv"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/django-helpdesk/django-helpdesk"
@@ -52,6 +60,10 @@
"type": "WEB",
"url": "https://github.com/django-helpdesk/django-helpdesk/releases/tag/0.3.2"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-helpdesk/PYSEC-2021-431.yaml"
+ },
{
"type": "WEB",
"url": "https://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e"
diff --git a/advisories/github-reviewed/2021/11/GHSA-vx6v-xg64-pmr8/GHSA-vx6v-xg64-pmr8.json b/advisories/github-reviewed/2021/11/GHSA-vx6v-xg64-pmr8/GHSA-vx6v-xg64-pmr8.json
index 3ad0868e882..f542f425373 100644
--- a/advisories/github-reviewed/2021/11/GHSA-vx6v-xg64-pmr8/GHSA-vx6v-xg64-pmr8.json
+++ b/advisories/github-reviewed/2021/11/GHSA-vx6v-xg64-pmr8/GHSA-vx6v-xg64-pmr8.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-vx6v-xg64-pmr8",
- "modified": "2021-11-17T21:10:26Z",
+ "modified": "2024-09-16T22:11:51Z",
"published": "2021-11-15T23:12:41Z",
"aliases": [
"CVE-2021-3945"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -28,11 +32,14 @@
"introduced": "0"
},
{
- "last_affected": "0.3.0"
+ "fixed": "0.3.1"
}
]
}
- ]
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.3.0"
+ }
}
],
"references": [
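Review bot: The range now ends with `"fixed": "0.3.1"`, but nothing in this file section corroborates that version: no reference points at a 0.3.1 release or tag, while the sibling django-helpdesk advisories in this commit (GHSA-vfrc-ggmc-5jwv, GHSA-2v5j-q74q-r53f) cite `releases/tag/0.3.2` as the fixed release. The two fix commits referenced in the next hunk (2c7065e0 and 44abb197) should be checked against the first release that contains both; if that is 0.3.2, the event should read `"fixed": "0.3.2"`. Keeping `last_known_affected_version_range` next to a `fixed` event is fine, since the two express different facts.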
@@ -44,10 +51,22 @@
"type": "WEB",
"url": "https://github.com/django-helpdesk/django-helpdesk/commit/2c7065e0c4296e0c692fb4a7ee19c7357583af30"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/django-helpdesk/django-helpdesk/commit/44abb197120a843cce5b5fe8276e4a44b8bb2f48"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-vx6v-xg64-pmr8"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/django-helpdesk/django-helpdesk"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-helpdesk/PYSEC-2021-430.yaml"
+ },
{
"type": "WEB",
"url": "https://huntr.dev/bounties/745f483c-70ed-441f-ab2e-7ac1305439a4"
diff --git a/advisories/github-reviewed/2021/12/GHSA-2v5j-q74q-r53f/GHSA-2v5j-q74q-r53f.json b/advisories/github-reviewed/2021/12/GHSA-2v5j-q74q-r53f/GHSA-2v5j-q74q-r53f.json
index 7cfa30539fd..da9165a0e85 100644
--- a/advisories/github-reviewed/2021/12/GHSA-2v5j-q74q-r53f/GHSA-2v5j-q74q-r53f.json
+++ b/advisories/github-reviewed/2021/12/GHSA-2v5j-q74q-r53f/GHSA-2v5j-q74q-r53f.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-2v5j-q74q-r53f",
- "modified": "2021-12-03T15:19:07Z",
+ "modified": "2024-09-16T21:36:59Z",
"published": "2021-12-03T20:42:26Z",
"aliases": [
"CVE-2021-3994"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -44,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/django-helpdesk/django-helpdesk/commit/a22eb0673fe0b7784f99c6b5fd343b64a6700f06"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-2v5j-q74q-r53f"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/django-helpdesk/django-helpdesk"
@@ -52,6 +60,10 @@
"type": "WEB",
"url": "https://github.com/django-helpdesk/django-helpdesk/releases/tag/0.3.2"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-helpdesk/PYSEC-2021-438.yaml"
+ },
{
"type": "WEB",
"url": "https://huntr.dev/bounties/be7f211d-4bfd-44fd-91e8-682329906fbd"
diff --git a/advisories/github-reviewed/2021/12/GHSA-6w9p-88qg-p3g3/GHSA-6w9p-88qg-p3g3.json b/advisories/github-reviewed/2021/12/GHSA-6w9p-88qg-p3g3/GHSA-6w9p-88qg-p3g3.json
index ddb7c67eebc..f8f2fdb62bb 100644
--- a/advisories/github-reviewed/2021/12/GHSA-6w9p-88qg-p3g3/GHSA-6w9p-88qg-p3g3.json
+++ b/advisories/github-reviewed/2021/12/GHSA-6w9p-88qg-p3g3/GHSA-6w9p-88qg-p3g3.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-6w9p-88qg-p3g3",
- "modified": "2023-08-31T15:31:45Z",
+ "modified": "2024-09-13T18:03:57Z",
"published": "2021-12-03T20:44:48Z",
"aliases": [
"CVE-2021-25967"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -32,10 +36,7 @@
}
]
}
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 2.9.3"
- }
+ ]
}
],
"references": [
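Review bot: Deleting `database_specific.last_known_affected_version_range` (`<= 2.9.3`) removes the only upper bound visible for this ckan entry; the `ranges` it annotates begin above the hunk and are not shown here. If that entry's events end with `last_affected` rather than `fixed`, this string was the hint consumers relied on, and removing it should be paired with adding a proper `{ "fixed": "..." }` event. If a `fixed` event already exists, the removal is just cleanup and is fine.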
@@ -51,10 +52,18 @@
"type": "WEB",
"url": "https://github.com/ckan/ckan/commit/5a46989c0a4f2c2873ca182c196da83b82babd25"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-6w9p-88qg-p3g3"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/ckan/ckan"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ckan/PYSEC-2021-841.yaml"
+ },
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25967"
diff --git a/advisories/github-reviewed/2022/01/GHSA-8rh6-h94m-vj54/GHSA-8rh6-h94m-vj54.json b/advisories/github-reviewed/2022/01/GHSA-8rh6-h94m-vj54/GHSA-8rh6-h94m-vj54.json
index e5f944f7439..ec35275f7a7 100644
--- a/advisories/github-reviewed/2022/01/GHSA-8rh6-h94m-vj54/GHSA-8rh6-h94m-vj54.json
+++ b/advisories/github-reviewed/2022/01/GHSA-8rh6-h94m-vj54/GHSA-8rh6-h94m-vj54.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-8rh6-h94m-vj54",
- "modified": "2022-01-04T16:55:20Z",
+ "modified": "2024-09-13T20:07:10Z",
"published": "2022-01-07T00:01:11Z",
"aliases": [
"CVE-2021-41500"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -48,10 +52,18 @@
"type": "WEB",
"url": "https://github.com/cvxopt/cvxopt/commit/d5a21cf1da62e4269176384b1ff62edac5579f94"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-8rh6-h94m-vj54"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/cvxopt/cvxopt"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cvxopt/PYSEC-2021-870.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CXTPM3DGVYTYQ54OFCMXZVWVOMR7JM2D"
diff --git a/advisories/github-reviewed/2022/01/GHSA-9236-8w7q-rmrv/GHSA-9236-8w7q-rmrv.json b/advisories/github-reviewed/2022/01/GHSA-9236-8w7q-rmrv/GHSA-9236-8w7q-rmrv.json
index dad72e69a82..858d04adac7 100644
--- a/advisories/github-reviewed/2022/01/GHSA-9236-8w7q-rmrv/GHSA-9236-8w7q-rmrv.json
+++ b/advisories/github-reviewed/2022/01/GHSA-9236-8w7q-rmrv/GHSA-9236-8w7q-rmrv.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9236-8w7q-rmrv",
- "modified": "2022-01-05T20:41:25Z",
+ "modified": "2024-09-12T20:50:41Z",
"published": "2022-01-06T21:59:50Z",
"aliases": [
"CVE-2021-4162"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -44,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/archivy/archivy/commit/796c3ae318eea183fc88c87ec5a27355b0f6a99d"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-9236-8w7q-rmrv"
+ },
{
"type": "WEB",
"url": "https://github.com/archivy/archivy"
@@ -52,6 +60,10 @@
"type": "WEB",
"url": "https://github.com/archivy/archivy/releases/tag/v1.6.2"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/archivy/PYSEC-2021-869.yaml"
+ },
{
"type": "WEB",
"url": "https://huntr.dev/bounties/e204a768-2129-4b6f-abad-e436309c7c32"
diff --git a/advisories/github-reviewed/2022/01/GHSA-h56g-v4vp-q9q6/GHSA-h56g-v4vp-q9q6.json b/advisories/github-reviewed/2022/01/GHSA-h56g-v4vp-q9q6/GHSA-h56g-v4vp-q9q6.json
index f5515bb41f2..6d52460ef37 100644
--- a/advisories/github-reviewed/2022/01/GHSA-h56g-v4vp-q9q6/GHSA-h56g-v4vp-q9q6.json
+++ b/advisories/github-reviewed/2022/01/GHSA-h56g-v4vp-q9q6/GHSA-h56g-v4vp-q9q6.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-h56g-v4vp-q9q6",
- "modified": "2022-02-04T16:38:23Z",
+ "modified": "2024-09-13T14:31:05Z",
"published": "2022-01-29T00:00:41Z",
"aliases": [
"CVE-2022-0352"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -44,10 +48,18 @@
"type": "WEB",
"url": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-h56g-v4vp-q9q6"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/janeczku/calibre-web"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-18.yaml"
+ },
{
"type": "WEB",
"url": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717"
diff --git a/advisories/github-reviewed/2022/01/GHSA-hx7c-qpfq-xcrp/GHSA-hx7c-qpfq-xcrp.json b/advisories/github-reviewed/2022/01/GHSA-hx7c-qpfq-xcrp/GHSA-hx7c-qpfq-xcrp.json
index 95a14494196..3bd35909e23 100644
--- a/advisories/github-reviewed/2022/01/GHSA-hx7c-qpfq-xcrp/GHSA-hx7c-qpfq-xcrp.json
+++ b/advisories/github-reviewed/2022/01/GHSA-hx7c-qpfq-xcrp/GHSA-hx7c-qpfq-xcrp.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hx7c-qpfq-xcrp",
- "modified": "2022-01-21T13:25:18Z",
+ "modified": "2024-09-16T21:47:38Z",
"published": "2022-01-13T20:10:53Z",
"aliases": [
"CVE-2021-44649"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -97,10 +101,18 @@
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44649"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-hx7c-qpfq-xcrp"
+ },
{
"type": "WEB",
"url": "https://github.com/divio/django-cms"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-cms/PYSEC-2022-7.yaml"
+ },
{
"type": "WEB",
"url": "https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability"
diff --git a/advisories/github-reviewed/2022/02/GHSA-4w8p-x6g8-fv64/GHSA-4w8p-x6g8-fv64.json b/advisories/github-reviewed/2022/02/GHSA-4w8p-x6g8-fv64/GHSA-4w8p-x6g8-fv64.json
index e90165ce91f..b84c1d27714 100644
--- a/advisories/github-reviewed/2022/02/GHSA-4w8p-x6g8-fv64/GHSA-4w8p-x6g8-fv64.json
+++ b/advisories/github-reviewed/2022/02/GHSA-4w8p-x6g8-fv64/GHSA-4w8p-x6g8-fv64.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4w8p-x6g8-fv64",
- "modified": "2022-02-23T17:39:11Z",
+ "modified": "2024-09-13T15:04:25Z",
"published": "2022-02-01T00:48:54Z",
"aliases": [
"CVE-2022-0339"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
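Review bot: The added CVSS_V4 vector contradicts the CVSS_V3 vector kept two lines above it: v3 says `UI:N`, `S:U`, `C:L/I:L` (no user interaction, impact on the vulnerable system itself), while v4 says `UI:P` with `VC:N/VI:N` and impact only on subsequent systems (`SC:L/SI:L`). Both cannot describe the same flaw; the v4 shape is the usual encoding of an XSS, so if this advisory is XSS the v3 vector is the one that should read `UI:R/S:C`, and if it is not, v4 should drop `UI:P` and carry `VC:L/VI:L` instead. Consumers that read only one version will get a different picture of the bug until the two are reconciled.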
@@ -48,6 +52,10 @@
"type": "WEB",
"url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-4w8p-x6g8-fv64"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/janeczku/calibre-web"
@@ -56,6 +64,10 @@
"type": "WEB",
"url": "https://github.com/janeczku/calibre-web/releases/tag/0.6.16"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-23.yaml"
+ },
{
"type": "WEB",
"url": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369"
diff --git a/advisories/github-reviewed/2022/02/GHSA-5946-mpw5-pqxx/GHSA-5946-mpw5-pqxx.json b/advisories/github-reviewed/2022/02/GHSA-5946-mpw5-pqxx/GHSA-5946-mpw5-pqxx.json
index 56eaf5bbbfb..0b065fccd9d 100644
--- a/advisories/github-reviewed/2022/02/GHSA-5946-mpw5-pqxx/GHSA-5946-mpw5-pqxx.json
+++ b/advisories/github-reviewed/2022/02/GHSA-5946-mpw5-pqxx/GHSA-5946-mpw5-pqxx.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5946-mpw5-pqxx",
- "modified": "2022-03-08T18:49:35Z",
+ "modified": "2024-09-13T18:30:44Z",
"published": "2022-02-21T00:00:20Z",
"aliases": [
"CVE-2021-45083"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
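Review bot: The new CVSS_V4 vector sets `AV:N` while the CVSS_V3 vector retained just above it says `AV:L`; the two base vectors disagree on the attack vector and cannot both be right. Every other metric mirrors the v3 line (`PR:L`, `UI:N`, `C:H/I:H` → `VC:H/VI:H`), which makes the AV value look like a transcription slip rather than a re-assessment. If the issue is local, as the existing v3 vector states, the line should be `"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"`; otherwise the v3 vector needs the same correction in the other direction. The advisory text is outside this hunk, so I cannot tell from here which side is right.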
@@ -52,6 +56,10 @@
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1193671"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-5946-mpw5-pqxx"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/cobbler/cobbler"
@@ -64,6 +72,10 @@
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/releases/tag/v3.3.1"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2022-38.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEJN7CPW6YCHBFQPFZKGA6AVA6T5NPIW"
diff --git a/advisories/github-reviewed/2022/02/GHSA-65xw-pcqw-hjrh/GHSA-65xw-pcqw-hjrh.json b/advisories/github-reviewed/2022/02/GHSA-65xw-pcqw-hjrh/GHSA-65xw-pcqw-hjrh.json
index c69022efd78..1671438a4d2 100644
--- a/advisories/github-reviewed/2022/02/GHSA-65xw-pcqw-hjrh/GHSA-65xw-pcqw-hjrh.json
+++ b/advisories/github-reviewed/2022/02/GHSA-65xw-pcqw-hjrh/GHSA-65xw-pcqw-hjrh.json
@@ -1,17 +1,21 @@
{
"schema_version": "1.4.0",
"id": "GHSA-65xw-pcqw-hjrh",
- "modified": "2024-03-06T22:40:01Z",
+ "modified": "2024-09-12T19:17:59Z",
"published": "2022-02-26T00:00:45Z",
"aliases": [
"CVE-2021-45229"
],
- "summary": "Cross site scripting in apache airflow",
+ "summary": "Apache Airflow Cross-site Scripting Vulnerability",
"details": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -28,7 +32,7 @@
"introduced": "0"
},
{
- "fixed": "2.2.4"
+ "fixed": "2.2.4rc1"
}
]
}
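Review bot: Changing the fixed event from `2.2.4` to `2.2.4rc1` declares the release candidate fixed, so installs pinned to 2.2.4rc1 will no longer be flagged. That is only correct if the fix commit referenced further down this file (`628aa1f99c865d97d0b1c7c76e630e43a7b8d319`) is contained in the 2.2.4rc1 tag; the details text above ("2.2.3 and below") does not distinguish the rc from the final release. Please confirm the tag contains the commit, otherwise keep `"fixed": "2.2.4"`.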
@@ -44,10 +48,18 @@
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/628aa1f99c865d97d0b1c7c76e630e43a7b8d319"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-65xw-pcqw-hjrh"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-29.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk"
diff --git a/advisories/github-reviewed/2022/02/GHSA-hhm3-48h2-597v/GHSA-hhm3-48h2-597v.json b/advisories/github-reviewed/2022/02/GHSA-hhm3-48h2-597v/GHSA-hhm3-48h2-597v.json
index 3ddfdafda80..0a2daa23738 100644
--- a/advisories/github-reviewed/2022/02/GHSA-hhm3-48h2-597v/GHSA-hhm3-48h2-597v.json
+++ b/advisories/github-reviewed/2022/02/GHSA-hhm3-48h2-597v/GHSA-hhm3-48h2-597v.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hhm3-48h2-597v",
- "modified": "2023-08-31T15:18:54Z",
+ "modified": "2024-09-12T21:15:25Z",
"published": "2022-02-02T00:01:46Z",
"aliases": [
"CVE-2021-44451"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -40,10 +44,18 @@
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44451"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-hhm3-48h2-597v"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/apache/superset"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2022-36.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb"
diff --git a/advisories/github-reviewed/2022/02/GHSA-qhh5-9738-g9mx/GHSA-qhh5-9738-g9mx.json b/advisories/github-reviewed/2022/02/GHSA-qhh5-9738-g9mx/GHSA-qhh5-9738-g9mx.json
index 59204b52b01..979838ee78e 100644
--- a/advisories/github-reviewed/2022/02/GHSA-qhh5-9738-g9mx/GHSA-qhh5-9738-g9mx.json
+++ b/advisories/github-reviewed/2022/02/GHSA-qhh5-9738-g9mx/GHSA-qhh5-9738-g9mx.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-qhh5-9738-g9mx",
- "modified": "2023-11-07T22:11:35Z",
+ "modified": "2024-09-12T20:17:17Z",
"published": "2022-02-09T22:26:32Z",
"aliases": [
"CVE-2020-13922"
@@ -12,13 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
{
"package": {
"ecosystem": "Maven",
- "name": "org.apache.dolphinscheduler:dolphinscheduler"
+ "name": "org.apache.dolphinscheduler:dolphinscheduler-api"
},
"ranges": [
{
@@ -52,6 +56,10 @@
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2021-876.yaml"
},
+ {
+ "type": "WEB",
+ "url": "https://www.mail-archive.com/announce%40apache.org/msg06076.html"
+ },
{
"type": "WEB",
"url": "https://www.mail-archive.com/announce@apache.org/msg06076.html"
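Review bot: The added reference is the same URL as the existing entry three lines below it with `@` percent-encoded as `%40`; both resolve to the same mail-archive page, so this adds a duplicate rather than a new source. Keep one form (the unencoded `announce@apache.org` entry is already present) and drop the `%40` variant. If this came from an importer, it should compare references after percent-decoding so the same URL is not admitted twice.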
diff --git a/advisories/github-reviewed/2022/03/GHSA-28mg-98xm-q493/GHSA-28mg-98xm-q493.json b/advisories/github-reviewed/2022/03/GHSA-28mg-98xm-q493/GHSA-28mg-98xm-q493.json
index 4cbb2984414..0a50f92c9c7 100644
--- a/advisories/github-reviewed/2022/03/GHSA-28mg-98xm-q493/GHSA-28mg-98xm-q493.json
+++ b/advisories/github-reviewed/2022/03/GHSA-28mg-98xm-q493/GHSA-28mg-98xm-q493.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-28mg-98xm-q493",
- "modified": "2022-03-18T21:19:29Z",
+ "modified": "2024-09-12T20:36:10Z",
"published": "2022-03-08T00:00:32Z",
"aliases": [
"CVE-2022-0697"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -44,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/archivy/archivy/commit/2d8cb29853190d42572b36deb61127e68d6be574"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-28mg-98xm-q493"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/archivy/archivy"
diff --git a/advisories/github-reviewed/2022/03/GHSA-mcg6-h362-cmq5/GHSA-mcg6-h362-cmq5.json b/advisories/github-reviewed/2022/03/GHSA-mcg6-h362-cmq5/GHSA-mcg6-h362-cmq5.json
index 0299b93925b..dd06f2f4cff 100644
--- a/advisories/github-reviewed/2022/03/GHSA-mcg6-h362-cmq5/GHSA-mcg6-h362-cmq5.json
+++ b/advisories/github-reviewed/2022/03/GHSA-mcg6-h362-cmq5/GHSA-mcg6-h362-cmq5.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-mcg6-h362-cmq5",
- "modified": "2022-03-11T20:52:04Z",
+ "modified": "2024-09-13T17:40:26Z",
"published": "2022-03-11T20:52:04Z",
"aliases": [
"CVE-2022-0860"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"
}
],
"affected": [
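Review bot: This CVSS_V4 vector ends with `/E:U`, a Threat-metric group value, while every other CVSS_V4 vector added in this commit (for example those for GHSA-2v5j-q74q-r53f and GHSA-8rh6-h94m-vj54 above) is base metrics only. `E:U` (exploit maturity unreported) lowers the resulting CVSS-BT score, so this advisory will rank below an advisory with an identical base vector purely because of the extra metric. Either record base metrics only here, `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"`, or add threat metrics consistently across the database so scores stay comparable.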
diff --git a/advisories/github-reviewed/2022/04/GHSA-3r7g-wrpr-j5g4/GHSA-3r7g-wrpr-j5g4.json b/advisories/github-reviewed/2022/04/GHSA-3r7g-wrpr-j5g4/GHSA-3r7g-wrpr-j5g4.json
index 06217058736..f03a42284a4 100644
--- a/advisories/github-reviewed/2022/04/GHSA-3r7g-wrpr-j5g4/GHSA-3r7g-wrpr-j5g4.json
+++ b/advisories/github-reviewed/2022/04/GHSA-3r7g-wrpr-j5g4/GHSA-3r7g-wrpr-j5g4.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-3r7g-wrpr-j5g4",
- "modified": "2022-05-26T20:18:03Z",
+ "modified": "2024-09-16T21:50:13Z",
"published": "2022-04-22T20:48:28Z",
"aliases": [
"CVE-2022-24857"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/04/GHSA-66vw-v2x9-hw75/GHSA-66vw-v2x9-hw75.json b/advisories/github-reviewed/2022/04/GHSA-66vw-v2x9-hw75/GHSA-66vw-v2x9-hw75.json
index f801ad67631..9582eed7dc2 100644
--- a/advisories/github-reviewed/2022/04/GHSA-66vw-v2x9-hw75/GHSA-66vw-v2x9-hw75.json
+++ b/advisories/github-reviewed/2022/04/GHSA-66vw-v2x9-hw75/GHSA-66vw-v2x9-hw75.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-66vw-v2x9-hw75",
- "modified": "2024-06-28T18:58:58Z",
+ "modified": "2024-09-16T17:22:51Z",
"published": "2022-04-30T00:00:35Z",
"aliases": [
"CVE-2022-1227"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -52,25 +56,6 @@
]
}
]
- },
- {
- "package": {
- "ecosystem": "Go",
- "name": "github.com/containers/psgo/internal/proc"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "1.7.2"
- }
- ]
- }
- ]
}
],
"references": [
diff --git a/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json b/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json
index 4394dc47938..3b42dd29e7f 100644
--- a/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json
+++ b/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-2cvf-r9jm-4qm9",
- "modified": "2023-07-19T20:01:06Z",
+ "modified": "2024-09-13T15:15:21Z",
"published": "2022-05-13T01:14:22Z",
"aliases": [
"CVE-2019-3830"
@@ -11,7 +11,11 @@
"severity": [
{
"type": "CVSS_V3",
- "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
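Review bot: The rewritten CVSS_V3 vector says `AV:L` while the new CVSS_V4 vector says `AV:N`; the two disagree on the attack vector for the same issue. The `CWE-532` recorded below (information exposure through log files) and the v3 `PR:N/C:L` reading are consistent with a local, read-the-log scenario, which suggests the v4 line should be `"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"`. Note also that the v3 string was moved from the `CVSS:3.1` prefix back to `CVSS:3.0`; if that is not deliberate, keep 3.1 so the scoring version does not regress.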
@@ -59,13 +63,17 @@
{
"type": "PACKAGE",
"url": "https://github.com/openstack/ceilometer"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ceilometer/PYSEC-2019-78.yaml"
}
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
- "severity": "HIGH",
+ "severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2023-07-19T20:01:06Z",
"nvd_published_at": "2019-03-26T18:29:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-2pqc-gv8q-pvqv/GHSA-2pqc-gv8q-pvqv.json b/advisories/github-reviewed/2022/05/GHSA-2pqc-gv8q-pvqv/GHSA-2pqc-gv8q-pvqv.json
index 10cc278be1d..2ad1ceb6451 100644
--- a/advisories/github-reviewed/2022/05/GHSA-2pqc-gv8q-pvqv/GHSA-2pqc-gv8q-pvqv.json
+++ b/advisories/github-reviewed/2022/05/GHSA-2pqc-gv8q-pvqv/GHSA-2pqc-gv8q-pvqv.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-2pqc-gv8q-pvqv",
- "modified": "2023-08-03T19:53:31Z",
+ "modified": "2024-09-16T14:42:41Z",
"published": "2022-05-17T01:57:52Z",
"aliases": [
"CVE-2015-5081"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -44,7 +48,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "3.1.0"
+ "introduced": "3.1.0b1"
},
{
"fixed": "3.1.1"
@@ -59,10 +63,18 @@
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5081"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a"
+ },
{
"type": "WEB",
"url": "https://github.com/django-cms/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-cms/PYSEC-2017-11.yaml"
+ },
{
"type": "WEB",
"url": "https://www.django-cms.org/en/blog/2015/06/27/311-3014-release"
diff --git a/advisories/github-reviewed/2022/05/GHSA-39vm-p9mr-4r27/GHSA-39vm-p9mr-4r27.json b/advisories/github-reviewed/2022/05/GHSA-39vm-p9mr-4r27/GHSA-39vm-p9mr-4r27.json
index 2913bc0cba9..19fa146a29c 100644
--- a/advisories/github-reviewed/2022/05/GHSA-39vm-p9mr-4r27/GHSA-39vm-p9mr-4r27.json
+++ b/advisories/github-reviewed/2022/05/GHSA-39vm-p9mr-4r27/GHSA-39vm-p9mr-4r27.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-39vm-p9mr-4r27",
- "modified": "2024-05-01T10:58:46Z",
+ "modified": "2024-09-12T21:05:41Z",
"published": "2022-05-17T05:22:19Z",
"aliases": [
"CVE-2012-3458"
@@ -9,7 +9,14 @@
"summary": "Beaker Sensitive Information Disclosure vulnerability",
"details": "Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -49,6 +56,10 @@
"type": "PACKAGE",
"url": "https://github.com/bbangert/beaker"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/beaker/PYSEC-2012-1.yaml"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20140724164516/http://secunia.com/advisories/50226"
@@ -68,7 +79,7 @@
],
"database_specific": {
"cwe_ids": [
-
+ "CWE-326"
],
"severity": "MODERATE",
"github_reviewed": true,
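Review bot: `CWE-326` (Inadequate Encryption Strength) is a loose fit for what this advisory describes, which is AES in ECB mode rather than a too-short key; ECB leaks plaintext block equality regardless of key size, and a mode-of-operation misuse is normally filed under `CWE-327` (Use of a Broken or Risky Cryptographic Algorithm). Consider `"CWE-327"` here, or list both if the database convention is to preserve the CNA-assigned identifier. The details text ("uses AES in ECB cipher mode") sits above this hunk.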
diff --git a/advisories/github-reviewed/2022/05/GHSA-42q4-9xf9-f67x/GHSA-42q4-9xf9-f67x.json b/advisories/github-reviewed/2022/05/GHSA-42q4-9xf9-f67x/GHSA-42q4-9xf9-f67x.json
index ce0cacf40ae..34d36191b24 100644
--- a/advisories/github-reviewed/2022/05/GHSA-42q4-9xf9-f67x/GHSA-42q4-9xf9-f67x.json
+++ b/advisories/github-reviewed/2022/05/GHSA-42q4-9xf9-f67x/GHSA-42q4-9xf9-f67x.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-42q4-9xf9-f67x",
- "modified": "2022-08-11T18:25:38Z",
+ "modified": "2024-09-12T20:36:58Z",
"published": "2022-05-24T19:20:31Z",
"aliases": [
"CVE-2021-41972"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/05/GHSA-4fpg-j5mp-783g/GHSA-4fpg-j5mp-783g.json b/advisories/github-reviewed/2022/05/GHSA-4fpg-j5mp-783g/GHSA-4fpg-j5mp-783g.json
index 10408e74a1d..6629ced0a16 100644
--- a/advisories/github-reviewed/2022/05/GHSA-4fpg-j5mp-783g/GHSA-4fpg-j5mp-783g.json
+++ b/advisories/github-reviewed/2022/05/GHSA-4fpg-j5mp-783g/GHSA-4fpg-j5mp-783g.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4fpg-j5mp-783g",
- "modified": "2024-04-22T22:45:45Z",
+ "modified": "2024-09-13T15:57:09Z",
"published": "2022-05-13T01:49:46Z",
"aliases": [
"CVE-2018-13390"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"
}
],
"affected": [
@@ -43,13 +47,17 @@
{
"type": "WEB",
"url": "https://bitbucket.org/atlassian/cloudtoken/wiki/CVE-2018-13390%20-%20Exposed%20credentials%20in%20daemon%20mode%20on%20Linux"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cloudtoken/PYSEC-2018-1.yaml"
}
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
- "severity": "MODERATE",
+ "severity": "LOW",
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T22:45:45Z",
"nvd_published_at": "2018-08-10T15:29:00Z"
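Review bot: `"severity": "LOW"` now disagrees with the unchanged CVSS_V3 vector in this advisory (`CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N`, which computes to 6.1, Medium); the LOW label appears to follow the new CVSS_V4 vector, whose trailing `/E:U` threat metric pulls the score down. Either drop `/E:U` so the v4 base metrics alone drive the label, or keep the label at the level the base vectors give; a threat-adjusted v4 score next to a base-only v3 score leaves the two vectors and the label mutually inconsistent.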
diff --git a/advisories/github-reviewed/2022/05/GHSA-4wcc-jv3p-prqw/GHSA-4wcc-jv3p-prqw.json b/advisories/github-reviewed/2022/05/GHSA-4wcc-jv3p-prqw/GHSA-4wcc-jv3p-prqw.json
index 808652ac1ad..7ff7415c9f6 100644
--- a/advisories/github-reviewed/2022/05/GHSA-4wcc-jv3p-prqw/GHSA-4wcc-jv3p-prqw.json
+++ b/advisories/github-reviewed/2022/05/GHSA-4wcc-jv3p-prqw/GHSA-4wcc-jv3p-prqw.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4wcc-jv3p-prqw",
- "modified": "2024-04-29T16:54:38Z",
+ "modified": "2024-09-13T14:25:50Z",
"published": "2022-05-17T02:52:55Z",
"aliases": [
"CVE-2015-8310"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -52,6 +56,10 @@
"type": "PACKAGE",
"url": "https://github.com/devsnd/cherrymusic"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cherrymusic/PYSEC-2017-100.yaml"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227183347/http://www.securityfocus.com/bid/97148"
diff --git a/advisories/github-reviewed/2022/05/GHSA-54qj-48vx-cr9f/GHSA-54qj-48vx-cr9f.json b/advisories/github-reviewed/2022/05/GHSA-54qj-48vx-cr9f/GHSA-54qj-48vx-cr9f.json
index 7b722c4a0cb..d9d4784eeeb 100644
--- a/advisories/github-reviewed/2022/05/GHSA-54qj-48vx-cr9f/GHSA-54qj-48vx-cr9f.json
+++ b/advisories/github-reviewed/2022/05/GHSA-54qj-48vx-cr9f/GHSA-54qj-48vx-cr9f.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-54qj-48vx-cr9f",
- "modified": "2024-05-21T20:31:08Z",
+ "modified": "2024-09-16T21:53:19Z",
"published": "2022-05-01T23:48:43Z",
"aliases": [
"CVE-2008-2302"
@@ -9,13 +9,20 @@
"summary": "Django Cross-site scripting (XSS) vulnerability",
"details": "Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -34,7 +41,7 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -53,7 +60,7 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -97,27 +104,27 @@
},
{
"type": "WEB",
- "url": "http://secunia.com/advisories/30250"
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2008-1.yaml"
},
{
"type": "WEB",
- "url": "http://secunia.com/advisories/30291"
+ "url": "https://web.archive.org/web/20080725022008/http://secunia.com/advisories/30291"
},
{
"type": "WEB",
- "url": "http://securitytracker.com/id?1020028"
+ "url": "https://web.archive.org/web/20081012011038/http://secunia.com/advisories/30250"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20170222015451/http://securitytracker.com/id?1020028"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20200228153339/http://www.securityfocus.com/bid/29209"
},
{
"type": "WEB",
"url": "http://www.djangoproject.com/weblog/2008/may/14/security"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/29209"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2008/1618"
}
],
"database_specific": {
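Review bot: The `http://www.vupen.com/english/advisories/2008/1618` reference is deleted outright, while the other dead links in this hunk (secunia, securitytracker, securityfocus) were replaced by web.archive.org snapshots. Dropping it loses one of the original sources for this 2008 advisory; if a Wayback snapshot exists it should be substituted in the same `https://web.archive.org/web/<timestamp>/...` form, and if none does, that is worth saying in the commit message. The remaining `http://www.djangoproject.com/weblog/2008/may/14/security` entry could also be moved to `https://` while the list is being touched.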
diff --git a/advisories/github-reviewed/2022/05/GHSA-59w8-4wm2-4xw8/GHSA-59w8-4wm2-4xw8.json b/advisories/github-reviewed/2022/05/GHSA-59w8-4wm2-4xw8/GHSA-59w8-4wm2-4xw8.json
index a1f1083a287..857a39ac5ed 100644
--- a/advisories/github-reviewed/2022/05/GHSA-59w8-4wm2-4xw8/GHSA-59w8-4wm2-4xw8.json
+++ b/advisories/github-reviewed/2022/05/GHSA-59w8-4wm2-4xw8/GHSA-59w8-4wm2-4xw8.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-59w8-4wm2-4xw8",
- "modified": "2023-08-29T22:31:03Z",
+ "modified": "2024-09-17T15:14:45Z",
"published": "2022-05-17T05:12:01Z",
"aliases": [
"CVE-2012-3443"
@@ -9,13 +9,20 @@
"summary": "Django Image Field Vulnerable to Image Decompression Bombs",
"details": "The `django.forms.ImageField` class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -34,14 +41,14 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.4.0"
+ "introduced": "1.4"
},
{
"fixed": "1.4.1"
@@ -68,6 +75,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2012-3.yaml"
+ },
{
"type": "WEB",
"url": "https://www.debian.org/security/2012/dsa-2529"
@@ -91,6 +102,26 @@
{
"type": "WEB",
"url": "https://www.ubuntu.com/usn/USN-1560-1"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.debian.org/security/2012/dsa-2529"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:143"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2012/07/31/1"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2012/07/31/2"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.ubuntu.com/usn/USN-1560-1"
}
],
"database_specific": {
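Review bot: Two of the added references duplicate entries already in the list, differing only in scheme: `http://www.debian.org/security/2012/dsa-2529` against the existing `https://www.debian.org/security/2012/dsa-2529`, and `http://www.ubuntu.com/usn/USN-1560-1` against the existing `https://www.ubuntu.com/usn/USN-1560-1`. Plain-http twins add no information and steer consumers to an unencrypted fetch of the same page, so the two `http://` entries should be dropped. The openwall and mandriva links are genuinely new; the mandriva host may no longer resolve, in which case an archived copy would serve better if one exists.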
@@ -98,7 +129,7 @@
"CWE-20",
"CWE-400"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2023-08-29T22:31:03Z",
"nvd_published_at": "2012-07-31T17:55:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-5fp8-c45m-256p/GHSA-5fp8-c45m-256p.json b/advisories/github-reviewed/2022/05/GHSA-5fp8-c45m-256p/GHSA-5fp8-c45m-256p.json
index 4f8b3d32f4d..fb900ab2d45 100644
--- a/advisories/github-reviewed/2022/05/GHSA-5fp8-c45m-256p/GHSA-5fp8-c45m-256p.json
+++ b/advisories/github-reviewed/2022/05/GHSA-5fp8-c45m-256p/GHSA-5fp8-c45m-256p.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5fp8-c45m-256p",
- "modified": "2022-06-21T20:08:57Z",
+ "modified": "2024-09-12T20:37:55Z",
"published": "2022-05-24T19:20:42Z",
"aliases": [
"CVE-2021-42250"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/05/GHSA-5h2q-4hrp-v9rr/GHSA-5h2q-4hrp-v9rr.json b/advisories/github-reviewed/2022/05/GHSA-5h2q-4hrp-v9rr/GHSA-5h2q-4hrp-v9rr.json
index 8a98901db79..f782dce4e21 100644
--- a/advisories/github-reviewed/2022/05/GHSA-5h2q-4hrp-v9rr/GHSA-5h2q-4hrp-v9rr.json
+++ b/advisories/github-reviewed/2022/05/GHSA-5h2q-4hrp-v9rr/GHSA-5h2q-4hrp-v9rr.json
@@ -1,15 +1,22 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5h2q-4hrp-v9rr",
- "modified": "2024-03-07T21:58:37Z",
+ "modified": "2024-09-16T21:41:20Z",
"published": "2022-05-17T05:12:01Z",
"aliases": [
"CVE-2012-3444"
],
"summary": "Django vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer",
- "details": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.",
+ "details": "The `get_image_dimensions` function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -80,6 +87,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2012-4.yaml"
+ },
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued"
@@ -109,7 +120,7 @@
"cwe_ids": [
"CWE-119"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2023-04-21T20:17:54Z",
"nvd_published_at": "2012-07-31T17:55:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-5v8v-66v8-mwm7/GHSA-5v8v-66v8-mwm7.json b/advisories/github-reviewed/2022/05/GHSA-5v8v-66v8-mwm7/GHSA-5v8v-66v8-mwm7.json
index 33067b6ffa1..5a190a23f39 100644
--- a/advisories/github-reviewed/2022/05/GHSA-5v8v-66v8-mwm7/GHSA-5v8v-66v8-mwm7.json
+++ b/advisories/github-reviewed/2022/05/GHSA-5v8v-66v8-mwm7/GHSA-5v8v-66v8-mwm7.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5v8v-66v8-mwm7",
- "modified": "2022-06-16T23:47:42Z",
+ "modified": "2024-09-16T13:48:46Z",
"published": "2022-05-24T17:28:21Z",
"aliases": [
"CVE-2020-8927"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -2826,6 +2830,25 @@
]
}
]
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "brotli"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.8"
+ }
+ ]
+ }
+ ]
}
],
"references": [
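Review bot: The new PyPI entry names the package `brotli` in lowercase, while this same commit rewrites `django` to `Django` in the Django advisories, presumably to match the canonical PyPI project name; the Brotli project is published on PyPI as `Brotli`, so `"name": "Brotli"` would follow the same convention. Name matching is case-insensitive under PEP 503, so this is a consistency point rather than a matching bug. The `fixed` bound of `1.0.8` agrees with the v1.0.8 release reference added later in this file, but sitting next to the existing v1.0.9 reference it may leave readers unsure which release carries the fix; a short sentence in `details` (outside this hunk) would settle it.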
@@ -2841,6 +2864,10 @@
"type": "WEB",
"url": "https://github.com/github/advisory-database/issues/785"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6"
+ },
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4801"
@@ -2897,10 +2924,18 @@
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00003.html"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/brotli/PYSEC-2020-29.yaml"
+ },
{
"type": "WEB",
"url": "https://github.com/google/brotli/releases/tag/v1.0.9"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/google/brotli/releases/tag/v1.0.8"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/bitemyapp/brotli2-rs"
diff --git a/advisories/github-reviewed/2022/05/GHSA-5x6q-ffwj-8vcf/GHSA-5x6q-ffwj-8vcf.json b/advisories/github-reviewed/2022/05/GHSA-5x6q-ffwj-8vcf/GHSA-5x6q-ffwj-8vcf.json
index 4e137aad008..87541b29f6b 100644
--- a/advisories/github-reviewed/2022/05/GHSA-5x6q-ffwj-8vcf/GHSA-5x6q-ffwj-8vcf.json
+++ b/advisories/github-reviewed/2022/05/GHSA-5x6q-ffwj-8vcf/GHSA-5x6q-ffwj-8vcf.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5x6q-ffwj-8vcf",
- "modified": "2024-05-01T10:59:36Z",
+ "modified": "2024-09-12T20:52:47Z",
"published": "2022-05-17T01:57:32Z",
"aliases": [
"CVE-2015-4082"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -52,6 +56,10 @@
"type": "PACKAGE",
"url": "https://github.com/jborg/attic"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/attic/PYSEC-2017-6.yaml"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20200517225455/http://www.securityfocus.com/bid/74821"
@@ -59,6 +67,10 @@
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/05/31/3"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/74821"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-66x7-2r56-fj77/GHSA-66x7-2r56-fj77.json b/advisories/github-reviewed/2022/05/GHSA-66x7-2r56-fj77/GHSA-66x7-2r56-fj77.json
index 8c10ae43ff9..f122743c8df 100644
--- a/advisories/github-reviewed/2022/05/GHSA-66x7-2r56-fj77/GHSA-66x7-2r56-fj77.json
+++ b/advisories/github-reviewed/2022/05/GHSA-66x7-2r56-fj77/GHSA-66x7-2r56-fj77.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-66x7-2r56-fj77",
- "modified": "2023-09-28T20:40:46Z",
+ "modified": "2024-09-13T17:51:51Z",
"published": "2022-05-14T01:36:13Z",
"aliases": [
"CVE-2019-7313"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -25,7 +29,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "0"
+ "introduced": "0.9.0"
},
{
"fixed": "1.8.1"
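Review bot: Raising the lower bound from `0` to `0.9.0` removes every 0.8.x Buildbot release from the affected set, and nothing in this hunk or in the PYSEC reference added further down explains why those releases are out of scope. If the rationale is that the affected login/logout redirect code only exists in the 0.9-series web UI, recording that in `details` would stop the narrowing from being reverted as an error later. The enclosing `events` array and its `ranges` object close outside the hunk.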
@@ -55,6 +59,10 @@
{
"type": "WEB",
"url": "https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/buildbot/PYSEC-2019-7.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-6wgp-fwfm-mxp3/GHSA-6wgp-fwfm-mxp3.json b/advisories/github-reviewed/2022/05/GHSA-6wgp-fwfm-mxp3/GHSA-6wgp-fwfm-mxp3.json
index a2c5ce376fd..fa2064b30e6 100644
--- a/advisories/github-reviewed/2022/05/GHSA-6wgp-fwfm-mxp3/GHSA-6wgp-fwfm-mxp3.json
+++ b/advisories/github-reviewed/2022/05/GHSA-6wgp-fwfm-mxp3/GHSA-6wgp-fwfm-mxp3.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-6wgp-fwfm-mxp3",
- "modified": "2024-05-07T14:40:05Z",
+ "modified": "2024-09-17T15:10:52Z",
"published": "2022-05-17T03:29:56Z",
"aliases": [
"CVE-2015-3982"
@@ -9,7 +9,14 @@
"summary": "Django allows user sessions hijacking via an empty string in the session key",
"details": "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"
+ }
],
"affected": [
{
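Review bot: The CVSS_V4 vector in this hunk carries the threat metric `/E:U`, whereas most CVSS_V4 vectors added in this batch are pure base vectors; the same suffix appears in GHSA-873q-wpqr-xfgw, GHSA-9w4f-3v37-6f75 and GHSA-mqwh-r366-4224. Mixing base-only and base-plus-threat vectors under one `"type": "CVSS_V4"` means a consumer scoring from that field gets a different kind of score per advisory, and it appears to be what keeps `database_specific.severity` at MODERATE at the end of this file while the CVSS_V3 vector (`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`) scores 7.5 — the same v3 score the other files in this commit map to HIGH. Either drop `/E:U` for consistency, or document that the severity label is derived from the threat-adjusted v4 score.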
@@ -45,6 +52,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-19.yaml"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20200228092138/http://www.securityfocus.com/bid/74960"
@@ -56,7 +67,7 @@
],
"database_specific": {
"cwe_ids": [
-
+ "CWE-384"
],
"severity": "MODERATE",
"github_reviewed": true,
diff --git a/advisories/github-reviewed/2022/05/GHSA-76x8-gg39-5jjg/GHSA-76x8-gg39-5jjg.json b/advisories/github-reviewed/2022/05/GHSA-76x8-gg39-5jjg/GHSA-76x8-gg39-5jjg.json
index 4caf803e1ec..cd221a48dc0 100644
--- a/advisories/github-reviewed/2022/05/GHSA-76x8-gg39-5jjg/GHSA-76x8-gg39-5jjg.json
+++ b/advisories/github-reviewed/2022/05/GHSA-76x8-gg39-5jjg/GHSA-76x8-gg39-5jjg.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-76x8-gg39-5jjg",
- "modified": "2024-04-01T19:52:43Z",
+ "modified": "2024-09-13T18:02:56Z",
"published": "2022-05-01T23:28:42Z",
"aliases": [
"CVE-2008-0252"
@@ -9,7 +9,14 @@
"summary": "CherryPy Malicious cookies allow access to files outside the session directory",
"details": "Directory traversal vulnerability in the _get_file_path function in (1) `lib/sessions.py` in CherryPy 3.0.x up to 3.0.2, (2) `filter/sessionfilter.py` in CherryPy 2.1, and (3) `filter/sessionfilter.py` in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -25,14 +32,30 @@
"introduced": "0"
},
{
- "fixed": "3.0.3"
+ "fixed": "2.1.1"
}
]
}
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 3.0.2"
- }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "cherrypy"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.0"
+ },
+ {
+ "fixed": "3.0.2"
+ }
+ ]
+ }
+ ]
}
],
"references": [
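Review bot: The new 3.0 range's `"fixed": "3.0.2"` marks 3.0.2 as unaffected, but the `details` text earlier in this file says "CherryPy 3.0.x up to 3.0.2" and the `last_known_affected_version_range` this hunk removes was `<= 3.0.2`; the previous `"fixed": "3.0.3"` agreed with both. Unless 3.0.2 is known to contain the fix, this should read `"fixed": "3.0.3"`. Separately, the first range now ends at `2.1.1` while the details mention `sessionfilter.py` in CherryPy 2.x generally, so 2.2.x releases fall outside both ranges — worth confirming against the upstream fix. `"name": "cherrypy"` also diverges from the canonical `CherryPy` casing, in contrast to the `django` → `Django` normalisation this commit applies elsewhere (case-insensitive under PEP 503, so cosmetic).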
@@ -48,10 +71,46 @@
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=204829"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/cherrypy/cherrypy"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cherrypy/PYSEC-2008-3.yaml"
+ },
{
"type": "WEB",
"url": "https://issues.rpath.com/browse/RPL-2127"
},
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20080129011723/http://secunia.com/advisories/28354"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20080312130713/http://secunia.com/advisories/28353"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20080328003510/http://secunia.com/advisories/28611"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20100122080212/http://www.vupen.com/english/advisories/2008/0039"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20110513223620/http://secunia.com/advisories/28769"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20111224161644/http://secunia.com/advisories/28620"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20151108024505/http://www.securityfocus.com/bid/27181"
+ },
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00240.html"
@@ -60,26 +119,6 @@
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00297.html"
},
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/28353"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/28354"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/28611"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/28620"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/28769"
- },
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200801-11.xml"
@@ -103,18 +142,6 @@
{
"type": "WEB",
"url": "http://www.debian.org/security/2008/dsa-1481"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/archive/1/487001/100/0/threaded"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/27181"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2008/0039"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-78vx-ggch-wghm/GHSA-78vx-ggch-wghm.json b/advisories/github-reviewed/2022/05/GHSA-78vx-ggch-wghm/GHSA-78vx-ggch-wghm.json
index b9c744362e4..5d6dd16a382 100644
--- a/advisories/github-reviewed/2022/05/GHSA-78vx-ggch-wghm/GHSA-78vx-ggch-wghm.json
+++ b/advisories/github-reviewed/2022/05/GHSA-78vx-ggch-wghm/GHSA-78vx-ggch-wghm.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-78vx-ggch-wghm",
- "modified": "2023-08-29T21:47:28Z",
+ "modified": "2024-09-16T22:14:25Z",
"published": "2022-05-17T05:12:01Z",
"aliases": [
"CVE-2012-3442"
@@ -9,13 +9,20 @@
"summary": "Django Allows Redirect via Data URL",
"details": "The (1) `django.http.HttpResponseRedirect` and (2) `django.http.HttpResponsePermanentRedirect` classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a `data:` URL.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
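Review bot: The CVSS_V4 vector added here (`UI:N/VC:H/VI:H/VA:H`) describes a no-interaction full compromise of the vulnerable system, which contradicts both the CVSS_V3 vector two lines above it (`UI:R`, `S:C`, `C:L/I:L/A:N`) and the `details` text, which describes XSS via a `data:` redirect URL. The other XSS advisories in this batch (GHSA-66x7-2r56-fj77, GHSA-jqqh-999x-w26w, GHSA-mj3x-wprp-mvj9) pair that same v3 vector with `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`, so that is the expected value here. As written, any consumer scoring from v4 would rank this 2012 redirect issue as critical.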
@@ -34,7 +41,7 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -68,6 +75,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2012-2.yaml"
+ },
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued"
@@ -76,6 +87,10 @@
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2529"
},
+ {
+ "type": "WEB",
+ "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:143"
+ },
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/07/31/1"
diff --git a/advisories/github-reviewed/2022/05/GHSA-873q-wpqr-xfgw/GHSA-873q-wpqr-xfgw.json b/advisories/github-reviewed/2022/05/GHSA-873q-wpqr-xfgw/GHSA-873q-wpqr-xfgw.json
index dabc7c42e5d..e9dc6348ee6 100644
--- a/advisories/github-reviewed/2022/05/GHSA-873q-wpqr-xfgw/GHSA-873q-wpqr-xfgw.json
+++ b/advisories/github-reviewed/2022/05/GHSA-873q-wpqr-xfgw/GHSA-873q-wpqr-xfgw.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-873q-wpqr-xfgw",
- "modified": "2023-08-16T23:15:40Z",
+ "modified": "2024-09-13T17:57:20Z",
"published": "2022-05-17T04:19:29Z",
"aliases": [
"CVE-2014-3137"
@@ -9,7 +9,14 @@
"summary": "Bottle does not properly limit content-types",
"details": "Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a `;` (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+ }
],
"affected": [
{
@@ -79,10 +86,22 @@
"type": "WEB",
"url": "https://github.com/bottlepy/bottle/issues/616"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/defnull/bottle/issues/616"
+ },
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1093255"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/bottlepy/bottle"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bottle/PYSEC-2014-77.yaml"
+ },
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2948"
@@ -96,7 +115,7 @@
"cwe_ids": [
"CWE-20"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2023-08-16T23:15:40Z",
"nvd_published_at": "2014-10-25T22:55:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-9v8h-57gv-qch6/GHSA-9v8h-57gv-qch6.json b/advisories/github-reviewed/2022/05/GHSA-9v8h-57gv-qch6/GHSA-9v8h-57gv-qch6.json
index 5fe48e4cd80..685306b8c20 100644
--- a/advisories/github-reviewed/2022/05/GHSA-9v8h-57gv-qch6/GHSA-9v8h-57gv-qch6.json
+++ b/advisories/github-reviewed/2022/05/GHSA-9v8h-57gv-qch6/GHSA-9v8h-57gv-qch6.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9v8h-57gv-qch6",
- "modified": "2024-05-21T20:33:18Z",
+ "modified": "2024-09-16T21:36:16Z",
"published": "2022-05-01T18:36:08Z",
"aliases": [
"CVE-2007-5712"
@@ -9,7 +9,14 @@
"summary": "Django vulnerable to Denial of Service via i18n middleware component",
"details": "The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -101,6 +108,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2007-1.yaml"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20091201070224/http://secunia.com/advisories/27435"
@@ -142,7 +153,7 @@
"cwe_ids": [
"CWE-400"
],
- "severity": "LOW",
+ "severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2024-04-29T14:37:50Z",
"nvd_published_at": "2007-10-30T19:46:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-9w4f-3v37-6f75/GHSA-9w4f-3v37-6f75.json b/advisories/github-reviewed/2022/05/GHSA-9w4f-3v37-6f75/GHSA-9w4f-3v37-6f75.json
index ef4999e01ea..6ff52236052 100644
--- a/advisories/github-reviewed/2022/05/GHSA-9w4f-3v37-6f75/GHSA-9w4f-3v37-6f75.json
+++ b/advisories/github-reviewed/2022/05/GHSA-9w4f-3v37-6f75/GHSA-9w4f-3v37-6f75.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9w4f-3v37-6f75",
- "modified": "2024-04-29T16:18:48Z",
+ "modified": "2024-09-13T15:52:40Z",
"published": "2022-05-17T03:33:24Z",
"aliases": [
"CVE-2015-3010"
@@ -9,7 +9,14 @@
"summary": "ceph-deploy allows local users to obtain sensitive information by reading the file",
"details": "ceph-deploy before 1.5.23 uses weak permissions (644) for `ceph/ceph.client.admin.keyring`, which allows local users to obtain sensitive information by reading the file.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
+ }
],
"affected": [
{
@@ -53,6 +60,10 @@
"type": "PACKAGE",
"url": "https://github.com/ceph/ceph-deploy"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ceph-deploy/PYSEC-2015-2.yaml"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20200228233028/http://www.securityfocus.com/bid/74043"
@@ -76,6 +87,10 @@
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/04/09/9"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.securityfocus.com/bid/74043"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json b/advisories/github-reviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json
index d61177f559e..da0db62d4ef 100644
--- a/advisories/github-reviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json
+++ b/advisories/github-reviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9xg7-gg9m-rmq9",
- "modified": "2024-02-08T21:27:24Z",
+ "modified": "2024-09-16T22:08:51Z",
"published": "2022-05-02T03:37:17Z",
"aliases": [
"CVE-2009-2659"
@@ -9,7 +9,14 @@
"summary": "Django Admin Media Handler Vulnerable to Directory Traversal",
"details": "The Admin media handler in `core/servers/basehttp.py` in Django 1.0 and 0.96 does not properly map URL requests to expected \"static media files,\" which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -68,6 +75,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2009-3.yaml"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20111211001428/http://www.securityfocus.com/bid/35859"
@@ -101,7 +112,7 @@
"cwe_ids": [
"CWE-22"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-02-08T21:27:24Z",
"nvd_published_at": "2009-08-04T16:30:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-9xwq-72vp-5j3c/GHSA-9xwq-72vp-5j3c.json b/advisories/github-reviewed/2022/05/GHSA-9xwq-72vp-5j3c/GHSA-9xwq-72vp-5j3c.json
index 6a0ae7a9f94..ed0a711c9cf 100644
--- a/advisories/github-reviewed/2022/05/GHSA-9xwq-72vp-5j3c/GHSA-9xwq-72vp-5j3c.json
+++ b/advisories/github-reviewed/2022/05/GHSA-9xwq-72vp-5j3c/GHSA-9xwq-72vp-5j3c.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9xwq-72vp-5j3c",
- "modified": "2022-11-04T18:44:51Z",
+ "modified": "2024-09-12T21:18:20Z",
"published": "2022-05-17T01:17:22Z",
"aliases": [
"CVE-2017-3152"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
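Review bot: The CVSS_V4 vector sets `PR:L`, while the CVSS_V3 vector directly above it says `PR:N`; the two should agree on whether the attacker needs an account. The identical v3 vector in GHSA-c8c8-9472-w52h and GHSA-66x7-2r56-fj77 is paired with `PR:N` in v4, so unless this advisory genuinely requires authentication, `PR:N` is the consistent choice.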
diff --git a/advisories/github-reviewed/2022/05/GHSA-c8c8-9472-w52h/GHSA-c8c8-9472-w52h.json b/advisories/github-reviewed/2022/05/GHSA-c8c8-9472-w52h/GHSA-c8c8-9472-w52h.json
index fc37d4af3ea..3f58c29e8e2 100644
--- a/advisories/github-reviewed/2022/05/GHSA-c8c8-9472-w52h/GHSA-c8c8-9472-w52h.json
+++ b/advisories/github-reviewed/2022/05/GHSA-c8c8-9472-w52h/GHSA-c8c8-9472-w52h.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-c8c8-9472-w52h",
- "modified": "2024-03-07T22:46:19Z",
+ "modified": "2024-09-17T15:13:11Z",
"published": "2022-05-14T02:46:13Z",
"aliases": [
"CVE-2016-6186"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -94,6 +98,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-2.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ"
diff --git a/advisories/github-reviewed/2022/05/GHSA-f8vc-f28w-x9c9/GHSA-f8vc-f28w-x9c9.json b/advisories/github-reviewed/2022/05/GHSA-f8vc-f28w-x9c9/GHSA-f8vc-f28w-x9c9.json
index 762b518c3a9..3448ebe5292 100644
--- a/advisories/github-reviewed/2022/05/GHSA-f8vc-f28w-x9c9/GHSA-f8vc-f28w-x9c9.json
+++ b/advisories/github-reviewed/2022/05/GHSA-f8vc-f28w-x9c9/GHSA-f8vc-f28w-x9c9.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-f8vc-f28w-x9c9",
- "modified": "2023-08-31T15:49:27Z",
+ "modified": "2024-09-12T21:16:24Z",
"published": "2022-05-24T19:17:47Z",
"aliases": [
"CVE-2021-32609"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -28,14 +32,11 @@
"introduced": "0"
},
{
- "fixed": "1.2"
+ "fixed": "1.2.0"
}
]
}
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 1.1"
- }
+ ]
}
],
"references": [
diff --git a/advisories/github-reviewed/2022/05/GHSA-fcgg-qgxg-2g2x/GHSA-fcgg-qgxg-2g2x.json b/advisories/github-reviewed/2022/05/GHSA-fcgg-qgxg-2g2x/GHSA-fcgg-qgxg-2g2x.json
index 4162bed80af..62a77280177 100644
--- a/advisories/github-reviewed/2022/05/GHSA-fcgg-qgxg-2g2x/GHSA-fcgg-qgxg-2g2x.json
+++ b/advisories/github-reviewed/2022/05/GHSA-fcgg-qgxg-2g2x/GHSA-fcgg-qgxg-2g2x.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-fcgg-qgxg-2g2x",
- "modified": "2024-04-25T20:40:54Z",
+ "modified": "2024-09-13T19:33:37Z",
"published": "2022-05-14T01:36:14Z",
"aliases": [
"CVE-2018-16191"
@@ -34,7 +34,7 @@
}
],
"database_specific": {
- "last_known_affected_version_range": "< 3.0.16"
+ "last_known_affected_version_range": "<= 3.0.16"
}
}
],
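Review bot: Changing `< 3.0.16` to `<= 3.0.16` moves 3.0.16 from unaffected to affected, and this hunk adds no reference or `fixed` event that justifies it; the `events` array above is outside the hunk, so whether it has a `fixed` bound cannot be checked here. Consumers on 3.0.16 will now be alerted, which is the right outcome only if that release has been verified as vulnerable; a pointer in `details` to the release that actually fixes the issue would make the bound auditable.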
diff --git a/advisories/github-reviewed/2022/05/GHSA-fx92-wh72-8g9q/GHSA-fx92-wh72-8g9q.json b/advisories/github-reviewed/2022/05/GHSA-fx92-wh72-8g9q/GHSA-fx92-wh72-8g9q.json
index 42fca65dbe8..7f55de5102e 100644
--- a/advisories/github-reviewed/2022/05/GHSA-fx92-wh72-8g9q/GHSA-fx92-wh72-8g9q.json
+++ b/advisories/github-reviewed/2022/05/GHSA-fx92-wh72-8g9q/GHSA-fx92-wh72-8g9q.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-fx92-wh72-8g9q",
- "modified": "2023-12-04T15:21:05Z",
+ "modified": "2024-09-13T14:14:32Z",
"published": "2022-05-17T01:17:12Z",
"aliases": [
"CVE-2017-3154"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/05/GHSA-hq4r-47qc-3jhc/GHSA-hq4r-47qc-3jhc.json b/advisories/github-reviewed/2022/05/GHSA-hq4r-47qc-3jhc/GHSA-hq4r-47qc-3jhc.json
index 954f2d10ff4..73432e4e9b3 100644
--- a/advisories/github-reviewed/2022/05/GHSA-hq4r-47qc-3jhc/GHSA-hq4r-47qc-3jhc.json
+++ b/advisories/github-reviewed/2022/05/GHSA-hq4r-47qc-3jhc/GHSA-hq4r-47qc-3jhc.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hq4r-47qc-3jhc",
- "modified": "2023-08-31T16:12:41Z",
+ "modified": "2024-09-16T21:25:32Z",
"published": "2022-05-13T01:11:25Z",
"aliases": [
"CVE-2018-16552"
@@ -12,13 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "Django-CRM"
+ "name": "django-crm"
},
"ranges": [
{
@@ -47,6 +51,10 @@
{
"type": "PACKAGE",
"url": "https://github.com/MicroPyramid/Django-CRM"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-crm/PYSEC-2018-65.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-j6f7-hghw-g437/GHSA-j6f7-hghw-g437.json b/advisories/github-reviewed/2022/05/GHSA-j6f7-hghw-g437/GHSA-j6f7-hghw-g437.json
index 17be0061f3d..0be77b443cc 100644
--- a/advisories/github-reviewed/2022/05/GHSA-j6f7-hghw-g437/GHSA-j6f7-hghw-g437.json
+++ b/advisories/github-reviewed/2022/05/GHSA-j6f7-hghw-g437/GHSA-j6f7-hghw-g437.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-j6f7-hghw-g437",
- "modified": "2022-05-31T15:43:48Z",
+ "modified": "2024-09-13T14:23:26Z",
"published": "2022-05-17T03:05:15Z",
"aliases": [
"CVE-2016-9964"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -25,10 +29,10 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "0"
+ "introduced": "0.10.1"
},
{
- "fixed": "0.12.10"
+ "fixed": "0.12.11"
}
]
}
@@ -48,6 +52,10 @@
"type": "WEB",
"url": "https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/bottlepy/bottle/commit/78f67d51965db11cb1ed0003f1eb7926458b5c2c"
+ },
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-j6f7-hghw-g437"
@@ -62,11 +70,11 @@
},
{
"type": "WEB",
- "url": "http://www.debian.org/security/2016/dsa-3743"
+ "url": "https://web.archive.org/web/20170214030628/http://www.securityfocus.com/bid/94961"
},
{
"type": "WEB",
- "url": "http://www.securityfocus.com/bid/94961"
+ "url": "http://www.debian.org/security/2016/dsa-3743"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-jqqh-999x-w26w/GHSA-jqqh-999x-w26w.json b/advisories/github-reviewed/2022/05/GHSA-jqqh-999x-w26w/GHSA-jqqh-999x-w26w.json
index 2aa8c302e2d..0a4360854bd 100644
--- a/advisories/github-reviewed/2022/05/GHSA-jqqh-999x-w26w/GHSA-jqqh-999x-w26w.json
+++ b/advisories/github-reviewed/2022/05/GHSA-jqqh-999x-w26w/GHSA-jqqh-999x-w26w.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-jqqh-999x-w26w",
- "modified": "2024-04-01T19:29:57Z",
+ "modified": "2024-09-13T15:10:34Z",
"published": "2022-05-02T03:40:27Z",
"aliases": [
"CVE-2009-2959"
@@ -9,7 +9,14 @@
"summary": "Buildbot Cross-site scripting (XSS) vulnerability",
"details": "Cross-site scripting (XSS) vulnerability in the waterfall web status view (`status/web/waterfall.py`) in Buildbot 0.7.6 through 0.7.11p1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+ }
],
"affected": [
{
@@ -41,6 +48,30 @@
"type": "WEB",
"url": "https://github.com/buildbot/buildbot/commit/a08ee48e796ae66c54fca6a087b4adce7d1d6c06"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/buildbot/buildbot"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/buildbot/PYSEC-2009-1.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20101118080215/http://www.vupen.com/english/advisories/2009/2352"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20111225112636/http://secunia.com/advisories/36352"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20111225123121/http://secunia.com/advisories/36418"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20200228175025/http://www.securityfocus.com/bid/36100"
+ },
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00978.html"
@@ -53,25 +84,9 @@
"type": "WEB",
"url": "http://buildbot.net/trac#SecurityAlert"
},
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/36352"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/36418"
- },
{
"type": "WEB",
"url": "http://sourceforge.net/mailarchive/message.php?msg_name=42338fbf0908121232mb790a6cn787ac3de90e8bc31%40mail.gmail.com"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/36100"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2009/2352"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-mj3x-wprp-mvj9/GHSA-mj3x-wprp-mvj9.json b/advisories/github-reviewed/2022/05/GHSA-mj3x-wprp-mvj9/GHSA-mj3x-wprp-mvj9.json
index f4f82fd3452..e2b726bca5b 100644
--- a/advisories/github-reviewed/2022/05/GHSA-mj3x-wprp-mvj9/GHSA-mj3x-wprp-mvj9.json
+++ b/advisories/github-reviewed/2022/05/GHSA-mj3x-wprp-mvj9/GHSA-mj3x-wprp-mvj9.json
@@ -1,15 +1,22 @@
{
"schema_version": "1.4.0",
"id": "GHSA-mj3x-wprp-mvj9",
- "modified": "2024-04-01T19:28:56Z",
+ "modified": "2024-09-13T18:09:12Z",
"published": "2022-05-02T03:40:28Z",
"aliases": [
"CVE-2009-2967"
],
- "summary": "Buildbot Multiple cross-site scripting (XSS) vulnerabilities",
+ "summary": "Buildbot vulnerable to cross-site scripting",
"details": "Multiple cross-site scripting (XSS) vulnerabilities in Buildbot 0.7.6 through 0.7.11p2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, different vulnerabilities than CVE-2009-2959.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+ }
],
"affected": [
{
@@ -45,6 +52,14 @@
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52896"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/buildbot/buildbot"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/buildbot/PYSEC-2009-2.yaml"
+ },
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00978.html"
diff --git a/advisories/github-reviewed/2022/05/GHSA-mqwh-r366-4224/GHSA-mqwh-r366-4224.json b/advisories/github-reviewed/2022/05/GHSA-mqwh-r366-4224/GHSA-mqwh-r366-4224.json
index 84f442fc3be..70853e2eee3 100644
--- a/advisories/github-reviewed/2022/05/GHSA-mqwh-r366-4224/GHSA-mqwh-r366-4224.json
+++ b/advisories/github-reviewed/2022/05/GHSA-mqwh-r366-4224/GHSA-mqwh-r366-4224.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-mqwh-r366-4224",
- "modified": "2023-08-04T21:48:39Z",
+ "modified": "2024-09-13T15:56:14Z",
"published": "2022-05-24T17:29:11Z",
"aliases": [
"CVE-2020-7734"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L/E:U"
}
],
"affected": [
@@ -52,6 +56,10 @@
"type": "PACKAGE",
"url": "https://github.com/arachnys/cabot"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cabot/PYSEC-2020-227.yaml"
+ },
{
"type": "WEB",
"url": "https://itsmeanonartist.tech/blogs/blog2.html"
@@ -69,7 +77,7 @@
"cwe_ids": [
"CWE-79"
],
- "severity": "HIGH",
+ "severity": "LOW",
"github_reviewed": true,
"github_reviewed_at": "2023-08-04T21:48:39Z",
"nvd_published_at": "2020-09-22T08:15:00Z"
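Review bot: The `database_specific.severity` line drops from HIGH to LOW while the advisory's own unchanged `CVSS_V3` vector (`AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L`, 8.2 by the v3.1 calculator) still lands in the HIGH band, and the only new input in this commit is the `CVSS_V4` vector that carries the threat metric `E:U`. If the LOW label is derived from the v4 vector including `E:U` rather than from its base metrics, consumers reading the v3 score next to a LOW headline will see a contradiction; either the v4 base should be scored without the threat metric or the reason for the downgrade should be recorded. The same pattern appears in GHSA-pgxh-wfw4-jx2v, whose new `CVSS_V4` vector also ends in `E:U` while its severity stays MODERATE against a v3 base of 7.5. `github_reviewed_at` is also left at the 2023 value although the severity was re-assessed here.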
diff --git a/advisories/github-reviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json b/advisories/github-reviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json
index 85b715fcae7..2e749f3d31d 100644
--- a/advisories/github-reviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json
+++ b/advisories/github-reviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-p6m5-h7pp-v2x5",
- "modified": "2024-05-22T19:06:34Z",
+ "modified": "2024-09-16T21:57:14Z",
"published": "2022-05-02T03:47:43Z",
"aliases": [
"CVE-2009-3695"
@@ -9,7 +9,14 @@
"summary": "Django Regex Algorithmic Complexity Causes Denial of Service",
"details": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -22,7 +29,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.0.0"
+ "introduced": "1.0"
},
{
"fixed": "1.0.4"
@@ -41,7 +48,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.1.0"
+ "introduced": "1.1"
},
{
"fixed": "1.1.1"
@@ -72,6 +79,18 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2009-4.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20091013093057/http://secunia.com/advisories/36968"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web.archive.org/web/20091017070244/http://secunia.com/advisories/36948"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20200228171918/http://www.securityfocus.com/bid/36655"
@@ -102,7 +121,7 @@
"CWE-1333",
"CWE-400"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-02-08T22:00:20Z",
"nvd_published_at": "2009-10-13T10:30:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-pg8m-4p8j-2p56/GHSA-pg8m-4p8j-2p56.json b/advisories/github-reviewed/2022/05/GHSA-pg8m-4p8j-2p56/GHSA-pg8m-4p8j-2p56.json
index 628e37c06de..b3c1d6a33c5 100644
--- a/advisories/github-reviewed/2022/05/GHSA-pg8m-4p8j-2p56/GHSA-pg8m-4p8j-2p56.json
+++ b/advisories/github-reviewed/2022/05/GHSA-pg8m-4p8j-2p56/GHSA-pg8m-4p8j-2p56.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-pg8m-4p8j-2p56",
- "modified": "2023-08-31T15:50:47Z",
+ "modified": "2024-09-13T14:12:38Z",
"published": "2022-05-24T19:17:46Z",
"aliases": [
"CVE-2021-41971"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/05/GHSA-pgxh-wfw4-jx2v/GHSA-pgxh-wfw4-jx2v.json b/advisories/github-reviewed/2022/05/GHSA-pgxh-wfw4-jx2v/GHSA-pgxh-wfw4-jx2v.json
index 8a69aab0f38..6d9e1f1ef47 100644
--- a/advisories/github-reviewed/2022/05/GHSA-pgxh-wfw4-jx2v/GHSA-pgxh-wfw4-jx2v.json
+++ b/advisories/github-reviewed/2022/05/GHSA-pgxh-wfw4-jx2v/GHSA-pgxh-wfw4-jx2v.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-pgxh-wfw4-jx2v",
- "modified": "2024-05-08T17:38:27Z",
+ "modified": "2024-09-17T15:08:38Z",
"published": "2022-05-17T00:36:02Z",
"aliases": [
"CVE-2015-5963"
@@ -9,13 +9,20 @@
"summary": "Django denial of service via empty session record creation",
"details": "`contrib.sessions.middleware.SessionMiddleware` in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to `contrib.auth.views.logout`, which triggers the creation of an empty session record.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ecosystem_specific": {
"affected_functions": [
@@ -27,7 +34,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.8.0"
+ "introduced": "1.8"
},
{
"fixed": "1.8.4"
@@ -39,7 +46,7 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ecosystem_specific": {
"affected_functions": [
@@ -51,7 +58,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.7.0"
+ "introduced": "1.7"
},
{
"fixed": "1.7.10"
@@ -63,7 +70,7 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ecosystem_specific": {
"affected_functions": [
@@ -75,7 +82,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.4.0"
+ "introduced": "1.4"
},
{
"fixed": "1.4.22"
@@ -118,6 +125,10 @@
"type": "WEB",
"url": "https://github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.8.4.txt#L9-L21"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-22.yaml"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20150904151934/http://www.securitytracker.com/id/1033318"
@@ -169,7 +180,7 @@
],
"database_specific": {
"cwe_ids": [
-
+ "CWE-770"
],
"severity": "MODERATE",
"github_reviewed": true,
diff --git a/advisories/github-reviewed/2022/05/GHSA-q3cj-2r34-2cwc/GHSA-q3cj-2r34-2cwc.json b/advisories/github-reviewed/2022/05/GHSA-q3cj-2r34-2cwc/GHSA-q3cj-2r34-2cwc.json
index ee50726a3f4..3c663a50b0e 100644
--- a/advisories/github-reviewed/2022/05/GHSA-q3cj-2r34-2cwc/GHSA-q3cj-2r34-2cwc.json
+++ b/advisories/github-reviewed/2022/05/GHSA-q3cj-2r34-2cwc/GHSA-q3cj-2r34-2cwc.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-q3cj-2r34-2cwc",
- "modified": "2022-06-17T21:29:04Z",
+ "modified": "2024-09-13T20:08:25Z",
"published": "2022-05-17T02:51:56Z",
"aliases": [
"CVE-2016-9243"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -68,6 +72,18 @@
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2017-8.yaml"
},
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U23KDR2M2N7W2ZSREG63BVW7D4VC6CIZ"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQ5G7KHKZC4SI23JE7277KZXM57GEQKT"
+ },
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL"
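Review bot: The three added Fedora list URLs duplicate references that already exist in the same `references` array and differ only in URL-encoding of the address (`package-announce%40lists.fedoraproject.org` versus `package-announce@lists.fedoraproject.org`), as the shared message id `5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL` in the last added entry and the first kept entry shows. Reference deduplication should compare URLs after percent-decoding so that one form is kept; otherwise downstream tooling that keys on exact URL strings will present each advisory link twice.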
diff --git a/advisories/github-reviewed/2022/05/GHSA-q586-7p8w-9pg8/GHSA-q586-7p8w-9pg8.json b/advisories/github-reviewed/2022/05/GHSA-q586-7p8w-9pg8/GHSA-q586-7p8w-9pg8.json
index 57333139770..ee81161b26b 100644
--- a/advisories/github-reviewed/2022/05/GHSA-q586-7p8w-9pg8/GHSA-q586-7p8w-9pg8.json
+++ b/advisories/github-reviewed/2022/05/GHSA-q586-7p8w-9pg8/GHSA-q586-7p8w-9pg8.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-q586-7p8w-9pg8",
- "modified": "2022-11-04T18:44:00Z",
+ "modified": "2024-09-13T14:13:40Z",
"published": "2022-05-17T01:17:12Z",
"aliases": [
"CVE-2017-3155"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -59,10 +63,6 @@
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227151159/http://www.securityfocus.com/bid/100587"
- },
- {
- "type": "WEB",
- "url": "http://www.securityfocus.com/bid/100587"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-q624-9634-77gh/GHSA-q624-9634-77gh.json b/advisories/github-reviewed/2022/05/GHSA-q624-9634-77gh/GHSA-q624-9634-77gh.json
index dcbe813a53c..ba323d1bf37 100644
--- a/advisories/github-reviewed/2022/05/GHSA-q624-9634-77gh/GHSA-q624-9634-77gh.json
+++ b/advisories/github-reviewed/2022/05/GHSA-q624-9634-77gh/GHSA-q624-9634-77gh.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-q624-9634-77gh",
- "modified": "2024-04-29T16:53:37Z",
+ "modified": "2024-09-13T14:25:12Z",
"published": "2022-05-17T02:52:55Z",
"aliases": [
"CVE-2015-8309"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -52,6 +56,10 @@
"type": "PACKAGE",
"url": "https://github.com/devsnd/cherrymusic"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cherrymusic/PYSEC-2017-99.yaml"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227183321/http://www.securityfocus.com/bid/97149"
diff --git a/advisories/github-reviewed/2022/05/GHSA-qgvw-qc2q-gv5q/GHSA-qgvw-qc2q-gv5q.json b/advisories/github-reviewed/2022/05/GHSA-qgvw-qc2q-gv5q/GHSA-qgvw-qc2q-gv5q.json
index e78412b147b..5d4a9bd55b2 100644
--- a/advisories/github-reviewed/2022/05/GHSA-qgvw-qc2q-gv5q/GHSA-qgvw-qc2q-gv5q.json
+++ b/advisories/github-reviewed/2022/05/GHSA-qgvw-qc2q-gv5q/GHSA-qgvw-qc2q-gv5q.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-qgvw-qc2q-gv5q",
- "modified": "2024-01-12T20:55:43Z",
+ "modified": "2024-09-16T22:12:36Z",
"published": "2022-05-14T03:08:09Z",
"aliases": [
"CVE-2011-4104"
@@ -9,7 +9,14 @@
"summary": "Django Tastypie Improper Deserialization of YAML Data",
"details": "The `from_yaml` method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -41,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/toastdriven/django-tastypie/commit/e8af315211b07c8f48f32a063233cc3f76dd5bc2"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-tastypie/PYSEC-2014-25.yaml"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/toastdriven/django-tastypie"
@@ -66,7 +77,7 @@
"cwe_ids": [
"CWE-502"
],
- "severity": "HIGH",
+ "severity": "CRITICAL",
"github_reviewed": true,
"github_reviewed_at": "2024-01-12T20:55:43Z",
"nvd_published_at": "2014-10-27T01:55:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-qh9x-mc42-vg4g/GHSA-qh9x-mc42-vg4g.json b/advisories/github-reviewed/2022/05/GHSA-qh9x-mc42-vg4g/GHSA-qh9x-mc42-vg4g.json
index 14774c6a1f6..02d628c5af0 100644
--- a/advisories/github-reviewed/2022/05/GHSA-qh9x-mc42-vg4g/GHSA-qh9x-mc42-vg4g.json
+++ b/advisories/github-reviewed/2022/05/GHSA-qh9x-mc42-vg4g/GHSA-qh9x-mc42-vg4g.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-qh9x-mc42-vg4g",
- "modified": "2022-07-27T21:33:52Z",
+ "modified": "2024-09-16T21:27:22Z",
"published": "2022-05-14T03:32:28Z",
"aliases": [
"CVE-2018-1000089"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/05/GHSA-r5cj-wv24-92p5/GHSA-r5cj-wv24-92p5.json b/advisories/github-reviewed/2022/05/GHSA-r5cj-wv24-92p5/GHSA-r5cj-wv24-92p5.json
index 794f6b9bd43..1e4bcd24d8d 100644
--- a/advisories/github-reviewed/2022/05/GHSA-r5cj-wv24-92p5/GHSA-r5cj-wv24-92p5.json
+++ b/advisories/github-reviewed/2022/05/GHSA-r5cj-wv24-92p5/GHSA-r5cj-wv24-92p5.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-r5cj-wv24-92p5",
- "modified": "2024-05-21T20:28:50Z",
+ "modified": "2024-09-16T22:32:44Z",
"published": "2022-05-02T00:05:00Z",
"aliases": [
"CVE-2008-3909"
@@ -9,13 +9,20 @@
"summary": "Django cross-site request forgery (CSRF) vulnerability",
"details": "The administration application in Django 0.91.x, 0.95.x, and 0.96.x stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
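Review bot: Both added vectors score this CWE-352 advisory with no user interaction (`UI:N` in the `CVSS_V3` score, `UI:N` in the `CVSS_V4` score), which is unusual for cross-site request forgery, where the victim normally has to act (visit a page, or here, authenticate after the stored POST). The details text describes exactly that sequence, so `UI:R` / `UI:P` would seem to fit better; the sibling Buildbot XSS advisory in this same commit uses `UI:R`/`UI:P`. The affected-ranges and remaining references for this advisory are in later hunks.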
@@ -34,7 +41,7 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -53,7 +60,7 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -95,6 +102,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2008-2.yaml"
+ },
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00091.html"
@@ -103,18 +114,6 @@
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00131.html"
},
- {
- "type": "WEB",
- "url": "http://osvdb.org/47906"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/31837"
- },
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/31961"
- },
{
"type": "WEB",
"url": "http://www.debian.org/security/2008/dsa-1640"
@@ -126,17 +125,13 @@
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/09/03/4"
- },
- {
- "type": "WEB",
- "url": "http://www.vupen.com/english/advisories/2008/2533"
}
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2023-09-22T23:12:22Z",
"nvd_published_at": "2008-09-04T17:41:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-rm2j-x595-q9cj/GHSA-rm2j-x595-q9cj.json b/advisories/github-reviewed/2022/05/GHSA-rm2j-x595-q9cj/GHSA-rm2j-x595-q9cj.json
index b422d3623f7..ffe8dded1c7 100644
--- a/advisories/github-reviewed/2022/05/GHSA-rm2j-x595-q9cj/GHSA-rm2j-x595-q9cj.json
+++ b/advisories/github-reviewed/2022/05/GHSA-rm2j-x595-q9cj/GHSA-rm2j-x595-q9cj.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-rm2j-x595-q9cj",
- "modified": "2024-01-16T22:47:59Z",
+ "modified": "2024-09-16T22:35:46Z",
"published": "2022-05-14T03:49:36Z",
"aliases": [
"CVE-2011-4139"
@@ -9,13 +9,20 @@
"summary": "Django Vulnerable to Cache Poisoning",
"details": "Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
@@ -34,14 +41,14 @@
{
"package": {
"ecosystem": "PyPI",
- "name": "django"
+ "name": "Django"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.3.0"
+ "introduced": "1.3"
},
{
"fixed": "1.3.1"
@@ -72,6 +79,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-4.yaml"
+ },
{
"type": "WEB",
"url": "https://hermes.opensuse.org/messages/14700881"
@@ -102,7 +113,7 @@
"CWE-20",
"CWE-349"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-01-16T22:47:59Z",
"nvd_published_at": "2011-10-19T10:55:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-rvq6-mrpv-m6rm/GHSA-rvq6-mrpv-m6rm.json b/advisories/github-reviewed/2022/05/GHSA-rvq6-mrpv-m6rm/GHSA-rvq6-mrpv-m6rm.json
index 99642db654c..9009ea42e3b 100644
--- a/advisories/github-reviewed/2022/05/GHSA-rvq6-mrpv-m6rm/GHSA-rvq6-mrpv-m6rm.json
+++ b/advisories/github-reviewed/2022/05/GHSA-rvq6-mrpv-m6rm/GHSA-rvq6-mrpv-m6rm.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-rvq6-mrpv-m6rm",
- "modified": "2024-05-16T18:28:00Z",
+ "modified": "2024-09-16T22:13:37Z",
"published": "2022-05-17T03:07:04Z",
"aliases": [
"CVE-2014-0472"
@@ -9,7 +9,14 @@
"summary": "Code Injection in Django",
"details": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\"",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -51,7 +58,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.5.0"
+ "introduced": "1.5"
},
{
"fixed": "1.5.6"
@@ -75,7 +82,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.6.0"
+ "introduced": "1.6"
},
{
"fixed": "1.6.3"
@@ -106,6 +113,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-1.yaml"
+ },
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2014/apr/21/security"
@@ -122,10 +133,6 @@
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
},
- {
- "type": "WEB",
- "url": "http://secunia.com/advisories/61281"
- },
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2934"
@@ -139,7 +146,7 @@
"cwe_ids": [
"CWE-94"
],
- "severity": "MODERATE",
+ "severity": "CRITICAL",
"github_reviewed": true,
"github_reviewed_at": "2023-02-23T23:29:51Z",
"nvd_published_at": "2014-04-23T15:55:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-v3m2-pg96-w33m/GHSA-v3m2-pg96-w33m.json b/advisories/github-reviewed/2022/05/GHSA-v3m2-pg96-w33m/GHSA-v3m2-pg96-w33m.json
index 87dd72e28ea..1ddd119801e 100644
--- a/advisories/github-reviewed/2022/05/GHSA-v3m2-pg96-w33m/GHSA-v3m2-pg96-w33m.json
+++ b/advisories/github-reviewed/2022/05/GHSA-v3m2-pg96-w33m/GHSA-v3m2-pg96-w33m.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-v3m2-pg96-w33m",
- "modified": "2024-04-29T10:26:03Z",
+ "modified": "2024-09-13T14:24:17Z",
"published": "2022-05-24T17:20:04Z",
"aliases": [
"CVE-2020-10755"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -151,6 +155,10 @@
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10755"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cinder/PYSEC-2020-228.yaml"
+ },
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4420-1"
diff --git a/advisories/github-reviewed/2022/05/GHSA-vcwx-8mqh-2557/GHSA-vcwx-8mqh-2557.json b/advisories/github-reviewed/2022/05/GHSA-vcwx-8mqh-2557/GHSA-vcwx-8mqh-2557.json
index c69c56acb69..b862255aee9 100644
--- a/advisories/github-reviewed/2022/05/GHSA-vcwx-8mqh-2557/GHSA-vcwx-8mqh-2557.json
+++ b/advisories/github-reviewed/2022/05/GHSA-vcwx-8mqh-2557/GHSA-vcwx-8mqh-2557.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-vcwx-8mqh-2557",
- "modified": "2023-08-04T21:52:41Z",
+ "modified": "2024-09-12T20:33:30Z",
"published": "2022-05-17T00:14:14Z",
"aliases": [
"CVE-2017-17054"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
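Review bot: The added `CVSS_V4` vector opens with `AV:N`, but the existing `CVSS_V3` vector two lines above it is `AV:L` with `UI:R`, i.e. a locally supplied crafted file that needs user interaction; the two vectors now disagree on the attack vector for the same issue. If the v3 assessment is right, the v4 vector should be `CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`; if v4 is right, the v3 score needs the same correction. Either way the pair should be made consistent before the headline severity is derived from them.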
@@ -55,6 +59,10 @@
{
"type": "PACKAGE",
"url": "https://github.com/aubio/aubio"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aubio/PYSEC-2017-75.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-vx77-5pf4-c9wr/GHSA-vx77-5pf4-c9wr.json b/advisories/github-reviewed/2022/05/GHSA-vx77-5pf4-c9wr/GHSA-vx77-5pf4-c9wr.json
index c69878b54a2..5512d7f3768 100644
--- a/advisories/github-reviewed/2022/05/GHSA-vx77-5pf4-c9wr/GHSA-vx77-5pf4-c9wr.json
+++ b/advisories/github-reviewed/2022/05/GHSA-vx77-5pf4-c9wr/GHSA-vx77-5pf4-c9wr.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-vx77-5pf4-c9wr",
- "modified": "2024-04-29T14:31:33Z",
+ "modified": "2024-09-13T17:48:35Z",
"published": "2022-05-01T06:43:18Z",
"aliases": [
"CVE-2006-0847"
@@ -9,7 +9,14 @@
"summary": "CherryPy Directory traversal vulnerability",
"details": "Directory traversal vulnerability in the staticfilter component in CherryPy before 2.1.1 allows remote attackers to read arbitrary files via \"..\" sequences in unspecified vectors.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -41,6 +48,14 @@
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24809"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/cherrypy/cherrypy"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cherrypy/PYSEC-2006-1.yaml"
+ },
{
"type": "WEB",
"url": "https://web.archive.org/web/20140724140216/http://secunia.com/advisories/18944"
@@ -72,9 +87,9 @@
],
"database_specific": {
"cwe_ids": [
-
+ "CWE-22"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-04-29T14:31:33Z",
"nvd_published_at": "2006-02-22T02:02:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-w3j6-8j34-q43x/GHSA-w3j6-8j34-q43x.json b/advisories/github-reviewed/2022/05/GHSA-w3j6-8j34-q43x/GHSA-w3j6-8j34-q43x.json
index 37a4a3d4be6..571eece2709 100644
--- a/advisories/github-reviewed/2022/05/GHSA-w3j6-8j34-q43x/GHSA-w3j6-8j34-q43x.json
+++ b/advisories/github-reviewed/2022/05/GHSA-w3j6-8j34-q43x/GHSA-w3j6-8j34-q43x.json
@@ -1,15 +1,22 @@
{
"schema_version": "1.4.0",
"id": "GHSA-w3j6-8j34-q43x",
- "modified": "2024-02-23T20:59:34Z",
+ "modified": "2024-09-13T14:18:40Z",
"published": "2022-05-17T05:39:24Z",
"aliases": [
"CVE-2010-4340"
],
"summary": "Apache Libcloud does not verify SSL certificates for HTTPS connections",
- "details": "libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack. This is due to an upstream issue with python's SSL module rather than directly with libcloud.",
+ "details": "libcloud before 0.4.0 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack. This is due to an upstream issue with python's SSL module rather than directly with libcloud.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -25,14 +32,11 @@
"introduced": "0"
},
{
- "fixed": "0.4.1"
+ "fixed": "0.4.0"
}
]
}
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 0.4.0"
- }
+ ]
}
],
"references": [
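Review bot: The fix boundary is tightened from `"fixed": "0.4.1"` to `"fixed": "0.4.0"` and the `last_known_affected_version_range: "<= 0.4.0"` block is deleted, which turns 0.4.0 from a known-affected release into a fixed one. The previous hunk rewrote the details text from "before 0.4.1" to "before 0.4.0" to match, but the removed wording is the one that matches the CVE-2010-4340 description, so this looks like a deliberate correction that should be backed by the cited LIBCLOUD-55 issue or the newly added PYSEC-2011-24 entry rather than left implicit. If 0.4.0 is indeed fixed, a short note in `details` on why the range differs from the CVE text would prevent the next sync from reverting it.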
@@ -52,6 +56,10 @@
"type": "PACKAGE",
"url": "https://github.com/apache/libcloud"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-libcloud/PYSEC-2011-24.yaml"
+ },
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/LIBCLOUD-55"
@@ -77,7 +85,7 @@
"cwe_ids": [
"CWE-295"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-02-23T20:59:34Z",
"nvd_published_at": "2011-09-12T12:41:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-wp7w-vx86-vj9h/GHSA-wp7w-vx86-vj9h.json b/advisories/github-reviewed/2022/05/GHSA-wp7w-vx86-vj9h/GHSA-wp7w-vx86-vj9h.json
index 59bc25833a8..9fb4994fac1 100644
--- a/advisories/github-reviewed/2022/05/GHSA-wp7w-vx86-vj9h/GHSA-wp7w-vx86-vj9h.json
+++ b/advisories/github-reviewed/2022/05/GHSA-wp7w-vx86-vj9h/GHSA-wp7w-vx86-vj9h.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-wp7w-vx86-vj9h",
- "modified": "2023-07-21T21:42:33Z",
+ "modified": "2024-09-16T15:00:24Z",
"published": "2022-05-13T01:34:58Z",
"aliases": [
"CVE-2018-10856"
@@ -12,13 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
{
"package": {
"ecosystem": "Go",
- "name": "github.com/containers/podman/v4"
+ "name": "github.com/containers/podman"
},
"ranges": [
{
@@ -51,6 +55,10 @@
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10856"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/containers/podman"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2022/05/GHSA-wxg3-mfph-qg9w/GHSA-wxg3-mfph-qg9w.json b/advisories/github-reviewed/2022/05/GHSA-wxg3-mfph-qg9w/GHSA-wxg3-mfph-qg9w.json
index 598eed56cee..89e660bde14 100644
--- a/advisories/github-reviewed/2022/05/GHSA-wxg3-mfph-qg9w/GHSA-wxg3-mfph-qg9w.json
+++ b/advisories/github-reviewed/2022/05/GHSA-wxg3-mfph-qg9w/GHSA-wxg3-mfph-qg9w.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-wxg3-mfph-qg9w",
- "modified": "2024-01-16T22:48:09Z",
+ "modified": "2024-09-16T22:32:03Z",
"published": "2022-05-14T03:49:36Z",
"aliases": [
"CVE-2011-4138"
@@ -9,7 +9,14 @@
"summary": "Django Might Allow CSRF Requests via URL Verification",
"details": "The `verify_exists` functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -41,7 +48,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "1.3.0"
+ "introduced": "1.3"
},
{
"fixed": "1.3.1"
@@ -72,6 +79,10 @@
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-3.yaml"
+ },
{
"type": "WEB",
"url": "https://hermes.opensuse.org/messages/14700881"
@@ -101,7 +112,7 @@
"cwe_ids": [
"CWE-20"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-01-16T22:48:09Z",
"nvd_published_at": "2011-10-19T10:55:00Z"
diff --git a/advisories/github-reviewed/2022/05/GHSA-wxmr-7xjv-8xqw/GHSA-wxmr-7xjv-8xqw.json b/advisories/github-reviewed/2022/05/GHSA-wxmr-7xjv-8xqw/GHSA-wxmr-7xjv-8xqw.json
index 1d269de0176..162b197876f 100644
--- a/advisories/github-reviewed/2022/05/GHSA-wxmr-7xjv-8xqw/GHSA-wxmr-7xjv-8xqw.json
+++ b/advisories/github-reviewed/2022/05/GHSA-wxmr-7xjv-8xqw/GHSA-wxmr-7xjv-8xqw.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-wxmr-7xjv-8xqw",
- "modified": "2023-08-04T23:07:33Z",
+ "modified": "2024-09-16T21:28:10Z",
"published": "2022-05-17T04:13:43Z",
"aliases": [
"CVE-2015-0846"
@@ -9,7 +9,14 @@
"summary": "django-markupfield Arbitrary File Read",
"details": "django-markupfield before 1.3.2 uses the default docutils `RESTRUCTUREDTEXT_FILTER_SETTINGS` settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -17,6 +24,11 @@
"ecosystem": "PyPI",
"name": "django-markupfield"
},
+ "ecosystem_specific": {
+ "affected_functions": [
+ "markupfield.markup.render_rest"
+ ]
+ },
"ranges": [
{
"type": "ECOSYSTEM",
@@ -49,6 +61,14 @@
"type": "WEB",
"url": "https://github.com/jamesturk/django-markupfield/blob/1.3.3/CHANGELOG"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/jamesturk/django-markupfield/blob/master/CHANGELOG"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-markupfield/PYSEC-2015-12.yaml"
+ },
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2015/apr/21/docutils-security-advisory"
@@ -62,7 +82,7 @@
"cwe_ids": [
"CWE-200"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2023-08-04T23:07:33Z",
"nvd_published_at": "2015-04-24T14:59:00Z"
diff --git a/advisories/github-reviewed/2022/06/GHSA-4w8f-hjm9-xwgf/GHSA-4w8f-hjm9-xwgf.json b/advisories/github-reviewed/2022/06/GHSA-4w8f-hjm9-xwgf/GHSA-4w8f-hjm9-xwgf.json
index fd2e8a6d213..29fadc1a85a 100644
--- a/advisories/github-reviewed/2022/06/GHSA-4w8f-hjm9-xwgf/GHSA-4w8f-hjm9-xwgf.json
+++ b/advisories/github-reviewed/2022/06/GHSA-4w8f-hjm9-xwgf/GHSA-4w8f-hjm9-xwgf.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4w8f-hjm9-xwgf",
- "modified": "2022-06-06T21:24:24Z",
+ "modified": "2024-09-16T21:49:30Z",
"published": "2022-06-06T21:24:24Z",
"aliases": [
"CVE-2022-24840"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/06/GHSA-9266-j9v3-q4j5/GHSA-9266-j9v3-q4j5.json b/advisories/github-reviewed/2022/06/GHSA-9266-j9v3-q4j5/GHSA-9266-j9v3-q4j5.json
index b5cfb356502..71eeeb40bca 100644
--- a/advisories/github-reviewed/2022/06/GHSA-9266-j9v3-q4j5/GHSA-9266-j9v3-q4j5.json
+++ b/advisories/github-reviewed/2022/06/GHSA-9266-j9v3-q4j5/GHSA-9266-j9v3-q4j5.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9266-j9v3-q4j5",
- "modified": "2024-04-24T21:38:00Z",
+ "modified": "2024-09-13T18:30:10Z",
"published": "2022-06-11T00:00:36Z",
"aliases": [
"CVE-2022-32563"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -40,6 +44,18 @@
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32563"
},
+ {
+ "type": "WEB",
+ "url": "https://forums.couchbase.com/tags/security"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/couchbase/PYSEC-2022-207.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.couchbase.com/alerts"
+ },
{
"type": "WEB",
"url": "https://www.couchbase.com/alerts/#CVE-2022-32563"
diff --git a/advisories/github-reviewed/2022/06/GHSA-f4q6-9qm4-h8j4/GHSA-f4q6-9qm4-h8j4.json b/advisories/github-reviewed/2022/06/GHSA-f4q6-9qm4-h8j4/GHSA-f4q6-9qm4-h8j4.json
index 16fde421caa..2e426895b06 100644
--- a/advisories/github-reviewed/2022/06/GHSA-f4q6-9qm4-h8j4/GHSA-f4q6-9qm4-h8j4.json
+++ b/advisories/github-reviewed/2022/06/GHSA-f4q6-9qm4-h8j4/GHSA-f4q6-9qm4-h8j4.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-f4q6-9qm4-h8j4",
- "modified": "2022-06-09T23:48:49Z",
+ "modified": "2024-09-13T18:10:22Z",
"published": "2022-06-09T23:48:49Z",
"aliases": [
"CVE-2022-24065"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/06/GHSA-xhp9-4947-rq78/GHSA-xhp9-4947-rq78.json b/advisories/github-reviewed/2022/06/GHSA-xhp9-4947-rq78/GHSA-xhp9-4947-rq78.json
index 32da13b75b2..043885d170a 100644
--- a/advisories/github-reviewed/2022/06/GHSA-xhp9-4947-rq78/GHSA-xhp9-4947-rq78.json
+++ b/advisories/github-reviewed/2022/06/GHSA-xhp9-4947-rq78/GHSA-xhp9-4947-rq78.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-xhp9-4947-rq78",
- "modified": "2022-06-14T20:06:55Z",
+ "modified": "2024-09-13T15:51:00Z",
"published": "2022-06-03T00:01:15Z",
"aliases": [
"CVE-2022-31799"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/07/GHSA-h3qr-fjhm-jphw/GHSA-h3qr-fjhm-jphw.json b/advisories/github-reviewed/2022/07/GHSA-h3qr-fjhm-jphw/GHSA-h3qr-fjhm-jphw.json
index 9c4a0c398ba..839dc745b8b 100644
--- a/advisories/github-reviewed/2022/07/GHSA-h3qr-fjhm-jphw/GHSA-h3qr-fjhm-jphw.json
+++ b/advisories/github-reviewed/2022/07/GHSA-h3qr-fjhm-jphw/GHSA-h3qr-fjhm-jphw.json
@@ -1,17 +1,21 @@
{
"schema_version": "1.4.0",
"id": "GHSA-h3qr-fjhm-jphw",
- "modified": "2022-07-29T18:08:32Z",
+ "modified": "2024-09-13T15:05:09Z",
"published": "2022-07-14T00:00:23Z",
"aliases": [
"CVE-2019-10800"
],
- "summary": "Codecov prior to 2.0.16 does not sanitize gcov arguments",
+ "summary": "Codecov does not sanitize gcov arguments",
"details": "This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being being provided to the popen method.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -44,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/codecov/codecov-python/commit/2a80aa434f74feb31242b6f213b75ce63ae97902"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-h3qr-fjhm-jphw"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/codecov/codecov-python"
diff --git a/advisories/github-reviewed/2022/07/GHSA-hwqr-f3v9-hwxr/GHSA-hwqr-f3v9-hwxr.json b/advisories/github-reviewed/2022/07/GHSA-hwqr-f3v9-hwxr/GHSA-hwqr-f3v9-hwxr.json
index 032af7d4484..929b4ba2ee5 100644
--- a/advisories/github-reviewed/2022/07/GHSA-hwqr-f3v9-hwxr/GHSA-hwqr-f3v9-hwxr.json
+++ b/advisories/github-reviewed/2022/07/GHSA-hwqr-f3v9-hwxr/GHSA-hwqr-f3v9-hwxr.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hwqr-f3v9-hwxr",
- "modified": "2022-07-15T21:56:08Z",
+ "modified": "2024-09-16T13:56:39Z",
"published": "2022-07-15T21:56:08Z",
"aliases": [
@@ -9,7 +9,14 @@
"summary": "Workers for local Dask clusters mistakenly listened on public interfaces",
"details": "Versions of `distributed` earlier than `2021.10.0` had a potential security vulnerability relating to single-machine Dask clusters.\n\nClusters started with `dask.distributed.LocalCluster` or `dask.distributed.Client()` (which defaults to using `LocalCluster`) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on `localhost`. A Dask cluster created using this method AND running on a machine that has these ports exposed could be used by a sophisticated attacker to enable remote code execution. Users running on machines with standard firewalls in place, or using clusters created via cluster objects other than `LocalCluster` (e.g. `dask_kubernetes.KubeCluster`) should not be affected. This vulnerability is documented in CVE-2021-42343, and was fixed in version `2021.10.0` (PR #5427).",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
@@ -17,6 +24,12 @@
"ecosystem": "PyPI",
"name": "distributed"
},
+ "ecosystem_specific": {
+ "affected_functions": [
+ "dask.distributed.LocalCluster",
+ "dask.distributed.Client"
+ ]
+ },
"ranges": [
{
"type": "ECOSYSTEM",
@@ -37,6 +50,14 @@
"type": "WEB",
"url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/dask/distributed/pull/5427"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dask/distributed/commit/afce4be8e05fb180e50a9d9e38465f1a82295e1b"
+ },
{
"type": "WEB",
"url": "https://docs.dask.org/en/latest/changelog.html"
@@ -64,9 +85,9 @@
],
"database_specific": {
"cwe_ids": [
-
+ "CWE-668"
],
- "severity": "MODERATE",
+ "severity": "CRITICAL",
"github_reviewed": true,
"github_reviewed_at": "2022-07-15T21:56:08Z",
"nvd_published_at": null
diff --git a/advisories/github-reviewed/2022/08/GHSA-5c8p-qhch-qhx6/GHSA-5c8p-qhch-qhx6.json b/advisories/github-reviewed/2022/08/GHSA-5c8p-qhch-qhx6/GHSA-5c8p-qhch-qhx6.json
index 6cad70f7525..9a4281d5684 100644
--- a/advisories/github-reviewed/2022/08/GHSA-5c8p-qhch-qhx6/GHSA-5c8p-qhch-qhx6.json
+++ b/advisories/github-reviewed/2022/08/GHSA-5c8p-qhch-qhx6/GHSA-5c8p-qhch-qhx6.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5c8p-qhch-qhx6",
- "modified": "2022-09-01T22:19:29Z",
+ "modified": "2024-09-16T13:50:34Z",
"published": "2022-08-27T00:00:44Z",
"aliases": [
"CVE-2021-3427"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/10/GHSA-g6hg-4v3c-6jq7/GHSA-g6hg-4v3c-6jq7.json b/advisories/github-reviewed/2022/10/GHSA-g6hg-4v3c-6jq7/GHSA-g6hg-4v3c-6jq7.json
index 15fd5e49d13..e04ae8ea2ed 100644
--- a/advisories/github-reviewed/2022/10/GHSA-g6hg-4v3c-6jq7/GHSA-g6hg-4v3c-6jq7.json
+++ b/advisories/github-reviewed/2022/10/GHSA-g6hg-4v3c-6jq7/GHSA-g6hg-4v3c-6jq7.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-g6hg-4v3c-6jq7",
- "modified": "2022-10-31T15:43:23Z",
+ "modified": "2024-09-12T20:28:44Z",
"published": "2022-10-26T19:00:39Z",
"aliases": [
"CVE-2022-43766"
@@ -12,13 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
{
"package": {
"ecosystem": "Maven",
- "name": "org.apache.iotdb:iotdb-parent"
+ "name": "org.apache.iotdb:flink-tsfile-connector"
},
"ranges": [
{
@@ -44,10 +48,48 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "0.13.0"
+ "introduced": "0.12.2"
},
{
- "fixed": "0.14.0rc1"
+ "fixed": "0.13.3"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.iotdb:iotdb-server"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.12.2"
+ },
+ {
+ "fixed": "0.13.3"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.iotdb:tsfile"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.12.2"
+ },
+ {
+ "fixed": "0.13.3"
}
]
}
diff --git a/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json b/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json
index 504375436b0..79969847321 100644
--- a/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json
+++ b/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-jjjh-jjxp-wpff",
- "modified": "2024-03-15T00:14:43Z",
+ "modified": "2024-09-13T18:29:13Z",
"published": "2022-10-03T00:00:31Z",
"aliases": [
"CVE-2022-42003"
],
"summary": "Uncontrolled Resource Consumption in Jackson-databind",
- "details": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.\n\nCommits that introduced vulnerable code are \nhttps://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.\n\nFix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.",
+ "details": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.\n\nCommits that introduced vulnerable code are \nhttps://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.\n\nFix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.\n\nThe `2.13.4.1` release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in `2.13.4.2` which is listed in the advisory metadata so that users are not subjected to unnecessary build failures",
"severity": [
{
"type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2022/10/GHSA-vw39-2wj9-4q86/GHSA-vw39-2wj9-4q86.json b/advisories/github-reviewed/2022/10/GHSA-vw39-2wj9-4q86/GHSA-vw39-2wj9-4q86.json
index a1f35c056d0..ee822d1252a 100644
--- a/advisories/github-reviewed/2022/10/GHSA-vw39-2wj9-4q86/GHSA-vw39-2wj9-4q86.json
+++ b/advisories/github-reviewed/2022/10/GHSA-vw39-2wj9-4q86/GHSA-vw39-2wj9-4q86.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-vw39-2wj9-4q86",
- "modified": "2022-10-11T20:49:45Z",
+ "modified": "2024-09-16T22:09:24Z",
"published": "2022-10-11T19:00:29Z",
"aliases": [
"CVE-2022-42731"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/12/GHSA-287q-jfcp-9vhv/GHSA-287q-jfcp-9vhv.json b/advisories/github-reviewed/2022/12/GHSA-287q-jfcp-9vhv/GHSA-287q-jfcp-9vhv.json
index f893a3ff8ff..2ab8f97cfba 100644
--- a/advisories/github-reviewed/2022/12/GHSA-287q-jfcp-9vhv/GHSA-287q-jfcp-9vhv.json
+++ b/advisories/github-reviewed/2022/12/GHSA-287q-jfcp-9vhv/GHSA-287q-jfcp-9vhv.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-287q-jfcp-9vhv",
- "modified": "2022-12-21T16:13:03Z",
+ "modified": "2024-09-16T21:38:52Z",
"published": "2022-12-15T21:30:26Z",
"aliases": [
"CVE-2022-4526"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2022/12/GHSA-43fp-rhv2-5gv8/GHSA-43fp-rhv2-5gv8.json b/advisories/github-reviewed/2022/12/GHSA-43fp-rhv2-5gv8/GHSA-43fp-rhv2-5gv8.json
index 957f9e6165c..54d829f4b1a 100644
--- a/advisories/github-reviewed/2022/12/GHSA-43fp-rhv2-5gv8/GHSA-43fp-rhv2-5gv8.json
+++ b/advisories/github-reviewed/2022/12/GHSA-43fp-rhv2-5gv8/GHSA-43fp-rhv2-5gv8.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-43fp-rhv2-5gv8",
- "modified": "2022-12-07T23:05:18Z",
+ "modified": "2024-09-13T17:46:06Z",
"published": "2022-12-07T23:05:18Z",
"aliases": [
"CVE-2022-23491"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -52,6 +56,10 @@
"type": "PACKAGE",
"url": "https://github.com/certifi/python-certifi"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2022-42986.yaml"
+ },
{
"type": "WEB",
"url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ"
diff --git a/advisories/github-reviewed/2022/12/GHSA-4r9h-x77w-mffv/GHSA-4r9h-x77w-mffv.json b/advisories/github-reviewed/2022/12/GHSA-4r9h-x77w-mffv/GHSA-4r9h-x77w-mffv.json
index bde0870ffe8..7d6da343171 100644
--- a/advisories/github-reviewed/2022/12/GHSA-4r9h-x77w-mffv/GHSA-4r9h-x77w-mffv.json
+++ b/advisories/github-reviewed/2022/12/GHSA-4r9h-x77w-mffv/GHSA-4r9h-x77w-mffv.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4r9h-x77w-mffv",
- "modified": "2022-12-21T17:23:08Z",
+ "modified": "2024-09-13T20:05:21Z",
"published": "2022-12-15T21:30:26Z",
"aliases": [
"CVE-2022-4527"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -48,10 +52,18 @@
"type": "PACKAGE",
"url": "https://github.com/collective/collective.task"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/collective/collective.task/releases/tag/3.0.10"
+ },
{
"type": "WEB",
"url": "https://github.com/collective/collective.task/releases/tag/3.0.9"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/collective-task/PYSEC-2022-42990.yaml"
+ },
{
"type": "WEB",
"url": "https://vuldb.com/?id.215907"
diff --git a/advisories/github-reviewed/2022/12/GHSA-5pqf-rvm7-3wgw/GHSA-5pqf-rvm7-3wgw.json b/advisories/github-reviewed/2022/12/GHSA-5pqf-rvm7-3wgw/GHSA-5pqf-rvm7-3wgw.json
index d79f4010fe4..6b1050730d3 100644
--- a/advisories/github-reviewed/2022/12/GHSA-5pqf-rvm7-3wgw/GHSA-5pqf-rvm7-3wgw.json
+++ b/advisories/github-reviewed/2022/12/GHSA-5pqf-rvm7-3wgw/GHSA-5pqf-rvm7-3wgw.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5pqf-rvm7-3wgw",
- "modified": "2022-12-29T00:36:20Z",
+ "modified": "2024-09-13T14:38:04Z",
"published": "2022-12-22T00:30:36Z",
"aliases": [
"CVE-2022-4638"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -48,6 +52,10 @@
"type": "PACKAGE",
"url": "https://github.com/collective/collective.contact.widget"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/collective-contact-widget/PYSEC-2022-42988.yaml"
+ },
{
"type": "WEB",
"url": "https://vuldb.com/?id.216496"
diff --git a/advisories/github-reviewed/2023/01/GHSA-pjx4-3f3p-29v3/GHSA-pjx4-3f3p-29v3.json b/advisories/github-reviewed/2023/01/GHSA-pjx4-3f3p-29v3/GHSA-pjx4-3f3p-29v3.json
index d54f746c5e1..91771c490c4 100644
--- a/advisories/github-reviewed/2023/01/GHSA-pjx4-3f3p-29v3/GHSA-pjx4-3f3p-29v3.json
+++ b/advisories/github-reviewed/2023/01/GHSA-pjx4-3f3p-29v3/GHSA-pjx4-3f3p-29v3.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-pjx4-3f3p-29v3",
- "modified": "2023-01-11T20:54:03Z",
+ "modified": "2024-09-16T21:38:14Z",
"published": "2023-01-05T09:30:27Z",
"aliases": [
"CVE-2016-15010"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
@@ -44,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/uisautomation/django-ucamlookup/commit/5e25e4765637ea4b9e0bf5fcd5e9a922abee7eb3"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-ucamlookup/PYSEC-2023-14.yaml"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/uisautomation/django-ucamlookup"
diff --git a/advisories/github-reviewed/2023/02/GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json b/advisories/github-reviewed/2023/02/GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json
index 20fe237d449..c917c98e128 100644
--- a/advisories/github-reviewed/2023/02/GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json
+++ b/advisories/github-reviewed/2023/02/GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-w7pp-m8wf-vj6r",
- "modified": "2023-02-16T19:07:57Z",
+ "modified": "2024-09-13T20:07:50Z",
"published": "2023-02-07T20:54:10Z",
"aliases": [
"CVE-2023-23931"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -51,7 +55,7 @@
},
{
"type": "WEB",
- "url": "https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3"
+ "url": "https://github.com/pyca/cryptography/pull/8230"
},
{
"type": "WEB",
@@ -60,6 +64,10 @@
{
"type": "PACKAGE",
"url": "https://github.com/pyca/cryptography"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2023/03/GHSA-rwmf-w63j-p7gv/GHSA-rwmf-w63j-p7gv.json b/advisories/github-reviewed/2023/03/GHSA-rwmf-w63j-p7gv/GHSA-rwmf-w63j-p7gv.json
index 8536f93de5e..14b6b0c560b 100644
--- a/advisories/github-reviewed/2023/03/GHSA-rwmf-w63j-p7gv/GHSA-rwmf-w63j-p7gv.json
+++ b/advisories/github-reviewed/2023/03/GHSA-rwmf-w63j-p7gv/GHSA-rwmf-w63j-p7gv.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-rwmf-w63j-p7gv",
- "modified": "2023-03-20T21:27:15Z",
+ "modified": "2024-09-13T14:37:05Z",
"published": "2023-03-20T21:27:15Z",
"aliases": [
"CVE-2023-27586"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:L"
}
],
"affected": [
@@ -59,6 +63,10 @@
{
"type": "WEB",
"url": "https://github.com/Kozea/CairoSVG/releases/tag/2.7.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2023-9.yaml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2023/04/GHSA-pvjv-386f-c8wh/GHSA-pvjv-386f-c8wh.json b/advisories/github-reviewed/2023/04/GHSA-pvjv-386f-c8wh/GHSA-pvjv-386f-c8wh.json
index 68e24e4c83b..21ea1abcd12 100644
--- a/advisories/github-reviewed/2023/04/GHSA-pvjv-386f-c8wh/GHSA-pvjv-386f-c8wh.json
+++ b/advisories/github-reviewed/2023/04/GHSA-pvjv-386f-c8wh/GHSA-pvjv-386f-c8wh.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-pvjv-386f-c8wh",
- "modified": "2023-04-28T19:56:41Z",
+ "modified": "2024-09-12T19:12:58Z",
"published": "2023-04-17T09:30:24Z",
"aliases": [
"CVE-2023-24831"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -33,6 +37,25 @@
]
}
]
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "apache-iotdb"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.13.0"
+ },
+ {
+ "fixed": "0.13.5"
+ }
+ ]
+ }
+ ]
}
],
"references": [
@@ -44,6 +67,10 @@
"type": "PACKAGE",
"url": "https://github.com/apache/iotdb"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2023-7.yaml"
+ },
{
"type": "WEB",
"url": "https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l"
diff --git a/advisories/github-reviewed/2023/05/GHSA-qg36-9jxh-fj25/GHSA-qg36-9jxh-fj25.json b/advisories/github-reviewed/2023/05/GHSA-qg36-9jxh-fj25/GHSA-qg36-9jxh-fj25.json
index 3b1eb41e89c..b0866a79d39 100644
--- a/advisories/github-reviewed/2023/05/GHSA-qg36-9jxh-fj25/GHSA-qg36-9jxh-fj25.json
+++ b/advisories/github-reviewed/2023/05/GHSA-qg36-9jxh-fj25/GHSA-qg36-9jxh-fj25.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-qg36-9jxh-fj25",
- "modified": "2023-05-26T21:50:46Z",
+ "modified": "2024-09-16T21:31:26Z",
"published": "2023-05-22T19:41:56Z",
"aliases": [
"CVE-2023-33185"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2023/06/GHSA-46v3-ggjg-qq3x/GHSA-46v3-ggjg-qq3x.json b/advisories/github-reviewed/2023/06/GHSA-46v3-ggjg-qq3x/GHSA-46v3-ggjg-qq3x.json
index 32968628a9b..2722307c138 100644
--- a/advisories/github-reviewed/2023/06/GHSA-46v3-ggjg-qq3x/GHSA-46v3-ggjg-qq3x.json
+++ b/advisories/github-reviewed/2023/06/GHSA-46v3-ggjg-qq3x/GHSA-46v3-ggjg-qq3x.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-46v3-ggjg-qq3x",
- "modified": "2023-06-06T01:59:54Z",
+ "modified": "2024-09-16T15:05:11Z",
"published": "2023-06-06T01:59:54Z",
"aliases": [
"CVE-2022-43760"
@@ -12,13 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"
}
],
"affected": [
{
"package": {
"ecosystem": "Go",
- "name": "rancher/rancher"
+ "name": "github.com/rancher/rancher"
},
"ranges": [
{
@@ -37,7 +41,7 @@
{
"package": {
"ecosystem": "Go",
- "name": "rancher/rancher"
+ "name": "github.com/rancher/rancher"
},
"ranges": [
{
@@ -84,7 +88,7 @@
"cwe_ids": [
"CWE-79"
],
- "severity": "HIGH",
+ "severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2023-06-06T01:59:54Z",
"nvd_published_at": "2023-06-01T13:15:10Z"
diff --git a/advisories/github-reviewed/2023/06/GHSA-p976-h52c-26p6/GHSA-p976-h52c-26p6.json b/advisories/github-reviewed/2023/06/GHSA-p976-h52c-26p6/GHSA-p976-h52c-26p6.json
index 835528d0b28..00aec7a0fd8 100644
--- a/advisories/github-reviewed/2023/06/GHSA-p976-h52c-26p6/GHSA-p976-h52c-26p6.json
+++ b/advisories/github-reviewed/2023/06/GHSA-p976-h52c-26p6/GHSA-p976-h52c-26p6.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-p976-h52c-26p6",
- "modified": "2023-06-06T02:00:28Z",
+ "modified": "2024-09-16T15:07:40Z",
"published": "2023-06-06T02:00:28Z",
"aliases": [
"CVE-2023-22647"
@@ -12,13 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
}
],
"affected": [
{
"package": {
"ecosystem": "Go",
- "name": "rancher/rancher"
+ "name": "github.com/rancher/rancher"
},
"ranges": [
{
@@ -37,7 +41,7 @@
{
"package": {
"ecosystem": "Go",
- "name": "rancher/rancher"
+ "name": "github.com/rancher/rancher"
},
"ranges": [
{
diff --git a/advisories/github-reviewed/2023/07/GHSA-3h4m-m55v-gx4m/GHSA-3h4m-m55v-gx4m.json b/advisories/github-reviewed/2023/07/GHSA-3h4m-m55v-gx4m/GHSA-3h4m-m55v-gx4m.json
index c5595362cd9..5a4e01fcdfa 100644
--- a/advisories/github-reviewed/2023/07/GHSA-3h4m-m55v-gx4m/GHSA-3h4m-m55v-gx4m.json
+++ b/advisories/github-reviewed/2023/07/GHSA-3h4m-m55v-gx4m/GHSA-3h4m-m55v-gx4m.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-3h4m-m55v-gx4m",
- "modified": "2023-07-21T18:22:19Z",
+ "modified": "2024-09-12T20:31:36Z",
"published": "2023-07-12T12:31:36Z",
"aliases": [
"CVE-2023-36543"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2023/07/GHSA-5946-8p38-vffp/GHSA-5946-8p38-vffp.json b/advisories/github-reviewed/2023/07/GHSA-5946-8p38-vffp/GHSA-5946-8p38-vffp.json
index 7c345d4e1af..e74fe1b7420 100644
--- a/advisories/github-reviewed/2023/07/GHSA-5946-8p38-vffp/GHSA-5946-8p38-vffp.json
+++ b/advisories/github-reviewed/2023/07/GHSA-5946-8p38-vffp/GHSA-5946-8p38-vffp.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5946-8p38-vffp",
- "modified": "2023-07-21T18:18:27Z",
+ "modified": "2024-09-12T20:32:10Z",
"published": "2023-07-12T12:31:36Z",
"aliases": [
"CVE-2023-22888"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2023/07/GHSA-cf7p-gm2m-833m/GHSA-cf7p-gm2m-833m.json b/advisories/github-reviewed/2023/07/GHSA-cf7p-gm2m-833m/GHSA-cf7p-gm2m-833m.json
index a9eef70fc6f..88fe50ca91f 100644
--- a/advisories/github-reviewed/2023/07/GHSA-cf7p-gm2m-833m/GHSA-cf7p-gm2m-833m.json
+++ b/advisories/github-reviewed/2023/07/GHSA-cf7p-gm2m-833m/GHSA-cf7p-gm2m-833m.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-cf7p-gm2m-833m",
- "modified": "2023-08-15T20:39:56Z",
+ "modified": "2024-09-13T20:06:10Z",
"published": "2023-07-14T21:31:08Z",
"aliases": [
"CVE-2023-38325"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -20,6 +24,11 @@
"ecosystem": "PyPI",
"name": "cryptography"
},
+ "ecosystem_specific": {
+ "affected_functions": [
+ "cryptography.hazmat.primitives.serialization.ssh.SSHCertificateBuilder.sign"
+ ]
+ },
"ranges": [
{
"type": "ECOSYSTEM",
@@ -68,6 +77,10 @@
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-112.yaml"
},
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK"
+ },
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK"
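Review bot: The reference added in this hunk differs from the existing entry directly below it only by percent-encoding the `@` in the mailing-list address (`%40lists.fedoraproject.org` vs `@lists.fedoraproject.org`); presumably both resolve to the same message, so the advisory now carries a duplicate link. Consumers that deduplicate references by exact string will not collapse these, so either drop the added entry or keep only the canonical form upstream uses. If the two spellings are both kept intentionally because an upstream feed emits the encoded form, a short note in the commit description would make that clear.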
diff --git a/advisories/github-reviewed/2023/07/GHSA-f54q-j679-p9hh/GHSA-f54q-j679-p9hh.json b/advisories/github-reviewed/2023/07/GHSA-f54q-j679-p9hh/GHSA-f54q-j679-p9hh.json
index 01b83c51db1..0d8118d7420 100644
--- a/advisories/github-reviewed/2023/07/GHSA-f54q-j679-p9hh/GHSA-f54q-j679-p9hh.json
+++ b/advisories/github-reviewed/2023/07/GHSA-f54q-j679-p9hh/GHSA-f54q-j679-p9hh.json
@@ -1,17 +1,21 @@
{
"schema_version": "1.4.0",
"id": "GHSA-f54q-j679-p9hh",
- "modified": "2023-07-25T17:49:21Z",
+ "modified": "2024-09-13T18:12:18Z",
"published": "2023-07-25T17:49:21Z",
"aliases": [
"CVE-2023-38501"
],
- "summary": "Reflected cross-site scripting via k304 parameter",
+ "summary": "copyparty vulnerable to reflected cross-site scripting via k304 parameter",
"details": "### Summary\nThe application contains a reflected cross-site scripting via URL-parameter `?k304=...` and `?setck=...`\n\n### Details\nA reflected cross-site scripting (XSS) vulnerability exists in the web interface of the application that could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.\n\nThe worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.\n\nIt is recommended to change the passwords of your copyparty accounts, unless you have inspected your logs and found no trace of attacks.\n\n### Checking for exposure\nif copyparty is running behind a reverse proxy, you can check the access-logs for traces of attacks, by grepping for URLs containing `?hc=` with `<` somewhere in its value, for example using the following command:\n* nginx:\n ```bash\n (gzip -dc access.log*.gz; cat access.log) | sed -r 's/\" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]|[?&](hc|pw)=.*[<>]'\n ```\nthe above commands also check for attacks against GHSA-cw7j-v52w-fp5r\n\n### PoC\n`https://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E`\n",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
}
],
"affected": [
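Review bot: The new `CVSS_V4` vector in this hunk scores the attack vector as `AV:L`, but the `CVSS_V3` entry two lines above says `AV:N`, and the unchanged `details` text describes a reflected XSS triggered by a victim following a crafted URL, which is network-reachable. The two vectors should agree on exploitability; unless the v4 assessment was a deliberate re-score, the intended line is most likely `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"`. Because the repository appears to derive `database_specific.severity` from the v4 score when one is present, an `AV:L` typo here would also understate the advisory's severity.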
diff --git a/advisories/github-reviewed/2023/07/GHSA-ggwr-4vr8-g7wv/GHSA-ggwr-4vr8-g7wv.json b/advisories/github-reviewed/2023/07/GHSA-ggwr-4vr8-g7wv/GHSA-ggwr-4vr8-g7wv.json
index 111898572d6..7ea37d983f0 100644
--- a/advisories/github-reviewed/2023/07/GHSA-ggwr-4vr8-g7wv/GHSA-ggwr-4vr8-g7wv.json
+++ b/advisories/github-reviewed/2023/07/GHSA-ggwr-4vr8-g7wv/GHSA-ggwr-4vr8-g7wv.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-ggwr-4vr8-g7wv",
- "modified": "2024-03-06T23:24:01Z",
+ "modified": "2024-09-12T20:32:41Z",
"published": "2023-07-12T12:31:36Z",
"aliases": [
"CVE-2023-22887"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2023/07/GHSA-pxfv-7rr3-2qjg/GHSA-pxfv-7rr3-2qjg.json b/advisories/github-reviewed/2023/07/GHSA-pxfv-7rr3-2qjg/GHSA-pxfv-7rr3-2qjg.json
index 2235408c4ce..6e697195532 100644
--- a/advisories/github-reviewed/2023/07/GHSA-pxfv-7rr3-2qjg/GHSA-pxfv-7rr3-2qjg.json
+++ b/advisories/github-reviewed/2023/07/GHSA-pxfv-7rr3-2qjg/GHSA-pxfv-7rr3-2qjg.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-pxfv-7rr3-2qjg",
- "modified": "2023-11-14T19:04:47Z",
+ "modified": "2024-09-13T18:19:54Z",
"published": "2023-07-14T21:59:23Z",
"aliases": [
"CVE-2023-37474"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2023/08/GHSA-8fjr-hghr-4m99/GHSA-8fjr-hghr-4m99.json b/advisories/github-reviewed/2023/08/GHSA-8fjr-hghr-4m99/GHSA-8fjr-hghr-4m99.json
index 08a65c4c94b..100c33d7c2a 100644
--- a/advisories/github-reviewed/2023/08/GHSA-8fjr-hghr-4m99/GHSA-8fjr-hghr-4m99.json
+++ b/advisories/github-reviewed/2023/08/GHSA-8fjr-hghr-4m99/GHSA-8fjr-hghr-4m99.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-8fjr-hghr-4m99",
- "modified": "2023-09-06T19:17:29Z",
+ "modified": "2024-09-13T14:35:53Z",
"published": "2023-08-30T20:09:33Z",
"aliases": [
"CVE-2023-36811"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2023/09/GHSA-c2hm-mjxv-89r4/GHSA-c2hm-mjxv-89r4.json b/advisories/github-reviewed/2023/09/GHSA-c2hm-mjxv-89r4/GHSA-c2hm-mjxv-89r4.json
index 1be09fccf17..adcf748c433 100644
--- a/advisories/github-reviewed/2023/09/GHSA-c2hm-mjxv-89r4/GHSA-c2hm-mjxv-89r4.json
+++ b/advisories/github-reviewed/2023/09/GHSA-c2hm-mjxv-89r4/GHSA-c2hm-mjxv-89r4.json
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-c2hm-mjxv-89r4",
- "modified": "2024-07-05T18:07:13Z",
+ "modified": "2024-09-16T16:50:14Z",
"published": "2023-09-04T17:02:00Z",
"aliases": [
],
"summary": "Multiple soundness issues in lexical",
- "details": "`lexical` contains multiple soundness issues:\n\n 1. [Bytes::read() allows creating instances of types with invalid bit patterns](https://github.com/Alexhuszagh/rust-lexical/issues/102)\n 1. [BytesIter::read() advances iterators out of bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101)\n 1. [The `BytesIter` trait has safety invariants but is public and not marked `unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104)\n 1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/95)\n\nThe crate also has some correctness issues and appears to be unmaintained.\n\n## Alternatives\n\nFor quickly parsing floating-point numbers third-party crates are no longer needed. A fast float parsing algorithm by the author of `lexical` has been [merged](https://github.com/rust-lang/rust/pull/86761) into libcore.\n\nFor quickly parsing integers, consider `atoi` and `btoi` crates (100% safe code). `atoi_radix10` provides even faster parsing, but only with `-C target-cpu=native`, and at the cost of some `unsafe`.\n\nFor formatting integers in a `#[no_std]` context consider the [`numtoa`](https://crates.io/crates/numtoa) crate.\n\nFor working with big numbers consider `num-bigint` and `num-traits`.\n",
+ "details": "`lexical` contains multiple soundness issues:\n\n 1. [Bytes::read() allows creating instances of types with invalid bit patterns](https://github.com/Alexhuszagh/rust-lexical/issues/102)\n 1. [BytesIter::read() advances iterators out of bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101)\n 1. [The `BytesIter` trait has safety invariants but is public and not marked `unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104)\n 1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/95)\n1. [`radix()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/126)\n\nThe crate also has some correctness issues.\n\n## Alternatives\n\nFor quickly parsing floating-point numbers third-party crates are no longer needed. A fast float parsing algorithm by the author of `lexical` has been [merged](https://github.com/rust-lang/rust/pull/86761) into libcore.\n\nFor quickly parsing integers, consider `atoi` and `btoi` crates (100% safe code). `atoi_radix10` provides even faster parsing, but only with `-C target-cpu=native`, and at the cost of some `unsafe`.\n\nFor formatting integers in a `#[no_std]` context consider the [`numtoa`](https://crates.io/crates/numtoa) crate.\n\nFor working with big numbers consider `num-bigint` and `num-traits`.\n",
"severity": [
],
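Review bot: The new fifth list item on the `details` line copies the doubled word in "which is is not allowed" from the item above it and drops the leading space the other four items carry (`\n1. [` versus `\n 1. [`), so it is indented differently from its siblings in the rendered list. Suggest writing the new item as `\n 1. [`radix()` calls ... on uninitialized data, which is not allowed by the Rust abstract machine](...)` and fixing the same doubled word in item four while the line is being touched. The replacement sentence "The crate also has some correctness issues." now stands without an issue link, unlike the soundness items; either link it or drop it so the description stays verifiable.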
@@ -25,11 +25,14 @@
"introduced": "0"
},
{
- "last_affected": "6.1.1"
+ "fixed": "7.0.0"
}
]
}
- ]
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 6.1.1"
+ }
}
],
"references": [
@@ -46,7 +49,7 @@
"cwe_ids": [
],
- "severity": "MODERATE",
+ "severity": "LOW",
"github_reviewed": true,
"github_reviewed_at": "2023-09-04T17:02:00Z",
"nvd_published_at": null
diff --git a/advisories/github-reviewed/2023/10/GHSA-9x43-5qcq-h79q/GHSA-9x43-5qcq-h79q.json b/advisories/github-reviewed/2023/10/GHSA-9x43-5qcq-h79q/GHSA-9x43-5qcq-h79q.json
index dc8fc6f7835..8dcd1a34458 100644
--- a/advisories/github-reviewed/2023/10/GHSA-9x43-5qcq-h79q/GHSA-9x43-5qcq-h79q.json
+++ b/advisories/github-reviewed/2023/10/GHSA-9x43-5qcq-h79q/GHSA-9x43-5qcq-h79q.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9x43-5qcq-h79q",
- "modified": "2023-10-31T22:10:27Z",
+ "modified": "2024-09-13T20:12:08Z",
"published": "2023-10-22T21:36:10Z",
"aliases": [
"CVE-2021-46898"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2023/10/GHSA-cr45-98w9-gwqx/GHSA-cr45-98w9-gwqx.json b/advisories/github-reviewed/2023/10/GHSA-cr45-98w9-gwqx/GHSA-cr45-98w9-gwqx.json
index a909dd0f547..a53b182cfd6 100644
--- a/advisories/github-reviewed/2023/10/GHSA-cr45-98w9-gwqx/GHSA-cr45-98w9-gwqx.json
+++ b/advisories/github-reviewed/2023/10/GHSA-cr45-98w9-gwqx/GHSA-cr45-98w9-gwqx.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-cr45-98w9-gwqx",
- "modified": "2023-11-06T16:32:12Z",
+ "modified": "2024-09-12T21:13:16Z",
"published": "2023-10-19T16:13:50Z",
"aliases": [
"CVE-2023-45815"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2023/10/GHSA-v9jh-j8px-98vq/GHSA-v9jh-j8px-98vq.json b/advisories/github-reviewed/2023/10/GHSA-v9jh-j8px-98vq/GHSA-v9jh-j8px-98vq.json
index 1a825d38960..895f4ad32cc 100644
--- a/advisories/github-reviewed/2023/10/GHSA-v9jh-j8px-98vq/GHSA-v9jh-j8px-98vq.json
+++ b/advisories/github-reviewed/2023/10/GHSA-v9jh-j8px-98vq/GHSA-v9jh-j8px-98vq.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-v9jh-j8px-98vq",
- "modified": "2023-10-27T23:14:16Z",
+ "modified": "2024-09-13T18:36:55Z",
"published": "2023-10-18T06:30:30Z",
"aliases": [
"CVE-2023-42319"
diff --git a/advisories/github-reviewed/2023/11/GHSA-hm9r-7f84-25c9/GHSA-hm9r-7f84-25c9.json b/advisories/github-reviewed/2023/11/GHSA-hm9r-7f84-25c9/GHSA-hm9r-7f84-25c9.json
index 5c6e47d8712..387233ca9e2 100644
--- a/advisories/github-reviewed/2023/11/GHSA-hm9r-7f84-25c9/GHSA-hm9r-7f84-25c9.json
+++ b/advisories/github-reviewed/2023/11/GHSA-hm9r-7f84-25c9/GHSA-hm9r-7f84-25c9.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hm9r-7f84-25c9",
- "modified": "2024-03-06T23:48:49Z",
+ "modified": "2024-09-12T20:19:58Z",
"published": "2023-11-12T15:30:20Z",
"aliases": [
"CVE-2023-47037"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2023/11/GHSA-r7x6-xfcm-3mxv/GHSA-r7x6-xfcm-3mxv.json b/advisories/github-reviewed/2023/11/GHSA-r7x6-xfcm-3mxv/GHSA-r7x6-xfcm-3mxv.json
index 9279205f27e..a9bf99dfe7f 100644
--- a/advisories/github-reviewed/2023/11/GHSA-r7x6-xfcm-3mxv/GHSA-r7x6-xfcm-3mxv.json
+++ b/advisories/github-reviewed/2023/11/GHSA-r7x6-xfcm-3mxv/GHSA-r7x6-xfcm-3mxv.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-r7x6-xfcm-3mxv",
- "modified": "2023-11-20T22:21:53Z",
+ "modified": "2024-09-12T20:08:48Z",
"published": "2023-11-12T15:30:20Z",
"aliases": [
"CVE-2023-42781"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json b/advisories/github-reviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json
new file mode 100644
index 00000000000..476aa854208
--- /dev/null
+++ b/advisories/github-reviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json
@@ -0,0 +1,101 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-488m-w9fp-5mm2",
+ "modified": "2024-09-16T21:37:34Z",
+ "published": "2023-12-28T21:30:37Z",
+ "aliases": [
+ "CVE-2023-5236"
+ ],
+ "summary": "Infinispan circular object references causes out of memory errors",
+ "details": "A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan.protostream:protostream"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.6.2.Final"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5236"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/protostream/commit/4501b6b307a6bab545346f66238f8be7e42f83eb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/protostream/commit/4ef66958f2c4890ae1c6a7acd629d27bd88aa4cb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/protostream/commit/50320b5987dc87bc04b616b87e8cf93472ee19c1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2023:5396"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-5236"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240999"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/infinispan/infinispan"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.redhat.com/browse/IPROTO-262"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.redhat.com/browse/IPROTO-263"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.redhat.com/browse/ISPN-14534"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240125-0004"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1047"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T21:37:34Z",
+ "nvd_published_at": "2023-12-18T14:15:10Z"
+ }
+}
\ No newline at end of file
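Review bot: The `PACKAGE` reference points at `https://github.com/infinispan/infinispan`, but the affected coordinate is `org.infinispan.protostream:protostream` and all three fix commits are in `infinispan/protostream`, so tooling that keys on the PACKAGE URL will associate this advisory with the wrong repository; `https://github.com/infinispan/protostream` is the consistent value. The CWE is also questionable: CWE-1047 describes circular dependencies between source modules, whereas the flaw described is unbounded memory use when unmarshalling a cyclic object graph, which reads closer to CWE-674 (Uncontrolled Recursion) or CWE-400 (Uncontrolled Resource Consumption); confirm against the Red Hat classification before changing. Minor: the summary should read `circular object references cause out of memory errors`.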
diff --git a/advisories/github-reviewed/2023/12/GHSA-7j69-qfc3-2fq9/GHSA-7j69-qfc3-2fq9.json b/advisories/github-reviewed/2023/12/GHSA-7j69-qfc3-2fq9/GHSA-7j69-qfc3-2fq9.json
index 10e282315ce..b6d8d46bd56 100644
--- a/advisories/github-reviewed/2023/12/GHSA-7j69-qfc3-2fq9/GHSA-7j69-qfc3-2fq9.json
+++ b/advisories/github-reviewed/2023/12/GHSA-7j69-qfc3-2fq9/GHSA-7j69-qfc3-2fq9.json
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-7j69-qfc3-2fq9",
- "modified": "2024-04-25T18:49:43Z",
+ "modified": "2024-09-16T21:08:57Z",
"published": "2023-12-13T00:30:37Z",
"aliases": [
"CVE-2023-5764"
],
"summary": "Ansible template injection vulnerability",
- "details": "A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce code injection when supplying templating data.",
+ "details": "A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.",
"severity": [
{
"type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json b/advisories/github-reviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json
new file mode 100644
index 00000000000..eb680efaee9
--- /dev/null
+++ b/advisories/github-reviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json
@@ -0,0 +1,104 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fhr7-8jx4-r9cp",
+ "modified": "2024-09-16T17:19:18Z",
+ "published": "2023-12-30T00:30:23Z",
+ "aliases": [
+ "CVE-2023-3628"
+ ],
+ "summary": "Infinispan REST Server's bulk read endpoints do not properly evaluate user permissions",
+ "details": "A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-server-rest"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.0.0.Dev01"
+ },
+ {
+ "fixed": "15.0.0.Dev04"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-server-rest"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "14.0.18.Final"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3628"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/infinispan/commit/70a50352d9195753a588d0fba8c2063b99f96263"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/infinispan/commit/b34488dcab8bdd4258972568b8405ee7111276ec"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2023:5396"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-3628"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217924"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/infinispan/infinispan"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240125-0004"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-304"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T17:19:18Z",
+ "nvd_published_at": "2023-12-18T14:15:08Z"
+ }
+}
\ No newline at end of file
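Review bot: CWE-304 (Missing Critical Step in Authentication) does not match the flaw described in `details`, which is an authorization failure: the user is already authenticated, and the bulk read endpoints fail to evaluate that user's permissions. CWE-285 (Improper Authorization) or CWE-863 (Incorrect Authorization) describes it; the sibling record for CVE-2023-3629 carries the same mismatch. The first affected range also stops at `15.0.0.Dev04`, a development milestone, so consider stating in `details` which Final release of the 15.x line carries the fix for readers who do not consume Dev builds.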
diff --git a/advisories/github-reviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json b/advisories/github-reviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json
new file mode 100644
index 00000000000..741c865b727
--- /dev/null
+++ b/advisories/github-reviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json
@@ -0,0 +1,382 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gg57-587f-h5v6",
+ "modified": "2024-09-16T22:00:09Z",
+ "published": "2023-12-28T18:30:32Z",
+ "aliases": [
+ "CVE-2023-5384"
+ ],
+ "summary": "Infinispan caches credentials in clear text",
+ "details": "A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.0.0.Dev01"
+ },
+ {
+ "fixed": "15.0.0.Dev07"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "14.0.25.Final"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-commons"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.0.0.Dev01"
+ },
+ {
+ "fixed": "15.0.0.Dev07"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-commons"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "14.0.25.Final"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-hotrod"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.0.0.Dev01"
+ },
+ {
+ "fixed": "15.0.0.Dev07"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-hotrod"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "14.0.25.Final"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-client-hotrod"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.0.0.Dev01"
+ },
+ {
+ "fixed": "15.0.0.Dev07"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-client-hotrod"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "14.0.25.Final"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-cachestore-jdbc-common"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.0.0.Dev01"
+ },
+ {
+ "fixed": "15.0.0.Dev07"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-cachestore-jdbc-common"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "14.0.25.Final"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-cachestore-remote"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.0.0.Dev01"
+ },
+ {
+ "fixed": "15.0.0.Dev07"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-cachestore-remote"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "14.0.25.Final"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-cachestore-sql"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.0.0.Dev01"
+ },
+ {
+ "fixed": "15.0.0.Dev07"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-cachestore-sql"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "14.0.25.Final"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-cachestore-jdbc"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.0.0.Dev01"
+ },
+ {
+ "fixed": "15.0.0.Dev07"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-cachestore-jdbc"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "14.0.25.Final"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5384"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/infinispan/pull/11555"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/infinispan/pull/11995"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/infinispan/commit/7140fc9b026ec55786c1aa78bb3cd8bf951fad47"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/infinispan/commit/fd3e18ec3b1a4e7fcfd79392f5bf78792a2b8c61"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2023:7676"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-5384"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242156"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/infinispan/infinispan"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.redhat.com/browse/ISPN-15202"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240125-0004"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-312"
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T22:00:09Z",
+ "nvd_published_at": "2023-12-18T14:15:11Z"
+ }
+}
\ No newline at end of file
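Review bot: The summary "Infinispan caches credentials in clear text" says something different from the `details` line, which describes credentials being returned in clear text when the cache *configuration* is serialized to XML/JSON/YAML, not the cache storing credentials; suggest `Infinispan exposes store credentials in clear text when serializing cache configuration`. For the same reason CWE-312 (Cleartext Storage of Sensitive Information) is a loose fit, since the weakness described is disclosure through an administrative output rather than how the credential is stored, and CWE-200 would be closer; the classification may come from the Red Hat source, so confirm before changing. It would also help readers to say that `PR:H` here means the caller already holds admin rights to read the configuration, which is why the record is rated LOW.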
diff --git a/advisories/github-reviewed/2023/12/GHSA-jcrr-rr6w-8c83/GHSA-jcrr-rr6w-8c83.json b/advisories/github-reviewed/2023/12/GHSA-jcrr-rr6w-8c83/GHSA-jcrr-rr6w-8c83.json
index 2ebc754e94d..8e1a615b828 100644
--- a/advisories/github-reviewed/2023/12/GHSA-jcrr-rr6w-8c83/GHSA-jcrr-rr6w-8c83.json
+++ b/advisories/github-reviewed/2023/12/GHSA-jcrr-rr6w-8c83/GHSA-jcrr-rr6w-8c83.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-jcrr-rr6w-8c83",
- "modified": "2023-12-22T19:51:38Z",
+ "modified": "2024-09-12T21:32:39Z",
"published": "2023-12-22T12:31:52Z",
"aliases": [
"CVE-2023-49391"
@@ -55,7 +55,7 @@
],
"database_specific": {
"cwe_ids": [
-
+ "CWE-94"
],
"severity": "HIGH",
"github_reviewed": true,
diff --git a/advisories/github-reviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json b/advisories/github-reviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json
new file mode 100644
index 00000000000..79c0688b3a2
--- /dev/null
+++ b/advisories/github-reviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json
@@ -0,0 +1,104 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r4w2-hjmr-36m7",
+ "modified": "2024-09-16T17:19:37Z",
+ "published": "2023-12-30T00:30:23Z",
+ "aliases": [
+ "CVE-2023-3629"
+ ],
+ "summary": " Infinispan REST Server's cache retrieval endpoints do not properly evaluate the necessary admin permissions",
+ "details": "A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-server-rest"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.0.0.Dev01"
+ },
+ {
+ "fixed": "15.0.0.Dev04"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan:infinispan-server-rest"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "14.0.18.Final"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3629"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/infinispan/commit/11b3cb0f7ba68b73dd32f655ff3f3df842a0c6bd"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/infinispan/commit/1e3cc542336d2f49743ab8176ed6f1175e034c59"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2023:5396"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-3629"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217926"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/infinispan/infinispan"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240125-0004"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-304"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T17:19:37Z",
+ "nvd_published_at": "2023-12-18T14:15:08Z"
+ }
+}
\ No newline at end of file
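Review bot: The `summary` value starts with a stray space (`" Infinispan REST Server's ..."`), which will show up as leading whitespace wherever the title is rendered or string-matched; drop it. The `details` sentence joins two clauses with a comma (`Infinispan's REST, Cache retrieval endpoints`); suggest `A flaw was found in Infinispan's REST server: cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation.` As with CVE-2023-3628, CWE-304 is an authentication weakness while the text describes a missing authorization check on an authenticated user, so CWE-285 or CWE-863 would be the closer classification.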
diff --git a/advisories/github-reviewed/2024/01/GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json b/advisories/github-reviewed/2024/01/GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json
index 3df1beb1e3e..70203b6f7de 100644
--- a/advisories/github-reviewed/2024/01/GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json
+++ b/advisories/github-reviewed/2024/01/GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4mp7-2m29-gqxf",
- "modified": "2024-01-31T00:21:58Z",
+ "modified": "2024-09-16T17:21:31Z",
"published": "2024-01-31T00:21:58Z",
"aliases": [
"CVE-2020-16251"
@@ -18,7 +18,7 @@
{
"package": {
"ecosystem": "Go",
- "name": "github.com/hashicorp/vault/vault"
+ "name": "github.com/hashicorp/vault"
},
"ranges": [
{
@@ -37,7 +37,7 @@
{
"package": {
"ecosystem": "Go",
- "name": "github.com/hashicorp/vault/vault"
+ "name": "github.com/hashicorp/vault"
},
"ranges": [
{
@@ -56,7 +56,7 @@
{
"package": {
"ecosystem": "Go",
- "name": "github.com/hashicorp/vault/vault"
+ "name": "github.com/hashicorp/vault"
},
"ranges": [
{
@@ -75,7 +75,7 @@
{
"package": {
"ecosystem": "Go",
- "name": "github.com/hashicorp/vault/vault"
+ "name": "github.com/hashicorp/vault"
},
"ranges": [
{
@@ -97,6 +97,10 @@
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16251"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/hashicorp/vault"
+ },
{
"type": "WEB",
"url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151"
diff --git a/advisories/github-reviewed/2024/01/GHSA-4pwp-cx67-5cpx/GHSA-4pwp-cx67-5cpx.json b/advisories/github-reviewed/2024/01/GHSA-4pwp-cx67-5cpx/GHSA-4pwp-cx67-5cpx.json
index 21b0d4b1d1d..e965125cc0f 100644
--- a/advisories/github-reviewed/2024/01/GHSA-4pwp-cx67-5cpx/GHSA-4pwp-cx67-5cpx.json
+++ b/advisories/github-reviewed/2024/01/GHSA-4pwp-cx67-5cpx/GHSA-4pwp-cx67-5cpx.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4pwp-cx67-5cpx",
- "modified": "2024-01-31T23:11:17Z",
+ "modified": "2024-09-16T17:33:27Z",
"published": "2024-01-31T23:11:17Z",
"aliases": [
"CVE-2019-19499"
@@ -12,13 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
}
],
"affected": [
{
"package": {
"ecosystem": "Go",
- "name": "github.com/grafana/grafana/pkg/tsdb/mysql"
+ "name": "github.com/grafana/grafana"
},
"ranges": [
{
@@ -44,6 +48,14 @@
"type": "WEB",
"url": "https://github.com/grafana/grafana/pull/20192"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/grafana/grafana/commit/19dbd27c5caa1a160bd5854b65a4e1fe2a8a4f00"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/grafana/grafana"
+ },
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#644-2019-11-06"
@@ -51,10 +63,6 @@
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200918-0003"
- },
- {
- "type": "WEB",
- "url": "https://swarm.ptsecurity.com/grafana-6-4-3-arbitrary-file-read"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2024/01/GHSA-7mgx-gvjw-m3w3/GHSA-7mgx-gvjw-m3w3.json b/advisories/github-reviewed/2024/01/GHSA-7mgx-gvjw-m3w3/GHSA-7mgx-gvjw-m3w3.json
index d0cbf302654..353a3427e3e 100644
--- a/advisories/github-reviewed/2024/01/GHSA-7mgx-gvjw-m3w3/GHSA-7mgx-gvjw-m3w3.json
+++ b/advisories/github-reviewed/2024/01/GHSA-7mgx-gvjw-m3w3/GHSA-7mgx-gvjw-m3w3.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-7mgx-gvjw-m3w3",
- "modified": "2024-01-31T12:37:36Z",
+ "modified": "2024-09-13T18:28:16Z",
"published": "2024-01-30T03:30:30Z",
"aliases": [
"CVE-2023-51982"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -90,6 +94,25 @@
]
}
]
+ },
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "crate"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "0.35.2"
+ }
+ ]
+ }
+ ]
}
],
"references": [
@@ -105,6 +128,10 @@
"type": "WEB",
"url": "https://github.com/crate/crate/pull/15234"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/crate/crate-python/commit/813946b9420d45877ef7c369311dbc8804d6674f"
+ },
{
"type": "WEB",
"url": "https://github.com/crate/crate/commit/0c166ef083bec4d64dd55c1d8cb9b3dec350d241"
diff --git a/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json b/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json
index 0d0e921be03..cf9f8f030bc 100644
--- a/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json
+++ b/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-c3c6-f2ww-xfr2",
- "modified": "2024-01-31T14:55:56Z",
+ "modified": "2024-09-12T19:15:10Z",
"published": "2024-01-24T15:30:30Z",
"aliases": [
"CVE-2023-50943"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -28,7 +32,7 @@
"introduced": "0"
},
{
- "fixed": "2.8.1"
+ "fixed": "2.8.1rc1"
}
]
}
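Review bot: Moving the `fixed` boundary from `2.8.1` to `2.8.1rc1` makes the release candidate count as a safe version, which is only correct if the referenced fix commit is actually in that pre-release tag; under PEP 440 ordering `2.8.1rc1` sorts before `2.8.1`, so an installation on the rc was flagged before this change and is cleared after it. Confirm the tag contents rather than relying on the rc number alone, and make sure any version named in `details` (outside this hunk) still agrees with the range.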
@@ -44,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/36255"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
diff --git a/advisories/github-reviewed/2024/01/GHSA-g777-crp9-m27g/GHSA-g777-crp9-m27g.json b/advisories/github-reviewed/2024/01/GHSA-g777-crp9-m27g/GHSA-g777-crp9-m27g.json
index 570e4bc1f27..3813c98312a 100644
--- a/advisories/github-reviewed/2024/01/GHSA-g777-crp9-m27g/GHSA-g777-crp9-m27g.json
+++ b/advisories/github-reviewed/2024/01/GHSA-g777-crp9-m27g/GHSA-g777-crp9-m27g.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-g777-crp9-m27g",
- "modified": "2024-01-12T23:19:29Z",
+ "modified": "2024-09-13T14:15:59Z",
"published": "2024-01-09T09:30:29Z",
"aliases": [
"CVE-2023-50974"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2024/01/GHSA-hcvp-2cc7-jrwr/GHSA-hcvp-2cc7-jrwr.json b/advisories/github-reviewed/2024/01/GHSA-hcvp-2cc7-jrwr/GHSA-hcvp-2cc7-jrwr.json
index 47969b7ce8a..ab4f38aa182 100644
--- a/advisories/github-reviewed/2024/01/GHSA-hcvp-2cc7-jrwr/GHSA-hcvp-2cc7-jrwr.json
+++ b/advisories/github-reviewed/2024/01/GHSA-hcvp-2cc7-jrwr/GHSA-hcvp-2cc7-jrwr.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hcvp-2cc7-jrwr",
- "modified": "2024-01-23T12:50:59Z",
+ "modified": "2024-09-13T17:38:17Z",
"published": "2024-01-23T12:50:59Z",
"aliases": [
"CVE-2024-23329"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
}
],
"affected": [
@@ -36,25 +40,6 @@
"database_specific": {
"last_known_affected_version_range": "<= 0.45.12"
}
- },
- {
- "package": {
- "ecosystem": "PyPI",
- "name": "changedetection-io"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0.39.14"
- },
- {
- "fixed": "0.45.13"
- }
- ]
- }
- ]
}
],
"references": [
diff --git a/advisories/github-reviewed/2024/01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json b/advisories/github-reviewed/2024/01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json
index e241f600150..d5eec56bb56 100644
--- a/advisories/github-reviewed/2024/01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json
+++ b/advisories/github-reviewed/2024/01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-j6vv-vv26-rh7c",
- "modified": "2024-01-30T23:40:40Z",
+ "modified": "2024-09-16T15:06:33Z",
"published": "2024-01-30T23:40:40Z",
"aliases": [
"CVE-2020-10661"
@@ -12,13 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
{
"package": {
"ecosystem": "Go",
- "name": "github.com/hashicorp/vault/vault"
+ "name": "github.com/hashicorp/vault"
},
"ranges": [
{
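Review bot: The new CVSS 4.0 vector asserts `VA:H` while the CVSS 3.1 vector a few lines above keeps `A:N`, so the two scores disagree on whether CVE-2020-10661 has an availability impact. One of them should be corrected; if the v3 vector is the authoritative one the v4 string should end `VC:H/VI:H/VA:N/SC:N/SI:N/SA:N`. The rename to `github.com/hashicorp/vault` looks right for Go matching, since OSV keys Go entries by module path rather than package path.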
@@ -44,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/hashicorp/vault"
+ },
{
"type": "WEB",
"url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020"
diff --git a/advisories/github-reviewed/2024/01/GHSA-m979-w9wj-qfj9/GHSA-m979-w9wj-qfj9.json b/advisories/github-reviewed/2024/01/GHSA-m979-w9wj-qfj9/GHSA-m979-w9wj-qfj9.json
index 70107cc5c97..ac3a4cf9d20 100644
--- a/advisories/github-reviewed/2024/01/GHSA-m979-w9wj-qfj9/GHSA-m979-w9wj-qfj9.json
+++ b/advisories/github-reviewed/2024/01/GHSA-m979-w9wj-qfj9/GHSA-m979-w9wj-qfj9.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-m979-w9wj-qfj9",
- "modified": "2024-01-30T23:40:43Z",
+ "modified": "2024-09-16T17:23:48Z",
"published": "2024-01-30T23:40:43Z",
"aliases": [
"CVE-2020-10660"
@@ -12,13 +12,17 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
{
"package": {
"ecosystem": "Go",
- "name": "github.com/hashicorp/vault/vault"
+ "name": "github.com/hashicorp/vault"
},
"ranges": [
{
@@ -48,6 +52,10 @@
"type": "WEB",
"url": "https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/hashicorp/vault"
+ },
{
"type": "WEB",
"url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020"
diff --git a/advisories/github-reviewed/2024/01/GHSA-rgrf-6mf5-m882/GHSA-rgrf-6mf5-m882.json b/advisories/github-reviewed/2024/01/GHSA-rgrf-6mf5-m882/GHSA-rgrf-6mf5-m882.json
index 58221531319..9643d1e666b 100644
--- a/advisories/github-reviewed/2024/01/GHSA-rgrf-6mf5-m882/GHSA-rgrf-6mf5-m882.json
+++ b/advisories/github-reviewed/2024/01/GHSA-rgrf-6mf5-m882/GHSA-rgrf-6mf5-m882.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-rgrf-6mf5-m882",
- "modified": "2024-01-11T15:18:51Z",
+ "modified": "2024-09-13T17:39:18Z",
"published": "2024-01-11T15:18:51Z",
"aliases": [
"CVE-2024-22194"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
}
],
"affected": [
@@ -277,39 +281,7 @@
},
{
"type": "WEB",
- "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235"
- },
- {
- "type": "WEB",
- "url": "https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9"
- },
- {
- "type": "WEB",
- "url": "https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b"
- },
- {
- "type": "WEB",
- "url": "https://github.com/casework/CASE-Utilities-Python/commit/5acb929dfb599709d1c8c90d1824dd79e0fd9e10"
- },
- {
- "type": "WEB",
- "url": "https://github.com/casework/CASE-Utilities-Python/commit/7e02d18383eabbeb9fb4ec97d81438c9980a4790"
- },
- {
- "type": "WEB",
- "url": "https://github.com/casework/CASE-Utilities-Python/commit/80551f49241c874c7c50e14abe05c5017630dad2"
- },
- {
- "type": "WEB",
- "url": "https://github.com/casework/CASE-Utilities-Python/commit/939775f956796d0432ecabbf62782ed7ad1007b5"
- },
- {
- "type": "WEB",
- "url": "https://github.com/casework/CASE-Utilities-Python/commit/db428a0745dac4fdd888ced9c52f617695519f9d"
- },
- {
- "type": "WEB",
- "url": "https://github.com/casework/CASE-Utilities-Python/commit/e4ffadc3d56fd303b8f465d727c4a58213d311a1"
+ "url": "https://github.com/casework/CASE-Utilities-Python/commit/fdc32414eccfcbde6be0fd91b7f491cc0779b02d#diff-e60b9cb8fb480ed27283a030a0898be3475992d78228f4045b12ce5cbb2f0509"
},
{
"type": "WEB",
@@ -317,7 +289,47 @@
},
{
"type": "WEB",
- "url": "https://github.com/casework/CASE-Utilities-Python/commit/fdc32414eccfcbde6be0fd91b7f491cc0779b02d#diff-e60b9cb8fb480ed27283a030a0898be3475992d78228f4045b12ce5cbb2f0509"
+ "url": "https://github.com/casework/CASE-Utilities-Python/commit/e4ffadc3d56fd303b8f465d727c4a58213d311a1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casework/CASE-Utilities-Python/commit/db428a0745dac4fdd888ced9c52f617695519f9d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casework/CASE-Utilities-Python/commit/939775f956796d0432ecabbf62782ed7ad1007b5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casework/CASE-Utilities-Python/commit/80551f49241c874c7c50e14abe05c5017630dad2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casework/CASE-Utilities-Python/commit/7e02d18383eabbeb9fb4ec97d81438c9980a4790"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casework/CASE-Utilities-Python/commit/5acb929dfb599709d1c8c90d1824dd79e0fd9e10"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/case-utils/PYSEC-2024-5.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cdo-local-uuid/PYSEC-2024-6.yaml"
},
{
"type": "PACKAGE",
diff --git a/advisories/github-reviewed/2024/01/GHSA-rxgg-273w-rfw7/GHSA-rxgg-273w-rfw7.json b/advisories/github-reviewed/2024/01/GHSA-rxgg-273w-rfw7/GHSA-rxgg-273w-rfw7.json
index 10ef11e527f..70de5142256 100644
--- a/advisories/github-reviewed/2024/01/GHSA-rxgg-273w-rfw7/GHSA-rxgg-273w-rfw7.json
+++ b/advisories/github-reviewed/2024/01/GHSA-rxgg-273w-rfw7/GHSA-rxgg-273w-rfw7.json
@@ -1,17 +1,21 @@
{
"schema_version": "1.4.0",
"id": "GHSA-rxgg-273w-rfw7",
- "modified": "2024-01-22T21:32:51Z",
+ "modified": "2024-09-12T21:02:56Z",
"published": "2024-01-15T12:30:19Z",
"aliases": [
"CVE-2023-46226"
],
"summary": "Remote Code Execution vulnerability in Apache IoTDB via UDF",
- "details": "Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.\n\nUsers are recommended to upgrade to version 1.3.0, which fixes the issue.\n\n",
+ "details": "Remote Code Execution vulnerability in Apache IoTDB. This issue affects Apache IoTDB from 1.0.0 through 1.2.2.\n\nUsers are recommended to upgrade to version 1.3.0, which fixes the issue.\n\n",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
}
],
"affected": [
@@ -83,7 +87,7 @@
"cwe_ids": [
],
- "severity": "CRITICAL",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-01-16T20:45:55Z",
"nvd_published_at": "2024-01-15T11:15:07Z"
diff --git a/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json b/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json
index d3c0d8c483a..150cba40dbe 100644
--- a/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json
+++ b/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-vm5m-qmrx-fw8w",
- "modified": "2024-01-31T14:55:51Z",
+ "modified": "2024-09-12T19:16:29Z",
"published": "2024-01-24T15:30:30Z",
"aliases": [
"CVE-2023-50944"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -28,7 +32,7 @@
"introduced": "0"
},
{
- "fixed": "2.8.1"
+ "fixed": "2.8.1rc1"
}
]
}
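Review bot: Changing `fixed` from `2.8.1` to `2.8.1rc1` marks the release candidate as patched, which is only accurate if commit 8d76538 is reachable from the 2.8.1rc1 tag; the hunk does not show that. Under PEP 440 the rc sorts before 2.8.1, so an rc built before the fix merged would be reported as safe while still exposing CVE-2023-50944. Please confirm the commit-to-tag relationship before narrowing the range.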
@@ -44,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/36257"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
diff --git a/advisories/github-reviewed/2024/02/GHSA-547x-748v-vp6p/GHSA-547x-748v-vp6p.json b/advisories/github-reviewed/2024/02/GHSA-547x-748v-vp6p/GHSA-547x-748v-vp6p.json
index 8f7a6b81641..1d0607b9c34 100644
--- a/advisories/github-reviewed/2024/02/GHSA-547x-748v-vp6p/GHSA-547x-748v-vp6p.json
+++ b/advisories/github-reviewed/2024/02/GHSA-547x-748v-vp6p/GHSA-547x-748v-vp6p.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-547x-748v-vp6p",
- "modified": "2024-03-06T16:21:30Z",
+ "modified": "2024-09-16T13:44:03Z",
"published": "2024-02-02T06:30:31Z",
"aliases": [
"CVE-2024-21485"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
}
],
"affected": [
diff --git a/advisories/unreviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json b/advisories/github-reviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json
similarity index 67%
rename from advisories/unreviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json
rename to advisories/github-reviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json
index a60d96696bb..769b193165c 100644
--- a/advisories/unreviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json
+++ b/advisories/github-reviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json
@@ -1,26 +1,76 @@
{
"schema_version": "1.4.0",
"id": "GHSA-w6qf-42m7-vh68",
- "modified": "2024-04-17T18:31:31Z",
+ "modified": "2024-09-16T21:22:33Z",
"published": "2024-02-20T00:30:36Z",
"aliases": [
"CVE-2024-1635"
],
+ "summary": "Undertow Uncontrolled Resource Consumption Vulnerability",
"details": "A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. \n\nAt HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
-
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "io.undertow:undertow-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.3.0.Final"
+ },
+ {
+ "fixed": "2.3.12.Final"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "io.undertow:undertow-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.2.31.Final"
+ }
+ ]
+ }
+ ]
+ }
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1635"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/undertow-io/undertow/commit/3cdb104e225f34547ce9fd6eb8799eb68e040f19"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/undertow-io/undertow/commit/7d388c5aae9b82afb63f24e3b6a2044838dfb4de"
+ },
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1674"
@@ -65,6 +115,10 @@
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264928"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/undertow-io/undertow"
+ },
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240322-0007"
@@ -75,8 +129,8 @@
"CWE-400"
],
"severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T21:22:33Z",
"nvd_published_at": "2024-02-19T22:15:48Z"
}
}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/03/GHSA-7jwh-3vrq-q3m8/GHSA-7jwh-3vrq-q3m8.json b/advisories/github-reviewed/2024/03/GHSA-7jwh-3vrq-q3m8/GHSA-7jwh-3vrq-q3m8.json
index 0d553d99118..abce989f87b 100644
--- a/advisories/github-reviewed/2024/03/GHSA-7jwh-3vrq-q3m8/GHSA-7jwh-3vrq-q3m8.json
+++ b/advisories/github-reviewed/2024/03/GHSA-7jwh-3vrq-q3m8/GHSA-7jwh-3vrq-q3m8.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-7jwh-3vrq-q3m8",
- "modified": "2024-03-14T21:46:07Z",
+ "modified": "2024-09-13T15:36:58Z",
"published": "2024-03-04T20:45:25Z",
"aliases": [
@@ -9,7 +9,14 @@
"summary": "pgproto3 SQL Injection via Protocol Message Size Overflow",
"details": "### Impact\n\nSQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.\n\n### Patches\n\nThe problem is resolved in v2.3.3\n\n### Workarounds\n\nReject user input large enough to cause a single query or bind message to exceed 4 GB in size.\n",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+ }
],
"affected": [
{
@@ -49,44 +56,6 @@
]
}
]
- },
- {
- "package": {
- "ecosystem": "Go",
- "name": "github.com/jackc/pgx/v4"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "4.18.2"
- }
- ]
- }
- ]
- },
- {
- "package": {
- "ecosystem": "Go",
- "name": "github.com/jackc/pgx/v5"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "5.0.0"
- },
- {
- "fixed": "5.5.4"
- }
- ]
- }
- ]
}
],
"references": [
@@ -128,7 +97,7 @@
"CWE-190",
"CWE-89"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-03-04T20:45:25Z",
"nvd_published_at": null
diff --git a/advisories/github-reviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json b/advisories/github-reviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json
new file mode 100644
index 00000000000..59d99b4a0ef
--- /dev/null
+++ b/advisories/github-reviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json
@@ -0,0 +1,104 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fhx8-5c23-x7x5",
+ "modified": "2024-09-16T22:28:01Z",
+ "published": "2024-03-01T15:31:37Z",
+ "aliases": [
+ "CVE-2023-46950"
+ ],
+ "summary": "Cross Site Scripting vulnerability in Contribsys Sidekiq ",
+ "details": "Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted URL to the filter functions.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "RubyGems",
+ "name": "sidekiq-unique-jobs"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "8.0.0"
+ },
+ {
+ "fixed": "8.0.7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "RubyGems",
+ "name": "sidekiq-unique-jobs"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "7.1.33"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46950"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/commit/cd09ba6108f98973b6649a6149790c3d4502b4cc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/mhenrixon/sidekiq-unique-jobs"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T22:28:01Z",
+ "nvd_published_at": "2024-03-01T14:15:53Z"
+ }
+}
\ No newline at end of file
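Review bot: The `summary` and `details` name Contribsys Sidekiq 6.5.8, but every `affected` entry and reference points to the `sidekiq-unique-jobs` gem, whose own advisory GHSA-cmh9-rx85-xj38 and the mgm-sp write-up describe a reflected XSS in that gem's filter handling. Anyone searching by product will be misled, and Sidekiq itself is not listed as affected; the text should say `sidekiq-unique-jobs`, e.g. `"summary": "Reflected cross-site scripting in sidekiq-unique-jobs web UI filters"` (which also drops the trailing space in the current summary). The ranges `[0, 7.1.33)` and `[8.0.0, 8.0.7)` match the v8.0.7 release reference; confirm 7.1.33 actually carries the backport.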
diff --git a/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json b/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json
index 9ab7551c0eb..c5e2e55f55f 100644
--- a/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json
+++ b/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-m7wr-2xf7-cm9p",
- "modified": "2024-03-12T15:15:00Z",
+ "modified": "2024-09-13T15:34:58Z",
"published": "2024-03-04T20:13:11Z",
"aliases": [
"CVE-2024-27289"
@@ -9,7 +9,14 @@
"summary": "pgx SQL Injection via Line Comment Creation",
"details": "### Impact\n\nSQL injection can occur when all of the following conditions are met:\n\n1. The non-default simple protocol is used.\n2. A placeholder for a numeric value must be immediately preceded by a minus.\n3. There must be a second placeholder for a string value after the first placeholder; both\nmust be on the same line.\n4. Both parameter values must be user-controlled.\n\ne.g. \n\nSimple mode must be enabled:\n\n```go\n// connection string includes \"prefer_simple_protocol=true\"\n// or\n// directly enabled in code\nconfig.ConnConfig.PreferSimpleProtocol = true\n```\n\nParameterized query:\n\n```sql\nSELECT * FROM example WHERE result=-$1 OR name=$2;\n```\n\nParameter values:\n\n`$1` => `-42`\n`$2` => `\"foo\\n 1 AND 1=0 UNION SELECT * FROM secrets; --\"`\n\nResulting query after preparation:\n\n```sql\nSELECT * FROM example WHERE result=--42 OR name= 'foo\n1 AND 1=0 UNION SELECT * FROM secrets; --';\n```\n\n### Patches\n\nThe problem is resolved in v4.18.2.\n\n### Workarounds\n\nDo not use the simple protocol or do not place a minus directly before a placeholder.\n",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+ }
],
"affected": [
{
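Review bot: The CVSS 4.0 vector uses `UI:P` while the CVSS 3.1 vector above uses `UI:N`; the `details` describe an attacker who controls both parameter values with no user action, so `UI:N` looks intended and the v4 string should read `.../PR:N/UI:N/VC:H/VI:H/VA:H/...`. The listed preconditions (simple protocol enabled, minus before a placeholder) are attack requirements, which v4 expresses with `AT:P` rather than with user interaction. Worth reconciling before the severity label is derived from it.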
@@ -69,7 +76,7 @@
"cwe_ids": [
"CWE-89"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-03-04T20:13:11Z",
"nvd_published_at": "2024-03-06T19:15:08Z"
diff --git a/advisories/github-reviewed/2024/03/GHSA-mrww-27vc-gghv/GHSA-mrww-27vc-gghv.json b/advisories/github-reviewed/2024/03/GHSA-mrww-27vc-gghv/GHSA-mrww-27vc-gghv.json
index cba66b21901..a5aa50b359a 100644
--- a/advisories/github-reviewed/2024/03/GHSA-mrww-27vc-gghv/GHSA-mrww-27vc-gghv.json
+++ b/advisories/github-reviewed/2024/03/GHSA-mrww-27vc-gghv/GHSA-mrww-27vc-gghv.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-mrww-27vc-gghv",
- "modified": "2024-03-14T21:45:18Z",
+ "modified": "2024-09-13T15:36:55Z",
"published": "2024-03-04T20:43:24Z",
"aliases": [
"CVE-2024-27304"
@@ -9,7 +9,14 @@
"summary": "pgx SQL Injection via Protocol Message Size Overflow",
"details": "### Impact\n\nSQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.\n\n### Patches\n\nThe problem is resolved in v4.18.2 and v5.5.4.\n\n### Workarounds\n\nReject user input large enough to cause a single query or bind message to exceed 4 GB in size.\n",
"severity": [
-
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+ }
],
"affected": [
{
@@ -50,44 +57,6 @@
}
]
},
- {
- "package": {
- "ecosystem": "Go",
- "name": "github.com/jackc/pgproto3"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "2.3.3"
- }
- ]
- }
- ]
- },
- {
- "package": {
- "ecosystem": "Go",
- "name": "github.com/jackc/pgproto3/v2"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "2.3.3"
- }
- ]
- }
- ]
- },
{
"package": {
"ecosystem": "Go",
@@ -162,7 +131,7 @@
"CWE-190",
"CWE-89"
],
- "severity": "MODERATE",
+ "severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-03-04T20:43:24Z",
"nvd_published_at": "2024-03-06T19:15:08Z"
diff --git a/advisories/github-reviewed/2024/05/GHSA-6wvf-f2vw-3425/GHSA-6wvf-f2vw-3425.json b/advisories/github-reviewed/2024/05/GHSA-6wvf-f2vw-3425/GHSA-6wvf-f2vw-3425.json
index 9364d394bf9..70d80d397c7 100644
--- a/advisories/github-reviewed/2024/05/GHSA-6wvf-f2vw-3425/GHSA-6wvf-f2vw-3425.json
+++ b/advisories/github-reviewed/2024/05/GHSA-6wvf-f2vw-3425/GHSA-6wvf-f2vw-3425.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-6wvf-f2vw-3425",
- "modified": "2024-08-30T00:31:22Z",
+ "modified": "2024-09-17T00:31:03Z",
"published": "2024-05-14T18:30:52Z",
"aliases": [
"CVE-2024-3727"
@@ -154,6 +154,10 @@
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-3727"
},
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2024:6708"
+ },
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6054"
diff --git a/advisories/unreviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json b/advisories/github-reviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json
similarity index 65%
rename from advisories/unreviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json
rename to advisories/github-reviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json
index 0277d923197..ae555185b32 100644
--- a/advisories/unreviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json
+++ b/advisories/github-reviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json
@@ -1,20 +1,43 @@
{
"schema_version": "1.4.0",
"id": "GHSA-pwc9-q4hj-pg8g",
- "modified": "2024-05-16T09:33:08Z",
+ "modified": "2024-09-13T19:34:51Z",
"published": "2024-05-16T09:33:08Z",
"aliases": [
"CVE-2024-4078"
],
+ "summary": "LoLLMS Command Injection vulnerability",
"details": "A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
}
],
"affected": [
-
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "lollms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "9.5.0"
+ }
+ ]
+ }
+ ]
+ }
],
"references": [
{
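Review bot: The new `summary` labels CVE-2024-4078 a command injection (matching the existing CWE-77), but the `details` describe missing path sanitization of the `name` parameter in `/unInstall_binding` that lets an attacker traverse directories and load a malicious `__init__.py`; that is path traversal leading to code execution, not injection into a shell command. A summary such as `"LoLLMS path traversal in /unInstall_binding leads to arbitrary code execution"` would describe it accurately, and CWE-22 (or CWE-94) fits better than CWE-77. The `fixed: 9.5.0` bound replaces the vague "latest version" wording in `details`; confirm commit 7ebe08d is contained in the 9.5.0 tag.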
@@ -25,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/parisneo/lollms/commit/7ebe08da7e0026b155af4f7be1d6417bc64cf02f"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/parisneo/lollms"
+ },
{
"type": "WEB",
"url": "https://huntr.com/bounties/a55a8c04-df44-49b2-bcfa-2a2b728a299d"
@@ -34,9 +61,9 @@
"cwe_ids": [
"CWE-77"
],
- "severity": "CRITICAL",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:34:51Z",
"nvd_published_at": "2024-05-16T09:15:15Z"
}
}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json b/advisories/github-reviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json
similarity index 65%
rename from advisories/unreviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json
rename to advisories/github-reviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json
index ac90b5bfa30..6f09a503d99 100644
--- a/advisories/unreviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json
+++ b/advisories/github-reviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json
@@ -1,20 +1,43 @@
{
"schema_version": "1.4.0",
"id": "GHSA-3x47-w4rx-6pm7",
- "modified": "2024-06-06T21:30:37Z",
+ "modified": "2024-09-13T19:34:34Z",
"published": "2024-06-06T21:30:37Z",
"aliases": [
"CVE-2024-3429"
],
- "details": "A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\\lollms\\security.py`. This vulnerability allows for arbitrary file reading when the application is running on Windows. The issue arises due to insufficient sanitization of user-supplied input, enabling attackers to bypass the path traversal protection mechanisms by crafting malicious input. Successful exploitation could lead to unauthorized access to sensitive files, information disclosure, and potentially a denial of service (DoS) condition by including numerous large or resource-intensive files. This vulnerability affects the latest version prior to 9.6.",
+ "summary": "LoLLMS Path Traversal vulnerability",
+ "details": "A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\\lollms\\security.py`. This vulnerability allows for arbitrary file reading when the application is running on Windows. The issue arises due to insufficient sanitization of user-supplied input, enabling attackers to bypass the path traversal protection mechanisms by crafting malicious input. Successful exploitation could lead to unauthorized access to sensitive files, information disclosure, and potentially a denial of service (DoS) condition by including numerous large or resource-intensive files. This vulnerability affects the latest version prior to 9.5.0.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
}
],
"affected": [
-
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "lollms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "9.5.0"
+ }
+ ]
+ }
+ ]
+ }
],
"references": [
{
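Review bot: The edit to `details` changes the upstream statement "prior to 9.6" to "prior to 9.5.0" so it agrees with the new `fixed: 9.5.0` event, but the hunk gives no evidence that commit f4424cf shipped in 9.5.0 rather than 9.6. If the original CVE text was right, every 9.5.x install remains vulnerable while this range tells scanners it is safe; the fix version should be checked against the tag containing the commit before the description is rewritten. The `E:P` threat metric on the v4 vector presumably reflects the public huntr report, which is reasonable if it includes a working proof of concept.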
@@ -25,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/parisneo/lollms/commit/f4424cfc3d6dfb3ad5ac17dd46801efe784933e9"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/parisneo/lollms"
+ },
{
"type": "WEB",
"url": "https://huntr.com/bounties/fd8f50c8-17f0-40be-a2c6-bb8d80f7c409"
@@ -34,9 +61,9 @@
"cwe_ids": [
"CWE-29"
],
- "severity": "CRITICAL",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:34:34Z",
"nvd_published_at": "2024-06-06T19:16:02Z"
}
}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/06/GHSA-79h8-gxhq-q3jg/GHSA-79h8-gxhq-q3jg.json b/advisories/github-reviewed/2024/06/GHSA-79h8-gxhq-q3jg/GHSA-79h8-gxhq-q3jg.json
index 2fe47bbfb0b..5c846a5dfa3 100644
--- a/advisories/github-reviewed/2024/06/GHSA-79h8-gxhq-q3jg/GHSA-79h8-gxhq-q3jg.json
+++ b/advisories/github-reviewed/2024/06/GHSA-79h8-gxhq-q3jg/GHSA-79h8-gxhq-q3jg.json
@@ -51,6 +51,7 @@
],
"database_specific": {
"cwe_ids": [
+ "CWE-78",
"CWE-94"
],
"severity": "MODERATE",
diff --git a/advisories/github-reviewed/2024/06/GHSA-hx54-pf28-7xch/GHSA-hx54-pf28-7xch.json b/advisories/github-reviewed/2024/06/GHSA-hx54-pf28-7xch/GHSA-hx54-pf28-7xch.json
index 44d4128401e..6a0f37f5660 100644
--- a/advisories/github-reviewed/2024/06/GHSA-hx54-pf28-7xch/GHSA-hx54-pf28-7xch.json
+++ b/advisories/github-reviewed/2024/06/GHSA-hx54-pf28-7xch/GHSA-hx54-pf28-7xch.json
@@ -51,6 +51,7 @@
],
"database_specific": {
"cwe_ids": [
+ "CWE-611",
"CWE-776"
],
"severity": "CRITICAL",
diff --git a/advisories/unreviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json b/advisories/github-reviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json
similarity index 69%
rename from advisories/unreviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json
rename to advisories/github-reviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json
index 4cb44522e42..95986f2e964 100644
--- a/advisories/unreviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json
+++ b/advisories/github-reviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json
@@ -1,20 +1,43 @@
{
"schema_version": "1.4.0",
"id": "GHSA-p8h7-c8gw-6x8c",
- "modified": "2024-06-06T21:30:37Z",
+ "modified": "2024-09-13T19:34:56Z",
"published": "2024-06-06T21:30:37Z",
"aliases": [
"CVE-2024-4881"
],
- "details": "A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 5.9.0. The vulnerability arises due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse beyond the intended directory and read any file on the Windows system. Specifically, the application fails to adequately sanitize file paths containing backslashes (`\\`), which can be exploited to access the root directory and read, or even delete, sensitive files. This issue was discovered in the context of the `/user_infos` endpoint, where a crafted request using backslashes to reference a file (e.g., `\\windows\\win.ini`) could result in unauthorized file access. The impact of this vulnerability includes the potential for attackers to access sensitive information such as environment variables, database files, and configuration files, which could lead to further compromise of the system.",
+ "summary": "LoLLMS Path Traversal vulnerability",
+ "details": "A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 9.5.0. The vulnerability arises due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse beyond the intended directory and read any file on the Windows system. Specifically, the application fails to adequately sanitize file paths containing backslashes (`\\`), which can be exploited to access the root directory and read, or even delete, sensitive files. This issue was discovered in the context of the `/user_infos` endpoint, where a crafted request using backslashes to reference a file (e.g., `\\windows\\win.ini`) could result in unauthorized file access. The impact of this vulnerability includes the potential for attackers to access sensitive information such as environment variables, database files, and configuration files, which could lead to further compromise of the system.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
}
],
"affected": [
-
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "lollms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "9.5.0"
+ }
+ ]
+ }
+ ]
+ }
],
"references": [
{
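Review bot: The CVSS_V4 vector added on the `"score"` line under `"type": "CVSS_V4"` encodes `VI:N` (and the retained CVSS_V3 vector `I:N`), yet the rewritten details in the same hunk state that a crafted path lets an attacker "read, or even delete, sensitive files". If deletion is genuinely possible the integrity metrics should not be None, e.g. `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"` with the v3 vector adjusted to match; if it is not, the "or even delete" clause in the details should go so that prose and scores agree. Either way the contradiction is worth resolving before the later hunk in this file flips `github_reviewed` to true.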
@@ -25,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/parisneo/lollms/commit/95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/parisneo/lollms"
+ },
{
"type": "WEB",
"url": "https://huntr.com/bounties/94f7f901-80b0-4cf5-b545-ac5c1e7635e9"
@@ -35,8 +62,8 @@
"CWE-36"
],
"severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:34:56Z",
"nvd_published_at": "2024-06-06T19:16:03Z"
}
}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json b/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json
index 55c001b6c97..149266bcc8a 100644
--- a/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json
+++ b/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-whf4-fpj8-pgg8",
- "modified": "2024-06-07T21:54:40Z",
+ "modified": "2024-09-16T16:54:09Z",
"published": "2024-06-07T21:31:54Z",
"aliases": [
"CVE-2024-36827"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
@@ -47,10 +51,15 @@
{
"type": "PACKAGE",
"url": "https://github.com/dnkorpushov/ebookmeta"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ebookmeta/PYSEC-2024-76.yaml"
}
],
"database_specific": {
"cwe_ids": [
+ "CWE-611",
"CWE-776"
],
"severity": "HIGH",
diff --git a/advisories/unreviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json b/advisories/github-reviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json
similarity index 60%
rename from advisories/unreviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json
rename to advisories/github-reviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json
index e88ef555ca1..45e5ed2d269 100644
--- a/advisories/unreviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json
+++ b/advisories/github-reviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json
@@ -1,20 +1,43 @@
{
"schema_version": "1.4.0",
"id": "GHSA-8mrm-r7h3-c3hj",
- "modified": "2024-07-20T06:30:35Z",
+ "modified": "2024-09-13T19:34:25Z",
"published": "2024-07-20T06:30:35Z",
"aliases": [
"CVE-2024-6281"
],
+ "summary": "LoLLMS vulnerable to Expected Behavior Violation",
"details": "A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to important system folders.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
-
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "lollms"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "9.5.1"
+ }
+ ]
+ }
+ ]
+ }
],
"references": [
{
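Review bot: The new `"summary"` line, "LoLLMS vulnerable to Expected Behavior Violation", is derived from the CWE-440 tag rather than from the weakness the details actually describe, which is a path traversal in `apply_settings` through the `discussion_db_name` parameter. A title naming the real weakness, `"summary": "LoLLMS Path Traversal vulnerability in apply_settings"`, would match the sibling lollms advisory in this commit and what readers search for; the `cwe_ids` hunk later in this file, which keeps only `"CWE-440"`, would then also benefit from adding `"CWE-22"`. The hunk ends right after `"references": [`, so the remaining references are outside this view.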
@@ -25,6 +48,10 @@
"type": "WEB",
"url": "https://github.com/parisneo/lollms/commit/26a3ff35acf152b49e1087d5698ad4864c7b6092"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/parisneo/lollms"
+ },
{
"type": "WEB",
"url": "https://huntr.com/bounties/0a62f2fb-4e62-4128-9dc4-e8f1d959ac61"
@@ -35,8 +62,8 @@
"CWE-440"
],
"severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:34:25Z",
"nvd_published_at": "2024-07-20T04:15:05Z"
}
}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/08/GHSA-4323-f82v-f6jr/GHSA-4323-f82v-f6jr.json b/advisories/github-reviewed/2024/08/GHSA-4323-f82v-f6jr/GHSA-4323-f82v-f6jr.json
new file mode 100644
index 00000000000..839ce618199
--- /dev/null
+++ b/advisories/github-reviewed/2024/08/GHSA-4323-f82v-f6jr/GHSA-4323-f82v-f6jr.json
@@ -0,0 +1,158 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4323-f82v-f6jr",
+ "modified": "2024-09-16T20:09:42Z",
+ "published": "2024-08-14T12:35:02Z",
+ "aliases": [
+ "CVE-2024-39410"
+ ],
+ "summary": "Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability",
+ "details": "Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.7-p1"
+ },
+ {
+ "fixed": "2.4.7-p2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.7"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.6-p1"
+ },
+ {
+ "fixed": "2.4.6-p7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.6"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.5-p1"
+ },
+ {
+ "fixed": "2.4.5-p9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.5"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.4-p10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.4"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39410"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/magento/magento2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:09:42Z",
+ "nvd_published_at": "2024-08-14T12:15:27Z"
+ }
+}
\ No newline at end of file
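Review bot: The CVSS vectors on the two `"score"` lines carry `PR:L/UI:N` (v3) and `PR:L/UI:N` (v4) while the details state "Exploitation of this issue requires user interaction" and the entry is tagged CWE-352, a weakness that needs the victim to submit the forged request. The two sibling CSRF advisories from the same Adobe bulletin in this commit (CVE-2024-39408 and CVE-2024-39409) use `PR:N/UI:R` and `UI:P` for word-for-word identical details, so this vector looks like it was taken from a different row; if the published score for this CVE really is PR:L/UI:N then the details text is what needs correcting. Whichever source is authoritative, prose, CWE and vectors should agree before the entry ships as `"github_reviewed": true`.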
diff --git a/advisories/github-reviewed/2024/08/GHSA-4cj6-f32v-6hgx/GHSA-4cj6-f32v-6hgx.json b/advisories/github-reviewed/2024/08/GHSA-4cj6-f32v-6hgx/GHSA-4cj6-f32v-6hgx.json
new file mode 100644
index 00000000000..579f2246079
--- /dev/null
+++ b/advisories/github-reviewed/2024/08/GHSA-4cj6-f32v-6hgx/GHSA-4cj6-f32v-6hgx.json
@@ -0,0 +1,158 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4cj6-f32v-6hgx",
+ "modified": "2024-09-16T20:09:17Z",
+ "published": "2024-08-14T12:35:02Z",
+ "aliases": [
+ "CVE-2024-39408"
+ ],
+ "summary": "Magento Open Source Cross-Site Request Forgery vulnerability",
+ "details": "Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.7-p1"
+ },
+ {
+ "fixed": "2.4.7-p2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.7"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.6-p1"
+ },
+ {
+ "fixed": "2.4.6-p7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.6"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.5-p1"
+ },
+ {
+ "fixed": "2.4.5-p9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.5"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.4-p10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.4"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39408"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/magento/magento2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:09:17Z",
+ "nvd_published_at": "2024-08-14T12:15:26Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/08/GHSA-6pxh-2557-5cj5/GHSA-6pxh-2557-5cj5.json b/advisories/github-reviewed/2024/08/GHSA-6pxh-2557-5cj5/GHSA-6pxh-2557-5cj5.json
new file mode 100644
index 00000000000..8f5672e2a45
--- /dev/null
+++ b/advisories/github-reviewed/2024/08/GHSA-6pxh-2557-5cj5/GHSA-6pxh-2557-5cj5.json
@@ -0,0 +1,158 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6pxh-2557-5cj5",
+ "modified": "2024-09-16T18:26:41Z",
+ "published": "2024-08-14T12:35:02Z",
+ "aliases": [
+ "CVE-2024-39406"
+ ],
+ "summary": "Magento Open Source Path Traversal vulnerability",
+ "details": "Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exploitation of this issue does not require user interaction and scope is changed.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.7-p1"
+ },
+ {
+ "fixed": "2.4.7-p2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.7"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.6-p1"
+ },
+ {
+ "fixed": "2.4.6-p7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.6"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.5-p1"
+ },
+ {
+ "fixed": "2.4.5-p9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.5"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.4-p10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.4"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39406"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/magento/magento2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T18:26:14Z",
+ "nvd_published_at": "2024-08-14T12:15:26Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/08/GHSA-7472-vw39-g2j3/GHSA-7472-vw39-g2j3.json b/advisories/github-reviewed/2024/08/GHSA-7472-vw39-g2j3/GHSA-7472-vw39-g2j3.json
new file mode 100644
index 00000000000..8eb7d1f1cce
--- /dev/null
+++ b/advisories/github-reviewed/2024/08/GHSA-7472-vw39-g2j3/GHSA-7472-vw39-g2j3.json
@@ -0,0 +1,158 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7472-vw39-g2j3",
+ "modified": "2024-09-16T20:10:08Z",
+ "published": "2024-08-14T12:35:02Z",
+ "aliases": [
+ "CVE-2024-39412"
+ ],
+ "summary": "Magento Open Source Improper Authorization vulnerability",
+ "details": "Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.7-p1"
+ },
+ {
+ "fixed": "2.4.7-p2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.7"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.6-p1"
+ },
+ {
+ "fixed": "2.4.6-p7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.6"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.5-p1"
+ },
+ {
+ "fixed": "2.4.5-p9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.5"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.4-p10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.4"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39412"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/magento/magento2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-285"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:10:08Z",
+ "nvd_published_at": "2024-08-14T12:15:27Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/08/GHSA-cj55-gc7m-wvcq/GHSA-cj55-gc7m-wvcq.json b/advisories/github-reviewed/2024/08/GHSA-cj55-gc7m-wvcq/GHSA-cj55-gc7m-wvcq.json
index f3f73e933a0..d6596c7d6cc 100644
--- a/advisories/github-reviewed/2024/08/GHSA-cj55-gc7m-wvcq/GHSA-cj55-gc7m-wvcq.json
+++ b/advisories/github-reviewed/2024/08/GHSA-cj55-gc7m-wvcq/GHSA-cj55-gc7m-wvcq.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-cj55-gc7m-wvcq",
- "modified": "2024-08-26T15:54:18Z",
+ "modified": "2024-09-16T16:05:30Z",
"published": "2024-08-26T00:30:54Z",
"aliases": [
"CVE-2024-45258"
@@ -37,6 +37,44 @@
]
}
]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/imroc/req"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.43.4"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/imroc/req/v2"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.43.4"
+ }
+ ]
+ }
+ ]
}
],
"references": [
@@ -55,6 +93,10 @@
{
"type": "WEB",
"url": "https://github.com/imroc/req/compare/v3.43.3...v3.43.4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2024-3098"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2024/08/GHSA-fmj9-77q8-g6c4/GHSA-fmj9-77q8-g6c4.json b/advisories/github-reviewed/2024/08/GHSA-fmj9-77q8-g6c4/GHSA-fmj9-77q8-g6c4.json
index b8af79c5752..e0a66a5827a 100644
--- a/advisories/github-reviewed/2024/08/GHSA-fmj9-77q8-g6c4/GHSA-fmj9-77q8-g6c4.json
+++ b/advisories/github-reviewed/2024/08/GHSA-fmj9-77q8-g6c4/GHSA-fmj9-77q8-g6c4.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-fmj9-77q8-g6c4",
- "modified": "2024-08-27T18:14:12Z",
+ "modified": "2024-09-13T13:35:59Z",
"published": "2024-08-27T18:14:12Z",
"aliases": [
"CVE-2024-43414"
@@ -82,6 +82,10 @@
"type": "WEB",
"url": "https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4"
},
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43414"
+ },
{
"type": "WEB",
"url": "https://github.com/apollographql/router/commit/e309c9bb5a48c1304ff69c88b7eabdd08c26bf45"
@@ -101,11 +105,12 @@
],
"database_specific": {
"cwe_ids": [
- "CWE-673"
+ "CWE-673",
+ "CWE-674"
],
"severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2024-08-27T18:14:12Z",
- "nvd_published_at": null
+ "nvd_published_at": "2024-08-27T18:15:15Z"
}
}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/08/GHSA-ghg6-32f9-2jp7/GHSA-ghg6-32f9-2jp7.json b/advisories/github-reviewed/2024/08/GHSA-ghg6-32f9-2jp7/GHSA-ghg6-32f9-2jp7.json
index 2582f9dfebc..e942d4fd349 100644
--- a/advisories/github-reviewed/2024/08/GHSA-ghg6-32f9-2jp7/GHSA-ghg6-32f9-2jp7.json
+++ b/advisories/github-reviewed/2024/08/GHSA-ghg6-32f9-2jp7/GHSA-ghg6-32f9-2jp7.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-ghg6-32f9-2jp7",
- "modified": "2024-09-04T14:15:19Z",
+ "modified": "2024-09-13T13:37:31Z",
"published": "2024-08-29T17:58:27Z",
"aliases": [
"CVE-2024-45048"
@@ -29,7 +29,26 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "2.0.0"
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.29.1"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "phpoffice/phpspreadsheet"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.2.0"
},
{
"fixed": "2.2.1"
@@ -48,10 +67,10 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "0"
+ "introduced": "2.0.0"
},
{
- "fixed": "1.29.1"
+ "fixed": "2.1.1"
}
]
}
diff --git a/advisories/github-reviewed/2024/08/GHSA-m3px-vjxr-fx4m/GHSA-m3px-vjxr-fx4m.json b/advisories/github-reviewed/2024/08/GHSA-m3px-vjxr-fx4m/GHSA-m3px-vjxr-fx4m.json
index 71516dc7dab..6bb94aa8128 100644
--- a/advisories/github-reviewed/2024/08/GHSA-m3px-vjxr-fx4m/GHSA-m3px-vjxr-fx4m.json
+++ b/advisories/github-reviewed/2024/08/GHSA-m3px-vjxr-fx4m/GHSA-m3px-vjxr-fx4m.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-m3px-vjxr-fx4m",
- "modified": "2024-08-12T18:36:10Z",
+ "modified": "2024-09-16T14:51:34Z",
"published": "2024-08-12T18:36:10Z",
"aliases": [
"CVE-2024-42485"
@@ -29,7 +29,7 @@
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "0"
+ "introduced": "2.0.0-alpha"
},
{
"fixed": "2.3.3"
@@ -37,6 +37,25 @@
]
}
]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "pxlrbt/filament-excel"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.14"
+ }
+ ]
+ }
+ ]
}
],
"references": [
@@ -48,6 +67,10 @@
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42485"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pxlrbt/filament-excel/commit/af36f933b032aefccc87d17431b6e74673b04af5"
+ },
{
"type": "WEB",
"url": "https://github.com/pxlrbt/filament-excel/commit/bda42891a4b0c15d5dab5da8c53a006ddadccfb7"
@@ -55,6 +78,10 @@
{
"type": "PACKAGE",
"url": "https://github.com/pxlrbt/filament-excel"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pxlrbt/filament-excel/releases/tag/v1.1.14"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2024/08/GHSA-rf4q-m23c-7q8r/GHSA-rf4q-m23c-7q8r.json b/advisories/github-reviewed/2024/08/GHSA-rf4q-m23c-7q8r/GHSA-rf4q-m23c-7q8r.json
new file mode 100644
index 00000000000..e98bb9817c8
--- /dev/null
+++ b/advisories/github-reviewed/2024/08/GHSA-rf4q-m23c-7q8r/GHSA-rf4q-m23c-7q8r.json
@@ -0,0 +1,158 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rf4q-m23c-7q8r",
+ "modified": "2024-09-16T20:09:34Z",
+ "published": "2024-08-14T12:35:02Z",
+ "aliases": [
+ "CVE-2024-39409"
+ ],
+ "summary": "Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability",
+ "details": "Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.7-p1"
+ },
+ {
+ "fixed": "2.4.7-p2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.7"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.6-p1"
+ },
+ {
+ "fixed": "2.4.6-p7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.6"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.5-p1"
+ },
+ {
+ "fixed": "2.4.5-p9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.5"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.4-p10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.4"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39409"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/magento/magento2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:09:33Z",
+ "nvd_published_at": "2024-08-14T12:15:26Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/09/GHSA-2326-pfpj-vx3h/GHSA-2326-pfpj-vx3h.json b/advisories/github-reviewed/2024/09/GHSA-2326-pfpj-vx3h/GHSA-2326-pfpj-vx3h.json
new file mode 100644
index 00000000000..d42498ee1fa
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-2326-pfpj-vx3h/GHSA-2326-pfpj-vx3h.json
@@ -0,0 +1,82 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2326-pfpj-vx3h",
+ "modified": "2024-09-16T17:19:01Z",
+ "published": "2024-09-16T17:19:01Z",
+ "aliases": [
+
+ ],
+ "summary": "lexical-core has multiple soundness issues",
+ "details": "`RUSTSEC-2024-0377` contains multiple soundness issues:\n\n 1. [Bytes::read() allows creating instances of types with invalid bit patterns](https://github.com/Alexhuszagh/rust-lexical/issues/102)\n 1. [BytesIter::read() advances iterators out of bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101)\n 1. [The `BytesIter` trait has safety invariants but is public and not marked `unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104)\n 1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/95)\n 1. [`radix()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/126)\n\nVersion 1.0 fixes these issues, removes the vast majority of `unsafe` code, and also fixes some correctness issues.\n",
+ "severity": [
+
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "crates.io",
+ "name": "lexical-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/Alexhuszagh/rust-lexical/issues/101"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Alexhuszagh/rust-lexical/issues/102"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Alexhuszagh/rust-lexical/issues/104"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Alexhuszagh/rust-lexical/issues/126"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Alexhuszagh/rust-lexical/issues/95"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/Alexhuszagh/rust-lexical"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-c2hm-mjxv-89r4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://rustsec.org/advisories/RUSTSEC-2023-0055"
+ },
+ {
+ "type": "WEB",
+ "url": "https://rustsec.org/advisories/RUSTSEC-2023-0086.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T17:19:01Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
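Review bot: The details open with "`RUSTSEC-2024-0377` contains multiple soundness issues", but that RustSec id appears nowhere else in the record: `"aliases"` is an empty array and the `references` list only RUSTSEC-2023-0055 and RUSTSEC-2023-0086, so a reader cannot follow the advisory this entry is imported from. Add a reference such as `{"type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2024-0377.html"}` (and the id under `"aliases"` if that is the database's convention for RustSec-sourced entries), and consider rewording the opening to say the crate rather than the id has the issues. Two phrases in the details also doubled a word, "which is is not allowed", in the `write_float()` and `radix()` items.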
diff --git a/advisories/github-reviewed/2024/09/GHSA-2xpq-xp6c-5mgj/GHSA-2xpq-xp6c-5mgj.json b/advisories/github-reviewed/2024/09/GHSA-2xpq-xp6c-5mgj/GHSA-2xpq-xp6c-5mgj.json
new file mode 100644
index 00000000000..12c9533455e
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-2xpq-xp6c-5mgj/GHSA-2xpq-xp6c-5mgj.json
@@ -0,0 +1,115 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2xpq-xp6c-5mgj",
+ "modified": "2024-09-17T14:59:02Z",
+ "published": "2024-09-17T14:59:02Z",
+ "aliases": [
+ "CVE-2024-45612"
+ ],
+ "summary": "Contao affected by insert tag injection via canonical URL",
+ "details": "### Impact\n\nIt is possible to inject insert tags in canonical URLs which will be replaced when the page is rendered.\n\n### Patches\n\nUpdate to Contao 4.13.49, 5.3.15 or 5.4.3.\n\n### Workarounds\n\nDisable canonical tags in the settings of the website root page.\n\n### References\n\nhttps://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/core-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.13.0"
+ },
+ {
+ "fixed": "4.13.49"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/core-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "5.0.0"
+ },
+ {
+ "fixed": "5.3.15"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/core-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "5.4.0"
+ },
+ {
+ "fixed": "5.4.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/commit/1c28e9ac7a7b915134962a59681a8701a44ccbe2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/commit/d105224e14ddc84f27cd8802b553369decdcbe66"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/commit/ffe05cda5310dc2bd259d1391197f3849dab8590"
+ },
+ {
+ "type": "WEB",
+ "url": "https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/contao/contao"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-17T14:59:02Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
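Review bot: The first affected entry opens at `"introduced": "4.13.0"`, so any contao/core-bundle release below 4.13 is reported as unaffected, whereas the sibling Contao advisory in this batch (GHSA-4p75-5p53-65m9) opens its range for the same package at `"introduced": "0"`. If the 4.x lines before 4.13 are merely unsupported rather than known-unaffected, the batch convention would be `"introduced": "0"` here too; if they are genuinely unaffected, a sentence in details saying so would stop the gap reading as an omission. The 5.0.0→5.3.15 and 5.4.0→5.4.3 entries line up with the patch versions named in details.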
diff --git a/advisories/unreviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json b/advisories/github-reviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json
similarity index 58%
rename from advisories/unreviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json
rename to advisories/github-reviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json
index b5baa7c83db..88019e616bf 100644
--- a/advisories/unreviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json
+++ b/advisories/github-reviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json
@@ -1,20 +1,43 @@
{
"schema_version": "1.4.0",
"id": "GHSA-32fj-r8qw-r8w8",
- "modified": "2024-09-12T15:33:01Z",
+ "modified": "2024-09-12T19:50:04Z",
"published": "2024-09-12T15:33:01Z",
"aliases": [
"CVE-2024-45856"
],
+ "summary": "MindsDB Cross-site Scripting vulnerability",
"details": "A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"
}
],
"affected": [
-
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "mindsdb"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "24.9.2.1"
+ }
+ ]
+ }
+ ]
+ }
],
"references": [
{
@@ -30,9 +53,9 @@
"cwe_ids": [
"CWE-79"
],
- "severity": "CRITICAL",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-12T19:50:04Z",
"nvd_published_at": "2024-09-12T13:15:15Z"
}
}
\ No newline at end of file
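Review bot: `database_specific.severity` drops from CRITICAL to MODERATE in this hunk, but the CVSS_V3 vector retained in the first hunk (`AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H`, which computes to 9.0) still says Critical; the MODERATE label appears to follow the newly added CVSS_V4 vector, whose vulnerable-system impacts are all N. Consumers that only read CVSS_V3 will disagree with the database severity. Either re-score the v3 vector to reflect the reviewer's assessment or record a rationale for the divergence. The `"last_affected": "24.9.2.1"` event with no `fixed` is consistent with details claiming all versions are affected.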
diff --git a/advisories/github-reviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json b/advisories/github-reviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json
new file mode 100644
index 00000000000..aeeceeb3b9e
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json
@@ -0,0 +1,87 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3xq2-w6j4-c99r",
+ "modified": "2024-09-16T20:19:35Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-22399"
+ ],
+ "summary": "Apache Seata Deserialization of Untrusted Data vulnerability",
+ "details": "Deserialization of Untrusted Data vulnerability in Apache Seata. \n\nWhen developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol.\n\nThis issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0.\n\nUsers are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.seata:seata-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "2.1.0"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "2.0.0"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.seata:seata-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "1.0.0"
+ },
+ {
+ "fixed": "1.8.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22399"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/apache/incubator-seata"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:18:41Z",
+ "nvd_published_at": "2024-09-16T12:15:02Z"
+ }
+}
\ No newline at end of file
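Review bot: The `"versions": ["2.0.0"]` enumeration is attached only to the 2.0.0→2.1.0 entry, while the 1.0.0→1.8.1 entry relies on its range alone; since the 2.x range already implies exactly 2.0.0, either drop the lone `versions` list or add the matching enumeration for 1.x so both entries are shaped the same way. Details also restricts the issue to servers with authentication disabled, a precondition the CVSS_V4 vector encodes as `AT:P` but which no structured field otherwise captures, so the prose is the only place a reader learns it.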
diff --git a/advisories/github-reviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json b/advisories/github-reviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json
new file mode 100644
index 00000000000..6e4b29556ff
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json
@@ -0,0 +1,74 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-46hr-3cq3-mcgp",
+ "modified": "2024-09-16T20:16:16Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-46943"
+ ],
+ "summary": "OpenDaylight Authentication, Authorization and Accounting (AAA) peer impersonation vulnerability",
+ "details": "An issue was discovered in OpenDaylight Authentication, Authorization and Accounting (AAA) through 0.19.3. A rogue controller can join a cluster to impersonate an offline peer, even if this rogue controller does not possess the complete cluster configuration information.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.opendaylight.aaa:aaa-artifacts"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "0.19.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46943"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.opendaylight.org/en/latest/release-notes/projects/aaa.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://doi.org/10.48550/arXiv.2408.16940"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/opendaylight/aaa"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lf-opendaylight.atlassian.net/browse/AAA-285"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-285",
+ "CWE-287"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:16:16Z",
+ "nvd_published_at": "2024-09-15T23:15:11Z"
+ }
+}
\ No newline at end of file
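Review bot: The range closes with `"last_affected": "0.19.3"` and no `fixed` event, yet the references include the project's release-notes page; if a release after 0.19.3 contains the fix, the event should become `{"fixed": "<fixed version from the release notes>"}` so scanners stop flagging patched builds, and if no fix exists a sentence saying so in details would make the `last_affected` choice deliberate. The details text itself only says "through 0.19.3", which matches the range as written.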
diff --git a/advisories/unreviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json b/advisories/github-reviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json
similarity index 54%
rename from advisories/unreviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json
rename to advisories/github-reviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json
index 9003944e72b..b9756154c24 100644
--- a/advisories/unreviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json
+++ b/advisories/github-reviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json
@@ -1,26 +1,57 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4fgp-7vvm-m4jf",
- "modified": "2024-09-12T15:33:00Z",
+ "modified": "2024-09-12T19:49:50Z",
"published": "2024-09-12T15:33:00Z",
"aliases": [
"CVE-2024-27321"
],
+ "summary": "Refuel Autolab Eval Injection vulnerability",
"details": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
-
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "refuel-autolabel"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.0.8"
+ },
+ {
+ "last_affected": "0.0.16"
+ }
+ ]
+ }
+ ]
+ }
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27321"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/refuel-ai/autolabel"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/refuel-ai/autolabel/blob/v0.0.16/src/autolabel/dataset/validation.py#L129-L146"
+ },
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel"
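Review bot: The new summary reads "Refuel Autolab Eval Injection vulnerability" while details and the package name say Autolabel (`refuel-autolabel`); change it to `"summary": "Refuel Autolabel Eval Injection vulnerability",`. Separately, the retained CVSS_V3 vector scores `AV:L/.../PR:N/UI:R` while the added CVSS_V4 vector scores `AV:N/.../PR:L/UI:P`, so the two disagree on whether the attacker is local or remote and whether privileges are needed. The same v3/v4 mismatch appears in GHSA-8cm9-rrgc-4pcj (AV:L vs AV:N) and GHSA-fr9q-rgwq-g5r5 (AC:H vs AC:L) in this diff and should be reconciled or explained once.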
@@ -31,8 +62,8 @@
"CWE-95"
],
"severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-12T19:49:50Z",
"nvd_published_at": "2024-09-12T13:15:12Z"
}
}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/09/GHSA-4p75-5p53-65m9/GHSA-4p75-5p53-65m9.json b/advisories/github-reviewed/2024/09/GHSA-4p75-5p53-65m9/GHSA-4p75-5p53-65m9.json
new file mode 100644
index 00000000000..86c4266f5ee
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-4p75-5p53-65m9/GHSA-4p75-5p53-65m9.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4p75-5p53-65m9",
+ "modified": "2024-09-17T14:58:45Z",
+ "published": "2024-09-17T14:58:45Z",
+ "aliases": [
+ "CVE-2024-45604"
+ ],
+ "summary": "Contao affected by directory traversal in the file selector widget",
+ "details": "### Impact\n\nBack end users can list files outside their file mounts or the document root in the FileSelector widget.\n\n### Patches\n\nUpdate to Contao 4.13.49.\n\n### Workarounds\n\nNone.\n\n### References\n\nhttps://contao.org/en/security-advisories/directory-traversal-in-the-fileselector-widget\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).\n\n### Credits\n\nThanks to Jakob Steeg from usd AG for reporting this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/core-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.13.49"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/security/advisories/GHSA-4p75-5p53-65m9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/commit/63409c6bdfd95197d9906e229d765b630d45742e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://contao.org/en/security-advisories/directory-traversal-in-the-fileselector-widget"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/contao/contao"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-17T14:58:45Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/09/GHSA-4qrm-9h4r-v2fx/GHSA-4qrm-9h4r-v2fx.json b/advisories/github-reviewed/2024/09/GHSA-4qrm-9h4r-v2fx/GHSA-4qrm-9h4r-v2fx.json
index 8ec5b4b9f11..ae0a3fc0fe3 100644
--- a/advisories/github-reviewed/2024/09/GHSA-4qrm-9h4r-v2fx/GHSA-4qrm-9h4r-v2fx.json
+++ b/advisories/github-reviewed/2024/09/GHSA-4qrm-9h4r-v2fx/GHSA-4qrm-9h4r-v2fx.json
@@ -63,7 +63,8 @@
],
"database_specific": {
"cwe_ids": [
- "CWE-200"
+ "CWE-200",
+ "CWE-312"
],
"severity": "HIGH",
"github_reviewed": true,
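Review bot: This file gains `"CWE-312"` but, unlike the other modified advisories visible in this diff, has no hunk bumping the top-level `modified` timestamp; consumers that sync incrementally on `modified` will not pick up the new CWE. Bump `modified` to the time of this edit in the same commit. The rest of the `database_specific` block is unchanged, and the enclosing object starts outside the hunk.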
diff --git a/advisories/github-reviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json b/advisories/github-reviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json
new file mode 100644
index 00000000000..1aa8295774e
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5777-rcjj-9p22",
+ "modified": "2024-09-16T20:20:49Z",
+ "published": "2024-09-16T15:32:46Z",
+ "aliases": [
+ "CVE-2024-39772"
+ ],
+ "summary": "Mattermost Desktop App fails to safeguard screen capture functionality",
+ "details": "Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "mattermost-desktop"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "5.9.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39772"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/mattermost/desktop"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "LOW",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:20:49Z",
+ "nvd_published_at": "2024-09-16T15:15:16Z"
+ }
+}
\ No newline at end of file
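Review bot: The affected package is recorded as npm `mattermost-desktop`, but details describes a desktop application rather than a library that dependency scanners resolve from the npm registry; if that name is not actually published on npm, ecosystem matching will never fire and the advisory is effectively unreachable to tooling. Confirm the name resolves on the registry, or note in details that detection is by installed application version. The `"fixed": "5.9.0"` event is consistent with the `<=5.8.0` statement in details.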
diff --git a/advisories/github-reviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json b/advisories/github-reviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json
new file mode 100644
index 00000000000..2986ae4b838
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6p2q-8qfq-wq7x",
+ "modified": "2024-09-13T19:29:12Z",
+ "published": "2024-09-13T18:31:48Z",
+ "aliases": [
+ "CVE-2024-6087"
+ ],
+ "summary": "Lunary improper access control vulnerability",
+ "details": "An improper access control vulnerability exists in lunary-ai/lunary prior to commit 844e8855c7a713dc7371766dba4125de4007b1cf on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "lunary"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.9"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6087"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lunary-ai/lunary/commit/844e8855c7a713dc7371766dba4125de4007b1cf"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/lunary-ai/lunary"
+ },
+ {
+ "type": "WEB",
+ "url": "https://huntr.com/bounties/bd9f2301-11c7-4cbd-8d77-3e9225bd67e8"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:29:12Z",
+ "nvd_published_at": "2024-09-13T17:15:13Z"
+ }
+}
\ No newline at end of file
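Review bot: Both CVSS vectors score integrity as `I:N` / `VI:N`, yet details describes resetting a target user's password and "full account takeover", which is an integrity impact on the victim's account as well as a confidentiality one. If the vectors were carried over from the reporter's submission, re-scoring with `I:H`/`VI:H` (or stating why the takeover is treated as confidentiality-only) would align the numbers with the narrative. The `"CWE-284"` tag is broad; the described flaw is reuse of a retracted invite token, which reads closer to an authentication weakness than to generic access control.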
diff --git a/advisories/github-reviewed/2024/09/GHSA-7vhh-gfjc-x8rm/GHSA-7vhh-gfjc-x8rm.json b/advisories/github-reviewed/2024/09/GHSA-7vhh-gfjc-x8rm/GHSA-7vhh-gfjc-x8rm.json
index 11b29e6bfbf..c44ca33ac82 100644
--- a/advisories/github-reviewed/2024/09/GHSA-7vhh-gfjc-x8rm/GHSA-7vhh-gfjc-x8rm.json
+++ b/advisories/github-reviewed/2024/09/GHSA-7vhh-gfjc-x8rm/GHSA-7vhh-gfjc-x8rm.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-7vhh-gfjc-x8rm",
- "modified": "2024-09-12T17:38:45Z",
+ "modified": "2024-09-17T15:38:50Z",
"published": "2024-09-12T15:33:01Z",
"aliases": [
"CVE-2024-45854"
@@ -52,6 +52,10 @@
"type": "WEB",
"url": "https://github.com/mindsdb/mindsdb/blob/v24.9.2.1/mindsdb/integrations/handlers/byom_handler/byom_handler.py#L444-L449"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-84.yaml"
+ },
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
diff --git a/advisories/github-reviewed/2024/09/GHSA-7vhj-pfwv-hx3w/GHSA-7vhj-pfwv-hx3w.json b/advisories/github-reviewed/2024/09/GHSA-7vhj-pfwv-hx3w/GHSA-7vhj-pfwv-hx3w.json
index 2aca24e628d..18d6ebe3ea1 100644
--- a/advisories/github-reviewed/2024/09/GHSA-7vhj-pfwv-hx3w/GHSA-7vhj-pfwv-hx3w.json
+++ b/advisories/github-reviewed/2024/09/GHSA-7vhj-pfwv-hx3w/GHSA-7vhj-pfwv-hx3w.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-7vhj-pfwv-hx3w",
- "modified": "2024-09-12T17:38:48Z",
+ "modified": "2024-09-16T22:34:06Z",
"published": "2024-09-12T15:33:01Z",
"aliases": [
"CVE-2024-45852"
@@ -52,6 +52,10 @@
"type": "WEB",
"url": "https://github.com/mindsdb/mindsdb/blob/v24.9.2.1/mindsdb/integrations/handlers/byom_handler/proc_wrapper.py#L54-L55"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-82.yaml"
+ },
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
diff --git a/advisories/unreviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json b/advisories/github-reviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json
similarity index 50%
rename from advisories/unreviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json
rename to advisories/github-reviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json
index b647e62429f..6264d8fddf8 100644
--- a/advisories/unreviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json
+++ b/advisories/github-reviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json
@@ -1,26 +1,57 @@
{
"schema_version": "1.4.0",
"id": "GHSA-8cm9-rrgc-4pcj",
- "modified": "2024-09-12T15:33:01Z",
+ "modified": "2024-09-12T19:50:02Z",
"published": "2024-09-12T15:33:01Z",
"aliases": [
"CVE-2024-45857"
],
+ "summary": "Cleanlab Deserialization of Untrusted Data vulnerability",
"details": "Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user’s system when the data directory is loaded.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
-
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "cleanlab"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.0"
+ },
+ {
+ "last_affected": "2.6.6"
+ }
+ ]
+ }
+ ]
+ }
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45857"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/cleanlab/cleanlab"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cleanlab/cleanlab/blob/v2.6.6/cleanlab/datalab/internal/serialize.py#L102-L138"
+ },
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-cleanlab"
@@ -31,8 +62,8 @@
"CWE-502"
],
"severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-12T19:50:02Z",
"nvd_published_at": "2024-09-12T13:15:16Z"
}
}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json b/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json
index 49d4c618f5d..09c0097fe6a 100644
--- a/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json
+++ b/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9gq6-6936-885w",
- "modified": "2024-09-12T17:03:57Z",
+ "modified": "2024-09-16T22:32:50Z",
"published": "2024-09-12T15:33:00Z",
"aliases": [
"CVE-2024-45848"
@@ -52,6 +52,10 @@
"type": "PACKAGE",
"url": "https://github.com/mindsdb/mindsdb"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-78.yaml"
+ },
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
@@ -59,6 +63,7 @@
],
"database_specific": {
"cwe_ids": [
+ "CWE-94",
"CWE-95"
],
"severity": "HIGH",
diff --git a/advisories/github-reviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json b/advisories/github-reviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json
new file mode 100644
index 00000000000..dab93e9fab8
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9jmp-j63g-8x6m",
+ "modified": "2024-09-13T19:34:16Z",
+ "published": "2024-09-13T18:31:48Z",
+ "aliases": [
+ "CVE-2024-6867"
+ ],
+ "summary": "Lunary information disclosure vulnerability",
+ "details": "An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the `run_id` listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the `run_id` of a public or non-public run.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "lunary"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.10"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6867"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lunary-ai/lunary/commit/35afd4439464571eb016318cd7b6f85a162225ca"
+ },
+ {
+ "type": "WEB",
+ "url": "https://huntr.com/bounties/460df515-164c-4435-954b-0233a181545f"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1220"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:34:16Z",
+ "nvd_published_at": "2024-09-13T17:15:13Z"
+ }
+}
\ No newline at end of file
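Review bot: The references list has no `PACKAGE` entry, unlike the other lunary advisory in this batch (GHSA-6p2q-8qfq-wq7x), which carries `{"type": "PACKAGE", "url": "https://github.com/lunary-ai/lunary"}`; add the same entry here so the package-to-repository link is present. Details pins the vulnerable state to "commit a761d833" without naming a release, while the range says `"fixed": "1.4.10"`; a short clause in details tying the referenced fix commit to 1.4.10 would make the range verifiable.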
diff --git a/advisories/github-reviewed/2024/09/GHSA-9xcg-3q8v-7fq6/GHSA-9xcg-3q8v-7fq6.json b/advisories/github-reviewed/2024/09/GHSA-9xcg-3q8v-7fq6/GHSA-9xcg-3q8v-7fq6.json
index 1b9a88d34d9..bab723d27ff 100644
--- a/advisories/github-reviewed/2024/09/GHSA-9xcg-3q8v-7fq6/GHSA-9xcg-3q8v-7fq6.json
+++ b/advisories/github-reviewed/2024/09/GHSA-9xcg-3q8v-7fq6/GHSA-9xcg-3q8v-7fq6.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9xcg-3q8v-7fq6",
- "modified": "2024-09-06T19:52:45Z",
+ "modified": "2024-09-16T16:07:15Z",
"published": "2024-09-06T19:40:01Z",
"aliases": [
"CVE-2024-45040"
@@ -36,10 +36,26 @@
}
]
}
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 0.10.0"
- }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/consensys/gnark"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.11.0"
+ }
+ ]
+ }
+ ]
}
],
"references": [
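Review bot: The first affected entry loses its `database_specific.last_known_affected_version_range` (`"<= 0.10.0"`) while a second entry for `github.com/consensys/gnark` with `"fixed": "0.11.0"` is added, but the first entry's package block lies before the hunk, so it is not visible whether the two entries describe the same module. If they do, this should be one entry with the additional range rather than a duplicate package; if the first entry is a different module that still has no fix, removing its last-known-affected hint leaves it with neither a `fixed` event nor an upper bound. The enclosing `affected` array starts outside the hunk.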
@@ -62,6 +78,10 @@
{
"type": "PACKAGE",
"url": "https://github.com/Consensys/gnark"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2024-3123"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json b/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json
index 900f25ee716..4d91b88f320 100644
--- a/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json
+++ b/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-c85f-pcx6-2ghm",
- "modified": "2024-09-12T17:03:55Z",
+ "modified": "2024-09-16T22:33:01Z",
"published": "2024-09-12T15:33:00Z",
"aliases": [
"CVE-2024-45849"
@@ -52,6 +52,10 @@
"type": "PACKAGE",
"url": "https://github.com/mindsdb/mindsdb"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-79.yaml"
+ },
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
@@ -59,6 +63,7 @@
],
"database_specific": {
"cwe_ids": [
+ "CWE-94",
"CWE-95"
],
"severity": "HIGH",
diff --git a/advisories/github-reviewed/2024/09/GHSA-crmg-rp64-5cm3/GHSA-crmg-rp64-5cm3.json b/advisories/github-reviewed/2024/09/GHSA-crmg-rp64-5cm3/GHSA-crmg-rp64-5cm3.json
index eb7a7d8d96d..65fa1ce031d 100644
--- a/advisories/github-reviewed/2024/09/GHSA-crmg-rp64-5cm3/GHSA-crmg-rp64-5cm3.json
+++ b/advisories/github-reviewed/2024/09/GHSA-crmg-rp64-5cm3/GHSA-crmg-rp64-5cm3.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-crmg-rp64-5cm3",
- "modified": "2024-09-12T17:03:59Z",
+ "modified": "2024-09-16T21:11:56Z",
"published": "2024-09-12T15:33:00Z",
"aliases": [
"CVE-2024-45847"
@@ -59,6 +59,7 @@
],
"database_specific": {
"cwe_ids": [
+ "CWE-94",
"CWE-95"
],
"severity": "HIGH",
diff --git a/advisories/github-reviewed/2024/09/GHSA-cvp8-5r8g-fhvq/GHSA-cvp8-5r8g-fhvq.json b/advisories/github-reviewed/2024/09/GHSA-cvp8-5r8g-fhvq/GHSA-cvp8-5r8g-fhvq.json
index 61638954c61..3e907561b5f 100644
--- a/advisories/github-reviewed/2024/09/GHSA-cvp8-5r8g-fhvq/GHSA-cvp8-5r8g-fhvq.json
+++ b/advisories/github-reviewed/2024/09/GHSA-cvp8-5r8g-fhvq/GHSA-cvp8-5r8g-fhvq.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-cvp8-5r8g-fhvq",
- "modified": "2024-09-12T13:53:00Z",
+ "modified": "2024-09-16T15:29:12Z",
"published": "2024-09-11T21:08:26Z",
"aliases": [
@@ -59,6 +59,10 @@
{
"type": "PACKAGE",
"url": "https://github.com/omniauth/omniauth-saml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json b/advisories/github-reviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json
new file mode 100644
index 00000000000..1521e55453a
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json
@@ -0,0 +1,103 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cx7f-g6mp-7hqm",
+ "modified": "2024-09-13T19:32:23Z",
+ "published": "2024-09-13T06:30:42Z",
+ "aliases": [
+ "CVE-2024-38816"
+ ],
+ "summary": "Path traversal vulnerability in functional web frameworks",
+ "details": "Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.\n\nSpecifically, an application is vulnerable when both of the following are true:\n\n * the web application uses RouterFunctions to serve static resources\n * resource handling is explicitly configured with a FileSystemResource location\n\n\nHowever, malicious requests are blocked and rejected when any of the following is true:\n\n * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use\n * the application runs on Tomcat or Jetty",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.springframework:spring-webmvc"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "6.1.0"
+ },
+ {
+ "fixed": "6.1.13"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.springframework:spring-webmvc"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "6.0.0"
+ },
+ {
+ "fixed": "6.0.24"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.springframework:spring-webmvc"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "5.3.40"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38816"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/spring-projects/spring-framework/commit/d86bf8b2056429edf5494456cffcb2b243331c49"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/spring-projects/spring-framework"
+ },
+ {
+ "type": "WEB",
+ "url": "https://spring.io/security/cve-2024-38816"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:32:23Z",
+ "nvd_published_at": "2024-09-13T06:15:11Z"
+ }
+}
\ No newline at end of file
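Review bot: `affected` lists only `org.springframework:spring-webmvc`, while details states that applications using WebFlux.fn are vulnerable as well; if the fix commit also touches the reactive side, a parallel set of entries for `org.springframework:spring-webflux` with the same three ranges is missing, and otherwise details should say why WebFlux.fn users are out of scope. `cwe_ids` is also empty although details describes a classic path traversal; the other traversal advisory in this batch (GHSA-4p75-5p53-65m9) records `"CWE-22"`, which fits here too. This is the only new advisory in the visible batch without a CVSS_V4 vector, which may be intentional but is worth a check.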
diff --git a/advisories/github-reviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json b/advisories/github-reviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json
new file mode 100644
index 00000000000..3788f0b29b0
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fr9q-rgwq-g5r5",
+ "modified": "2024-09-17T15:40:26Z",
+ "published": "2024-09-12T15:33:01Z",
+ "aliases": [
+ "CVE-2024-45855"
+ ],
+ "summary": "MindsDB Deserialization of Untrusted Data vulnerability",
+ "details": "Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "mindsdb"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "23.10.2.0"
+ },
+ {
+ "last_affected": "24.9.2.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45855"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/mindsdb/mindsdb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/mindsdb/mindsdb/blob/v24.9.2.1/mindsdb/integrations/handlers/byom_handler/byom_handler.py#L433-L442"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-85.yaml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-12T19:49:57Z",
+ "nvd_published_at": "2024-09-12T13:15:15Z"
+ }
+}
\ No newline at end of file
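Review bot: The two severity entries disagree on attack complexity: the `CVSS_V3` score carries `AC:H`, while the `CVSS_V4` score two entries below carries `AC:L` with `AT:N`, so one of them misstates the preconditions for the finetune path described in `details`. A v3 `AC:H` normally maps to v4 `AT:P` rather than `AC:L`, so the v4 string looks like the one to re-derive. The range also closes with `"last_affected": "24.9.2.1"` instead of a `fixed` event, so consumers will see no remediated version; if a patched release exists, a `fixed` event should replace it.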
diff --git a/advisories/github-reviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json b/advisories/github-reviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json
new file mode 100644
index 00000000000..88a9262681d
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g26j-5385-hhw3",
+ "modified": "2024-09-13T19:29:08Z",
+ "published": "2024-09-13T18:31:47Z",
+ "aliases": [
+ "CVE-2024-6587"
+ ],
+ "summary": "LiteLLM Server-Side Request Forgery (SSRF) vulnerability",
+ "details": "A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "litellm"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.44.8"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6587"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/berriai/litellm/commit/ba1912afd1b19e38d3704bb156adf887f91ae1e0"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/berriai/litellm"
+ },
+ {
+ "type": "WEB",
+ "url": "https://huntr.com/bounties/4001e1a2-7b7a-4776-a3ae-e6692ec3d997"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:29:08Z",
+ "nvd_published_at": "2024-09-13T16:15:04Z"
+ }
+}
\ No newline at end of file
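Review bot: The range starts at `"introduced": "0"`, asserting every release before 1.44.8 is affected, while `details` only establishes version 1.38.10; if the `api_base` passthrough was added in a specific release, the introduced event should name it, otherwise a short note in `details` that all earlier versions are affected would make the range self-consistent. As a point of consistency, the v3 score is written as `CVSS:3.0` while the other advisories in this batch use `CVSS:3.1`.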
diff --git a/advisories/unreviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json b/advisories/github-reviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json
similarity index 53%
rename from advisories/unreviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json
rename to advisories/github-reviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json
index 79e0a0c6997..c40d549d643 100644
--- a/advisories/unreviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json
+++ b/advisories/github-reviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json
@@ -1,26 +1,57 @@
{
"schema_version": "1.4.0",
"id": "GHSA-g2m8-f3x2-qprw",
- "modified": "2024-09-12T15:33:00Z",
+ "modified": "2024-09-12T19:49:53Z",
"published": "2024-09-12T15:33:00Z",
"aliases": [
"CVE-2024-27320"
],
+ "summary": "Refuel Autolab Eval Injection vulnerability",
"details": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
-
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "refuel-autolabel"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.0.8"
+ },
+ {
+ "last_affected": "0.0.16"
+ }
+ ]
+ }
+ ]
+ }
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27320"
},
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/refuel-ai/autolabel"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/refuel-ai/autolabel/blob/v0.0.16/src/autolabel/dataset/validation.py#L57-L79"
+ },
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel"
@@ -31,8 +62,8 @@
"CWE-95"
],
"severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-12T19:49:53Z",
"nvd_published_at": "2024-09-12T13:15:11Z"
}
}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/09/GHSA-g5xx-c4hv-9ccc/GHSA-g5xx-c4hv-9ccc.json b/advisories/github-reviewed/2024/09/GHSA-g5xx-c4hv-9ccc/GHSA-g5xx-c4hv-9ccc.json
index 8a2ed0e3e4c..a99282287ef 100644
--- a/advisories/github-reviewed/2024/09/GHSA-g5xx-c4hv-9ccc/GHSA-g5xx-c4hv-9ccc.json
+++ b/advisories/github-reviewed/2024/09/GHSA-g5xx-c4hv-9ccc/GHSA-g5xx-c4hv-9ccc.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-g5xx-c4hv-9ccc",
- "modified": "2024-09-03T20:03:08Z",
+ "modified": "2024-09-16T16:13:43Z",
"published": "2024-09-03T20:03:08Z",
"aliases": [
@@ -75,6 +75,44 @@
]
}
]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/cometbft/cometbft"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.37.0"
+ },
+ {
+ "fixed": "0.37.11"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/cometbft/cometbft"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.38.0"
+ },
+ {
+ "fixed": "0.38.12"
+ }
+ ]
+ }
+ ]
}
],
"references": [
@@ -93,6 +131,10 @@
{
"type": "PACKAGE",
"url": "https://github.com/cometbft/cometbft"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2024-3112"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2024/09/GHSA-gprj-6m2f-j9hx/GHSA-gprj-6m2f-j9hx.json b/advisories/github-reviewed/2024/09/GHSA-gprj-6m2f-j9hx/GHSA-gprj-6m2f-j9hx.json
index 463b7aac3c4..05b9808278c 100644
--- a/advisories/github-reviewed/2024/09/GHSA-gprj-6m2f-j9hx/GHSA-gprj-6m2f-j9hx.json
+++ b/advisories/github-reviewed/2024/09/GHSA-gprj-6m2f-j9hx/GHSA-gprj-6m2f-j9hx.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-gprj-6m2f-j9hx",
- "modified": "2024-09-03T21:45:31Z",
+ "modified": "2024-09-12T21:38:09Z",
"published": "2024-09-03T19:33:36Z",
"aliases": [
"CVE-2024-45389"
@@ -12,6 +12,10 @@
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"
}
],
"affected": [
diff --git a/advisories/github-reviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json b/advisories/github-reviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json
new file mode 100644
index 00000000000..b43dd3581f9
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hv38-h5pj-c96j",
+ "modified": "2024-09-16T20:16:14Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-46942"
+ ],
+ "summary": "OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) allows follower controller to set up flow entries",
+ "details": "In OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) through 13.0.1, a controller with a follower role can configure flow entries in an OpenDaylight clustering deployment.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.opendaylight.mdsal:mdsal-artifacts"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "13.0.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46942"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.opendaylight.org/en/latest/release-notes/projects/mdsal.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://doi.org/10.48550/arXiv.2408.16940"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/opendaylight/mdsal"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lf-opendaylight.atlassian.net/browse/MDSAL-869"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-285"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:16:14Z",
+ "nvd_published_at": "2024-09-15T23:15:11Z"
+ }
+}
\ No newline at end of file
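Review bot: The range ends with `"last_affected": "13.0.1"` and no `fixed` event, so tooling consuming this advisory will report no remediation; if the linked release notes identify a fixed MD-SAL release, a `fixed` event should be added. The reference `https://docs.opendaylight.org/en/latest/release-notes/projects/mdsal.html` points at the `latest` path, which will drift as releases ship, so a version-pinned URL would keep the reference reproducible.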
diff --git a/advisories/github-reviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json b/advisories/github-reviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json
new file mode 100644
index 00000000000..ac233663a1f
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jpxc-vmjf-9fcj",
+ "modified": "2024-09-16T22:55:00Z",
+ "published": "2024-09-16T14:37:26Z",
+ "aliases": [
+ "CVE-2024-8775"
+ ],
+ "summary": "Ansible vulnerable to Insertion of Sensitive Information into Log File",
+ "details": "A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "ansible-core"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "2.17.4"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8775"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-8775"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312119"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/ansible/ansible"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-532"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T22:49:05Z",
+ "nvd_published_at": "2024-09-14T03:15:08Z"
+ }
+}
\ No newline at end of file
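Review bot: The `CVSS_V3` score has `AV:L` while the `CVSS_V4` score has `AV:N`, so the two vectors disagree on whether the exposure is reachable over the network; `details` describes secrets landing in playbook output or logs, which reads as local access to the log, so the v4 string is the one to re-check. The range also runs from `"introduced": "0"` to `"last_affected": "2.17.4"` with no `fixed` event, which signals no remediation even though `details` names the mitigation (`no_log: true`).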
diff --git a/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json b/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json
index d526586036c..e10dad76a9f 100644
--- a/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json
+++ b/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-jw9c-mfg7-9rx2",
- "modified": "2024-09-11T21:03:15Z",
+ "modified": "2024-09-16T15:29:25Z",
"published": "2024-09-10T19:42:03Z",
"aliases": [
"CVE-2024-45409"
@@ -79,9 +79,25 @@
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd"
+ },
{
"type": "PACKAGE",
"url": "https://github.com/SAML-Toolkits/ruby-saml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/CVE-2024-45409.yml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2024-45409.yml"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json b/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json
new file mode 100644
index 00000000000..e1ea0ab87c4
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json
@@ -0,0 +1,93 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mmhx-hmjr-r674",
+ "modified": "2024-09-16T22:37:33Z",
+ "published": "2024-09-16T20:34:26Z",
+ "aliases": [
+ "CVE-2024-45801"
+ ],
+ "summary": "DOMPurify allows tampering by prototype pollution",
+ "details": "It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.\n\nThis renders dompurify unable to avoid XSS attack.\n\nFixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "dompurify"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.5.4"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "dompurify"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "3.0.0"
+ },
+ {
+ "fixed": "3.1.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45801"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/cure53/DOMPurify"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1321",
+ "CWE-1333"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:34:26Z",
+ "nvd_published_at": "2024-09-16T19:16:11Z"
+ }
+}
\ No newline at end of file
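Review bot: The `cwe_ids` list carries `CWE-1333` (inefficient regular expression complexity), but nothing in `details` describes a regular-expression or performance issue; the text describes a depth-check bypass via nesting and prototype pollution that leads to XSS, so `CWE-1321` fits and `CWE-79` is the missing weakness. Consider replacing `CWE-1333` with `CWE-79`, or explaining in `details` why ReDoS applies. The `summary` also frames the issue as "tampering", whereas `details` says the outcome is XSS; aligning the summary with the described impact would help triage.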
diff --git a/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json b/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json
new file mode 100644
index 00000000000..9eda576d6e6
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mwhf-vhr5-7j23",
+ "modified": "2024-09-12T21:39:35Z",
+ "published": "2024-09-12T21:29:17Z",
+ "aliases": [
+ "CVE-2024-45607"
+ ],
+ "summary": "whatsapp-api-js fails to validate message's signature",
+ "details": "### Impact\nIncorrect Access Control, anyone using the post or verifyRequestSignature methods to handle messages is impacted.\n\n### Patches\nPatched in version 4.0.3.\n\n### Workarounds\nIt's possible to check the payload validation using the WhatsAppAPI.verifyRequestSignature and expect false when the signature is valid.\n\n```ts\nfunction doPost(payload, header_signature) {\n if (whatsapp.verifyRequestSignature(payload.toString(), header_signature) {\n throw 403;\n }\n \n // Now the payload is correctly verified\n whatsapp.post(payload);\n}\n```\n\n### References\nhttps://github.com/Secreto31126/whatsapp-api-js/pull/371\n\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "whatsapp-api-js"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "fixed": "4.0.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/Secreto31126/whatsapp-api-js/security/advisories/GHSA-mwhf-vhr5-7j23"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45607"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Secreto31126/whatsapp-api-js/pull/371"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Secreto31126/whatsapp-api-js/commit/56620c65126427496a94d176082fbd8393a95b6d"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/Secreto31126/whatsapp-api-js"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-347"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-12T21:29:17Z",
+ "nvd_published_at": "2024-09-12T20:15:05Z"
+ }
+}
\ No newline at end of file
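Review bot: The workaround snippet embedded in `details` is not syntactically valid: the `if` line is missing a closing parenthesis and should read `if (whatsapp.verifyRequestSignature(payload.toString(), header_signature)) {`. Since readers are expected to copy this workaround, the broken line is worth fixing in the advisory text. Separately, the `CVSS_V3` score has `UI:N` while the `CVSS_V4` score has `UI:P`, so the two vectors disagree on whether user interaction is required.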
diff --git a/advisories/github-reviewed/2024/09/GHSA-pv7h-hg6m-82j8/GHSA-pv7h-hg6m-82j8.json b/advisories/github-reviewed/2024/09/GHSA-pv7h-hg6m-82j8/GHSA-pv7h-hg6m-82j8.json
index 0aad1ceaa10..b67e6540ba0 100644
--- a/advisories/github-reviewed/2024/09/GHSA-pv7h-hg6m-82j8/GHSA-pv7h-hg6m-82j8.json
+++ b/advisories/github-reviewed/2024/09/GHSA-pv7h-hg6m-82j8/GHSA-pv7h-hg6m-82j8.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-pv7h-hg6m-82j8",
- "modified": "2024-09-09T18:17:47Z",
+ "modified": "2024-09-16T16:15:43Z",
"published": "2024-09-08T09:30:27Z",
"aliases": [
"CVE-2024-8572"
@@ -64,6 +64,10 @@
"type": "WEB",
"url": "https://github.com/gouniverse/cms/releases/tag/v1.4.1"
},
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2024-3125"
+ },
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.276802"
diff --git a/advisories/github-reviewed/2024/09/GHSA-q9r8-89xr-4xv4/GHSA-q9r8-89xr-4xv4.json b/advisories/github-reviewed/2024/09/GHSA-q9r8-89xr-4xv4/GHSA-q9r8-89xr-4xv4.json
index 065691ac773..179b734e78d 100644
--- a/advisories/github-reviewed/2024/09/GHSA-q9r8-89xr-4xv4/GHSA-q9r8-89xr-4xv4.json
+++ b/advisories/github-reviewed/2024/09/GHSA-q9r8-89xr-4xv4/GHSA-q9r8-89xr-4xv4.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-q9r8-89xr-4xv4",
- "modified": "2024-09-12T17:38:46Z",
+ "modified": "2024-09-16T22:34:35Z",
"published": "2024-09-12T15:33:01Z",
"aliases": [
"CVE-2024-45853"
@@ -52,6 +52,10 @@
"type": "WEB",
"url": "https://github.com/mindsdb/mindsdb/blob/v24.9.2.1/mindsdb/integrations/handlers/byom_handler/byom_handler.py#L424-L431"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-83.yaml"
+ },
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
diff --git a/advisories/github-reviewed/2024/09/GHSA-qwgc-rr35-h4x9/GHSA-qwgc-rr35-h4x9.json b/advisories/github-reviewed/2024/09/GHSA-qwgc-rr35-h4x9/GHSA-qwgc-rr35-h4x9.json
index 6b9ae86e297..509f5bce84d 100644
--- a/advisories/github-reviewed/2024/09/GHSA-qwgc-rr35-h4x9/GHSA-qwgc-rr35-h4x9.json
+++ b/advisories/github-reviewed/2024/09/GHSA-qwgc-rr35-h4x9/GHSA-qwgc-rr35-h4x9.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-qwgc-rr35-h4x9",
- "modified": "2024-09-09T18:16:22Z",
+ "modified": "2024-09-16T16:10:29Z",
"published": "2024-09-09T18:16:22Z",
"aliases": [
"CVE-2024-45041"
@@ -67,6 +67,10 @@
{
"type": "WEB",
"url": "https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2024-3126"
}
],
"database_specific": {
diff --git a/advisories/github-reviewed/2024/09/GHSA-rx9f-5ggv-5rh6/GHSA-rx9f-5ggv-5rh6.json b/advisories/github-reviewed/2024/09/GHSA-rx9f-5ggv-5rh6/GHSA-rx9f-5ggv-5rh6.json
new file mode 100644
index 00000000000..d8625597afe
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-rx9f-5ggv-5rh6/GHSA-rx9f-5ggv-5rh6.json
@@ -0,0 +1,106 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rx9f-5ggv-5rh6",
+ "modified": "2024-09-16T22:36:58Z",
+ "published": "2024-09-16T17:17:20Z",
+ "aliases": [
+ "CVE-2024-32034"
+ ],
+ "summary": "Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log",
+ "details": "### Impact\nThe admin panel is subject to potential XSS attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. \n\n### Patches\n\nN/A\n\n### Workarounds\n\nRedirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. `/admin/organization/edit`)\n\n### References\n\nOWASP ASVS v4.0.3-5.1.3\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "RubyGems",
+ "name": "decidim-admin"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.27.7"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.27.6"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "RubyGems",
+ "name": "decidim-admin"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.28.0"
+ },
+ {
+ "fixed": "0.28.2"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.28.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32034"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/decidim/decidim"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T17:17:20Z",
+ "nvd_published_at": "2024-09-16T19:16:10Z"
+ }
+}
\ No newline at end of file
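Review bot: The `### Patches` section in `details` says `N/A`, but the `affected` entries carry `"fixed": "0.27.7"` and `"fixed": "0.28.2"` and four fix commits are listed in `references`, so the text contradicts the structured data; the Patches section should name those releases. `details` also twice says "XSS attach" where "XSS attack" is meant.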
diff --git a/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json b/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json
index 03a15966b58..d619f42e3a4 100644
--- a/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json
+++ b/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-v6g6-3cm3-vf6c",
- "modified": "2024-09-12T17:03:53Z",
+ "modified": "2024-09-16T22:33:15Z",
"published": "2024-09-12T15:33:00Z",
"aliases": [
"CVE-2024-45850"
@@ -52,6 +52,10 @@
"type": "PACKAGE",
"url": "https://github.com/mindsdb/mindsdb"
},
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-80.yaml"
+ },
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
@@ -59,6 +63,7 @@
],
"database_specific": {
"cwe_ids": [
+ "CWE-94",
"CWE-95"
],
"severity": "HIGH",
diff --git a/advisories/github-reviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json b/advisories/github-reviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json
new file mode 100644
index 00000000000..9fcf06f6c95
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-v6x6-4v4x-2fx9",
+ "modified": "2024-09-13T19:34:09Z",
+ "published": "2024-09-13T18:31:48Z",
+ "aliases": [
+ "CVE-2024-6862"
+ ],
+ "summary": "Lunary Cross-Site Request Forgery (CSRF) vulnerability",
+ "details": "A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "lunary"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.10"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6862"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/lunary-ai/lunary"
+ },
+ {
+ "type": "WEB",
+ "url": "https://huntr.com/bounties/0b1d851e-3455-480c-ad5a-23565894976f"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:34:09Z",
+ "nvd_published_at": "2024-09-13T17:15:13Z"
+ }
+}
\ No newline at end of file
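Review bot: The `CVSS_V3` score has `PR:N` while the `CVSS_V4` score has `PR:L`, so the two vectors disagree on whether the attacker needs an account; `details` says the attack lets an unauthenticated origin sign up and create projects, which matches `PR:N`. The v3 score is also written as `CVSS:3.0` while sibling advisories use `CVSS:3.1`. Given that `details` attributes the CSRF to CORS permitting all origins, `CWE-942` (permissive cross-domain policy) may be a more precise companion to `CWE-352`.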
diff --git a/advisories/github-reviewed/2024/09/GHSA-vm6r-j788-hjh5/GHSA-vm6r-j788-hjh5.json b/advisories/github-reviewed/2024/09/GHSA-vm6r-j788-hjh5/GHSA-vm6r-j788-hjh5.json
new file mode 100644
index 00000000000..ee0742367d1
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-vm6r-j788-hjh5/GHSA-vm6r-j788-hjh5.json
@@ -0,0 +1,115 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vm6r-j788-hjh5",
+ "modified": "2024-09-17T14:58:35Z",
+ "published": "2024-09-17T14:58:35Z",
+ "aliases": [
+ "CVE-2024-45398"
+ ],
+ "summary": "Contao affected by remote command execution through file upload",
+ "details": "### Impact\n\nBack end users with access to the file manager can upload malicious files and execute them on the server.\n\n### Patches\n\nUpdate to Contao 4.13.49, 5.3.15 or 5.4.3.\n\n### Workarounds\n\nConfigure your web server so it does not execute PHP files and other scripts in the Contao file upload directory.\n\n### References\n\nhttps://contao.org/en/security-advisories/remote-command-execution-through-file-uploads\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).\n\n### Credits\n\nThanks to Jakob Steeg from usd AG for reporting this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/core-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "fixed": "4.13.49"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/core-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "5.0.0"
+ },
+ {
+ "fixed": "5.3.15"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/core-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "5.4.0"
+ },
+ {
+ "fixed": "5.4.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/security/advisories/GHSA-vm6r-j788-hjh5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/commit/9445d509f12a7f1b68a4794dcc5e3e459b363ebb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/commit/a7e39f96ac8fdc281f7caaa96e01deb0e24ac7d3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/commit/f3db59ffe5a6c0e1f705b3230ebd5ff16865280e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/contao/contao"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-17T14:58:35Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
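Review bot: This advisory lists the alias `CVE-2024-45398` but, unlike the other new advisories in this diff, has no `ADVISORY`-type reference to the NVD entry; that is consistent with `"nvd_published_at": null`, but it leaves consumers with no canonical CVE link. When NVD publishes, an `{"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45398"}` reference and the `nvd_published_at` timestamp should be added together.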
diff --git a/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json b/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json
new file mode 100644
index 00000000000..c041fca9c90
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vvqw-fqwx-mqmm",
+ "modified": "2024-09-16T22:37:19Z",
+ "published": "2024-09-16T17:17:54Z",
+ "aliases": [
+ "CVE-2024-39910"
+ ],
+ "summary": " Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin panel with QuillJS WYSWYG editor",
+ "details": "### Impact\n\nThe WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server.\n\nThe attacker is able to change e.g. to