From 9f5a28790b450689723921648ef9ac902acf4c74 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 19:14:34 +0000 Subject: [PATCH 001/170] Publish GHSA-pvjv-386f-c8wh --- .../GHSA-pvjv-386f-c8wh.json | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2023/04/GHSA-pvjv-386f-c8wh/GHSA-pvjv-386f-c8wh.json b/advisories/github-reviewed/2023/04/GHSA-pvjv-386f-c8wh/GHSA-pvjv-386f-c8wh.json index 68e24e4c83b..21ea1abcd12 100644 --- a/advisories/github-reviewed/2023/04/GHSA-pvjv-386f-c8wh/GHSA-pvjv-386f-c8wh.json +++ b/advisories/github-reviewed/2023/04/GHSA-pvjv-386f-c8wh/GHSA-pvjv-386f-c8wh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pvjv-386f-c8wh", - "modified": "2023-04-28T19:56:41Z", + "modified": "2024-09-12T19:12:58Z", "published": "2023-04-17T09:30:24Z", "aliases": [ "CVE-2023-24831" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -33,6 +37,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "apache-iotdb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.13.0" + }, + { + "fixed": "0.13.5" + } + ] + } + ] } ], "references": [ @@ -44,6 +67,10 @@ "type": "PACKAGE", "url": "https://github.com/apache/iotdb" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2023-7.yaml" + }, { "type": "WEB", "url": "https://lists.apache.org/thread/3dgvzgstycf8b5hyf4z3n7cqdhcyln3l" From 8488f7b9c6ff66f72f30e081719be6a38461890d Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 19:16:44 +0000 Subject: [PATCH 002/170] Publish GHSA-c3c6-f2ww-xfr2 --- .../01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json b/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json index 0d0e921be03..cf9f8f030bc 100644 --- a/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json +++ b/advisories/github-reviewed/2024/01/GHSA-c3c6-f2ww-xfr2/GHSA-c3c6-f2ww-xfr2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-c3c6-f2ww-xfr2", - "modified": "2024-01-31T14:55:56Z", + "modified": "2024-09-12T19:15:10Z", "published": "2024-01-24T15:30:30Z", "aliases": [ "CVE-2023-50943" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -28,7 +32,7 @@ "introduced": "0" }, { - "fixed": "2.8.1" + "fixed": "2.8.1rc1" } ] } @@ -44,6 +48,10 @@ "type": "WEB", "url": "https://github.com/apache/airflow/pull/36255" }, + { + "type": "WEB", + "url": "https://github.com/apache/airflow/commit/2c4c5bc604e9ab0cc1e98f7bee7d31d566579462" + }, { "type": "PACKAGE", "url": "https://github.com/apache/airflow" From 1cfea6e52a79522771bb22cbcd002be334ca5739 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 19:18:52 +0000 Subject: [PATCH 003/170] Publish Advisories GHSA-65xw-pcqw-hjrh GHSA-vm5m-qmrx-fw8w --- .../GHSA-65xw-pcqw-hjrh.json | 18 +++++++++++++++--- .../GHSA-vm5m-qmrx-fw8w.json | 12 ++++++++++-- 2 files changed, 25 insertions(+), 5 deletions(-) 
diff --git a/advisories/github-reviewed/2022/02/GHSA-65xw-pcqw-hjrh/GHSA-65xw-pcqw-hjrh.json b/advisories/github-reviewed/2022/02/GHSA-65xw-pcqw-hjrh/GHSA-65xw-pcqw-hjrh.json index c69022efd78..1671438a4d2 100644 --- a/advisories/github-reviewed/2022/02/GHSA-65xw-pcqw-hjrh/GHSA-65xw-pcqw-hjrh.json +++ b/advisories/github-reviewed/2022/02/GHSA-65xw-pcqw-hjrh/GHSA-65xw-pcqw-hjrh.json @@ -1,17 +1,21 @@ { "schema_version": "1.4.0", "id": "GHSA-65xw-pcqw-hjrh", - "modified": "2024-03-06T22:40:01Z", + "modified": "2024-09-12T19:17:59Z", "published": "2022-02-26T00:00:45Z", "aliases": [ "CVE-2021-45229" ], - "summary": "Cross site scripting in apache airflow", + "summary": "Apache Airflow Cross-site Scripting Vulnerability", "details": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -28,7 +32,7 @@ "introduced": "0" }, { - "fixed": "2.2.4" + "fixed": "2.2.4rc1" } ] } @@ -44,10 +48,18 @@ "type": "WEB", "url": "https://github.com/apache/airflow/commit/628aa1f99c865d97d0b1c7c76e630e43a7b8d319" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-65xw-pcqw-hjrh" + }, { "type": "PACKAGE", "url": "https://github.com/apache/airflow" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-29.yaml" + }, { "type": "WEB", "url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk" diff --git a/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json b/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json index d3c0d8c483a..150cba40dbe 100644 
--- a/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json +++ b/advisories/github-reviewed/2024/01/GHSA-vm5m-qmrx-fw8w/GHSA-vm5m-qmrx-fw8w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vm5m-qmrx-fw8w", - "modified": "2024-01-31T14:55:51Z", + "modified": "2024-09-12T19:16:29Z", "published": "2024-01-24T15:30:30Z", "aliases": [ "CVE-2023-50944" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -28,7 +32,7 @@ "introduced": "0" }, { - "fixed": "2.8.1" + "fixed": "2.8.1rc1" } ] } @@ -44,6 +48,10 @@ "type": "WEB", "url": "https://github.com/apache/airflow/pull/36257" }, + { + "type": "WEB", + "url": "https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1" + }, { "type": "PACKAGE", "url": "https://github.com/apache/airflow" From f06b3768a108234b90f16ccf581cc469f53913c0 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 19:50:57 +0000 Subject: [PATCH 004/170] Publish Advisories GHSA-32fj-r8qw-r8w8 GHSA-4fgp-7vvm-m4jf GHSA-8cm9-rrgc-4pcj GHSA-fr9q-rgwq-g5r5 GHSA-g2m8-f3x2-qprw GHSA-fr9q-rgwq-g5r5 --- .../GHSA-32fj-r8qw-r8w8.json | 33 +++++++-- .../GHSA-4fgp-7vvm-m4jf.json | 39 +++++++++-- .../GHSA-8cm9-rrgc-4pcj.json | 39 +++++++++-- .../GHSA-fr9q-rgwq-g5r5.json | 69 +++++++++++++++++++ .../GHSA-g2m8-f3x2-qprw.json | 39 +++++++++-- .../GHSA-fr9q-rgwq-g5r5.json | 38 ---------- 6 files changed, 202 insertions(+), 55 deletions(-) rename advisories/{unreviewed => github-reviewed}/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json (58%) rename advisories/{unreviewed => github-reviewed}/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json (54%) rename advisories/{unreviewed => github-reviewed}/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json (50%) create mode 100644 advisories/github-reviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json rename advisories/{unreviewed => github-reviewed}/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json (53%) delete mode 100644 advisories/unreviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json diff --git a/advisories/unreviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json b/advisories/github-reviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json similarity index 58% rename from advisories/unreviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json rename to advisories/github-reviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json index b5baa7c83db..88019e616bf 100644 --- a/advisories/unreviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json +++ b/advisories/github-reviewed/2024/09/GHSA-32fj-r8qw-r8w8/GHSA-32fj-r8qw-r8w8.json 
@@ -1,20 +1,43 @@ { "schema_version": "1.4.0", "id": "GHSA-32fj-r8qw-r8w8", - "modified": "2024-09-12T15:33:01Z", + "modified": "2024-09-12T19:50:04Z", "published": "2024-09-12T15:33:01Z", "aliases": [ "CVE-2024-45856" ], + "summary": "MindsDB Cross-site Scripting vulnerability", "details": "A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" } ], "affected": [ - + { + "package": { + "ecosystem": "PyPI", + "name": "mindsdb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "24.9.2.1" + } + ] + } + ] + } ], "references": [ { @@ -30,9 +53,9 @@ "cwe_ids": [ "CWE-79" ], - "severity": "CRITICAL", - "github_reviewed": false, - "github_reviewed_at": null, + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-09-12T19:50:04Z", "nvd_published_at": "2024-09-12T13:15:15Z" } } \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json b/advisories/github-reviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json similarity index 54% rename from advisories/unreviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json rename to advisories/github-reviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json index 9003944e72b..b9756154c24 100644 --- a/advisories/unreviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json +++ b/advisories/github-reviewed/2024/09/GHSA-4fgp-7vvm-m4jf/GHSA-4fgp-7vvm-m4jf.json 
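Review bot: The new `affected` range for `mindsdb` ends with `"last_affected": "24.9.2.1"`, while `details` still says the XSS exists in all versions and no reference in this file points to a fix. A scanner reading `last_affected` treats every later release as unaffected, so the advisory stops matching as soon as a newer version ships, fixed or not. If no fixed release is known, consider leaving the range open with only `"introduced": "0"` (assuming the publishing tooling accepts an open range) until a `fixed` event can be recorded. The same `last_affected` pattern is added in this patch for GHSA-4fgp-7vvm-m4jf, GHSA-8cm9-rrgc-4pcj, GHSA-fr9q-rgwq-g5r5 and GHSA-g2m8-f3x2-qprw.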
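Review bot: `database_specific.severity` drops from CRITICAL to MODERATE in this hunk, but the `CVSS_V3` vector kept in the first hunk still carries `S:C/C:H/I:H/A:H`, which is what the old CRITICAL label matched. Consumers that rank by the v3 vector and consumers that read the label will now triage this advisory differently. The new label presumably follows the added `CVSS_V4` vector (`VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`). If that is the reviewed assessment, the v3 vector should be revised to agree with it; otherwise the label should stay consistent with v3.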
@@ -1,26 +1,57 @@ { "schema_version": "1.4.0", "id": "GHSA-4fgp-7vvm-m4jf", - "modified": "2024-09-12T15:33:00Z", + "modified": "2024-09-12T19:49:50Z", "published": "2024-09-12T15:33:00Z", "aliases": [ "CVE-2024-27321" ], + "summary": "Refuel Autolab Eval Injection vulnerability", "details": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ - + { + "package": { + "ecosystem": "PyPI", + "name": "refuel-autolabel" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.0.8" + }, + { + "last_affected": "0.0.16" + } + ] + } + ] + } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27321" }, + { + "type": "PACKAGE", + "url": "https://github.com/refuel-ai/autolabel" + }, + { + "type": "WEB", + "url": "https://github.com/refuel-ai/autolabel/blob/v0.0.16/src/autolabel/dataset/validation.py#L129-L146" + }, { "type": "WEB", "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel" @@ -31,8 +62,8 @@ "CWE-95" ], "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-09-12T19:49:50Z", "nvd_published_at": "2024-09-12T13:15:12Z" } } \ No newline at end of file 
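Review bot: The added `CVSS_V4` vector begins `AV:N/AC:L/AT:N/PR:L`, while the `CVSS_V3` vector directly above it is `AV:L/AC:L/PR:N`, and `details` describes a user loading a crafted CSV file with no mention of attacker privileges. Both vectors should describe the same attack path; as written, v4-based tooling sees a network-reachable issue that needs an account and v3-based tooling sees a local one that needs none. The same AV/PR divergence is added for GHSA-8cm9-rrgc-4pcj and GHSA-g2m8-f3x2-qprw, and GHSA-vcwx-8mqh-2557 gains a v4 `AV:N` against a v3 `AV:L`. Separately, the new `summary` says "Refuel Autolab" where the package name and `details` say Autolabel (also in GHSA-g2m8-f3x2-qprw); it should read `"summary": "Refuel Autolabel Eval Injection vulnerability"`.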
diff --git a/advisories/unreviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json b/advisories/github-reviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json similarity index 50% rename from advisories/unreviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json rename to advisories/github-reviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json index b647e62429f..6264d8fddf8 100644 --- a/advisories/unreviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json +++ b/advisories/github-reviewed/2024/09/GHSA-8cm9-rrgc-4pcj/GHSA-8cm9-rrgc-4pcj.json @@ -1,26 +1,57 @@ { "schema_version": "1.4.0", "id": "GHSA-8cm9-rrgc-4pcj", - "modified": "2024-09-12T15:33:01Z", + "modified": "2024-09-12T19:50:02Z", "published": "2024-09-12T15:33:01Z", "aliases": [ "CVE-2024-45857" ], + "summary": "Cleanlab Deserialization of Untrusted Data vulnerability", "details": "Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user’s system when the data directory is loaded.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ - + { + "package": { + "ecosystem": "PyPI", + "name": "cleanlab" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.4.0" + }, + { + "last_affected": "2.6.6" + } + ] + } + ] + } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45857" }, + { + "type": "PACKAGE", + "url": "https://github.com/cleanlab/cleanlab" + }, + { + "type": "WEB", + "url": "https://github.com/cleanlab/cleanlab/blob/v2.6.6/cleanlab/datalab/internal/serialize.py#L102-L138" + }, { "type": "WEB", "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-cleanlab" 
@@ -31,8 +62,8 @@ "CWE-502" ], "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-09-12T19:50:02Z", "nvd_published_at": "2024-09-12T13:15:16Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json b/advisories/github-reviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json new file mode 100644 index 00000000000..615d58528b5 --- /dev/null +++ b/advisories/github-reviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json 
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fr9q-rgwq-g5r5", + "modified": "2024-09-12T19:49:57Z", + "published": "2024-09-12T15:33:01Z", + "aliases": [ + "CVE-2024-45855" + ], + "summary": "MindsDB Deserialization of Untrusted Data vulnerability", + "details": "Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "mindsdb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "23.10.2.0" + }, + { + "last_affected": "24.9.2.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45855" + }, + { + "type": "PACKAGE", + "url": "https://github.com/mindsdb/mindsdb" + }, + { + "type": "WEB", + "url": "https://github.com/mindsdb/mindsdb/blob/v24.9.2.1/mindsdb/integrations/handlers/byom_handler/byom_handler.py#L433-L442" + }, + { + "type": "WEB", + "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-09-12T19:49:57Z", + "nvd_published_at": "2024-09-12T13:15:15Z" + } +} \ No newline at end of file 
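Review bot: The reviewed copy of this advisory pairs a `CVSS_V3` vector containing `AC:H` with a new `CVSS_V4` vector containing `AC:L`, so the two scores disagree on attack complexity for the same finetune-on-uploaded-model scenario in `details`. Whichever value the review settled on should appear in both vectors. Otherwise the v3 and v4 scores will rank this deserialization issue differently for no documented reason.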
diff --git a/advisories/unreviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json b/advisories/github-reviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json similarity index 53% rename from advisories/unreviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json rename to advisories/github-reviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json index 79e0a0c6997..c40d549d643 100644 --- a/advisories/unreviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json +++ b/advisories/github-reviewed/2024/09/GHSA-g2m8-f3x2-qprw/GHSA-g2m8-f3x2-qprw.json 
@@ -1,26 +1,57 @@ { "schema_version": "1.4.0", "id": "GHSA-g2m8-f3x2-qprw", - "modified": "2024-09-12T15:33:00Z", + "modified": "2024-09-12T19:49:53Z", "published": "2024-09-12T15:33:00Z", "aliases": [ "CVE-2024-27320" ], + "summary": "Refuel Autolab Eval Injection vulnerability", "details": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ - + { + "package": { + "ecosystem": "PyPI", + "name": "refuel-autolabel" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.0.8" + }, + { + "last_affected": "0.0.16" + } + ] + } + ] + } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27320" }, + { + "type": "PACKAGE", + "url": "https://github.com/refuel-ai/autolabel" + }, + { + "type": "WEB", + "url": "https://github.com/refuel-ai/autolabel/blob/v0.0.16/src/autolabel/dataset/validation.py#L57-L79" + }, { "type": "WEB", "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel" @@ -31,8 +62,8 @@ "CWE-95" ], "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-09-12T19:49:53Z", "nvd_published_at": "2024-09-12T13:15:11Z" } } \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json b/advisories/unreviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json deleted file mode 100644 index 8e10c7a2d35..00000000000 
--- a/advisories/unreviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-fr9q-rgwq-g5r5", - "modified": "2024-09-12T15:33:01Z", - "published": "2024-09-12T15:33:01Z", - "aliases": [ - "CVE-2024-45855" - ], - "details": "Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45855" - }, - { - "type": "WEB", - "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-502" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-09-12T13:15:15Z" - } -} \ No newline at end of file From 7ab15cd4aa1909aad36c4d9e63271d2b42b0a1d5 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:10:15 +0000 Subject: [PATCH 005/170] Publish GHSA-r7x6-xfcm-3mxv --- .../2023/11/GHSA-r7x6-xfcm-3mxv/GHSA-r7x6-xfcm-3mxv.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2023/11/GHSA-r7x6-xfcm-3mxv/GHSA-r7x6-xfcm-3mxv.json b/advisories/github-reviewed/2023/11/GHSA-r7x6-xfcm-3mxv/GHSA-r7x6-xfcm-3mxv.json index 9279205f27e..a9bf99dfe7f 100644 --- a/advisories/github-reviewed/2023/11/GHSA-r7x6-xfcm-3mxv/GHSA-r7x6-xfcm-3mxv.json +++ b/advisories/github-reviewed/2023/11/GHSA-r7x6-xfcm-3mxv/GHSA-r7x6-xfcm-3mxv.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-r7x6-xfcm-3mxv", - "modified": "2023-11-20T22:21:53Z", + "modified": "2024-09-12T20:08:48Z", "published": "2023-11-12T15:30:20Z", "aliases": [ "CVE-2023-42781" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From 92117fa7e4d3ae69343364065ed0b9433921bfc6 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:12:17 +0000 Subject: [PATCH 006/170] Publish GHSA-fh37-cx83-q542 --- .../GHSA-fh37-cx83-q542.json | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2021/06/GHSA-fh37-cx83-q542/GHSA-fh37-cx83-q542.json b/advisories/github-reviewed/2021/06/GHSA-fh37-cx83-q542/GHSA-fh37-cx83-q542.json index 4bc15960f9f..bad792beda5 100644 --- a/advisories/github-reviewed/2021/06/GHSA-fh37-cx83-q542/GHSA-fh37-cx83-q542.json +++ b/advisories/github-reviewed/2021/06/GHSA-fh37-cx83-q542/GHSA-fh37-cx83-q542.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fh37-cx83-q542", - "modified": "2024-03-25T15:52:20Z", + "modified": "2024-09-12T20:10:22Z", "published": "2021-06-18T18:30:11Z", "aliases": [ "CVE-2021-26697" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -28,7 +32,7 @@ "introduced": "2.0.0" }, { - "fixed": "2.0.1" + "fixed": "2.0.1rc1" } ] } 
@@ -55,6 +59,18 @@ "type": "WEB", "url": "https://github.com/apache/airflow/commit/93957e917ff4cfb0be11aef088bd9527cf728a04" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-fh37-cx83-q542" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/airflow" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-3.yaml" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E" From d3e0e6f2afc3c8ae25f5fa820404c9545d6a25a1 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:14:20 +0000 Subject: [PATCH 007/170] Publish GHSA-9gqg-3fxr-9hv7 --- .../GHSA-9gqg-3fxr-9hv7/GHSA-9gqg-3fxr-9hv7.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2019/01/GHSA-9gqg-3fxr-9hv7/GHSA-9gqg-3fxr-9hv7.json b/advisories/github-reviewed/2019/01/GHSA-9gqg-3fxr-9hv7/GHSA-9gqg-3fxr-9hv7.json index 3739976bee1..6384c9b26b9 100644 --- a/advisories/github-reviewed/2019/01/GHSA-9gqg-3fxr-9hv7/GHSA-9gqg-3fxr-9hv7.json +++ b/advisories/github-reviewed/2019/01/GHSA-9gqg-3fxr-9hv7/GHSA-9gqg-3fxr-9hv7.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9gqg-3fxr-9hv7", - "modified": "2023-08-30T23:28:15Z", + "modified": "2024-09-12T20:12:09Z", "published": "2019-01-25T16:19:09Z", "aliases": [ "CVE-2017-17836" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ 
@@ -47,6 +51,14 @@ "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-9gqg-3fxr-9hv7" }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/airflow" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2019-149.yaml" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ade4d54ebf614f68dc81a08891755e60ea58ba88e0209233eeea5f57@%3Cdev.airflow.apache.org%3E" From f90cc2b8dd4c4f8d8f3286153edd91a25044e22c Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:18:48 +0000 Subject: [PATCH 008/170] Publish GHSA-qhh5-9738-g9mx --- .../02/GHSA-qhh5-9738-g9mx/GHSA-qhh5-9738-g9mx.json | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2022/02/GHSA-qhh5-9738-g9mx/GHSA-qhh5-9738-g9mx.json b/advisories/github-reviewed/2022/02/GHSA-qhh5-9738-g9mx/GHSA-qhh5-9738-g9mx.json index 59204b52b01..979838ee78e 100644 --- a/advisories/github-reviewed/2022/02/GHSA-qhh5-9738-g9mx/GHSA-qhh5-9738-g9mx.json +++ b/advisories/github-reviewed/2022/02/GHSA-qhh5-9738-g9mx/GHSA-qhh5-9738-g9mx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-qhh5-9738-g9mx", - "modified": "2023-11-07T22:11:35Z", + "modified": "2024-09-12T20:17:17Z", "published": "2022-02-09T22:26:32Z", "aliases": [ "CVE-2020-13922" @@ -12,13 +12,17 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "Maven", - "name": "org.apache.dolphinscheduler:dolphinscheduler" + "name": "org.apache.dolphinscheduler:dolphinscheduler-api" }, "ranges": [ { 
@@ -52,6 +56,10 @@ "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2021-876.yaml" }, + { + "type": "WEB", + "url": "https://www.mail-archive.com/announce%40apache.org/msg06076.html" + }, { "type": "WEB", "url": "https://www.mail-archive.com/announce@apache.org/msg06076.html" From aad4b6d8b0b4382ad575ccd79ab7d67a036e0cd6 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:20:58 +0000 Subject: [PATCH 009/170] Publish Advisories GHSA-ffw3-6mp6-jmvj GHSA-hm9r-7f84-25c9 --- .../GHSA-ffw3-6mp6-jmvj/GHSA-ffw3-6mp6-jmvj.json | 16 ++++++++++++++-- .../GHSA-hm9r-7f84-25c9/GHSA-hm9r-7f84-25c9.json | 6 +++++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2021/04/GHSA-ffw3-6mp6-jmvj/GHSA-ffw3-6mp6-jmvj.json b/advisories/github-reviewed/2021/04/GHSA-ffw3-6mp6-jmvj/GHSA-ffw3-6mp6-jmvj.json index 29b914ceff8..a05d0856d8d 100644 --- a/advisories/github-reviewed/2021/04/GHSA-ffw3-6mp6-jmvj/GHSA-ffw3-6mp6-jmvj.json +++ b/advisories/github-reviewed/2021/04/GHSA-ffw3-6mp6-jmvj/GHSA-ffw3-6mp6-jmvj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-ffw3-6mp6-jmvj", - "modified": "2024-03-06T22:33:58Z", + "modified": "2024-09-12T20:19:16Z", "published": "2021-04-07T21:05:57Z", "aliases": [ "CVE-2021-26559" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -28,7 +32,7 @@ "introduced": "2.0.0" }, { - "fixed": "2.0.1" + "fixed": "2.0.1rc1" } ] } 
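Review bot: The added reference `https://www.mail-archive.com/announce%40apache.org/msg06076.html` is the percent-encoded form of the `announce@apache.org` URL on the context line just below it, so the advisory now lists the same announcement twice. Consumers that de-duplicate references by exact string will keep both entries. Dropping the new entry, or normalising `%40` and `@` to one form before publishing, would leave a single reference.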
@@ -51,6 +55,10 @@ "type": "WEB", "url": "https://github.com/apache/airflow/commit/5e35926c7eda0dfa11a9623e4bf5f60c2bd6b3f6" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-ffw3-6mp6-jmvj" + }, { "type": "PACKAGE", "url": "https://github.com/apache/airflow" @@ -59,6 +67,10 @@ "type": "WEB", "url": "https://github.com/apache/airflow/blob/486b76438c0679682cf98cb88ed39c4b161cbcc8/CHANGELOG.txt" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2021-2.yaml" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E" diff --git a/advisories/github-reviewed/2023/11/GHSA-hm9r-7f84-25c9/GHSA-hm9r-7f84-25c9.json b/advisories/github-reviewed/2023/11/GHSA-hm9r-7f84-25c9/GHSA-hm9r-7f84-25c9.json index 5c6e47d8712..387233ca9e2 100644 --- a/advisories/github-reviewed/2023/11/GHSA-hm9r-7f84-25c9/GHSA-hm9r-7f84-25c9.json +++ b/advisories/github-reviewed/2023/11/GHSA-hm9r-7f84-25c9/GHSA-hm9r-7f84-25c9.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hm9r-7f84-25c9", - "modified": "2024-03-06T23:48:49Z", + "modified": "2024-09-12T20:19:58Z", "published": "2023-11-12T15:30:20Z", "aliases": [ "CVE-2023-47037" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From 57bbebe233f5fb6e2502ef85179e738663287477 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:29:54 +0000 Subject: [PATCH 010/170] Publish GHSA-g6hg-4v3c-6jq7 --- .../GHSA-g6hg-4v3c-6jq7.json | 50 +++++++++++++++++-- 1 file changed, 46 insertions(+), 4 deletions(-) 
diff --git a/advisories/github-reviewed/2022/10/GHSA-g6hg-4v3c-6jq7/GHSA-g6hg-4v3c-6jq7.json b/advisories/github-reviewed/2022/10/GHSA-g6hg-4v3c-6jq7/GHSA-g6hg-4v3c-6jq7.json index 15fd5e49d13..e04ae8ea2ed 100644 --- a/advisories/github-reviewed/2022/10/GHSA-g6hg-4v3c-6jq7/GHSA-g6hg-4v3c-6jq7.json +++ b/advisories/github-reviewed/2022/10/GHSA-g6hg-4v3c-6jq7/GHSA-g6hg-4v3c-6jq7.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g6hg-4v3c-6jq7", - "modified": "2022-10-31T15:43:23Z", + "modified": "2024-09-12T20:28:44Z", "published": "2022-10-26T19:00:39Z", "aliases": [ "CVE-2022-43766" @@ -12,13 +12,17 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "Maven", - "name": "org.apache.iotdb:iotdb-parent" + "name": "org.apache.iotdb:flink-tsfile-connector" }, "ranges": [ { @@ -44,10 +48,48 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0.13.0" + "introduced": "0.12.2" }, { - "fixed": "0.14.0rc1" + "fixed": "0.13.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.iotdb:iotdb-server" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.12.2" + }, + { + "fixed": "0.13.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.iotdb:tsfile" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.12.2" + }, + { + "fixed": "0.13.3" } ] } From f2840b2bdbd093711677633e0cd2482fdc98e646 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:32:10 +0000 Subject: [PATCH 011/170] Publish Advisories GHSA-w6j4-3gh2-9f5j GHSA-3h4m-m55v-gx4m --- .../04/GHSA-w6j4-3gh2-9f5j/GHSA-w6j4-3gh2-9f5j.json | 10 +++++++++- .../07/GHSA-3h4m-m55v-gx4m/GHSA-3h4m-m55v-gx4m.json | 6 +++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2019/04/GHSA-w6j4-3gh2-9f5j/GHSA-w6j4-3gh2-9f5j.json b/advisories/github-reviewed/2019/04/GHSA-w6j4-3gh2-9f5j/GHSA-w6j4-3gh2-9f5j.json index cae48e7b149..89a4b03ec56 100644 --- a/advisories/github-reviewed/2019/04/GHSA-w6j4-3gh2-9f5j/GHSA-w6j4-3gh2-9f5j.json +++ b/advisories/github-reviewed/2019/04/GHSA-w6j4-3gh2-9f5j/GHSA-w6j4-3gh2-9f5j.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w6j4-3gh2-9f5j", - "modified": "2023-08-30T23:11:45Z", + "modified": "2024-09-12T20:30:52Z", "published": "2019-04-18T14:27:40Z", "aliases": [ "CVE-2019-0229" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -48,6 +52,10 @@ "type": "PACKAGE", "url": "https://github.com/apache/airflow" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2019-215.yaml" + }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2de387213d45bc626d27554a1bde7b8c67d08720901f82a50b6f4231@%3Cdev.airflow.apache.org%3E" diff --git a/advisories/github-reviewed/2023/07/GHSA-3h4m-m55v-gx4m/GHSA-3h4m-m55v-gx4m.json b/advisories/github-reviewed/2023/07/GHSA-3h4m-m55v-gx4m/GHSA-3h4m-m55v-gx4m.json index c5595362cd9..5a4e01fcdfa 100644 --- a/advisories/github-reviewed/2023/07/GHSA-3h4m-m55v-gx4m/GHSA-3h4m-m55v-gx4m.json +++ b/advisories/github-reviewed/2023/07/GHSA-3h4m-m55v-gx4m/GHSA-3h4m-m55v-gx4m.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3h4m-m55v-gx4m", - "modified": "2023-07-21T18:22:19Z", + "modified": "2024-09-12T20:31:36Z", "published": "2023-07-12T12:31:36Z", "aliases": [ "CVE-2023-36543" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ From 71927f276640d07e0f8cca7471ba9ea747350088 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:34:06 +0000 Subject: [PATCH 012/170] Publish Advisories GHSA-vcwx-8mqh-2557 GHSA-5946-8p38-vffp GHSA-ggwr-4vr8-g7wv --- .../05/GHSA-vcwx-8mqh-2557/GHSA-vcwx-8mqh-2557.json | 10 +++++++++- .../07/GHSA-5946-8p38-vffp/GHSA-5946-8p38-vffp.json | 6 +++++- .../07/GHSA-ggwr-4vr8-g7wv/GHSA-ggwr-4vr8-g7wv.json | 6 +++++- 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-vcwx-8mqh-2557/GHSA-vcwx-8mqh-2557.json b/advisories/github-reviewed/2022/05/GHSA-vcwx-8mqh-2557/GHSA-vcwx-8mqh-2557.json index c69c56acb69..b862255aee9 100644 --- a/advisories/github-reviewed/2022/05/GHSA-vcwx-8mqh-2557/GHSA-vcwx-8mqh-2557.json +++ b/advisories/github-reviewed/2022/05/GHSA-vcwx-8mqh-2557/GHSA-vcwx-8mqh-2557.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vcwx-8mqh-2557", - "modified": "2023-08-04T21:52:41Z", + "modified": "2024-09-12T20:33:30Z", "published": "2022-05-17T00:14:14Z", "aliases": [ "CVE-2017-17054" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ 
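Review bot: The `CVSS_V4` vector added for GHSA-vcwx-8mqh-2557 sets `AV:N`, while the `CVSS_V3` vector kept just above it in the same `severity` array is `AV:L`, so the two entries disagree on whether the issue is reachable over the network. Consumers that prioritise on the v4 vector will treat a local issue as remotely reachable. If the v3 assessment still holds, the v4 entry should read `CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`. The same mismatch appears in the severity hunks for GHSA-743r-5g92-5vgf, GHSA-j3f7-7rmc-6wqj and GHSA-c4rh-4376-gff4 (`AV:A` in v3 against `AV:N` in v4) and for GHSA-h4m5-qpfp-3mpv (`AV:L` against `AV:N`).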
@@ -55,6 +59,10 @@ { "type": "PACKAGE", "url": "https://github.com/aubio/aubio" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aubio/PYSEC-2017-75.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2023/07/GHSA-5946-8p38-vffp/GHSA-5946-8p38-vffp.json b/advisories/github-reviewed/2023/07/GHSA-5946-8p38-vffp/GHSA-5946-8p38-vffp.json index 7c345d4e1af..e74fe1b7420 100644 --- a/advisories/github-reviewed/2023/07/GHSA-5946-8p38-vffp/GHSA-5946-8p38-vffp.json +++ b/advisories/github-reviewed/2023/07/GHSA-5946-8p38-vffp/GHSA-5946-8p38-vffp.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5946-8p38-vffp", - "modified": "2023-07-21T18:18:27Z", + "modified": "2024-09-12T20:32:10Z", "published": "2023-07-12T12:31:36Z", "aliases": [ "CVE-2023-22888" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ diff --git a/advisories/github-reviewed/2023/07/GHSA-ggwr-4vr8-g7wv/GHSA-ggwr-4vr8-g7wv.json b/advisories/github-reviewed/2023/07/GHSA-ggwr-4vr8-g7wv/GHSA-ggwr-4vr8-g7wv.json index 111898572d6..7ea37d983f0 100644 --- a/advisories/github-reviewed/2023/07/GHSA-ggwr-4vr8-g7wv/GHSA-ggwr-4vr8-g7wv.json +++ b/advisories/github-reviewed/2023/07/GHSA-ggwr-4vr8-g7wv/GHSA-ggwr-4vr8-g7wv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-ggwr-4vr8-g7wv", - "modified": "2024-03-06T23:24:01Z", + "modified": "2024-09-12T20:32:41Z", "published": "2023-07-12T12:31:36Z", "aliases": [ "CVE-2023-22887" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From 297f253bf1b133bc148d424a44405740189ece13 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:37:15 +0000 Subject: [PATCH 013/170] Publish Advisories GHSA-28mg-98xm-q493 GHSA-42q4-9xf9-f67x --- .../03/GHSA-28mg-98xm-q493/GHSA-28mg-98xm-q493.json | 10 +++++++++- .../05/GHSA-42q4-9xf9-f67x/GHSA-42q4-9xf9-f67x.json | 6 +++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2022/03/GHSA-28mg-98xm-q493/GHSA-28mg-98xm-q493.json b/advisories/github-reviewed/2022/03/GHSA-28mg-98xm-q493/GHSA-28mg-98xm-q493.json index 4cbb2984414..0a50f92c9c7 100644 --- a/advisories/github-reviewed/2022/03/GHSA-28mg-98xm-q493/GHSA-28mg-98xm-q493.json +++ b/advisories/github-reviewed/2022/03/GHSA-28mg-98xm-q493/GHSA-28mg-98xm-q493.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-28mg-98xm-q493", - "modified": "2022-03-18T21:19:29Z", + "modified": "2024-09-12T20:36:10Z", "published": "2022-03-08T00:00:32Z", "aliases": [ "CVE-2022-0697" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -44,6 +48,10 @@ "type": "WEB", "url": "https://github.com/archivy/archivy/commit/2d8cb29853190d42572b36deb61127e68d6be574" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-28mg-98xm-q493" + }, { "type": "PACKAGE", "url": "https://github.com/archivy/archivy" diff --git a/advisories/github-reviewed/2022/05/GHSA-42q4-9xf9-f67x/GHSA-42q4-9xf9-f67x.json b/advisories/github-reviewed/2022/05/GHSA-42q4-9xf9-f67x/GHSA-42q4-9xf9-f67x.json index ce0cacf40ae..34d36191b24 100644 --- a/advisories/github-reviewed/2022/05/GHSA-42q4-9xf9-f67x/GHSA-42q4-9xf9-f67x.json +++ b/advisories/github-reviewed/2022/05/GHSA-42q4-9xf9-f67x/GHSA-42q4-9xf9-f67x.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-42q4-9xf9-f67x", - "modified": "2022-08-11T18:25:38Z", + "modified": "2024-09-12T20:36:58Z", "published": "2022-05-24T19:20:31Z", "aliases": [ "CVE-2021-41972" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From 914f6a2cd2ea787fe0cc7e60479171958f58a79f Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:39:24 +0000 Subject: [PATCH 014/170] Publish GHSA-5fp8-c45m-256p --- .../2022/05/GHSA-5fp8-c45m-256p/GHSA-5fp8-c45m-256p.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-5fp8-c45m-256p/GHSA-5fp8-c45m-256p.json b/advisories/github-reviewed/2022/05/GHSA-5fp8-c45m-256p/GHSA-5fp8-c45m-256p.json index 4f8b3d32f4d..fb900ab2d45 100644 --- a/advisories/github-reviewed/2022/05/GHSA-5fp8-c45m-256p/GHSA-5fp8-c45m-256p.json +++ b/advisories/github-reviewed/2022/05/GHSA-5fp8-c45m-256p/GHSA-5fp8-c45m-256p.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5fp8-c45m-256p", - "modified": "2022-06-21T20:08:57Z", + "modified": "2024-09-12T20:37:55Z", "published": "2022-05-24T19:20:42Z", "aliases": [ "CVE-2021-42250" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From 3262aa6581182d307401a498899cc24cd2ccd810 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:48:28 +0000 Subject: [PATCH 015/170] Publish GHSA-69fv-gw6g-8ccg --- .../08/GHSA-69fv-gw6g-8ccg/GHSA-69fv-gw6g-8ccg.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2021/08/GHSA-69fv-gw6g-8ccg/GHSA-69fv-gw6g-8ccg.json b/advisories/github-reviewed/2021/08/GHSA-69fv-gw6g-8ccg/GHSA-69fv-gw6g-8ccg.json index d20003b795b..b5b4f14af57 100644 --- a/advisories/github-reviewed/2021/08/GHSA-69fv-gw6g-8ccg/GHSA-69fv-gw6g-8ccg.json +++ b/advisories/github-reviewed/2021/08/GHSA-69fv-gw6g-8ccg/GHSA-69fv-gw6g-8ccg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-69fv-gw6g-8ccg", - "modified": "2023-06-13T16:50:04Z", + "modified": "2024-09-12T20:47:21Z", "published": "2021-08-25T20:43:26Z", "aliases": [ "CVE-2018-20998" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -63,6 +67,10 @@ "type": "WEB", "url": "https://github.com/arrayfire/arrayfire-rust/pull/177" }, + { + "type": "WEB", + "url": "https://github.com/arrayfire/arrayfire-rust/commit/a5256f3e5e23b83eaad69699e0b04653aba04fb8" + }, { "type": "PACKAGE", "url": "https://github.com/arrayfire/arrayfire-rust" From 6639165015dc34b59f520fb92107ac6e0113bbaa Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:50:02 +0000 Subject: [PATCH 016/170] Publish Advisories GHSA-m6xf-fq7q-8743 GHSA-743r-5g92-5vgf --- .../GHSA-m6xf-fq7q-8743/GHSA-m6xf-fq7q-8743.json | 16 ++++++++++++++-- .../GHSA-743r-5g92-5vgf/GHSA-743r-5g92-5vgf.json | 14 +++++++++++++- 2 files changed, 27 insertions(+), 3 deletions(-) 
diff --git a/advisories/github-reviewed/2020/03/GHSA-m6xf-fq7q-8743/GHSA-m6xf-fq7q-8743.json b/advisories/github-reviewed/2020/03/GHSA-m6xf-fq7q-8743/GHSA-m6xf-fq7q-8743.json index afe21a60458..a4f8dfd3a5b 100644 --- a/advisories/github-reviewed/2020/03/GHSA-m6xf-fq7q-8743/GHSA-m6xf-fq7q-8743.json +++ b/advisories/github-reviewed/2020/03/GHSA-m6xf-fq7q-8743/GHSA-m6xf-fq7q-8743.json 
@@ -1,17 +1,21 @@ { "schema_version": "1.4.0", "id": "GHSA-m6xf-fq7q-8743", - "modified": "2022-10-07T13:07:17Z", + "modified": "2024-09-12T20:49:31Z", "published": "2020-03-24T15:06:32Z", "aliases": [ "CVE-2020-6816" ], - "summary": "mutation XSS via whitelisted math or svg and raw tag in Bleach", + "summary": "Bleach vulnerable to mutation XSS via whitelisted math or svg and raw tag", "details": "### Impact\n\nA [mutation XSS](https://cure53.de/fp170.pdf) affects users calling `bleach.clean` with all of:\n\n* the `svg` or `math` in the allowed/whitelisted tags\n* an RCDATA tag (see below) in the allowed/whitelisted tags\n* the keyword argument `strip=False`\n\n### Patches\n\nUsers are encouraged to upgrade to bleach v3.1.2 or greater.\n\n### Workarounds\n\n* modify `bleach.clean` calls to use `strip=True`, or not whitelist `math` or `svg` tags and one or more of the following tags:\n\n```\nscript\nnoscript\nstyle\nnoframes\nxmp\nnoembed\niframe\n```\n\n* A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) without `unsafe-inline` and `unsafe-eval` [`script-src`s](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src)) will also help mitigate the risk.\n\n### References\n\n* https://bugzilla.mozilla.org/show_bug.cgi?id=1621692\n* https://cure53.de/fp170.pdf\n* https://nvd.nist.gov/vuln/detail/CVE-2020-6816\n* https://www.checkmarx.com/blog/vulnerabilities-discovered-in-mozilla-bleach\n\n### Credits\n\n* Reported by [Yaniv Nizry](https://twitter.com/ynizry) from the CxSCA AppSec group at Checkmarx\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue at [https://github.com/mozilla/bleach/issues](https://github.com/mozilla/bleach/issues)\n* Email us at [security@mozilla.org](mailto:security@mozilla.org)", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -48,10 +52,18 @@ "type": "WEB", "url": "https://advisory.checkmarx.net/advisory/CX-2020-4277" }, + { + "type": "PACKAGE", + "url": "https://github.com/mozilla/bleach" + }, { "type": "WEB", "url": "https://github.com/mozilla/bleach/releases/tag/v3.1.2" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2020-28.yaml" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EDQU2SZLZMSSACCBUBJ6NOSRNNBDYFW5" diff --git a/advisories/github-reviewed/2021/11/GHSA-743r-5g92-5vgf/GHSA-743r-5g92-5vgf.json b/advisories/github-reviewed/2021/11/GHSA-743r-5g92-5vgf/GHSA-743r-5g92-5vgf.json index 7938dc89cbf..c9d7a819cc7 100644 --- a/advisories/github-reviewed/2021/11/GHSA-743r-5g92-5vgf/GHSA-743r-5g92-5vgf.json +++ b/advisories/github-reviewed/2021/11/GHSA-743r-5g92-5vgf/GHSA-743r-5g92-5vgf.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-743r-5g92-5vgf", - "modified": "2021-12-03T15:20:59Z", + "modified": "2024-09-12T20:48:35Z", "published": "2021-11-24T21:11:16Z", "aliases": [ "CVE-2021-40829" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -78,6 +82,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40829" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-743r-5g92-5vgf" + }, { "type": "WEB", "url": "https://github.com/aws/aws-iot-device-sdk-cpp-v2" @@ -101,6 +109,10 @@ { "type": "WEB", "url": "https://github.com/awslabs/aws-c-io" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-862.yaml" } ], "database_specific": { 
From e9226d42fb707c8d8a8a2f3ce585be40cfaba7cb Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:52:06 +0000 Subject: [PATCH 017/170] Publish Advisories GHSA-j3f7-7rmc-6wqj GHSA-9236-8w7q-rmrv --- .../GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json | 14 +++++++++++++- .../GHSA-9236-8w7q-rmrv/GHSA-9236-8w7q-rmrv.json | 14 +++++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json b/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json index c1065201746..75e8548e3c1 100644 --- a/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json +++ b/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j3f7-7rmc-6wqj", - "modified": "2021-12-03T15:22:22Z", + "modified": "2024-09-12T20:51:25Z", "published": "2021-11-24T20:35:03Z", "aliases": [ "CVE-2021-40831" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -90,6 +94,10 @@ "type": "WEB", "url": "https://github.com/aws/aws-iot-device-sdk-python-v2/commit/5aef82573202309063eb540b72cee0e565f85a2d" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-j3f7-7rmc-6wqj" + }, { "type": "WEB", "url": "https://github.com/aws/aws-iot-device-sdk-cpp-v2" @@ -109,6 +117,10 @@ { "type": "WEB", "url": "https://github.com/awslabs/aws-c-io" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-864.yaml" } ], "database_specific": { 
diff --git a/advisories/github-reviewed/2022/01/GHSA-9236-8w7q-rmrv/GHSA-9236-8w7q-rmrv.json b/advisories/github-reviewed/2022/01/GHSA-9236-8w7q-rmrv/GHSA-9236-8w7q-rmrv.json index dad72e69a82..858d04adac7 100644 --- a/advisories/github-reviewed/2022/01/GHSA-9236-8w7q-rmrv/GHSA-9236-8w7q-rmrv.json +++ b/advisories/github-reviewed/2022/01/GHSA-9236-8w7q-rmrv/GHSA-9236-8w7q-rmrv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9236-8w7q-rmrv", - "modified": "2022-01-05T20:41:25Z", + "modified": "2024-09-12T20:50:41Z", "published": "2022-01-06T21:59:50Z", "aliases": [ "CVE-2021-4162" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -44,6 +48,10 @@ "type": "WEB", "url": "https://github.com/archivy/archivy/commit/796c3ae318eea183fc88c87ec5a27355b0f6a99d" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9236-8w7q-rmrv" + }, { "type": "WEB", "url": "https://github.com/archivy/archivy" @@ -52,6 +60,10 @@ "type": "WEB", "url": "https://github.com/archivy/archivy/releases/tag/v1.6.2" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/archivy/PYSEC-2021-869.yaml" + }, { "type": "WEB", "url": "https://huntr.dev/bounties/e204a768-2129-4b6f-abad-e436309c7c32" From bf979623082141d10d2785961667bb6a9de69177 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:54:06 +0000 Subject: [PATCH 018/170] Publish Advisories GHSA-c4rh-4376-gff4 GHSA-j3f7-7rmc-6wqj GHSA-5x6q-ffwj-8vcf --- .../GHSA-c4rh-4376-gff4/GHSA-c4rh-4376-gff4.json | 14 +++++++++++++- .../GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json | 4 ++-- .../GHSA-5x6q-ffwj-8vcf/GHSA-5x6q-ffwj-8vcf.json | 14 +++++++++++++- 3 files changed, 28 insertions(+), 4 deletions(-) 
diff --git a/advisories/github-reviewed/2021/11/GHSA-c4rh-4376-gff4/GHSA-c4rh-4376-gff4.json b/advisories/github-reviewed/2021/11/GHSA-c4rh-4376-gff4/GHSA-c4rh-4376-gff4.json index e70fb894ffb..ba3e05737d1 100644 --- a/advisories/github-reviewed/2021/11/GHSA-c4rh-4376-gff4/GHSA-c4rh-4376-gff4.json +++ b/advisories/github-reviewed/2021/11/GHSA-c4rh-4376-gff4/GHSA-c4rh-4376-gff4.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-c4rh-4376-gff4", - "modified": "2021-12-03T15:22:02Z", + "modified": "2024-09-12T20:53:25Z", "published": "2021-11-24T21:12:04Z", "aliases": [ "CVE-2021-40830" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -90,6 +94,10 @@ "type": "WEB", "url": "https://github.com/aws/aws-iot-device-sdk-python-v2/commit/0450ce68add7e3d05c6d781ecdac953c299c053a" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-c4rh-4376-gff4" + }, { "type": "WEB", "url": "https://github.com/aws/aws-iot-device-sdk-cpp-v2" @@ -109,6 +117,10 @@ { "type": "WEB", "url": "https://github.com/awslabs/aws-c-io" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-863.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json b/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json index 75e8548e3c1..3e5587d1b20 100644 --- a/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json +++ b/advisories/github-reviewed/2021/11/GHSA-j3f7-7rmc-6wqj/GHSA-j3f7-7rmc-6wqj.json 
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-j3f7-7rmc-6wqj", - "modified": "2024-09-12T20:51:25Z", + "modified": "2024-09-12T20:52:09Z", "published": "2021-11-24T20:35:03Z", "aliases": [ "CVE-2021-40831" ], "summary": "Improper certificate management in AWS IoT Device SDK v2", - "details": "The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is also not enabled when the CA has been “overridden”. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to address this behavior. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS. Amazon Web Services AWS-C-IO 0.10.7 on macOS.", + "details": "The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. 
Additionally, SNI validation is also not enabled when the CA has been \"overridden\". TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The `aws_tls_ctx_options_override_default_trust_store_*` function within the aws-c-io submodule has been updated to address this behavior. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS. Amazon Web Services AWS-C-IO 0.10.7 on macOS.", "severity": [ { "type": "CVSS_V3", diff --git a/advisories/github-reviewed/2022/05/GHSA-5x6q-ffwj-8vcf/GHSA-5x6q-ffwj-8vcf.json b/advisories/github-reviewed/2022/05/GHSA-5x6q-ffwj-8vcf/GHSA-5x6q-ffwj-8vcf.json index 4e137aad008..87541b29f6b 100644 --- a/advisories/github-reviewed/2022/05/GHSA-5x6q-ffwj-8vcf/GHSA-5x6q-ffwj-8vcf.json +++ b/advisories/github-reviewed/2022/05/GHSA-5x6q-ffwj-8vcf/GHSA-5x6q-ffwj-8vcf.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5x6q-ffwj-8vcf", - "modified": "2024-05-01T10:59:36Z", + "modified": "2024-09-12T20:52:47Z", "published": "2022-05-17T01:57:32Z", "aliases": [ "CVE-2015-4082" 
@@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -52,6 +56,10 @@ "type": "PACKAGE", "url": "https://github.com/jborg/attic" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/attic/PYSEC-2017-6.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20200517225455/http://www.securityfocus.com/bid/74821" @@ -59,6 +67,10 @@ { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2015/05/31/3" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/74821" } ], "database_specific": { From 5115b0578ac31e9633681e03c28645749a53b9ac Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:56:05 +0000 Subject: [PATCH 019/170] Publish GHSA-qhmp-h54x-38qr --- .../09/GHSA-qhmp-h54x-38qr/GHSA-qhmp-h54x-38qr.json | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2021/09/GHSA-qhmp-h54x-38qr/GHSA-qhmp-h54x-38qr.json b/advisories/github-reviewed/2021/09/GHSA-qhmp-h54x-38qr/GHSA-qhmp-h54x-38qr.json index eb067a83110..c8d0f33a6d6 100644 --- a/advisories/github-reviewed/2021/09/GHSA-qhmp-h54x-38qr/GHSA-qhmp-h54x-38qr.json +++ b/advisories/github-reviewed/2021/09/GHSA-qhmp-h54x-38qr/GHSA-qhmp-h54x-38qr.json 
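Review bot: The reference added in the last hunk for GHSA-5x6q-ffwj-8vcf, `http://www.securityfocus.com/bid/74821`, is the original of the page already listed through `https://web.archive.org/web/20200517225455/http://www.securityfocus.com/bid/74821` in the previous hunk. That the existing entry is an archive link suggests the original may no longer resolve, and the new URL is plain HTTP, so it gives readers nothing the archived copy does not. I would drop the added entry and keep the archived one.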
@@ -1,17 +1,21 @@ { "schema_version": "1.4.0", "id": "GHSA-qhmp-h54x-38qr", - "modified": "2021-10-06T20:37:36Z", + "modified": "2024-09-12T20:54:36Z", "published": "2021-09-20T20:57:02Z", "aliases": [ "CVE-2021-39229" ], - "summary": "CWE-730 Regex injection with IFTTT Plugin", + "summary": "Apprise vulnerable to regex injection with IFTTT Plugin", "details": "### Impact\nAnyone _publicly_ hosting the Apprise library and granting them access to the IFTTT notification service.\n\n### Patches\nUpdate to Apprise v0.9.5.1\n ```bash\n # Install Apprise v0.9.5.1 from PyPI\n pip install apprise==0.9.5.1\n ```\n\nThe patch to the problem was performed [here](https://github.com/caronc/apprise/pull/436/files).\n\n### Workarounds\nAlternatively, if upgrading is not an option, you can safely remove the following file:\n- `apprise/plugins/NotifyIFTTT.py` \n\nThe above will eliminate the ability to use IFTTT, but everything else will work smoothly.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Apprise](https://github.com/caronc/apprise/issues)\n* Email me at [lead2gold@gmail.com](mailto:lead2gold@gmail.com)\n\n### Additional Credit\nGithub would not allow me to additionally credit **Rasmus Petersen**, but I would like to put that here at the very least - thank you for finding and reporting this issue along with those already credited\n\n## Additional Notes:\n- Github would not allow me to add/tag the 2 CWE's this issue is applicable to (only CWE-400). The other is: CWE-730 (placed in the title)\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ 
@@ -66,6 +70,10 @@ { "type": "WEB", "url": "https://github.com/caronc/apprise/releases/tag/v0.9.5.1" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apprise/PYSEC-2021-327.yaml" } ], "database_specific": { From 53d65d1cdd2352365d54610d873ec8ae79ab06a3 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:58:02 +0000 Subject: [PATCH 020/170] Publish GHSA-h4m5-qpfp-3mpv --- .../GHSA-h4m5-qpfp-3mpv.json | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2021/10/GHSA-h4m5-qpfp-3mpv/GHSA-h4m5-qpfp-3mpv.json b/advisories/github-reviewed/2021/10/GHSA-h4m5-qpfp-3mpv/GHSA-h4m5-qpfp-3mpv.json index 022f59ec77e..84900eac9de 100644 --- a/advisories/github-reviewed/2021/10/GHSA-h4m5-qpfp-3mpv/GHSA-h4m5-qpfp-3mpv.json +++ b/advisories/github-reviewed/2021/10/GHSA-h4m5-qpfp-3mpv/GHSA-h4m5-qpfp-3mpv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-h4m5-qpfp-3mpv", - "modified": "2021-10-27T17:06:39Z", + "modified": "2024-09-12T20:56:02Z", "published": "2021-10-21T17:49:59Z", "aliases": [ "CVE-2021-42771" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -44,6 +48,18 @@ "type": "WEB", "url": "https://github.com/python-babel/babel/pull/782" }, + { + "type": "WEB", + "url": "https://github.com/python-babel/babel/commit/412015ef642bfcc0d8ba8f4d05cdbb6aac98d9b3" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-h4m5-qpfp-3mpv" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/babel/PYSEC-2021-421.yaml" + }, { "type": "WEB", "url": "https://github.com/python-babel/babel" From e575f62fe9e8986b5530d295f7ed41b050da934d Mon Sep 17 00:00:00 2001 
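Review bot: The `CVSS_V4` vector added to GHSA-h4m5-qpfp-3mpv uses `AV:N`, while the `CVSS_V3` vector directly above it in the `@@ -12,6 +12,10 @@` hunk uses `AV:L`. Every other base metric carries over unchanged, so this looks like a transcription slip rather than a re-assessment. A network attack vector raises the computed score and changes how scanners and triage queues rank the finding. If the local-vector assessment still stands, the v4 string should begin `CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/`; if the vector was deliberately re-assessed, the v3 entry should be updated to match.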
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 21:04:27 +0000 Subject: [PATCH 021/170] Publish GHSA-rxgg-273w-rfw7 --- .../01/GHSA-rxgg-273w-rfw7/GHSA-rxgg-273w-rfw7.json | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2024/01/GHSA-rxgg-273w-rfw7/GHSA-rxgg-273w-rfw7.json b/advisories/github-reviewed/2024/01/GHSA-rxgg-273w-rfw7/GHSA-rxgg-273w-rfw7.json index 10ef11e527f..70de5142256 100644 --- a/advisories/github-reviewed/2024/01/GHSA-rxgg-273w-rfw7/GHSA-rxgg-273w-rfw7.json +++ b/advisories/github-reviewed/2024/01/GHSA-rxgg-273w-rfw7/GHSA-rxgg-273w-rfw7.json @@ -1,17 +1,21 @@ { "schema_version": "1.4.0", "id": "GHSA-rxgg-273w-rfw7", - "modified": "2024-01-22T21:32:51Z", + "modified": "2024-09-12T21:02:56Z", "published": "2024-01-15T12:30:19Z", "aliases": [ "CVE-2023-46226" ], "summary": "Remote Code Execution vulnerability in Apache IoTDB via UDF", - "details": "Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.\n\nUsers are recommended to upgrade to version 1.3.0, which fixes the issue.\n\n", + "details": "Remote Code Execution vulnerability in Apache IoTDB. This issue affects Apache IoTDB from 1.0.0 through 1.2.2.\n\nUsers are recommended to upgrade to version 1.3.0, which fixes the issue.\n\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" } ], "affected": [ @@ -83,7 +87,7 @@ "cwe_ids": [ ], - "severity": "CRITICAL", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-01-16T20:45:55Z", "nvd_published_at": "2024-01-15T11:15:07Z" From a8f6f0545e177818c202b18b7e2b0dfadccf4083 Mon Sep 17 00:00:00 2001 
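Review bot: The `@@ -83,7 +87,7 @@` hunk of GHSA-rxgg-273w-rfw7 lowers `database_specific.severity` from `CRITICAL` to `HIGH`, yet the `CVSS_V3` vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` is left as is. The lower label appears to follow the new `CVSS_V4` vector, which carries the threat metric `E:U`. Consumers that rank by the label and consumers that compute a score from the v3 vector will now disagree on an unauthenticated remote code execution issue. Exploit maturity changes over time, so consider publishing the v4 base vector without `/E:U`, or documenting where that value comes from, so the label does not understate the risk if exploitation is later reported.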
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 21:07:20 +0000 Subject: [PATCH 022/170] Publish Advisories GHSA-2xpj-f5g2-8p7m GHSA-39vm-p9mr-4r27 --- .../GHSA-2xpj-f5g2-8p7m.json | 18 +++++++++++++++++- .../GHSA-39vm-p9mr-4r27.json | 17 ++++++++++++++--- 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/advisories/github-reviewed/2021/04/GHSA-2xpj-f5g2-8p7m/GHSA-2xpj-f5g2-8p7m.json b/advisories/github-reviewed/2021/04/GHSA-2xpj-f5g2-8p7m/GHSA-2xpj-f5g2-8p7m.json index dae81c982ad..1ccd6032d8a 100644 --- a/advisories/github-reviewed/2021/04/GHSA-2xpj-f5g2-8p7m/GHSA-2xpj-f5g2-8p7m.json +++ b/advisories/github-reviewed/2021/04/GHSA-2xpj-f5g2-8p7m/GHSA-2xpj-f5g2-8p7m.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2xpj-f5g2-8p7m", - "modified": "2023-08-30T21:16:22Z", + "modified": "2024-09-12T21:06:18Z", "published": "2021-04-20T16:30:51Z", "aliases": [ "CVE-2020-17446" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -44,10 +48,22 @@ "type": "WEB", "url": "https://github.com/MagicStack/asyncpg/commit/69bcdf5bf7696b98ee708be5408fd7d854e910d0" }, + { + "type": "PACKAGE", + "url": "https://github.com/MagicStack/asyncpg" + }, { "type": "WEB", "url": "https://github.com/MagicStack/asyncpg/releases/tag/v0.21.0" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2xpj-f5g2-8p7m" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/asyncpg/PYSEC-2020-24.yaml" + }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00002.html" 
diff --git a/advisories/github-reviewed/2022/05/GHSA-39vm-p9mr-4r27/GHSA-39vm-p9mr-4r27.json b/advisories/github-reviewed/2022/05/GHSA-39vm-p9mr-4r27/GHSA-39vm-p9mr-4r27.json index 2913bc0cba9..19fa146a29c 100644 --- a/advisories/github-reviewed/2022/05/GHSA-39vm-p9mr-4r27/GHSA-39vm-p9mr-4r27.json +++ b/advisories/github-reviewed/2022/05/GHSA-39vm-p9mr-4r27/GHSA-39vm-p9mr-4r27.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-39vm-p9mr-4r27", - "modified": "2024-05-01T10:58:46Z", + "modified": "2024-09-12T21:05:41Z", "published": "2022-05-17T05:22:19Z", "aliases": [ "CVE-2012-3458" @@ -9,7 +9,14 @@ "summary": "Beaker Sensitive Information Disclosure vulnerability", "details": "Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -49,6 +56,10 @@ "type": "PACKAGE", "url": "https://github.com/bbangert/beaker" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/beaker/PYSEC-2012-1.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20140724164516/http://secunia.com/advisories/50226" @@ -68,7 +79,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-326" ], "severity": "MODERATE", "github_reviewed": true, From 61c45050678c88152b66244c84698e01c31afe08 Mon Sep 17 00:00:00 2001 
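Review bot: The `CWE-326` added to `cwe_ids` in the `@@ -68,7 +79,7 @@` hunk of GHSA-39vm-p9mr-4r27 does not quite match what `details` describes. The advisory concerns AES used in ECB mode, which is a mode-of-operation weakness (equal plaintext blocks produce equal ciphertext blocks) rather than insufficient key or scheme strength. `CWE-327` (Use of a Broken or Risky Cryptographic Algorithm) is the more usual mapping for that. Consider `"CWE-327"` instead of, or alongside, `"CWE-326"` so that weakness-based filters pick the advisory up under the expected category.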
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 21:14:45 +0000 Subject: [PATCH 023/170] Publish Advisories GHSA-94jq-q5v2-76wj GHSA-cr45-98w9-gwqx --- .../GHSA-94jq-q5v2-76wj/GHSA-94jq-q5v2-76wj.json | 14 +++++++++++++- .../GHSA-cr45-98w9-gwqx/GHSA-cr45-98w9-gwqx.json | 6 +++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2021/11/GHSA-94jq-q5v2-76wj/GHSA-94jq-q5v2-76wj.json b/advisories/github-reviewed/2021/11/GHSA-94jq-q5v2-76wj/GHSA-94jq-q5v2-76wj.json index a9d42dee8c4..2ca8b0a6f8b 100644 --- a/advisories/github-reviewed/2021/11/GHSA-94jq-q5v2-76wj/GHSA-94jq-q5v2-76wj.json +++ b/advisories/github-reviewed/2021/11/GHSA-94jq-q5v2-76wj/GHSA-94jq-q5v2-76wj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-94jq-q5v2-76wj", - "modified": "2021-12-03T15:21:36Z", + "modified": "2024-09-12T21:14:08Z", "published": "2021-11-24T21:02:24Z", "aliases": [ "CVE-2021-40828" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -90,6 +94,10 @@ "type": "WEB", "url": "https://github.com/aws/aws-iot-device-sdk-python-v2/commit/fd4c0ba04b35eab9e20c635af5548fcc5a92d8be" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-94jq-q5v2-76wj" + }, { "type": "WEB", "url": "https://github.com/aws/aws-iot-device-sdk-cpp-v2" @@ -109,6 +117,10 @@ { "type": "WEB", "url": "https://github.com/awslabs/aws-c-io" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/awsiotsdk/PYSEC-2021-861.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2023/10/GHSA-cr45-98w9-gwqx/GHSA-cr45-98w9-gwqx.json b/advisories/github-reviewed/2023/10/GHSA-cr45-98w9-gwqx/GHSA-cr45-98w9-gwqx.json index a909dd0f547..a53b182cfd6 100644 
--- a/advisories/github-reviewed/2023/10/GHSA-cr45-98w9-gwqx/GHSA-cr45-98w9-gwqx.json +++ b/advisories/github-reviewed/2023/10/GHSA-cr45-98w9-gwqx/GHSA-cr45-98w9-gwqx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cr45-98w9-gwqx", - "modified": "2023-11-06T16:32:12Z", + "modified": "2024-09-12T21:13:16Z", "published": "2023-10-19T16:13:50Z", "aliases": [ "CVE-2023-45815" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From 884818544b56209724ddcb0eac76079efb55d344 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 21:17:00 +0000 Subject: [PATCH 024/170] Publish Advisories GHSA-hhm3-48h2-597v GHSA-f8vc-f28w-x9c9 --- .../GHSA-hhm3-48h2-597v/GHSA-hhm3-48h2-597v.json | 14 +++++++++++++- .../GHSA-f8vc-f28w-x9c9/GHSA-f8vc-f28w-x9c9.json | 13 +++++++------ 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/advisories/github-reviewed/2022/02/GHSA-hhm3-48h2-597v/GHSA-hhm3-48h2-597v.json b/advisories/github-reviewed/2022/02/GHSA-hhm3-48h2-597v/GHSA-hhm3-48h2-597v.json index 3ddfdafda80..0a2daa23738 100644 --- a/advisories/github-reviewed/2022/02/GHSA-hhm3-48h2-597v/GHSA-hhm3-48h2-597v.json +++ b/advisories/github-reviewed/2022/02/GHSA-hhm3-48h2-597v/GHSA-hhm3-48h2-597v.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hhm3-48h2-597v", - "modified": "2023-08-31T15:18:54Z", + "modified": "2024-09-12T21:15:25Z", "published": "2022-02-02T00:01:46Z", "aliases": [ "CVE-2021-44451" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ 
@@ -40,10 +44,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44451" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-hhm3-48h2-597v" + }, { "type": "PACKAGE", "url": "https://github.com/apache/superset" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2022-36.yaml" + }, { "type": "WEB", "url": "https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb" diff --git a/advisories/github-reviewed/2022/05/GHSA-f8vc-f28w-x9c9/GHSA-f8vc-f28w-x9c9.json b/advisories/github-reviewed/2022/05/GHSA-f8vc-f28w-x9c9/GHSA-f8vc-f28w-x9c9.json index 762b518c3a9..3448ebe5292 100644 --- a/advisories/github-reviewed/2022/05/GHSA-f8vc-f28w-x9c9/GHSA-f8vc-f28w-x9c9.json +++ b/advisories/github-reviewed/2022/05/GHSA-f8vc-f28w-x9c9/GHSA-f8vc-f28w-x9c9.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-f8vc-f28w-x9c9", - "modified": "2023-08-31T15:49:27Z", + "modified": "2024-09-12T21:16:24Z", "published": "2022-05-24T19:17:47Z", "aliases": [ "CVE-2021-32609" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -28,14 +32,11 @@ "introduced": "0" }, { - "fixed": "1.2" + "fixed": "1.2.0" } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 1.1" - } + ] } ], "references": [ From 3820f9c918385bc15b25926a5c676c7022e849c0 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 21:19:46 +0000 Subject: [PATCH 025/170] Publish GHSA-9xwq-72vp-5j3c --- .../2022/05/GHSA-9xwq-72vp-5j3c/GHSA-9xwq-72vp-5j3c.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/advisories/github-reviewed/2022/05/GHSA-9xwq-72vp-5j3c/GHSA-9xwq-72vp-5j3c.json b/advisories/github-reviewed/2022/05/GHSA-9xwq-72vp-5j3c/GHSA-9xwq-72vp-5j3c.json index 6a0ae7a9f94..ed0a711c9cf 100644 --- a/advisories/github-reviewed/2022/05/GHSA-9xwq-72vp-5j3c/GHSA-9xwq-72vp-5j3c.json +++ b/advisories/github-reviewed/2022/05/GHSA-9xwq-72vp-5j3c/GHSA-9xwq-72vp-5j3c.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9xwq-72vp-5j3c", - "modified": "2022-11-04T18:44:51Z", + "modified": "2024-09-12T21:18:20Z", "published": "2022-05-17T01:17:22Z", "aliases": [ "CVE-2017-3152" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ From 41739fea801edeba473432e44ae7e7d45d41f81a Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 21:30:46 +0000 Subject: [PATCH 026/170] Publish GHSA-mwhf-vhr5-7j23 --- .../GHSA-mwhf-vhr5-7j23.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json diff --git a/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json b/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json new file mode 100644 index 00000000000..ae14cd7a67b --- /dev/null +++ b/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json 
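Review bot: The `CVSS_V4` vector added to GHSA-9xwq-72vp-5j3c sets `PR:L`, but the `CVSS_V3` vector directly above it has `PR:N`. The v4 string is identical to the one added to GHSA-f8vc-f28w-x9c9 in the previous commit, whose v3 vector does have `PR:L`, so it may have been copied. Requiring privileges lowers the computed score for an issue the v3 assessment rates as exploitable without authentication. If that assessment still holds, the v4 vector should read `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`.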
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mwhf-vhr5-7j23", + "modified": "2024-09-12T21:29:17Z", + "published": "2024-09-12T21:29:17Z", + "aliases": [ + "CVE-2024-45607" + ], + "summary": "whatsapp-api-js fails to validate message's signature", + "details": "### Impact\nIncorrect Access Control, anyone using the post or verifyRequestSignature methods to handle messages is impacted.\n\n### Patches\nPatched in version 4.0.3.\n\n### Workarounds\nIt's possible to check the payload validation using the WhatsAppAPI.verifyRequestSignature and expect false when the signature is valid.\n\n```ts\nfunction doPost(payload, header_signature) {\n if (whatsapp.verifyRequestSignature(payload.toString(), header_signature) {\n throw 403;\n }\n \n // Now the payload is correctly verified\n whatsapp.post(payload);\n}\n```\n\n### References\nhttps://github.com/Secreto31126/whatsapp-api-js/pull/371\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "whatsapp-api-js" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/Secreto31126/whatsapp-api-js/security/advisories/GHSA-mwhf-vhr5-7j23" + }, + { + "type": "WEB", + "url": "https://github.com/Secreto31126/whatsapp-api-js/pull/371" + }, + { + "type": "WEB", + "url": "https://github.com/Secreto31126/whatsapp-api-js/commit/56620c65126427496a94d176082fbd8393a95b6d" + }, + { + "type": "PACKAGE", + "url": "https://github.com/Secreto31126/whatsapp-api-js" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-347" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-09-12T21:29:17Z", + 
"nvd_published_at": null + } +} \ No newline at end of file From d1cf51f8fe827d0534e1d7bbf292b52d9efb00e3 Mon Sep 17 00:00:00 2001 
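Review bot: The workaround snippet embedded in `details` of the new GHSA-mwhf-vhr5-7j23 record does not parse. Its `if` line is missing a closing parenthesis and should read `if (whatsapp.verifyRequestSignature(payload.toString(), header_signature)) {`. The snippet also relies on the inverted return value the text describes ("expect false when the signature is valid"), so it presumably rejects every valid request once the fixed 4.0.3 is installed. A sentence telling users to remove the workaround when they upgrade would prevent that. Separately, the `CVSS_V3` vector has `UI:N` while the `CVSS_V4` vector has `UI:P`, which is worth reconciling.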
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 21:33:07 +0000 Subject: [PATCH 027/170] Advisory Database Sync --- .../GHSA-jcrr-rr6w-8c83.json | 4 +- .../GHSA-2xgw-64w9-83wm.json | 10 +++- .../GHSA-2fcg-hwv9-g767.json | 2 +- .../GHSA-4qww-v3r6-7335.json | 2 +- .../GHSA-97jg-3m56-w8ph.json | 2 +- .../GHSA-jq2h-j9qf-53rv.json | 2 +- .../GHSA-qj3c-jhpr-p28m.json | 2 +- .../GHSA-627f-4vcr-fmq4.json | 2 +- .../GHSA-6pp8-37pj-mhcc.json | 4 +- .../GHSA-4pmw-7j2g-cfp7.json | 11 +++-- .../GHSA-253q-prr2-4prx.json | 3 +- .../GHSA-27qw-rmpj-379q.json | 11 +++-- .../GHSA-27rm-pvpp-228f.json | 11 +++-- .../GHSA-2c74-9qcc-prpp.json | 3 +- .../GHSA-3ffg-5vr4-3v59.json | 11 +++-- .../GHSA-7w35-8v2m-9grg.json | 3 +- .../GHSA-crf2-q686-qj4r.json | 9 ++-- .../GHSA-pm23-3px3-qrh7.json | 6 ++- .../GHSA-vp43-mc38-mmg5.json | 5 +- .../GHSA-3qv6-5f5f-f89j.json | 46 +++++++++++++++++++ .../GHSA-5h7r-mv43-gm2c.json | 9 ++-- .../GHSA-66wp-pmr8-89fq.json | 38 +++++++++++++++ .../GHSA-6c6w-688f-8mwx.json | 11 +++-- .../GHSA-6pj4-296c-2375.json | 9 ++-- .../GHSA-6x3x-mhgp-4j2c.json | 9 ++-- .../GHSA-8ccr-ppgf-4r3x.json | 35 ++++++++++++++ .../GHSA-8gv7-8h2v-9w6c.json | 11 +++-- .../GHSA-947f-qh3g-pcj5.json | 38 +++++++++++++++ .../GHSA-c4q5-vjmp-xrgv.json | 43 +++++++++++++++++ .../GHSA-cf4q-v7mm-g53q.json | 11 +++-- .../GHSA-cwr9-w5qw-fr62.json | 35 ++++++++++++++ .../GHSA-f2jx-jjc7-hv9g.json | 42 +++++++++++++++++ .../GHSA-g8hg-rjf5-vfrm.json | 42 +++++++++++++++++ .../GHSA-g8mr-6p9f-7c7x.json | 38 +++++++++++++++ .../GHSA-gvqc-g8mm-r66f.json | 9 ++-- .../GHSA-hcmh-526c-3ggp.json | 39 ++++++++++++++++ .../GHSA-m2wr-9pq6-49jc.json | 9 ++-- .../GHSA-m48w-79jh-f8w7.json | 35 ++++++++++++++ .../GHSA-mrr5-8hm7-42xh.json | 43 +++++++++++++++++ .../GHSA-ph8h-4mq7-vw5v.json | 42 +++++++++++++++++ .../GHSA-qj4x-mh6f-mw42.json | 38 +++++++++++++++ .../GHSA-qmm9-m4wr-gv24.json | 9 ++-- .../GHSA-qxrx-gr5j-75cw.json | 11 +++-- 
.../GHSA-rp3x-cq62-cvh4.json | 9 ++-- .../GHSA-vpx9-6rc9-v679.json | 38 +++++++++++++++ .../GHSA-wpxq-m249-cq6r.json | 9 ++-- .../GHSA-x654-52cq-hxj3.json | 42 +++++++++++++++++ .../GHSA-x863-gchp-57m3.json | 11 +++-- .../GHSA-xj5f-4vpp-mxhf.json | 38 +++++++++++++++ .../GHSA-xmrg-69jq-mfv5.json | 39 ++++++++++++++++ .../GHSA-xwpv-8x3r-cvm2.json | 38 +++++++++++++++ 51 files changed, 899 insertions(+), 80 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-3qv6-5f5f-f89j/GHSA-3qv6-5f5f-f89j.json create mode 100644 advisories/unreviewed/2024/09/GHSA-66wp-pmr8-89fq/GHSA-66wp-pmr8-89fq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-8ccr-ppgf-4r3x/GHSA-8ccr-ppgf-4r3x.json create mode 100644 advisories/unreviewed/2024/09/GHSA-947f-qh3g-pcj5/GHSA-947f-qh3g-pcj5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-c4q5-vjmp-xrgv/GHSA-c4q5-vjmp-xrgv.json create mode 100644 advisories/unreviewed/2024/09/GHSA-cwr9-w5qw-fr62/GHSA-cwr9-w5qw-fr62.json create mode 100644 advisories/unreviewed/2024/09/GHSA-f2jx-jjc7-hv9g/GHSA-f2jx-jjc7-hv9g.json create mode 100644 advisories/unreviewed/2024/09/GHSA-g8hg-rjf5-vfrm/GHSA-g8hg-rjf5-vfrm.json create mode 100644 advisories/unreviewed/2024/09/GHSA-g8mr-6p9f-7c7x/GHSA-g8mr-6p9f-7c7x.json create mode 100644 advisories/unreviewed/2024/09/GHSA-hcmh-526c-3ggp/GHSA-hcmh-526c-3ggp.json create mode 100644 advisories/unreviewed/2024/09/GHSA-m48w-79jh-f8w7/GHSA-m48w-79jh-f8w7.json create mode 100644 advisories/unreviewed/2024/09/GHSA-mrr5-8hm7-42xh/GHSA-mrr5-8hm7-42xh.json create mode 100644 advisories/unreviewed/2024/09/GHSA-ph8h-4mq7-vw5v/GHSA-ph8h-4mq7-vw5v.json create mode 100644 advisories/unreviewed/2024/09/GHSA-qj4x-mh6f-mw42/GHSA-qj4x-mh6f-mw42.json create mode 100644 advisories/unreviewed/2024/09/GHSA-vpx9-6rc9-v679/GHSA-vpx9-6rc9-v679.json create mode 100644 advisories/unreviewed/2024/09/GHSA-x654-52cq-hxj3/GHSA-x654-52cq-hxj3.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-xj5f-4vpp-mxhf/GHSA-xj5f-4vpp-mxhf.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xmrg-69jq-mfv5/GHSA-xmrg-69jq-mfv5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xwpv-8x3r-cvm2/GHSA-xwpv-8x3r-cvm2.json diff --git a/advisories/github-reviewed/2023/12/GHSA-jcrr-rr6w-8c83/GHSA-jcrr-rr6w-8c83.json b/advisories/github-reviewed/2023/12/GHSA-jcrr-rr6w-8c83/GHSA-jcrr-rr6w-8c83.json index 2ebc754e94d..8e1a615b828 100644 --- a/advisories/github-reviewed/2023/12/GHSA-jcrr-rr6w-8c83/GHSA-jcrr-rr6w-8c83.json +++ b/advisories/github-reviewed/2023/12/GHSA-jcrr-rr6w-8c83/GHSA-jcrr-rr6w-8c83.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jcrr-rr6w-8c83", - "modified": "2023-12-22T19:51:38Z", + "modified": "2024-09-12T21:32:39Z", "published": "2023-12-22T12:31:52Z", "aliases": [ "CVE-2023-49391" @@ -55,7 +55,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-94" ], "severity": "HIGH", "github_reviewed": true, diff --git a/advisories/unreviewed/2023/02/GHSA-2xgw-64w9-83wm/GHSA-2xgw-64w9-83wm.json b/advisories/unreviewed/2023/02/GHSA-2xgw-64w9-83wm/GHSA-2xgw-64w9-83wm.json index ef1085a8d35..9adb82cebb1 100644 --- a/advisories/unreviewed/2023/02/GHSA-2xgw-64w9-83wm/GHSA-2xgw-64w9-83wm.json +++ b/advisories/unreviewed/2023/02/GHSA-2xgw-64w9-83wm/GHSA-2xgw-64w9-83wm.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2xgw-64w9-83wm", - "modified": "2023-02-09T21:30:28Z", + "modified": "2024-09-12T21:32:00Z", "published": "2023-02-02T18:30:48Z", "aliases": [ "CVE-2023-0651" @@ -11,6 +11,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" } ], "affected": [ 
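Review bot: The `CVSS_V4` vector added to GHSA-2xgw-64w9-83wm in the `@@ -11,6 +11,10 @@` hunk contradicts the `CVSS_V3` vector above it on privileges and impact. The v3 vector is `PR:N` with `C:H/I:H/A:H`, while the v4 vector is `PR:L` with `VC:L/VI:L/VA:L`. The two presumably come from different sources (the next hunk adds a vuldb.com reference), but as published the record rates one issue as both unauthenticated high-impact and authenticated low-impact. The `severity` label is outside this hunk, so I cannot tell which of the two it follows. The vector also spells out every Not Defined (`X`) metric; these can be omitted so the string carries only the base metrics and is easier to compare.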
@@ -36,6 +40,10 @@ { "type": "WEB", "url": "https://vuldb.com/?id.220038" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.82316" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/10/GHSA-2fcg-hwv9-g767/GHSA-2fcg-hwv9-g767.json b/advisories/unreviewed/2023/10/GHSA-2fcg-hwv9-g767/GHSA-2fcg-hwv9-g767.json index 6b8046a18a1..3d622d500c1 100644 --- a/advisories/unreviewed/2023/10/GHSA-2fcg-hwv9-g767/GHSA-2fcg-hwv9-g767.json +++ b/advisories/unreviewed/2023/10/GHSA-2fcg-hwv9-g767/GHSA-2fcg-hwv9-g767.json @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-4qww-v3r6-7335/GHSA-4qww-v3r6-7335.json b/advisories/unreviewed/2023/10/GHSA-4qww-v3r6-7335/GHSA-4qww-v3r6-7335.json index 828b804dab2..c6b608c53c5 100644 --- a/advisories/unreviewed/2023/10/GHSA-4qww-v3r6-7335/GHSA-4qww-v3r6-7335.json +++ b/advisories/unreviewed/2023/10/GHSA-4qww-v3r6-7335/GHSA-4qww-v3r6-7335.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4qww-v3r6-7335", - "modified": "2023-11-02T18:30:23Z", + "modified": "2024-09-12T21:32:00Z", "published": "2023-10-22T21:36:10Z", "aliases": [ "CVE-2023-46306" diff --git a/advisories/unreviewed/2023/10/GHSA-97jg-3m56-w8ph/GHSA-97jg-3m56-w8ph.json b/advisories/unreviewed/2023/10/GHSA-97jg-3m56-w8ph/GHSA-97jg-3m56-w8ph.json index 45bcbc03084..dea26f2f0fd 100644 --- a/advisories/unreviewed/2023/10/GHSA-97jg-3m56-w8ph/GHSA-97jg-3m56-w8ph.json +++ b/advisories/unreviewed/2023/10/GHSA-97jg-3m56-w8ph/GHSA-97jg-3m56-w8ph.json @@ -36,7 +36,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-jq2h-j9qf-53rv/GHSA-jq2h-j9qf-53rv.json b/advisories/unreviewed/2023/10/GHSA-jq2h-j9qf-53rv/GHSA-jq2h-j9qf-53rv.json index e60e6422584..961e7848644 100644 
--- a/advisories/unreviewed/2023/10/GHSA-jq2h-j9qf-53rv/GHSA-jq2h-j9qf-53rv.json +++ b/advisories/unreviewed/2023/10/GHSA-jq2h-j9qf-53rv/GHSA-jq2h-j9qf-53rv.json @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-200" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-qj3c-jhpr-p28m/GHSA-qj3c-jhpr-p28m.json b/advisories/unreviewed/2023/10/GHSA-qj3c-jhpr-p28m/GHSA-qj3c-jhpr-p28m.json index 355e5c2afba..3871c1a810e 100644 --- a/advisories/unreviewed/2023/10/GHSA-qj3c-jhpr-p28m/GHSA-qj3c-jhpr-p28m.json +++ b/advisories/unreviewed/2023/10/GHSA-qj3c-jhpr-p28m/GHSA-qj3c-jhpr-p28m.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-94" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-627f-4vcr-fmq4/GHSA-627f-4vcr-fmq4.json b/advisories/unreviewed/2024/01/GHSA-627f-4vcr-fmq4/GHSA-627f-4vcr-fmq4.json index 4c071c72a09..8ec006d35a9 100644 --- a/advisories/unreviewed/2024/01/GHSA-627f-4vcr-fmq4/GHSA-627f-4vcr-fmq4.json +++ b/advisories/unreviewed/2024/01/GHSA-627f-4vcr-fmq4/GHSA-627f-4vcr-fmq4.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-400" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/01/GHSA-6pp8-37pj-mhcc/GHSA-6pp8-37pj-mhcc.json b/advisories/unreviewed/2024/01/GHSA-6pp8-37pj-mhcc/GHSA-6pp8-37pj-mhcc.json index 4df6c156466..45f74edb075 100644 --- a/advisories/unreviewed/2024/01/GHSA-6pp8-37pj-mhcc/GHSA-6pp8-37pj-mhcc.json +++ b/advisories/unreviewed/2024/01/GHSA-6pp8-37pj-mhcc/GHSA-6pp8-37pj-mhcc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6pp8-37pj-mhcc", - "modified": "2024-01-30T21:30:28Z", + "modified": "2024-09-12T21:32:00Z", "published": "2024-01-23T21:30:21Z", "aliases": [ "CVE-2023-52325" @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-98" ], "severity": "HIGH", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2024/07/GHSA-4pmw-7j2g-cfp7/GHSA-4pmw-7j2g-cfp7.json b/advisories/unreviewed/2024/07/GHSA-4pmw-7j2g-cfp7/GHSA-4pmw-7j2g-cfp7.json index 020aac7d7de..3816f15da17 100644 --- a/advisories/unreviewed/2024/07/GHSA-4pmw-7j2g-cfp7/GHSA-4pmw-7j2g-cfp7.json +++ b/advisories/unreviewed/2024/07/GHSA-4pmw-7j2g-cfp7/GHSA-4pmw-7j2g-cfp7.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-4pmw-7j2g-cfp7", - "modified": "2024-07-29T09:36:16Z", + "modified": "2024-09-12T21:32:00Z", "published": "2024-07-29T09:36:16Z", "aliases": [ "CVE-2024-41143" ], "details": "Origin validation error vulnerability exists in SKYSEA Client View Ver.3.013.00 to Ver.19.210.04e. If this vulnerability is exploited, an arbitrary process may be executed with SYSTEM privilege by a user who can log in to the PC where the product's Windows client is installed.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-346" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-07-29T09:15:02Z" diff --git a/advisories/unreviewed/2024/08/GHSA-253q-prr2-4prx/GHSA-253q-prr2-4prx.json b/advisories/unreviewed/2024/08/GHSA-253q-prr2-4prx/GHSA-253q-prr2-4prx.json index 761a07ba104..7381cdde37b 100644 --- a/advisories/unreviewed/2024/08/GHSA-253q-prr2-4prx/GHSA-253q-prr2-4prx.json +++ b/advisories/unreviewed/2024/08/GHSA-253q-prr2-4prx/GHSA-253q-prr2-4prx.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-200" + "CWE-200", + "CWE-862" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/08/GHSA-27qw-rmpj-379q/GHSA-27qw-rmpj-379q.json b/advisories/unreviewed/2024/08/GHSA-27qw-rmpj-379q/GHSA-27qw-rmpj-379q.json index f24e471b436..39b601e259c 100644 
--- a/advisories/unreviewed/2024/08/GHSA-27qw-rmpj-379q/GHSA-27qw-rmpj-379q.json +++ b/advisories/unreviewed/2024/08/GHSA-27qw-rmpj-379q/GHSA-27qw-rmpj-379q.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-27qw-rmpj-379q", - "modified": "2024-08-29T18:31:35Z", + "modified": "2024-09-12T21:32:00Z", "published": "2024-08-26T12:31:20Z", "aliases": [ "CVE-2024-44939" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix null ptr deref in dtInsertEntry\n\n[syzbot reported]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713\n...\n[Analyze]\nIn dtInsertEntry(), when the pointer h has the same value as p, after writing\nname in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the\npreviously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing\nthe name operation, this leads to entering an incorrect branch and accessing the\nuninitialized object ih when judging this condition for the second time.\n\n[Fix]\nAfter got the page, check freelist first, if freelist == 0 then exit dtInsert()\nand return -EINVAL.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-26T12:15:06Z" 
diff --git a/advisories/unreviewed/2024/08/GHSA-27rm-pvpp-228f/GHSA-27rm-pvpp-228f.json b/advisories/unreviewed/2024/08/GHSA-27rm-pvpp-228f/GHSA-27rm-pvpp-228f.json index b42d76bd28d..3135cbe6494 100644 --- a/advisories/unreviewed/2024/08/GHSA-27rm-pvpp-228f/GHSA-27rm-pvpp-228f.json +++ b/advisories/unreviewed/2024/08/GHSA-27rm-pvpp-228f/GHSA-27rm-pvpp-228f.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-27rm-pvpp-228f", - "modified": "2024-08-23T21:30:42Z", + "modified": "2024-09-12T21:32:00Z", "published": "2024-08-23T21:30:42Z", "aliases": [ "CVE-2024-37392" ], "details": "A stored Cross-Site Scripting (XSS) vulnerability has been identified in SMSEagle software version < 6.0. The vulnerability arises because the application did not properly sanitize user input in the SMS messages in the inbox. This could allow an attacker to inject malicious JavaScript code into an SMS message, which gets executed when the SMS is viewed and specially interacted in web-GUI.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-23T21:15:07Z" diff --git a/advisories/unreviewed/2024/08/GHSA-2c74-9qcc-prpp/GHSA-2c74-9qcc-prpp.json b/advisories/unreviewed/2024/08/GHSA-2c74-9qcc-prpp/GHSA-2c74-9qcc-prpp.json index 3be0e570839..8d36016fc84 100644 --- a/advisories/unreviewed/2024/08/GHSA-2c74-9qcc-prpp/GHSA-2c74-9qcc-prpp.json +++ b/advisories/unreviewed/2024/08/GHSA-2c74-9qcc-prpp/GHSA-2c74-9qcc-prpp.json @@ -32,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-277" + "CWE-277", + "CWE-732" ], "severity": "MODERATE", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2024/08/GHSA-3ffg-5vr4-3v59/GHSA-3ffg-5vr4-3v59.json b/advisories/unreviewed/2024/08/GHSA-3ffg-5vr4-3v59/GHSA-3ffg-5vr4-3v59.json index b901543b0c2..5df1d8b9ed9 100644 --- a/advisories/unreviewed/2024/08/GHSA-3ffg-5vr4-3v59/GHSA-3ffg-5vr4-3v59.json +++ b/advisories/unreviewed/2024/08/GHSA-3ffg-5vr4-3v59/GHSA-3ffg-5vr4-3v59.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-3ffg-5vr4-3v59", - "modified": "2024-08-26T12:31:20Z", + "modified": "2024-09-12T21:32:00Z", "published": "2024-08-26T12:31:20Z", "aliases": [ "CVE-2024-44941" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to cover read extent cache access with lock\n\nsyzbot reports a f2fs bug as below:\n\nBUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\nRead of size 4 at addr ffff8880739ab220 by task syz-executor200/5097\n\nCPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46\n do_read_inode fs/f2fs/inode.c:509 [inline]\n f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560\n f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237\n generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413\n exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444\n exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584\n do_handle_to_path fs/fhandle.c:155 [inline]\n handle_to_path fs/fhandle.c:210 [inline]\n do_handle_open+0x495/0x650 fs/fhandle.c:226\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWe missed to cover sanity_check_extent_cache() w/ extent cache lock,\nso, below race case may happen, result in use after free issue.\n\n- f2fs_iget\n - do_read_inode\n - f2fs_init_read_extent_tree\n : add largest extent entry in to cache\n\t\t\t\t\t- shrink\n\t\t\t\t\t - f2fs_shrink_read_extent_tree\n\t\t\t\t\t - 
__shrink_extent_tree\n\t\t\t\t\t - __detach_extent_node\n\t\t\t\t\t : drop largest extent entry\n - sanity_check_extent_cache\n : access et->largest w/o lock\n\nlet's refactor sanity_check_extent_cache() to avoid extent cache access\nand call it before f2fs_init_read_extent_tree() to fix this issue.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-26T12:15:06Z" diff --git a/advisories/unreviewed/2024/08/GHSA-7w35-8v2m-9grg/GHSA-7w35-8v2m-9grg.json b/advisories/unreviewed/2024/08/GHSA-7w35-8v2m-9grg/GHSA-7w35-8v2m-9grg.json index 8c340f5df99..53761d3c4b9 100644 --- a/advisories/unreviewed/2024/08/GHSA-7w35-8v2m-9grg/GHSA-7w35-8v2m-9grg.json +++ b/advisories/unreviewed/2024/08/GHSA-7w35-8v2m-9grg/GHSA-7w35-8v2m-9grg.json @@ -32,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-277" + "CWE-277", + "CWE-732" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/08/GHSA-crf2-q686-qj4r/GHSA-crf2-q686-qj4r.json b/advisories/unreviewed/2024/08/GHSA-crf2-q686-qj4r/GHSA-crf2-q686-qj4r.json index ec903f5f619..c677a3373fe 100644 --- a/advisories/unreviewed/2024/08/GHSA-crf2-q686-qj4r/GHSA-crf2-q686-qj4r.json +++ b/advisories/unreviewed/2024/08/GHSA-crf2-q686-qj4r/GHSA-crf2-q686-qj4r.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-crf2-q686-qj4r", - "modified": "2024-08-13T18:31:15Z", + "modified": "2024-09-12T21:32:00Z", "published": "2024-08-13T18:31:15Z", "aliases": [ "CVE-2024-36446" ], "details": "The provisioning manager component of Mitel MiVoice MX-ONE through 7.6 SP1 could allow an authenticated attacker to conduct an authentication bypass attack due to improper access control. A successful exploit could allow an attacker to bypass the authorization schema.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-13T17:15:23Z" diff --git a/advisories/unreviewed/2024/08/GHSA-pm23-3px3-qrh7/GHSA-pm23-3px3-qrh7.json b/advisories/unreviewed/2024/08/GHSA-pm23-3px3-qrh7/GHSA-pm23-3px3-qrh7.json index 625e6e7ae6f..c39abf99602 100644 --- a/advisories/unreviewed/2024/08/GHSA-pm23-3px3-qrh7/GHSA-pm23-3px3-qrh7.json +++ b/advisories/unreviewed/2024/08/GHSA-pm23-3px3-qrh7/GHSA-pm23-3px3-qrh7.json 
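Review bot: The second hunk of GHSA-crf2-q686-qj4r sets `"severity": "HIGH"` but leaves `cwe_ids` empty, even though the details text names the weakness (improper access control leading to an authorization bypass). Other records in this patch fill the field when they gain a score, for example `"CWE-79"` on GHSA-27rm-pvpp-228f, so weakness-based filtering will miss this one. If the upstream source carries a classification, `"CWE-284"` looks like the fit here. The same gap appears in GHSA-6pj4-296c-2375 (SQL injection, likely `"CWE-89"`), in GHSA-5h7r-mv43-gm2c (URL spoofing), and in the XSS records GHSA-6x3x-mhgp-4j2c, GHSA-gvqc-g8mm-r66f, GHSA-m2wr-9pq6-49jc and GHSA-qmm9-m4wr-gv24 (likely `"CWE-79"`).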
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-pm23-3px3-qrh7", - "modified": "2024-08-26T00:30:54Z", + "modified": "2024-09-12T21:32:00Z", "published": "2024-08-26T00:30:54Z", "aliases": [ "CVE-2024-8158" ], "details": "A bug in the 9p authentication implementation within lib9p allows an attacker with an existing valid user within the configured auth server to impersonate any other valid filesystem user.\n\nThis is due to lib9p not properly verifying that the uname given in the Tauth and Tattach 9p messages matches the client UID returned from the factotum authentication handshake.\n\n\nThe only filesystem making use of these functions within the base 9front systems is the experimental hjfs disk filesystem, other disk filesystems (cwfs and gefs) are not affected by this bug.\n\nThis bug was inherited from Plan 9 and is present in all versions of 9front and is remedied fully in commit 9645ae07eb66a59015e3e118d0024790c37400da.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:C/RE:L/U:Red" diff --git a/advisories/unreviewed/2024/08/GHSA-vp43-mc38-mmg5/GHSA-vp43-mc38-mmg5.json b/advisories/unreviewed/2024/08/GHSA-vp43-mc38-mmg5/GHSA-vp43-mc38-mmg5.json index 434b25067bc..7541f84eae0 100644 --- a/advisories/unreviewed/2024/08/GHSA-vp43-mc38-mmg5/GHSA-vp43-mc38-mmg5.json +++ b/advisories/unreviewed/2024/08/GHSA-vp43-mc38-mmg5/GHSA-vp43-mc38-mmg5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vp43-mc38-mmg5", - "modified": "2024-08-26T03:30:44Z", + "modified": "2024-09-12T21:32:00Z", "published": "2024-08-26T03:30:44Z", "aliases": [ "CVE-2024-8073" @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-20" + "CWE-20", + "CWE-77" ], "severity": "CRITICAL", "github_reviewed": false, 
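Review bot: The `CVSS_V3` vector added to GHSA-pm23-3px3-qrh7 rates confidentiality as none (`C:N`), while the `CVSS_V4` entry kept in the same `severity` array rates it high (`VC:H`, plus `SC:H/SI:H`). The details describe impersonating any other valid filesystem user, which would normally expose that user's files, so the two vectors appear to disagree on impact and not only on scoring version. This should be confirmed against the upstream sources before consumers pick one of the two. If the V4 assessment is the intended one, the V3 line would read `"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"`. The `database_specific.severity` label for this record lies outside the hunk.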
diff --git a/advisories/unreviewed/2024/09/GHSA-3qv6-5f5f-f89j/GHSA-3qv6-5f5f-f89j.json b/advisories/unreviewed/2024/09/GHSA-3qv6-5f5f-f89j/GHSA-3qv6-5f5f-f89j.json new file mode 100644 index 00000000000..a6407f7db51 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-3qv6-5f5f-f89j/GHSA-3qv6-5f5f-f89j.json @@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3qv6-5f5f-f89j", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-34336" + ], + "details": "User enumeration vulnerability in ORDAT FOSS-Online before v2.24.01 allows attackers to determine if an account exists in the application by comparing the server responses of the forgot password functionality.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34336" + }, + { + "type": "WEB", + "url": "https://mind-bytes.de/offenlegung-existierender-benutzerkonten-in-foss-online-cve-2024-34336" + }, + { + "type": "WEB", + "url": "http://foss-online.com" + }, + { + "type": "WEB", + "url": "http://ordat.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-204" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T19:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-5h7r-mv43-gm2c/GHSA-5h7r-mv43-gm2c.json b/advisories/unreviewed/2024/09/GHSA-5h7r-mv43-gm2c/GHSA-5h7r-mv43-gm2c.json index 6af9ccbdeee..0ed9bdc3c49 100644 --- a/advisories/unreviewed/2024/09/GHSA-5h7r-mv43-gm2c/GHSA-5h7r-mv43-gm2c.json +++ b/advisories/unreviewed/2024/09/GHSA-5h7r-mv43-gm2c/GHSA-5h7r-mv43-gm2c.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5h7r-mv43-gm2c", - "modified": "2024-09-03T21:31:12Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-03T21:31:12Z", "aliases": [ "CVE-2024-8399" ], "details": "Websites could utilize Javascript links to spoof URL addresses in the Focus navigation bar This vulnerability affects Focus for iOS < 130.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-03T20:15:09Z" diff --git a/advisories/unreviewed/2024/09/GHSA-66wp-pmr8-89fq/GHSA-66wp-pmr8-89fq.json b/advisories/unreviewed/2024/09/GHSA-66wp-pmr8-89fq/GHSA-66wp-pmr8-89fq.json new file mode 100644 index 00000000000..f8d17723176 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-66wp-pmr8-89fq/GHSA-66wp-pmr8-89fq.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-66wp-pmr8-89fq", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-45383" + ], + "details": "A mishandling of IRP requests vulnerability exists in the HDAudBus_DMA interface of Microsoft High Definition Audio Bus Driver 10.0.19041.3636 (WinBuild.160101.0800). A specially crafted application can issue multiple IRP Complete requests which leads to a local denial-of-service. An attacker can execute malicious script/application to trigger this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45383" + }, + { + "type": "WEB", + "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-2008" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-664" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T19:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-6c6w-688f-8mwx/GHSA-6c6w-688f-8mwx.json b/advisories/unreviewed/2024/09/GHSA-6c6w-688f-8mwx/GHSA-6c6w-688f-8mwx.json index 24c7c2b75fa..c73f9843e9f 100644 --- a/advisories/unreviewed/2024/09/GHSA-6c6w-688f-8mwx/GHSA-6c6w-688f-8mwx.json +++ b/advisories/unreviewed/2024/09/GHSA-6c6w-688f-8mwx/GHSA-6c6w-688f-8mwx.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6c6w-688f-8mwx", - "modified": "2024-09-12T18:31:42Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-12T18:31:42Z", "aliases": [ "CVE-2020-24061" ], "details": "Cross Site Scripting (XSS) Vulnerability in Firewall menu in Control Panel in KASDA KW5515 version 4.3.1.0, allows attackers to execute arbitrary code and steal cookies via a crafted script", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-12T18:15:05Z" diff --git a/advisories/unreviewed/2024/09/GHSA-6pj4-296c-2375/GHSA-6pj4-296c-2375.json b/advisories/unreviewed/2024/09/GHSA-6pj4-296c-2375/GHSA-6pj4-296c-2375.json index ac5d6094e8a..fbd64d05710 100644 --- a/advisories/unreviewed/2024/09/GHSA-6pj4-296c-2375/GHSA-6pj4-296c-2375.json +++ b/advisories/unreviewed/2024/09/GHSA-6pj4-296c-2375/GHSA-6pj4-296c-2375.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6pj4-296c-2375", - "modified": "2024-09-12T06:30:22Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-12T06:30:22Z", "aliases": [ "CVE-2024-7766" ], "details": "The Adicon Server WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-12T06:15:24Z" 
diff --git a/advisories/unreviewed/2024/09/GHSA-6x3x-mhgp-4j2c/GHSA-6x3x-mhgp-4j2c.json b/advisories/unreviewed/2024/09/GHSA-6x3x-mhgp-4j2c/GHSA-6x3x-mhgp-4j2c.json index 8acbf514867..a03579b95b7 100644 --- a/advisories/unreviewed/2024/09/GHSA-6x3x-mhgp-4j2c/GHSA-6x3x-mhgp-4j2c.json +++ b/advisories/unreviewed/2024/09/GHSA-6x3x-mhgp-4j2c/GHSA-6x3x-mhgp-4j2c.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6x3x-mhgp-4j2c", - "modified": "2024-09-12T06:30:21Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-12T06:30:21Z", "aliases": [ "CVE-2024-6019" ], "details": "The Music Request Manager WordPress plugin through 1.3 does not sanitise and escape incoming music requests, which could allow unauthenticated users to perform Cross-Site Scripting attacks against administrators", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-12T06:15:24Z" diff --git a/advisories/unreviewed/2024/09/GHSA-8ccr-ppgf-4r3x/GHSA-8ccr-ppgf-4r3x.json b/advisories/unreviewed/2024/09/GHSA-8ccr-ppgf-4r3x/GHSA-8ccr-ppgf-4r3x.json new file mode 100644 index 00000000000..bdf172d0ac9 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-8ccr-ppgf-4r3x/GHSA-8ccr-ppgf-4r3x.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8ccr-ppgf-4r3x", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-44459" + ], + "details": "A memory allocation issue in vernemq v2.0.1 allows attackers to cause a Denial of Service (DoS) via excessive memory consumption.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44459" + }, + { + "type": "WEB", + "url": "https://github.com/zzh-newlearner/MQTT_Crash/blob/main/Vernemq_crash.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T20:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-8gv7-8h2v-9w6c/GHSA-8gv7-8h2v-9w6c.json b/advisories/unreviewed/2024/09/GHSA-8gv7-8h2v-9w6c/GHSA-8gv7-8h2v-9w6c.json index f8bdd5e809d..af7d9003c47 100644 --- a/advisories/unreviewed/2024/09/GHSA-8gv7-8h2v-9w6c/GHSA-8gv7-8h2v-9w6c.json +++ b/advisories/unreviewed/2024/09/GHSA-8gv7-8h2v-9w6c/GHSA-8gv7-8h2v-9w6c.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8gv7-8h2v-9w6c", - "modified": "2024-09-03T18:31:32Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-03T18:31:32Z", "aliases": [ "CVE-2024-42903" ], "details": "A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-74" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-03T18:15:08Z" 
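Review bot: The new record GHSA-8ccr-ppgf-4r3x is published with an empty `severity` array, empty `cwe_ids` and `"severity": null`, so a consumer that ranks or filters on those fields has nothing to work with. The details already name the weakness (denial of service through excessive memory consumption), so at least the CWE could be filled, e.g. `"CWE-770"` if that matches the upstream analysis. The other unscored new files in this patch have the same gap: GHSA-c4q5-vjmp-xrgv (reflected XSS), GHSA-cwr9-w5qw-fr62, GHSA-hcmh-526c-3ggp, GHSA-m48w-79jh-f8w7 (IDOR) and GHSA-mrr5-8hm7-42xh (SQL injection).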
diff --git a/advisories/unreviewed/2024/09/GHSA-947f-qh3g-pcj5/GHSA-947f-qh3g-pcj5.json b/advisories/unreviewed/2024/09/GHSA-947f-qh3g-pcj5/GHSA-947f-qh3g-pcj5.json new file mode 100644 index 00000000000..dea88913f07 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-947f-qh3g-pcj5/GHSA-947f-qh3g-pcj5.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-947f-qh3g-pcj5", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-8311" + ], + "details": "An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8311" + }, + { + "type": "WEB", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/479315" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-424" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T19:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-c4q5-vjmp-xrgv/GHSA-c4q5-vjmp-xrgv.json b/advisories/unreviewed/2024/09/GHSA-c4q5-vjmp-xrgv/GHSA-c4q5-vjmp-xrgv.json new file mode 100644 index 00000000000..4b8b98e1fe0 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-c4q5-vjmp-xrgv/GHSA-c4q5-vjmp-xrgv.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c4q5-vjmp-xrgv", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-34335" + ], + "details": "ORDAT FOSS-Online before version 2.24.01 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the login page.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34335" + }, + { + "type": "WEB", + "url": "https://mind-bytes.de/cross-site-scripting-in-foss-online-cve-2024-34335" + }, + { + "type": "WEB", + "url": "http://foss-online.com" + }, + { + "type": "WEB", + "url": "http://ordat.com" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T19:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-cf4q-v7mm-g53q/GHSA-cf4q-v7mm-g53q.json b/advisories/unreviewed/2024/09/GHSA-cf4q-v7mm-g53q/GHSA-cf4q-v7mm-g53q.json index a9bbdf29962..e380fcfefd9 100644 --- a/advisories/unreviewed/2024/09/GHSA-cf4q-v7mm-g53q/GHSA-cf4q-v7mm-g53q.json +++ b/advisories/unreviewed/2024/09/GHSA-cf4q-v7mm-g53q/GHSA-cf4q-v7mm-g53q.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-cf4q-v7mm-g53q", - "modified": "2024-09-03T21:31:12Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-03T21:31:12Z", "aliases": [ "CVE-2024-45678" ], "details": "Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -45,9 +48,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-203" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-03T20:15:08Z" diff --git a/advisories/unreviewed/2024/09/GHSA-cwr9-w5qw-fr62/GHSA-cwr9-w5qw-fr62.json b/advisories/unreviewed/2024/09/GHSA-cwr9-w5qw-fr62/GHSA-cwr9-w5qw-fr62.json new file mode 100644 index 00000000000..f048d0659c3 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-cwr9-w5qw-fr62/GHSA-cwr9-w5qw-fr62.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cwr9-w5qw-fr62", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-44460" + ], + "details": "An invalid read size in Nanomq v0.21.9 allows attackers to cause a Denial of Service (DoS).", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44460" + }, + { + "type": "WEB", + "url": "https://github.com/zzh-newlearner/MQTT_Crash/blob/main/Nanomq_invalid_read.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T20:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-f2jx-jjc7-hv9g/GHSA-f2jx-jjc7-hv9g.json b/advisories/unreviewed/2024/09/GHSA-f2jx-jjc7-hv9g/GHSA-f2jx-jjc7-hv9g.json new file mode 100644 index 00000000000..1c4820da2e3 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-f2jx-jjc7-hv9g/GHSA-f2jx-jjc7-hv9g.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f2jx-jjc7-hv9g", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-45181" + ], + "details": "An issue was discovered in WibuKey64.sys in WIBU-SYSTEMS WibuKey before v6.70 and fixed in v.6.70. An improper bounds check allows crafted packets to cause an arbitrary address write, resulting in kernel memory corruption.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45181" + }, + { + "type": "WEB", + "url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/AdvisoryWIBU-94453.pdf" + }, + { + "type": "WEB", + "url": "https://wibu.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T19:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-g8hg-rjf5-vfrm/GHSA-g8hg-rjf5-vfrm.json b/advisories/unreviewed/2024/09/GHSA-g8hg-rjf5-vfrm/GHSA-g8hg-rjf5-vfrm.json new file mode 100644 index 00000000000..839d2f35287 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-g8hg-rjf5-vfrm/GHSA-g8hg-rjf5-vfrm.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g8hg-rjf5-vfrm", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-4472" + ], + "details": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4472" + }, + { + "type": "WEB", + "url": "https://hackerone.com/reports/2477062" + }, + { + "type": "WEB", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/460289" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-532" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T19:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-g8mr-6p9f-7c7x/GHSA-g8mr-6p9f-7c7x.json b/advisories/unreviewed/2024/09/GHSA-g8mr-6p9f-7c7x/GHSA-g8mr-6p9f-7c7x.json new file mode 100644 index 00000000000..043421ee34a --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-g8mr-6p9f-7c7x/GHSA-g8mr-6p9f-7c7x.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g8mr-6p9f-7c7x", + "modified": "2024-09-12T21:32:03Z", + "published": "2024-09-12T21:32:03Z", + "aliases": [ + "CVE-2024-7961" + ], + "details": "A path traversal vulnerability exists in the Rockwell Automation affected product. If exploited, the threat actor could upload arbitrary files to the server that could result in a remote code execution.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7961" + }, + { + "type": "WEB", + "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1695.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T21:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-gvqc-g8mm-r66f/GHSA-gvqc-g8mm-r66f.json b/advisories/unreviewed/2024/09/GHSA-gvqc-g8mm-r66f/GHSA-gvqc-g8mm-r66f.json index afde8cf07d4..c8287895bd3 100644 --- a/advisories/unreviewed/2024/09/GHSA-gvqc-g8mm-r66f/GHSA-gvqc-g8mm-r66f.json +++ b/advisories/unreviewed/2024/09/GHSA-gvqc-g8mm-r66f/GHSA-gvqc-g8mm-r66f.json 
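Review bot: The `details` text of GHSA-g8mr-6p9f-7c7x never names the product ("the Rockwell Automation affected product") and `affected` is empty, so the record cannot be matched to an asset inventory without opening the vendor advisory SD1695 linked in `references`. Carrying the product name and affected versions from that advisory into `details` would make the record usable on its own. GHSA-qj4x-mh6f-mw42 (vendor advisory SD1964) has the same gap.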
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-gvqc-g8mm-r66f", - "modified": "2024-09-10T06:30:49Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-10T06:30:49Z", "aliases": [ "CVE-2024-7891" ], "details": "The Floating Contact Button WordPress plugin before 2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-10T06:15:02Z" diff --git a/advisories/unreviewed/2024/09/GHSA-hcmh-526c-3ggp/GHSA-hcmh-526c-3ggp.json b/advisories/unreviewed/2024/09/GHSA-hcmh-526c-3ggp/GHSA-hcmh-526c-3ggp.json new file mode 100644 index 00000000000..13cb48a7fae --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-hcmh-526c-3ggp/GHSA-hcmh-526c-3ggp.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hcmh-526c-3ggp", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-45182" + ], + "details": "An issue was discovered in WibuKey64.sys in WIBU-SYSTEMS WibuKey before v6.70 and fixed in v.6.70 An improper bounds check allows specially crafted packets to cause an arbitrary address read, resulting in Denial of Service.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45182" + }, + { + "type": "WEB", + "url": "https://cdn.wibu.com/fileadmin/wibu_downloads/security_advisories/AdvisoryWIBU-94453.pdf" + }, + { + "type": "WEB", + "url": "https://wibu.com" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T19:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-m2wr-9pq6-49jc/GHSA-m2wr-9pq6-49jc.json b/advisories/unreviewed/2024/09/GHSA-m2wr-9pq6-49jc/GHSA-m2wr-9pq6-49jc.json index effb8aa60a3..d7baf3ca4cc 100644 --- a/advisories/unreviewed/2024/09/GHSA-m2wr-9pq6-49jc/GHSA-m2wr-9pq6-49jc.json +++ b/advisories/unreviewed/2024/09/GHSA-m2wr-9pq6-49jc/GHSA-m2wr-9pq6-49jc.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-m2wr-9pq6-49jc", - "modified": "2024-09-12T06:30:21Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-12T06:30:21Z", "aliases": [ "CVE-2024-6017" ], "details": "The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ 
@@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-12T06:15:23Z" diff --git a/advisories/unreviewed/2024/09/GHSA-m48w-79jh-f8w7/GHSA-m48w-79jh-f8w7.json b/advisories/unreviewed/2024/09/GHSA-m48w-79jh-f8w7/GHSA-m48w-79jh-f8w7.json new file mode 100644 index 00000000000..cbe9afd7c94 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-m48w-79jh-f8w7/GHSA-m48w-79jh-f8w7.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m48w-79jh-f8w7", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-25270" + ], + "details": "An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulnerability by manipulating the ID parameter and increment STEP parameter, leading to the exposure of sensitive user data.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25270" + }, + { + "type": "WEB", + "url": "https://github.com/fbkcs/CVE-2024-25270" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T19:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-mrr5-8hm7-42xh/GHSA-mrr5-8hm7-42xh.json b/advisories/unreviewed/2024/09/GHSA-mrr5-8hm7-42xh/GHSA-mrr5-8hm7-42xh.json new file mode 100644 index 00000000000..0b00d9bb61f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-mrr5-8hm7-42xh/GHSA-mrr5-8hm7-42xh.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mrr5-8hm7-42xh", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-34334" + ], + "details": "ORDAT FOSS-Online before v2.24.01 was discovered to contain a SQL injection vulnerability via the forgot password function.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34334" + }, + { + "type": "WEB", + "url": "https://mind-bytes.de/sql-injection-in-foss-online-cve-2024-34334" + }, + { + "type": "WEB", + "url": "http://foss-online.com" + }, + { + "type": "WEB", + "url": "http://ordat.com" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T19:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-ph8h-4mq7-vw5v/GHSA-ph8h-4mq7-vw5v.json b/advisories/unreviewed/2024/09/GHSA-ph8h-4mq7-vw5v/GHSA-ph8h-4mq7-vw5v.json new file mode 100644 index 00000000000..2d3b0748e9d --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-ph8h-4mq7-vw5v/GHSA-ph8h-4mq7-vw5v.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-ph8h-4mq7-vw5v", + "modified": "2024-09-12T21:32:02Z", + "published": "2024-09-12T21:32:02Z", + "aliases": [ + "CVE-2024-6678" + ], + "details": "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6678" + }, + { + "type": "WEB", + "url": "https://hackerone.com/reports/2595495" + }, + { + "type": "WEB", + "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/471923" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-290" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-12T19:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-qj4x-mh6f-mw42/GHSA-qj4x-mh6f-mw42.json b/advisories/unreviewed/2024/09/GHSA-qj4x-mh6f-mw42/GHSA-qj4x-mh6f-mw42.json new file mode 100644 index 00000000000..ff057a52209 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-qj4x-mh6f-mw42/GHSA-qj4x-mh6f-mw42.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qj4x-mh6f-mw42",
+ "modified": "2024-09-12T21:32:02Z",
+ "published": "2024-09-12T21:32:02Z",
+ "aliases": [
+ "CVE-2024-8533"
+ ],
+ "details": "A privilege escalation vulnerability exists in the Rockwell Automation affected products. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8533"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1964.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-269"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-12T20:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-qmm9-m4wr-gv24/GHSA-qmm9-m4wr-gv24.json b/advisories/unreviewed/2024/09/GHSA-qmm9-m4wr-gv24/GHSA-qmm9-m4wr-gv24.json
index 60dfd2ed4fc..784bb917312 100644
--- a/advisories/unreviewed/2024/09/GHSA-qmm9-m4wr-gv24/GHSA-qmm9-m4wr-gv24.json
+++ b/advisories/unreviewed/2024/09/GHSA-qmm9-m4wr-gv24/GHSA-qmm9-m4wr-gv24.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-qmm9-m4wr-gv24", - "modified": "2024-09-12T06:30:21Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-12T06:30:21Z", "aliases": [ "CVE-2024-6887" ], "details": "The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-12T06:15:24Z" diff --git a/advisories/unreviewed/2024/09/GHSA-qxrx-gr5j-75cw/GHSA-qxrx-gr5j-75cw.json b/advisories/unreviewed/2024/09/GHSA-qxrx-gr5j-75cw/GHSA-qxrx-gr5j-75cw.json index 6e709d8a2a9..d5aa9c47b7a 100644 --- a/advisories/unreviewed/2024/09/GHSA-qxrx-gr5j-75cw/GHSA-qxrx-gr5j-75cw.json +++ b/advisories/unreviewed/2024/09/GHSA-qxrx-gr5j-75cw/GHSA-qxrx-gr5j-75cw.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-qxrx-gr5j-75cw", - "modified": "2024-09-03T18:31:32Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-03T18:31:32Z", "aliases": [ "CVE-2024-42904" ], "details": "A cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter at /Controllers/ClientController.php.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ 
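Review bot: `cwe_ids` stays an empty array in the second hunk (`@@ -27,7 +30,7 @@`) for GHSA-qmm9-m4wr-gv24, although this commit now gives the record a CVSS vector and `MODERATE` severity and its `details` text describes stored cross-site scripting. The GHSA-rp3x-cq62-cvh4 and GHSA-wpxq-m249-cq6r sections later in this patch have the same gap, while GHSA-qxrx-gr5j-75cw gets `"CWE-79"`. Consumers that group or filter advisories by weakness will miss these three; I would fill the array in each, `"cwe_ids": [ "CWE-79" ],`, so the structured fields agree with the description.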
@@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-03T18:15:08Z" diff --git a/advisories/unreviewed/2024/09/GHSA-rp3x-cq62-cvh4/GHSA-rp3x-cq62-cvh4.json b/advisories/unreviewed/2024/09/GHSA-rp3x-cq62-cvh4/GHSA-rp3x-cq62-cvh4.json index 424718ae958..f83e15bac4d 100644 --- a/advisories/unreviewed/2024/09/GHSA-rp3x-cq62-cvh4/GHSA-rp3x-cq62-cvh4.json +++ b/advisories/unreviewed/2024/09/GHSA-rp3x-cq62-cvh4/GHSA-rp3x-cq62-cvh4.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-rp3x-cq62-cvh4", - "modified": "2024-09-12T06:30:21Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-12T06:30:21Z", "aliases": [ "CVE-2024-6018" ], "details": "The Music Request Manager WordPress plugin through 1.3 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-12T06:15:23Z" diff --git a/advisories/unreviewed/2024/09/GHSA-vpx9-6rc9-v679/GHSA-vpx9-6rc9-v679.json b/advisories/unreviewed/2024/09/GHSA-vpx9-6rc9-v679/GHSA-vpx9-6rc9-v679.json new file mode 100644 index 00000000000..a39c6f2c7ff --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-vpx9-6rc9-v679/GHSA-vpx9-6rc9-v679.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vpx9-6rc9-v679",
+ "modified": "2024-09-12T21:32:02Z",
+ "published": "2024-09-12T21:32:02Z",
+ "aliases": [
+ "CVE-2024-6077"
+ ],
+ "details": "A denial-of-service vulnerability exists in the Rockwell Automation affected products when specially crafted packets are sent to the CIP Security Object. If exploited the device will become unavailable and require a factory reset to recover.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6077"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1963.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-12T20:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-wpxq-m249-cq6r/GHSA-wpxq-m249-cq6r.json b/advisories/unreviewed/2024/09/GHSA-wpxq-m249-cq6r/GHSA-wpxq-m249-cq6r.json
index 034159bdff5..4a2cb60b114 100644
--- a/advisories/unreviewed/2024/09/GHSA-wpxq-m249-cq6r/GHSA-wpxq-m249-cq6r.json
+++ b/advisories/unreviewed/2024/09/GHSA-wpxq-m249-cq6r/GHSA-wpxq-m249-cq6r.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-wpxq-m249-cq6r", - "modified": "2024-09-12T06:30:21Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-12T06:30:21Z", "aliases": [ "CVE-2024-5799" ], "details": "The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-12T06:15:23Z" diff --git a/advisories/unreviewed/2024/09/GHSA-x654-52cq-hxj3/GHSA-x654-52cq-hxj3.json b/advisories/unreviewed/2024/09/GHSA-x654-52cq-hxj3/GHSA-x654-52cq-hxj3.json new file mode 100644 index 00000000000..b6f5331a7c5 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-x654-52cq-hxj3/GHSA-x654-52cq-hxj3.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x654-52cq-hxj3",
+ "modified": "2024-09-12T21:32:02Z",
+ "published": "2024-09-12T21:32:02Z",
+ "aliases": [
+ "CVE-2024-8641"
+ ],
+ "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8641"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hackerone.com/reports/2595495"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/471954"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-270"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-12T19:15:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-x863-gchp-57m3/GHSA-x863-gchp-57m3.json b/advisories/unreviewed/2024/09/GHSA-x863-gchp-57m3/GHSA-x863-gchp-57m3.json
index ee7df4f0a51..4ce6bc5468e 100644
--- a/advisories/unreviewed/2024/09/GHSA-x863-gchp-57m3/GHSA-x863-gchp-57m3.json
+++ b/advisories/unreviewed/2024/09/GHSA-x863-gchp-57m3/GHSA-x863-gchp-57m3.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-x863-gchp-57m3", - "modified": "2024-09-12T18:31:42Z", + "modified": "2024-09-12T21:32:01Z", "published": "2024-09-12T18:31:42Z", "aliases": [ "CVE-2024-41629" ], "details": "An issue in Texas Instruments Fusion Digital Power Designer v.7.10.1 allows a local attacker to obtain sensitive information via the plaintext storage of credentials", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-200" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-12T18:15:07Z" diff --git a/advisories/unreviewed/2024/09/GHSA-xj5f-4vpp-mxhf/GHSA-xj5f-4vpp-mxhf.json b/advisories/unreviewed/2024/09/GHSA-xj5f-4vpp-mxhf/GHSA-xj5f-4vpp-mxhf.json new file mode 100644 index 00000000000..08c26a8717c --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-xj5f-4vpp-mxhf/GHSA-xj5f-4vpp-mxhf.json 
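Review bot: The second hunk (`@@ -25,9 +28,9 @@`) classifies GHSA-x863-gchp-57m3 as `"CWE-200"` only, but the `details` text names the cause as plaintext storage of credentials, which CWE-312 (Cleartext Storage of Sensitive Information) describes more precisely than the generic exposure class. A later patch in this series lists both ids on GHSA-4qrm-9h4r-v2fx, so the same shape would fit here: `"CWE-200",` followed by `"CWE-312"`. This presumably mirrors the upstream NVD mapping, so the change may belong in the source record as well.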
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xj5f-4vpp-mxhf",
+ "modified": "2024-09-12T21:32:03Z",
+ "published": "2024-09-12T21:32:02Z",
+ "aliases": [
+ "CVE-2024-7960"
+ ],
+ "details": "The Rockwell Automation affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7960"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1695.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-269"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-12T21:15:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xmrg-69jq-mfv5/GHSA-xmrg-69jq-mfv5.json b/advisories/unreviewed/2024/09/GHSA-xmrg-69jq-mfv5/GHSA-xmrg-69jq-mfv5.json
new file mode 100644
index 00000000000..4b1bc86f052
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-xmrg-69jq-mfv5/GHSA-xmrg-69jq-mfv5.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xmrg-69jq-mfv5",
+ "modified": "2024-09-12T21:32:02Z",
+ "published": "2024-09-12T21:32:02Z",
+ "aliases": [
+ "CVE-2024-36066"
+ ],
+ "details": "The CMP CLI client in KeyFactor EJBCA before 8.3.1 has only 6 octets of salt, and is thus not compliant with the security requirements of RFC 4211, and might make man-in-the-middle attacks easier. CMP includes password-based MAC as one of the options for message integrity and authentication (the other option is certificate-based). RFC 4211 section 4.4 requires that password-based MAC parameters use a salt with a random value of at least 8 octets. This helps to inhibit dictionary attacks. Because the standalone CMP client originally was developed as test code, the salt was instead hardcoded and only 6 octets long.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36066"
+ },
+ {
+ "type": "WEB",
+ "url": "https://datatracker.ietf.org/doc/html/rfc4211#section-4.4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.keyfactor.com/hc/en-us/articles/26965687021595-EJBCA-Security-Advisory-EJBCA-standalone-CMP-CLI-client"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-12T19:15:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xwpv-8x3r-cvm2/GHSA-xwpv-8x3r-cvm2.json b/advisories/unreviewed/2024/09/GHSA-xwpv-8x3r-cvm2/GHSA-xwpv-8x3r-cvm2.json
new file mode 100644
index 00000000000..6d803a9f4ee
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-xwpv-8x3r-cvm2/GHSA-xwpv-8x3r-cvm2.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xwpv-8x3r-cvm2",
+ "modified": "2024-09-12T21:32:02Z",
+ "published": "2024-09-12T21:32:02Z",
+ "aliases": [
+ "CVE-2024-20430"
+ ],
+ "details": "A vulnerability in Cisco Meraki Systems Manager (SM) Agent for Windows could allow an authenticated, local attacker to execute arbitrary code with elevated privileges. \n\nThis vulnerability is due to incorrect handling of directory search paths at runtime. A low-privileged attacker could exploit this vulnerability by placing both malicious configuration files and malicious DLL files on an affected system, which would read and execute the files when Cisco Meraki SM launches on startup. A successful exploit could allow the attacker to execute arbitrary code on the affected system with SYSTEM privileges. ",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20430"
+ },
+ {
+ "type": "WEB",
+ "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-agent-dll-hj-Ptn7PtKe"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-427"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-12T20:15:04Z"
+ }
+}
\ No newline at end of file
From bb7fe8c2a980be330fe7e9ab9a03a1cec718b6cc Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Thu, 12 Sep 2024 21:39:13 +0000
Subject: [PATCH 028/170] Publish GHSA-gprj-6m2f-j9hx
---
 .../2024/09/GHSA-gprj-6m2f-j9hx/GHSA-gprj-6m2f-j9hx.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/advisories/github-reviewed/2024/09/GHSA-gprj-6m2f-j9hx/GHSA-gprj-6m2f-j9hx.json b/advisories/github-reviewed/2024/09/GHSA-gprj-6m2f-j9hx/GHSA-gprj-6m2f-j9hx.json index 463b7aac3c4..05b9808278c 100644 --- a/advisories/github-reviewed/2024/09/GHSA-gprj-6m2f-j9hx/GHSA-gprj-6m2f-j9hx.json +++ b/advisories/github-reviewed/2024/09/GHSA-gprj-6m2f-j9hx/GHSA-gprj-6m2f-j9hx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-gprj-6m2f-j9hx", - "modified": "2024-09-03T21:45:31Z", + "modified": "2024-09-12T21:38:09Z", "published": "2024-09-03T19:33:36Z", "aliases": [ "CVE-2024-45389" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ From 461a907dc341007c0e66e407624b53920785d62f Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 21:40:44 +0000 Subject: [PATCH 029/170] Publish Advisories GHSA-4qrm-9h4r-v2fx GHSA-mwhf-vhr5-7j23 --- .../2024/09/GHSA-4qrm-9h4r-v2fx/GHSA-4qrm-9h4r-v2fx.json | 3 ++- .../2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json | 8 ++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2024/09/GHSA-4qrm-9h4r-v2fx/GHSA-4qrm-9h4r-v2fx.json b/advisories/github-reviewed/2024/09/GHSA-4qrm-9h4r-v2fx/GHSA-4qrm-9h4r-v2fx.json index 8ec5b4b9f11..ae0a3fc0fe3 100644 --- a/advisories/github-reviewed/2024/09/GHSA-4qrm-9h4r-v2fx/GHSA-4qrm-9h4r-v2fx.json +++ b/advisories/github-reviewed/2024/09/GHSA-4qrm-9h4r-v2fx/GHSA-4qrm-9h4r-v2fx.json @@ -63,7 +63,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-200" + "CWE-200", + "CWE-312" ], "severity": "HIGH", "github_reviewed": true, 
diff --git a/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json b/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json index ae14cd7a67b..9eda576d6e6 100644 --- a/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json +++ b/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mwhf-vhr5-7j23", - "modified": "2024-09-12T21:29:17Z", + "modified": "2024-09-12T21:39:35Z", "published": "2024-09-12T21:29:17Z", "aliases": [ "CVE-2024-45607" @@ -44,6 +44,10 @@ "type": "WEB", "url": "https://github.com/Secreto31126/whatsapp-api-js/security/advisories/GHSA-mwhf-vhr5-7j23" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45607" + }, { "type": "WEB", "url": "https://github.com/Secreto31126/whatsapp-api-js/pull/371" @@ -64,6 +68,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-09-12T21:29:17Z", - "nvd_published_at": null + "nvd_published_at": "2024-09-12T20:15:05Z" } } \ No newline at end of file From ed55c3bb46267bbab960f1ea9e2f26388318eee3 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 00:32:14 +0000 Subject: [PATCH 030/170] Publish Advisories GHSA-43pr-r6xw-f56v GHSA-jf4r-vjvc-pj36 GHSA-jpgp-pmqh-538w GHSA-v66p-q797-c8vm GHSA-w7wj-5p2p-g7p7 GHSA-22q6-7m3g-6r77 GHSA-35pg-8ph2-rp9c GHSA-c4q5-vjmp-xrgv GHSA-f53w-fw63-qjpw GHSA-g7wm-3q7g-g3q2 GHSA-m2jf-3295-7fpm GHSA-mrr5-8hm7-42xh GHSA-pcxj-w6pv-x9c5 GHSA-qfx3-m2xp-3pcp GHSA-v7mj-q2hh-7r72 GHSA-w8hf-8rpm-xjp2 GHSA-wfg8-6fh4-8fp9 GHSA-x4fw-fhfj-vm7c --- .../GHSA-43pr-r6xw-f56v.json | 2 +- .../GHSA-jf4r-vjvc-pj36.json | 2 +- .../GHSA-jpgp-pmqh-538w.json | 2 +- .../GHSA-v66p-q797-c8vm.json | 11 ++-- .../GHSA-w7wj-5p2p-g7p7.json | 2 +- .../GHSA-22q6-7m3g-6r77.json | 2 +- .../GHSA-35pg-8ph2-rp9c.json | 2 +- .../GHSA-c4q5-vjmp-xrgv.json | 11 ++-- .../GHSA-f53w-fw63-qjpw.json | 2 +- .../GHSA-g7wm-3q7g-g3q2.json | 2 +- .../GHSA-m2jf-3295-7fpm.json | 54 +++++++++++++++++++ .../GHSA-mrr5-8hm7-42xh.json | 11 ++-- .../GHSA-pcxj-w6pv-x9c5.json | 2 +- .../GHSA-qfx3-m2xp-3pcp.json | 2 +- .../GHSA-v7mj-q2hh-7r72.json | 2 +- .../GHSA-w8hf-8rpm-xjp2.json | 2 +- .../GHSA-wfg8-6fh4-8fp9.json | 2 +- .../GHSA-x4fw-fhfj-vm7c.json | 2 +- 18 files changed, 89 insertions(+), 26 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-m2jf-3295-7fpm/GHSA-m2jf-3295-7fpm.json diff --git a/advisories/unreviewed/2023/10/GHSA-43pr-r6xw-f56v/GHSA-43pr-r6xw-f56v.json b/advisories/unreviewed/2023/10/GHSA-43pr-r6xw-f56v/GHSA-43pr-r6xw-f56v.json index fe340edbcfe..98018e3f8f9 100644 --- a/advisories/unreviewed/2023/10/GHSA-43pr-r6xw-f56v/GHSA-43pr-r6xw-f56v.json +++ b/advisories/unreviewed/2023/10/GHSA-43pr-r6xw-f56v/GHSA-43pr-r6xw-f56v.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-94" ], "severity": "CRITICAL", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2023/10/GHSA-jf4r-vjvc-pj36/GHSA-jf4r-vjvc-pj36.json b/advisories/unreviewed/2023/10/GHSA-jf4r-vjvc-pj36/GHSA-jf4r-vjvc-pj36.json index e27be2e4bea..28dfcd309e3 100644 --- a/advisories/unreviewed/2023/10/GHSA-jf4r-vjvc-pj36/GHSA-jf4r-vjvc-pj36.json +++ b/advisories/unreviewed/2023/10/GHSA-jf4r-vjvc-pj36/GHSA-jf4r-vjvc-pj36.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-jpgp-pmqh-538w/GHSA-jpgp-pmqh-538w.json b/advisories/unreviewed/2023/10/GHSA-jpgp-pmqh-538w/GHSA-jpgp-pmqh-538w.json index 5eac217366a..58573bf1fc6 100644 --- a/advisories/unreviewed/2023/10/GHSA-jpgp-pmqh-538w/GHSA-jpgp-pmqh-538w.json +++ b/advisories/unreviewed/2023/10/GHSA-jpgp-pmqh-538w/GHSA-jpgp-pmqh-538w.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/08/GHSA-v66p-q797-c8vm/GHSA-v66p-q797-c8vm.json b/advisories/unreviewed/2024/08/GHSA-v66p-q797-c8vm/GHSA-v66p-q797-c8vm.json index 55d4bc5f9ff..d6580d11405 100644 --- a/advisories/unreviewed/2024/08/GHSA-v66p-q797-c8vm/GHSA-v66p-q797-c8vm.json +++ b/advisories/unreviewed/2024/08/GHSA-v66p-q797-c8vm/GHSA-v66p-q797-c8vm.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-v66p-q797-c8vm", - "modified": "2024-08-28T06:30:31Z", + "modified": "2024-09-13T00:30:47Z", "published": "2024-08-28T06:30:31Z", "aliases": [ "CVE-2024-39771" ], "details": "QBiC CLOUD CC-2L v1.1.30 and earlier and Safie One v1.8.2 and earlier do not properly validate certificates, which may allow a network-adjacent unauthenticated attacker to obtain and/or alter communications of the affected product via a man-in-the-middle attack.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" + } ], "affected": [ 
@@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-295" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-28T06:15:06Z" diff --git a/advisories/unreviewed/2024/08/GHSA-w7wj-5p2p-g7p7/GHSA-w7wj-5p2p-g7p7.json b/advisories/unreviewed/2024/08/GHSA-w7wj-5p2p-g7p7/GHSA-w7wj-5p2p-g7p7.json index 8b8a9cb6708..0ed7c841166 100644 --- a/advisories/unreviewed/2024/08/GHSA-w7wj-5p2p-g7p7/GHSA-w7wj-5p2p-g7p7.json +++ b/advisories/unreviewed/2024/08/GHSA-w7wj-5p2p-g7p7/GHSA-w7wj-5p2p-g7p7.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w7wj-5p2p-g7p7", - "modified": "2024-08-27T09:30:44Z", + "modified": "2024-09-13T00:30:46Z", "published": "2024-08-27T09:30:44Z", "aliases": [ "CVE-2024-7304" diff --git a/advisories/unreviewed/2024/09/GHSA-22q6-7m3g-6r77/GHSA-22q6-7m3g-6r77.json b/advisories/unreviewed/2024/09/GHSA-22q6-7m3g-6r77/GHSA-22q6-7m3g-6r77.json index 186944c2766..38e70f8f7e1 100644 --- a/advisories/unreviewed/2024/09/GHSA-22q6-7m3g-6r77/GHSA-22q6-7m3g-6r77.json +++ b/advisories/unreviewed/2024/09/GHSA-22q6-7m3g-6r77/GHSA-22q6-7m3g-6r77.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-35pg-8ph2-rp9c/GHSA-35pg-8ph2-rp9c.json b/advisories/unreviewed/2024/09/GHSA-35pg-8ph2-rp9c/GHSA-35pg-8ph2-rp9c.json index 4e9d29e7519..af8b666d362 100644 --- a/advisories/unreviewed/2024/09/GHSA-35pg-8ph2-rp9c/GHSA-35pg-8ph2-rp9c.json +++ b/advisories/unreviewed/2024/09/GHSA-35pg-8ph2-rp9c/GHSA-35pg-8ph2-rp9c.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-c4q5-vjmp-xrgv/GHSA-c4q5-vjmp-xrgv.json b/advisories/unreviewed/2024/09/GHSA-c4q5-vjmp-xrgv/GHSA-c4q5-vjmp-xrgv.json index 4b8b98e1fe0..0132418231b 100644 
--- a/advisories/unreviewed/2024/09/GHSA-c4q5-vjmp-xrgv/GHSA-c4q5-vjmp-xrgv.json +++ b/advisories/unreviewed/2024/09/GHSA-c4q5-vjmp-xrgv/GHSA-c4q5-vjmp-xrgv.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-c4q5-vjmp-xrgv", - "modified": "2024-09-12T21:32:02Z", + "modified": "2024-09-13T00:30:48Z", "published": "2024-09-12T21:32:02Z", "aliases": [ "CVE-2024-34335" ], "details": "ORDAT FOSS-Online before version 2.24.01 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the login page.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-12T19:15:03Z" diff --git a/advisories/unreviewed/2024/09/GHSA-f53w-fw63-qjpw/GHSA-f53w-fw63-qjpw.json b/advisories/unreviewed/2024/09/GHSA-f53w-fw63-qjpw/GHSA-f53w-fw63-qjpw.json index f78686d297f..c5c658e8b8a 100644 --- a/advisories/unreviewed/2024/09/GHSA-f53w-fw63-qjpw/GHSA-f53w-fw63-qjpw.json +++ b/advisories/unreviewed/2024/09/GHSA-f53w-fw63-qjpw/GHSA-f53w-fw63-qjpw.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-g7wm-3q7g-g3q2/GHSA-g7wm-3q7g-g3q2.json b/advisories/unreviewed/2024/09/GHSA-g7wm-3q7g-g3q2/GHSA-g7wm-3q7g-g3q2.json index 364ff41af7c..7860b2e1c07 100644 --- a/advisories/unreviewed/2024/09/GHSA-g7wm-3q7g-g3q2/GHSA-g7wm-3q7g-g3q2.json +++ b/advisories/unreviewed/2024/09/GHSA-g7wm-3q7g-g3q2/GHSA-g7wm-3q7g-g3q2.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], "severity": "CRITICAL", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2024/09/GHSA-m2jf-3295-7fpm/GHSA-m2jf-3295-7fpm.json b/advisories/unreviewed/2024/09/GHSA-m2jf-3295-7fpm/GHSA-m2jf-3295-7fpm.json
new file mode 100644
index 00000000000..433820653da
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-m2jf-3295-7fpm/GHSA-m2jf-3295-7fpm.json
@@ -0,0 +1,54 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m2jf-3295-7fpm",
+ "modified": "2024-09-13T00:30:48Z",
+ "published": "2024-09-13T00:30:48Z",
+ "aliases": [
+ "CVE-2024-8751"
+ ],
+ "details": "A vulnerability in the MSC800 allows an unauthenticated attacker to modify the product’s IP\naddress over Sopas ET. \nThis can lead to Denial of Service. \nUsers are recommended to upgrade both\nMSC800 and MSC800 LFT to version V4.26 and S2.93.20 respectively which fixes this issue.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8751"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
+ },
+ {
+ "type": "WEB",
+ "url": "https://sick.com/psirt"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.first.org/cvss/calculator/3.1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.sick.com/.well-known/csaf/white/2024"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-12T22:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-mrr5-8hm7-42xh/GHSA-mrr5-8hm7-42xh.json b/advisories/unreviewed/2024/09/GHSA-mrr5-8hm7-42xh/GHSA-mrr5-8hm7-42xh.json
index 0b00d9bb61f..5c02b239e59 100644
--- a/advisories/unreviewed/2024/09/GHSA-mrr5-8hm7-42xh/GHSA-mrr5-8hm7-42xh.json +++ b/advisories/unreviewed/2024/09/GHSA-mrr5-8hm7-42xh/GHSA-mrr5-8hm7-42xh.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mrr5-8hm7-42xh", - "modified": "2024-09-12T21:32:02Z", + "modified": "2024-09-13T00:30:48Z", "published": "2024-09-12T21:32:02Z", "aliases": [ "CVE-2024-34334" ], "details": "ORDAT FOSS-Online before v2.24.01 was discovered to contain a SQL injection vulnerability via the forgot password function.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-12T19:15:03Z" diff --git a/advisories/unreviewed/2024/09/GHSA-pcxj-w6pv-x9c5/GHSA-pcxj-w6pv-x9c5.json b/advisories/unreviewed/2024/09/GHSA-pcxj-w6pv-x9c5/GHSA-pcxj-w6pv-x9c5.json index 70d279ef20c..79dc38d012c 100644 --- a/advisories/unreviewed/2024/09/GHSA-pcxj-w6pv-x9c5/GHSA-pcxj-w6pv-x9c5.json +++ b/advisories/unreviewed/2024/09/GHSA-pcxj-w6pv-x9c5/GHSA-pcxj-w6pv-x9c5.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-qfx3-m2xp-3pcp/GHSA-qfx3-m2xp-3pcp.json b/advisories/unreviewed/2024/09/GHSA-qfx3-m2xp-3pcp/GHSA-qfx3-m2xp-3pcp.json index 72f4b0cdfbc..02aba739b25 100644 --- a/advisories/unreviewed/2024/09/GHSA-qfx3-m2xp-3pcp/GHSA-qfx3-m2xp-3pcp.json +++ b/advisories/unreviewed/2024/09/GHSA-qfx3-m2xp-3pcp/GHSA-qfx3-m2xp-3pcp.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-502" ], "severity": "CRITICAL", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2024/09/GHSA-v7mj-q2hh-7r72/GHSA-v7mj-q2hh-7r72.json b/advisories/unreviewed/2024/09/GHSA-v7mj-q2hh-7r72/GHSA-v7mj-q2hh-7r72.json index 852dc3f7a5b..8356835a8d0 100644 --- a/advisories/unreviewed/2024/09/GHSA-v7mj-q2hh-7r72/GHSA-v7mj-q2hh-7r72.json +++ b/advisories/unreviewed/2024/09/GHSA-v7mj-q2hh-7r72/GHSA-v7mj-q2hh-7r72.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-w8hf-8rpm-xjp2/GHSA-w8hf-8rpm-xjp2.json b/advisories/unreviewed/2024/09/GHSA-w8hf-8rpm-xjp2/GHSA-w8hf-8rpm-xjp2.json index cb1a8940ba4..90b6f8f3d9e 100644 --- a/advisories/unreviewed/2024/09/GHSA-w8hf-8rpm-xjp2/GHSA-w8hf-8rpm-xjp2.json +++ b/advisories/unreviewed/2024/09/GHSA-w8hf-8rpm-xjp2/GHSA-w8hf-8rpm-xjp2.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-wfg8-6fh4-8fp9/GHSA-wfg8-6fh4-8fp9.json b/advisories/unreviewed/2024/09/GHSA-wfg8-6fh4-8fp9/GHSA-wfg8-6fh4-8fp9.json index 8a9b07cb4f5..1300650fef2 100644 --- a/advisories/unreviewed/2024/09/GHSA-wfg8-6fh4-8fp9/GHSA-wfg8-6fh4-8fp9.json +++ b/advisories/unreviewed/2024/09/GHSA-wfg8-6fh4-8fp9/GHSA-wfg8-6fh4-8fp9.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-x4fw-fhfj-vm7c/GHSA-x4fw-fhfj-vm7c.json b/advisories/unreviewed/2024/09/GHSA-x4fw-fhfj-vm7c/GHSA-x4fw-fhfj-vm7c.json index aa34be247ac..8f6545cc6cf 100644 --- a/advisories/unreviewed/2024/09/GHSA-x4fw-fhfj-vm7c/GHSA-x4fw-fhfj-vm7c.json +++ b/advisories/unreviewed/2024/09/GHSA-x4fw-fhfj-vm7c/GHSA-x4fw-fhfj-vm7c.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-89" ], "severity": "CRITICAL", "github_reviewed": false, 
From 2ba55370c1d5d0870533504f593719ba1ce7459d Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Fri, 13 Sep 2024 03:33:12 +0000
Subject: [PATCH 031/170] Publish Advisories GHSA-94w6-j9m3-vpw3 GHSA-9r4q-j9g4-gj24
---
 .../GHSA-94w6-j9m3-vpw3.json | 42 ++++++++++++++
 .../GHSA-9r4q-j9g4-gj24.json | 58 +++++++++++++++++++
 2 files changed, 100 insertions(+)
 create mode 100644 advisories/unreviewed/2024/09/GHSA-94w6-j9m3-vpw3/GHSA-94w6-j9m3-vpw3.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-9r4q-j9g4-gj24/GHSA-9r4q-j9g4-gj24.json
diff --git a/advisories/unreviewed/2024/09/GHSA-94w6-j9m3-vpw3/GHSA-94w6-j9m3-vpw3.json b/advisories/unreviewed/2024/09/GHSA-94w6-j9m3-vpw3/GHSA-94w6-j9m3-vpw3.json
new file mode 100644
index 00000000000..6c2ff7e38d9
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-94w6-j9m3-vpw3/GHSA-94w6-j9m3-vpw3.json
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-94w6-j9m3-vpw3", + "modified": "2024-09-13T03:31:33Z", + "published": "2024-09-13T03:31:33Z", + "aliases": [ + "CVE-2024-43180" + ], + "details": "IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43180" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/351213" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7168234" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-614" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T02:15:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-9r4q-j9g4-gj24/GHSA-9r4q-j9g4-gj24.json b/advisories/unreviewed/2024/09/GHSA-9r4q-j9g4-gj24/GHSA-9r4q-j9g4-gj24.json new file mode 100644 index 00000000000..31cc0080485 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-9r4q-j9g4-gj24/GHSA-9r4q-j9g4-gj24.json 
@@ -0,0 +1,58 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9r4q-j9g4-gj24", + "modified": "2024-09-13T03:31:33Z", + "published": "2024-09-13T03:31:33Z", + "aliases": [ + "CVE-2024-8762" + ], + "details": "A vulnerability was found in code-projects Crud Operation System 1.0. It has been classified as critical. This affects an unknown part of the file /updatedata.php. The manipulation of the argument sid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8762" + }, + { + "type": "WEB", + "url": "https://github.com/Kangsiyuan/1/issues/1" + }, + { + "type": "WEB", + "url": "https://code-projects.org" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.277341" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.277341" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.406159" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T01:15:02Z" + } +} \ No newline at end of file From 139f4aef2848364c60be90be17c33a46bcc789ec Mon Sep 17 00:00:00 2001 
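Review bot: The `CVSS_V4` score in the new GHSA-9r4q-j9g4-gj24 record spells out every optional metric as not defined (`E:X` through `U:X`), which adds no information over the base vector and makes the string differ from a base-only vector for the same score. CVSS v4.0 treats an omitted metric as Not Defined, so the entry can be written as `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"`, which keeps consumers that compare or index vectors as strings consistent. Separately, the `details` text calls the issue critical while `database_specific.severity` is `MODERATE`; the vector (`PR:L`, low confidentiality, integrity and availability impact) supports the latter, so triage should go by the vector rather than the prose label.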
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Fri, 13 Sep 2024 06:32:12 +0000
Subject: [PATCH 032/170] Advisory Database Sync
---
 .../GHSA-263w-f6fg-v2x5.json | 47 ++++++++++++++
 .../GHSA-2h6h-vcrw-57ff.json | 39 ++++++++++++
 .../GHSA-2mh2-9xm5-m59q.json | 43 +++++++++++++
 .../GHSA-34r9-jr37-pmrf.json | 39 ++++++++++++
 .../GHSA-3rvq-3fc5-4w68.json | 35 +++++++++++
 .../GHSA-3xv2-v2hj-2crv.json | 35 +++++++++++
 .../GHSA-5293-cf37-fxqw.json | 43 +++++++++++++
 .../GHSA-5mq7-93mw-h965.json | 39 ++++++++++++
 .../GHSA-5qvx-cmvh-v55m.json | 43 +++++++++++++
 .../GHSA-5w55-q3rh-9cgc.json | 39 ++++++++++++
 .../GHSA-64qj-9hxc-x9rc.json | 63 +++++++++++++++++++
 .../GHSA-6mh5-7p3w-gfg6.json | 43 +++++++++++++
 .../GHSA-7f48-pc7q-83qh.json | 39 ++++++++++++
 .../GHSA-9hw6-9frh-hxrg.json | 59 +++++++++++++++++
 .../GHSA-c2m5-hm36-mq75.json | 59 +++++++++++++++++
 .../GHSA-crwg-8vm3-26rf.json | 59 +++++++++++++++++
 .../GHSA-cx7f-g6mp-7hqm.json | 38 +++++++++++
 .../GHSA-f78v-vf29-36gj.json | 46 ++++++++++++++
 .../GHSA-fp3g-r7j4-vr8g.json | 63 +++++++++++++++++++
 .../GHSA-fr4x-3m2g-jm28.json | 35 +++++++++++
 .../GHSA-gq5m-j7gp-3x7q.json | 35 +++++++++++
 .../GHSA-gr4h-g2ph-j8j2.json | 35 +++++++++++
 .../GHSA-grj2-x9v7-7qqx.json | 43 +++++++++++++
 .../GHSA-gx3x-w926-g8pm.json | 35 +++++++++++
 .../GHSA-hggx-qfvf-7mfh.json | 63 +++++++++++++++++++
 .../GHSA-hrvw-rfgx-8g4m.json | 39 ++++++++++++
 .../GHSA-j57f-xm3w-v49f.json | 47 ++++++++++++++
 .../GHSA-m8mp-83qq-7j4f.json | 35 +++++++++++
 .../GHSA-mpm4-ggh2-c745.json | 39 ++++++++++++
 .../GHSA-p594-vh26-gh4w.json | 43 +++++++++++++
 .../GHSA-p8g8-q26r-2q2r.json | 39 ++++++++++++
 .../GHSA-pf4v-hxvm-3ch8.json | 46 ++++++++++++++
 .../GHSA-pfgc-2q82-vggq.json | 39 ++++++++++++
 .../GHSA-prj2-h762-9j59.json | 39 ++++++++++++
 .../GHSA-qf44-c626-28f4.json | 63 +++++++++++++++++++
 .../GHSA-r3gx-4wx6-8mr3.json | 63 +++++++++++++++++++
 .../GHSA-w6fj-6wrc-6vhr.json | 39 ++++++++++++
 .../GHSA-w8pf-f5g8-5xgv.json | 35 +++++++++++
 .../GHSA-xrjv-8x73-5h7v.json | 39 ++++++++++++
 39 files changed, 1722 insertions(+)
 create mode 100644 advisories/unreviewed/2024/09/GHSA-263w-f6fg-v2x5/GHSA-263w-f6fg-v2x5.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-2h6h-vcrw-57ff/GHSA-2h6h-vcrw-57ff.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-2mh2-9xm5-m59q/GHSA-2mh2-9xm5-m59q.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-34r9-jr37-pmrf/GHSA-34r9-jr37-pmrf.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-3rvq-3fc5-4w68/GHSA-3rvq-3fc5-4w68.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-3xv2-v2hj-2crv/GHSA-3xv2-v2hj-2crv.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-5293-cf37-fxqw/GHSA-5293-cf37-fxqw.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-5mq7-93mw-h965/GHSA-5mq7-93mw-h965.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-5qvx-cmvh-v55m/GHSA-5qvx-cmvh-v55m.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-5w55-q3rh-9cgc/GHSA-5w55-q3rh-9cgc.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-64qj-9hxc-x9rc/GHSA-64qj-9hxc-x9rc.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-6mh5-7p3w-gfg6/GHSA-6mh5-7p3w-gfg6.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-7f48-pc7q-83qh/GHSA-7f48-pc7q-83qh.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-9hw6-9frh-hxrg/GHSA-9hw6-9frh-hxrg.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-c2m5-hm36-mq75/GHSA-c2m5-hm36-mq75.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-crwg-8vm3-26rf/GHSA-crwg-8vm3-26rf.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-f78v-vf29-36gj/GHSA-f78v-vf29-36gj.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-fp3g-r7j4-vr8g/GHSA-fp3g-r7j4-vr8g.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-fr4x-3m2g-jm28/GHSA-fr4x-3m2g-jm28.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-gq5m-j7gp-3x7q/GHSA-gq5m-j7gp-3x7q.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-gr4h-g2ph-j8j2/GHSA-gr4h-g2ph-j8j2.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-grj2-x9v7-7qqx/GHSA-grj2-x9v7-7qqx.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-gx3x-w926-g8pm/GHSA-gx3x-w926-g8pm.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-hggx-qfvf-7mfh/GHSA-hggx-qfvf-7mfh.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-hrvw-rfgx-8g4m/GHSA-hrvw-rfgx-8g4m.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-j57f-xm3w-v49f/GHSA-j57f-xm3w-v49f.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-m8mp-83qq-7j4f/GHSA-m8mp-83qq-7j4f.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-mpm4-ggh2-c745/GHSA-mpm4-ggh2-c745.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-p594-vh26-gh4w/GHSA-p594-vh26-gh4w.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-p8g8-q26r-2q2r/GHSA-p8g8-q26r-2q2r.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-pf4v-hxvm-3ch8/GHSA-pf4v-hxvm-3ch8.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-pfgc-2q82-vggq/GHSA-pfgc-2q82-vggq.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-prj2-h762-9j59/GHSA-prj2-h762-9j59.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-qf44-c626-28f4/GHSA-qf44-c626-28f4.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-r3gx-4wx6-8mr3/GHSA-r3gx-4wx6-8mr3.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-w6fj-6wrc-6vhr/GHSA-w6fj-6wrc-6vhr.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-w8pf-f5g8-5xgv/GHSA-w8pf-f5g8-5xgv.json
 create mode 100644 advisories/unreviewed/2024/09/GHSA-xrjv-8x73-5h7v/GHSA-xrjv-8x73-5h7v.json
diff --git a/advisories/unreviewed/2024/09/GHSA-263w-f6fg-v2x5/GHSA-263w-f6fg-v2x5.json b/advisories/unreviewed/2024/09/GHSA-263w-f6fg-v2x5/GHSA-263w-f6fg-v2x5.json
new file mode 100644
index 00000000000..0ab5bb43584
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-263w-f6fg-v2x5/GHSA-263w-f6fg-v2x5.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-263w-f6fg-v2x5",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-46686"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()\n\nThis happens when called from SMB2_read() while using rdma\nand reaching the rdma_readwrite_threshold.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46686"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/6df57c63c200cd05e085c3b695128260e21959b7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/a01859dd6aebf826576513850a3b05992809e9d2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/b902fb78ab21299e4dd1775e7e8d251d5c0735bc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-2h6h-vcrw-57ff/GHSA-2h6h-vcrw-57ff.json b/advisories/unreviewed/2024/09/GHSA-2h6h-vcrw-57ff/GHSA-2h6h-vcrw-57ff.json
new file mode 100644
index 00000000000..39fc59d94dc
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-2h6h-vcrw-57ff/GHSA-2h6h-vcrw-57ff.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2h6h-vcrw-57ff",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-46696"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix potential UAF in nfsd4_cb_getattr_release\n\nOnce we drop the delegation reference, the fields embedded in it are no\nlonger safe to access. Do that last.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46696"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/1116e0e372eb16dd907ec571ce5d4af325c55c10"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/e0b66698a5ae41078f7490e8b3527013f5fccd6c"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-2mh2-9xm5-m59q/GHSA-2mh2-9xm5-m59q.json b/advisories/unreviewed/2024/09/GHSA-2mh2-9xm5-m59q/GHSA-2mh2-9xm5-m59q.json
new file mode 100644
index 00000000000..fec7d3ca76b
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-2mh2-9xm5-m59q/GHSA-2mh2-9xm5-m59q.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2mh2-9xm5-m59q",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:42Z",
+ "aliases": [
+ "CVE-2024-46678"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: change ipsec_lock from spin lock to mutex\n\nIn the cited commit, bond->ipsec_lock is added to protect ipsec_list,\nhence xdo_dev_state_add and xdo_dev_state_delete are called inside\nthis lock. As ipsec_lock is a spin lock and such xfrmdev ops may sleep,\n\"scheduling while atomic\" will be triggered when changing bond's\nactive slave.\n\n[ 101.055189] BUG: scheduling while atomic: bash/902/0x00000200\n[ 101.055726] Modules linked in:\n[ 101.058211] CPU: 3 PID: 902 Comm: bash Not tainted 6.9.0-rc4+ #1\n[ 101.058760] Hardware name:\n[ 101.059434] Call Trace:\n[ 101.059436] \n[ 101.060873] dump_stack_lvl+0x51/0x60\n[ 101.061275] __schedule_bug+0x4e/0x60\n[ 101.061682] __schedule+0x612/0x7c0\n[ 101.062078] ? __mod_timer+0x25c/0x370\n[ 101.062486] schedule+0x25/0xd0\n[ 101.062845] schedule_timeout+0x77/0xf0\n[ 101.063265] ? asm_common_interrupt+0x22/0x40\n[ 101.063724] ? __bpf_trace_itimer_state+0x10/0x10\n[ 101.064215] __wait_for_common+0x87/0x190\n[ 101.064648] ? usleep_range_state+0x90/0x90\n[ 101.065091] cmd_exec+0x437/0xb20 [mlx5_core]\n[ 101.065569] mlx5_cmd_do+0x1e/0x40 [mlx5_core]\n[ 101.066051] mlx5_cmd_exec+0x18/0x30 [mlx5_core]\n[ 101.066552] mlx5_crypto_create_dek_key+0xea/0x120 [mlx5_core]\n[ 101.067163] ? bonding_sysfs_store_option+0x4d/0x80 [bonding]\n[ 101.067738] ? kmalloc_trace+0x4d/0x350\n[ 101.068156] mlx5_ipsec_create_sa_ctx+0x33/0x100 [mlx5_core]\n[ 101.068747] mlx5e_xfrm_add_state+0x47b/0xaa0 [mlx5_core]\n[ 101.069312] bond_change_active_slave+0x392/0x900 [bonding]\n[ 101.069868] bond_option_active_slave_set+0x1c2/0x240 [bonding]\n[ 101.070454] __bond_opt_set+0xa6/0x430 [bonding]\n[ 101.070935] __bond_opt_set_notify+0x2f/0x90 [bonding]\n[ 101.071453] bond_opt_tryset_rtnl+0x72/0xb0 [bonding]\n[ 101.071965] bonding_sysfs_store_option+0x4d/0x80 [bonding]\n[ 101.072567] kernfs_fop_write_iter+0x10c/0x1a0\n[ 101.073033] vfs_write+0x2d8/0x400\n[ 101.073416] ? alloc_fd+0x48/0x180\n[ 101.073798] ksys_write+0x5f/0xe0\n[ 101.074175] do_syscall_64+0x52/0x110\n[ 101.074576] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nAs bond_ipsec_add_sa_all and bond_ipsec_del_sa_all are only called\nfrom bond_change_active_slave, which requires holding the RTNL lock.\nAnd bond_ipsec_add_sa and bond_ipsec_del_sa are xfrm state\nxdo_dev_state_add and xdo_dev_state_delete APIs, which are in user\ncontext. So ipsec_lock doesn't have to be spin lock, change it to\nmutex, and thus the above issue can be resolved.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46678"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/2aeeef906d5a526dc60cf4af92eda69836c39b1f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/56354b0a2c24a7828eeed7de4b4dc9652d9affa3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/6b598069164ac1bb60996d6ff94e7f9169dbd2d3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-34r9-jr37-pmrf/GHSA-34r9-jr37-pmrf.json b/advisories/unreviewed/2024/09/GHSA-34r9-jr37-pmrf/GHSA-34r9-jr37-pmrf.json
new file mode 100644
index 00000000000..3fc6b0dbaf1
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-34r9-jr37-pmrf/GHSA-34r9-jr37-pmrf.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-34r9-jr37-pmrf",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-46700"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/mes: fix mes ring buffer overflow\n\nwait memory room until enough before writing mes packets\nto avoid ring buffer overflow.\n\nv2: squash in sched_hw_submission fix\n\n(cherry picked from commit 34e087e8920e635c62e2ed6a758b0cd27f836d13)",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46700"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/11752c013f562a1124088a35bd314aa0e9f0e88f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/ed37550d7c516017c3b0324bdf144e2fa563ffb0"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-3rvq-3fc5-4w68/GHSA-3rvq-3fc5-4w68.json b/advisories/unreviewed/2024/09/GHSA-3rvq-3fc5-4w68/GHSA-3rvq-3fc5-4w68.json
new file mode 100644
index 00000000000..5365be833cf
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-3rvq-3fc5-4w68/GHSA-3rvq-3fc5-4w68.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3rvq-3fc5-4w68",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-7864"
+ ],
+ "details": "The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the server",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7864"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/6ce62e78-04a4-46b2-b97f-c4ef8f3258c3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-3xv2-v2hj-2crv/GHSA-3xv2-v2hj-2crv.json b/advisories/unreviewed/2024/09/GHSA-3xv2-v2hj-2crv/GHSA-3xv2-v2hj-2crv.json
new file mode 100644
index 00000000000..788c21eed50
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-3xv2-v2hj-2crv/GHSA-3xv2-v2hj-2crv.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3xv2-v2hj-2crv",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-6617"
+ ],
+ "details": "The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6617"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/9c5efe3c-95a8-4647-86c0-20aa7dd92b66"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-5293-cf37-fxqw/GHSA-5293-cf37-fxqw.json b/advisories/unreviewed/2024/09/GHSA-5293-cf37-fxqw/GHSA-5293-cf37-fxqw.json
new file mode 100644
index 00000000000..a9389d72e66
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-5293-cf37-fxqw/GHSA-5293-cf37-fxqw.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5293-cf37-fxqw",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-46692"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: scm: Mark get_wq_ctx() as atomic call\n\nCurrently get_wq_ctx() is wrongly configured as a standard call. When two\nSMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to\nresume the corresponding sleeping thread. But if get_wq_ctx() is\ninterrupted, goes to sleep and another SMC call is waiting to be allocated\na waitq context, it leads to a deadlock.\n\nTo avoid this get_wq_ctx() must be an atomic call and can't be a standard\nSMC call. Hence mark get_wq_ctx() as a fast call.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46692"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/9960085a3a82c58d3323c1c20b991db6045063b0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/cdf7efe4b02aa93813db0bf1ca596ad298ab6b06"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/e40115c33c0d79c940545b6b12112aace7acd9f5"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-5mq7-93mw-h965/GHSA-5mq7-93mw-h965.json b/advisories/unreviewed/2024/09/GHSA-5mq7-93mw-h965/GHSA-5mq7-93mw-h965.json
new file mode 100644
index 00000000000..44531e064ec
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-5mq7-93mw-h965/GHSA-5mq7-93mw-h965.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5mq7-93mw-h965",
+ "modified": "2024-09-13T06:30:42Z",
+ "published": "2024-09-13T06:30:42Z",
+ "aliases": [
+ "CVE-2024-46681"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npktgen: use cpus_read_lock() in pg_net_init()\n\nI have seen the WARN_ON(smp_processor_id() != cpu) firing\nin pktgen_thread_worker() during tests.\n\nWe must use cpus_read_lock()/cpus_read_unlock()\naround the for_each_online_cpu(cpu) loop.\n\nWhile we are at it use WARN_ON_ONCE() to avoid a possible syslog flood.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46681"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/5f5f7366dda8ae870e8305d6e7b3c0c2686cd2cf"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/979b581e4c69257acab1af415ddad6b2d78a2fa5"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-5qvx-cmvh-v55m/GHSA-5qvx-cmvh-v55m.json b/advisories/unreviewed/2024/09/GHSA-5qvx-cmvh-v55m/GHSA-5qvx-cmvh-v55m.json
new file mode 100644
index 00000000000..f1813663280
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-5qvx-cmvh-v55m/GHSA-5qvx-cmvh-v55m.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5qvx-cmvh-v55m",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-46693"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pmic_glink: Fix race during initialization\n\nAs pointed out by Stephen Boyd it is possible that during initialization\nof the pmic_glink child drivers, the protection-domain notifiers fires,\nand the associated work is scheduled, before the client registration\nreturns and as a result the local \"client\" pointer has been initialized.\n\nThe outcome of this is a NULL pointer dereference as the \"client\"\npointer is blindly dereferenced.\n\nTimeline provided by Stephen:\n CPU0 CPU1\n ---- ----\n ucsi->client = NULL;\n devm_pmic_glink_register_client()\n client->pdr_notify(client->priv, pg->client_state)\n pmic_glink_ucsi_pdr_notify()\n schedule_work(&ucsi->register_work)\n \n pmic_glink_ucsi_register()\n ucsi_register()\n pmic_glink_ucsi_read_version()\n pmic_glink_ucsi_read()\n pmic_glink_ucsi_read()\n pmic_glink_send(ucsi->client)\n \n ucsi->client = client // Too late!\n\nThis code is identical across the altmode, battery manager and usci\nchild drivers.\n\nResolve this by splitting the allocation of the \"client\" object and the\nregistration thereof into two operations.\n\nThis only happens if the protection domain registry is populated at the\ntime of registration, which by the introduction of commit '1ebcde047c54\n(\"soc: qcom: add pd-mapper implementation\")' became much more likely.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46693"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/1efdbf5323c9360e05066049b97414405e94e087"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/3568affcddd68743e25aa3ec1647d9b82797757b"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/943b0e7cc646a624bb20a68080f8f1a4a55df41c"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-5w55-q3rh-9cgc/GHSA-5w55-q3rh-9cgc.json b/advisories/unreviewed/2024/09/GHSA-5w55-q3rh-9cgc/GHSA-5w55-q3rh-9cgc.json
new file mode 100644
index 00000000000..5238b587791
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-5w55-q3rh-9cgc/GHSA-5w55-q3rh-9cgc.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5w55-q3rh-9cgc",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-46691"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Move unregister out of atomic section\n\nCommit '9329933699b3 (\"soc: qcom: pmic_glink: Make client-lock\nnon-sleeping\")' moved the pmic_glink client list under a spinlock, as it\nis accessed by the rpmsg/glink callback, which in turn is invoked from\nIRQ context.\n\nThis means that ucsi_unregister() is now called from atomic context,\nwhich isn't feasible as it's expecting a sleepable context. An effort is\nunder way to get GLINK to invoke its callbacks in a sleepable context,\nbut until then lets schedule the unregistration.\n\nA side effect of this is that ucsi_unregister() can now happen\nafter the remote processor, and thereby the communication link with it, is\ngone. pmic_glink_send() is amended with a check to avoid the resulting NULL\npointer dereference.\nThis does however result in the user being informed about this error by\nthe following entry in the kernel log:\n\n ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46691"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/095b0001aefddcd9361097c971b7debc84e72714"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/11bb2ffb679399f99041540cf662409905179e3a"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-64qj-9hxc-x9rc/GHSA-64qj-9hxc-x9rc.json b/advisories/unreviewed/2024/09/GHSA-64qj-9hxc-x9rc/GHSA-64qj-9hxc-x9rc.json
new file mode 100644
index 00000000000..d5a767a341f
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-64qj-9hxc-x9rc/GHSA-64qj-9hxc-x9rc.json
@@ -0,0 +1,63 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-64qj-9hxc-x9rc",
+ "modified": "2024-09-13T06:30:42Z",
+ "published": "2024-09-13T06:30:42Z",
+ "aliases": [
+ "CVE-2024-46677"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix a potential NULL pointer dereference\n\nWhen sockfd_lookup() fails, gtp_encap_enable_socket() returns a\nNULL pointer, but its callers only check for error pointers thus miss\nthe NULL pointer case.\n\nFix it by returning an error pointer with the error code carried from\nsockfd_lookup().\n\n(I found this bug during code inspection.)",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46677"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/28c67f0f84f889fe9f4cbda8354132b20dc9212d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/4643b91691e969b1b9ad54bf552d7a990cfa3b87"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/612edd35f2a3910ab1f61c1f2338889d4ba99fa2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/620fe9809752fae91b4190e897b81ed9976dfb39"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/8bbb9e4e0e66a39282e582d0440724055404b38c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/bdd99e5f0ad5fa727b16f2101fe880aa2bff2f8e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/defd8b3c37b0f9cb3e0f60f47d3d78d459d57fda"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/e8b9930b0eb045d19e883c65ff9676fc89320c70"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-6mh5-7p3w-gfg6/GHSA-6mh5-7p3w-gfg6.json b/advisories/unreviewed/2024/09/GHSA-6mh5-7p3w-gfg6/GHSA-6mh5-7p3w-gfg6.json
new file mode 100644
index 00000000000..3ff00839331
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-6mh5-7p3w-gfg6/GHSA-6mh5-7p3w-gfg6.json
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6mh5-7p3w-gfg6", + "modified": "2024-09-13T06:30:43Z", + "published": "2024-09-13T06:30:43Z", + "aliases": [ + "CVE-2024-46680" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btnxpuart: Fix random crash seen while removing driver\n\nThis fixes the random kernel crash seen while removing the driver, when\nrunning the load/unload test over multiple iterations.\n\n1) modprobe btnxpuart\n2) hciconfig hci0 reset\n3) hciconfig (check hci0 interface up with valid BD address)\n4) modprobe -r btnxpuart\nRepeat steps 1 to 4\n\nThe ps_wakeup() call in btnxpuart_close() schedules the psdata->work(),\nwhich gets scheduled after module is removed, causing a kernel crash.\n\nThis hidden issue got highlighted after enabling Power Save by default\nin 4183a7be7700 (Bluetooth: btnxpuart: Enable Power Save feature on\nstartup)\n\nThe new ps_cleanup() deasserts UART break immediately while closing\nserdev device, cancels any scheduled ps_work and destroys the ps_lock\nmutex.\n\n[ 85.884604] Unable to handle kernel paging request at virtual address ffffd4a61638f258\n[ 85.884624] Mem abort info:\n[ 85.884625] ESR = 0x0000000086000007\n[ 85.884628] EC = 0x21: IABT (current EL), IL = 32 bits\n[ 85.884633] SET = 0, FnV = 0\n[ 85.884636] EA = 0, S1PTW = 0\n[ 85.884638] FSC = 0x07: level 3 translation fault\n[ 85.884642] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041dd0000\n[ 85.884646] [ffffd4a61638f258] pgd=1000000095fff003, p4d=1000000095fff003, pud=100000004823d003, pmd=100000004823e003, pte=0000000000000000\n[ 85.884662] Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP\n[ 85.890932] Modules linked in: algif_hash algif_skcipher af_alg overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error 
snd_soc_fsl_spdif snd_soc_fsl_micfil snd_soc_fsl_sai snd_soc_fsl_utils gpio_ir_recv rc_core fuse [last unloaded: btnxpuart(O)]\n[ 85.927297] CPU: 1 PID: 67 Comm: kworker/1:3 Tainted: G O 6.1.36+g937b1be4345a #1\n[ 85.936176] Hardware name: FSL i.MX8MM EVK board (DT)\n[ 85.936182] Workqueue: events 0xffffd4a61638f380\n[ 85.936198] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 85.952817] pc : 0xffffd4a61638f258\n[ 85.952823] lr : 0xffffd4a61638f258\n[ 85.952827] sp : ffff8000084fbd70\n[ 85.952829] x29: ffff8000084fbd70 x28: 0000000000000000 x27: 0000000000000000\n[ 85.963112] x26: ffffd4a69133f000 x25: ffff4bf1c8540990 x24: ffff4bf215b87305\n[ 85.963119] x23: ffff4bf215b87300 x22: ffff4bf1c85409d0 x21: ffff4bf1c8540970\n[ 85.977382] x20: 0000000000000000 x19: ffff4bf1c8540880 x18: 0000000000000000\n[ 85.977391] x17: 0000000000000000 x16: 0000000000000133 x15: 0000ffffe2217090\n[ 85.977399] x14: 0000000000000001 x13: 0000000000000133 x12: 0000000000000139\n[ 85.977407] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff8000084fbc50\n[ 85.977417] x8 : ffff4bf215b7d000 x7 : ffff4bf215b83b40 x6 : 00000000000003e8\n[ 85.977424] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000000\n[ 85.977432] x2 : 0000000000000000 x1 : ffff4bf1c4265880 x0 : 0000000000000000\n[ 85.977443] Call trace:\n[ 85.977446] 0xffffd4a61638f258\n[ 85.977451] 0xffffd4a61638f3e8\n[ 85.977455] process_one_work+0x1d4/0x330\n[ 85.977464] worker_thread+0x6c/0x430\n[ 85.977471] kthread+0x108/0x10c\n[ 85.977476] ret_from_fork+0x10/0x20\n[ 85.977488] Code: bad PC value\n[ 85.977491] ---[ end trace 0000000000000000 ]---\n\nPreset since v6.9.11", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46680" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/29a1d9971e38f92c84b363ff50379dd434ddfe1c" + }, + { + "type": "WEB", + "url": 
"https://git.kernel.org/stable/c/35237475384ab3622f63c3c09bdf6af6dacfe9c3" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/662a55986b88807da4d112d838c8aaa05810e938" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-7f48-pc7q-83qh/GHSA-7f48-pc7q-83qh.json b/advisories/unreviewed/2024/09/GHSA-7f48-pc7q-83qh/GHSA-7f48-pc7q-83qh.json new file mode 100644 index 00000000000..f0bcef967c4 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-7f48-pc7q-83qh/GHSA-7f48-pc7q-83qh.json 
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7f48-pc7q-83qh",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-46698"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo/aperture: optionally match the device in sysfb_disable()\n\nIn aperture_remove_conflicting_pci_devices(), we currently only\ncall sysfb_disable() on vga class devices. This leads to the\nfollowing problem when the pimary device is not VGA compatible:\n\n1. A PCI device with a non-VGA class is the boot display\n2. That device is probed first and it is not a VGA device so\n sysfb_disable() is not called, but the device resources\n are freed by aperture_detach_platform_device()\n3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable()\n4. NULL pointer dereference via sysfb_disable() since the resources\n have already been freed by aperture_detach_platform_device() when\n it was called by the other device.\n\nFix this by passing a device pointer to sysfb_disable() and checking\nthe device to determine if we should execute it or not.\n\nv2: Fix build when CONFIG_SCREEN_INFO is not set\nv3: Move device check into the mutex\n Drop primary variable in aperture_remove_conflicting_pci_devices()\n Drop __init on pci sysfb_pci_dev_is_enabled()",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46698"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/17e78f43de0c6da34204cc858b4cc05671ea9acf"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/b49420d6a1aeb399e5b107fc6eb8584d0860fbd7"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-9hw6-9frh-hxrg/GHSA-9hw6-9frh-hxrg.json b/advisories/unreviewed/2024/09/GHSA-9hw6-9frh-hxrg/GHSA-9hw6-9frh-hxrg.json
new file mode 100644
index 00000000000..422ab99b237
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-9hw6-9frh-hxrg/GHSA-9hw6-9frh-hxrg.json
@@ -0,0 +1,59 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9hw6-9frh-hxrg", + "modified": "2024-09-13T06:30:43Z", + "published": "2024-09-13T06:30:43Z", + "aliases": [ + "CVE-2024-46689" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: cmd-db: Map shared memory as WC, not WB\n\nLinux does not write into cmd-db region. This region of memory is write\nprotected by XPU. XPU may sometime falsely detect clean cache eviction\nas \"write\" into the write protected region leading to secure interrupt\nwhich causes an endless loop somewhere in Trust Zone.\n\nThe only reason it is working right now is because Qualcomm Hypervisor\nmaps the same region as Non-Cacheable memory in Stage 2 translation\ntables. The issue manifests if we want to use another hypervisor (like\nXen or KVM), which does not know anything about those specific mappings.\n\nChanging the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC\nremoves dependency on correct mappings in Stage 2 tables. 
This patch\nfixes the issue by updating the mapping to MEMREMAP_WC.\n\nI tested this on SA8155P with Xen.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46689" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/0ee9594c974368a17e85a431e9fe1c14fb65c278" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/62c2d63605ca25b5db78a347ed303c0a0a77d5b4" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/d9d48d70e922b272875cda60d2ada89291c840cf" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/eaff392c1e34fb77cc61505a31b0191e5e46e271" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/ef80520be0ff78ae5ed44cb6eee1525e65bebe70" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/f5a5a5a0e95f36e2792d48e6e4b64e665eb01374" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/f9bb896eab221618927ae6a2f1d566567999839d" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-c2m5-hm36-mq75/GHSA-c2m5-hm36-mq75.json b/advisories/unreviewed/2024/09/GHSA-c2m5-hm36-mq75/GHSA-c2m5-hm36-mq75.json new file mode 100644 index 00000000000..c675b67c773 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-c2m5-hm36-mq75/GHSA-c2m5-hm36-mq75.json 
@@ -0,0 +1,59 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c2m5-hm36-mq75", + "modified": "2024-09-13T06:30:43Z", + "published": "2024-09-13T06:30:42Z", + "aliases": [ + "CVE-2024-46679" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: check device is present when getting link settings\n\nA sysfs reader can race with a device reset or removal, attempting to\nread device state when the device is not actually present. eg:\n\n [exception RIP: qed_get_current_link+17]\n #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede]\n #9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3\n #10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4\n #11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300\n #12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c\n #13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b\n #14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3\n #15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1\n #16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f\n #17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb\n\n crash> struct net_device.state ffff9a9d21336000\n state = 5,\n\nstate 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100).\nThe device is not present, note lack of __LINK_STATE_PRESENT (0b10).\n\nThis is the same sort of panic as observed in commit 4224cfd7fb65\n(\"net-sysfs: add check for netdevice being present to speed_show\").\n\nThere are many other callers of __ethtool_get_link_ksettings() which\ndon't have a device presence check.\n\nMove this check into ethtool to protect all callers.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46679" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/1d6d9b5b1b95bfeccb84386a51b7e6c510ec13b2" + }, + { + "type": "WEB", + "url": 
"https://git.kernel.org/stable/c/7a8d98b6d6484d3ad358510366022da080c37cbc" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/842a40c7273ba1c1cb30dda50405b328de1d860e" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/94ab317024ba373d37340893d1c0358638935fbb" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/9bba5955eed160102114d4cc00c3d399be9bdae4" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/a699781c79ecf6cfe67fb00a0331b4088c7c8466" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/ec7b4f7f644018ac293cb1b02528a40a32917e62" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-crwg-8vm3-26rf/GHSA-crwg-8vm3-26rf.json b/advisories/unreviewed/2024/09/GHSA-crwg-8vm3-26rf/GHSA-crwg-8vm3-26rf.json new file mode 100644 index 00000000000..20fb687ecd0 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-crwg-8vm3-26rf/GHSA-crwg-8vm3-26rf.json 
@@ -0,0 +1,59 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-crwg-8vm3-26rf", + "modified": "2024-09-13T06:30:42Z", + "published": "2024-09-13T06:30:42Z", + "aliases": [ + "CVE-2024-46676" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Add poll mod list filling check\n\nIn case of im_protocols value is 1 and tm_protocols value is 0 this\ncombination successfully passes the check\n'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().\nBut then after pn533_poll_create_mod_list() call in pn533_start_poll()\npoll mod list will remain empty and dev->poll_mod_count will remain 0\nwhich lead to division by zero.\n\nNormally no im protocol has value 1 in the mask, so this combination is\nnot expected by driver. But these protocol values actually come from\nuserspace via Netlink interface (NFC_CMD_START_POLL operation). So a\nbroken or malicious program may pass a message containing a \"bad\"\ncombination of protocol parameter values so that dev->poll_mod_count\nis not incremented inside pn533_poll_create_mod_list(), thus leading\nto division by zero.\nCall trace looks like:\nnfc_genl_start_poll()\n nfc_start_poll()\n ->start_poll()\n pn533_start_poll()\n\nAdd poll mod list filling check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46676" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/56ad559cf6d87f250a8d203b555dfc3716afa946" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/64513d0e546a1f19e390f7e5eba3872bfcbdacf5" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/7535db0624a2dede374c42040808ad9a9101d723" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/7ecd3dd4f8eecd3309432156ccfe24768e009ec4" + }, + { + "type": "WEB", + "url": 
"https://git.kernel.org/stable/c/8ddaea033de051ed61b39f6b69ad54a411172b33" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/c5e05237444f32f6cfe5d907603a232c77a08b31" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/febccb39255f9df35527b88c953b2e0deae50e53" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json b/advisories/unreviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json new file mode 100644 index 00000000000..396ea4b6a88 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cx7f-g6mp-7hqm",
+ "modified": "2024-09-13T06:30:42Z",
+ "published": "2024-09-13T06:30:42Z",
+ "aliases": [
+ "CVE-2024-38816"
+ ],
+ "details": "Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.\n\nSpecifically, an application is vulnerable when both of the following are true:\n\n * the web application uses RouterFunctions to serve static resources\n * resource handling is explicitly configured with a FileSystemResource location\n\n\nHowever, malicious requests are blocked and rejected when any of the following is true:\n\n * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use\n * the application runs on Tomcat or Jetty",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38816"
+ },
+ {
+ "type": "WEB",
+ "url": "https://spring.io/security/cve-2024-38816"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-f78v-vf29-36gj/GHSA-f78v-vf29-36gj.json b/advisories/unreviewed/2024/09/GHSA-f78v-vf29-36gj/GHSA-f78v-vf29-36gj.json
new file mode 100644
index 00000000000..02a9ad31e40
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-f78v-vf29-36gj/GHSA-f78v-vf29-36gj.json
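Review bot: `affected` is empty in the GHSA-cx7f-g6mp-7hqm record although it carries a network-reachable, no-privilege CVSS vector and `"severity": "HIGH"`, so matching by package and version range has nothing to work with and only the `CVE-2024-38816` alias ties the record to a product. The `details` text names the Spring functional web frameworks (WebMvc.fn, WebFlux.fn) but gives no versions, so an entry of the form `"package": { "ecosystem": "Maven", "name": "<artifact named by the vendor advisory>" }` with its `introduced`/`fixed` events would have to be filled in from the vendor page already listed under `references`; Maven is presumed here from the product, not stated in the record. The two conditions that block the request (the Spring Security HTTP Firewall in use, or running on Tomcat or Jetty) also exist only in prose, which matters when triaging from the structured fields alone.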
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f78v-vf29-36gj",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-5628"
+ ],
+ "details": "The Avada | Website Builder For WordPress & eCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusion_button shortcode in all versions up to, and including, 3.11.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in 3.11.9. Additional hardening for alternate attack vectors was added to version 3.11.10.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5628"
+ },
+ {
+ "type": "WEB",
+ "url": "https://avada.com/blog/version-7-11-9-security-update"
+ },
+ {
+ "type": "WEB",
+ "url": "https://avada.com/documentation/avada-changelog"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c23bd29-ba02-4c90-a631-5ce6294d7760?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-fp3g-r7j4-vr8g/GHSA-fp3g-r7j4-vr8g.json b/advisories/unreviewed/2024/09/GHSA-fp3g-r7j4-vr8g/GHSA-fp3g-r7j4-vr8g.json
new file mode 100644
index 00000000000..5b7b1582afc
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-fp3g-r7j4-vr8g/GHSA-fp3g-r7j4-vr8g.json
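Review bot: The fixed version is easy to misread in the `details` of GHSA-f78v-vf29-36gj: it lists all versions "up to, and including, 3.11.9" as vulnerable, then says the issue "was partially fixed in 3.11.9" with further hardening in 3.11.10, while the first vendor reference is titled `version-7-11-9-security-update`. The 7.x and 3.x numbers presumably belong to different components (theme and builder plugin), but the record does not say so, and `affected` is empty, so there is no structured range to settle it. Read conservatively, 3.11.10 is the first release to treat as fixed; saying that once in `details`, for example `fixed in 3.11.10 (3.11.9 contains a partial fix only)`, would remove the ambiguity.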
@@ -0,0 +1,63 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fp3g-r7j4-vr8g",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-46685"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: single: fix potential NULL dereference in pcs_get_function()\n\npinmux_generic_get_function() can return NULL and the pointer 'function'\nwas dereferenced without checking against NULL. Add checking of pointer\n'function' in pcs_get_function().\n\nFound by code review.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46685"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/0a2bab5ed161318f57134716accba0a30f3af191"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/1c38a62f15e595346a1106025722869e87ffe044"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/292151af6add3e5ab11b2e9916cffa5f52859a1f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/2cea369a5c2e85ab14ae716da1d1cc6d25c85e11"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/4e9436375fcc9bd2a60ee96aba6ed53f7a377d10"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/4ed45fe99ec9e3c9478bd634624cd05a57d002f7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/6341c2856785dca7006820b127278058a180c075"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/8f0bd526921b6867c2f10a83cd4fd14139adcd92"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-fr4x-3m2g-jm28/GHSA-fr4x-3m2g-jm28.json b/advisories/unreviewed/2024/09/GHSA-fr4x-3m2g-jm28/GHSA-fr4x-3m2g-jm28.json
new file mode 100644
index 00000000000..cd0882175df
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-fr4x-3m2g-jm28/GHSA-fr4x-3m2g-jm28.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fr4x-3m2g-jm28",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-7863"
+ ],
+ "details": "The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7863"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/5e814b02-3870-4742-905d-ec03b0d31add"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-gq5m-j7gp-3x7q/GHSA-gq5m-j7gp-3x7q.json b/advisories/unreviewed/2024/09/GHSA-gq5m-j7gp-3x7q/GHSA-gq5m-j7gp-3x7q.json
new file mode 100644
index 00000000000..bde0fc7f4d3
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-gq5m-j7gp-3x7q/GHSA-gq5m-j7gp-3x7q.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gq5m-j7gp-3x7q",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-6850"
+ ],
+ "details": "The Carousel Slider WordPress plugin before 2.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6850"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/c06995cb-1685-4751-811f-aead52a597a7"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-gr4h-g2ph-j8j2/GHSA-gr4h-g2ph-j8j2.json b/advisories/unreviewed/2024/09/GHSA-gr4h-g2ph-j8j2/GHSA-gr4h-g2ph-j8j2.json
new file mode 100644
index 00000000000..33ee09c8528
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-gr4h-g2ph-j8j2/GHSA-gr4h-g2ph-j8j2.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gr4h-g2ph-j8j2",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-6723"
+ ],
+ "details": "The AI Engine WordPress plugin before 2.4.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when viewing chatbot discussions.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6723"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/fbd2152e-0aa1-4b56-a6a3-2e6ec78e08a5"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-grj2-x9v7-7qqx/GHSA-grj2-x9v7-7qqx.json b/advisories/unreviewed/2024/09/GHSA-grj2-x9v7-7qqx/GHSA-grj2-x9v7-7qqx.json
new file mode 100644
index 00000000000..48426d549b2
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-grj2-x9v7-7qqx/GHSA-grj2-x9v7-7qqx.json
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-grj2-x9v7-7qqx", + "modified": "2024-09-13T06:30:43Z", + "published": "2024-09-13T06:30:43Z", + "aliases": [ + "CVE-2024-46687" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()\n\n[BUG]\nThere is an internal report that KASAN is reporting use-after-free, with\nthe following backtrace:\n\n BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]\n Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45\n CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]\n Call Trace:\n dump_stack_lvl+0x61/0x80\n print_address_description.constprop.0+0x5e/0x2f0\n print_report+0x118/0x216\n kasan_report+0x11d/0x1f0\n btrfs_check_read_bio+0xa68/0xb70 [btrfs]\n process_one_work+0xce0/0x12a0\n worker_thread+0x717/0x1250\n kthread+0x2e3/0x3c0\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x11/0x20\n\n Allocated by task 20917:\n kasan_save_stack+0x37/0x60\n kasan_save_track+0x10/0x30\n __kasan_slab_alloc+0x7d/0x80\n kmem_cache_alloc_noprof+0x16e/0x3e0\n mempool_alloc_noprof+0x12e/0x310\n bio_alloc_bioset+0x3f0/0x7a0\n btrfs_bio_alloc+0x2e/0x50 [btrfs]\n submit_extent_page+0x4d1/0xdb0 [btrfs]\n btrfs_do_readpage+0x8b4/0x12a0 [btrfs]\n btrfs_readahead+0x29a/0x430 [btrfs]\n read_pages+0x1a7/0xc60\n page_cache_ra_unbounded+0x2ad/0x560\n filemap_get_pages+0x629/0xa20\n filemap_read+0x335/0xbf0\n vfs_read+0x790/0xcb0\n ksys_read+0xfd/0x1d0\n do_syscall_64+0x6d/0x140\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n Freed by task 20917:\n kasan_save_stack+0x37/0x60\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x50\n __kasan_slab_free+0x4b/0x60\n kmem_cache_free+0x214/0x5d0\n 
bio_free+0xed/0x180\n end_bbio_data_read+0x1cc/0x580 [btrfs]\n btrfs_submit_chunk+0x98d/0x1880 [btrfs]\n btrfs_submit_bio+0x33/0x70 [btrfs]\n submit_one_bio+0xd4/0x130 [btrfs]\n submit_extent_page+0x3ea/0xdb0 [btrfs]\n btrfs_do_readpage+0x8b4/0x12a0 [btrfs]\n btrfs_readahead+0x29a/0x430 [btrfs]\n read_pages+0x1a7/0xc60\n page_cache_ra_unbounded+0x2ad/0x560\n filemap_get_pages+0x629/0xa20\n filemap_read+0x335/0xbf0\n vfs_read+0x790/0xcb0\n ksys_read+0xfd/0x1d0\n do_syscall_64+0x6d/0x140\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[CAUSE]\nAlthough I cannot reproduce the error, the report itself is good enough\nto pin down the cause.\n\nThe call trace is the regular endio workqueue context, but the\nfree-by-task trace is showing that during btrfs_submit_chunk() we\nalready hit a critical error, and is calling btrfs_bio_end_io() to error\nout. And the original endio function called bio_put() to free the whole\nbio.\n\nThis means a double freeing thus causing use-after-free, e.g.:\n\n1. Enter btrfs_submit_bio() with a read bio\n The read bio length is 128K, crossing two 64K stripes.\n\n2. The first run of btrfs_submit_chunk()\n\n2.1 Call btrfs_map_block(), which returns 64K\n2.2 Call btrfs_split_bio()\n Now there are two bios, one referring to the first 64K, the other\n referring to the second 64K.\n2.3 The first half is submitted.\n\n3. The second run of btrfs_submit_chunk()\n\n3.1 Call btrfs_map_block(), which by somehow failed\n Now we call btrfs_bio_end_io() to handle the error\n\n3.2 btrfs_bio_end_io() calls the original endio function\n Which is end_bbio_data_read(), and it calls bio_put() for the\n original bio.\n\n Now the original bio is freed.\n\n4. 
The submitted first 64K bio finished\n Now we call into btrfs_check_read_bio() and tries to advance the bio\n iter.\n But since the original bio (thus its iter) is already freed, we\n trigger the above use-after free.\n\n And even if the memory is not poisoned/corrupted, we will later call\n the original endio function, causing a double freeing.\n\n[FIX]\nInstead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),\nwhich has the extra check on split bios and do the pr\n---truncated---", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46687" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/4a3b9e1a8e6cd1a8d427a905e159de58d38941cc" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/51722b99f41f5e722ffa10b8f61e802a0e70b331" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-gx3x-w926-g8pm/GHSA-gx3x-w926-g8pm.json b/advisories/unreviewed/2024/09/GHSA-gx3x-w926-g8pm/GHSA-gx3x-w926-g8pm.json new file mode 100644 index 00000000000..f0913d4fd6d --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-gx3x-w926-g8pm/GHSA-gx3x-w926-g8pm.json 
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gx3x-w926-g8pm",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-7133"
+ ],
+ "details": "The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.3 does not validate and escape some of its settings before outputting them back in the page, which could allow users with a high role to perform Stored Cross-Site Scripting attacks.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7133"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/c81c1622-33d1-41f2-ba63-f06bd4c125ab"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-hggx-qfvf-7mfh/GHSA-hggx-qfvf-7mfh.json b/advisories/unreviewed/2024/09/GHSA-hggx-qfvf-7mfh/GHSA-hggx-qfvf-7mfh.json
new file mode 100644
index 00000000000..e6a75c36020
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-hggx-qfvf-7mfh/GHSA-hggx-qfvf-7mfh.json
@@ -0,0 +1,63 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hggx-qfvf-7mfh", + "modified": "2024-09-13T06:30:42Z", + "published": "2024-09-13T06:30:42Z", + "aliases": [ + "CVE-2024-46673" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: aacraid: Fix double-free on probe failure\n\naac_probe_one() calls hardware-specific init functions through the\naac_driver_ident::init pointer, all of which eventually call down to\naac_init_adapter().\n\nIf aac_init_adapter() fails after allocating memory for aac_dev::queues,\nit frees the memory but does not clear that member.\n\nAfter the hardware-specific init function returns an error,\naac_probe_one() goes down an error path that frees the memory pointed to\nby aac_dev::queues, resulting.in a double-free.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46673" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/4b540ec7c0045c2d01c4e479f34bbc8f147afa4c" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/564e1986b00c5f05d75342f8407f75f0a17b94df" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/60962c3d8e18e5d8dfa16df788974dd7f35bd87a" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/85449b28ff6a89c4513115e43ddcad949b5890c9" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/8a3995a3ffeca280a961b59f5c99843d81b15929" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/919ddf8336f0b84c0453bac583808c9f165a85c2" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/9e96dea7eff6f2bbcd0b42a098012fc66af9eb69" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/d237c7d06ffddcdb5d36948c527dc01284388218" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": 
"2024-09-13T06:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-hrvw-rfgx-8g4m/GHSA-hrvw-rfgx-8g4m.json b/advisories/unreviewed/2024/09/GHSA-hrvw-rfgx-8g4m/GHSA-hrvw-rfgx-8g4m.json new file mode 100644 index 00000000000..6eaa1b3be2a --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-hrvw-rfgx-8g4m/GHSA-hrvw-rfgx-8g4m.json @@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hrvw-rfgx-8g4m", + "modified": "2024-09-13T06:30:43Z", + "published": "2024-09-13T06:30:43Z", + "aliases": [ + "CVE-2024-46688" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix out-of-bound access when z_erofs_gbuf_growsize() partially fails\n\nIf z_erofs_gbuf_growsize() partially fails on a global buffer due to\nmemory allocation failure or fault injection (as reported by syzbot [1]),\nnew pages need to be freed by comparing to the existing pages to avoid\nmemory leaks.\n\nHowever, the old gbuf->pages[] array may not be large enough, which can\nlead to null-ptr-deref or out-of-bound access.\n\nFix this by checking against gbuf->nrpages in advance.\n\n[1] https://lore.kernel.org/r/000000000000f7b96e062018c6e3@google.com", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46688" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/0005e01e1e875c5e27130c5e2ed0189749d1e08a" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/49c0e081998008cde0c872c0ff9affa1ece4b878" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:13Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-j57f-xm3w-v49f/GHSA-j57f-xm3w-v49f.json b/advisories/unreviewed/2024/09/GHSA-j57f-xm3w-v49f/GHSA-j57f-xm3w-v49f.json new file mode 100644 index 00000000000..bde8646bc23 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-j57f-xm3w-v49f/GHSA-j57f-xm3w-v49f.json @@ -0,0 +1,47 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j57f-xm3w-v49f", + "modified": "2024-09-13T06:30:43Z", + "published": "2024-09-13T06:30:43Z", + "aliases": [ + "CVE-2024-46694" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: avoid using null object of framebuffer\n\nInstead of using state->fb->obj[0] directly, get object from framebuffer\nby calling drm_gem_fb_get_obj() and return error code when object is\nnull to avoid using null object of framebuffer.\n\n(cherry picked from commit 73dd0ad9e5dad53766ea3e631303430116f834b3)", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46694" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/093ee72ed35c2338c87c26b6ba6f0b7789c9e14e" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/3b9a33235c773c7a3768060cf1d2cf8a9153bc37" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/49e1b214f3239b78967c6ddb8f8ec47ae047b051" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/f6f5e39a3fe7cbdba190f42b28b40bdff03c8cf0" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-m8mp-83qq-7j4f/GHSA-m8mp-83qq-7j4f.json b/advisories/unreviewed/2024/09/GHSA-m8mp-83qq-7j4f/GHSA-m8mp-83qq-7j4f.json new file mode 100644 index 00000000000..28f0593f41b --- /dev/null 
+++ b/advisories/unreviewed/2024/09/GHSA-m8mp-83qq-7j4f/GHSA-m8mp-83qq-7j4f.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m8mp-83qq-7j4f", + "modified": "2024-09-13T06:30:43Z", + "published": "2024-09-13T06:30:43Z", + "aliases": [ + "CVE-2024-7129" + ], + "details": "The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7129" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-mpm4-ggh2-c745/GHSA-mpm4-ggh2-c745.json b/advisories/unreviewed/2024/09/GHSA-mpm4-ggh2-c745/GHSA-mpm4-ggh2-c745.json new file mode 100644 index 00000000000..dcbfa4c454b --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-mpm4-ggh2-c745/GHSA-mpm4-ggh2-c745.json 
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mpm4-ggh2-c745",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-46699"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Disable preemption while updating GPU stats\n\nWe forgot to disable preemption around the write_seqcount_begin/end() pair\nwhile updating GPU stats:\n\n [ ] WARNING: CPU: 2 PID: 12 at include/linux/seqlock.h:221 __seqprop_assert.isra.0+0x128/0x150 [v3d]\n [ ] Workqueue: v3d_bin drm_sched_run_job_work [gpu_sched]\n <...snip...>\n [ ] Call trace:\n [ ] __seqprop_assert.isra.0+0x128/0x150 [v3d]\n [ ] v3d_job_start_stats.isra.0+0x90/0x218 [v3d]\n [ ] v3d_bin_job_run+0x23c/0x388 [v3d]\n [ ] drm_sched_run_job_work+0x520/0x6d0 [gpu_sched]\n [ ] process_one_work+0x62c/0xb48\n [ ] worker_thread+0x468/0x5b0\n [ ] kthread+0x1c4/0x1e0\n [ ] ret_from_fork+0x10/0x20\n\nFix it.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46699"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/1e93467ef20308da5a94cde548ee17d523e8ba7b"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/9d824c7fce58f59982228aa85b0376b113cdfa35"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-p594-vh26-gh4w/GHSA-p594-vh26-gh4w.json b/advisories/unreviewed/2024/09/GHSA-p594-vh26-gh4w/GHSA-p594-vh26-gh4w.json
new file mode 100644
index 00000000000..0a9e80e7165
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-p594-vh26-gh4w/GHSA-p594-vh26-gh4w.json
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p594-vh26-gh4w", + "modified": "2024-09-13T06:30:43Z", + "published": "2024-09-13T06:30:43Z", + "aliases": [ + "CVE-2024-46695" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux,smack: don't bypass permissions check in inode_setsecctx hook\n\nMarek Gresko reports that the root user on an NFS client is able to\nchange the security labels on files on an NFS filesystem that is\nexported with root squashing enabled.\n\nThe end of the kerneldoc comment for __vfs_setxattr_noperm() states:\n\n * This function requires the caller to lock the inode's i_mutex before it\n * is executed. It also assumes that the caller will make the appropriate\n * permission checks.\n\nnfsd_setattr() does do permissions checking via fh_verify() and\nnfsd_permission(), but those don't do all the same permissions checks\nthat are done by security_inode_setxattr() and its related LSM hooks do.\n\nSince nfsd_setattr() is the only consumer of security_inode_setsecctx(),\nsimplest solution appears to be to replace the call to\n__vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). 
This\nfixes the above issue and has the added benefit of causing nfsd to\nrecall conflicting delegations on a file when a client tries to change\nits security label.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46695" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/459584258d47ec3cc6245a82e8a49c9d08eb8b57" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/76a0e79bc84f466999fa501fce5bf7a07641b8a7" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/f71ec019257ba4f7ab198bd948c5902a207bad96" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-p8g8-q26r-2q2r/GHSA-p8g8-q26r-2q2r.json b/advisories/unreviewed/2024/09/GHSA-p8g8-q26r-2q2r/GHSA-p8g8-q26r-2q2r.json new file mode 100644 index 00000000000..ee68e58b25a --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-p8g8-q26r-2q2r/GHSA-p8g8-q26r-2q2r.json 
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p8g8-q26r-2q2r",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:42Z",
+ "aliases": [
+ "CVE-2024-46684"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined\n\ncreate_elf_fdpic_tables() does not correctly account the space for the\nAUX vector when an architecture has ELF_HWCAP2 defined. Prior to the\ncommit 10e29251be0e (\"binfmt_elf_fdpic: fix /proc//auxv\") it\nresulted in the last entry of the AUX vector being set to zero, but with\nthat change it results in a kernel BUG.\n\nFix that by adding one to the number of AUXV entries (nitems) when\nELF_HWCAP2 is defined.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46684"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/c507da85e4f80c630deb9e98222ccf4118cbe6f8"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/c6a09e342f8e6d3cac7f7c5c14085236aca284b9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-pf4v-hxvm-3ch8/GHSA-pf4v-hxvm-3ch8.json b/advisories/unreviewed/2024/09/GHSA-pf4v-hxvm-3ch8/GHSA-pf4v-hxvm-3ch8.json
new file mode 100644
index 00000000000..b71696601a0
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-pf4v-hxvm-3ch8/GHSA-pf4v-hxvm-3ch8.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pf4v-hxvm-3ch8",
+ "modified": "2024-09-13T06:30:42Z",
+ "published": "2024-09-13T06:30:42Z",
+ "aliases": [
+ "CVE-2024-8656"
+ ],
+ "details": "The WPFactory Helper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8656"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/wpcodefactory-helper/tags/1.7.0/includes/class-alg-wpcodefactory-helper-site-key-manager.php#L350"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3150715/wpcodefactory-helper/tags/1.7.1/includes/class-alg-wpcodefactory-helper-site-key-manager.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb62eefe-9993-43f7-b3ae-de47c0951bee?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T04:15:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-pfgc-2q82-vggq/GHSA-pfgc-2q82-vggq.json b/advisories/unreviewed/2024/09/GHSA-pfgc-2q82-vggq/GHSA-pfgc-2q82-vggq.json
new file mode 100644
index 00000000000..1918227319d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-pfgc-2q82-vggq/GHSA-pfgc-2q82-vggq.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pfgc-2q82-vggq",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-46690"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix nfsd4_deleg_getattr_conflict in presence of third party lease\n\nIt is not safe to dereference fl->c.flc_owner without first confirming\nfl->fl_lmops is the expected manager. nfsd4_deleg_getattr_conflict()\ntests fl_lmops but largely ignores the result and assumes that flc_owner\nis an nfs4_delegation anyway. This is wrong.\n\nWith this patch we restore the \"!= &nfsd_lease_mng_ops\" case to behave\nas it did before the change mentioned below. This is the same as the\ncurrent code, but without any reference to a possible delegation.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46690"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/1b46a871e980e3daa16fd5e77539966492e8910a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/40927f3d0972bf86357a32a5749be71a551241b6"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-prj2-h762-9j59/GHSA-prj2-h762-9j59.json b/advisories/unreviewed/2024/09/GHSA-prj2-h762-9j59/GHSA-prj2-h762-9j59.json
new file mode 100644
index 00000000000..d823183e96d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-prj2-h762-9j59/GHSA-prj2-h762-9j59.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-prj2-h762-9j59",
+ "modified": "2024-09-13T06:30:43Z",
+ "published": "2024-09-13T06:30:43Z",
+ "aliases": [
+ "CVE-2024-46697"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: ensure that nfsd4_fattr_args.context is zeroed out\n\nIf nfsd4_encode_fattr4 ends up doing a \"goto out\" before we get to\nchecking for the security label, then args.context will be set to\nuninitialized junk on the stack, which we'll then try to free.\nInitialize it early.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46697"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/dd65b324174a64558a16ebbf4c3266e5701185d0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/f58bab6fd4063913bd8321e99874b8239e9ba726"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-qf44-c626-28f4/GHSA-qf44-c626-28f4.json b/advisories/unreviewed/2024/09/GHSA-qf44-c626-28f4/GHSA-qf44-c626-28f4.json
new file mode 100644
index 00000000000..e4a23b403de
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-qf44-c626-28f4/GHSA-qf44-c626-28f4.json
@@ -0,0 +1,63 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qf44-c626-28f4", + "modified": "2024-09-13T06:30:42Z", + "published": "2024-09-13T06:30:42Z", + "aliases": [ + "CVE-2024-46675" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: Prevent USB core invalid event buffer address access\n\nThis commit addresses an issue where the USB core could access an\ninvalid event buffer address during runtime suspend, potentially causing\nSMMU faults and other memory issues in Exynos platforms. The problem\narises from the following sequence.\n 1. In dwc3_gadget_suspend, there is a chance of a timeout when\n moving the USB core to the halt state after clearing the\n run/stop bit by software.\n 2. In dwc3_core_exit, the event buffer is cleared regardless of\n the USB core's status, which may lead to an SMMU faults and\n other memory issues. if the USB core tries to access the event\n buffer address.\n\nTo prevent this hardware quirk on Exynos platforms, this commit ensures\nthat the event buffer address is not cleared by software when the USB\ncore is active during runtime suspend by checking its status before\nclearing the buffer address.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46675" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/111277b881def3153335acfe0d1f43e6cd83ac93" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/14e497183df28c006603cc67fd3797a537eef7b9" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/2189fd13c577d7881f94affc09c950a795064c4b" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/7bb11a75dd4d3612378b90e2a4aa49bdccea28ab" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/b72da4d89b97da71e056cc4d1429b2bc426a9c2f" + }, + { + "type": "WEB", + "url": 
"https://git.kernel.org/stable/c/d2afc2bffec77316b90d530b07695e3f534df914" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/e23f6ad8d110bf632f7471482e10b43dc174fb72" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/eca3f543f817da87c00d1a5697b473efb548204f" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-r3gx-4wx6-8mr3/GHSA-r3gx-4wx6-8mr3.json b/advisories/unreviewed/2024/09/GHSA-r3gx-4wx6-8mr3/GHSA-r3gx-4wx6-8mr3.json new file mode 100644 index 00000000000..aec439f112d --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-r3gx-4wx6-8mr3/GHSA-r3gx-4wx6-8mr3.json 
@@ -0,0 +1,63 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r3gx-4wx6-8mr3", + "modified": "2024-09-13T06:30:42Z", + "published": "2024-09-13T06:30:42Z", + "aliases": [ + "CVE-2024-46674" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: st: fix probed platform device ref count on probe error path\n\nThe probe function never performs any paltform device allocation, thus\nerror path \"undo_platform_dev_alloc\" is entirely bogus. It drops the\nreference count from the platform device being probed. If error path is\ntriggered, this will lead to unbalanced device reference counts and\npremature release of device resources, thus possible use-after-free when\nreleasing remaining devm-managed resources.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46674" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/060f41243ad7f6f5249fa7290dda0c01f723d12d" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/1de989668708ce5875efc9d669d227212aeb9a90" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/4c6735299540f3c82a5033d35be76a5c42e0fb18" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/6aee4c5635d81f4809c3b9f0c198a65adfbb2ada" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/b0979a885b9d4df2a25b88e9d444ccaa5f9f495c" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/ddfcfeba891064b88bb844208b43bef2ef970f0c" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/e1e5e8ea2731150d5ba7c707f9e02fafebcfeb49" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/f3498650df0805c75b4e1c94d07423c46cbf4ce1" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:12Z" + } +} \ No newline at end of 
file diff --git a/advisories/unreviewed/2024/09/GHSA-w6fj-6wrc-6vhr/GHSA-w6fj-6wrc-6vhr.json b/advisories/unreviewed/2024/09/GHSA-w6fj-6wrc-6vhr/GHSA-w6fj-6wrc-6vhr.json new file mode 100644 index 00000000000..162149fe2cc --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-w6fj-6wrc-6vhr/GHSA-w6fj-6wrc-6vhr.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w6fj-6wrc-6vhr", + "modified": "2024-09-13T06:30:42Z", + "published": "2024-09-13T06:30:42Z", + "aliases": [ + "CVE-2024-46683" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: prevent UAF around preempt fence\n\nThe fence lock is part of the queue, therefore in the current design\nanything locking the fence should then also hold a ref to the queue to\nprevent the queue from being freed.\n\nHowever, currently it looks like we signal the fence and then drop the\nqueue ref, but if something is waiting on the fence, the waiter is\nkicked to wake up at some later point, where upon waking up it first\ngrabs the lock before checking the fence state. But if we have already\ndropped the queue ref, then the lock might already be freed as part of\nthe queue, leading to uaf.\n\nTo prevent this, move the fence lock into the fence itself so we don't\nrun into lifetime issues. Alternative might be to have device level\nlock, or only release the queue in the fence release callback, however\nthat might require pushing to another worker to avoid locking issues.\n\nReferences: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454\nReferences: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342\nReferences: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020\n(cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b)", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46683" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/10081b0b0ed201f53e24bd92deb2e0f3c3e713d4" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/730b72480e29f63fd644f5fa57c9d46109428953" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": 
"2024-09-13T06:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-w8pf-f5g8-5xgv/GHSA-w8pf-f5g8-5xgv.json b/advisories/unreviewed/2024/09/GHSA-w8pf-f5g8-5xgv/GHSA-w8pf-f5g8-5xgv.json new file mode 100644 index 00000000000..32ec9195b2f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-w8pf-f5g8-5xgv/GHSA-w8pf-f5g8-5xgv.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w8pf-f5g8-5xgv", + "modified": "2024-09-13T06:30:43Z", + "published": "2024-09-13T06:30:43Z", + "aliases": [ + "CVE-2024-6493" + ], + "details": "The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6493" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/0e3128ef-901a-42aa-9d74-c69d3241dc07" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T06:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-xrjv-8x73-5h7v/GHSA-xrjv-8x73-5h7v.json b/advisories/unreviewed/2024/09/GHSA-xrjv-8x73-5h7v/GHSA-xrjv-8x73-5h7v.json new file mode 100644 index 00000000000..0b5eda6c3ba --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-xrjv-8x73-5h7v/GHSA-xrjv-8x73-5h7v.json 
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xrjv-8x73-5h7v",
+ "modified": "2024-09-13T06:30:42Z",
+ "published": "2024-09-13T06:30:42Z",
+ "aliases": [
+ "CVE-2024-46682"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open\n\nPrior to commit 3f29cc82a84c (\"nfsd: split sc_status out of\nsc_type\") states_show() relied on sc_type field to be of valid\ntype before calling into a subfunction to show content of a\nparticular stateid. From that commit, we split the validity of\nthe stateid into sc_status and no longer changed sc_type to 0\nwhile unhashing the stateid. This resulted in kernel oopsing\nfor nfsv4.0 opens that stay around and in nfs4_show_open()\nwould derefence sc_file which was NULL.\n\nInstead, for closed open stateids forgo displaying information\nthat relies of having a valid sc_file.\n\nTo reproduce: mount the server with 4.0, read and close\na file and then on the server cat /proc/fs/nfsd/clients/2/states\n\n[ 513.590804] Call trace:\n[ 513.590925] _raw_spin_lock+0xcc/0x160\n[ 513.591119] nfs4_show_open+0x78/0x2c0 [nfsd]\n[ 513.591412] states_show+0x44c/0x488 [nfsd]\n[ 513.591681] seq_read_iter+0x5d8/0x760\n[ 513.591896] seq_read+0x188/0x208\n[ 513.592075] vfs_read+0x148/0x470\n[ 513.592241] ksys_read+0xcc/0x178",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46682"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/a204501e1743d695ca2930ed25a2be9f8ced96d3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/ba0b697de298285301c71c258598226e06494236"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T06:15:12Z"
+ }
+}
\ No newline at end of file
From fc129bc713ab28a4662b71862e9bd050d3ee23dd Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 09:32:01 +0000 Subject: [PATCH 033/170] Advisory Database Sync --- .../GHSA-jcfq-g9vp-gm5w.json | 6 +- .../GHSA-rx7q-7v9g-75wg.json | 6 +- .../GHSA-23pw-35mv-8qh4.json | 38 +++++++++++++ .../GHSA-32pm-mq37-w9xm.json | 46 ++++++++++++++++ .../GHSA-3g95-gcw4-qr9r.json | 38 +++++++++++++ .../GHSA-3mp4-p7x2-73pw.json | 50 +++++++++++++++++ .../GHSA-5785-6rg8-vqjc.json | 38 +++++++++++++ .../GHSA-6w4h-8r4c-vp7w.json | 38 +++++++++++++ .../GHSA-737v-3hw5-qc6j.json | 38 +++++++++++++ .../GHSA-7fgm-q7w5-rr3c.json | 50 +++++++++++++++++ .../GHSA-7q39-g4rg-578j.json | 46 ++++++++++++++++ .../GHSA-829m-frh2-j6v9.json | 39 +++++++++++++ .../GHSA-879m-9j9j-p69x.json | 38 +++++++++++++ .../GHSA-94rm-fghw-676x.json | 55 +++++++++++++++++++ .../GHSA-cp7f-67pj-cxg3.json | 39 +++++++++++++ .../GHSA-cwq2-m7r2-f7pg.json | 38 +++++++++++++ .../GHSA-f5vv-pq9r-8p2f.json | 38 +++++++++++++ .../GHSA-g6cg-hqr5-xq3g.json | 38 +++++++++++++ .../GHSA-gggx-8wfw-w6jx.json | 43 +++++++++++++++ .../GHSA-gjv7-5cpp-hqgw.json | 39 +++++++++++++ .../GHSA-gpg6-84h3-cwv8.json | 38 +++++++++++++ .../GHSA-h864-xhwh-mhc2.json | 38 +++++++++++++ .../GHSA-hf4q-fmf3-3xvp.json | 38 +++++++++++++ .../GHSA-hhg8-rc52-c9mv.json | 46 ++++++++++++++++ .../GHSA-j3v7-pr3j-rpj8.json | 38 +++++++++++++ .../GHSA-j784-pqcw-wmr3.json | 38 +++++++++++++ .../GHSA-j9c3-7w24-v75h.json | 39 +++++++++++++ .../GHSA-jc54-wrqp-vxf4.json | 43 +++++++++++++++ .../GHSA-jm64-jw7h-ffg2.json | 47 ++++++++++++++++ .../GHSA-m44h-648c-4ggp.json | 38 +++++++++++++ .../GHSA-mgxj-66hj-35x8.json | 39 +++++++++++++ .../GHSA-mj2f-6r3r-rgm8.json | 38 +++++++++++++ .../GHSA-p4r4-6239-7p4g.json | 38 +++++++++++++ .../GHSA-pf33-gpvq-8g3c.json | 38 +++++++++++++ .../GHSA-prgw-72f3-x883.json | 38 +++++++++++++ .../GHSA-q844-wpfg-w2h9.json | 39 +++++++++++++ .../GHSA-qfxc-fjvg-2qgm.json | 39 +++++++++++++ .../GHSA-r9gm-g7gv-4f8p.json | 50 
+++++++++++++++++ .../GHSA-v4vv-7v49-m3wg.json | 55 +++++++++++++++++++ .../GHSA-xh5f-m55p-f9q7.json | 38 +++++++++++++ 40 files changed, 1574 insertions(+), 2 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-23pw-35mv-8qh4/GHSA-23pw-35mv-8qh4.json create mode 100644 advisories/unreviewed/2024/09/GHSA-32pm-mq37-w9xm/GHSA-32pm-mq37-w9xm.json create mode 100644 advisories/unreviewed/2024/09/GHSA-3g95-gcw4-qr9r/GHSA-3g95-gcw4-qr9r.json create mode 100644 advisories/unreviewed/2024/09/GHSA-3mp4-p7x2-73pw/GHSA-3mp4-p7x2-73pw.json create mode 100644 advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6w4h-8r4c-vp7w/GHSA-6w4h-8r4c-vp7w.json create mode 100644 advisories/unreviewed/2024/09/GHSA-737v-3hw5-qc6j/GHSA-737v-3hw5-qc6j.json create mode 100644 advisories/unreviewed/2024/09/GHSA-7fgm-q7w5-rr3c/GHSA-7fgm-q7w5-rr3c.json create mode 100644 advisories/unreviewed/2024/09/GHSA-7q39-g4rg-578j/GHSA-7q39-g4rg-578j.json create mode 100644 advisories/unreviewed/2024/09/GHSA-829m-frh2-j6v9/GHSA-829m-frh2-j6v9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-879m-9j9j-p69x/GHSA-879m-9j9j-p69x.json create mode 100644 advisories/unreviewed/2024/09/GHSA-94rm-fghw-676x/GHSA-94rm-fghw-676x.json create mode 100644 advisories/unreviewed/2024/09/GHSA-cp7f-67pj-cxg3/GHSA-cp7f-67pj-cxg3.json create mode 100644 advisories/unreviewed/2024/09/GHSA-cwq2-m7r2-f7pg/GHSA-cwq2-m7r2-f7pg.json create mode 100644 advisories/unreviewed/2024/09/GHSA-f5vv-pq9r-8p2f/GHSA-f5vv-pq9r-8p2f.json create mode 100644 advisories/unreviewed/2024/09/GHSA-g6cg-hqr5-xq3g/GHSA-g6cg-hqr5-xq3g.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gggx-8wfw-w6jx/GHSA-gggx-8wfw-w6jx.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gjv7-5cpp-hqgw/GHSA-gjv7-5cpp-hqgw.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gpg6-84h3-cwv8/GHSA-gpg6-84h3-cwv8.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-h864-xhwh-mhc2/GHSA-h864-xhwh-mhc2.json create mode 100644 advisories/unreviewed/2024/09/GHSA-hf4q-fmf3-3xvp/GHSA-hf4q-fmf3-3xvp.json create mode 100644 advisories/unreviewed/2024/09/GHSA-hhg8-rc52-c9mv/GHSA-hhg8-rc52-c9mv.json create mode 100644 advisories/unreviewed/2024/09/GHSA-j3v7-pr3j-rpj8/GHSA-j3v7-pr3j-rpj8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-j784-pqcw-wmr3/GHSA-j784-pqcw-wmr3.json create mode 100644 advisories/unreviewed/2024/09/GHSA-j9c3-7w24-v75h/GHSA-j9c3-7w24-v75h.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jc54-wrqp-vxf4/GHSA-jc54-wrqp-vxf4.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jm64-jw7h-ffg2/GHSA-jm64-jw7h-ffg2.json create mode 100644 advisories/unreviewed/2024/09/GHSA-m44h-648c-4ggp/GHSA-m44h-648c-4ggp.json create mode 100644 advisories/unreviewed/2024/09/GHSA-mgxj-66hj-35x8/GHSA-mgxj-66hj-35x8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-mj2f-6r3r-rgm8/GHSA-mj2f-6r3r-rgm8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-p4r4-6239-7p4g/GHSA-p4r4-6239-7p4g.json create mode 100644 advisories/unreviewed/2024/09/GHSA-pf33-gpvq-8g3c/GHSA-pf33-gpvq-8g3c.json create mode 100644 advisories/unreviewed/2024/09/GHSA-prgw-72f3-x883/GHSA-prgw-72f3-x883.json create mode 100644 advisories/unreviewed/2024/09/GHSA-q844-wpfg-w2h9/GHSA-q844-wpfg-w2h9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-qfxc-fjvg-2qgm/GHSA-qfxc-fjvg-2qgm.json create mode 100644 advisories/unreviewed/2024/09/GHSA-r9gm-g7gv-4f8p/GHSA-r9gm-g7gv-4f8p.json create mode 100644 advisories/unreviewed/2024/09/GHSA-v4vv-7v49-m3wg/GHSA-v4vv-7v49-m3wg.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xh5f-m55p-f9q7/GHSA-xh5f-m55p-f9q7.json diff --git a/advisories/unreviewed/2024/08/GHSA-jcfq-g9vp-gm5w/GHSA-jcfq-g9vp-gm5w.json b/advisories/unreviewed/2024/08/GHSA-jcfq-g9vp-gm5w/GHSA-jcfq-g9vp-gm5w.json index b975a343592..8f1d88a73af 100644 
--- a/advisories/unreviewed/2024/08/GHSA-jcfq-g9vp-gm5w/GHSA-jcfq-g9vp-gm5w.json +++ b/advisories/unreviewed/2024/08/GHSA-jcfq-g9vp-gm5w/GHSA-jcfq-g9vp-gm5w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jcfq-g9vp-gm5w", - "modified": "2024-08-14T15:31:18Z", + "modified": "2024-09-13T09:30:31Z", "published": "2024-08-14T15:31:18Z", "aliases": [ "CVE-2024-41856" @@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://helpx.adobe.com/security/products/illustrator/apsb24-45.html" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb24-66.html" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/08/GHSA-rx7q-7v9g-75wg/GHSA-rx7q-7v9g-75wg.json b/advisories/unreviewed/2024/08/GHSA-rx7q-7v9g-75wg/GHSA-rx7q-7v9g-75wg.json index fc67cbee1b6..275489c2ed7 100644 --- a/advisories/unreviewed/2024/08/GHSA-rx7q-7v9g-75wg/GHSA-rx7q-7v9g-75wg.json +++ b/advisories/unreviewed/2024/08/GHSA-rx7q-7v9g-75wg/GHSA-rx7q-7v9g-75wg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rx7q-7v9g-75wg", - "modified": "2024-08-14T15:31:17Z", + "modified": "2024-09-13T09:30:31Z", "published": "2024-08-14T15:31:17Z", "aliases": [ "CVE-2024-39420" @@ -24,6 +24,10 @@ { "type": "WEB", "url": "https://helpx.adobe.com/security/products/acrobat/apsb24-57.html" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/acrobat/apsb24-70.html" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/09/GHSA-23pw-35mv-8qh4/GHSA-23pw-35mv-8qh4.json b/advisories/unreviewed/2024/09/GHSA-23pw-35mv-8qh4/GHSA-23pw-35mv-8qh4.json new file mode 100644 index 00000000000..42974518b3b --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-23pw-35mv-8qh4/GHSA-23pw-35mv-8qh4.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-23pw-35mv-8qh4", + "modified": "2024-09-13T09:30:31Z", + "published": "2024-09-13T09:30:31Z", + "aliases": [ + "CVE-2024-41870" + ], + "details": "Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41870" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/media-encoder/apsb24-53.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-125" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T07:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-32pm-mq37-w9xm/GHSA-32pm-mq37-w9xm.json b/advisories/unreviewed/2024/09/GHSA-32pm-mq37-w9xm/GHSA-32pm-mq37-w9xm.json new file mode 100644 index 00000000000..bd283e10edf --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-32pm-mq37-w9xm/GHSA-32pm-mq37-w9xm.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-32pm-mq37-w9xm", + "modified": "2024-09-13T09:30:32Z", + "published": "2024-09-13T09:30:32Z", + "aliases": [ + "CVE-2024-7888" + ], + "details": "The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7888" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.1.6/app/Controllers/Ajax/FormBuilderAdminAjax.php" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3150743/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAdminAjax.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/494d2e69-0759-419a-a603-e8870c157e49?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T07:15:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-3g95-gcw4-qr9r/GHSA-3g95-gcw4-qr9r.json b/advisories/unreviewed/2024/09/GHSA-3g95-gcw4-qr9r/GHSA-3g95-gcw4-qr9r.json new file mode 100644 index 00000000000..1c486f326f3 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-3g95-gcw4-qr9r/GHSA-3g95-gcw4-qr9r.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3g95-gcw4-qr9r", + "modified": "2024-09-13T09:30:33Z", + "published": "2024-09-13T09:30:33Z", + "aliases": [ + "CVE-2024-41859" + ], + "details": "After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41859" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/after_effects/apsb24-55.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-787" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T09:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-3mp4-p7x2-73pw/GHSA-3mp4-p7x2-73pw.json b/advisories/unreviewed/2024/09/GHSA-3mp4-p7x2-73pw/GHSA-3mp4-p7x2-73pw.json new file mode 100644 index 00000000000..5af7edd7705 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-3mp4-p7x2-73pw/GHSA-3mp4-p7x2-73pw.json 
@@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3mp4-p7x2-73pw", + "modified": "2024-09-13T09:30:33Z", + "published": "2024-09-13T09:30:33Z", + "aliases": [ + "CVE-2024-8742" + ], + "details": "The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8742" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.0.3/includes/Elements/Filterable_Gallery.php#L566" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3148624" + }, + { + "type": "WEB", + "url": "https://wordpress.org/plugins/essential-addons-for-elementor-lite/#developers" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/76c292dc-e9da-4256-82df-58ac5def4771?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T07:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json b/advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json new file mode 100644 index 00000000000..0f974f79edd --- /dev/null 
+++ b/advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5785-6rg8-vqjc", + "modified": "2024-09-13T09:30:33Z", + "published": "2024-09-13T09:30:33Z", + "aliases": [ + "CVE-2024-41867" + ], + "details": "After Effects versions 23.6.6, 24.5 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could lead to arbitrary file system write operations. An attacker could leverage this vulnerability to modify or corrupt files, potentially leading to a compromise of system integrity. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41867" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/after_effects/apsb24-55.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-121" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T09:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-6w4h-8r4c-vp7w/GHSA-6w4h-8r4c-vp7w.json b/advisories/unreviewed/2024/09/GHSA-6w4h-8r4c-vp7w/GHSA-6w4h-8r4c-vp7w.json new file mode 100644 index 00000000000..35cf11f2b63 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-6w4h-8r4c-vp7w/GHSA-6w4h-8r4c-vp7w.json 
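Review bot: The `details` text and the CVSS vector in GHSA-5785-6rg8-vqjc disagree about impact. The prose describes a stack-based buffer overflow leading to arbitrary file system writes and a compromise of system integrity, while the score line is `"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"`, which is confidentiality-only with integrity set to None. One of the two is presumably wrong upstream, and `"severity": "MODERATE"` follows the vector, so prioritisation keyed on that field may under-rate the issue. It should be reconciled against the referenced Adobe bulletin (apsb24-55) before the record is relied on. GHSA-f5vv-pq9r-8p2f later in this patch has the same mismatch: an out-of-bounds read said to allow code execution in the context of the current user, scored `C:H/I:N/A:N`.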
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6w4h-8r4c-vp7w", + "modified": "2024-09-13T09:30:33Z", + "published": "2024-09-13T09:30:33Z", + "aliases": [ + "CVE-2024-43758" + ], + "details": "Illustrator versions 28.6, 27.9.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43758" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb24-66.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-416" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T09:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-737v-3hw5-qc6j/GHSA-737v-3hw5-qc6j.json b/advisories/unreviewed/2024/09/GHSA-737v-3hw5-qc6j/GHSA-737v-3hw5-qc6j.json new file mode 100644 index 00000000000..8e897e99fa0 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-737v-3hw5-qc6j/GHSA-737v-3hw5-qc6j.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-737v-3hw5-qc6j", + "modified": "2024-09-13T09:30:33Z", + "published": "2024-09-13T09:30:33Z", + "aliases": [ + "CVE-2024-34121" + ], + "details": "Illustrator versions 28.6, 27.9.5 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34121" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb24-66.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-190" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T09:15:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-7fgm-q7w5-rr3c/GHSA-7fgm-q7w5-rr3c.json b/advisories/unreviewed/2024/09/GHSA-7fgm-q7w5-rr3c/GHSA-7fgm-q7w5-rr3c.json new file mode 100644 index 00000000000..65bc27d9f84 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-7fgm-q7w5-rr3c/GHSA-7fgm-q7w5-rr3c.json 
@@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7fgm-q7w5-rr3c", + "modified": "2024-09-13T09:30:33Z", + "published": "2024-09-13T09:30:33Z", + "aliases": [ + "CVE-2024-8665" + ], + "details": "The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8665" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/yith-custom-login/tags/1.7.3/yit-common/yith-panel.php#L149" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3150123%40yith-custom-login&new=3150123%40yith-custom-login&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3150560%40yith-custom-login&new=3150560%40yith-custom-login&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0828a4a4-2dd5-4dff-8563-c81d6b24b949?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T07:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-7q39-g4rg-578j/GHSA-7q39-g4rg-578j.json b/advisories/unreviewed/2024/09/GHSA-7q39-g4rg-578j/GHSA-7q39-g4rg-578j.json new file mode 100644 index 00000000000..738ec4f6ea2 --- /dev/null 
+++ b/advisories/unreviewed/2024/09/GHSA-7q39-g4rg-578j/GHSA-7q39-g4rg-578j.json @@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7q39-g4rg-578j", + "modified": "2024-09-13T09:30:32Z", + "published": "2024-09-13T09:30:32Z", + "aliases": [ + "CVE-2024-5567" + ], + "details": "The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 27.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5567" + }, + { + "type": "WEB", + "url": "https://support.muffingroup.com/changelog" + }, + { + "type": "WEB", + "url": "https://themeforest.net/item/betheme-responsive-multipurpose-wordpress-theme/7758048#item-description__changelog" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5dfaa23f-05df-423c-a5f6-02f2b714b5b6?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T07:15:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-829m-frh2-j6v9/GHSA-829m-frh2-j6v9.json b/advisories/unreviewed/2024/09/GHSA-829m-frh2-j6v9/GHSA-829m-frh2-j6v9.json new file mode 100644 index 00000000000..175db8d4a7f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-829m-frh2-j6v9/GHSA-829m-frh2-j6v9.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-829m-frh2-j6v9", + "modified": "2024-09-13T09:30:32Z", + "published": "2024-09-13T09:30:32Z", + "aliases": [ + "CVE-2024-46708" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: qcom: x1e80100: Fix special pin offsets\n\nRemove the erroneus 0x100000 offset to prevent the boards from crashing\non pin state setting, as well as for the intended state changes to take\neffect.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46708" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/0197bf772f657fbdea5e9bdec5eea6e67d82cbde" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/d3692d95cc4d88114b070ee63cffc976f00f207f" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T07:15:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-879m-9j9j-p69x/GHSA-879m-9j9j-p69x.json b/advisories/unreviewed/2024/09/GHSA-879m-9j9j-p69x/GHSA-879m-9j9j-p69x.json new file mode 100644 index 00000000000..1360ba1a938 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-879m-9j9j-p69x/GHSA-879m-9j9j-p69x.json 
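Review bot: GHSA-829m-frh2-j6v9 is published with `"severity": [ ]`, `"cwe_ids": [ ]` and `"severity": null`, alongside an empty `"affected"` list, so nothing machine-readable states how serious the issue is or which kernel versions carry it. Triage has to come from the `details` prose and the two git.kernel.org stable commits in `references`. A pipeline that thresholds on `database_specific.severity` should map `null` to "unscored, needs triage" rather than letting it sort below the cut-off. The other Linux kernel records in this patch (GHSA-94rm-fghw-676x, GHSA-cp7f-67pj-cxg3, GHSA-gggx-8wfw-w6jx, GHSA-gjv7-5cpp-hqgw) are in the same state.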
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-879m-9j9j-p69x", + "modified": "2024-09-13T09:30:33Z", + "published": "2024-09-13T09:30:33Z", + "aliases": [ + "CVE-2024-41857" + ], + "details": "Illustrator versions 28.6, 27.9.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41857" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb24-66.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-191" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T09:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-94rm-fghw-676x/GHSA-94rm-fghw-676x.json b/advisories/unreviewed/2024/09/GHSA-94rm-fghw-676x/GHSA-94rm-fghw-676x.json new file mode 100644 index 00000000000..5b0f8132ee9 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-94rm-fghw-676x/GHSA-94rm-fghw-676x.json 
@@ -0,0 +1,55 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-94rm-fghw-676x", + "modified": "2024-09-13T09:30:32Z", + "published": "2024-09-13T09:30:32Z", + "aliases": [ + "CVE-2024-46702" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Mark XDomain as unplugged when router is removed\n\nI noticed that when we do discrete host router NVM upgrade and it gets\nhot-removed from the PCIe side as a result of NVM firmware authentication,\nif there is another host connected with enabled paths we hang in tearing\nthem down. This is due to fact that the Thunderbolt networking driver\nalso tries to cleanup the paths and ends up blocking in\ntb_disconnect_xdomain_paths() waiting for the domain lock.\n\nHowever, at this point we already cleaned the paths in tb_stop() so\nthere is really no need for tb_disconnect_xdomain_paths() to do that\nanymore. Furthermore it already checks if the XDomain is unplugged and\nbails out early so take advantage of that and mark the XDomain as\nunplugged when we remove the parent router.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46702" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/18b3ad2a3cc877dd4b16f48d84aa27b78d53bf1d" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/23ce6ba3b95488a2b9e9f6d43b340da0c15395dc" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/747bc154577de6e6af4bc99abfa859b8419bb4d8" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/7ca24cf9163c112bb6b580c6fb57c04a1f8b76e1" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/80ac8d194831eca0c2f4fd862f7925532fda320c" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/e2006140ad2e01a02ed0aff49cc2ae3ceeb11f8d" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + 
"github_reviewed_at": null, + "nvd_published_at": "2024-09-13T07:15:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-cp7f-67pj-cxg3/GHSA-cp7f-67pj-cxg3.json b/advisories/unreviewed/2024/09/GHSA-cp7f-67pj-cxg3/GHSA-cp7f-67pj-cxg3.json new file mode 100644 index 00000000000..5b90f1f45bb --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-cp7f-67pj-cxg3/GHSA-cp7f-67pj-cxg3.json @@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cp7f-67pj-cxg3", + "modified": "2024-09-13T09:30:32Z", + "published": "2024-09-13T09:30:32Z", + "aliases": [ + "CVE-2024-46712" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Disable coherent dumb buffers without 3d\n\nCoherent surfaces make only sense if the host renders to them using\naccelerated apis. Without 3d the entire content of dumb buffers stays\nin the guest making all of the extra work they're doing to synchronize\nbetween guest and host useless.\n\nConfigurations without 3d also tend to run with very low graphics\nmemory limits. The pinned console fb, mob cursors and graphical login\nmanager tend to run out of 16MB graphics memory that those guests use.\n\nFix it by making sure the coherent dumb buffers are only used on\nconfigs with 3d enabled.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46712" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/c45558414b8f2e0b9dc34eb8f9d4e8359b887681" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/e9fd436bb8fb9b9d31fdf07bbcdba6d30290c5e4" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T07:15:06Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-cwq2-m7r2-f7pg/GHSA-cwq2-m7r2-f7pg.json b/advisories/unreviewed/2024/09/GHSA-cwq2-m7r2-f7pg/GHSA-cwq2-m7r2-f7pg.json new file mode 100644 index 00000000000..dc2b6e6de24 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-cwq2-m7r2-f7pg/GHSA-cwq2-m7r2-f7pg.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cwq2-m7r2-f7pg", + "modified": "2024-09-13T09:30:33Z", + "published": "2024-09-13T09:30:33Z", + "aliases": [ + "CVE-2024-41869" + ], + "details": "Acrobat Reader versions 24.002.21005, 24.001.30159, 20.005.30655, 24.003.20054 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41869" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/acrobat/apsb24-70.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-416" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T09:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-f5vv-pq9r-8p2f/GHSA-f5vv-pq9r-8p2f.json b/advisories/unreviewed/2024/09/GHSA-f5vv-pq9r-8p2f/GHSA-f5vv-pq9r-8p2f.json new file mode 100644 index 00000000000..527c3660e55 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-f5vv-pq9r-8p2f/GHSA-f5vv-pq9r-8p2f.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f5vv-pq9r-8p2f", + "modified": "2024-09-13T09:30:32Z", + "published": "2024-09-13T09:30:32Z", + "aliases": [ + "CVE-2024-41871" + ], + "details": "Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41871" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/media-encoder/apsb24-53.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-125" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T07:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-g6cg-hqr5-xq3g/GHSA-g6cg-hqr5-xq3g.json b/advisories/unreviewed/2024/09/GHSA-g6cg-hqr5-xq3g/GHSA-g6cg-hqr5-xq3g.json new file mode 100644 index 00000000000..be38215fb49 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-g6cg-hqr5-xq3g/GHSA-g6cg-hqr5-xq3g.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g6cg-hqr5-xq3g", + "modified": "2024-09-13T09:30:33Z", + "published": "2024-09-13T09:30:33Z", + "aliases": [ + "CVE-2024-39382" + ], + "details": "After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39382" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/after_effects/apsb24-55.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-125" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T09:15:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-gggx-8wfw-w6jx/GHSA-gggx-8wfw-w6jx.json b/advisories/unreviewed/2024/09/GHSA-gggx-8wfw-w6jx/GHSA-gggx-8wfw-w6jx.json new file mode 100644 index 00000000000..e9196ec1bd0 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-gggx-8wfw-w6jx/GHSA-gggx-8wfw-w6jx.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gggx-8wfw-w6jx", + "modified": "2024-09-13T09:30:32Z", + "published": "2024-09-13T09:30:32Z", + "aliases": [ + "CVE-2024-46706" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: fsl_lpuart: mark last busy before uart_add_one_port\n\nWith \"earlycon initcall_debug=1 loglevel=8\" in bootargs, kernel\nsometimes boot hang. It is because normal console still is not ready,\nbut runtime suspend is called, so early console putchar will hang\nin waiting TRDE set in UARTSTAT.\n\nThe lpuart driver has auto suspend delay set to 3000ms, but during\nuart_add_one_port, a child device serial ctrl will added and probed with\nits pm runtime enabled(see serial_ctrl.c).\nThe runtime suspend call path is:\ndevice_add\n |-> bus_probe_device\n |->device_initial_probe\n\t |->__device_attach\n |-> pm_runtime_get_sync(dev->parent);\n\t\t\t |-> pm_request_idle(dev);\n\t\t\t |-> pm_runtime_put(dev->parent);\n\nSo in the end, before normal console ready, the lpuart get runtime\nsuspended. And earlycon putchar will hang.\n\nTo address the issue, mark last busy just after pm_runtime_enable,\nthree seconds is long enough to switch from bootconsole to normal\nconsole.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46706" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/3ecf625d4acb71d726bc0b49403cf68388b3d58d" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/8eb92cfca6c2c5a15ab1773f3d18ab8d8f7dbb68" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/dc98d76a15bc29a9a4e76f2f65f39f3e590fb15c" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T07:15:05Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-gjv7-5cpp-hqgw/GHSA-gjv7-5cpp-hqgw.json b/advisories/unreviewed/2024/09/GHSA-gjv7-5cpp-hqgw/GHSA-gjv7-5cpp-hqgw.json new file mode 100644 index 00000000000..1f7f534dd92 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-gjv7-5cpp-hqgw/GHSA-gjv7-5cpp-hqgw.json @@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gjv7-5cpp-hqgw", + "modified": "2024-09-13T09:30:32Z", + "published": "2024-09-13T09:30:32Z", + "aliases": [ + "CVE-2024-46710" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Prevent unmapping active read buffers\n\nThe kms paths keep a persistent map active to read and compare the cursor\nbuffer. These maps can race with each other in simple scenario where:\na) buffer \"a\" mapped for update\nb) buffer \"a\" mapped for compare\nc) do the compare\nd) unmap \"a\" for compare\ne) update the cursor\nf) unmap \"a\" for update\nAt step \"e\" the buffer has been unmapped and the read contents is bogus.\n\nPrevent unmapping of active read buffers by simply keeping a count of\nhow many paths have currently active maps and unmap only when the count\nreaches 0.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46710" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/aba07b9a0587f50e5d3346eaa19019cf3f86c0ea" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/d5228d158e4c0b1663b3983044913c15c3d0135e" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T07:15:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-gpg6-84h3-cwv8/GHSA-gpg6-84h3-cwv8.json b/advisories/unreviewed/2024/09/GHSA-gpg6-84h3-cwv8/GHSA-gpg6-84h3-cwv8.json new file mode 100644 index 00000000000..16f72ddb53b 
--- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-gpg6-84h3-cwv8/GHSA-gpg6-84h3-cwv8.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gpg6-84h3-cwv8", + "modified": "2024-09-13T09:30:33Z", + "published": "2024-09-13T09:30:33Z", + "aliases": [ + "CVE-2024-39380" + ], + "details": "After Effects versions 23.6.6, 24.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39380" + }, + { + "type": "WEB", + "url": "https://helpx.adobe.com/security/products/after_effects/apsb24-55.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-122" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T09:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-h864-xhwh-mhc2/GHSA-h864-xhwh-mhc2.json b/advisories/unreviewed/2024/09/GHSA-h864-xhwh-mhc2/GHSA-h864-xhwh-mhc2.json new file mode 100644 index 00000000000..8aa8d717acd --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-h864-xhwh-mhc2/GHSA-h864-xhwh-mhc2.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h864-xhwh-mhc2",
+ "modified": "2024-09-13T09:30:33Z",
+ "published": "2024-09-13T09:30:33Z",
+ "aliases": [
+ "CVE-2024-39385"
+ ],
+ "details": "Premiere Pro versions 24.5, 23.6.8 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39385"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/premiere_pro/apsb24-58.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T09:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-hf4q-fmf3-3xvp/GHSA-hf4q-fmf3-3xvp.json b/advisories/unreviewed/2024/09/GHSA-hf4q-fmf3-3xvp/GHSA-hf4q-fmf3-3xvp.json
new file mode 100644
index 00000000000..0304df4279a
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-hf4q-fmf3-3xvp/GHSA-hf4q-fmf3-3xvp.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hf4q-fmf3-3xvp",
+ "modified": "2024-09-13T09:30:33Z",
+ "published": "2024-09-13T09:30:33Z",
+ "aliases": [
+ "CVE-2024-6656"
+ ],
+ "details": "Use of Hard-coded Credentials vulnerability in TNB Mobile Solutions Cockpit Software allows Read Sensitive Strings Within an Executable.This issue affects Cockpit Software: before v2.13.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6656"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usom.gov.tr/bildirim/tr-24-1466"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-798"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T09:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-hhg8-rc52-c9mv/GHSA-hhg8-rc52-c9mv.json b/advisories/unreviewed/2024/09/GHSA-hhg8-rc52-c9mv/GHSA-hhg8-rc52-c9mv.json
new file mode 100644
index 00000000000..dc4e1a3266f
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-hhg8-rc52-c9mv/GHSA-hhg8-rc52-c9mv.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hhg8-rc52-c9mv",
+ "modified": "2024-09-13T09:30:33Z",
+ "published": "2024-09-13T09:30:33Z",
+ "aliases": [
+ "CVE-2024-8664"
+ ],
+ "details": "The WP Test Email plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8664"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/wp-test-email/tags/1.1.7/wp-test-email.php#L189"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3150538%40wp-test-email&new=3150538%40wp-test-email&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70c1ee04-cfb1-4819-95ab-497e814da16f?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-j3v7-pr3j-rpj8/GHSA-j3v7-pr3j-rpj8.json b/advisories/unreviewed/2024/09/GHSA-j3v7-pr3j-rpj8/GHSA-j3v7-pr3j-rpj8.json
new file mode 100644
index 00000000000..604abb357db
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-j3v7-pr3j-rpj8/GHSA-j3v7-pr3j-rpj8.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-j3v7-pr3j-rpj8",
+ "modified": "2024-09-13T09:30:31Z",
+ "published": "2024-09-13T09:30:31Z",
+ "aliases": [
+ "CVE-2024-39377"
+ ],
+ "details": "Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39377"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/media-encoder/apsb24-53.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-j784-pqcw-wmr3/GHSA-j784-pqcw-wmr3.json b/advisories/unreviewed/2024/09/GHSA-j784-pqcw-wmr3/GHSA-j784-pqcw-wmr3.json
new file mode 100644
index 00000000000..1c8bbb8f500
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-j784-pqcw-wmr3/GHSA-j784-pqcw-wmr3.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-j784-pqcw-wmr3",
+ "modified": "2024-09-13T09:30:32Z",
+ "published": "2024-09-13T09:30:32Z",
+ "aliases": [
+ "CVE-2024-41872"
+ ],
+ "details": "Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41872"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/media-encoder/apsb24-53.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-125"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-j9c3-7w24-v75h/GHSA-j9c3-7w24-v75h.json b/advisories/unreviewed/2024/09/GHSA-j9c3-7w24-v75h/GHSA-j9c3-7w24-v75h.json
new file mode 100644
index 00000000000..7b36beebd30
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-j9c3-7w24-v75h/GHSA-j9c3-7w24-v75h.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-j9c3-7w24-v75h",
+ "modified": "2024-09-13T09:30:32Z",
+ "published": "2024-09-13T09:30:32Z",
+ "aliases": [
+ "CVE-2024-46703"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"serial: 8250_omap: Set the console genpd always on if no console suspend\"\n\nThis reverts commit 68e6939ea9ec3d6579eadeab16060339cdeaf940.\n\nKevin reported that this causes a crash during suspend on platforms that\ndont use PM domains.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46703"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/0863bffda1131fd2fa9c05b653ad9ee3d8db127e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/321aecb079e9ca8b1af90778068a6fb40f2bf22d"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-jc54-wrqp-vxf4/GHSA-jc54-wrqp-vxf4.json b/advisories/unreviewed/2024/09/GHSA-jc54-wrqp-vxf4/GHSA-jc54-wrqp-vxf4.json
new file mode 100644
index 00000000000..4676c409549
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-jc54-wrqp-vxf4/GHSA-jc54-wrqp-vxf4.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jc54-wrqp-vxf4",
+ "modified": "2024-09-13T09:30:32Z",
+ "published": "2024-09-13T09:30:32Z",
+ "aliases": [
+ "CVE-2024-46709"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix prime with external buffers\n\nMake sure that for external buffers mapping goes through the dma_buf\ninterface instead of trying to access pages directly.\n\nExternal buffers might not provide direct access to readable/writable\npages so to make sure the bo's created from external dma_bufs can be\nread dma_buf interface has to be used.\n\nFixes crashes in IGT's kms_prime with vgem. Regular desktop usage won't\ntrigger this due to the fact that virtual machines will not have\nmultiple GPUs but it enables better test coverage in IGT.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46709"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/50f1199250912568606b3778dc56646c10cb7b04"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/5c12391ee1ab59cb2f3be3f1f5e6d0fc0c2dc854"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/9a9716bbbf3dd6b6cbefba3abcc89af8b72631f4"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-jm64-jw7h-ffg2/GHSA-jm64-jw7h-ffg2.json b/advisories/unreviewed/2024/09/GHSA-jm64-jw7h-ffg2/GHSA-jm64-jw7h-ffg2.json
new file mode 100644
index 00000000000..17637c6775b
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-jm64-jw7h-ffg2/GHSA-jm64-jw7h-ffg2.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jm64-jw7h-ffg2",
+ "modified": "2024-09-13T09:30:32Z",
+ "published": "2024-09-13T09:30:32Z",
+ "aliases": [
+ "CVE-2024-46711"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: fix ID 0 endp usage after multiple re-creations\n\n'local_addr_used' and 'add_addr_accepted' are decremented for addresses\nnot related to the initial subflow (ID0), because the source and\ndestination addresses of the initial subflows are known from the\nbeginning: they don't count as \"additional local address being used\" or\n\"ADD_ADDR being accepted\".\n\nIt is then required not to increment them when the entrypoint used by\nthe initial subflow is removed and re-added during a connection. Without\nthis modification, this entrypoint cannot be removed and re-added more\nthan once.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46711"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/119806ae4e46cf239db8e6ad92bc2fd3daae86dc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/53e2173172d26c0617b29dd83618b71664bed1fb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/9366922adc6a71378ca01f898c41be295309f044"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/c9c744666f7308a4daba520191e29d395260bcfe"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-m44h-648c-4ggp/GHSA-m44h-648c-4ggp.json b/advisories/unreviewed/2024/09/GHSA-m44h-648c-4ggp/GHSA-m44h-648c-4ggp.json
new file mode 100644
index 00000000000..2ebcad41d08
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-m44h-648c-4ggp/GHSA-m44h-648c-4ggp.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m44h-648c-4ggp",
+ "modified": "2024-09-13T09:30:33Z",
+ "published": "2024-09-13T09:30:33Z",
+ "aliases": [
+ "CVE-2024-45112"
+ ],
+ "details": "Acrobat Reader versions 24.002.21005, 24.001.30159, 20.005.30655, 24.003.20054 and earlier are affected by a Type Confusion vulnerability that could result in arbitrary code execution in the context of the current user. This issue occurs when a resource is accessed using a type that is not compatible with the actual object type, leading to a logic error that an attacker could exploit. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45112"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/acrobat/apsb24-70.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-843"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T09:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-mgxj-66hj-35x8/GHSA-mgxj-66hj-35x8.json b/advisories/unreviewed/2024/09/GHSA-mgxj-66hj-35x8/GHSA-mgxj-66hj-35x8.json
new file mode 100644
index 00000000000..03c014f1f1f
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-mgxj-66hj-35x8/GHSA-mgxj-66hj-35x8.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mgxj-66hj-35x8",
+ "modified": "2024-09-13T09:30:32Z",
+ "published": "2024-09-13T09:30:32Z",
+ "aliases": [
+ "CVE-2024-46704"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: Fix spruious data race in __flush_work()\n\nWhen flushing a work item for cancellation, __flush_work() knows that it\nexclusively owns the work item through its PENDING bit. 134874e2eee9\n(\"workqueue: Allow cancel_work_sync() and disable_work() from atomic\ncontexts on BH work items\") added a read of @work->data to determine whether\nto use busy wait for BH work items that are being canceled. While the read\nis safe when @from_cancel, @work->data was read before testing @from_cancel\nto simplify code structure:\n\n\tdata = *work_data_bits(work);\n\tif (from_cancel &&\n\t !WARN_ON_ONCE(data & WORK_STRUCT_PWQ) && (data & WORK_OFFQ_BH)) {\n\nWhile the read data was never used if !@from_cancel, this could trigger\nKCSAN data race detection spuriously:\n\n ==================================================================\n BUG: KCSAN: data-race in __flush_work / __flush_work\n\n write to 0xffff8881223aa3e8 of 8 bytes by task 3998 on cpu 0:\n instrument_write include/linux/instrumented.h:41 [inline]\n ___set_bit include/asm-generic/bitops/instrumented-non-atomic.h:28 [inline]\n insert_wq_barrier kernel/workqueue.c:3790 [inline]\n start_flush_work kernel/workqueue.c:4142 [inline]\n __flush_work+0x30b/0x570 kernel/workqueue.c:4178\n flush_work kernel/workqueue.c:4229 [inline]\n ...\n\n read to 0xffff8881223aa3e8 of 8 bytes by task 50 on cpu 1:\n __flush_work+0x42a/0x570 kernel/workqueue.c:4188\n flush_work kernel/workqueue.c:4229 [inline]\n flush_delayed_work+0x66/0x70 kernel/workqueue.c:4251\n ...\n\n value changed: 0x0000000000400000 -> 0xffff88810006c00d\n\nReorganize the code so that @from_cancel is tested before @work->data is\naccessed.
The only problem is triggering KCSAN detection spuriously. This\nshouldn't need READ_ONCE() or other access qualifiers.\n\nNo functional changes.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46704"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/8bc35475ef1a23b0e224f3242eb11c76cab0ea88"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/91d09642127a32fde231face2ff489af70eef316"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-mj2f-6r3r-rgm8/GHSA-mj2f-6r3r-rgm8.json b/advisories/unreviewed/2024/09/GHSA-mj2f-6r3r-rgm8/GHSA-mj2f-6r3r-rgm8.json
new file mode 100644
index 00000000000..f26bac9ddd5
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-mj2f-6r3r-rgm8/GHSA-mj2f-6r3r-rgm8.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mj2f-6r3r-rgm8",
+ "modified": "2024-09-13T09:30:33Z",
+ "published": "2024-09-13T09:30:33Z",
+ "aliases": [
+ "CVE-2024-39384"
+ ],
+ "details": "Premiere Pro versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39384"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/premiere_pro/apsb24-58.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T09:15:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-p4r4-6239-7p4g/GHSA-p4r4-6239-7p4g.json b/advisories/unreviewed/2024/09/GHSA-p4r4-6239-7p4g/GHSA-p4r4-6239-7p4g.json
new file mode 100644
index 00000000000..d5c16355027
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-p4r4-6239-7p4g/GHSA-p4r4-6239-7p4g.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p4r4-6239-7p4g",
+ "modified": "2024-09-13T09:30:32Z",
+ "published": "2024-09-13T09:30:32Z",
+ "aliases": [
+ "CVE-2024-41873"
+ ],
+ "details": "Media Encoder versions 24.5, 23.6.8 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41873"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/media-encoder/apsb24-53.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-125"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-pf33-gpvq-8g3c/GHSA-pf33-gpvq-8g3c.json b/advisories/unreviewed/2024/09/GHSA-pf33-gpvq-8g3c/GHSA-pf33-gpvq-8g3c.json
new file mode 100644
index 00000000000..930f8c51f93
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-pf33-gpvq-8g3c/GHSA-pf33-gpvq-8g3c.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pf33-gpvq-8g3c",
+ "modified": "2024-09-13T09:30:33Z",
+ "published": "2024-09-13T09:30:33Z",
+ "aliases": [
+ "CVE-2024-39381"
+ ],
+ "details": "After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39381"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/after_effects/apsb24-55.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T09:15:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-prgw-72f3-x883/GHSA-prgw-72f3-x883.json b/advisories/unreviewed/2024/09/GHSA-prgw-72f3-x883/GHSA-prgw-72f3-x883.json
new file mode 100644
index 00000000000..ed920dbe799
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-prgw-72f3-x883/GHSA-prgw-72f3-x883.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-prgw-72f3-x883",
+ "modified": "2024-09-13T09:30:33Z",
+ "published": "2024-09-13T09:30:33Z",
+ "aliases": [
+ "CVE-2024-43759"
+ ],
+ "details": "Illustrator versions 28.6, 27.9.5 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to an application denial-of-service (DoS). An attacker could exploit this vulnerability to crash the application, resulting in a DoS condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43759"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/illustrator/apsb24-66.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T09:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-q844-wpfg-w2h9/GHSA-q844-wpfg-w2h9.json b/advisories/unreviewed/2024/09/GHSA-q844-wpfg-w2h9/GHSA-q844-wpfg-w2h9.json
new file mode 100644
index 00000000000..5f21c2ffaf3
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-q844-wpfg-w2h9/GHSA-q844-wpfg-w2h9.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q844-wpfg-w2h9",
+ "modified": "2024-09-13T09:30:32Z",
+ "published": "2024-09-13T09:30:32Z",
+ "aliases": [
+ "CVE-2024-46701"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibfs: fix infinite directory reads for offset dir\n\nAfter we switch tmpfs dir operations from simple_dir_operations to\nsimple_offset_dir_operations, every rename happened will fill new dentry\nto dest dir's maple tree(&SHMEM_I(inode)->dir_offsets->mt) with a free\nkey starting with octx->newx_offset, and then set newx_offset equals to\nfree key + 1. This will lead to infinite readdir combine with rename\nhappened at the same time, which fail generic/736 in xfstests(detail show\nas below).\n\n1. create 5000 files(1 2 3...) under one dir\n2. call readdir(man 3 readdir) once, and get one entry\n3. rename(entry, \"TEMPFILE\"), then rename(\"TEMPFILE\", entry)\n4. loop 2~3, until readdir return nothing or we loop too many\n times(tmpfs break test with the second condition)\n\nWe choose the same logic what commit 9b378f6ad48cf (\"btrfs: fix infinite\ndirectory reads\") to fix it, record the last_index when we open dir, and\ndo not emit the entry which index >= last_index.
The file->private_data\nnow used in offset dir can use directly to do this, and we also update\nthe last_index when we llseek the dir file.\n\n[brauner: only update last_index after seek when offset is zero like Jan suggested]",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46701"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/308b4fc2403b335894592ee9dc212a5e58bb309f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-qfxc-fjvg-2qgm/GHSA-qfxc-fjvg-2qgm.json b/advisories/unreviewed/2024/09/GHSA-qfxc-fjvg-2qgm/GHSA-qfxc-fjvg-2qgm.json
new file mode 100644
index 00000000000..4b4173378b5
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-qfxc-fjvg-2qgm/GHSA-qfxc-fjvg-2qgm.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qfxc-fjvg-2qgm",
+ "modified": "2024-09-13T09:30:32Z",
+ "published": "2024-09-13T09:30:32Z",
+ "aliases": [
+ "CVE-2024-46705"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: reset mmio mappings with devm\n\nSet our various mmio mappings to NULL. This should make it easier to\ncatch something rogue trying to mess with mmio after device removal. For\nexample, we might unmap everything and then start hitting some mmio\naddress which has already been unmamped by us and then remapped by\nsomething else, causing all kinds of carnage.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46705"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/b1c9fbed3884d3883021d699c7cdf5253a65543a"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/c7117419784f612d59ee565145f722e8b5541fe6"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-r9gm-g7gv-4f8p/GHSA-r9gm-g7gv-4f8p.json b/advisories/unreviewed/2024/09/GHSA-r9gm-g7gv-4f8p/GHSA-r9gm-g7gv-4f8p.json
new file mode 100644
index 00000000000..c54543e562e
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-r9gm-g7gv-4f8p/GHSA-r9gm-g7gv-4f8p.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r9gm-g7gv-4f8p",
+ "modified": "2024-09-13T09:30:32Z",
+ "published": "2024-09-13T09:30:32Z",
+ "aliases": [
+ "CVE-2024-8663"
+ ],
+ "details": "The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8663"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/wp-simple-booking-calendar/tags/2.0.10/includes/base/admin/calendar/views/view-edit-calendar.php#L155"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/wp-simple-booking-calendar/tags/2.0.10/includes/modules/update-checker/views/view-register-website.php#L21"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3150474%40wp-simple-booking-calendar&new=3150474%40wp-simple-booking-calendar&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cad4300f-02f9-4c9f-9bb3-1c9da8b78ac9?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-v4vv-7v49-m3wg/GHSA-v4vv-7v49-m3wg.json b/advisories/unreviewed/2024/09/GHSA-v4vv-7v49-m3wg/GHSA-v4vv-7v49-m3wg.json
new file mode 100644
index 00000000000..8720bdf58c2
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-v4vv-7v49-m3wg/GHSA-v4vv-7v49-m3wg.json
@@ -0,0 +1,55 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-v4vv-7v49-m3wg",
+ "modified": "2024-09-13T09:30:32Z",
+ "published": "2024-09-13T09:30:32Z",
+ "aliases": [
+ "CVE-2024-46707"
+ ],
+ "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3\n\nOn a system with a GICv3, if a guest hasn't been configured with\nGICv3 and that the host is not capable of GICv2 emulation,\na write to any of the ICC_*SGI*_EL1 registers is trapped to EL2.\n\nWe therefore try to emulate the SGI access, only to hit a NULL\npointer as no private interrupt is allocated (no GIC, remember?).\n\nThe obvious fix is to give the guest what it deserves, in the\nshape of a UNDEF exception.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46707"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/15818af2f7aa55eff375333cb7689df15d3f24ef"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/2073132f6ed3079369e857a8deb33d11bdd983bc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/3e6245ebe7ef341639e9a7e402b3ade8ad45a19f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/94d4fbad01b19ec5eab3d6b50aaec4f9db8b2d8d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/96b076e8ee5bc3a1126848c8add0f74bd30dc9d1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://git.kernel.org/stable/c/9d7629bec5c3f80bd0e3bf8103c06a2f7046bd92"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T07:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xh5f-m55p-f9q7/GHSA-xh5f-m55p-f9q7.json b/advisories/unreviewed/2024/09/GHSA-xh5f-m55p-f9q7/GHSA-xh5f-m55p-f9q7.json
new file mode 100644
index 00000000000..e1a03d366d4
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-xh5f-m55p-f9q7/GHSA-xh5f-m55p-f9q7.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xh5f-m55p-f9q7",
+ "modified": "2024-09-13T09:30:33Z",
+ "published": "2024-09-13T09:30:33Z",
+ "aliases": [
+ "CVE-2024-45111"
+ ],
+ "details": "Illustrator versions 28.6, 27.9.5 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45111"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/illustrator/apsb24-66.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-125"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T09:15:13Z"
+ }
+}
\ No newline at end of file
From b09d1613e585b9c0f4c4dbbb3e77603e24b07a14 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Fri, 13 Sep 2024 12:32:20 +0000
Subject: [PATCH 034/170] Publish Advisories GHSA-7882-x554-9hgx GHSA-9rg8-mfh8-fg8v GHSA-f5jx-v2mg-438v GHSA-pqq8-7w9h-7g85 GHSA-q993-jv9q-jjjm GHSA-v9mw-x36h-q548
---
.../GHSA-7882-x554-9hgx.json | 38 +++++++++++++++++++
.../GHSA-9rg8-mfh8-fg8v.json | 38 +++++++++++++++++++
.../GHSA-f5jx-v2mg-438v.json | 38 +++++++++++++++++++
.../GHSA-pqq8-7w9h-7g85.json | 38 +++++++++++++++++++
.../GHSA-q993-jv9q-jjjm.json | 38 +++++++++++++++++++
.../GHSA-v9mw-x36h-q548.json | 38 +++++++++++++++++++
6 files changed, 228 insertions(+)
create mode 100644 advisories/unreviewed/2024/09/GHSA-7882-x554-9hgx/GHSA-7882-x554-9hgx.json
create mode 100644 advisories/unreviewed/2024/09/GHSA-9rg8-mfh8-fg8v/GHSA-9rg8-mfh8-fg8v.json
create mode 100644 advisories/unreviewed/2024/09/GHSA-f5jx-v2mg-438v/GHSA-f5jx-v2mg-438v.json
create mode 100644 advisories/unreviewed/2024/09/GHSA-pqq8-7w9h-7g85/GHSA-pqq8-7w9h-7g85.json
create mode 100644 advisories/unreviewed/2024/09/GHSA-q993-jv9q-jjjm/GHSA-q993-jv9q-jjjm.json
create mode 100644 advisories/unreviewed/2024/09/GHSA-v9mw-x36h-q548/GHSA-v9mw-x36h-q548.json
diff --git a/advisories/unreviewed/2024/09/GHSA-7882-x554-9hgx/GHSA-7882-x554-9hgx.json b/advisories/unreviewed/2024/09/GHSA-7882-x554-9hgx/GHSA-7882-x554-9hgx.json
new file mode 100644
index 00000000000..cbbb82c556f
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-7882-x554-9hgx/GHSA-7882-x554-9hgx.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7882-x554-9hgx",
+ "modified": "2024-09-13T12:30:46Z",
+ "published": "2024-09-13T12:30:46Z",
+ "aliases": [
+ "CVE-2024-43760"
+ ],
+ "details": "Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43760"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/photoshop/apsb24-72.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T10:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-9rg8-mfh8-fg8v/GHSA-9rg8-mfh8-fg8v.json b/advisories/unreviewed/2024/09/GHSA-9rg8-mfh8-fg8v/GHSA-9rg8-mfh8-fg8v.json
new file mode 100644
index 00000000000..60426c9796d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-9rg8-mfh8-fg8v/GHSA-9rg8-mfh8-fg8v.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9rg8-mfh8-fg8v",
+ "modified": "2024-09-13T12:30:46Z",
+ "published": "2024-09-13T12:30:46Z",
+ "aliases": [
+ "CVE-2024-45108"
+ ],
+ "details": "Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45108"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/photoshop/apsb24-72.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T10:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-f5jx-v2mg-438v/GHSA-f5jx-v2mg-438v.json b/advisories/unreviewed/2024/09/GHSA-f5jx-v2mg-438v/GHSA-f5jx-v2mg-438v.json
new file mode 100644
index 00000000000..d2827daf0fa
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-f5jx-v2mg-438v/GHSA-f5jx-v2mg-438v.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f5jx-v2mg-438v",
+ "modified": "2024-09-13T12:30:47Z",
+ "published": "2024-09-13T12:30:47Z",
+ "aliases": [
+ "CVE-2024-45113"
+ ],
+ "details": "ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access and affect the integrity of the application. Exploitation of this issue does not require user interaction.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45113"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-287"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T10:15:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-pqq8-7w9h-7g85/GHSA-pqq8-7w9h-7g85.json b/advisories/unreviewed/2024/09/GHSA-pqq8-7w9h-7g85/GHSA-pqq8-7w9h-7g85.json
new file mode 100644
index 00000000000..302cc08dd6e
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-pqq8-7w9h-7g85/GHSA-pqq8-7w9h-7g85.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pqq8-7w9h-7g85",
+ "modified": "2024-09-13T12:30:46Z",
+ "published": "2024-09-13T12:30:46Z",
+ "aliases": [
+ "CVE-2024-41874"
+ ],
+ "details": "ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41874"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/coldfusion/apsb24-71.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T10:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-q993-jv9q-jjjm/GHSA-q993-jv9q-jjjm.json b/advisories/unreviewed/2024/09/GHSA-q993-jv9q-jjjm/GHSA-q993-jv9q-jjjm.json
new file mode 100644
index 00000000000..9c46e1cb6cc
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-q993-jv9q-jjjm/GHSA-q993-jv9q-jjjm.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q993-jv9q-jjjm",
+ "modified": "2024-09-13T12:30:46Z",
+ "published": "2024-09-13T12:30:46Z",
+ "aliases": [
+ "CVE-2024-43756"
+ ],
+ "details": "Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43756"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/photoshop/apsb24-72.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-122"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T10:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-v9mw-x36h-q548/GHSA-v9mw-x36h-q548.json b/advisories/unreviewed/2024/09/GHSA-v9mw-x36h-q548/GHSA-v9mw-x36h-q548.json
new file mode 100644
index 00000000000..3ca0391f13a
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-v9mw-x36h-q548/GHSA-v9mw-x36h-q548.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-v9mw-x36h-q548",
+ "modified": "2024-09-13T12:30:46Z",
+ "published": "2024-09-13T12:30:46Z",
+ "aliases": [
+ "CVE-2024-45109"
+ ],
+ "details": "Photoshop Desktop versions 24.7.4, 25.11 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45109"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/photoshop/apsb24-72.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T10:15:16Z"
+ }
+}
\ No newline at end of file
From a815df412fa101ad38a16508611e73487012c540 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Fri, 13 Sep 2024 13:37:23 +0000
Subject: [PATCH 035/170] Publish Advisories GHSA-fmj9-77q8-g6c4 GHSA-jw9c-mfg7-9rx2
---
.../GHSA-fmj9-77q8-g6c4/GHSA-fmj9-77q8-g6c4.json | 11 ++++++++---
.../GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json | 14 +++++++++++++-
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/advisories/github-reviewed/2024/08/GHSA-fmj9-77q8-g6c4/GHSA-fmj9-77q8-g6c4.json b/advisories/github-reviewed/2024/08/GHSA-fmj9-77q8-g6c4/GHSA-fmj9-77q8-g6c4.json
index b8af79c5752..e0a66a5827a 100644
--- a/advisories/github-reviewed/2024/08/GHSA-fmj9-77q8-g6c4/GHSA-fmj9-77q8-g6c4.json
+++ b/advisories/github-reviewed/2024/08/GHSA-fmj9-77q8-g6c4/GHSA-fmj9-77q8-g6c4.json
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fmj9-77q8-g6c4", - "modified": "2024-08-27T18:14:12Z", + "modified": "2024-09-13T13:35:59Z", "published": "2024-08-27T18:14:12Z", "aliases": [ "CVE-2024-43414" @@ -82,6 +82,10 @@ "type": "WEB", "url": "https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43414" + }, { "type": "WEB", "url": "https://github.com/apollographql/router/commit/e309c9bb5a48c1304ff69c88b7eabdd08c26bf45" @@ -101,11 +105,12 @@ ], "database_specific": { "cwe_ids": [ - "CWE-673" + "CWE-673", + "CWE-674" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-08-27T18:14:12Z", - "nvd_published_at": null + "nvd_published_at": "2024-08-27T18:15:15Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json b/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json index d526586036c..500f3606405 100644 --- a/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json +++ b/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jw9c-mfg7-9rx2", - "modified": "2024-09-11T21:03:15Z", + "modified": "2024-09-13T13:36:37Z", "published": "2024-09-10T19:42:03Z", "aliases": [ "CVE-2024-45409" 
@@ -79,9 +79,21 @@ "type": "WEB", "url": "https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7" }, + { + "type": "WEB", + "url": "https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd" + }, { "type": "PACKAGE", "url": "https://github.com/SAML-Toolkits/ruby-saml" + }, + { + "type": "WEB", + "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/CVE-2024-45409.yml" + }, + { + "type": "WEB", + "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2024-45409.yml" } ], "database_specific": { From cd3b61e0fee697e2028d34c982e1b30fa9decd86 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 13:39:24 +0000 Subject: [PATCH 036/170] Publish GHSA-ghg6-32f9-2jp7 --- .../GHSA-ghg6-32f9-2jp7.json | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/advisories/github-reviewed/2024/08/GHSA-ghg6-32f9-2jp7/GHSA-ghg6-32f9-2jp7.json b/advisories/github-reviewed/2024/08/GHSA-ghg6-32f9-2jp7/GHSA-ghg6-32f9-2jp7.json index 2582f9dfebc..e942d4fd349 100644 --- a/advisories/github-reviewed/2024/08/GHSA-ghg6-32f9-2jp7/GHSA-ghg6-32f9-2jp7.json +++ b/advisories/github-reviewed/2024/08/GHSA-ghg6-32f9-2jp7/GHSA-ghg6-32f9-2jp7.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-ghg6-32f9-2jp7", - "modified": "2024-09-04T14:15:19Z", + "modified": "2024-09-13T13:37:31Z", "published": "2024-08-29T17:58:27Z", "aliases": [ "CVE-2024-45048" @@ -29,7 +29,26 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.0.0" + "introduced": "0" + }, + { + "fixed": "1.29.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "phpoffice/phpspreadsheet" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2.0" }, { "fixed": "2.2.1" 
@@ -48,10 +67,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.0.0" }, { - "fixed": "1.29.1" + "fixed": "2.1.1" } ] } From f817838c605ac2fb59bd331a4fa642766f8470f9 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 14:14:15 +0000 Subject: [PATCH 037/170] Publish Advisories GHSA-pg8m-4p8j-2p56 GHSA-q586-7p8w-9pg8 --- .../05/GHSA-pg8m-4p8j-2p56/GHSA-pg8m-4p8j-2p56.json | 6 +++++- .../05/GHSA-q586-7p8w-9pg8/GHSA-q586-7p8w-9pg8.json | 10 +++++----- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-pg8m-4p8j-2p56/GHSA-pg8m-4p8j-2p56.json b/advisories/github-reviewed/2022/05/GHSA-pg8m-4p8j-2p56/GHSA-pg8m-4p8j-2p56.json index 628e37c06de..b3c1d6a33c5 100644 --- a/advisories/github-reviewed/2022/05/GHSA-pg8m-4p8j-2p56/GHSA-pg8m-4p8j-2p56.json +++ b/advisories/github-reviewed/2022/05/GHSA-pg8m-4p8j-2p56/GHSA-pg8m-4p8j-2p56.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pg8m-4p8j-2p56", - "modified": "2023-08-31T15:50:47Z", + "modified": "2024-09-13T14:12:38Z", "published": "2022-05-24T19:17:46Z", "aliases": [ "CVE-2021-41971" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ diff --git a/advisories/github-reviewed/2022/05/GHSA-q586-7p8w-9pg8/GHSA-q586-7p8w-9pg8.json b/advisories/github-reviewed/2022/05/GHSA-q586-7p8w-9pg8/GHSA-q586-7p8w-9pg8.json index 57333139770..ee81161b26b 100644 --- a/advisories/github-reviewed/2022/05/GHSA-q586-7p8w-9pg8/GHSA-q586-7p8w-9pg8.json +++ b/advisories/github-reviewed/2022/05/GHSA-q586-7p8w-9pg8/GHSA-q586-7p8w-9pg8.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q586-7p8w-9pg8", - "modified": "2022-11-04T18:44:00Z", + "modified": "2024-09-13T14:13:40Z", "published": "2022-05-17T01:17:12Z", "aliases": [ "CVE-2017-3155" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -59,10 +63,6 @@ { "type": "WEB", "url": "https://web.archive.org/web/20200227151159/http://www.securityfocus.com/bid/100587" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/100587" } ], "database_specific": { From dd4961ebad3252e91588d869ec2a07e9453435b0 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 14:16:43 +0000 Subject: [PATCH 038/170] Publish Advisories GHSA-fx92-wh72-8g9q GHSA-g777-crp9-m27g --- .../2022/05/GHSA-fx92-wh72-8g9q/GHSA-fx92-wh72-8g9q.json | 6 +++++- .../2024/01/GHSA-g777-crp9-m27g/GHSA-g777-crp9-m27g.json | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-fx92-wh72-8g9q/GHSA-fx92-wh72-8g9q.json b/advisories/github-reviewed/2022/05/GHSA-fx92-wh72-8g9q/GHSA-fx92-wh72-8g9q.json index 42fca65dbe8..7f55de5102e 100644 --- a/advisories/github-reviewed/2022/05/GHSA-fx92-wh72-8g9q/GHSA-fx92-wh72-8g9q.json +++ b/advisories/github-reviewed/2022/05/GHSA-fx92-wh72-8g9q/GHSA-fx92-wh72-8g9q.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fx92-wh72-8g9q", - "modified": "2023-12-04T15:21:05Z", + "modified": "2024-09-13T14:14:32Z", "published": "2022-05-17T01:17:12Z", "aliases": [ "CVE-2017-3154" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ 
diff --git a/advisories/github-reviewed/2024/01/GHSA-g777-crp9-m27g/GHSA-g777-crp9-m27g.json b/advisories/github-reviewed/2024/01/GHSA-g777-crp9-m27g/GHSA-g777-crp9-m27g.json index 570e4bc1f27..3813c98312a 100644 --- a/advisories/github-reviewed/2024/01/GHSA-g777-crp9-m27g/GHSA-g777-crp9-m27g.json +++ b/advisories/github-reviewed/2024/01/GHSA-g777-crp9-m27g/GHSA-g777-crp9-m27g.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g777-crp9-m27g", - "modified": "2024-01-12T23:19:29Z", + "modified": "2024-09-13T14:15:59Z", "published": "2024-01-09T09:30:29Z", "aliases": [ "CVE-2023-50974" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From 50b3af1f525d866471d61dc3ae89c7e780266561 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 14:20:13 +0000 Subject: [PATCH 039/170] Publish Advisories GHSA-7vvr-h4p5-m7fh GHSA-w3j6-8j34-q43x --- .../GHSA-7vvr-h4p5-m7fh.json | 30 ++++++++++++++++++- .../GHSA-w3j6-8j34-q43x.json | 26 ++++++++++------ 2 files changed, 46 insertions(+), 10 deletions(-) diff --git a/advisories/github-reviewed/2019/07/GHSA-7vvr-h4p5-m7fh/GHSA-7vvr-h4p5-m7fh.json b/advisories/github-reviewed/2019/07/GHSA-7vvr-h4p5-m7fh/GHSA-7vvr-h4p5-m7fh.json index 1c366468dbe..8543c2c7f54 100644 --- a/advisories/github-reviewed/2019/07/GHSA-7vvr-h4p5-m7fh/GHSA-7vvr-h4p5-m7fh.json +++ b/advisories/github-reviewed/2019/07/GHSA-7vvr-h4p5-m7fh/GHSA-7vvr-h4p5-m7fh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7vvr-h4p5-m7fh", - "modified": "2023-08-07T15:09:13Z", + "modified": "2024-09-13T14:19:43Z", "published": "2019-07-26T16:10:20Z", "aliases": [ "CVE-2018-19801" 
@@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -40,6 +44,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19801" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-7vvr-h4p5-m7fh" + }, { "type": "PACKAGE", "url": "https://github.com/aubio/aubio" @@ -47,6 +55,26 @@ { "type": "WEB", "url": "https://github.com/aubio/aubio/blob/0.4.9/ChangeLog" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aubio/PYSEC-2019-163.yaml" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYIKPYXZIWYWWNNORSKWRCFFCP6AFMRZ" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHIRMWW4JQ6UHJK4AVBJLFRLE2TPKC2W" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00063.html" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00067.html" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/05/GHSA-w3j6-8j34-q43x/GHSA-w3j6-8j34-q43x.json b/advisories/github-reviewed/2022/05/GHSA-w3j6-8j34-q43x/GHSA-w3j6-8j34-q43x.json index 37a4a3d4be6..571eece2709 100644 --- a/advisories/github-reviewed/2022/05/GHSA-w3j6-8j34-q43x/GHSA-w3j6-8j34-q43x.json +++ b/advisories/github-reviewed/2022/05/GHSA-w3j6-8j34-q43x/GHSA-w3j6-8j34-q43x.json 
@@ -1,15 +1,22 @@ { "schema_version": "1.4.0", "id": "GHSA-w3j6-8j34-q43x", - "modified": "2024-02-23T20:59:34Z", + "modified": "2024-09-13T14:18:40Z", "published": "2022-05-17T05:39:24Z", "aliases": [ "CVE-2010-4340" ], "summary": "Apache Libcloud does not verify SSL certificates for HTTPS connections", - "details": "libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack. This is due to an upstream issue with python's SSL module rather than directly with libcloud.", + "details": "libcloud before 0.4.0 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack. This is due to an upstream issue with python's SSL module rather than directly with libcloud.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -25,14 +32,11 @@ "introduced": "0" }, { - "fixed": "0.4.1" + "fixed": "0.4.0" } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.4.0" - } + ] } ], "references": [ @@ -52,6 +56,10 @@ "type": "PACKAGE", "url": "https://github.com/apache/libcloud" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-libcloud/PYSEC-2011-24.yaml" + }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/LIBCLOUD-55" @@ -77,7 +85,7 @@ "cwe_ids": [ "CWE-295" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-02-23T20:59:34Z", "nvd_published_at": "2011-09-12T12:41:00Z" From f45a37974a8c6efa61b5cdb1cc4e66e9b42e968f Mon Sep 17 00:00:00 2001 
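Review bot: In GHSA-w3j6-8j34-q43x.json the `@@ -25,14 +32,11 @@` hunk moves `fixed` from `0.4.1` to `0.4.0` and drops `"last_known_affected_version_range": "<= 0.4.0"`, so version 0.4.0 silently changes from affected to unaffected for every consumer of the record. Nothing in the diff shows which source supports the narrower range; the only reference added is the PYSEC-2011-24 entry, so the boundary should be checked against it and against LIBCLOUD-55 before relying on the change, because a wrong narrowing of a certificate-validation advisory (CWE-295) produces false negatives rather than noise. The `@@ -25,10 +29,10 @@` hunk of GHSA-j6f7-hghw-g437.json narrows a range in the same way by raising `introduced` from `0` to `0.10.1`; the package block for both ranges lies outside the hunks.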
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 14:22:11 +0000 Subject: [PATCH 040/170] Publish GHSA-qhx9-7hx7-cp4r --- .../GHSA-qhx9-7hx7-cp4r/GHSA-qhx9-7hx7-cp4r.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2021/04/GHSA-qhx9-7hx7-cp4r/GHSA-qhx9-7hx7-cp4r.json b/advisories/github-reviewed/2021/04/GHSA-qhx9-7hx7-cp4r/GHSA-qhx9-7hx7-cp4r.json index d05dba32969..92f0d4d8c13 100644 --- a/advisories/github-reviewed/2021/04/GHSA-qhx9-7hx7-cp4r/GHSA-qhx9-7hx7-cp4r.json +++ b/advisories/github-reviewed/2021/04/GHSA-qhx9-7hx7-cp4r/GHSA-qhx9-7hx7-cp4r.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-qhx9-7hx7-cp4r", - "modified": "2023-09-05T14:37:12Z", + "modified": "2024-09-13T14:20:37Z", "published": "2021-04-07T21:05:21Z", "aliases": [ "CVE-2020-28473" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -44,10 +48,18 @@ "type": "WEB", "url": "https://github.com/bottlepy/bottle/commit/57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-qhx9-7hx7-cp4r" + }, { "type": "PACKAGE", "url": "https://github.com/bottlepy/bottle" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bottle/PYSEC-2021-129.yaml" + }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00019.html" From 74210c4df2d6f6591bf34880db9fcac1c7c1870e Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 14:24:52 +0000 Subject: [PATCH 041/170] Publish Advisories GHSA-j6f7-hghw-g437 GHSA-v3m2-pg96-w33m --- .../GHSA-j6f7-hghw-g437.json | 18 +++++++++++++----- .../GHSA-v3m2-pg96-w33m.json | 10 +++++++++- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-j6f7-hghw-g437/GHSA-j6f7-hghw-g437.json b/advisories/github-reviewed/2022/05/GHSA-j6f7-hghw-g437/GHSA-j6f7-hghw-g437.json index 17be0061f3d..0be77b443cc 100644 --- a/advisories/github-reviewed/2022/05/GHSA-j6f7-hghw-g437/GHSA-j6f7-hghw-g437.json +++ b/advisories/github-reviewed/2022/05/GHSA-j6f7-hghw-g437/GHSA-j6f7-hghw-g437.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j6f7-hghw-g437", - "modified": "2022-05-31T15:43:48Z", + "modified": "2024-09-13T14:23:26Z", "published": "2022-05-17T03:05:15Z", "aliases": [ "CVE-2016-9964" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -25,10 +29,10 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "0.10.1" }, { - "fixed": "0.12.10" + "fixed": "0.12.11" } ] } @@ -48,6 +52,10 @@ "type": "WEB", "url": "https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54" }, + { + "type": "WEB", + "url": "https://github.com/bottlepy/bottle/commit/78f67d51965db11cb1ed0003f1eb7926458b5c2c" + }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-j6f7-hghw-g437" 
@@ -62,11 +70,11 @@ }, { "type": "WEB", - "url": "http://www.debian.org/security/2016/dsa-3743" + "url": "https://web.archive.org/web/20170214030628/http://www.securityfocus.com/bid/94961" }, { "type": "WEB", - "url": "http://www.securityfocus.com/bid/94961" + "url": "http://www.debian.org/security/2016/dsa-3743" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/05/GHSA-v3m2-pg96-w33m/GHSA-v3m2-pg96-w33m.json b/advisories/github-reviewed/2022/05/GHSA-v3m2-pg96-w33m/GHSA-v3m2-pg96-w33m.json index 87dd72e28ea..1ddd119801e 100644 --- a/advisories/github-reviewed/2022/05/GHSA-v3m2-pg96-w33m/GHSA-v3m2-pg96-w33m.json +++ b/advisories/github-reviewed/2022/05/GHSA-v3m2-pg96-w33m/GHSA-v3m2-pg96-w33m.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-v3m2-pg96-w33m", - "modified": "2024-04-29T10:26:03Z", + "modified": "2024-09-13T14:24:17Z", "published": "2022-05-24T17:20:04Z", "aliases": [ "CVE-2020-10755" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -151,6 +155,10 @@ "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10755" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cinder/PYSEC-2020-228.yaml" + }, { "type": "WEB", "url": "https://usn.ubuntu.com/4420-1" From ab18aad22c15baa0385412f27ec6524648363305 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 14:26:56 +0000 Subject: [PATCH 042/170] Publish Advisories GHSA-4wcc-jv3p-prqw GHSA-q624-9634-77gh --- .../05/GHSA-4wcc-jv3p-prqw/GHSA-4wcc-jv3p-prqw.json | 10 +++++++++- .../05/GHSA-q624-9634-77gh/GHSA-q624-9634-77gh.json | 10 +++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) 
diff --git a/advisories/github-reviewed/2022/05/GHSA-4wcc-jv3p-prqw/GHSA-4wcc-jv3p-prqw.json b/advisories/github-reviewed/2022/05/GHSA-4wcc-jv3p-prqw/GHSA-4wcc-jv3p-prqw.json index 808652ac1ad..7ff7415c9f6 100644 --- a/advisories/github-reviewed/2022/05/GHSA-4wcc-jv3p-prqw/GHSA-4wcc-jv3p-prqw.json +++ b/advisories/github-reviewed/2022/05/GHSA-4wcc-jv3p-prqw/GHSA-4wcc-jv3p-prqw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4wcc-jv3p-prqw", - "modified": "2024-04-29T16:54:38Z", + "modified": "2024-09-13T14:25:50Z", "published": "2022-05-17T02:52:55Z", "aliases": [ "CVE-2015-8310" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -52,6 +56,10 @@ "type": "PACKAGE", "url": "https://github.com/devsnd/cherrymusic" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cherrymusic/PYSEC-2017-100.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20200227183347/http://www.securityfocus.com/bid/97148" diff --git a/advisories/github-reviewed/2022/05/GHSA-q624-9634-77gh/GHSA-q624-9634-77gh.json b/advisories/github-reviewed/2022/05/GHSA-q624-9634-77gh/GHSA-q624-9634-77gh.json index dcbe813a53c..ba323d1bf37 100644 --- a/advisories/github-reviewed/2022/05/GHSA-q624-9634-77gh/GHSA-q624-9634-77gh.json +++ b/advisories/github-reviewed/2022/05/GHSA-q624-9634-77gh/GHSA-q624-9634-77gh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q624-9634-77gh", - "modified": "2024-04-29T16:53:37Z", + "modified": "2024-09-13T14:25:12Z", "published": "2022-05-17T02:52:55Z", "aliases": [ "CVE-2015-8309" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ 
@@ -52,6 +56,10 @@ "type": "PACKAGE", "url": "https://github.com/devsnd/cherrymusic" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cherrymusic/PYSEC-2017-99.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20200227183321/http://www.securityfocus.com/bid/97149" From 500c79f060592b8e068ed5e196050c2ef29867d3 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 14:29:05 +0000 Subject: [PATCH 043/170] Publish GHSA-rv95-4wxj-6fqq --- .../GHSA-rv95-4wxj-6fqq/GHSA-rv95-4wxj-6fqq.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2019/02/GHSA-rv95-4wxj-6fqq/GHSA-rv95-4wxj-6fqq.json b/advisories/github-reviewed/2019/02/GHSA-rv95-4wxj-6fqq/GHSA-rv95-4wxj-6fqq.json index a1069624ddb..5f29c93b612 100644 --- a/advisories/github-reviewed/2019/02/GHSA-rv95-4wxj-6fqq/GHSA-rv95-4wxj-6fqq.json +++ b/advisories/github-reviewed/2019/02/GHSA-rv95-4wxj-6fqq/GHSA-rv95-4wxj-6fqq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rv95-4wxj-6fqq", - "modified": "2023-09-05T09:29:43Z", + "modified": "2024-09-13T14:26:33Z", "published": "2019-02-07T18:18:22Z", "aliases": [ "CVE-2017-18361" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -55,6 +59,14 @@ { "type": "PACKAGE", "url": "https://github.com/Pylons/colander" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-rv95-4wxj-6fqq" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/colander/PYSEC-2019-167.yaml" } ], "database_specific": { From f3c51f0617ca1910fb8029ccd5c1f87b17d4b517 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 14:32:35 +0000 Subject: [PATCH 044/170] Publish Advisories GHSA-5xc6-fpc7-4qvg GHSA-h56g-v4vp-q9q6 --- .../GHSA-5xc6-fpc7-4qvg/GHSA-5xc6-fpc7-4qvg.json | 10 +++++++++- .../GHSA-h56g-v4vp-q9q6/GHSA-h56g-v4vp-q9q6.json | 14 +++++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2019/04/GHSA-5xc6-fpc7-4qvg/GHSA-5xc6-fpc7-4qvg.json b/advisories/github-reviewed/2019/04/GHSA-5xc6-fpc7-4qvg/GHSA-5xc6-fpc7-4qvg.json index 336f79d256a..ec1a066b64d 100644 --- a/advisories/github-reviewed/2019/04/GHSA-5xc6-fpc7-4qvg/GHSA-5xc6-fpc7-4qvg.json +++ b/advisories/github-reviewed/2019/04/GHSA-5xc6-fpc7-4qvg/GHSA-5xc6-fpc7-4qvg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5xc6-fpc7-4qvg", - "modified": "2023-09-05T18:40:23Z", + "modified": "2024-09-13T14:31:59Z", "published": "2019-04-08T15:19:01Z", "aliases": [ "CVE-2018-12680" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -51,6 +55,10 @@ { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-5xc6-fpc7-4qvg" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/coapthon/PYSEC-2019-165.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/01/GHSA-h56g-v4vp-q9q6/GHSA-h56g-v4vp-q9q6.json b/advisories/github-reviewed/2022/01/GHSA-h56g-v4vp-q9q6/GHSA-h56g-v4vp-q9q6.json index f5515bb41f2..6d52460ef37 100644 --- a/advisories/github-reviewed/2022/01/GHSA-h56g-v4vp-q9q6/GHSA-h56g-v4vp-q9q6.json +++ b/advisories/github-reviewed/2022/01/GHSA-h56g-v4vp-q9q6/GHSA-h56g-v4vp-q9q6.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-h56g-v4vp-q9q6", - "modified": "2022-02-04T16:38:23Z", + "modified": "2024-09-13T14:31:05Z", "published": "2022-01-29T00:00:41Z", "aliases": [ "CVE-2022-0352" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -44,10 +48,18 @@ "type": "WEB", "url": "https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-h56g-v4vp-q9q6" + }, { "type": "PACKAGE", "url": "https://github.com/janeczku/calibre-web" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-18.yaml" + }, { "type": "WEB", "url": "https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717" From 2dc9c42bbe4375dd5f9af2f32aba9257a0310631 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 14:36:26 +0000 Subject: [PATCH 045/170] Publish Advisories GHSA-5mc5-5j6c-qmf9 GHSA-8fjr-hghr-4m99 --- .../GHSA-5mc5-5j6c-qmf9/GHSA-5mc5-5j6c-qmf9.json | 14 +++++++++++--- .../GHSA-8fjr-hghr-4m99/GHSA-8fjr-hghr-4m99.json | 6 +++++- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-5mc5-5j6c-qmf9/GHSA-5mc5-5j6c-qmf9.json b/advisories/github-reviewed/2018/07/GHSA-5mc5-5j6c-qmf9/GHSA-5mc5-5j6c-qmf9.json index 48cb42c0920..44872b3553a 100644 --- a/advisories/github-reviewed/2018/07/GHSA-5mc5-5j6c-qmf9/GHSA-5mc5-5j6c-qmf9.json +++ b/advisories/github-reviewed/2018/07/GHSA-5mc5-5j6c-qmf9/GHSA-5mc5-5j6c-qmf9.json 
@@ -1,17 +1,21 @@ { "schema_version": "1.4.0", "id": "GHSA-5mc5-5j6c-qmf9", - "modified": "2021-09-01T22:16:38Z", + "modified": "2024-09-13T14:35:01Z", "published": "2018-07-13T16:01:01Z", "aliases": [ "CVE-2017-7235" ], - "summary": "High severity vulnerability that affects cfscrape", + "summary": "cfscrape Improper Input Validation vulnerability", "details": "An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. This is fixed in 1.8.0.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -61,7 +65,11 @@ }, { "type": "WEB", - "url": "http://www.securityfocus.com/bid/97191" + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cfscrape/PYSEC-2017-7.yaml" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20170701161512/http://www.securityfocus.com/bid/97191" } ], "database_specific": { diff --git a/advisories/github-reviewed/2023/08/GHSA-8fjr-hghr-4m99/GHSA-8fjr-hghr-4m99.json b/advisories/github-reviewed/2023/08/GHSA-8fjr-hghr-4m99/GHSA-8fjr-hghr-4m99.json index 08a65c4c94b..100c33d7c2a 100644 --- a/advisories/github-reviewed/2023/08/GHSA-8fjr-hghr-4m99/GHSA-8fjr-hghr-4m99.json +++ b/advisories/github-reviewed/2023/08/GHSA-8fjr-hghr-4m99/GHSA-8fjr-hghr-4m99.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8fjr-hghr-4m99", - "modified": "2023-09-06T19:17:29Z", + "modified": "2024-09-13T14:35:53Z", "published": "2023-08-30T20:09:33Z", "aliases": [ "CVE-2023-36811" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ 
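Review bot: In the GHSA-5mc5-5j6c-qmf9 hunk `@@ -1,17 +1,21 @@`, the new summary names a weakness class ("Improper Input Validation"), while the details line in the same hunk describes arbitrary Python code execution against anyone who scrapes a malicious site. The summary is the field most triage views show, so it should carry the impact rather than the category. A wording grounded in the details would be `"summary": "cfscrape allows arbitrary Python code execution when scraping a malicious website"`.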
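Review bot: In the GHSA-8fjr-hghr-4m99 hunk `@@ -12,6 +12,10 @@`, the added CVSS_V4 vector says `AV:N` while the unchanged CVSS_V3 entry directly above it says `AV:L`, so the two scores describe different attack vectors for the same advisory. Tooling that prefers the v4 score will treat this as network-reachable. If the local vector is the intended one, the added line would read `"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"`; otherwise the v3 entry needs correcting in the same commit. The same AV:L versus AV:N split is introduced for GHSA-2cvf-r9jm-4qm9 in PATCH 050 and is still present after the `@@ -15,7 +15,7 @@` hunk of PATCH 051.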
From 08641e1d8992e966910597f20438a04ca5ec05ba Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 14:38:27 +0000 Subject: [PATCH 046/170] Publish Advisories GHSA-5pqf-rvm7-3wgw GHSA-rwmf-w63j-p7gv --- .../12/GHSA-5pqf-rvm7-3wgw/GHSA-5pqf-rvm7-3wgw.json | 10 +++++++++- .../03/GHSA-rwmf-w63j-p7gv/GHSA-rwmf-w63j-p7gv.json | 10 +++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2022/12/GHSA-5pqf-rvm7-3wgw/GHSA-5pqf-rvm7-3wgw.json b/advisories/github-reviewed/2022/12/GHSA-5pqf-rvm7-3wgw/GHSA-5pqf-rvm7-3wgw.json index d79f4010fe4..6b1050730d3 100644 --- a/advisories/github-reviewed/2022/12/GHSA-5pqf-rvm7-3wgw/GHSA-5pqf-rvm7-3wgw.json +++ b/advisories/github-reviewed/2022/12/GHSA-5pqf-rvm7-3wgw/GHSA-5pqf-rvm7-3wgw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5pqf-rvm7-3wgw", - "modified": "2022-12-29T00:36:20Z", + "modified": "2024-09-13T14:38:04Z", "published": "2022-12-22T00:30:36Z", "aliases": [ "CVE-2022-4638" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -48,6 +52,10 @@ "type": "PACKAGE", "url": "https://github.com/collective/collective.contact.widget" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/collective-contact-widget/PYSEC-2022-42988.yaml" + }, { "type": "WEB", "url": "https://vuldb.com/?id.216496" diff --git a/advisories/github-reviewed/2023/03/GHSA-rwmf-w63j-p7gv/GHSA-rwmf-w63j-p7gv.json b/advisories/github-reviewed/2023/03/GHSA-rwmf-w63j-p7gv/GHSA-rwmf-w63j-p7gv.json index 8536f93de5e..14b6b0c560b 100644 --- a/advisories/github-reviewed/2023/03/GHSA-rwmf-w63j-p7gv/GHSA-rwmf-w63j-p7gv.json +++ b/advisories/github-reviewed/2023/03/GHSA-rwmf-w63j-p7gv/GHSA-rwmf-w63j-p7gv.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rwmf-w63j-p7gv", - "modified": "2023-03-20T21:27:15Z", + "modified": "2024-09-13T14:37:05Z", "published": "2023-03-20T21:27:15Z", "aliases": [ "CVE-2023-27586" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:L" } ], "affected": [ @@ -59,6 +63,10 @@ { "type": "WEB", "url": "https://github.com/Kozea/CairoSVG/releases/tag/2.7.0" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2023-9.yaml" } ], "database_specific": { From d0bf59c4fd68d941460924ae48d4c3693e76584b Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:05:50 +0000 Subject: [PATCH 047/170] Publish Advisories GHSA-4w8p-x6g8-fv64 GHSA-h3qr-fjhm-jphw --- .../GHSA-4w8p-x6g8-fv64/GHSA-4w8p-x6g8-fv64.json | 14 +++++++++++++- .../GHSA-h3qr-fjhm-jphw/GHSA-h3qr-fjhm-jphw.json | 12 ++++++++++-- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2022/02/GHSA-4w8p-x6g8-fv64/GHSA-4w8p-x6g8-fv64.json b/advisories/github-reviewed/2022/02/GHSA-4w8p-x6g8-fv64/GHSA-4w8p-x6g8-fv64.json index e90165ce91f..b84c1d27714 100644 --- a/advisories/github-reviewed/2022/02/GHSA-4w8p-x6g8-fv64/GHSA-4w8p-x6g8-fv64.json +++ b/advisories/github-reviewed/2022/02/GHSA-4w8p-x6g8-fv64/GHSA-4w8p-x6g8-fv64.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4w8p-x6g8-fv64", - "modified": "2022-02-23T17:39:11Z", + "modified": "2024-09-13T15:04:25Z", "published": "2022-02-01T00:48:54Z", "aliases": [ "CVE-2022-0339" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ 
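Review bot: In the GHSA-4w8p-x6g8-fv64 hunk `@@ -12,6 +12,10 @@`, the added CVSS_V4 vector uses `UI:P` and places all impact on the subsequent system (`VC:N/VI:N/VA:N/SC:L/SI:L`), but the CVSS_V3 context line next to it is `UI:N/S:U/C:L/I:L`, meaning no user interaction and unchanged scope. One of the two is stale. If the v4 reading is right, the v3 entry should move to `UI:R/S:C` in the same change, which is how the other calibre-web advisory in PATCH 044 (GHSA-h56g-v4vp-q9q6) is scored. A user-interaction mismatch in the opposite direction (v3 `UI:R`, v4 `UI:N`) is added for GHSA-cqff-fx2x-p86v in PATCH 048 and GHSA-vv2x-vrpj-qqpq in PATCH 051.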
@@ -48,6 +52,10 @@ "type": "WEB", "url": "https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-4w8p-x6g8-fv64" + }, { "type": "PACKAGE", "url": "https://github.com/janeczku/calibre-web" @@ -56,6 +64,10 @@ "type": "WEB", "url": "https://github.com/janeczku/calibre-web/releases/tag/0.6.16" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-23.yaml" + }, { "type": "WEB", "url": "https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369" diff --git a/advisories/github-reviewed/2022/07/GHSA-h3qr-fjhm-jphw/GHSA-h3qr-fjhm-jphw.json b/advisories/github-reviewed/2022/07/GHSA-h3qr-fjhm-jphw/GHSA-h3qr-fjhm-jphw.json index 9c4a0c398ba..839dc745b8b 100644 --- a/advisories/github-reviewed/2022/07/GHSA-h3qr-fjhm-jphw/GHSA-h3qr-fjhm-jphw.json +++ b/advisories/github-reviewed/2022/07/GHSA-h3qr-fjhm-jphw/GHSA-h3qr-fjhm-jphw.json @@ -1,17 +1,21 @@ { "schema_version": "1.4.0", "id": "GHSA-h3qr-fjhm-jphw", - "modified": "2022-07-29T18:08:32Z", + "modified": "2024-09-13T15:05:09Z", "published": "2022-07-14T00:00:23Z", "aliases": [ "CVE-2019-10800" ], - "summary": "Codecov prior to 2.0.16 does not sanitize gcov arguments", + "summary": "Codecov does not sanitize gcov arguments", "details": "This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being being provided to the popen method.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ 
@@ -44,6 +48,10 @@ "type": "WEB", "url": "https://github.com/codecov/codecov-python/commit/2a80aa434f74feb31242b6f213b75ce63ae97902" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-h3qr-fjhm-jphw" + }, { "type": "PACKAGE", "url": "https://github.com/codecov/codecov-python" From db0462dfcc195d7ca73636b32af6e121a3403f06 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:07:48 +0000 Subject: [PATCH 048/170] Publish Advisories GHSA-q65m-pv3f-wr5r GHSA-cqff-fx2x-p86v --- .../GHSA-q65m-pv3f-wr5r.json | 10 ++++++++- .../GHSA-cqff-fx2x-p86v.json | 21 ++++++++++++++++--- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/advisories/github-reviewed/2020/02/GHSA-q65m-pv3f-wr5r/GHSA-q65m-pv3f-wr5r.json b/advisories/github-reviewed/2020/02/GHSA-q65m-pv3f-wr5r/GHSA-q65m-pv3f-wr5r.json index 1a779d878e8..d2cf5d31cf7 100644 --- a/advisories/github-reviewed/2020/02/GHSA-q65m-pv3f-wr5r/GHSA-q65m-pv3f-wr5r.json +++ b/advisories/github-reviewed/2020/02/GHSA-q65m-pv3f-wr5r/GHSA-q65m-pv3f-wr5r.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q65m-pv3f-wr5r", - "modified": "2022-10-07T13:11:43Z", + "modified": "2024-09-13T15:05:52Z", "published": "2020-02-24T17:33:44Z", "aliases": [ "CVE-2020-6802" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -64,6 +68,10 @@ "type": "PACKAGE", "url": "https://github.com/mozilla/bleach" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2020-27.yaml" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/72R4VFFHDRSQMNT7IZU3X2755ZP4HGNI" 
diff --git a/advisories/github-reviewed/2021/03/GHSA-cqff-fx2x-p86v/GHSA-cqff-fx2x-p86v.json b/advisories/github-reviewed/2021/03/GHSA-cqff-fx2x-p86v/GHSA-cqff-fx2x-p86v.json index b538fdbe2d4..cb2a2011f83 100644 --- a/advisories/github-reviewed/2021/03/GHSA-cqff-fx2x-p86v/GHSA-cqff-fx2x-p86v.json +++ b/advisories/github-reviewed/2021/03/GHSA-cqff-fx2x-p86v/GHSA-cqff-fx2x-p86v.json @@ -1,15 +1,22 @@ { "schema_version": "1.4.0", "id": "GHSA-cqff-fx2x-p86v", - "modified": "2021-03-08T15:48:55Z", + "modified": "2024-09-13T15:07:22Z", "published": "2021-03-08T15:50:10Z", "aliases": [ ], - "summary": "Improper Authentication", + "summary": "botframework-connector vulnerable to Improper Authentication", "details": "### Impact\nA maliciously crafted claim may be incorrectly authenticated by the bot. Impacts bots that are not configured to be used as a Skill. This vulnerability requires an attacker to have internal knowledge of the bot.\n\n### Patches\nThe problem has been patched in all affected versions. Please see the list of patched versions for the most appropiate one for your individual case.\n\n### Workarounds\nUsers who do not wish or are not able to upgrade can add an authentication configuration containing ClaimsValidator, which throws an exception if Claims are Skill Claims. \n\nFor detailed instructions, see the link in the References section.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Microsoft Bot Builder SDK](https://github.com/microsoft/botframework-sdk)\n* Email us at [bf-reports@microsoft.com](mailto:bf-reports@microsoft.com)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { 
@@ -104,6 +111,14 @@ "type": "WEB", "url": "https://github.com/microsoft/botbuilder-python/blob/main/doc/SkillClaimsValidation.md" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/botframework-connector/PYSEC-2021-422.yaml" + }, + { + "type": "WEB", + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1725" + }, { "type": "WEB", "url": "https://pypi.org/project/botframework-connector" From 937881ff2d03769b1993b43aff84e24741de4e63 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:12:00 +0000 Subject: [PATCH 049/170] Publish GHSA-jqqh-999x-w26w --- .../GHSA-jqqh-999x-w26w.json | 51 ++++++++++++------- 1 file changed, 33 insertions(+), 18 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-jqqh-999x-w26w/GHSA-jqqh-999x-w26w.json b/advisories/github-reviewed/2022/05/GHSA-jqqh-999x-w26w/GHSA-jqqh-999x-w26w.json index 2aa8c302e2d..0a4360854bd 100644 --- a/advisories/github-reviewed/2022/05/GHSA-jqqh-999x-w26w/GHSA-jqqh-999x-w26w.json +++ b/advisories/github-reviewed/2022/05/GHSA-jqqh-999x-w26w/GHSA-jqqh-999x-w26w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jqqh-999x-w26w", - "modified": "2024-04-01T19:29:57Z", + "modified": "2024-09-13T15:10:34Z", "published": "2022-05-02T03:40:27Z", "aliases": [ "CVE-2009-2959" @@ -9,7 +9,14 @@ "summary": "Buildbot Cross-site scripting (XSS) vulnerability", "details": "Cross-site scripting (XSS) vulnerability in the waterfall web status view (`status/web/waterfall.py`) in Buildbot 0.7.6 through 0.7.11p1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" + } ], "affected": [ { 
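Review bot: The MSRC reference added in the GHSA-cqff-fx2x-p86v hunk `@@ -104,6 +111,14 @@` names CVE-2021-1725, yet the first hunk of the same file leaves `"aliases": [ ]` empty. If that CVE is the identifier for this issue (the URL suggests so, but the page does not state it), adding `"CVE-2021-1725"` to `aliases` would let scanners that key on CVE ids match this advisory. The rest of the references array lies outside the hunk.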
@@ -41,6 +48,30 @@ "type": "WEB", "url": "https://github.com/buildbot/buildbot/commit/a08ee48e796ae66c54fca6a087b4adce7d1d6c06" }, + { + "type": "PACKAGE", + "url": "https://github.com/buildbot/buildbot" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/buildbot/PYSEC-2009-1.yaml" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20101118080215/http://www.vupen.com/english/advisories/2009/2352" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20111225112636/http://secunia.com/advisories/36352" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20111225123121/http://secunia.com/advisories/36418" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200228175025/http://www.securityfocus.com/bid/36100" + }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00978.html" @@ -53,25 +84,9 @@ "type": "WEB", "url": "http://buildbot.net/trac#SecurityAlert" }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/36352" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/36418" - }, { "type": "WEB", "url": "http://sourceforge.net/mailarchive/message.php?msg_name=42338fbf0908121232mb790a6cn787ac3de90e8bc31%40mail.gmail.com" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/36100" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2009/2352" } ], "database_specific": { From 70777bccb712c4ff8220c9d05e2d68ce0f6ddff4 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:13:58 +0000 Subject: [PATCH 050/170] Publish Advisories GHSA-cpqf-3c3r-c9g2 GHSA-2cvf-r9jm-4qm9 --- .../GHSA-cpqf-3c3r-c9g2.json | 19 +++++++++++++++++-- .../GHSA-2cvf-r9jm-4qm9.json | 14 +++++++++++--- 2 files changed, 28 insertions(+), 5 deletions(-) 
diff --git a/advisories/github-reviewed/2021/10/GHSA-cpqf-3c3r-c9g2/GHSA-cpqf-3c3r-c9g2.json b/advisories/github-reviewed/2021/10/GHSA-cpqf-3c3r-c9g2/GHSA-cpqf-3c3r-c9g2.json index f594b3bf42d..9428bf5f825 100644 --- a/advisories/github-reviewed/2021/10/GHSA-cpqf-3c3r-c9g2/GHSA-cpqf-3c3r-c9g2.json +++ b/advisories/github-reviewed/2021/10/GHSA-cpqf-3c3r-c9g2/GHSA-cpqf-3c3r-c9g2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cpqf-3c3r-c9g2", - "modified": "2021-10-05T15:57:32Z", + "modified": "2024-09-13T15:11:50Z", "published": "2021-10-05T17:53:20Z", "aliases": [ "CVE-2021-40323" @@ -9,7 +9,14 @@ "summary": "Cobbler before 3.3.0 allows log poisoning", "details": "Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" + } ], "affected": [ { @@ -41,6 +48,10 @@ "type": "WEB", "url": "https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-cpqf-3c3r-c9g2" + }, { "type": "PACKAGE", "url": "https://github.com/cobbler/cobbler" @@ -48,6 +59,10 @@ { "type": "WEB", "url": "https://github.com/cobbler/cobbler/releases/tag/v3.3.0" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-373.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json b/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json index 4394dc47938..9d356c5d0ba 100644 --- a/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json +++ b/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2cvf-r9jm-4qm9", - "modified": "2023-07-19T20:01:06Z", + "modified": "2024-09-13T15:13:16Z", "published": "2022-05-13T01:14:22Z", "aliases": [ "CVE-2019-3830" @@ -11,7 +11,11 @@ "severity": [ { "type": "CVSS_V3", - "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -59,13 +63,17 @@ { "type": "PACKAGE", "url": "https://github.com/openstack/ceilometer" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ceilometer/PYSEC-2019-78.yaml" } ], "database_specific": { "cwe_ids": [ "CWE-532" ], - "severity": "HIGH", + "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-07-19T20:01:06Z", "nvd_published_at": "2019-03-26T18:29:00Z" From 3b163065fb01fc35dff9d21f52ab5b023f19ea7c Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:16:56 +0000 Subject: [PATCH 051/170] Publish Advisories GHSA-vv2x-vrpj-qqpq GHSA-2cvf-r9jm-4qm9 --- .../GHSA-vv2x-vrpj-qqpq.json | 18 +++++++++++++++++- .../GHSA-2cvf-r9jm-4qm9.json | 4 ++-- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2021/02/GHSA-vv2x-vrpj-qqpq/GHSA-vv2x-vrpj-qqpq.json b/advisories/github-reviewed/2021/02/GHSA-vv2x-vrpj-qqpq/GHSA-vv2x-vrpj-qqpq.json index 454eb900592..5b6fb83acab 100644 --- a/advisories/github-reviewed/2021/02/GHSA-vv2x-vrpj-qqpq/GHSA-vv2x-vrpj-qqpq.json +++ b/advisories/github-reviewed/2021/02/GHSA-vv2x-vrpj-qqpq/GHSA-vv2x-vrpj-qqpq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vv2x-vrpj-qqpq", - "modified": "2023-08-23T22:57:36Z", + "modified": "2024-09-13T15:15:58Z", "published": "2021-02-02T17:58:40Z", "aliases": [ "CVE-2021-23980" 
@@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -53,6 +57,10 @@ "type": "WEB", "url": "https://github.com/mozilla/bleach/commit/79b7a3c5e56a09d1d323a5006afa59b56162eb13" }, + { + "type": "WEB", + "url": "https://advisory.checkmarx.net/advisory/CX-2021-4303" + }, { "type": "WEB", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1689399" @@ -65,10 +73,18 @@ "type": "WEB", "url": "https://cure53.de/fp170.pdf" }, + { + "type": "PACKAGE", + "url": "https://github.com/mozilla/bleach" + }, { "type": "WEB", "url": "https://github.com/mozilla/bleach/blob/79b7a3c5e56a09d1d323a5006afa59b56162eb13/CHANGES#L4" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2021-865.yaml" + }, { "type": "WEB", "url": "https://pypi.org/project/bleach" diff --git a/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json b/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json index 9d356c5d0ba..3b42dd29e7f 100644 --- a/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json +++ b/advisories/github-reviewed/2022/05/GHSA-2cvf-r9jm-4qm9/GHSA-2cvf-r9jm-4qm9.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2cvf-r9jm-4qm9", - "modified": "2024-09-13T15:13:16Z", + "modified": "2024-09-13T15:15:21Z", "published": "2022-05-13T01:14:22Z", "aliases": [ "CVE-2019-3830" @@ -15,7 +15,7 @@ }, { "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N" + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From a231c2e8152fcfcad36d2f0e13c39bd9a8839240 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:19:19 +0000 Subject: [PATCH 052/170] Publish GHSA-vgv5-cxvh-vfxh --- .../GHSA-vgv5-cxvh-vfxh/GHSA-vgv5-cxvh-vfxh.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2021/04/GHSA-vgv5-cxvh-vfxh/GHSA-vgv5-cxvh-vfxh.json b/advisories/github-reviewed/2021/04/GHSA-vgv5-cxvh-vfxh/GHSA-vgv5-cxvh-vfxh.json index 56e6c89689e..024f7e76015 100644 --- a/advisories/github-reviewed/2021/04/GHSA-vgv5-cxvh-vfxh/GHSA-vgv5-cxvh-vfxh.json +++ b/advisories/github-reviewed/2021/04/GHSA-vgv5-cxvh-vfxh/GHSA-vgv5-cxvh-vfxh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vgv5-cxvh-vfxh", - "modified": "2022-11-08T18:16:44Z", + "modified": "2024-09-13T15:17:57Z", "published": "2021-04-07T20:50:57Z", "aliases": [ "CVE-2020-26759" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -58,9 +62,17 @@ "type": "WEB", "url": "https://github.com/mymarilyn/clickhouse-driver/commit/d708ed548e1d6f254ba81a21de8ba543a53b5598" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-vgv5-cxvh-vfxh" + }, { "type": "PACKAGE", "url": "https://github.com/mymarilyn/clickhouse-driver" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/clickhouse-driver/PYSEC-2021-61.yaml" } ], "database_specific": { From 846e6e1133da4f275058e454ca66dbe378806c2d Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:32:53 +0000 Subject: [PATCH 053/170] Advisory Database Sync --- .../GHSA-2wjg-qcgr-7p52.json | 11 ++-- .../GHSA-53f2-x8g3-2v76.json | 11 ++-- .../GHSA-58p8-qp66-2jq2.json | 2 +- .../GHSA-6mp3-h2gc-877w.json | 9 ++- .../GHSA-6rpx-57fj-hj72.json | 11 ++-- .../GHSA-758w-9j7r-h7p8.json | 9 ++- .../GHSA-8hwx-g945-2v69.json | 9 ++- .../GHSA-9w85-68h7-c4c7.json | 9 ++- .../GHSA-gq7c-55hq-cqqg.json | 2 +- .../GHSA-jgx4-86q4-38fm.json | 11 ++-- .../GHSA-jx88-73qr-g4w7.json | 11 ++-- .../GHSA-r5h4-2chq-43m3.json | 9 ++- .../GHSA-259g-6529-jqq8.json | 46 ++++++++++++++++ .../GHSA-2x6j-v6mv-vf98.json | 42 ++++++++++++++ .../GHSA-4r9q-49xf-jvj3.json | 42 ++++++++++++++ .../GHSA-55jp-9v82-mrww.json | 42 ++++++++++++++ .../GHSA-6f2c-7wmp-gmrf.json | 46 ++++++++++++++++ .../GHSA-6wmp-x825-hf7x.json | 46 ++++++++++++++++ .../GHSA-7r6c-3p49-xqvv.json | 42 ++++++++++++++ .../GHSA-956h-wvh5-7cgp.json | 35 ++++++++++++ .../GHSA-9672-786w-jwpr.json | 35 ++++++++++++ .../GHSA-9rpm-27w3-292g.json | 38 +++++++++++++ .../GHSA-cj63-c83g-7mc2.json | 50 +++++++++++++++++ .../GHSA-f9m9-68wf-ppcf.json | 42 ++++++++++++++ .../GHSA-g7fv-v867-rmwj.json | 50 +++++++++++++++++ .../GHSA-gm45-ppxv-rfjp.json | 42 ++++++++++++++ .../GHSA-jgpx-8fg9-hh7j.json | 55 +++++++++++++++++++ .../GHSA-jhh2-7qpr-2pv5.json | 35 ++++++++++++ .../GHSA-jw76-x8jc-r725.json | 1 + .../GHSA-m74p-p5fp-95cw.json | 42 ++++++++++++++ .../GHSA-m8mp-83qq-7j4f.json | 9 ++- .../GHSA-mvvx-479v-8cr8.json | 38 +++++++++++++ .../GHSA-p742-8whq-qv2p.json | 42 ++++++++++++++ .../GHSA-pgmw-5qx3-mhj6.json | 54 ++++++++++++++++++ .../GHSA-r6cg-gw4p-5gmj.json | 1 + .../GHSA-rvmx-xw47-rh9g.json | 42 ++++++++++++++ .../GHSA-vg62-5q72-657x.json | 35 ++++++++++++ .../GHSA-wx49-gvfc-fhrp.json | 42 ++++++++++++++ .../GHSA-xhxf-q686-3p2f.json | 42 ++++++++++++++ 39 files changed, 1100 insertions(+), 40 deletions(-) create mode 100644 
advisories/unreviewed/2024/09/GHSA-259g-6529-jqq8/GHSA-259g-6529-jqq8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-2x6j-v6mv-vf98/GHSA-2x6j-v6mv-vf98.json create mode 100644 advisories/unreviewed/2024/09/GHSA-4r9q-49xf-jvj3/GHSA-4r9q-49xf-jvj3.json create mode 100644 advisories/unreviewed/2024/09/GHSA-55jp-9v82-mrww/GHSA-55jp-9v82-mrww.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6f2c-7wmp-gmrf/GHSA-6f2c-7wmp-gmrf.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6wmp-x825-hf7x/GHSA-6wmp-x825-hf7x.json create mode 100644 advisories/unreviewed/2024/09/GHSA-7r6c-3p49-xqvv/GHSA-7r6c-3p49-xqvv.json create mode 100644 advisories/unreviewed/2024/09/GHSA-956h-wvh5-7cgp/GHSA-956h-wvh5-7cgp.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9672-786w-jwpr/GHSA-9672-786w-jwpr.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9rpm-27w3-292g/GHSA-9rpm-27w3-292g.json create mode 100644 advisories/unreviewed/2024/09/GHSA-cj63-c83g-7mc2/GHSA-cj63-c83g-7mc2.json create mode 100644 advisories/unreviewed/2024/09/GHSA-f9m9-68wf-ppcf/GHSA-f9m9-68wf-ppcf.json create mode 100644 advisories/unreviewed/2024/09/GHSA-g7fv-v867-rmwj/GHSA-g7fv-v867-rmwj.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gm45-ppxv-rfjp/GHSA-gm45-ppxv-rfjp.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jgpx-8fg9-hh7j/GHSA-jgpx-8fg9-hh7j.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jhh2-7qpr-2pv5/GHSA-jhh2-7qpr-2pv5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-m74p-p5fp-95cw/GHSA-m74p-p5fp-95cw.json create mode 100644 advisories/unreviewed/2024/09/GHSA-mvvx-479v-8cr8/GHSA-mvvx-479v-8cr8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-p742-8whq-qv2p/GHSA-p742-8whq-qv2p.json create mode 100644 advisories/unreviewed/2024/09/GHSA-pgmw-5qx3-mhj6/GHSA-pgmw-5qx3-mhj6.json create mode 100644 advisories/unreviewed/2024/09/GHSA-rvmx-xw47-rh9g/GHSA-rvmx-xw47-rh9g.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-vg62-5q72-657x/GHSA-vg62-5q72-657x.json create mode 100644 advisories/unreviewed/2024/09/GHSA-wx49-gvfc-fhrp/GHSA-wx49-gvfc-fhrp.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xhxf-q686-3p2f/GHSA-xhxf-q686-3p2f.json diff --git a/advisories/unreviewed/2024/08/GHSA-2wjg-qcgr-7p52/GHSA-2wjg-qcgr-7p52.json b/advisories/unreviewed/2024/08/GHSA-2wjg-qcgr-7p52/GHSA-2wjg-qcgr-7p52.json index 9cf0e8146a3..83865ed9dd4 100644 --- a/advisories/unreviewed/2024/08/GHSA-2wjg-qcgr-7p52/GHSA-2wjg-qcgr-7p52.json +++ b/advisories/unreviewed/2024/08/GHSA-2wjg-qcgr-7p52/GHSA-2wjg-qcgr-7p52.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-2wjg-qcgr-7p52", - "modified": "2024-08-21T09:31:32Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-21T09:31:32Z", "aliases": [ "CVE-2023-52903" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: lock overflowing for IOPOLL\n\nsyzbot reports an issue with overflow filling for IOPOLL:\n\nWARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\nCPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0\nWorkqueue: events_unbound io_ring_exit_work\nCall trace:\n io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734\n io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773\n io_fill_cqe_req io_uring/io_uring.h:168 [inline]\n io_do_iopoll+0x474/0x62c io_uring/rw.c:1065\n io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513\n io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056\n io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869\n process_one_work+0x2d8/0x504 kernel/workqueue.c:2289\n worker_thread+0x340/0x610 kernel/workqueue.c:2436\n kthread+0x12c/0x158 kernel/kthread.c:376\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863\n\nThere is no real problem for normal IOPOLL as flush is also called with\nuring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,\nfor which __io_cqring_overflow_flush() happens from the CQ waiting path.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-667" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-21T07:15:06Z" 
diff --git a/advisories/unreviewed/2024/08/GHSA-53f2-x8g3-2v76/GHSA-53f2-x8g3-2v76.json b/advisories/unreviewed/2024/08/GHSA-53f2-x8g3-2v76/GHSA-53f2-x8g3-2v76.json index 7d7cf5a1291..74269447b56 100644 --- a/advisories/unreviewed/2024/08/GHSA-53f2-x8g3-2v76/GHSA-53f2-x8g3-2v76.json +++ b/advisories/unreviewed/2024/08/GHSA-53f2-x8g3-2v76/GHSA-53f2-x8g3-2v76.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-53f2-x8g3-2v76", - "modified": "2024-08-21T09:31:32Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-21T09:31:32Z", "aliases": [ "CVE-2023-52898" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix null pointer dereference when host dies\n\nMake sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race\nand cause null pointer dereference when host suddenly dies.\n\nUsb core may call xhci_free_dev() which frees the xhci->devs[slot_id]\nvirt device at the same time that xhci_kill_endpoint_urbs() tries to\nloop through all the device's endpoints, checking if there are any\ncancelled urbs left to give back.\n\nhold the xhci spinlock while freeing the virt device", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -45,9 +48,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-21T07:15:06Z" diff --git a/advisories/unreviewed/2024/08/GHSA-58p8-qp66-2jq2/GHSA-58p8-qp66-2jq2.json b/advisories/unreviewed/2024/08/GHSA-58p8-qp66-2jq2/GHSA-58p8-qp66-2jq2.json index b6c954e7060..da353a78803 100644 --- a/advisories/unreviewed/2024/08/GHSA-58p8-qp66-2jq2/GHSA-58p8-qp66-2jq2.json +++ b/advisories/unreviewed/2024/08/GHSA-58p8-qp66-2jq2/GHSA-58p8-qp66-2jq2.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-58p8-qp66-2jq2", - "modified": "2024-08-16T15:31:41Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-16T15:31:41Z", "aliases": [ "CVE-2024-7145" diff --git a/advisories/unreviewed/2024/08/GHSA-6mp3-h2gc-877w/GHSA-6mp3-h2gc-877w.json b/advisories/unreviewed/2024/08/GHSA-6mp3-h2gc-877w/GHSA-6mp3-h2gc-877w.json index 079c7be51a4..750b9049082 100644 --- a/advisories/unreviewed/2024/08/GHSA-6mp3-h2gc-877w/GHSA-6mp3-h2gc-877w.json +++ b/advisories/unreviewed/2024/08/GHSA-6mp3-h2gc-877w/GHSA-6mp3-h2gc-877w.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6mp3-h2gc-877w", - "modified": "2024-08-21T09:31:32Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-21T09:31:32Z", "aliases": [ "CVE-2023-52905" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix resource leakage in VF driver unbind\n\nresources allocated like mcam entries to support the Ntuple feature\nand hash tables for the tc feature are not getting freed in driver\nunbind. This patch fixes the issue.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-21T07:15:06Z" diff --git a/advisories/unreviewed/2024/08/GHSA-6rpx-57fj-hj72/GHSA-6rpx-57fj-hj72.json b/advisories/unreviewed/2024/08/GHSA-6rpx-57fj-hj72/GHSA-6rpx-57fj-hj72.json index 3138c076425..3b5b839f1c0 100644 --- a/advisories/unreviewed/2024/08/GHSA-6rpx-57fj-hj72/GHSA-6rpx-57fj-hj72.json +++ b/advisories/unreviewed/2024/08/GHSA-6rpx-57fj-hj72/GHSA-6rpx-57fj-hj72.json 
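Review bot: The second hunk of GHSA-6mp3-h2gc-877w (`@@ -31,7 +34,7 @@`) sets `"severity": "MODERATE"` but leaves `"cwe_ids": [ ]` empty, so the entry gains a score without a weakness class. The same pattern appears in this part of the patch in GHSA-758w-9j7r-h7p8, GHSA-8hwx-g945-2v69, GHSA-9w85-68h7-c4c7 and GHSA-r5h4-2chq-43m3, while sibling entries such as GHSA-jgx4-86q4-38fm do receive one (`"CWE-401"`). Consumers that triage or filter by CWE will skip these records; if the upstream source assigns no CWE this is expected, otherwise the ids should be carried over in the same update. For GHSA-r5h4-2chq-43m3 the description (access token placed in GET query strings) reads like CWE-598, which would be `"cwe_ids": ["CWE-598"]` once confirmed upstream.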
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6rpx-57fj-hj72", - "modified": "2024-08-21T09:31:32Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-21T09:31:32Z", "aliases": [ "CVE-2023-52899" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nAdd exception protection processing for vd in axi_chan_handle_err function\n\nSince there is no protection for vd, a kernel panic will be\ntriggered here in exceptional cases.\n\nYou can refer to the processing of axi_chan_block_xfer_complete function\n\nThe triggered kernel panic is as follows:\n\n[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n[ 67.848447] Mem abort info:\n[ 67.848449] ESR = 0x96000004\n[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 67.848454] SET = 0, FnV = 0\n[ 67.848456] EA = 0, S1PTW = 0\n[ 67.848458] Data abort info:\n[ 67.848460] ISV = 0, ISS = 0x00000004\n[ 67.848462] CM = 0, WnR = 0\n[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000\n[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000\n[ 67.848472] Internal error: Oops: 96000004 [#1] SMP\n[ 67.848475] Modules linked in: dmatest\n[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11\n[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)\n[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230\n[ 67.848491] lr : axi_chan_handle_err+0x30/0x230\n[ 67.848493] sp : ffff0803fe55ae50\n[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200\n[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080\n[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850\n[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000\n[ 67.848512] x21: 0000000000000080 x20: 0000000000002000\n[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000\n[ 67.848521] x17: 0000000000000000 x16: 0000000000000000\n[ 67.848525] x15: 0000000000000000 x14: 0000000000000000\n[ 67.848529] x13: 
0000000000000000 x12: 0000000000000040\n[ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a\n[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270\n[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0\n[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480\n[ 67.848550] x3 : dead000000000100 x2 : dead000000000122\n[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168\n[ 67.848559] Call trace:\n[ 67.848562] axi_chan_handle_err+0xc4/0x230\n[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590\n[ 67.848569] __handle_irq_event_percpu+0x60/0x220\n[ 67.848573] handle_irq_event+0x64/0x120\n[ 67.848576] handle_fasteoi_irq+0xc4/0x220\n[ 67.848580] __handle_domain_irq+0x80/0xe0\n[ 67.848583] gic_handle_irq+0xc0/0x138\n[ 67.848585] el1_irq+0xc8/0x180\n[ 67.848588] arch_cpu_idle+0x14/0x2c\n[ 67.848591] default_idle_call+0x40/0x16c\n[ 67.848594] do_idle+0x1f0/0x250\n[ 67.848597] cpu_startup_entry+0x2c/0x60\n[ 67.848600] rest_init+0xc0/0xcc\n[ 67.848603] arch_call_rest_init+0x14/0x1c\n[ 67.848606] start_kernel+0x4cc/0x500\n[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)\n[ 67.848613] ---[ end trace 585a97036f88203a ]---", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -45,9 +48,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-21T07:15:06Z" diff --git a/advisories/unreviewed/2024/08/GHSA-758w-9j7r-h7p8/GHSA-758w-9j7r-h7p8.json b/advisories/unreviewed/2024/08/GHSA-758w-9j7r-h7p8/GHSA-758w-9j7r-h7p8.json index 07b480c1614..38ec55580ef 100644 --- a/advisories/unreviewed/2024/08/GHSA-758w-9j7r-h7p8/GHSA-758w-9j7r-h7p8.json +++ b/advisories/unreviewed/2024/08/GHSA-758w-9j7r-h7p8/GHSA-758w-9j7r-h7p8.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-758w-9j7r-h7p8", - "modified": "2024-08-21T09:31:32Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-21T09:31:32Z", "aliases": [ "CVE-2023-52897" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: do not warn on record without old_roots populated\n\n[BUG]\nThere are some reports from the mailing list that since v6.1 kernel, the\nWARN_ON() inside btrfs_qgroup_account_extent() gets triggered during\nrescan:\n\n WARNING: CPU: 3 PID: 6424 at fs/btrfs/qgroup.c:2756 btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]\n CPU: 3 PID: 6424 Comm: snapperd Tainted: P OE 6.1.2-1-default #1 openSUSE Tumbleweed 05c7a1b1b61d5627475528f71f50444637b5aad7\n RIP: 0010:btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]\n Call Trace:\n \n btrfs_commit_transaction+0x30c/0xb40 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n ? start_transaction+0xc3/0x5b0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n btrfs_qgroup_rescan+0x42/0xc0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n btrfs_ioctl+0x1ab9/0x25c0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]\n ? __rseq_handle_notify_resume+0xa9/0x4a0\n ? mntput_no_expire+0x4a/0x240\n ? __seccomp_filter+0x319/0x4d0\n __x64_sys_ioctl+0x90/0xd0\n do_syscall_64+0x5b/0x80\n ? syscall_exit_to_user_mode+0x17/0x40\n ? 
do_syscall_64+0x67/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x7fd9b790d9bf\n \n\n[CAUSE]\nSince commit e15e9f43c7ca (\"btrfs: introduce\nBTRFS_QGROUP_RUNTIME_FLAG_NO_ACCOUNTING to skip qgroup accounting\"), if\nour qgroup is already in inconsistent state, we will no longer do the\ntime-consuming backref walk.\n\nThis can leave some qgroup records without a valid old_roots ulist.\nNormally this is fine, as btrfs_qgroup_account_extents() would also skip\nthose records if we have NO_ACCOUNTING flag set.\n\nBut there is a small window, if we have NO_ACCOUNTING flag set, and\ninserted some qgroup_record without a old_roots ulist, but then the user\ntriggered a qgroup rescan.\n\nDuring btrfs_qgroup_rescan(), we firstly clear NO_ACCOUNTING flag, then\ncommit current transaction.\n\nAnd since we have a qgroup_record with old_roots = NULL, we trigger the\nWARN_ON() during btrfs_qgroup_account_extents().\n\n[FIX]\nUnfortunately due to the introduction of NO_ACCOUNTING flag, the\nassumption that every qgroup_record would have its old_roots populated\nis no longer correct.\n\nFix the false alerts and drop the WARN_ON().", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-21T07:15:06Z" diff --git a/advisories/unreviewed/2024/08/GHSA-8hwx-g945-2v69/GHSA-8hwx-g945-2v69.json b/advisories/unreviewed/2024/08/GHSA-8hwx-g945-2v69/GHSA-8hwx-g945-2v69.json index f99dd3fbd4c..8bef0937491 100644 --- a/advisories/unreviewed/2024/08/GHSA-8hwx-g945-2v69/GHSA-8hwx-g945-2v69.json +++ b/advisories/unreviewed/2024/08/GHSA-8hwx-g945-2v69/GHSA-8hwx-g945-2v69.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8hwx-g945-2v69", - "modified": "2024-08-21T09:31:32Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-21T09:31:32Z", "aliases": [ "CVE-2023-52900" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix general protection fault in nilfs_btree_insert()\n\nIf nilfs2 reads a corrupted disk image and tries to reads a b-tree node\nblock by calling __nilfs_btree_get_block() against an invalid virtual\nblock address, it returns -ENOENT because conversion of the virtual block\naddress to a disk block address fails. However, this return value is the\nsame as the internal code that b-tree lookup routines return to indicate\nthat the block being searched does not exist, so functions that operate on\nthat b-tree may misbehave.\n\nWhen nilfs_btree_insert() receives this spurious 'not found' code from\nnilfs_btree_do_lookup(), it misunderstands that the 'not found' check was\nsuccessful and continues the insert operation using incomplete lookup path\ndata, causing the following crash:\n\n general protection fault, probably for non-canonical address\n 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n ...\n RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]\n RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]\n RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238\n Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89\n ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c\n 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02\n ...\n Call Trace:\n \n nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]\n nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147\n nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101\n __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991\n __block_write_begin fs/buffer.c:2041 [inline]\n 
block_write_begin+0x93/0x1e0 fs/buffer.c:2102\n nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\n __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900\n generic_file_write_iter+0xab/0x310 mm/filemap.c:3932\n call_write_iter include/linux/fs.h:2186 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n ...\n \n\nThis patch fixes the root cause of this problem by replacing the error\ncode that __nilfs_btree_get_block() returns on block address conversion\nfailure from -ENOENT to another internal code -EINVAL which means that the\nb-tree metadata is corrupted.\n\nBy returning -EINVAL, it propagates without glitches, and for all relevant\nb-tree operations, functions in the upper bmap layer output an error\nmessage indicating corrupted b-tree metadata via\nnilfs_bmap_convert_error(), and code -EIO will be eventually returned as\nit should be.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -51,7 +54,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-21T07:15:06Z" diff --git a/advisories/unreviewed/2024/08/GHSA-9w85-68h7-c4c7/GHSA-9w85-68h7-c4c7.json b/advisories/unreviewed/2024/08/GHSA-9w85-68h7-c4c7/GHSA-9w85-68h7-c4c7.json index cc02a93a4ae..066ffa6cd53 100644 --- a/advisories/unreviewed/2024/08/GHSA-9w85-68h7-c4c7/GHSA-9w85-68h7-c4c7.json +++ b/advisories/unreviewed/2024/08/GHSA-9w85-68h7-c4c7/GHSA-9w85-68h7-c4c7.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9w85-68h7-c4c7", - "modified": "2024-08-21T09:31:32Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-21T09:31:32Z", "aliases": [ "CVE-2023-52906" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mpls: Fix warning during failed attribute validation\n\nThe 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a\nvalidation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid\ncombination according to the comment above 'struct nla_policy':\n\n\"\nMeaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:\n NLA_BINARY Validation function called for the attribute.\n All other Unused - but note that it's a union\n\"\n\nThis can trigger the warning [1] in nla_get_range_unsigned() when\nvalidation of the attribute fails. Despite being of 'NLA_U32' type, the\nassociated 'min'/'max' fields in the policy are negative as they are\naliased by the 'validate' field.\n\nFix by changing the attribute type to 'NLA_BINARY' which is consistent\nwith the above comment and all other users of NLA_POLICY_VALIDATE_FN().\nAs a result, move the length validation to the validation function.\n\nNo regressions in MPLS tests:\n\n # ./tdc.py -f tc-tests/actions/mpls.json\n [...]\n # echo $?\n 0\n\n[1]\nWARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118\nnla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\nModules linked in:\nCPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117\n[...]\nCall Trace:\n \n __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310\n netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411\n netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]\n netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506\n netlink_rcv_skb+0x1b7/0x240 
net/netlink/af_netlink.c:2546\n rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2482\n ___sys_sendmsg net/socket.c:2536 [inline]\n __sys_sendmsg+0x197/0x230 net/socket.c:2565\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -43,7 +46,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-21T07:15:06Z" diff --git a/advisories/unreviewed/2024/08/GHSA-gq7c-55hq-cqqg/GHSA-gq7c-55hq-cqqg.json b/advisories/unreviewed/2024/08/GHSA-gq7c-55hq-cqqg/GHSA-gq7c-55hq-cqqg.json index 970748a42f6..55b963b097b 100644 --- a/advisories/unreviewed/2024/08/GHSA-gq7c-55hq-cqqg/GHSA-gq7c-55hq-cqqg.json +++ b/advisories/unreviewed/2024/08/GHSA-gq7c-55hq-cqqg/GHSA-gq7c-55hq-cqqg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-gq7c-55hq-cqqg", - "modified": "2024-08-18T15:34:34Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-18T15:34:34Z", "aliases": [ "CVE-2024-43335" diff --git a/advisories/unreviewed/2024/08/GHSA-jgx4-86q4-38fm/GHSA-jgx4-86q4-38fm.json b/advisories/unreviewed/2024/08/GHSA-jgx4-86q4-38fm/GHSA-jgx4-86q4-38fm.json index d03493786cf..9d316d6eba2 100644 --- a/advisories/unreviewed/2024/08/GHSA-jgx4-86q4-38fm/GHSA-jgx4-86q4-38fm.json 
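Review bot: The vector added in the first hunk of GHSA-9w85-68h7-c4c7, `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, rates confidentiality and integrity as high, but the `details` text only describes a WARNING in nla_get_range_unsigned() when attribute validation fails. Every other Linux kernel entry visible in this part of the patch is scored `C:N/I:N/A:H`, so this one stands out, and it is what drives the `"severity": "HIGH"` set in the second hunk. The score is presumably mirrored from the upstream record; it is worth confirming there before using it for patch prioritisation, and aligning the entry with its siblings (`C:N/I:N/A:H`, `"MODERATE"`) if upstream cannot justify the C/I impact.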
+++ b/advisories/unreviewed/2024/08/GHSA-jgx4-86q4-38fm/GHSA-jgx4-86q4-38fm.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jgx4-86q4-38fm", - "modified": "2024-08-21T09:31:32Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-21T09:31:32Z", "aliases": [ "CVE-2023-52902" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnommu: fix memory leak in do_mmap() error path\n\nThe preallocation of the maple tree nodes may leak if the error path to\n\"error_just_free\" is taken. Fix this by moving the freeing of the maple\ntree nodes to a shared location for all error paths.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-401" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-21T07:15:06Z" diff --git a/advisories/unreviewed/2024/08/GHSA-jx88-73qr-g4w7/GHSA-jx88-73qr-g4w7.json b/advisories/unreviewed/2024/08/GHSA-jx88-73qr-g4w7/GHSA-jx88-73qr-g4w7.json index 34f0e75d645..3095bbeec85 100644 --- a/advisories/unreviewed/2024/08/GHSA-jx88-73qr-g4w7/GHSA-jx88-73qr-g4w7.json +++ b/advisories/unreviewed/2024/08/GHSA-jx88-73qr-g4w7/GHSA-jx88-73qr-g4w7.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jx88-73qr-g4w7", - "modified": "2024-08-21T09:31:32Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-21T09:31:32Z", "aliases": [ "CVE-2023-52901" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Check endpoint is valid before dereferencing it\n\nWhen the host controller is not responding, all URBs queued to all\nendpoints need to be killed. This can cause a kernel panic if we\ndereference an invalid endpoint.\n\nFix this by using xhci_get_virt_ep() helper to find the endpoint and\nchecking if the endpoint is valid before dereferencing it.\n\n[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead\n[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8\n\n[233311.853964] pc : xhci_hc_died+0x10c/0x270\n[233311.853971] lr : xhci_hc_died+0x1ac/0x270\n\n[233311.854077] Call trace:\n[233311.854085] xhci_hc_died+0x10c/0x270\n[233311.854093] xhci_stop_endpoint_command_watchdog+0x100/0x1a4\n[233311.854105] call_timer_fn+0x50/0x2d4\n[233311.854112] expire_timers+0xac/0x2e4\n[233311.854118] run_timer_softirq+0x300/0xabc\n[233311.854127] __do_softirq+0x148/0x528\n[233311.854135] irq_exit+0x194/0x1a8\n[233311.854143] __handle_domain_irq+0x164/0x1d0\n[233311.854149] gic_handle_irq.22273+0x10c/0x188\n[233311.854156] el1_irq+0xfc/0x1a8\n[233311.854175] lpm_cpuidle_enter+0x25c/0x418 [msm_pm]\n[233311.854185] cpuidle_enter_state+0x1f0/0x764\n[233311.854194] do_idle+0x594/0x6ac\n[233311.854201] cpu_startup_entry+0x7c/0x80\n[233311.854209] secondary_start_kernel+0x170/0x198", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -49,9 +52,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-21T07:15:06Z" diff --git a/advisories/unreviewed/2024/08/GHSA-r5h4-2chq-43m3/GHSA-r5h4-2chq-43m3.json b/advisories/unreviewed/2024/08/GHSA-r5h4-2chq-43m3/GHSA-r5h4-2chq-43m3.json index ce0f2d2e9df..6f78b3d6503 100644 --- a/advisories/unreviewed/2024/08/GHSA-r5h4-2chq-43m3/GHSA-r5h4-2chq-43m3.json +++ b/advisories/unreviewed/2024/08/GHSA-r5h4-2chq-43m3/GHSA-r5h4-2chq-43m3.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-r5h4-2chq-43m3", - "modified": "2024-08-20T21:30:35Z", + "modified": "2024-09-13T15:31:31Z", "published": "2024-08-20T21:30:35Z", "aliases": [ "CVE-2024-31842" ], "details": "An issue was discovered in Italtel Embrace 1.6.4. The web application inserts the access token of an authenticated user inside GET requests. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. Because the access token in sent in GET requests, this vulnerability could lead to complete account takeover.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-20T20:15:08Z" diff --git a/advisories/unreviewed/2024/09/GHSA-259g-6529-jqq8/GHSA-259g-6529-jqq8.json b/advisories/unreviewed/2024/09/GHSA-259g-6529-jqq8/GHSA-259g-6529-jqq8.json new file mode 100644 index 00000000000..cddace446a5 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-259g-6529-jqq8/GHSA-259g-6529-jqq8.json 
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-259g-6529-jqq8",
+ "modified": "2024-09-13T15:31:36Z",
+ "published": "2024-09-13T15:31:36Z",
+ "aliases": [
+ "CVE-2024-8732"
+ ],
+ "details": "The Roles & Capabilities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8732"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/leira-roles/trunk/admin/class-leira-roles-admin.php#L413"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/leira-roles/trunk/admin/class-leira-roles-admin.php#L541"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3956cd40-6b46-4013-9d71-a979de2c3687?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T15:15:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-2x6j-v6mv-vf98/GHSA-2x6j-v6mv-vf98.json b/advisories/unreviewed/2024/09/GHSA-2x6j-v6mv-vf98/GHSA-2x6j-v6mv-vf98.json
new file mode 100644
index 00000000000..c193e3fb763
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-2x6j-v6mv-vf98/GHSA-2x6j-v6mv-vf98.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2x6j-v6mv-vf98",
+ "modified": "2024-09-13T15:31:36Z",
+ "published": "2024-09-13T15:31:36Z",
+ "aliases": [
+ "CVE-2024-8747"
+ ],
+ "details": "The Email Obfuscate Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email-obfuscate' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8747"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wordpress.org/plugins/email-obfuscate-shortcode"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77bed6ce-84e7-4b71-8acd-bb5b73e362d2?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T15:15:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-4r9q-49xf-jvj3/GHSA-4r9q-49xf-jvj3.json b/advisories/unreviewed/2024/09/GHSA-4r9q-49xf-jvj3/GHSA-4r9q-49xf-jvj3.json
new file mode 100644
index 00000000000..2ac0bb802c2
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-4r9q-49xf-jvj3/GHSA-4r9q-49xf-jvj3.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4r9q-49xf-jvj3",
+ "modified": "2024-09-13T15:31:36Z",
+ "published": "2024-09-13T15:31:36Z",
+ "aliases": [
+ "CVE-2024-8734"
+ ],
+ "details": "The Lucas String Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8734"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/lucas-string-replace/trunk/includes/class-lucas-string-replace-settings.php#L176"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf1e4b20-e7e5-4a3a-9895-02d51499d54e?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T15:15:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-55jp-9v82-mrww/GHSA-55jp-9v82-mrww.json b/advisories/unreviewed/2024/09/GHSA-55jp-9v82-mrww/GHSA-55jp-9v82-mrww.json
new file mode 100644
index 00000000000..57a56fb94a0
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-55jp-9v82-mrww/GHSA-55jp-9v82-mrww.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-55jp-9v82-mrww",
+ "modified": "2024-09-13T15:31:35Z",
+ "published": "2024-09-13T15:31:35Z",
+ "aliases": [
+ "CVE-2024-5867"
+ ],
+ "details": "The Delicate theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter within the theme's Button shortcode in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5867"
+ },
+ {
+ "type": "WEB",
+ "url": "https://themes.trac.wordpress.org/browser/delicate/3.5.5/functions/shortcodes.php#L128"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dbf491d6-e546-4e3f-88c2-237b647a2b1e?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T15:15:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-6f2c-7wmp-gmrf/GHSA-6f2c-7wmp-gmrf.json b/advisories/unreviewed/2024/09/GHSA-6f2c-7wmp-gmrf/GHSA-6f2c-7wmp-gmrf.json
new file mode 100644
index 00000000000..b6646b46e93
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-6f2c-7wmp-gmrf/GHSA-6f2c-7wmp-gmrf.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6f2c-7wmp-gmrf",
+ "modified": "2024-09-13T15:31:35Z",
+ "published": "2024-09-13T15:31:35Z",
+ "aliases": [
+ "CVE-2024-7423"
+ ],
+ "details": "The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.1. This is due to missing or incorrect nonce validation on the network_options_action() function. This makes it possible for unauthenticated attackers to update arbitrary options that can lead to DoS or privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7423"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/stream/tags/4.0.1/classes/class-network.php#L353"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3139815/stream/trunk/classes/class-network.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9d15e418-36bb-4f53-ac67-8f6122591dd2?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T15:15:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-6wmp-x825-hf7x/GHSA-6wmp-x825-hf7x.json b/advisories/unreviewed/2024/09/GHSA-6wmp-x825-hf7x/GHSA-6wmp-x825-hf7x.json
new file mode 100644
index 00000000000..2f3e96ca328
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-6wmp-x825-hf7x/GHSA-6wmp-x825-hf7x.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6wmp-x825-hf7x",
+ "modified": "2024-09-13T15:31:36Z",
+ "published": "2024-09-13T15:31:36Z",
+ "aliases": [
+ "CVE-2024-8737"
+ ],
+ "details": "The PDF Thumbnail Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8737"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/pdf-thumbnail-generator/tags/1.3/pdf-thumbnail-generator.php#L184"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3151055"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b183587b-95bd-4e82-bfc7-db5a8fbd58f9?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T15:15:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-7r6c-3p49-xqvv/GHSA-7r6c-3p49-xqvv.json b/advisories/unreviewed/2024/09/GHSA-7r6c-3p49-xqvv/GHSA-7r6c-3p49-xqvv.json
new file mode 100644
index 00000000000..86cba292c42
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-7r6c-3p49-xqvv/GHSA-7r6c-3p49-xqvv.json
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7r6c-3p49-xqvv", + "modified": "2024-09-13T15:31:35Z", + "published": "2024-09-13T15:31:35Z", + "aliases": [ + "CVE-2024-5870" + ], + "details": "The Tweaker5 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5870" + }, + { + "type": "WEB", + "url": "https://themes.trac.wordpress.org/browser/tweaker5/1.2/inc/extras.php#L175" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f70ba568-b013-4177-928a-eefb606333ee?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T15:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-956h-wvh5-7cgp/GHSA-956h-wvh5-7cgp.json b/advisories/unreviewed/2024/09/GHSA-956h-wvh5-7cgp/GHSA-956h-wvh5-7cgp.json new file mode 100644 index 00000000000..ba149a39ee2 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-956h-wvh5-7cgp/GHSA-956h-wvh5-7cgp.json 
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-956h-wvh5-7cgp",
+ "modified": "2024-09-13T15:31:35Z",
+ "published": "2024-09-13T15:31:35Z",
+ "aliases": [
+ "CVE-2024-46048"
+ ],
+ "details": "Tenda FH451 v1.0.0.9 has a command injection vulnerability in the formexeCommand function i",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46048"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/BenJpopo/V/blob/main/Tenda/FH451/formexeCommand.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T14:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-9672-786w-jwpr/GHSA-9672-786w-jwpr.json b/advisories/unreviewed/2024/09/GHSA-9672-786w-jwpr/GHSA-9672-786w-jwpr.json
new file mode 100644
index 00000000000..557337fcb23
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-9672-786w-jwpr/GHSA-9672-786w-jwpr.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9672-786w-jwpr",
+ "modified": "2024-09-13T15:31:34Z",
+ "published": "2024-09-13T15:31:34Z",
+ "aliases": [
+ "CVE-2024-46046"
+ ],
+ "details": "Tenda FH451 v1.0.0.9 has a stack overflow vulnerability located in the RouteStatic function.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46046"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/BenJpopo/V/blob/main/Tenda/FH451/RouteStatic.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T14:15:14Z"
+ }
+}
\ No newline at end of file
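Review bot: The `details` string of the GHSA-956h-wvh5-7cgp record (first hunk on this line) ends mid-word, `...in the formexeCommand function i`, so the description was cut off somewhere upstream and is being published incomplete. The same record leaves `severity` and `cwe_ids` empty although the text names a command injection, so anyone filtering this feed by score or CWE will not see it. I would re-sync `details` from the NVD entry listed under `references` before publishing, and fill `cwe_ids` with the matching class (for command injection that would be `"CWE-77"`) once the source confirms it.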
diff --git a/advisories/unreviewed/2024/09/GHSA-9rpm-27w3-292g/GHSA-9rpm-27w3-292g.json b/advisories/unreviewed/2024/09/GHSA-9rpm-27w3-292g/GHSA-9rpm-27w3-292g.json new file mode 100644 index 00000000000..67d7fa5fef6 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-9rpm-27w3-292g/GHSA-9rpm-27w3-292g.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9rpm-27w3-292g", + "modified": "2024-09-13T15:31:34Z", + "published": "2024-09-13T15:31:34Z", + "aliases": [ + "CVE-2024-46044" + ], + "details": "CH22 V1.0.0.6(468) has a stack overflow vulnerability located in the fromqossetting function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46044" + }, + { + "type": "WEB", + "url": "https://github.com/BenJpopo/V/blob/main/Tenda/CH22/fromqossetting.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-121" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T14:15:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-cj63-c83g-7mc2/GHSA-cj63-c83g-7mc2.json b/advisories/unreviewed/2024/09/GHSA-cj63-c83g-7mc2/GHSA-cj63-c83g-7mc2.json new file mode 100644 index 00000000000..a7b46d6c21f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-cj63-c83g-7mc2/GHSA-cj63-c83g-7mc2.json 
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cj63-c83g-7mc2",
+ "modified": "2024-09-13T15:31:35Z",
+ "published": "2024-09-13T15:31:35Z",
+ "aliases": [
+ "CVE-2024-8242"
+ ],
+ "details": "The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. This can be paired with a registration endpoint for unauthenticated users to exploit the issue.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8242"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1053"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3147900/mstore-api/trunk/controllers/flutter-user.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3147900/mstore-api/trunk/functions/index.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe3834a6-a6f5-4cc7-951e-a6ada6346b07?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T15:15:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-f9m9-68wf-ppcf/GHSA-f9m9-68wf-ppcf.json b/advisories/unreviewed/2024/09/GHSA-f9m9-68wf-ppcf/GHSA-f9m9-68wf-ppcf.json
new file mode 100644
index 00000000000..cc3ef74d411
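Review bot: The vector in the GHSA-cj63-c83g-7mc2 record (`C:N/I:L/A:N`, `"severity": "MODERATE"`) rates the file upload in isolation, while its own `details` text says the upload may make remote code execution possible and can be paired with a registration endpoint open to unauthenticated users. That registration issue appears to be the one published in this same patch as GHSA-g7fv-v867-rmwj (CVE-2024-8269, same plugin, same 4.15.3 bound), so the two records should be triaged together rather than by their individual scores. Both also ship with an empty `affected` array, which means package-matching scanners will not alert on them and installs of the plugin have to be found through inventory instead.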
--- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-f9m9-68wf-ppcf/GHSA-f9m9-68wf-ppcf.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f9m9-68wf-ppcf", + "modified": "2024-09-13T15:31:35Z", + "published": "2024-09-13T15:31:35Z", + "aliases": [ + "CVE-2024-5884" + ], + "details": "The Beauty theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tpl_featured_cat_id’ parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5884" + }, + { + "type": "WEB", + "url": "https://themes.trac.wordpress.org/browser/beauty/1.1.4/functions.php#L46" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c1089958-a481-47b1-9dc6-799a1a7930c8?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T15:15:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-g7fv-v867-rmwj/GHSA-g7fv-v867-rmwj.json b/advisories/unreviewed/2024/09/GHSA-g7fv-v867-rmwj/GHSA-g7fv-v867-rmwj.json new file mode 100644 index 00000000000..ce342d66a5c --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-g7fv-v867-rmwj/GHSA-g7fv-v867-rmwj.json 
@@ -0,0 +1,50 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g7fv-v867-rmwj", + "modified": "2024-09-13T15:31:36Z", + "published": "2024-09-13T15:31:36Z", + "aliases": [ + "CVE-2024-8269" + ], + "details": "The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. This is due to the plugin not checking that user registration is enabled prior to creating a user account through the register() function. This makes it possible for unauthenticated attackers to create user accounts on sites, even when user registration is disabled and plugin functionality is not activated.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8269" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.15.2/controllers/flutter-user.php#L406" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.15.2/controllers/flutter-user.php#L454" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3147900/mstore-api/trunk/controllers/flutter-user.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59c5b6e7-74b0-430d-8b4a-5a42220f3ec9?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T15:15:17Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-gm45-ppxv-rfjp/GHSA-gm45-ppxv-rfjp.json b/advisories/unreviewed/2024/09/GHSA-gm45-ppxv-rfjp/GHSA-gm45-ppxv-rfjp.json new file mode 100644 index 00000000000..f8599ba9232 --- /dev/null 
+++ b/advisories/unreviewed/2024/09/GHSA-gm45-ppxv-rfjp/GHSA-gm45-ppxv-rfjp.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gm45-ppxv-rfjp", + "modified": "2024-09-13T15:31:35Z", + "published": "2024-09-13T15:31:35Z", + "aliases": [ + "CVE-2022-2446" + ], + "details": "The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2446" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3151053" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3555702-4427-4569-8fd6-f84113593e9d?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T15:15:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-jgpx-8fg9-hh7j/GHSA-jgpx-8fg9-hh7j.json b/advisories/unreviewed/2024/09/GHSA-jgpx-8fg9-hh7j/GHSA-jgpx-8fg9-hh7j.json new file mode 100644 index 00000000000..872a908ce3f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-jgpx-8fg9-hh7j/GHSA-jgpx-8fg9-hh7j.json 
@@ -0,0 +1,55 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jgpx-8fg9-hh7j", + "modified": "2024-09-13T15:31:35Z", + "published": "2024-09-13T15:31:35Z", + "aliases": [ + "CVE-2024-46713" + ], + "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/aux: Fix AUX buffer serialization\n\nOle reported that event->mmap_mutex is strictly insufficient to\nserialize the AUX buffer, add a per RB mutex to fully serialize it.\n\nNote that in the lock order comment the perf_event::mmap_mutex order\nwas already wrong, that is, it nesting under mmap_lock is not new with\nthis patch.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46713" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/2ab9d830262c132ab5db2f571003d80850d56b2a" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/52d13d224fdf1299c8b642807fa1ea14d693f5ff" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/7882923f1cb88dc1a17f2bf0c81b1fc80d44db82" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/9dc7ad2b67772cfb94ceb3b0c9c4023c2463215d" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/b9b6882e243b653d379abbeaa64a500182aba370" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/c4b69bee3f4ef76809288fe6827bc14d4ae788ef" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T15:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-jhh2-7qpr-2pv5/GHSA-jhh2-7qpr-2pv5.json b/advisories/unreviewed/2024/09/GHSA-jhh2-7qpr-2pv5/GHSA-jhh2-7qpr-2pv5.json new file mode 100644 index 00000000000..bfff8143ac5 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-jhh2-7qpr-2pv5/GHSA-jhh2-7qpr-2pv5.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jhh2-7qpr-2pv5", + "modified": "2024-09-13T15:31:34Z", + "published": "2024-09-13T15:31:34Z", + "aliases": [ + "CVE-2024-46045" + ], + "details": "Tenda CH22 V1.0.0.6(468) has a stack overflow vulnerability located in the frmL7PlotForm function.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46045" + }, + { + "type": "WEB", + "url": "https://github.com/BenJpopo/V/blob/main/Tenda/CH22/frmL7PlotForm.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T14:15:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-jw76-x8jc-r725/GHSA-jw76-x8jc-r725.json b/advisories/unreviewed/2024/09/GHSA-jw76-x8jc-r725/GHSA-jw76-x8jc-r725.json index 1a7adbf46a7..0c99a0cf862 100644 --- a/advisories/unreviewed/2024/09/GHSA-jw76-x8jc-r725/GHSA-jw76-x8jc-r725.json +++ b/advisories/unreviewed/2024/09/GHSA-jw76-x8jc-r725/GHSA-jw76-x8jc-r725.json @@ -32,6 +32,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-416", "CWE-843" ], "severity": "HIGH", diff --git a/advisories/unreviewed/2024/09/GHSA-m74p-p5fp-95cw/GHSA-m74p-p5fp-95cw.json b/advisories/unreviewed/2024/09/GHSA-m74p-p5fp-95cw/GHSA-m74p-p5fp-95cw.json new file mode 100644 index 00000000000..a0741cc0c98 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-m74p-p5fp-95cw/GHSA-m74p-p5fp-95cw.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m74p-p5fp-95cw", + "modified": "2024-09-13T15:31:35Z", + "published": "2024-09-13T15:31:35Z", + "aliases": [ + "CVE-2024-5789" + ], + "details": "The Triton Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the theme's Button shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5789" + }, + { + "type": "WEB", + "url": "https://themes.trac.wordpress.org/browser/triton-lite/1.3/lib/includes/shortcodes.php#L136" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/049efe5a-3f68-46ad-b73a-1892f03c9d1d?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T15:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-m8mp-83qq-7j4f/GHSA-m8mp-83qq-7j4f.json b/advisories/unreviewed/2024/09/GHSA-m8mp-83qq-7j4f/GHSA-m8mp-83qq-7j4f.json index 28f0593f41b..cc62f6f43ef 100644 --- a/advisories/unreviewed/2024/09/GHSA-m8mp-83qq-7j4f/GHSA-m8mp-83qq-7j4f.json +++ b/advisories/unreviewed/2024/09/GHSA-m8mp-83qq-7j4f/GHSA-m8mp-83qq-7j4f.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-m8mp-83qq-7j4f", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T15:31:33Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-7129" ], "details": "The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:15Z" diff --git a/advisories/unreviewed/2024/09/GHSA-mvvx-479v-8cr8/GHSA-mvvx-479v-8cr8.json b/advisories/unreviewed/2024/09/GHSA-mvvx-479v-8cr8/GHSA-mvvx-479v-8cr8.json new file mode 100644 index 00000000000..0de3ac139d7 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-mvvx-479v-8cr8/GHSA-mvvx-479v-8cr8.json 
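Review bot: The vector added in the first hunk uses `PR:L`, but the unchanged `details` text says exploitation is "by high privilege such as admins", which corresponds to `PR:H`; the second hunk then sets `"severity": "HIGH"` from that vector. The record is unreviewed, so the score is presumably taken over from upstream and the mismatch is better reported at the source than patched locally. `cwe_ids` also stays empty in the second hunk although the text describes a template injection; `"CWE-1336"` would be the fitting entry if the source agrees.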
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mvvx-479v-8cr8", + "modified": "2024-09-13T15:31:35Z", + "published": "2024-09-13T15:31:35Z", + "aliases": [ + "CVE-2024-46049" + ], + "details": "Tenda O6 V3.0 firmware V1.0.0.7(2054) contains a stack overflow vulnerability in the formexeCommand function.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46049" + }, + { + "type": "WEB", + "url": "https://github.com/BenJpopo/V/blob/main/Tenda/O6/formexeCommand.md" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-121" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T14:15:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-p742-8whq-qv2p/GHSA-p742-8whq-qv2p.json b/advisories/unreviewed/2024/09/GHSA-p742-8whq-qv2p/GHSA-p742-8whq-qv2p.json new file mode 100644 index 00000000000..363f4d3e13f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-p742-8whq-qv2p/GHSA-p742-8whq-qv2p.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p742-8whq-qv2p", + "modified": "2024-09-13T15:31:36Z", + "published": "2024-09-13T15:31:36Z", + "aliases": [ + "CVE-2024-8731" + ], + "details": "The Cron Jobs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8731" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/leira-cron-jobs/trunk/admin/class-leira-cron-jobs-admin.php#L147" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f6da693-4610-4875-aa14-102809309b8d?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T15:15:17Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-pgmw-5qx3-mhj6/GHSA-pgmw-5qx3-mhj6.json b/advisories/unreviewed/2024/09/GHSA-pgmw-5qx3-mhj6/GHSA-pgmw-5qx3-mhj6.json new file mode 100644 index 00000000000..ff4dedee023 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-pgmw-5qx3-mhj6/GHSA-pgmw-5qx3-mhj6.json 
@@ -0,0 +1,54 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pgmw-5qx3-mhj6", + "modified": "2024-09-13T15:31:36Z", + "published": "2024-09-13T15:31:36Z", + "aliases": [ + "CVE-2024-8714" + ], + "details": "The WordPress Affiliates Plugin — SliceWP Affiliates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8714" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/slicewp/tags/1.1.20/includes/admin/commissions/class-list-table-commissions.php#L544" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/slicewp/tags/1.1.20/includes/admin/payouts/class-list-table-payments.php#L490" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/slicewp/tags/1.1.20/includes/admin/visits/class-list-table-visits.php#L396" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3151062" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45dd22d4-9a51-4569-a756-1f1a5f8626c1?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T15:15:17Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-r6cg-gw4p-5gmj/GHSA-r6cg-gw4p-5gmj.json b/advisories/unreviewed/2024/09/GHSA-r6cg-gw4p-5gmj/GHSA-r6cg-gw4p-5gmj.json index bc9975e5e90..cf01882d8cd 100644 --- a/advisories/unreviewed/2024/09/GHSA-r6cg-gw4p-5gmj/GHSA-r6cg-gw4p-5gmj.json +++ b/advisories/unreviewed/2024/09/GHSA-r6cg-gw4p-5gmj/GHSA-r6cg-gw4p-5gmj.json @@ -33,6 +33,7 @@ "database_specific": { "cwe_ids": [ "CWE-122", + "CWE-416", "CWE-787" ], "severity": "HIGH", diff --git a/advisories/unreviewed/2024/09/GHSA-rvmx-xw47-rh9g/GHSA-rvmx-xw47-rh9g.json b/advisories/unreviewed/2024/09/GHSA-rvmx-xw47-rh9g/GHSA-rvmx-xw47-rh9g.json new file mode 100644 index 00000000000..f59a439d01c --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-rvmx-xw47-rh9g/GHSA-rvmx-xw47-rh9g.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rvmx-xw47-rh9g", + "modified": "2024-09-13T15:31:35Z", + "published": "2024-09-13T15:31:35Z", + "aliases": [ + "CVE-2024-6544" + ], + "details": "The Custom Post Limits plugin for WordPress is vulnerable to full path disclosure in all versions up to, and including, 4.4.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6544" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/custom-post-limits/trunk/tests/bootstrap.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9cf4a11e-ad28-4a93-9278-1d2d113a4859?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T15:15:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-vg62-5q72-657x/GHSA-vg62-5q72-657x.json b/advisories/unreviewed/2024/09/GHSA-vg62-5q72-657x/GHSA-vg62-5q72-657x.json new file mode 100644 index 00000000000..0080d4202ca --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-vg62-5q72-657x/GHSA-vg62-5q72-657x.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vg62-5q72-657x", + "modified": "2024-09-13T15:31:34Z", + "published": "2024-09-13T15:31:34Z", + "aliases": [ + "CVE-2024-46047" + ], + "details": "Tenda FH451 v1.0.0.9 has a stack overflow vulnerability in the fromDhcpListClient function.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46047" + }, + { + "type": "WEB", + "url": "https://github.com/BenJpopo/V/blob/main/Tenda/FH451/DhcpListClient.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T14:15:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-wx49-gvfc-fhrp/GHSA-wx49-gvfc-fhrp.json b/advisories/unreviewed/2024/09/GHSA-wx49-gvfc-fhrp/GHSA-wx49-gvfc-fhrp.json new file mode 100644 index 00000000000..b99e6e8ad8c --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-wx49-gvfc-fhrp/GHSA-wx49-gvfc-fhrp.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wx49-gvfc-fhrp", + "modified": "2024-09-13T15:31:35Z", + "published": "2024-09-13T15:31:35Z", + "aliases": [ + "CVE-2024-5869" + ], + "details": "The Neighborly theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5869" + }, + { + "type": "WEB", + "url": "https://themes.trac.wordpress.org/browser/neighborly/1.4/inc/extras.php#L151" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f65834c6-6da7-4033-aa2a-a4926d6c955d?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T15:15:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-xhxf-q686-3p2f/GHSA-xhxf-q686-3p2f.json b/advisories/unreviewed/2024/09/GHSA-xhxf-q686-3p2f/GHSA-xhxf-q686-3p2f.json new file mode 100644 index 00000000000..61d9064ca13 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-xhxf-q686-3p2f/GHSA-xhxf-q686-3p2f.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xhxf-q686-3p2f", + "modified": "2024-09-13T15:31:36Z", + "published": "2024-09-13T15:31:36Z", + "aliases": [ + "CVE-2024-8730" + ], + "details": "The Exit Notifier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8730" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/exit-notifier/trunk/includes/class-exit-notifier-settings.php#L707" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc1aedb-e64f-4b61-a247-c3cdc731f001?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T15:15:17Z" + } +} \ No newline at end of file From f8fd7dc3a3f2ff342b984d6d3c7709e7ce3786f1 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:36:24 +0000 Subject: [PATCH 054/170] Publish GHSA-m7wr-2xf7-cm9p --- .../03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json b/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json index 9ab7551c0eb..c5e2e55f55f 100644 
--- a/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json +++ b/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m7wr-2xf7-cm9p", - "modified": "2024-03-12T15:15:00Z", + "modified": "2024-09-13T15:34:58Z", "published": "2024-03-04T20:13:11Z", "aliases": [ "CVE-2024-27289" @@ -9,7 +9,14 @@ "summary": "pgx SQL Injection via Line Comment Creation", "details": "### Impact\n\nSQL injection can occur when all of the following conditions are met:\n\n1. The non-default simple protocol is used.\n2. A placeholder for a numeric value must be immediately preceded by a minus.\n3. There must be a second placeholder for a string value after the first placeholder; both\nmust be on the same line.\n4. Both parameter values must be user-controlled.\n\ne.g. \n\nSimple mode must be enabled:\n\n```go\n// connection string includes \"prefer_simple_protocol=true\"\n// or\n// directly enabled in code\nconfig.ConnConfig.PreferSimpleProtocol = true\n```\n\nParameterized query:\n\n```sql\nSELECT * FROM example WHERE result=-$1 OR name=$2;\n```\n\nParameter values:\n\n`$1` => `-42`\n`$2` => `\"foo\\n 1 AND 1=0 UNION SELECT * FROM secrets; --\"`\n\nResulting query after preparation:\n\n```sql\nSELECT * FROM example WHERE result=--42 OR name= 'foo\n1 AND 1=0 UNION SELECT * FROM secrets; --';\n```\n\n### Patches\n\nThe problem is resolved in v4.18.2.\n\n### Workarounds\n\nDo not use the simple protocol or do not place a minus directly before a placeholder.\n", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" + } ], "affected": [ { 
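Review bot: The two vectors added in the `@@ -9,7 +9,14 @@` hunk disagree with each other: the v3.1 one has `AC:H/UI:N`, the v4.0 one has `AC:L/AT:N/UI:P`. The `details` text lists four preconditions (non-default simple protocol, a minus directly before a numeric placeholder, a second string placeholder on the same line, both values user-controlled) and no user interaction, which matches `AC:H` in v3.1 and would be expressed as `AT:P/UI:N` in v4.0 rather than `AT:N/UI:P`. The following hunk raises `database_specific.severity` to `"HIGH"`, so which of the two vectors is authoritative should be settled before consumers prioritise on it.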
@@ -69,7 +76,7 @@ "cwe_ids": [ "CWE-89" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-03-04T20:13:11Z", "nvd_published_at": "2024-03-06T19:15:08Z" From 94aac5ffd4a07861b4427ba4189822dee43daad1 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:38:20 +0000 Subject: [PATCH 055/170] Publish Advisories GHSA-7jwh-3vrq-q3m8 GHSA-mrww-27vc-gghv --- .../GHSA-7jwh-3vrq-q3m8.json | 51 ++++--------------- .../GHSA-mrww-27vc-gghv.json | 51 ++++--------------- 2 files changed, 20 insertions(+), 82 deletions(-) diff --git a/advisories/github-reviewed/2024/03/GHSA-7jwh-3vrq-q3m8/GHSA-7jwh-3vrq-q3m8.json b/advisories/github-reviewed/2024/03/GHSA-7jwh-3vrq-q3m8/GHSA-7jwh-3vrq-q3m8.json index 0d553d99118..abce989f87b 100644 --- a/advisories/github-reviewed/2024/03/GHSA-7jwh-3vrq-q3m8/GHSA-7jwh-3vrq-q3m8.json +++ b/advisories/github-reviewed/2024/03/GHSA-7jwh-3vrq-q3m8/GHSA-7jwh-3vrq-q3m8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7jwh-3vrq-q3m8", - "modified": "2024-03-14T21:46:07Z", + "modified": "2024-09-13T15:36:58Z", "published": "2024-03-04T20:45:25Z", "aliases": [ 
@@ -9,7 +9,14 @@ "summary": "pgproto3 SQL Injection via Protocol Message Size Overflow", "details": "### Impact\n\nSQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.\n\n### Patches\n\nThe problem is resolved in v2.3.3\n\n### Workarounds\n\nReject user input large enough to cause a single query or bind message to exceed 4 GB in size.\n", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" + } ], "affected": [ { @@ -49,44 +56,6 @@ ] } ] - }, - { - "package": { - "ecosystem": "Go", - "name": "github.com/jackc/pgx/v4" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "4.18.2" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "Go", - "name": "github.com/jackc/pgx/v5" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "5.0.0" - }, - { - "fixed": "5.5.4" - } - ] - } - ] } ], "references": [ @@ -128,7 +97,7 @@ "CWE-190", "CWE-89" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-03-04T20:45:25Z", "nvd_published_at": null diff --git a/advisories/github-reviewed/2024/03/GHSA-mrww-27vc-gghv/GHSA-mrww-27vc-gghv.json b/advisories/github-reviewed/2024/03/GHSA-mrww-27vc-gghv/GHSA-mrww-27vc-gghv.json index cba66b21901..a5aa50b359a 100644 --- a/advisories/github-reviewed/2024/03/GHSA-mrww-27vc-gghv/GHSA-mrww-27vc-gghv.json +++ b/advisories/github-reviewed/2024/03/GHSA-mrww-27vc-gghv/GHSA-mrww-27vc-gghv.json 
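Review bot: `database_specific.severity` becomes `HIGH` in the last hunk of GHSA-7jwh-3vrq-q3m8, while the `CVSS_V3` vector added here, `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, is a 9.8 (Critical) base vector under CVSS 3.1. The label presumably follows the `CVSS_V4` entry, which carries `E:U`. The same pairing is applied to GHSA-mrww-27vc-gghv in the next file. Pipelines that gate on the label and pipelines that compute a band from the V3 vector will disagree on the same record, so consumers should fix which field they treat as authoritative. Separately, this record's `aliases` list appears to be empty and the pgx ranges are removed from it, so CVE-keyed tooling will not tie pgproto3 findings to CVE-2024-27304 on the pgx record.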
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mrww-27vc-gghv", - "modified": "2024-03-14T21:45:18Z", + "modified": "2024-09-13T15:36:55Z", "published": "2024-03-04T20:43:24Z", "aliases": [ "CVE-2024-27304" @@ -9,7 +9,14 @@ "summary": "pgx SQL Injection via Protocol Message Size Overflow", "details": "### Impact\n\nSQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.\n\n### Patches\n\nThe problem is resolved in v4.18.2 and v5.5.4.\n\n### Workarounds\n\nReject user input large enough to cause a single query or bind message to exceed 4 GB in size.\n", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" + } ], "affected": [ { @@ -50,44 +57,6 @@ } ] }, - { - "package": { - "ecosystem": "Go", - "name": "github.com/jackc/pgproto3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.3.3" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "Go", - "name": "github.com/jackc/pgproto3/v2" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.3.3" - } - ] - } - ] - }, { "package": { "ecosystem": "Go", @@ -162,7 +131,7 @@ "CWE-190", "CWE-89" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-03-04T20:43:24Z", "nvd_published_at": "2024-03-06T19:15:08Z" From da7036b19d918b6748065a0fed2b569d620a9ed9 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:52:28 +0000 Subject: [PATCH 056/170] Publish GHSA-xhp9-4947-rq78 --- .../2022/06/GHSA-xhp9-4947-rq78/GHSA-xhp9-4947-rq78.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2022/06/GHSA-xhp9-4947-rq78/GHSA-xhp9-4947-rq78.json b/advisories/github-reviewed/2022/06/GHSA-xhp9-4947-rq78/GHSA-xhp9-4947-rq78.json index 32da13b75b2..043885d170a 100644 --- a/advisories/github-reviewed/2022/06/GHSA-xhp9-4947-rq78/GHSA-xhp9-4947-rq78.json +++ b/advisories/github-reviewed/2022/06/GHSA-xhp9-4947-rq78/GHSA-xhp9-4947-rq78.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xhp9-4947-rq78", - "modified": "2022-06-14T20:06:55Z", + "modified": "2024-09-13T15:51:00Z", "published": "2022-06-03T00:01:15Z", "aliases": [ "CVE-2022-31799" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ From 1fc5082769f0d537c6aa12da1c8f4df29783adfe Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:54:36 +0000 Subject: [PATCH 057/170] Publish GHSA-9w4f-3v37-6f75 --- .../GHSA-9w4f-3v37-6f75.json | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-9w4f-3v37-6f75/GHSA-9w4f-3v37-6f75.json b/advisories/github-reviewed/2022/05/GHSA-9w4f-3v37-6f75/GHSA-9w4f-3v37-6f75.json index ef4999e01ea..6ff52236052 100644 --- a/advisories/github-reviewed/2022/05/GHSA-9w4f-3v37-6f75/GHSA-9w4f-3v37-6f75.json +++ b/advisories/github-reviewed/2022/05/GHSA-9w4f-3v37-6f75/GHSA-9w4f-3v37-6f75.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9w4f-3v37-6f75", - "modified": "2024-04-29T16:18:48Z", + "modified": "2024-09-13T15:52:40Z", "published": "2022-05-17T03:33:24Z", "aliases": [ "CVE-2015-3010" @@ -9,7 +9,14 @@ "summary": "ceph-deploy allows local users to obtain sensitive information by reading the file", "details": "ceph-deploy before 1.5.23 uses weak permissions (644) for `ceph/ceph.client.admin.keyring`, which allows local users to obtain sensitive information by reading the file.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" + } ], "affected": [ { @@ -53,6 +60,10 @@ "type": "PACKAGE", "url": "https://github.com/ceph/ceph-deploy" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ceph-deploy/PYSEC-2015-2.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20200228233028/http://www.securityfocus.com/bid/74043" @@ -76,6 +87,10 @@ { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2015/04/09/9" + }, + { + "type": "WEB", + "url": "http://www.securityfocus.com/bid/74043" } ], "database_specific": { From 234a34b9da4b8ac9364997439a46ac6bc9b18dff Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:57:40 +0000 Subject: [PATCH 058/170] Publish Advisories GHSA-4fpg-j5mp-783g GHSA-mqwh-r366-4224 --- .../05/GHSA-4fpg-j5mp-783g/GHSA-4fpg-j5mp-783g.json | 12 ++++++++++-- .../05/GHSA-mqwh-r366-4224/GHSA-mqwh-r366-4224.json | 12 ++++++++++-- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-4fpg-j5mp-783g/GHSA-4fpg-j5mp-783g.json b/advisories/github-reviewed/2022/05/GHSA-4fpg-j5mp-783g/GHSA-4fpg-j5mp-783g.json index 10408e74a1d..6629ced0a16 100644 
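Review bot: The reference added in the last hunk of GHSA-9w4f-3v37-6f75, `http://www.securityfocus.com/bid/74043`, duplicates a page the record already cites through `https://web.archive.org/web/20200228233028/http://www.securityfocus.com/bid/74043`, and it is a plain-HTTP link. The presence of the archived copy suggests the live page may no longer be served, in which case the new entry adds a reference that cannot be followed. I would drop the new entry and keep the archived one.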
--- a/advisories/github-reviewed/2022/05/GHSA-4fpg-j5mp-783g/GHSA-4fpg-j5mp-783g.json +++ b/advisories/github-reviewed/2022/05/GHSA-4fpg-j5mp-783g/GHSA-4fpg-j5mp-783g.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4fpg-j5mp-783g", - "modified": "2024-04-22T22:45:45Z", + "modified": "2024-09-13T15:57:09Z", "published": "2022-05-13T01:49:46Z", "aliases": [ "CVE-2018-13390" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U" } ], "affected": [ @@ -43,13 +47,17 @@ { "type": "WEB", "url": "https://bitbucket.org/atlassian/cloudtoken/wiki/CVE-2018-13390%20-%20Exposed%20credentials%20in%20daemon%20mode%20on%20Linux" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cloudtoken/PYSEC-2018-1.yaml" } ], "database_specific": { "cwe_ids": [ "CWE-522" ], - "severity": "MODERATE", + "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-04-22T22:45:45Z", "nvd_published_at": "2018-08-10T15:29:00Z" diff --git a/advisories/github-reviewed/2022/05/GHSA-mqwh-r366-4224/GHSA-mqwh-r366-4224.json b/advisories/github-reviewed/2022/05/GHSA-mqwh-r366-4224/GHSA-mqwh-r366-4224.json index 84f442fc3be..70853e2eee3 100644 --- a/advisories/github-reviewed/2022/05/GHSA-mqwh-r366-4224/GHSA-mqwh-r366-4224.json +++ b/advisories/github-reviewed/2022/05/GHSA-mqwh-r366-4224/GHSA-mqwh-r366-4224.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mqwh-r366-4224", - "modified": "2023-08-04T21:48:39Z", + "modified": "2024-09-13T15:56:14Z", "published": "2022-05-24T17:29:11Z", "aliases": [ "CVE-2020-7734" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L/E:U" } ], "affected": [ 
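Review bot: `database_specific.severity` drops from `MODERATE` to `LOW` in the last hunk of GHSA-4fpg-j5mp-783g, and from `HIGH` to `LOW` in GHSA-mqwh-r366-4224 in the next file, while the `CVSS_V3` vectors on both records are left untouched. Both new `CVSS_V4` vectors put all impact on the subsequent system (`VC:N/VI:N/VA:N`) and add `E:U`, which presumably drives the new label. For a credential-exposure issue (CWE-522) and a cross-site scripting issue (CWE-79), that is a large change for anything that filters alerts by a severity threshold. The commit message gives no rationale, so a one-line justification or a reference backing the `E:U` assessment would help consumers decide whether to follow the downgrade.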
@@ -52,6 +56,10 @@ "type": "PACKAGE", "url": "https://github.com/arachnys/cabot" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cabot/PYSEC-2020-227.yaml" + }, { "type": "WEB", "url": "https://itsmeanonartist.tech/blogs/blog2.html" @@ -69,7 +77,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": "HIGH", + "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-08-04T21:48:39Z", "nvd_published_at": "2020-09-22T08:15:00Z" From 34b8be18c71fe59aa4492ae93a2679e6933d997f Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 17:39:44 +0000 Subject: [PATCH 059/170] Publish Advisories GHSA-hcvp-2cc7-jrwr GHSA-rgrf-6mf5-m882 --- .../GHSA-hcvp-2cc7-jrwr.json | 25 ++---- .../GHSA-rgrf-6mf5-m882.json | 82 +++++++++++-------- 2 files changed, 52 insertions(+), 55 deletions(-) diff --git a/advisories/github-reviewed/2024/01/GHSA-hcvp-2cc7-jrwr/GHSA-hcvp-2cc7-jrwr.json b/advisories/github-reviewed/2024/01/GHSA-hcvp-2cc7-jrwr/GHSA-hcvp-2cc7-jrwr.json index 47969b7ce8a..ab4f38aa182 100644 --- a/advisories/github-reviewed/2024/01/GHSA-hcvp-2cc7-jrwr/GHSA-hcvp-2cc7-jrwr.json +++ b/advisories/github-reviewed/2024/01/GHSA-hcvp-2cc7-jrwr/GHSA-hcvp-2cc7-jrwr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hcvp-2cc7-jrwr", - "modified": "2024-01-23T12:50:59Z", + "modified": "2024-09-13T17:38:17Z", "published": "2024-01-23T12:50:59Z", "aliases": [ "CVE-2024-23329" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" } ], "affected": [ 
@@ -36,25 +40,6 @@ "database_specific": { "last_known_affected_version_range": "<= 0.45.12" } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "changedetection-io" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0.39.14" - }, - { - "fixed": "0.45.13" - } - ] - } - ] } ], "references": [ diff --git a/advisories/github-reviewed/2024/01/GHSA-rgrf-6mf5-m882/GHSA-rgrf-6mf5-m882.json b/advisories/github-reviewed/2024/01/GHSA-rgrf-6mf5-m882/GHSA-rgrf-6mf5-m882.json index 58221531319..9643d1e666b 100644 --- a/advisories/github-reviewed/2024/01/GHSA-rgrf-6mf5-m882/GHSA-rgrf-6mf5-m882.json +++ b/advisories/github-reviewed/2024/01/GHSA-rgrf-6mf5-m882/GHSA-rgrf-6mf5-m882.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rgrf-6mf5-m882", - "modified": "2024-01-11T15:18:51Z", + "modified": "2024-09-13T17:39:18Z", "published": "2024-01-11T15:18:51Z", "aliases": [ "CVE-2024-22194" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" } ], "affected": [ 
@@ -277,39 +281,7 @@ }, { "type": "WEB", - "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235" - }, - { - "type": "WEB", - "url": "https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9" - }, - { - "type": "WEB", - "url": "https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b" - }, - { - "type": "WEB", - "url": "https://github.com/casework/CASE-Utilities-Python/commit/5acb929dfb599709d1c8c90d1824dd79e0fd9e10" - }, - { - "type": "WEB", - "url": "https://github.com/casework/CASE-Utilities-Python/commit/7e02d18383eabbeb9fb4ec97d81438c9980a4790" - }, - { - "type": "WEB", - "url": "https://github.com/casework/CASE-Utilities-Python/commit/80551f49241c874c7c50e14abe05c5017630dad2" - }, - { - "type": "WEB", - "url": "https://github.com/casework/CASE-Utilities-Python/commit/939775f956796d0432ecabbf62782ed7ad1007b5" - }, - { - "type": "WEB", - "url": "https://github.com/casework/CASE-Utilities-Python/commit/db428a0745dac4fdd888ced9c52f617695519f9d" - }, - { - "type": "WEB", - "url": "https://github.com/casework/CASE-Utilities-Python/commit/e4ffadc3d56fd303b8f465d727c4a58213d311a1" + "url": "https://github.com/casework/CASE-Utilities-Python/commit/fdc32414eccfcbde6be0fd91b7f491cc0779b02d#diff-e60b9cb8fb480ed27283a030a0898be3475992d78228f4045b12ce5cbb2f0509" }, { "type": "WEB", 
@@ -317,7 +289,47 @@ }, { "type": "WEB", - "url": "https://github.com/casework/CASE-Utilities-Python/commit/fdc32414eccfcbde6be0fd91b7f491cc0779b02d#diff-e60b9cb8fb480ed27283a030a0898be3475992d78228f4045b12ce5cbb2f0509" + "url": "https://github.com/casework/CASE-Utilities-Python/commit/e4ffadc3d56fd303b8f465d727c4a58213d311a1" + }, + { + "type": "WEB", + "url": "https://github.com/casework/CASE-Utilities-Python/commit/db428a0745dac4fdd888ced9c52f617695519f9d" + }, + { + "type": "WEB", + "url": "https://github.com/casework/CASE-Utilities-Python/commit/939775f956796d0432ecabbf62782ed7ad1007b5" + }, + { + "type": "WEB", + "url": "https://github.com/casework/CASE-Utilities-Python/commit/80551f49241c874c7c50e14abe05c5017630dad2" + }, + { + "type": "WEB", + "url": "https://github.com/casework/CASE-Utilities-Python/commit/7e02d18383eabbeb9fb4ec97d81438c9980a4790" + }, + { + "type": "WEB", + "url": "https://github.com/casework/CASE-Utilities-Python/commit/5acb929dfb599709d1c8c90d1824dd79e0fd9e10" + }, + { + "type": "WEB", + "url": "https://github.com/casework/CASE-Utilities-Python/commit/1cccae8eb3cf94b3a28f6490efa0fbf5c82ebd6b" + }, + { + "type": "WEB", + "url": "https://github.com/casework/CASE-Utilities-Python/commit/00864cd12de7c50d882dd1a74915d32e939c25f9" + }, + { + "type": "WEB", + "url": "https://github.com/Cyber-Domain-Ontology/CDO-Utility-Local-UUID/commit/9e78f7cb1075728d0aafc918514f32a1392cd235" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/case-utils/PYSEC-2024-5.yaml" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cdo-local-uuid/PYSEC-2024-6.yaml" }, { "type": "PACKAGE", From 512001f4208bc7f160c1519e6efa9a9fe6e404bf Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 17:41:49 +0000 Subject: [PATCH 060/170] Publish GHSA-mcg6-h362-cmq5 --- .../2022/03/GHSA-mcg6-h362-cmq5/GHSA-mcg6-h362-cmq5.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2022/03/GHSA-mcg6-h362-cmq5/GHSA-mcg6-h362-cmq5.json b/advisories/github-reviewed/2022/03/GHSA-mcg6-h362-cmq5/GHSA-mcg6-h362-cmq5.json index 0299b93925b..dd06f2f4cff 100644 --- a/advisories/github-reviewed/2022/03/GHSA-mcg6-h362-cmq5/GHSA-mcg6-h362-cmq5.json +++ b/advisories/github-reviewed/2022/03/GHSA-mcg6-h362-cmq5/GHSA-mcg6-h362-cmq5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mcg6-h362-cmq5", - "modified": "2022-03-11T20:52:04Z", + "modified": "2024-09-13T17:40:26Z", "published": "2022-03-11T20:52:04Z", "aliases": [ "CVE-2022-0860" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" } ], "affected": [ From 71e6b24d549630ae69b54113be5a27c894770842 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 17:43:51 +0000 Subject: [PATCH 061/170] Publish GHSA-hq37-853p-g5cf --- .../GHSA-hq37-853p-g5cf.json | 21 ++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2021/01/GHSA-hq37-853p-g5cf/GHSA-hq37-853p-g5cf.json b/advisories/github-reviewed/2021/01/GHSA-hq37-853p-g5cf/GHSA-hq37-853p-g5cf.json index 735bee6dbd3..6b83a20fa64 100644 --- a/advisories/github-reviewed/2021/01/GHSA-hq37-853p-g5cf/GHSA-hq37-853p-g5cf.json +++ b/advisories/github-reviewed/2021/01/GHSA-hq37-853p-g5cf/GHSA-hq37-853p-g5cf.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hq37-853p-g5cf", - "modified": "2021-01-06T19:12:20Z", + "modified": "2024-09-13T17:42:15Z", "published": "2021-01-06T16:57:50Z", "aliases": [ "CVE-2021-21236" 
@@ -9,7 +9,14 @@ "summary": "Regular Expression Denial of Service in CairoSVG", "details": "# Doyensec Vulnerability Advisory \n\n* Regular Expression Denial of Service (REDoS) in cairosvg\n* Affected Product: CairoSVG v2.0.0+\n* Vendor: https://github.com/Kozea\n* Severity: Medium\n* Vulnerability Class: Denial of Service\n* Author(s): Ben Caller ([Doyensec](https://doyensec.com))\n\n## Summary\n\nWhen processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS).\nIf an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.\n\n## Technical description\n\nThe vulnerable regular expressions are\n\nhttps://github.com/Kozea/CairoSVG/blob/9c4a982b9a021280ad90e89707eacc1d114e4ac4/cairosvg/colors.py#L190-L191\n\nThe section between 'rgb(' and the final ')' contains multiple overlapping groups.\n\nSince all three infinitely repeating groups accept spaces, a long string of spaces causes catastrophic backtracking when it is not followed by a closing parenthesis.\n\nThe complexity is cubic, so doubling the length of the malicious string of spaces makes processing take 8 times as long.\n\n## Reproduction steps\n\nCreate a malicious SVG of the form:\n\n \n\nwith the following code:\n\n ''\n\nNote that there is no closing parenthesis before the semi-colon.\n\nRun cairosvg e.g.:\n\n cairosvg cairo-redos.svg -o x.png\n\nand notice that it hangs at 100% CPU. Increasing the number of spaces increases the processing time with cubic complexity.\n\n## Remediation\n\nFix the regexes to avoid overlapping parts. 
Perhaps remove the [ \\n\\r\\t]* groups from the regex, and use .strip() on the returned capture group.\n\n## Disclosure timeline\n\n- 2020-12-30: Vulnerability disclosed via email to CourtBouillon", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" + } ], "affected": [ { @@ -45,10 +52,18 @@ "type": "WEB", "url": "https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3" }, + { + "type": "PACKAGE", + "url": "https://github.com/Kozea/CairoSVG" + }, { "type": "WEB", "url": "https://github.com/Kozea/CairoSVG/releases/tag/2.5.1" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2021-5.yaml" + }, { "type": "WEB", "url": "https://pypi.org/project/CairoSVG" @@ -58,7 +73,7 @@ "cwe_ids": [ "CWE-400" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-01-06T16:57:38Z", "nvd_published_at": "2021-01-06T17:15:00Z" From fb91cbb2fbc87f2e062b9580b7268df7340b680f Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 17:45:54 +0000 Subject: [PATCH 062/170] Publish GHSA-f248-v4qh-x2r6 --- .../GHSA-f248-v4qh-x2r6.json | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2021/04/GHSA-f248-v4qh-x2r6/GHSA-f248-v4qh-x2r6.json b/advisories/github-reviewed/2021/04/GHSA-f248-v4qh-x2r6/GHSA-f248-v4qh-x2r6.json index 72823c32698..26f0716cacd 100644 --- a/advisories/github-reviewed/2021/04/GHSA-f248-v4qh-x2r6/GHSA-f248-v4qh-x2r6.json +++ b/advisories/github-reviewed/2021/04/GHSA-f248-v4qh-x2r6/GHSA-f248-v4qh-x2r6.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-f248-v4qh-x2r6", - "modified": "2023-08-31T16:38:53Z", + "modified": "2024-09-13T17:43:29Z", "published": "2021-04-20T16:29:41Z", "aliases": [ "CVE-2020-27589" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -42,16 +46,28 @@ }, { "type": "WEB", - "url": "https://github.com/blackducksoftware/hub-rest-api-python/pull/113/commits/273b27d0de1004389dd8cf43c40b1197c787e7cd" + "url": "https://github.com/blackducksoftware/hub-rest-api-python/pull/113" + }, + { + "type": "WEB", + "url": "https://github.com/blackducksoftware/hub-rest-api-python/commit/0a25777117515b8b4ff287a98f57837a8c6bdbdb" }, { "type": "WEB", "url": "https://community.synopsys.com/s/question/0D52H00005JCZAXSA5/announcement-black-duck-defect-identified" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-f248-v4qh-x2r6" + }, { "type": "PACKAGE", "url": "https://github.com/blackducksoftware/hub-rest-api-python" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/blackduck/PYSEC-2020-26.yaml" + }, { "type": "WEB", "url": "https://pypi.org/project/blackduck" From ea48118894dc25b9617b8ebaee9e719bad6b92ec Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 17:47:53 +0000 Subject: [PATCH 063/170] Publish Advisories GHSA-g86p-hgx5-2pfh GHSA-43fp-rhv2-5gv8 --- .../GHSA-g86p-hgx5-2pfh.json | 22 ++++++++++++++++++- .../GHSA-43fp-rhv2-5gv8.json | 10 ++++++++- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2019/05/GHSA-g86p-hgx5-2pfh/GHSA-g86p-hgx5-2pfh.json b/advisories/github-reviewed/2019/05/GHSA-g86p-hgx5-2pfh/GHSA-g86p-hgx5-2pfh.json index d96a86fd9f4..d1ceef99de6 100644 
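Review bot: The fix reference in GHSA-f248-v4qh-x2r6 changes from `pull/113/commits/273b27d0de1004389dd8cf43c40b1197c787e7cd` to the bare `pull/113` plus `commit/0a25777117515b8b4ff287a98f57837a8c6bdbdb`, so the hash a reader would use to verify the patch is now a different one. Nothing in the hunk shows how the two hashes relate (a merge commit versus the PR commit is my guess), so keeping the original PR-commit URL alongside the new one would preserve the trail. The added `ADVISORY` link to `https://github.com/advisories/GHSA-f248-v4qh-x2r6` points at this record itself and adds no new source. The same self-reference is added in GHSA-g86p-hgx5-2pfh, GHSA-v542-8q9x-cffc, GHSA-4cfr-gjfx-fj3x and GHSA-cr3f-r24j-3chw.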
--- a/advisories/github-reviewed/2019/05/GHSA-g86p-hgx5-2pfh/GHSA-g86p-hgx5-2pfh.json +++ b/advisories/github-reviewed/2019/05/GHSA-g86p-hgx5-2pfh/GHSA-g86p-hgx5-2pfh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g86p-hgx5-2pfh", - "modified": "2022-03-04T21:16:27Z", + "modified": "2024-09-13T17:46:56Z", "published": "2019-05-29T18:48:11Z", "aliases": [ "CVE-2019-12300" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -69,6 +73,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12300" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-g86p-hgx5-2pfh" + }, { "type": "PACKAGE", "url": "https://github.com/buildbot/buildbot" @@ -76,6 +84,18 @@ { "type": "WEB", "url": "https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/buildbot/PYSEC-2019-6.yaml" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLOM2K4M4723BCLHZJEX52KJXZSEVRL" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GXKO7OYLKBTXXXKF4VPHWT7GVYWFVYA" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/12/GHSA-43fp-rhv2-5gv8/GHSA-43fp-rhv2-5gv8.json b/advisories/github-reviewed/2022/12/GHSA-43fp-rhv2-5gv8/GHSA-43fp-rhv2-5gv8.json index 957f9e6165c..54d829f4b1a 100644 --- a/advisories/github-reviewed/2022/12/GHSA-43fp-rhv2-5gv8/GHSA-43fp-rhv2-5gv8.json +++ b/advisories/github-reviewed/2022/12/GHSA-43fp-rhv2-5gv8/GHSA-43fp-rhv2-5gv8.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-43fp-rhv2-5gv8", - "modified": "2022-12-07T23:05:18Z", + "modified": "2024-09-13T17:46:06Z", "published": "2022-12-07T23:05:18Z", "aliases": [ "CVE-2022-23491" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -52,6 +56,10 @@ "type": "PACKAGE", "url": "https://github.com/certifi/python-certifi" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2022-42986.yaml" + }, { "type": "WEB", "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ" From ae886c1654439e473b193c0cfe69f4a18ea27a4d Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 17:50:01 +0000 Subject: [PATCH 064/170] Publish Advisories GHSA-v542-8q9x-cffc GHSA-vx77-5pf4-c9wr --- .../GHSA-v542-8q9x-cffc.json | 18 ++++++++++++++- .../GHSA-vx77-5pf4-c9wr.json | 23 +++++++++++++++---- 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/advisories/github-reviewed/2021/03/GHSA-v542-8q9x-cffc/GHSA-v542-8q9x-cffc.json b/advisories/github-reviewed/2021/03/GHSA-v542-8q9x-cffc/GHSA-v542-8q9x-cffc.json index 6ef84ec32ae..72d1a64693a 100644 --- a/advisories/github-reviewed/2021/03/GHSA-v542-8q9x-cffc/GHSA-v542-8q9x-cffc.json +++ b/advisories/github-reviewed/2021/03/GHSA-v542-8q9x-cffc/GHSA-v542-8q9x-cffc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-v542-8q9x-cffc", - "modified": "2023-09-05T14:34:15Z", + "modified": "2024-09-13T17:49:26Z", "published": "2021-03-19T21:29:02Z", "aliases": [ "CVE-2020-35681" 
@@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -52,9 +56,21 @@ "type": "WEB", "url": "https://channels.readthedocs.io/en/stable/releases/index.html" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-v542-8q9x-cffc" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/channels" + }, { "type": "WEB", "url": "https://github.com/django/channels/releases" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/channels/PYSEC-2021-113.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/05/GHSA-vx77-5pf4-c9wr/GHSA-vx77-5pf4-c9wr.json b/advisories/github-reviewed/2022/05/GHSA-vx77-5pf4-c9wr/GHSA-vx77-5pf4-c9wr.json index c69878b54a2..5512d7f3768 100644 --- a/advisories/github-reviewed/2022/05/GHSA-vx77-5pf4-c9wr/GHSA-vx77-5pf4-c9wr.json +++ b/advisories/github-reviewed/2022/05/GHSA-vx77-5pf4-c9wr/GHSA-vx77-5pf4-c9wr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vx77-5pf4-c9wr", - "modified": "2024-04-29T14:31:33Z", + "modified": "2024-09-13T17:48:35Z", "published": "2022-05-01T06:43:18Z", "aliases": [ "CVE-2006-0847" @@ -9,7 +9,14 @@ "summary": "CherryPy Directory traversal vulnerability", "details": "Directory traversal vulnerability in the staticfilter component in CherryPy before 2.1.1 allows remote attackers to read arbitrary files via \"..\" sequences in unspecified vectors.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { 
@@ -41,6 +48,14 @@ "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24809" }, + { + "type": "PACKAGE", + "url": "https://github.com/cherrypy/cherrypy" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cherrypy/PYSEC-2006-1.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20140724140216/http://secunia.com/advisories/18944" @@ -72,9 +87,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-22" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-04-29T14:31:33Z", "nvd_published_at": "2006-02-22T02:02:00Z" From f2450a7767a1aaf012f99d1a9d985f5c1c0c2b55 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 17:52:03 +0000 Subject: [PATCH 065/170] Publish Advisories GHSA-4cfr-gjfx-fj3x GHSA-cr3f-r24j-3chw --- .../GHSA-4cfr-gjfx-fj3x.json | 19 +++++++++++++++++-- .../GHSA-cr3f-r24j-3chw.json | 14 +++++++++++++- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2021/10/GHSA-4cfr-gjfx-fj3x/GHSA-4cfr-gjfx-fj3x.json b/advisories/github-reviewed/2021/10/GHSA-4cfr-gjfx-fj3x/GHSA-4cfr-gjfx-fj3x.json index e9d02224d1f..a6b75f694a0 100644 --- a/advisories/github-reviewed/2021/10/GHSA-4cfr-gjfx-fj3x/GHSA-4cfr-gjfx-fj3x.json +++ b/advisories/github-reviewed/2021/10/GHSA-4cfr-gjfx-fj3x/GHSA-4cfr-gjfx-fj3x.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4cfr-gjfx-fj3x", - "modified": "2021-10-05T15:51:30Z", + "modified": "2024-09-13T17:50:11Z", "published": "2021-10-05T17:53:11Z", "aliases": [ "CVE-2021-40324" 
@@ -9,7 +9,14 @@ "summary": "Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.", "details": "Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -41,6 +48,10 @@ "type": "WEB", "url": "https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-4cfr-gjfx-fj3x" + }, { "type": "PACKAGE", "url": "https://github.com/cobbler/cobbler" @@ -48,6 +59,10 @@ { "type": "WEB", "url": "https://github.com/cobbler/cobbler/releases/tag/v3.3.0" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-374.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2021/10/GHSA-cr3f-r24j-3chw/GHSA-cr3f-r24j-3chw.json b/advisories/github-reviewed/2021/10/GHSA-cr3f-r24j-3chw/GHSA-cr3f-r24j-3chw.json index 8c23ab8b490..41ec6175d1e 100644 --- a/advisories/github-reviewed/2021/10/GHSA-cr3f-r24j-3chw/GHSA-cr3f-r24j-3chw.json +++ b/advisories/github-reviewed/2021/10/GHSA-cr3f-r24j-3chw/GHSA-cr3f-r24j-3chw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cr3f-r24j-3chw", - "modified": "2023-08-08T19:59:06Z", + "modified": "2024-09-13T17:50:35Z", "published": "2021-10-05T17:53:29Z", "aliases": [ "CVE-2021-40325" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ 
@@ -44,6 +48,10 @@ "type": "WEB", "url": "https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-cr3f-r24j-3chw" + }, { "type": "PACKAGE", "url": "https://github.com/cobbler/cobbler" @@ -51,6 +59,10 @@ { "type": "WEB", "url": "https://github.com/cobbler/cobbler/releases/tag/v3.3.0" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-375.yaml" } ], "database_specific": { From e63c2d712d252ab8f2565d9171f8912f93b2a9a3 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 17:54:03 +0000 Subject: [PATCH 066/170] Publish GHSA-66x7-2r56-fj77 --- .../05/GHSA-66x7-2r56-fj77/GHSA-66x7-2r56-fj77.json | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-66x7-2r56-fj77/GHSA-66x7-2r56-fj77.json b/advisories/github-reviewed/2022/05/GHSA-66x7-2r56-fj77/GHSA-66x7-2r56-fj77.json index 8c10ae43ff9..f122743c8df 100644 --- a/advisories/github-reviewed/2022/05/GHSA-66x7-2r56-fj77/GHSA-66x7-2r56-fj77.json +++ b/advisories/github-reviewed/2022/05/GHSA-66x7-2r56-fj77/GHSA-66x7-2r56-fj77.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-66x7-2r56-fj77", - "modified": "2023-09-28T20:40:46Z", + "modified": "2024-09-13T17:51:51Z", "published": "2022-05-14T01:36:13Z", "aliases": [ "CVE-2019-7313" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -25,7 +29,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "0.9.0" }, { "fixed": "1.8.1" 
@@ -55,6 +59,10 @@ { "type": "WEB", "url": "https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/buildbot/PYSEC-2019-7.yaml" } ], "database_specific": { From 794b9fa6a28894edf182bc946d2e7511b5c1f944 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 17:58:45 +0000 Subject: [PATCH 067/170] Publish GHSA-873q-wpqr-xfgw --- .../GHSA-873q-wpqr-xfgw.json | 25 ++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-873q-wpqr-xfgw/GHSA-873q-wpqr-xfgw.json b/advisories/github-reviewed/2022/05/GHSA-873q-wpqr-xfgw/GHSA-873q-wpqr-xfgw.json index dabc7c42e5d..e9dc6348ee6 100644 --- a/advisories/github-reviewed/2022/05/GHSA-873q-wpqr-xfgw/GHSA-873q-wpqr-xfgw.json +++ b/advisories/github-reviewed/2022/05/GHSA-873q-wpqr-xfgw/GHSA-873q-wpqr-xfgw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-873q-wpqr-xfgw", - "modified": "2023-08-16T23:15:40Z", + "modified": "2024-09-13T17:57:20Z", "published": "2022-05-17T04:19:29Z", "aliases": [ "CVE-2014-3137" @@ -9,7 +9,14 @@ "summary": "Bottle does not properly limit content-types", "details": "Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a `;` (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" + } ], "affected": [ { 
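Review bot: The CVSS_V4 vector added in the GHSA-873q-wpqr-xfgw `severity` hunk (`@@ -9,7 +9,14 @@`) ends in `/E:U`, the exploit-maturity value for "unreported", while the advisory's own `details` line says the flaw was "demonstrated in YouCompleteMe to execute arbitrary code". The threat metric lowers the resulting score, so it should be justified or dropped, e.g. `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"`. The later `@@ -96,7 +115,7 @@` hunk of the same file sets `"severity": "HIGH"`, whereas the CVSS 3.1 vector added here scores 9.8 (Critical). Presumably the label follows the threat-adjusted v4 score; that is worth confirming so consumers that triage on the label do not under-prioritise this entry.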
@@ -79,10 +86,22 @@ "type": "WEB", "url": "https://github.com/bottlepy/bottle/issues/616" }, + { + "type": "WEB", + "url": "https://github.com/defnull/bottle/issues/616" + }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1093255" }, + { + "type": "PACKAGE", + "url": "https://github.com/bottlepy/bottle" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bottle/PYSEC-2014-77.yaml" + }, { "type": "WEB", "url": "http://www.debian.org/security/2014/dsa-2948" @@ -96,7 +115,7 @@ "cwe_ids": [ "CWE-20" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-08-16T23:15:40Z", "nvd_published_at": "2014-10-25T22:55:00Z" From 8365d5fb6c651fc255f82021ab708abce888e750 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:04:17 +0000 Subject: [PATCH 068/170] Publish GHSA-76x8-gg39-5jjg --- .../GHSA-76x8-gg39-5jjg.json | 105 +++++++++++------- 1 file changed, 66 insertions(+), 39 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-76x8-gg39-5jjg/GHSA-76x8-gg39-5jjg.json b/advisories/github-reviewed/2022/05/GHSA-76x8-gg39-5jjg/GHSA-76x8-gg39-5jjg.json index 4caf803e1ec..cd221a48dc0 100644 --- a/advisories/github-reviewed/2022/05/GHSA-76x8-gg39-5jjg/GHSA-76x8-gg39-5jjg.json +++ b/advisories/github-reviewed/2022/05/GHSA-76x8-gg39-5jjg/GHSA-76x8-gg39-5jjg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-76x8-gg39-5jjg", - "modified": "2024-04-01T19:52:43Z", + "modified": "2024-09-13T18:02:56Z", "published": "2022-05-01T23:28:42Z", "aliases": [ "CVE-2008-0252" 
@@ -9,7 +9,14 @@ "summary": "CherryPy Malicious cookies allow access to files outside the session directory", "details": "Directory traversal vulnerability in the _get_file_path function in (1) `lib/sessions.py` in CherryPy 3.0.x up to 3.0.2, (2) `filter/sessionfilter.py` in CherryPy 2.1, and (3) `filter/sessionfilter.py` in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -25,14 +32,30 @@ "introduced": "0" }, { - "fixed": "3.0.3" + "fixed": "2.1.1" } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 3.0.2" - } + ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "cherrypy" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0" + }, + { + "fixed": "3.0.2" + } + ] + } + ] } ], "references": [ 
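Review bot: Both vectors added to the `severity` array in `@@ -9,7 +9,14 @@` rate integrity as none (`I:N`, `VI:N`), but the `details` line directly above says a crafted session id lets remote attackers "create or delete arbitrary files, and possibly read and write portions of arbitrary files". Creating and deleting files is an integrity impact, so the vectors look understated. Something like `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"` with a matching `VI:H` in the v4 string would agree with the text. The exact levels should be confirmed against the upstream scoring before merging.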
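Review bot: The second range added in `@@ -25,14 +32,30 @@` sets `"fixed": "3.0.2"`, which marks 3.0.2 as unaffected, yet `details` describes CherryPy 3.0.x "up to 3.0.2" as vulnerable, and the removed lines carried `"fixed": "3.0.3"` with `"last_known_affected_version_range": "<= 3.0.2"`. Unless 3.0.2 is known to contain the fix, keep `"fixed": "3.0.3"` on the 3.0 range so dependency scanners continue to flag 3.0.2. The first range now ends at `"fixed": "2.1.1"` while `details` also names `filter/sessionfilter.py` in CherryPy 2.x, so whether later 2.x releases are really clear should be checked before they drop out of the affected set. The `affected` array opens before this hunk.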
@@ -48,10 +71,46 @@ "type": "WEB", "url": "https://bugs.gentoo.org/show_bug.cgi?id=204829" }, + { + "type": "PACKAGE", + "url": "https://github.com/cherrypy/cherrypy" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cherrypy/PYSEC-2008-3.yaml" + }, { "type": "WEB", "url": "https://issues.rpath.com/browse/RPL-2127" }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20080129011723/http://secunia.com/advisories/28354" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20080312130713/http://secunia.com/advisories/28353" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20080328003510/http://secunia.com/advisories/28611" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20100122080212/http://www.vupen.com/english/advisories/2008/0039" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20110513223620/http://secunia.com/advisories/28769" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20111224161644/http://secunia.com/advisories/28620" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20151108024505/http://www.securityfocus.com/bid/27181" + }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00240.html" @@ -60,26 +119,6 @@ "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00297.html" }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/28353" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/28354" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/28611" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/28620" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/28769" - }, { "type": "WEB", "url": "http://security.gentoo.org/glsa/glsa-200801-11.xml" 
@@ -103,18 +142,6 @@ { "type": "WEB", "url": "http://www.debian.org/security/2008/dsa-1481" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/archive/1/487001/100/0/threaded" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/27181" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2008/0039" } ], "database_specific": { From 5f7fce5c0e8ea847f9b6c1c8f494b64cd3c6941e Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:06:11 +0000 Subject: [PATCH 069/170] Publish GHSA-6w9p-88qg-p3g3 --- .../GHSA-6w9p-88qg-p3g3.json | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/advisories/github-reviewed/2021/12/GHSA-6w9p-88qg-p3g3/GHSA-6w9p-88qg-p3g3.json b/advisories/github-reviewed/2021/12/GHSA-6w9p-88qg-p3g3/GHSA-6w9p-88qg-p3g3.json index ddb7c67eebc..f8f2fdb62bb 100644 --- a/advisories/github-reviewed/2021/12/GHSA-6w9p-88qg-p3g3/GHSA-6w9p-88qg-p3g3.json +++ b/advisories/github-reviewed/2021/12/GHSA-6w9p-88qg-p3g3/GHSA-6w9p-88qg-p3g3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6w9p-88qg-p3g3", - "modified": "2023-08-31T15:31:45Z", + "modified": "2024-09-13T18:03:57Z", "published": "2021-12-03T20:44:48Z", "aliases": [ "CVE-2021-25967" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -32,10 +36,7 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 2.9.3" - } + ] } ], "references": [ 
@@ -51,10 +52,18 @@ "type": "WEB", "url": "https://github.com/ckan/ckan/commit/5a46989c0a4f2c2873ca182c196da83b82babd25" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-6w9p-88qg-p3g3" + }, { "type": "PACKAGE", "url": "https://github.com/ckan/ckan" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ckan/PYSEC-2021-841.yaml" + }, { "type": "WEB", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25967" From a0bbaf9c789f7b1eb065589b9478dd6050bdf4f2 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:08:09 +0000 Subject: [PATCH 070/170] Publish GHSA-9jjr-qqfp-ppwx --- .../08/GHSA-9jjr-qqfp-ppwx/GHSA-9jjr-qqfp-ppwx.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2021/08/GHSA-9jjr-qqfp-ppwx/GHSA-9jjr-qqfp-ppwx.json b/advisories/github-reviewed/2021/08/GHSA-9jjr-qqfp-ppwx/GHSA-9jjr-qqfp-ppwx.json index 0d396946bd1..75de5ca65c5 100644 --- a/advisories/github-reviewed/2021/08/GHSA-9jjr-qqfp-ppwx/GHSA-9jjr-qqfp-ppwx.json +++ b/advisories/github-reviewed/2021/08/GHSA-9jjr-qqfp-ppwx/GHSA-9jjr-qqfp-ppwx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9jjr-qqfp-ppwx", - "modified": "2021-08-26T14:47:49Z", + "modified": "2024-09-13T18:05:58Z", "published": "2021-08-30T16:16:58Z", "aliases": [ "CVE-2021-39159" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" } ], "affected": [ @@ -60,6 +64,10 @@ { "type": "PACKAGE", "url": "https://github.com/jupyterhub/binderhub" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/binderhub/PYSEC-2021-371.yaml" } ], "database_specific": { 
From b83e3ffd96ecfae966c10c1fe1f41f53cfebc66e Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:10:38 +0000 Subject: [PATCH 071/170] Publish GHSA-mj3x-wprp-mvj9 --- .../GHSA-mj3x-wprp-mvj9.json | 21 ++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-mj3x-wprp-mvj9/GHSA-mj3x-wprp-mvj9.json b/advisories/github-reviewed/2022/05/GHSA-mj3x-wprp-mvj9/GHSA-mj3x-wprp-mvj9.json index f4f82fd3452..e2b726bca5b 100644 --- a/advisories/github-reviewed/2022/05/GHSA-mj3x-wprp-mvj9/GHSA-mj3x-wprp-mvj9.json +++ b/advisories/github-reviewed/2022/05/GHSA-mj3x-wprp-mvj9/GHSA-mj3x-wprp-mvj9.json @@ -1,15 +1,22 @@ { "schema_version": "1.4.0", "id": "GHSA-mj3x-wprp-mvj9", - "modified": "2024-04-01T19:28:56Z", + "modified": "2024-09-13T18:09:12Z", "published": "2022-05-02T03:40:28Z", "aliases": [ "CVE-2009-2967" ], - "summary": "Buildbot Multiple cross-site scripting (XSS) vulnerabilities", + "summary": "Buildbot vulnerable to cross-site scripting", "details": "Multiple cross-site scripting (XSS) vulnerabilities in Buildbot 0.7.6 through 0.7.11p2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, different vulnerabilities than CVE-2009-2959.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" + } ], "affected": [ { @@ -45,6 +52,14 @@ "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52896" }, + { + "type": "PACKAGE", + "url": "https://github.com/buildbot/buildbot" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/buildbot/PYSEC-2009-2.yaml" + }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00978.html" 
From 5d1e5172f3c82a80083a7b15d991ed30a30c5d93 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:12:38 +0000 Subject: [PATCH 072/170] Publish Advisories GHSA-cf3c-fffp-34qh GHSA-f4q6-9qm4-h8j4 --- .../10/GHSA-cf3c-fffp-34qh/GHSA-cf3c-fffp-34qh.json | 10 +++++++++- .../06/GHSA-f4q6-9qm4-h8j4/GHSA-f4q6-9qm4-h8j4.json | 6 +++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2018/10/GHSA-cf3c-fffp-34qh/GHSA-cf3c-fffp-34qh.json b/advisories/github-reviewed/2018/10/GHSA-cf3c-fffp-34qh/GHSA-cf3c-fffp-34qh.json index 63dbba5ad0c..80a0a2f76c2 100644 --- a/advisories/github-reviewed/2018/10/GHSA-cf3c-fffp-34qh/GHSA-cf3c-fffp-34qh.json +++ b/advisories/github-reviewed/2018/10/GHSA-cf3c-fffp-34qh/GHSA-cf3c-fffp-34qh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cf3c-fffp-34qh", - "modified": "2023-09-05T15:09:02Z", + "modified": "2024-09-13T18:11:18Z", "published": "2018-10-29T19:05:38Z", "aliases": [ "CVE-2018-14572" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -52,6 +56,10 @@ "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-cf3c-fffp-34qh" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/conference-scheduler-cli/PYSEC-2018-64.yaml" + }, { "type": "WEB", "url": "https://joel-malwarebenchmark.github.io/blog/2020/04/25/cve-2018-14572-conference-scheduler-cli" diff --git a/advisories/github-reviewed/2022/06/GHSA-f4q6-9qm4-h8j4/GHSA-f4q6-9qm4-h8j4.json b/advisories/github-reviewed/2022/06/GHSA-f4q6-9qm4-h8j4/GHSA-f4q6-9qm4-h8j4.json index 16fde421caa..2e426895b06 100644 --- a/advisories/github-reviewed/2022/06/GHSA-f4q6-9qm4-h8j4/GHSA-f4q6-9qm4-h8j4.json 
+++ b/advisories/github-reviewed/2022/06/GHSA-f4q6-9qm4-h8j4/GHSA-f4q6-9qm4-h8j4.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-f4q6-9qm4-h8j4", - "modified": "2022-06-09T23:48:49Z", + "modified": "2024-09-13T18:10:22Z", "published": "2022-06-09T23:48:49Z", "aliases": [ "CVE-2022-24065" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ From 4e93b23f69139b1cb8ac9b63654726657dd2ccc9 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:14:42 +0000 Subject: [PATCH 073/170] Publish Advisories GHSA-fcf9-3qw3-gxmj GHSA-f54q-j679-p9hh --- .../GHSA-fcf9-3qw3-gxmj.json | 22 ++++++++++++++++++- .../GHSA-f54q-j679-p9hh.json | 8 +++++-- 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-fcf9-3qw3-gxmj/GHSA-fcf9-3qw3-gxmj.json b/advisories/github-reviewed/2018/07/GHSA-fcf9-3qw3-gxmj/GHSA-fcf9-3qw3-gxmj.json index 8ff5e7d4e75..0e334784f32 100644 --- a/advisories/github-reviewed/2018/07/GHSA-fcf9-3qw3-gxmj/GHSA-fcf9-3qw3-gxmj.json +++ b/advisories/github-reviewed/2018/07/GHSA-fcf9-3qw3-gxmj/GHSA-fcf9-3qw3-gxmj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fcf9-3qw3-gxmj", - "modified": "2024-02-23T20:24:24Z", + "modified": "2024-09-13T18:13:03Z", "published": "2018-07-31T18:28:09Z", "aliases": [ "CVE-2018-10903" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ 
@@ -48,13 +52,29 @@ "type": "WEB", "url": "https://github.com/pyca/cryptography/commit/d4378e42937b56f473ddade2667f919ce32208cb" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2018:3600" + }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10903" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-fcf9-3qw3-gxmj" + }, { "type": "PACKAGE", "url": "https://github.com/pyca/cryptography" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2018-52.yaml" + }, + { + "type": "WEB", + "url": "https://usn.ubuntu.com/3720-1" } ], "database_specific": { diff --git a/advisories/github-reviewed/2023/07/GHSA-f54q-j679-p9hh/GHSA-f54q-j679-p9hh.json b/advisories/github-reviewed/2023/07/GHSA-f54q-j679-p9hh/GHSA-f54q-j679-p9hh.json index 01b83c51db1..0d8118d7420 100644 --- a/advisories/github-reviewed/2023/07/GHSA-f54q-j679-p9hh/GHSA-f54q-j679-p9hh.json +++ b/advisories/github-reviewed/2023/07/GHSA-f54q-j679-p9hh/GHSA-f54q-j679-p9hh.json 
@@ -1,17 +1,21 @@ { "schema_version": "1.4.0", "id": "GHSA-f54q-j679-p9hh", - "modified": "2023-07-25T17:49:21Z", + "modified": "2024-09-13T18:12:18Z", "published": "2023-07-25T17:49:21Z", "aliases": [ "CVE-2023-38501" ], - "summary": "Reflected cross-site scripting via k304 parameter", + "summary": "copyparty vulnerable to reflected cross-site scripting via k304 parameter", "details": "### Summary\nThe application contains a reflected cross-site scripting via URL-parameter `?k304=...` and `?setck=...`\n\n### Details\nA reflected cross-site scripting (XSS) vulnerability exists in the web interface of the application that could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.\n\nThe worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.\n\nIt is recommended to change the passwords of your copyparty accounts, unless you have inspected your logs and found no trace of attacks.\n\n### Checking for exposure\nif copyparty is running behind a reverse proxy, you can check the access-logs for traces of attacks, by grepping for URLs containing `?hc=` with `<` somewhere in its value, for example using the following command:\n* nginx:\n ```bash\n (gzip -dc access.log*.gz; cat access.log) | sed -r 's/\" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]|[?&](hc|pw)=.*[<>]'\n ```\nthe above commands also check for attacks against GHSA-cw7j-v52w-fp5r\n\n### PoC\n`https://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E`\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" } ], "affected": [ From f76f0edd9256a813486dced90ec7348dfaeeebd8 Mon Sep 17 00:00:00 2001 
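Review bot: The CVSS_V4 vector added for GHSA-f54q-j679-p9hh uses `AV:L`, while the CVSS_V3 entry directly above it keeps `AV:N` and `details` describes a reflected XSS delivered through a URL parameter of the web interface. A local attack vector contradicts the v3 entry and lowers the v4 score. `AV:N` looks intended, i.e. `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"`. The `affected` array that follows continues outside this hunk.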
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:17:28 +0000 Subject: [PATCH 074/170] Publish GHSA-hggm-jpg3-v476 --- .../GHSA-hggm-jpg3-v476/GHSA-hggm-jpg3-v476.json | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2020/10/GHSA-hggm-jpg3-v476/GHSA-hggm-jpg3-v476.json b/advisories/github-reviewed/2020/10/GHSA-hggm-jpg3-v476/GHSA-hggm-jpg3-v476.json index 12e48957e8d..99a0676a380 100644 --- a/advisories/github-reviewed/2020/10/GHSA-hggm-jpg3-v476/GHSA-hggm-jpg3-v476.json +++ b/advisories/github-reviewed/2020/10/GHSA-hggm-jpg3-v476/GHSA-hggm-jpg3-v476.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hggm-jpg3-v476", - "modified": "2022-07-29T18:12:08Z", + "modified": "2024-09-13T18:16:06Z", "published": "2020-10-27T20:33:13Z", "aliases": [ "CVE-2020-25659" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -46,16 +50,24 @@ }, { "type": "WEB", - "url": "https://github.com/pyca/cryptography/pull/5507/commits/ce1bef6f1ee06ac497ca0c837fbd1c7ef6c2472b" + "url": "https://github.com/pyca/cryptography/pull/5507" }, { "type": "WEB", "url": "https://github.com/pyca/cryptography/commit/58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-hggm-jpg3-v476" + }, { "type": "PACKAGE", "url": "https://github.com/pyca/cryptography" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2021-62.yaml" + }, { "type": "WEB", "url": "https://pypi.org/project/cryptography" From 70f178a10632a159ac3dde429cb8f4cdd3e2d94f Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:21:20 +0000 Subject: [PATCH 075/170] Publish GHSA-pxfv-7rr3-2qjg --- .../2023/07/GHSA-pxfv-7rr3-2qjg/GHSA-pxfv-7rr3-2qjg.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2023/07/GHSA-pxfv-7rr3-2qjg/GHSA-pxfv-7rr3-2qjg.json b/advisories/github-reviewed/2023/07/GHSA-pxfv-7rr3-2qjg/GHSA-pxfv-7rr3-2qjg.json index 2235408c4ce..6e697195532 100644 --- a/advisories/github-reviewed/2023/07/GHSA-pxfv-7rr3-2qjg/GHSA-pxfv-7rr3-2qjg.json +++ b/advisories/github-reviewed/2023/07/GHSA-pxfv-7rr3-2qjg/GHSA-pxfv-7rr3-2qjg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pxfv-7rr3-2qjg", - "modified": "2023-11-14T19:04:47Z", + "modified": "2024-09-13T18:19:54Z", "published": "2023-07-14T21:59:23Z", "aliases": [ "CVE-2023-37474" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From f93447a4912f385bcd9acf7cb4234812ff529098 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:29:44 +0000 Subject: [PATCH 076/170] Publish Advisories GHSA-m85c-9mf8-m2m6 GHSA-jjjh-jjxp-wpff GHSA-7mgx-gvjw-m3w3 --- .../GHSA-m85c-9mf8-m2m6.json | 10 ++++++- .../GHSA-jjjh-jjxp-wpff.json | 4 +-- .../GHSA-7mgx-gvjw-m3w3.json | 29 ++++++++++++++++++- 3 files changed, 39 insertions(+), 4 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-m85c-9mf8-m2m6/GHSA-m85c-9mf8-m2m6.json b/advisories/github-reviewed/2018/07/GHSA-m85c-9mf8-m2m6/GHSA-m85c-9mf8-m2m6.json index 67584db0b4c..c1c9abd0e9c 100644 --- a/advisories/github-reviewed/2018/07/GHSA-m85c-9mf8-m2m6/GHSA-m85c-9mf8-m2m6.json +++ b/advisories/github-reviewed/2018/07/GHSA-m85c-9mf8-m2m6/GHSA-m85c-9mf8-m2m6.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m85c-9mf8-m2m6", - "modified": "2023-08-23T22:09:03Z", + "modified": "2024-09-13T18:29:06Z", "published": "2018-07-18T18:28:26Z", "aliases": [ "CVE-2017-16763" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -61,6 +65,10 @@ "type": "PACKAGE", "url": "https://github.com/bbengfort/confire" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/confire/PYSEC-2017-78.yaml" + }, { "type": "WEB", "url": "https://joel-malwarebenchmark.github.io/blog/2017/11/12/cve-2017-16763-configure-loaded-through-confire" diff --git a/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json b/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json index 504375436b0..79969847321 100644 --- a/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json +++ b/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json 
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-jjjh-jjxp-wpff", - "modified": "2024-03-15T00:14:43Z", + "modified": "2024-09-13T18:29:13Z", "published": "2022-10-03T00:00:31Z", "aliases": [ "CVE-2022-42003" ], "summary": "Uncontrolled Resource Consumption in Jackson-databind", - "details": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.\n\nCommits that introduced vulnerable code are \nhttps://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.\n\nFix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.", + "details": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. 
This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.\n\nCommits that introduced vulnerable code are \nhttps://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.\n\nFix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.\n\nThe `2.13.4.1` release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in `2.13.4.2` which is listed in the advisory metadata so that users are not subjected to unnecessary build failures", "severity": [ { "type": "CVSS_V3", diff --git a/advisories/github-reviewed/2024/01/GHSA-7mgx-gvjw-m3w3/GHSA-7mgx-gvjw-m3w3.json b/advisories/github-reviewed/2024/01/GHSA-7mgx-gvjw-m3w3/GHSA-7mgx-gvjw-m3w3.json index d0cbf302654..353a3427e3e 100644 --- a/advisories/github-reviewed/2024/01/GHSA-7mgx-gvjw-m3w3/GHSA-7mgx-gvjw-m3w3.json +++ b/advisories/github-reviewed/2024/01/GHSA-7mgx-gvjw-m3w3/GHSA-7mgx-gvjw-m3w3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7mgx-gvjw-m3w3", - "modified": "2024-01-31T12:37:36Z", + "modified": "2024-09-13T18:28:16Z", "published": "2024-01-30T03:30:30Z", "aliases": [ "CVE-2023-51982" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ 
@@ -90,6 +94,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "crate" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.35.2" + } + ] + } + ] } ], "references": [ @@ -105,6 +128,10 @@ "type": "WEB", "url": "https://github.com/crate/crate/pull/15234" }, + { + "type": "WEB", + "url": "https://github.com/crate/crate-python/commit/813946b9420d45877ef7c369311dbc8804d6674f" + }, { "type": "WEB", "url": "https://github.com/crate/crate/commit/0c166ef083bec4d64dd55c1d8cb9b3dec350d241" From d812b15f17fe9be60bd6284aa894b7bc190ae58f Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:31:53 +0000 Subject: [PATCH 077/170] Publish Advisories GHSA-5946-mpw5-pqxx GHSA-9266-j9v3-q4j5 --- .../GHSA-5946-mpw5-pqxx.json | 14 +++++++++++++- .../GHSA-9266-j9v3-q4j5.json | 18 +++++++++++++++++- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2022/02/GHSA-5946-mpw5-pqxx/GHSA-5946-mpw5-pqxx.json b/advisories/github-reviewed/2022/02/GHSA-5946-mpw5-pqxx/GHSA-5946-mpw5-pqxx.json index 56eaf5bbbfb..0b065fccd9d 100644 --- a/advisories/github-reviewed/2022/02/GHSA-5946-mpw5-pqxx/GHSA-5946-mpw5-pqxx.json +++ b/advisories/github-reviewed/2022/02/GHSA-5946-mpw5-pqxx/GHSA-5946-mpw5-pqxx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5946-mpw5-pqxx", - "modified": "2022-03-08T18:49:35Z", + "modified": "2024-09-13T18:30:44Z", "published": "2022-02-21T00:00:20Z", "aliases": [ "CVE-2021-45083" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ 
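Review bot: In the GHSA-5946-mpw5-pqxx hunk `@@ -12,6 +12,10 @@`, the two `severity` entries disagree on attack vector: the existing CVSS_V3 vector is `AV:L` and the added CVSS_V4 vector is `AV:N`, with the other mapped metrics carried over unchanged. Nothing visible in the hunk explains the change, so one of the two is presumably wrong. If the v3 vector is authoritative, the new line would be `"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"`. The advisory's summary and details sit outside this hunk, so which value is correct cannot be settled from here.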
@@ -52,6 +56,10 @@ "type": "WEB", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1193671" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-5946-mpw5-pqxx" + }, { "type": "PACKAGE", "url": "https://github.com/cobbler/cobbler" @@ -64,6 +72,10 @@ "type": "WEB", "url": "https://github.com/cobbler/cobbler/releases/tag/v3.3.1" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2022-38.yaml" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEJN7CPW6YCHBFQPFZKGA6AVA6T5NPIW" diff --git a/advisories/github-reviewed/2022/06/GHSA-9266-j9v3-q4j5/GHSA-9266-j9v3-q4j5.json b/advisories/github-reviewed/2022/06/GHSA-9266-j9v3-q4j5/GHSA-9266-j9v3-q4j5.json index b5cfb356502..71eeeb40bca 100644 --- a/advisories/github-reviewed/2022/06/GHSA-9266-j9v3-q4j5/GHSA-9266-j9v3-q4j5.json +++ b/advisories/github-reviewed/2022/06/GHSA-9266-j9v3-q4j5/GHSA-9266-j9v3-q4j5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9266-j9v3-q4j5", - "modified": "2024-04-24T21:38:00Z", + "modified": "2024-09-13T18:30:10Z", "published": "2022-06-11T00:00:36Z", "aliases": [ "CVE-2022-32563" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -40,6 +44,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32563" }, + { + "type": "WEB", + "url": "https://forums.couchbase.com/tags/security" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/couchbase/PYSEC-2022-207.yaml" + }, + { + "type": "WEB", + "url": "https://www.couchbase.com/alerts" + }, { "type": "WEB", "url": "https://www.couchbase.com/alerts/#CVE-2022-32563" From 52f787d1b4634e00beac0dbc8d4e88f9a1f29394 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:34:00 +0000 Subject: [PATCH 078/170] Advisory Database Sync --- .../GHSA-rhm9-p9w5-fwm7.json | 25 +++++++- .../GHSA-g6xf-xq8f-56f4.json | 7 ++- .../GHSA-2g29-vvh2-xx4w.json | 2 +- .../GHSA-5q43-wwhh-v8wh.json | 2 +- .../GHSA-5rj2-m4rq-8fmp.json | 2 +- .../GHSA-cj23-4vc3-qpfc.json | 2 +- .../GHSA-mrh7-ghhj-6r6w.json | 2 +- .../GHSA-vjwc-c2cc-76g5.json | 2 +- .../GHSA-wqw5-fg63-857m.json | 2 +- .../GHSA-fhx8-5c23-x7x5.json | 14 ++++- .../GHSA-xfrr-fwx4-vqh9.json | 14 ++++- .../GHSA-382m-fgqc-gfhw.json | 6 +- .../GHSA-fg32-7hw7-w82p.json | 3 +- .../GHSA-jvrv-28g9-r22f.json | 11 ++-- .../GHSA-m9vj-66ph-2pqf.json | 11 ++-- .../GHSA-2qhq-448h-5333.json | 1 + .../GHSA-4r4v-2j2q-ch33.json | 2 +- .../GHSA-xj8p-vpqc-xj39.json | 2 +- .../GHSA-2h6h-vcrw-57ff.json | 11 ++-- .../GHSA-2hgx-34f4-hp3q.json | 38 ++++++++++++ .../GHSA-2hm7-3qf5-g28w.json | 6 +- .../GHSA-2qxv-pr9r-9797.json | 38 ++++++++++++ .../GHSA-34r9-jr37-pmrf.json | 11 ++-- .../GHSA-35qc-5x66-f277.json | 11 ++-- .../GHSA-375r-hmjc-j5gg.json | 11 ++-- .../GHSA-3rvq-3fc5-4w68.json | 11 ++-- .../GHSA-3w3r-r6g6-w8x5.json | 2 +- .../GHSA-3xv2-v2hj-2crv.json | 9 ++- .../GHSA-4gw2-r6x4-xxxg.json | 11 ++-- .../GHSA-4j5q-jrmv-h6pp.json | 11 ++-- .../GHSA-4qc3-9vcj-2gh8.json | 3 +- .../GHSA-5293-cf37-fxqw.json | 11 ++-- .../GHSA-5397-7533-4p4r.json | 38 ++++++++++++ .../GHSA-56j2-rfmx-x6p8.json | 11 ++-- .../GHSA-573v-9j9r-xm6w.json | 38 ++++++++++++ .../GHSA-5785-6rg8-vqjc.json | 3 +- .../GHSA-5m73-3pch-86m2.json | 11 ++-- .../GHSA-5pqc-wgxh-g2rx.json | 38 ++++++++++++ .../GHSA-5qvx-cmvh-v55m.json | 11 ++-- .../GHSA-5w55-q3rh-9cgc.json | 11 ++-- .../GHSA-62hc-56xq-xr7v.json | 38 ++++++++++++ .../GHSA-64qj-9hxc-x9rc.json | 11 ++-- .../GHSA-66cw-5j4x-3r2w.json | 11 ++-- .../GHSA-6p2q-8qfq-wq7x.json | 42 ++++++++++++++ .../GHSA-6x3x-mhgp-4j2c.json | 2 +- .../GHSA-7977-m9r5-5r9p.json | 11 ++-- 
.../GHSA-7f48-pc7q-83qh.json | 11 ++-- .../GHSA-7fv4-rmp7-g4qh.json | 11 ++-- .../GHSA-7g34-wcpj-vf55.json | 11 ++-- .../GHSA-8grv-f28f-g844.json | 11 ++-- .../GHSA-8v66-q974-wq26.json | 11 ++-- .../GHSA-956h-wvh5-7cgp.json | 11 ++-- .../GHSA-9672-786w-jwpr.json | 11 ++-- .../GHSA-974p-hhmc-6h46.json | 39 +++++++++++++ .../GHSA-98wp-w76v-f75p.json | 2 +- .../GHSA-9jmp-j63g-8x6m.json | 42 ++++++++++++++ .../GHSA-9mqh-56r5-64mq.json | 38 ++++++++++++ .../GHSA-9rrr-65q4-qrrq.json | 38 ++++++++++++ .../GHSA-f2v6-mw6x-qmwc.json | 3 +- .../GHSA-fr4x-3m2g-jm28.json | 9 ++- .../GHSA-fwj7-298v-7488.json | 58 +++++++++++++++++++ .../GHSA-g26j-5385-hhw3.json | 42 ++++++++++++++ .../GHSA-gpg6-84h3-cwv8.json | 1 + .../GHSA-gq5m-j7gp-3x7q.json | 9 ++- .../GHSA-gr4h-g2ph-j8j2.json | 9 ++- .../GHSA-gx3x-w926-g8pm.json | 9 ++- .../GHSA-hggx-qfvf-7mfh.json | 11 ++-- .../GHSA-hwwh-7cg2-3v75.json | 38 ++++++++++++ .../GHSA-j8r5-27mh-4xh9.json | 9 ++- .../GHSA-jf76-2c3p-rhc5.json | 11 ++-- .../GHSA-jfgw-v3p5-42qh.json | 6 +- .../GHSA-jfrm-qx4v-5m72.json | 38 ++++++++++++ .../GHSA-jhgj-6hmm-vm6v.json | 39 +++++++++++++ .../GHSA-jhh2-7qpr-2pv5.json | 11 ++-- .../GHSA-jm4p-4c99-gp7x.json | 35 +++++++++++ .../GHSA-jrpv-cgg9-hfmj.json | 11 ++-- .../GHSA-m2wr-9pq6-49jc.json | 2 +- .../GHSA-m3hv-89f3-wrrc.json | 11 ++-- .../GHSA-m48w-79jh-f8w7.json | 11 ++-- .../GHSA-mfw6-959v-265j.json | 9 ++- .../GHSA-mpm4-ggh2-c745.json | 9 ++- .../GHSA-p5f6-v7vq-6742.json | 38 ++++++++++++ .../GHSA-p5xc-g9x9-74jh.json | 11 ++-- .../GHSA-p9p3-pvmx-pxrh.json | 1 + .../GHSA-pc7p-wr8c-6r5f.json | 11 ++-- .../GHSA-q53p-qm4c-c2wj.json | 11 ++-- .../GHSA-q7vm-868g-mvqm.json | 38 ++++++++++++ .../GHSA-q993-jv9q-jjjm.json | 1 + .../GHSA-r268-64hq-mv45.json | 3 +- .../GHSA-r3gx-4wx6-8mr3.json | 11 ++-- .../GHSA-r89w-9fr4-c7c9.json | 39 +++++++++++++ .../GHSA-rhqc-rfxh-qj7g.json | 9 ++- .../GHSA-rp3x-cq62-cvh4.json | 2 +- .../GHSA-v6x6-4v4x-2fx9.json | 42 ++++++++++++++ .../GHSA-vfwm-h968-g65h.json | 39 
+++++++++++++ .../GHSA-vg62-5q72-657x.json | 11 ++-- .../GHSA-vp87-57rp-pq64.json | 38 ++++++++++++ .../GHSA-w25j-fg8w-7xmx.json | 38 ++++++++++++ .../GHSA-w6fj-6wrc-6vhr.json | 11 ++-- .../GHSA-w73r-8mm4-cfvf.json | 42 ++++++++++++++ .../GHSA-w8pf-f5g8-5xgv.json | 9 ++- .../GHSA-wcv7-2grg-g5qr.json | 38 ++++++++++++ .../GHSA-ww57-48hq-5w83.json | 11 ++-- .../GHSA-wxmv-3hm7-2jqh.json | 42 ++++++++++++++ .../GHSA-x863-gchp-57m3.json | 3 +- .../GHSA-x9q5-m7gx-rf9w.json | 38 ++++++++++++ .../GHSA-xg5q-q7c3-jvmv.json | 9 ++- .../GHSA-xqww-5c9g-v62q.json | 42 ++++++++++++++ .../GHSA-xrjv-8x73-5h7v.json | 11 ++-- 109 files changed, 1582 insertions(+), 214 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-2hgx-34f4-hp3q/GHSA-2hgx-34f4-hp3q.json create mode 100644 advisories/unreviewed/2024/09/GHSA-2qxv-pr9r-9797/GHSA-2qxv-pr9r-9797.json create mode 100644 advisories/unreviewed/2024/09/GHSA-5397-7533-4p4r/GHSA-5397-7533-4p4r.json create mode 100644 advisories/unreviewed/2024/09/GHSA-573v-9j9r-xm6w/GHSA-573v-9j9r-xm6w.json create mode 100644 advisories/unreviewed/2024/09/GHSA-5pqc-wgxh-g2rx/GHSA-5pqc-wgxh-g2rx.json create mode 100644 advisories/unreviewed/2024/09/GHSA-62hc-56xq-xr7v/GHSA-62hc-56xq-xr7v.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json create mode 100644 advisories/unreviewed/2024/09/GHSA-974p-hhmc-6h46/GHSA-974p-hhmc-6h46.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9mqh-56r5-64mq/GHSA-9mqh-56r5-64mq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9rrr-65q4-qrrq/GHSA-9rrr-65q4-qrrq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-fwj7-298v-7488/GHSA-fwj7-298v-7488.json create mode 100644 advisories/unreviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json create mode 100644 advisories/unreviewed/2024/09/GHSA-hwwh-7cg2-3v75/GHSA-hwwh-7cg2-3v75.json create mode 
100644 advisories/unreviewed/2024/09/GHSA-jfrm-qx4v-5m72/GHSA-jfrm-qx4v-5m72.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jhgj-6hmm-vm6v/GHSA-jhgj-6hmm-vm6v.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jm4p-4c99-gp7x/GHSA-jm4p-4c99-gp7x.json create mode 100644 advisories/unreviewed/2024/09/GHSA-p5f6-v7vq-6742/GHSA-p5f6-v7vq-6742.json create mode 100644 advisories/unreviewed/2024/09/GHSA-q7vm-868g-mvqm/GHSA-q7vm-868g-mvqm.json create mode 100644 advisories/unreviewed/2024/09/GHSA-r89w-9fr4-c7c9/GHSA-r89w-9fr4-c7c9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-vfwm-h968-g65h/GHSA-vfwm-h968-g65h.json create mode 100644 advisories/unreviewed/2024/09/GHSA-vp87-57rp-pq64/GHSA-vp87-57rp-pq64.json create mode 100644 advisories/unreviewed/2024/09/GHSA-w25j-fg8w-7xmx/GHSA-w25j-fg8w-7xmx.json create mode 100644 advisories/unreviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json create mode 100644 advisories/unreviewed/2024/09/GHSA-wcv7-2grg-g5qr/GHSA-wcv7-2grg-g5qr.json create mode 100644 advisories/unreviewed/2024/09/GHSA-wxmv-3hm7-2jqh/GHSA-wxmv-3hm7-2jqh.json create mode 100644 advisories/unreviewed/2024/09/GHSA-x9q5-m7gx-rf9w/GHSA-x9q5-m7gx-rf9w.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xqww-5c9g-v62q/GHSA-xqww-5c9g-v62q.json diff --git a/advisories/github-reviewed/2021/02/GHSA-rhm9-p9w5-fwm7/GHSA-rhm9-p9w5-fwm7.json b/advisories/github-reviewed/2021/02/GHSA-rhm9-p9w5-fwm7/GHSA-rhm9-p9w5-fwm7.json index 0cb5e88c3a2..08ba9156bc0 100644 --- a/advisories/github-reviewed/2021/02/GHSA-rhm9-p9w5-fwm7/GHSA-rhm9-p9w5-fwm7.json +++ b/advisories/github-reviewed/2021/02/GHSA-rhm9-p9w5-fwm7/GHSA-rhm9-p9w5-fwm7.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rhm9-p9w5-fwm7", - "modified": "2023-08-30T22:06:59Z", + "modified": "2024-09-13T18:33:13Z", "published": "2021-02-10T01:32:27Z", "aliases": [ "CVE-2020-36242" 
@@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -20,6 +24,11 @@ "ecosystem": "PyPI", "name": "cryptography" }, + "ecosystem_specific": { + "affected_functions": [ + "cryptography.hazmat.backends.openssl.ciphers._CipherContext" + ] + }, "ranges": [ { "type": "ECOSYSTEM", @@ -52,6 +61,10 @@ "type": "WEB", "url": "https://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-rhm9-p9w5-fwm7" + }, { "type": "PACKAGE", "url": "https://github.com/pyca/cryptography" @@ -64,6 +77,14 @@ "type": "WEB", "url": "https://github.com/pyca/cryptography/compare/3.3.1...3.3.2" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2021-63.yaml" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E" @@ -82,7 +103,7 @@ "CWE-190", "CWE-787" ], - "severity": "CRITICAL", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-02-10T01:31:02Z", "nvd_published_at": "2021-02-07T20:15:00Z" diff --git a/advisories/unreviewed/2022/05/GHSA-g6xf-xq8f-56f4/GHSA-g6xf-xq8f-56f4.json b/advisories/unreviewed/2022/05/GHSA-g6xf-xq8f-56f4/GHSA-g6xf-xq8f-56f4.json index 970cb2092c0..ee496509720 100644 --- a/advisories/unreviewed/2022/05/GHSA-g6xf-xq8f-56f4/GHSA-g6xf-xq8f-56f4.json +++ b/advisories/unreviewed/2022/05/GHSA-g6xf-xq8f-56f4/GHSA-g6xf-xq8f-56f4.json 
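Review bot: In GHSA-rhm9-p9w5-fwm7.json, hunk `@@ -64,6 +77,14 @@`, the added `package-announce%40lists.fedoraproject.org/...` reference is the percent-encoded form of the `package-announce@lists.fedoraproject.org/...` URL that already follows it as a context line, so the record now lists the same mailing-list message twice. Tools that deduplicate references by exact string will not collapse the pair. I would drop the `%40` entry and keep only the `PYSEC-2021-63.yaml` reference in this addition.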
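Review bot: In GHSA-rhm9-p9w5-fwm7.json, hunk `@@ -82,7 +103,7 @@`, `"severity": "HIGH"` no longer matches the CVSS_V3 vector retained in the first hunk: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H` scores 9.1 under v3.1, which is the critical band. The downgrade presumably follows the newly added CVSS_V4 vector, but nothing in the record says which vector the label is derived from. Consumers that read only `severity` plus the V3 score will see a contradiction, so either the label or the V3 entry should be reconciled; if the label is meant to track V4, that rule should be stated in the schema documentation.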
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-g6xf-xq8f-56f4", - "modified": "2024-09-12T18:31:37Z", + "modified": "2024-09-13T18:31:40Z", "published": "2022-05-02T03:26:42Z", "aliases": [ "CVE-2009-1605" ], "details": "Heap-based buffer overflow in the loadexponentialfunc function in mupdf/pdf_function.c in MuPDF in the mupdf-20090223-win32 package, as used in SumatraPDF 0.9.3 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF file. NOTE: some of these details are obtained from third party information.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + } ], "affected": [ diff --git a/advisories/unreviewed/2023/07/GHSA-2g29-vvh2-xx4w/GHSA-2g29-vvh2-xx4w.json b/advisories/unreviewed/2023/07/GHSA-2g29-vvh2-xx4w/GHSA-2g29-vvh2-xx4w.json index 5d391ec794c..3c228aa01c9 100644 --- a/advisories/unreviewed/2023/07/GHSA-2g29-vvh2-xx4w/GHSA-2g29-vvh2-xx4w.json +++ b/advisories/unreviewed/2023/07/GHSA-2g29-vvh2-xx4w/GHSA-2g29-vvh2-xx4w.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/07/GHSA-5q43-wwhh-v8wh/GHSA-5q43-wwhh-v8wh.json b/advisories/unreviewed/2023/07/GHSA-5q43-wwhh-v8wh/GHSA-5q43-wwhh-v8wh.json index 8a7c835d6fd..32a5e77b4a6 100644 --- a/advisories/unreviewed/2023/07/GHSA-5q43-wwhh-v8wh/GHSA-5q43-wwhh-v8wh.json +++ b/advisories/unreviewed/2023/07/GHSA-5q43-wwhh-v8wh/GHSA-5q43-wwhh-v8wh.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-306" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-5rj2-m4rq-8fmp/GHSA-5rj2-m4rq-8fmp.json b/advisories/unreviewed/2023/10/GHSA-5rj2-m4rq-8fmp/GHSA-5rj2-m4rq-8fmp.json index 34d4af5fc62..3a6326a52db 100644 --- a/advisories/unreviewed/2023/10/GHSA-5rj2-m4rq-8fmp/GHSA-5rj2-m4rq-8fmp.json 
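Review bot: In GHSA-g6xf-xq8f-56f4.json, hunk `@@ -1,14 +1,17 @@`, the added vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N` rates the impact as low confidentiality, low integrity and no availability loss, while the `details` text on the context line describes a heap-based buffer overflow that lets a remote attacker execute arbitrary code. Arbitrary code execution is normally scored with high impact on all three, i.e. a vector ending `C:H/I:H/A:H`; the value here looks copied from a different class of issue. The hunk does not show the upstream scoring source, so this should be checked against it before the record is used for triage, since the current vector would rank the advisory far below comparable memory-corruption issues.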
+++ b/advisories/unreviewed/2023/10/GHSA-5rj2-m4rq-8fmp/GHSA-5rj2-m4rq-8fmp.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-200" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-cj23-4vc3-qpfc/GHSA-cj23-4vc3-qpfc.json b/advisories/unreviewed/2023/10/GHSA-cj23-4vc3-qpfc/GHSA-cj23-4vc3-qpfc.json index 269884ade4e..a4082efe87c 100644 --- a/advisories/unreviewed/2023/10/GHSA-cj23-4vc3-qpfc/GHSA-cj23-4vc3-qpfc.json +++ b/advisories/unreviewed/2023/10/GHSA-cj23-4vc3-qpfc/GHSA-cj23-4vc3-qpfc.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-306" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-mrh7-ghhj-6r6w/GHSA-mrh7-ghhj-6r6w.json b/advisories/unreviewed/2023/10/GHSA-mrh7-ghhj-6r6w/GHSA-mrh7-ghhj-6r6w.json index 52e6c1f03ff..7a07553c0bd 100644 --- a/advisories/unreviewed/2023/10/GHSA-mrh7-ghhj-6r6w/GHSA-mrh7-ghhj-6r6w.json +++ b/advisories/unreviewed/2023/10/GHSA-mrh7-ghhj-6r6w/GHSA-mrh7-ghhj-6r6w.json @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-vjwc-c2cc-76g5/GHSA-vjwc-c2cc-76g5.json b/advisories/unreviewed/2023/10/GHSA-vjwc-c2cc-76g5/GHSA-vjwc-c2cc-76g5.json index af2a1fc978d..7b4aed7f9e0 100644 --- a/advisories/unreviewed/2023/10/GHSA-vjwc-c2cc-76g5/GHSA-vjwc-c2cc-76g5.json +++ b/advisories/unreviewed/2023/10/GHSA-vjwc-c2cc-76g5/GHSA-vjwc-c2cc-76g5.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-wqw5-fg63-857m/GHSA-wqw5-fg63-857m.json b/advisories/unreviewed/2023/10/GHSA-wqw5-fg63-857m/GHSA-wqw5-fg63-857m.json index 103eceefbc4..def3c895949 100644 --- a/advisories/unreviewed/2023/10/GHSA-wqw5-fg63-857m/GHSA-wqw5-fg63-857m.json 
+++ b/advisories/unreviewed/2023/10/GHSA-wqw5-fg63-857m/GHSA-wqw5-fg63-857m.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-200" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json b/advisories/unreviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json index 5c01f5c8e7b..f4e0cfd7e5b 100644 --- a/advisories/unreviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json +++ b/advisories/unreviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fhx8-5c23-x7x5", - "modified": "2024-08-21T18:31:25Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-03-01T15:31:37Z", "aliases": [ "CVE-2023-46950" @@ -25,6 +25,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46950" }, + { + "type": "WEB", + "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829" + }, + { + "type": "WEB", + "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7" + }, { "type": "WEB", "url": "https://link.org" @@ -32,6 +40,10 @@ { "type": "WEB", "url": "https://www.link.com" + }, + { + "type": "WEB", + "url": "https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/03/GHSA-xfrr-fwx4-vqh9/GHSA-xfrr-fwx4-vqh9.json b/advisories/unreviewed/2024/03/GHSA-xfrr-fwx4-vqh9/GHSA-xfrr-fwx4-vqh9.json index 917980d2376..715137fcaad 100644 --- a/advisories/unreviewed/2024/03/GHSA-xfrr-fwx4-vqh9/GHSA-xfrr-fwx4-vqh9.json +++ b/advisories/unreviewed/2024/03/GHSA-xfrr-fwx4-vqh9/GHSA-xfrr-fwx4-vqh9.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xfrr-fwx4-vqh9", - "modified": "2024-08-01T15:31:29Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-03-01T15:31:37Z", "aliases": [ "CVE-2023-46951" 
@@ -25,6 +25,14 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46951" }, + { + "type": "WEB", + "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829" + }, + { + "type": "WEB", + "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7" + }, { "type": "WEB", "url": "https://link.org" @@ -32,6 +40,10 @@ { "type": "WEB", "url": "https://www.link.com" + }, + { + "type": "WEB", + "url": "https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951" } ], "database_specific": { diff --git a/advisories/unreviewed/2024/06/GHSA-382m-fgqc-gfhw/GHSA-382m-fgqc-gfhw.json b/advisories/unreviewed/2024/06/GHSA-382m-fgqc-gfhw/GHSA-382m-fgqc-gfhw.json index 5d06fa3751c..bca274c7de6 100644 --- a/advisories/unreviewed/2024/06/GHSA-382m-fgqc-gfhw/GHSA-382m-fgqc-gfhw.json +++ b/advisories/unreviewed/2024/06/GHSA-382m-fgqc-gfhw/GHSA-382m-fgqc-gfhw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-382m-fgqc-gfhw", - "modified": "2024-06-18T00:31:28Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-06-18T00:31:28Z", "aliases": [ "CVE-2024-6082" @@ -11,6 +11,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" } ], "affected": [ diff --git a/advisories/unreviewed/2024/06/GHSA-fg32-7hw7-w82p/GHSA-fg32-7hw7-w82p.json b/advisories/unreviewed/2024/06/GHSA-fg32-7hw7-w82p/GHSA-fg32-7hw7-w82p.json index b3ab2254457..e0c95c58546 100644 --- a/advisories/unreviewed/2024/06/GHSA-fg32-7hw7-w82p/GHSA-fg32-7hw7-w82p.json +++ b/advisories/unreviewed/2024/06/GHSA-fg32-7hw7-w82p/GHSA-fg32-7hw7-w82p.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-400" + "CWE-400", + "CWE-798" ], "severity": "HIGH", "github_reviewed": false, 
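Review bot: In GHSA-382m-fgqc-gfhw.json, hunk `@@ -11,6 +11,10 @@`, the added CVSS_V4 vector carries `UI:N` although the CVSS_V3 vector kept above it says `UI:R`. Every other base metric agrees between the two (`AV:N`, `AC:L`, `PR:H`, integrity low only), so the user-interaction value is the single point of disagreement. A v4 vector equivalent to the V3 one would use `UI:P` or `UI:A` instead of `UI:N`; which of the two sources is correct cannot be told from the hunk and should be confirmed with the assigner.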
diff --git a/advisories/unreviewed/2024/06/GHSA-jvrv-28g9-r22f/GHSA-jvrv-28g9-r22f.json b/advisories/unreviewed/2024/06/GHSA-jvrv-28g9-r22f/GHSA-jvrv-28g9-r22f.json index a216e5a1447..4ee5ee04131 100644 --- a/advisories/unreviewed/2024/06/GHSA-jvrv-28g9-r22f/GHSA-jvrv-28g9-r22f.json +++ b/advisories/unreviewed/2024/06/GHSA-jvrv-28g9-r22f/GHSA-jvrv-28g9-r22f.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jvrv-28g9-r22f", - "modified": "2024-06-07T21:31:55Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-06-07T21:31:55Z", "aliases": [ "CVE-2023-49222" ], "details": "Precor touchscreen console P82 contains a private SSH key that corresponds to a default public key. A remote attacker could exploit this to gain root privileges.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-798" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-06-07T20:15:10Z" diff --git a/advisories/unreviewed/2024/06/GHSA-m9vj-66ph-2pqf/GHSA-m9vj-66ph-2pqf.json b/advisories/unreviewed/2024/06/GHSA-m9vj-66ph-2pqf/GHSA-m9vj-66ph-2pqf.json index e51c173ee51..256da903ffa 100644 --- a/advisories/unreviewed/2024/06/GHSA-m9vj-66ph-2pqf/GHSA-m9vj-66ph-2pqf.json +++ b/advisories/unreviewed/2024/06/GHSA-m9vj-66ph-2pqf/GHSA-m9vj-66ph-2pqf.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-m9vj-66ph-2pqf", - "modified": "2024-06-07T21:31:55Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-06-07T21:31:55Z", "aliases": [ "CVE-2023-49223" ], "details": "Precor touchscreen console P62, P80, and P82 could allow a remote attacker to obtain sensitive information because the root password is stored in /etc/passwd. An attacker could exploit this to extract files and obtain sensitive information.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-798" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-06-07T20:15:10Z" diff --git a/advisories/unreviewed/2024/08/GHSA-2qhq-448h-5333/GHSA-2qhq-448h-5333.json b/advisories/unreviewed/2024/08/GHSA-2qhq-448h-5333/GHSA-2qhq-448h-5333.json index e3fba6869cb..8913d11417f 100644 --- a/advisories/unreviewed/2024/08/GHSA-2qhq-448h-5333/GHSA-2qhq-448h-5333.json +++ b/advisories/unreviewed/2024/08/GHSA-2qhq-448h-5333/GHSA-2qhq-448h-5333.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-307", "CWE-667" ], "severity": "HIGH", diff --git a/advisories/unreviewed/2024/08/GHSA-4r4v-2j2q-ch33/GHSA-4r4v-2j2q-ch33.json b/advisories/unreviewed/2024/08/GHSA-4r4v-2j2q-ch33/GHSA-4r4v-2j2q-ch33.json index 645ca53c3b8..17362e29eaf 100644 --- a/advisories/unreviewed/2024/08/GHSA-4r4v-2j2q-ch33/GHSA-4r4v-2j2q-ch33.json +++ b/advisories/unreviewed/2024/08/GHSA-4r4v-2j2q-ch33/GHSA-4r4v-2j2q-ch33.json @@ -48,7 +48,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-22" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/08/GHSA-xj8p-vpqc-xj39/GHSA-xj8p-vpqc-xj39.json b/advisories/unreviewed/2024/08/GHSA-xj8p-vpqc-xj39/GHSA-xj8p-vpqc-xj39.json index 00485038b70..ac2df865e47 100644 
--- a/advisories/unreviewed/2024/08/GHSA-xj8p-vpqc-xj39/GHSA-xj8p-vpqc-xj39.json +++ b/advisories/unreviewed/2024/08/GHSA-xj8p-vpqc-xj39/GHSA-xj8p-vpqc-xj39.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xj8p-vpqc-xj39", - "modified": "2024-08-29T12:31:05Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-08-29T12:31:05Z", "aliases": [ "CVE-2024-7856" diff --git a/advisories/unreviewed/2024/09/GHSA-2h6h-vcrw-57ff/GHSA-2h6h-vcrw-57ff.json b/advisories/unreviewed/2024/09/GHSA-2h6h-vcrw-57ff/GHSA-2h6h-vcrw-57ff.json index 39fc59d94dc..0338236fdc8 100644 --- a/advisories/unreviewed/2024/09/GHSA-2h6h-vcrw-57ff/GHSA-2h6h-vcrw-57ff.json +++ b/advisories/unreviewed/2024/09/GHSA-2h6h-vcrw-57ff/GHSA-2h6h-vcrw-57ff.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-2h6h-vcrw-57ff", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:46Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-46696" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix potential UAF in nfsd4_cb_getattr_release\n\nOnce we drop the delegation reference, the fields embedded in it are no\nlonger safe to access. Do that last.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:14Z" diff --git a/advisories/unreviewed/2024/09/GHSA-2hgx-34f4-hp3q/GHSA-2hgx-34f4-hp3q.json b/advisories/unreviewed/2024/09/GHSA-2hgx-34f4-hp3q/GHSA-2hgx-34f4-hp3q.json new file mode 100644 index 00000000000..23ec6da4ede --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-2hgx-34f4-hp3q/GHSA-2hgx-34f4-hp3q.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2hgx-34f4-hp3q", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-8059" + ], + "details": "IPMI credentials may be captured in XCC audit log entries when the account username length is 16 characters.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8059" + }, + { + "type": "WEB", + "url": "https://support.lenovo.com/us/en/product_security/LEN-172051" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-319" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-2hm7-3qf5-g28w/GHSA-2hm7-3qf5-g28w.json b/advisories/unreviewed/2024/09/GHSA-2hm7-3qf5-g28w/GHSA-2hm7-3qf5-g28w.json index 3e17e2af978..176c6cc3a24 100644 --- a/advisories/unreviewed/2024/09/GHSA-2hm7-3qf5-g28w/GHSA-2hm7-3qf5-g28w.json +++ b/advisories/unreviewed/2024/09/GHSA-2hm7-3qf5-g28w/GHSA-2hm7-3qf5-g28w.json @@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-2hm7-3qf5-g28w", - "modified": "2024-09-12T18:31:42Z", + "modified": "2024-09-13T18:31:45Z", "published": "2024-09-12T18:31:42Z", "aliases": [ "CVE-2024-8696" ], "details": "A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" 
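Review bot: In the new GHSA-2hgx-34f4-hp3q.json, `cwe_ids` lists `"CWE-319"` (cleartext transmission), but the `details` line describes IPMI credentials being written into XCC audit log entries, which is a logging weakness and not a transport one. `"CWE-532"` (insertion of sensitive information into a log file) would describe the stated behaviour more closely. The value is presumably inherited from the upstream record, so this is worth raising there too; CWE-based filters that look for credential-in-log findings will miss this advisory as it stands.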
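Review bot: In GHSA-2hm7-3qf5-g28w.json, hunk `@@ -1,13 +1,17 @@`, the added CVSS_V3 vector `AV:N/AC:L/PR:N/UI:N/...` contradicts the CVSS_V4 vector already present, which says `AC:H/AT:P/UI:A`. The `details` text also says the flaw "could be abused by a malicious extension", which implies a user has to install or run that extension. A V3 vector consistent with the existing V4 entry would carry `AC:H` and `UI:R` in place of `AC:L` and `UI:N`. As written, the V3 entry rates this as an unauthenticated, no-interaction remote code execution and will outrank the V4 assessment in tools that still sort on v3.1.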
diff --git a/advisories/unreviewed/2024/09/GHSA-2qxv-pr9r-9797/GHSA-2qxv-pr9r-9797.json b/advisories/unreviewed/2024/09/GHSA-2qxv-pr9r-9797/GHSA-2qxv-pr9r-9797.json new file mode 100644 index 00000000000..bd875b4073b --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-2qxv-pr9r-9797/GHSA-2qxv-pr9r-9797.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2qxv-pr9r-9797", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-8280" + ], + "details": "An input validation weakness was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection or cause a recoverable denial of service using a specially crafted file.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8280" + }, + { + "type": "WEB", + "url": "https://support.lenovo.com/us/en/product_security/LEN-172051" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-34r9-jr37-pmrf/GHSA-34r9-jr37-pmrf.json b/advisories/unreviewed/2024/09/GHSA-34r9-jr37-pmrf/GHSA-34r9-jr37-pmrf.json index 3fc6b0dbaf1..059a98184d0 100644 --- a/advisories/unreviewed/2024/09/GHSA-34r9-jr37-pmrf/GHSA-34r9-jr37-pmrf.json +++ b/advisories/unreviewed/2024/09/GHSA-34r9-jr37-pmrf/GHSA-34r9-jr37-pmrf.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-34r9-jr37-pmrf", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:46Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-46700" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/mes: fix mes ring buffer overflow\n\nwait memory room until enough before writing mes packets\nto avoid ring buffer overflow.\n\nv2: squash in sched_hw_submission fix\n\n(cherry picked from commit 34e087e8920e635c62e2ed6a758b0cd27f836d13)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-120" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:14Z" diff --git a/advisories/unreviewed/2024/09/GHSA-35qc-5x66-f277/GHSA-35qc-5x66-f277.json b/advisories/unreviewed/2024/09/GHSA-35qc-5x66-f277/GHSA-35qc-5x66-f277.json index 8121496d2d0..45de616d3f9 100644 --- a/advisories/unreviewed/2024/09/GHSA-35qc-5x66-f277/GHSA-35qc-5x66-f277.json +++ b/advisories/unreviewed/2024/09/GHSA-35qc-5x66-f277/GHSA-35qc-5x66-f277.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-35qc-5x66-f277", - "modified": "2024-09-11T18:31:06Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:06Z", "aliases": [ "CVE-2024-45019" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Take state lock during tx timeout reporter\n\nmlx5e_safe_reopen_channels() requires the state lock taken. The\nreferenced changed in the Fixes tag removed the lock to fix another\nissue. This patch adds it back but at a later point (when calling\nmlx5e_safe_reopen_channels()) to avoid the deadlock referenced in the\nFixes tag.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-667" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:06Z" diff --git a/advisories/unreviewed/2024/09/GHSA-375r-hmjc-j5gg/GHSA-375r-hmjc-j5gg.json b/advisories/unreviewed/2024/09/GHSA-375r-hmjc-j5gg/GHSA-375r-hmjc-j5gg.json index 20356b894f1..824d5d87ff3 100644 --- a/advisories/unreviewed/2024/09/GHSA-375r-hmjc-j5gg/GHSA-375r-hmjc-j5gg.json +++ b/advisories/unreviewed/2024/09/GHSA-375r-hmjc-j5gg/GHSA-375r-hmjc-j5gg.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-375r-hmjc-j5gg", - "modified": "2024-09-11T18:31:05Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-09-11T18:31:05Z", "aliases": [ "CVE-2024-45015" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()\n\nFor cases where the crtc's connectors_changed was set without enable/active\ngetting toggled , there is an atomic_enable() call followed by an\natomic_disable() but without an atomic_mode_set().\n\nThis results in a NULL ptr access for the dpu_encoder_get_drm_fmt() call in\nthe atomic_enable() as the dpu_encoder's connector was cleared in the\natomic_disable() but not re-assigned as there was no atomic_mode_set() call.\n\nFix the NULL ptr access by moving the assignment for atomic_enable() and also\nuse drm_atomic_get_new_connector_for_encoder() to get the connector from\nthe atomic_state.\n\nPatchwork: https://patchwork.freedesktop.org/patch/606729/", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:06Z" diff --git a/advisories/unreviewed/2024/09/GHSA-3rvq-3fc5-4w68/GHSA-3rvq-3fc5-4w68.json b/advisories/unreviewed/2024/09/GHSA-3rvq-3fc5-4w68/GHSA-3rvq-3fc5-4w68.json index 5365be833cf..c5e357aa41a 100644 --- a/advisories/unreviewed/2024/09/GHSA-3rvq-3fc5-4w68/GHSA-3rvq-3fc5-4w68.json +++ b/advisories/unreviewed/2024/09/GHSA-3rvq-3fc5-4w68/GHSA-3rvq-3fc5-4w68.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-3rvq-3fc5-4w68", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:47Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-7864" ], "details": "The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the server", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-352" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:15Z" diff --git a/advisories/unreviewed/2024/09/GHSA-3w3r-r6g6-w8x5/GHSA-3w3r-r6g6-w8x5.json b/advisories/unreviewed/2024/09/GHSA-3w3r-r6g6-w8x5/GHSA-3w3r-r6g6-w8x5.json index 676910a59bf..6e63bacfc41 100644 --- a/advisories/unreviewed/2024/09/GHSA-3w3r-r6g6-w8x5/GHSA-3w3r-r6g6-w8x5.json +++ b/advisories/unreviewed/2024/09/GHSA-3w3r-r6g6-w8x5/GHSA-3w3r-r6g6-w8x5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3w3r-r6g6-w8x5", - "modified": "2024-09-12T09:31:21Z", + "modified": "2024-09-13T18:31:44Z", "published": "2024-09-12T09:31:21Z", "aliases": [ "CVE-2024-8522" diff --git a/advisories/unreviewed/2024/09/GHSA-3xv2-v2hj-2crv/GHSA-3xv2-v2hj-2crv.json b/advisories/unreviewed/2024/09/GHSA-3xv2-v2hj-2crv/GHSA-3xv2-v2hj-2crv.json index 788c21eed50..b092ce34108 100644 --- a/advisories/unreviewed/2024/09/GHSA-3xv2-v2hj-2crv/GHSA-3xv2-v2hj-2crv.json +++ b/advisories/unreviewed/2024/09/GHSA-3xv2-v2hj-2crv/GHSA-3xv2-v2hj-2crv.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-3xv2-v2hj-2crv", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:47Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-6617" ], "details": "The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:15Z" diff --git a/advisories/unreviewed/2024/09/GHSA-4gw2-r6x4-xxxg/GHSA-4gw2-r6x4-xxxg.json b/advisories/unreviewed/2024/09/GHSA-4gw2-r6x4-xxxg/GHSA-4gw2-r6x4-xxxg.json index e4d2e63376a..3044e340b0e 100644 --- a/advisories/unreviewed/2024/09/GHSA-4gw2-r6x4-xxxg/GHSA-4gw2-r6x4-xxxg.json +++ b/advisories/unreviewed/2024/09/GHSA-4gw2-r6x4-xxxg/GHSA-4gw2-r6x4-xxxg.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-4gw2-r6x4-xxxg", - "modified": "2024-09-11T18:31:07Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:06Z", "aliases": [ "CVE-2024-45028" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmc_test: Fix NULL dereference on allocation failure\n\nIf the \"test->highmem = alloc_pages()\" allocation fails then calling\n__free_pages(test->highmem) will result in a NULL dereference. Also\nchange the error code to -ENOMEM instead of returning success.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
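Review bot: In GHSA-3xv2-v2hj-2crv.json the second hunk (`@@ -27,7 +30,7 @@`) sets `"severity": "MODERATE"` but leaves `cwe_ids` empty, although `details` describes Stored Cross-Site Scripting through settings that are not sanitised or escaped. Other records in this patch get their weakness class filled in the same pass, so tooling that filters or groups by CWE will skip this one. I would add `"CWE-79"` to `cwe_ids`. The body of `affected` lies outside the hunk, so it is not visible here whether the "before 1.2" bound from `details` is encoded as a range.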
@@ -53,9 +56,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" diff --git a/advisories/unreviewed/2024/09/GHSA-4j5q-jrmv-h6pp/GHSA-4j5q-jrmv-h6pp.json b/advisories/unreviewed/2024/09/GHSA-4j5q-jrmv-h6pp/GHSA-4j5q-jrmv-h6pp.json index 2451bc15dbe..f90e2fe41ba 100644 --- a/advisories/unreviewed/2024/09/GHSA-4j5q-jrmv-h6pp/GHSA-4j5q-jrmv-h6pp.json +++ b/advisories/unreviewed/2024/09/GHSA-4j5q-jrmv-h6pp/GHSA-4j5q-jrmv-h6pp.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-4j5q-jrmv-h6pp", - "modified": "2024-09-11T18:31:05Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-09-11T18:31:05Z", "aliases": [ "CVE-2024-45013" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: move stopping keep-alive into nvme_uninit_ctrl()\n\nCommit 4733b65d82bd (\"nvme: start keep-alive after admin queue setup\")\nmoves starting keep-alive from nvme_start_ctrl() into\nnvme_init_ctrl_finish(), but don't move stopping keep-alive into\nnvme_uninit_ctrl(), so keep-alive work can be started and keep pending\nafter failing to start controller, finally use-after-free is triggered if\nnvme host driver is unloaded.\n\nThis patch fixes kernel panic when running nvme/004 in case that connection\nfailure is triggered, by moving stopping keep-alive into nvme_uninit_ctrl().\n\nThis way is reasonable because keep-alive is now started in\nnvme_init_ctrl_finish().", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:06Z" 
diff --git a/advisories/unreviewed/2024/09/GHSA-4qc3-9vcj-2gh8/GHSA-4qc3-9vcj-2gh8.json b/advisories/unreviewed/2024/09/GHSA-4qc3-9vcj-2gh8/GHSA-4qc3-9vcj-2gh8.json index 4ea66ea6b9e..98e11efaa30 100644 --- a/advisories/unreviewed/2024/09/GHSA-4qc3-9vcj-2gh8/GHSA-4qc3-9vcj-2gh8.json +++ b/advisories/unreviewed/2024/09/GHSA-4qc3-9vcj-2gh8/GHSA-4qc3-9vcj-2gh8.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-74" + "CWE-74", + "CWE-79" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-5293-cf37-fxqw/GHSA-5293-cf37-fxqw.json b/advisories/unreviewed/2024/09/GHSA-5293-cf37-fxqw/GHSA-5293-cf37-fxqw.json index a9389d72e66..74cae30eb97 100644 --- a/advisories/unreviewed/2024/09/GHSA-5293-cf37-fxqw/GHSA-5293-cf37-fxqw.json +++ b/advisories/unreviewed/2024/09/GHSA-5293-cf37-fxqw/GHSA-5293-cf37-fxqw.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5293-cf37-fxqw", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:46Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-46692" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: scm: Mark get_wq_ctx() as atomic call\n\nCurrently get_wq_ctx() is wrongly configured as a standard call. When two\nSMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to\nresume the corresponding sleeping thread. But if get_wq_ctx() is\ninterrupted, goes to sleep and another SMC call is waiting to be allocated\na waitq context, it leads to a deadlock.\n\nTo avoid this get_wq_ctx() must be an atomic call and can't be a standard\nSMC call. Hence mark get_wq_ctx() as a fast call.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-667" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:14Z" diff --git a/advisories/unreviewed/2024/09/GHSA-5397-7533-4p4r/GHSA-5397-7533-4p4r.json b/advisories/unreviewed/2024/09/GHSA-5397-7533-4p4r/GHSA-5397-7533-4p4r.json new file mode 100644 index 00000000000..eaf0c5a10e6 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-5397-7533-4p4r/GHSA-5397-7533-4p4r.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5397-7533-4p4r", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-4550" + ], + "details": "A potential buffer overflow vulnerability was reported in some Lenovo ThinkSystem and ThinkStation products that could allow a local attacker with elevated privileges to execute arbitrary code.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4550" + }, + { + "type": "WEB", + "url": "https://support.lenovo.com/us/en/product_security/LEN-165524" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-121" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-56j2-rfmx-x6p8/GHSA-56j2-rfmx-x6p8.json b/advisories/unreviewed/2024/09/GHSA-56j2-rfmx-x6p8/GHSA-56j2-rfmx-x6p8.json index 4e5061b37ba..4ec72dc23f1 100644 --- a/advisories/unreviewed/2024/09/GHSA-56j2-rfmx-x6p8/GHSA-56j2-rfmx-x6p8.json +++ b/advisories/unreviewed/2024/09/GHSA-56j2-rfmx-x6p8/GHSA-56j2-rfmx-x6p8.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-56j2-rfmx-x6p8", - "modified": "2024-09-11T18:31:07Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:07Z", "aliases": [ "CVE-2024-46672" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion\n\nwpa_supplicant 2.11 sends since 1efdba5fdc2c (\"Handle PMKSA flush in the\ndriver for SAE/OWE offload cases\") SSID based PMKSA del commands.\nbrcmfmac is not prepared and tries to dereference the NULL bssid and\npmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based\nupdates so copy the SSID.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" diff --git a/advisories/unreviewed/2024/09/GHSA-573v-9j9r-xm6w/GHSA-573v-9j9r-xm6w.json b/advisories/unreviewed/2024/09/GHSA-573v-9j9r-xm6w/GHSA-573v-9j9r-xm6w.json new file mode 100644 index 00000000000..9bba96db561 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-573v-9j9r-xm6w/GHSA-573v-9j9r-xm6w.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-573v-9j9r-xm6w", + "modified": "2024-09-13T18:31:47Z", + "published": "2024-09-13T18:31:47Z", + "aliases": [ + "CVE-2024-31415" + ], + "details": "The Eaton Foreseer software provides the feasibility for the user to configure external servers for multiple purposes such as network management, user management, etc. The software uses encryption to store these configurations securely on the host machine. However, the keys used for this encryption were insecurely stored, which could be abused to possibly change or remove the server configuration.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31415" + }, + { + "type": "WEB", + "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2024-1008.pdf" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-522" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T17:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json b/advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json index 0f974f79edd..022975b6067 100644 --- a/advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json +++ b/advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-121" + "CWE-121", + "CWE-787" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-5m73-3pch-86m2/GHSA-5m73-3pch-86m2.json b/advisories/unreviewed/2024/09/GHSA-5m73-3pch-86m2/GHSA-5m73-3pch-86m2.json index 46136d28c21..3e86a11602f 100644 
--- a/advisories/unreviewed/2024/09/GHSA-5m73-3pch-86m2/GHSA-5m73-3pch-86m2.json +++ b/advisories/unreviewed/2024/09/GHSA-5m73-3pch-86m2/GHSA-5m73-3pch-86m2.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5m73-3pch-86m2", - "modified": "2024-09-11T18:31:06Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:06Z", "aliases": [ "CVE-2024-45021" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg_write_event_control(): fix a user-triggerable oops\n\nwe are *not* guaranteed that anything past the terminating NUL\nis mapped (let alone initialized with anything sane).", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -53,9 +56,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" diff --git a/advisories/unreviewed/2024/09/GHSA-5pqc-wgxh-g2rx/GHSA-5pqc-wgxh-g2rx.json b/advisories/unreviewed/2024/09/GHSA-5pqc-wgxh-g2rx/GHSA-5pqc-wgxh-g2rx.json new file mode 100644 index 00000000000..4ef767bd1a0 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-5pqc-wgxh-g2rx/GHSA-5pqc-wgxh-g2rx.json 
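Review bot: The `"CWE-476"` added in the second hunk of GHSA-5m73-3pch-86m2.json does not match what `details` describes. The text says that nothing past the terminating NUL is guaranteed to be mapped, which reads as an access beyond the end of a buffer rather than a NULL pointer dereference. If that reading is right, `"CWE-125"` is the closer class; confirm against the upstream kernel fix before changing it. The availability-only vector added in the first hunk is consistent with either classification.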
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5pqc-wgxh-g2rx", + "modified": "2024-09-13T18:31:47Z", + "published": "2024-09-13T18:31:47Z", + "aliases": [ + "CVE-2024-31414" + ], + "details": "The Eaton Foreseer software provides users the capability to customize the dashboard in WebView pages. However, the input fields for this feature in the Eaton Foreseer software lacked proper input sanitization on the server-side, which could lead to injection and execution of malicious scripts when abused by bad actors.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31414" + }, + { + "type": "WEB", + "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2024-1008.pdf" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T17:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-5qvx-cmvh-v55m/GHSA-5qvx-cmvh-v55m.json b/advisories/unreviewed/2024/09/GHSA-5qvx-cmvh-v55m/GHSA-5qvx-cmvh-v55m.json index f1813663280..ae0e082f8d1 100644 --- a/advisories/unreviewed/2024/09/GHSA-5qvx-cmvh-v55m/GHSA-5qvx-cmvh-v55m.json +++ b/advisories/unreviewed/2024/09/GHSA-5qvx-cmvh-v55m/GHSA-5qvx-cmvh-v55m.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5qvx-cmvh-v55m", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:46Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-46693" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: pmic_glink: Fix race during initialization\n\nAs pointed out by Stephen Boyd it is possible that during initialization\nof the pmic_glink child drivers, the protection-domain notifiers fires,\nand the associated work is scheduled, before the client registration\nreturns and as a result the local \"client\" pointer has been initialized.\n\nThe outcome of this is a NULL pointer dereference as the \"client\"\npointer is blindly dereferenced.\n\nTimeline provided by Stephen:\n CPU0 CPU1\n ---- ----\n ucsi->client = NULL;\n devm_pmic_glink_register_client()\n client->pdr_notify(client->priv, pg->client_state)\n pmic_glink_ucsi_pdr_notify()\n schedule_work(&ucsi->register_work)\n \n pmic_glink_ucsi_register()\n ucsi_register()\n pmic_glink_ucsi_read_version()\n pmic_glink_ucsi_read()\n pmic_glink_ucsi_read()\n pmic_glink_send(ucsi->client)\n \n ucsi->client = client // Too late!\n\nThis code is identical across the altmode, battery manager and usci\nchild drivers.\n\nResolve this by splitting the allocation of the \"client\" object and the\nregistration thereof into two operations.\n\nThis only happens if the protection domain registry is populated at the\ntime of registration, which by the introduction of commit '1ebcde047c54\n(\"soc: qcom: add pd-mapper implementation\")' became much more likely.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:14Z" 
diff --git a/advisories/unreviewed/2024/09/GHSA-5w55-q3rh-9cgc/GHSA-5w55-q3rh-9cgc.json b/advisories/unreviewed/2024/09/GHSA-5w55-q3rh-9cgc/GHSA-5w55-q3rh-9cgc.json index 5238b587791..a0af7b81f13 100644 --- a/advisories/unreviewed/2024/09/GHSA-5w55-q3rh-9cgc/GHSA-5w55-q3rh-9cgc.json +++ b/advisories/unreviewed/2024/09/GHSA-5w55-q3rh-9cgc/GHSA-5w55-q3rh-9cgc.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5w55-q3rh-9cgc", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:46Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-46691" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Move unregister out of atomic section\n\nCommit '9329933699b3 (\"soc: qcom: pmic_glink: Make client-lock\nnon-sleeping\")' moved the pmic_glink client list under a spinlock, as it\nis accessed by the rpmsg/glink callback, which in turn is invoked from\nIRQ context.\n\nThis means that ucsi_unregister() is now called from atomic context,\nwhich isn't feasible as it's expecting a sleepable context. An effort is\nunder way to get GLINK to invoke its callbacks in a sleepable context,\nbut until then lets schedule the unregistration.\n\nA side effect of this is that ucsi_unregister() can now happen\nafter the remote processor, and thereby the communication link with it, is\ngone. pmic_glink_send() is amended with a check to avoid the resulting NULL\npointer dereference.\nThis does however result in the user being informed about this error by\nthe following entry in the kernel log:\n\n ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:13Z" diff --git a/advisories/unreviewed/2024/09/GHSA-62hc-56xq-xr7v/GHSA-62hc-56xq-xr7v.json b/advisories/unreviewed/2024/09/GHSA-62hc-56xq-xr7v/GHSA-62hc-56xq-xr7v.json new file mode 100644 index 00000000000..9110ae81213 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-62hc-56xq-xr7v/GHSA-62hc-56xq-xr7v.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-62hc-56xq-xr7v", + "modified": "2024-09-13T18:31:47Z", + "published": "2024-09-13T18:31:47Z", + "aliases": [ + "CVE-2024-42025" + ], + "details": "A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.3.32 and earlier) allows a malicious actor with unifi user shell access to escalate privileges to root on the host device.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42025" + }, + { + "type": "WEB", + "url": "https://community.ui.com/releases/Security-Advisory-Bulletin-042-042/c4f68b56-cdc4-4128-b2cb-5870209d1704" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T16:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-64qj-9hxc-x9rc/GHSA-64qj-9hxc-x9rc.json b/advisories/unreviewed/2024/09/GHSA-64qj-9hxc-x9rc/GHSA-64qj-9hxc-x9rc.json index d5a767a341f..fd73f242fda 100644 --- a/advisories/unreviewed/2024/09/GHSA-64qj-9hxc-x9rc/GHSA-64qj-9hxc-x9rc.json +++ b/advisories/unreviewed/2024/09/GHSA-64qj-9hxc-x9rc/GHSA-64qj-9hxc-x9rc.json 
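Review bot: The new record GHSA-62hc-56xq-xr7v.json ships with an empty `cwe_ids` even though `details` names a Command Injection that lets a user with unifi shell access become root, and the record is rated `"HIGH"`. A consumer that filters or groups by weakness class will not surface it. I would add `"CWE-77"` to `cwe_ids`, or `"CWE-78"` if the vendor bulletin confirms OS command injection. `affected` is empty as well, so the "8.3.32 and earlier" bound exists only in free text and cannot be matched by a scanner.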
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-64qj-9hxc-x9rc", - "modified": "2024-09-13T06:30:42Z", + "modified": "2024-09-13T18:31:46Z", "published": "2024-09-13T06:30:42Z", "aliases": [ "CVE-2024-46677" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix a potential NULL pointer dereference\n\nWhen sockfd_lookup() fails, gtp_encap_enable_socket() returns a\nNULL pointer, but its callers only check for error pointers thus miss\nthe NULL pointer case.\n\nFix it by returning an error pointer with the error code carried from\nsockfd_lookup().\n\n(I found this bug during code inspection.)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -53,9 +56,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:12Z" diff --git a/advisories/unreviewed/2024/09/GHSA-66cw-5j4x-3r2w/GHSA-66cw-5j4x-3r2w.json b/advisories/unreviewed/2024/09/GHSA-66cw-5j4x-3r2w/GHSA-66cw-5j4x-3r2w.json index e2816d6bfa3..3e8d5b61bd5 100644 --- a/advisories/unreviewed/2024/09/GHSA-66cw-5j4x-3r2w/GHSA-66cw-5j4x-3r2w.json +++ b/advisories/unreviewed/2024/09/GHSA-66cw-5j4x-3r2w/GHSA-66cw-5j4x-3r2w.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-66cw-5j4x-3r2w", - "modified": "2024-09-11T18:31:07Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:06Z", "aliases": [ "CVE-2024-45026" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix error recovery leading to data corruption on ESE devices\n\nExtent Space Efficient (ESE) or thin provisioned volumes need to be\nformatted on demand during usual IO processing.\n\nThe dasd_ese_needs_format function checks for error codes that signal\nthe non existence of a proper track format.\n\nThe check for incorrect length is to imprecise since other error cases\nleading to transport of insufficient data also have this flag set.\nThis might lead to data corruption in certain error cases for example\nduring a storage server warmstart.\n\nFix by removing the check for incorrect length and replacing by\nexplicitly checking for invalid track format in transport mode.\n\nAlso remove the check for file protected since this is not a valid\nESE handling case.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -49,9 +52,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" diff --git a/advisories/unreviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json b/advisories/unreviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json new file mode 100644 index 00000000000..45e29cfb467 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6p2q-8qfq-wq7x", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-6087" + ], + "details": "An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6087" + }, + { + "type": "WEB", + "url": "https://github.com/lunary-ai/lunary/commit/844e8855c7a713dc7371766dba4125de4007b1cf" + }, + { + "type": "WEB", + "url": "https://huntr.com/bounties/bd9f2301-11c7-4cbd-8d77-3e9225bd67e8" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T17:15:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-6x3x-mhgp-4j2c/GHSA-6x3x-mhgp-4j2c.json b/advisories/unreviewed/2024/09/GHSA-6x3x-mhgp-4j2c/GHSA-6x3x-mhgp-4j2c.json index a03579b95b7..8b516dac2ac 100644 --- a/advisories/unreviewed/2024/09/GHSA-6x3x-mhgp-4j2c/GHSA-6x3x-mhgp-4j2c.json +++ b/advisories/unreviewed/2024/09/GHSA-6x3x-mhgp-4j2c/GHSA-6x3x-mhgp-4j2c.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], "severity": "MODERATE", "github_reviewed": false, 
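Review bot: In the new GHSA-6p2q-8qfq-wq7x.json the vector `CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` sits oddly with `details`, which ends in resetting the target user's password and full account takeover. Changing another user's credential is an integrity impact, so `I:N` and the resulting `"MODERATE"` label probably understate the issue. The score is imported, so a correction belongs upstream, and until then triage should go by `details` rather than the label. `affected` is also empty although `references` carries a fix commit in the lunary repository, so no package range is available for automated matching.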
diff --git a/advisories/unreviewed/2024/09/GHSA-7977-m9r5-5r9p/GHSA-7977-m9r5-5r9p.json b/advisories/unreviewed/2024/09/GHSA-7977-m9r5-5r9p/GHSA-7977-m9r5-5r9p.json
index 1ebad70faec..f7a8e948dec 100644
--- a/advisories/unreviewed/2024/09/GHSA-7977-m9r5-5r9p/GHSA-7977-m9r5-5r9p.json
+++ b/advisories/unreviewed/2024/09/GHSA-7977-m9r5-5r9p/GHSA-7977-m9r5-5r9p.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7977-m9r5-5r9p", - "modified": "2024-09-11T18:31:07Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:07Z", "aliases": [ "CVE-2024-45025" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE\n\ncopy_fd_bitmaps(new, old, count) is expected to copy the first\ncount/BITS_PER_LONG bits from old->full_fds_bits[] and fill\nthe rest with zeroes. What it does is copying enough words\n(BITS_TO_LONGS(count/BITS_PER_LONG)), then memsets the rest.\nThat works fine, *if* all bits past the cutoff point are\nclear. Otherwise we are risking garbage from the last word\nwe'd copied.\n\nFor most of the callers that is true - expand_fdtable() has\ncount equal to old->max_fds, so there's no open descriptors\npast count, let alone fully occupied words in ->open_fds[],\nwhich is what bits in ->full_fds_bits[] correspond to.\n\nThe other caller (dup_fd()) passes sane_fdtable_size(old_fdt, max_fds),\nwhich is the smallest multiple of BITS_PER_LONG that covers all\nopened descriptors below max_fds. In the common case (copying on\nfork()) max_fds is ~0U, so all opened descriptors will be below\nit and we are fine, by the same reasons why the call in expand_fdtable()\nis safe.\n\nUnfortunately, there is a case where max_fds is less than that\nand where we might, indeed, end up with junk in ->full_fds_bits[] -\nclose_range(from, to, CLOSE_RANGE_UNSHARE) with\n\t* descriptor table being currently shared\n\t* 'to' being above the current capacity of descriptor table\n\t* 'from' being just under some chunk of opened descriptors.\nIn that case we end up with observably wrong behaviour - e.g. 
spawn\na child with CLONE_FILES, get all descriptors in range 0..127 open,\nthen close_range(64, ~0U, CLOSE_RANGE_UNSHARE) and watch dup(0) ending\nup with descriptor #128, despite #64 being observably not open.\n\nThe minimally invasive fix would be to deal with that in dup_fd().\nIf this proves to add measurable overhead, we can go that way, but\nlet's try to fix copy_fd_bitmaps() first.\n\n* new helper: bitmap_copy_and_expand(to, from, bits_to_copy, size).\n* make copy_fd_bitmaps() take the bitmap size in words, rather than\nbits; it's 'count' argument is always a multiple of BITS_PER_LONG,\nso we are not losing any information, and that way we can use the\nsame helper for all three bitmaps - compiler will see that count\nis a multiple of BITS_PER_LONG for the large ones, so it'll generate\nplain memcpy()+memset().\n\nReproducer added to tools/testing/selftests/core/close_range_test.c", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -53,9 +56,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" diff --git a/advisories/unreviewed/2024/09/GHSA-7f48-pc7q-83qh/GHSA-7f48-pc7q-83qh.json b/advisories/unreviewed/2024/09/GHSA-7f48-pc7q-83qh/GHSA-7f48-pc7q-83qh.json index f0bcef967c4..7094fdc74cf 100644 --- a/advisories/unreviewed/2024/09/GHSA-7f48-pc7q-83qh/GHSA-7f48-pc7q-83qh.json +++ b/advisories/unreviewed/2024/09/GHSA-7f48-pc7q-83qh/GHSA-7f48-pc7q-83qh.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7f48-pc7q-83qh", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:46Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-46698" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo/aperture: optionally match the device in sysfb_disable()\n\nIn aperture_remove_conflicting_pci_devices(), we currently only\ncall sysfb_disable() on vga class devices. This leads to the\nfollowing problem when the pimary device is not VGA compatible:\n\n1. A PCI device with a non-VGA class is the boot display\n2. That device is probed first and it is not a VGA device so\n sysfb_disable() is not called, but the device resources\n are freed by aperture_detach_platform_device()\n3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable()\n4. NULL pointer dereference via sysfb_disable() since the resources\n have already been freed by aperture_detach_platform_device() when\n it was called by the other device.\n\nFix this by passing a device pointer to sysfb_disable() and checking\nthe device to determine if we should execute it or not.\n\nv2: Fix build when CONFIG_SCREEN_INFO is not set\nv3: Move device check into the mutex\n Drop primary variable in aperture_remove_conflicting_pci_devices()\n Drop __init on pci sysfb_pci_dev_is_enabled()", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:14Z" diff --git a/advisories/unreviewed/2024/09/GHSA-7fv4-rmp7-g4qh/GHSA-7fv4-rmp7-g4qh.json b/advisories/unreviewed/2024/09/GHSA-7fv4-rmp7-g4qh/GHSA-7fv4-rmp7-g4qh.json index a181eb97187..a06b1db65b5 100644 --- a/advisories/unreviewed/2024/09/GHSA-7fv4-rmp7-g4qh/GHSA-7fv4-rmp7-g4qh.json 
+++ b/advisories/unreviewed/2024/09/GHSA-7fv4-rmp7-g4qh/GHSA-7fv4-rmp7-g4qh.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7fv4-rmp7-g4qh", - "modified": "2024-09-11T18:31:06Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:06Z", "aliases": [ "CVE-2024-45022" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0\n\nThe __vmap_pages_range_noflush() assumes its argument pages** contains\npages with the same page shift. However, since commit e9c3cda4d86e (\"mm,\nvmalloc: fix high order __GFP_NOFAIL allocations\"), if gfp_flags includes\n__GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation\nfailed for high order, the pages** may contain two different page shifts\n(high order and order-0). This could lead __vmap_pages_range_noflush() to\nperform incorrect mappings, potentially resulting in memory corruption.\n\nUsers might encounter this as follows (vmap_allow_huge = true, 2M is for\nPMD_SIZE):\n\nkvmalloc(2M, __GFP_NOFAIL|GFP_X)\n __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP)\n vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0\n vmap_pages_range()\n vmap_pages_range_noflush()\n __vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens\n\nWe can remove the fallback code because if a high-order allocation fails,\n__vmalloc_node_range_noprof() will retry with order-0. Therefore, it is\nunnecessary to fallback to order-0 here. Therefore, fix this by removing\nthe fallback code.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" 
diff --git a/advisories/unreviewed/2024/09/GHSA-7g34-wcpj-vf55/GHSA-7g34-wcpj-vf55.json b/advisories/unreviewed/2024/09/GHSA-7g34-wcpj-vf55/GHSA-7g34-wcpj-vf55.json
index 838f615f5aa..95350c06531 100644
--- a/advisories/unreviewed/2024/09/GHSA-7g34-wcpj-vf55/GHSA-7g34-wcpj-vf55.json
+++ b/advisories/unreviewed/2024/09/GHSA-7g34-wcpj-vf55/GHSA-7g34-wcpj-vf55.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7g34-wcpj-vf55", - "modified": "2024-09-11T18:31:05Z", + "modified": "2024-09-13T18:31:43Z", "published": "2024-09-11T18:31:05Z", "aliases": [ "CVE-2024-45012" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/firmware: use dma non-coherent allocator\n\nCurrently, enabling SG_DEBUG in the kernel will cause nouveau to hit a\nBUG() on startup, when the iommu is enabled:\n\nkernel BUG at include/linux/scatterlist.h:187!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30\nHardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019\nRIP: 0010:sg_init_one+0x85/0xa0\nCode: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54\n24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b\n0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00\nRSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000\nRBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508\nR13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018\nFS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0\nCall Trace:\n \n ? die+0x36/0x90\n ? do_trap+0xdd/0x100\n ? sg_init_one+0x85/0xa0\n ? do_error_trap+0x65/0x80\n ? sg_init_one+0x85/0xa0\n ? exc_invalid_op+0x50/0x70\n ? sg_init_one+0x85/0xa0\n ? asm_exc_invalid_op+0x1a/0x20\n ? sg_init_one+0x85/0xa0\n nvkm_firmware_ctor+0x14a/0x250 [nouveau]\n nvkm_falcon_fw_ctor+0x42/0x70 [nouveau]\n ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau]\n r535_gsp_oneinit+0xb3/0x15f0 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? 
srso_return_thunk+0x5/0x5f\n ? nvkm_udevice_new+0x95/0x140 [nouveau]\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? ktime_get+0x47/0xb0\n\nFix this by using the non-coherent allocator instead, I think there\nmight be a better answer to this, but it involve ripping up some of\nAPIs using sg lists.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-770" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:06Z" diff --git a/advisories/unreviewed/2024/09/GHSA-8grv-f28f-g844/GHSA-8grv-f28f-g844.json b/advisories/unreviewed/2024/09/GHSA-8grv-f28f-g844/GHSA-8grv-f28f-g844.json index 2b16a760119..83aadccf2d5 100644 --- a/advisories/unreviewed/2024/09/GHSA-8grv-f28f-g844/GHSA-8grv-f28f-g844.json +++ b/advisories/unreviewed/2024/09/GHSA-8grv-f28f-g844/GHSA-8grv-f28f-g844.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8grv-f28f-g844", - "modified": "2024-09-11T18:31:06Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:06Z", "aliases": [ "CVE-2024-45024" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix hugetlb vs. core-mm PT locking\n\nWe recently made GUP's common page table walking code to also walk hugetlb\nVMAs without most hugetlb special-casing, preparing for the future of\nhaving less hugetlb-specific page table walking code in the codebase. \nTurns out that we missed one page table locking detail: page table locking\nfor hugetlb folios that are not mapped using a single PMD/PUD.\n\nAssume we have hugetlb folio that spans multiple PTEs (e.g., 64 KiB\nhugetlb folios on arm64 with 4 KiB base page size). GUP, as it walks the\npage tables, will perform a pte_offset_map_lock() to grab the PTE table\nlock.\n\nHowever, hugetlb that concurrently modifies these page tables would\nactually grab the mm->page_table_lock: with USE_SPLIT_PTE_PTLOCKS, the\nlocks would differ. 
Something similar can happen right now with hugetlb\nfolios that span multiple PMDs when USE_SPLIT_PMD_PTLOCKS.\n\nThis issue can be reproduced [1], for example triggering:\n\n[ 3105.936100] ------------[ cut here ]------------\n[ 3105.939323] WARNING: CPU: 31 PID: 2732 at mm/gup.c:142 try_grab_folio+0x11c/0x188\n[ 3105.944634] Modules linked in: [...]\n[ 3105.974841] CPU: 31 PID: 2732 Comm: reproducer Not tainted 6.10.0-64.eln141.aarch64 #1\n[ 3105.980406] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-4.fc40 05/24/2024\n[ 3105.986185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 3105.991108] pc : try_grab_folio+0x11c/0x188\n[ 3105.994013] lr : follow_page_pte+0xd8/0x430\n[ 3105.996986] sp : ffff80008eafb8f0\n[ 3105.999346] x29: ffff80008eafb900 x28: ffffffe8d481f380 x27: 00f80001207cff43\n[ 3106.004414] x26: 0000000000000001 x25: 0000000000000000 x24: ffff80008eafba48\n[ 3106.009520] x23: 0000ffff9372f000 x22: ffff7a54459e2000 x21: ffff7a546c1aa978\n[ 3106.014529] x20: ffffffe8d481f3c0 x19: 0000000000610041 x18: 0000000000000001\n[ 3106.019506] x17: 0000000000000001 x16: ffffffffffffffff x15: 0000000000000000\n[ 3106.024494] x14: ffffb85477fdfe08 x13: 0000ffff9372ffff x12: 0000000000000000\n[ 3106.029469] x11: 1fffef4a88a96be1 x10: ffff7a54454b5f0c x9 : ffffb854771b12f0\n[ 3106.034324] x8 : 0008000000000000 x7 : ffff7a546c1aa980 x6 : 0008000000000080\n[ 3106.038902] x5 : 00000000001207cf x4 : 0000ffff9372f000 x3 : ffffffe8d481f000\n[ 3106.043420] x2 : 0000000000610041 x1 : 0000000000000001 x0 : 0000000000000000\n[ 3106.047957] Call trace:\n[ 3106.049522] try_grab_folio+0x11c/0x188\n[ 3106.051996] follow_pmd_mask.constprop.0.isra.0+0x150/0x2e0\n[ 3106.055527] follow_page_mask+0x1a0/0x2b8\n[ 3106.058118] __get_user_pages+0xf0/0x348\n[ 3106.060647] faultin_page_range+0xb0/0x360\n[ 3106.063651] do_madvise+0x340/0x598\n\nLet's make huge_pte_lockptr() effectively use the same PT locks as any\ncore-mm page table walker would. 
Add ptep_lockptr() to obtain the PTE\npage table lock using a pte pointer -- unfortunately we cannot convert\npte_lockptr() because virt_to_page() doesn't work with kmap'ed page tables\nwe can have with CONFIG_HIGHPTE.\n\nHandle CONFIG_PGTABLE_LEVELS correctly by checking in reverse order, such\nthat when e.g., CONFIG_PGTABLE_LEVELS==2 with\nPGDIR_SIZE==P4D_SIZE==PUD_SIZE==PMD_SIZE will work as expected. Document\nwhy that works.\n\nThere is one ugly case: powerpc 8xx, whereby we have an 8 MiB hugetlb\nfolio being mapped using two PTE page tables. While hugetlb wants to take\nthe PMD table lock, core-mm would grab the PTE table lock of one of both\nPTE page tables. In such corner cases, we have to make sure that both\nlocks match, which is (fortunately!) currently guaranteed for 8xx as it\ndoes not support SMP and consequently doesn't use split PT locks.\n\n[1] https://lore.kernel.org/all/1bbfcc7f-f222-45a5-ac44-c5a1381c596d@redhat.com/", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-667" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" diff --git a/advisories/unreviewed/2024/09/GHSA-8v66-q974-wq26/GHSA-8v66-q974-wq26.json b/advisories/unreviewed/2024/09/GHSA-8v66-q974-wq26/GHSA-8v66-q974-wq26.json index 4fced89175c..3eeee5831a2 100644 --- a/advisories/unreviewed/2024/09/GHSA-8v66-q974-wq26/GHSA-8v66-q974-wq26.json +++ b/advisories/unreviewed/2024/09/GHSA-8v66-q974-wq26/GHSA-8v66-q974-wq26.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8v66-q974-wq26", - "modified": "2024-09-11T18:31:05Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-09-11T18:31:05Z", "aliases": [ "CVE-2024-45014" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/boot: Avoid possible physmem_info segment corruption\n\nWhen physical memory for the kernel image is allocated it does not\nconsider extra memory required for offsetting the image start to\nmatch it with the lower 20 bits of KASLR virtual base address. That\nmight lead to kernel access beyond its memory range.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-770" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:06Z" diff --git a/advisories/unreviewed/2024/09/GHSA-956h-wvh5-7cgp/GHSA-956h-wvh5-7cgp.json b/advisories/unreviewed/2024/09/GHSA-956h-wvh5-7cgp/GHSA-956h-wvh5-7cgp.json index ba149a39ee2..ba460c4961c 100644 --- a/advisories/unreviewed/2024/09/GHSA-956h-wvh5-7cgp/GHSA-956h-wvh5-7cgp.json +++ b/advisories/unreviewed/2024/09/GHSA-956h-wvh5-7cgp/GHSA-956h-wvh5-7cgp.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-956h-wvh5-7cgp", - "modified": "2024-09-13T15:31:35Z", + "modified": "2024-09-13T18:31:47Z", "published": "2024-09-13T15:31:35Z", "aliases": [ "CVE-2024-46048" ], "details": "Tenda FH451 v1.0.0.9 has a command injection vulnerability in the formexeCommand function i", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-77" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T14:15:14Z" 
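Review bot: The `details` string of GHSA-956h-wvh5-7cgp (CVE-2024-46048) still ends mid-word at `formexeCommand function i`, and this update adds a CVSS vector, `CWE-77` and a `HIGH` rating without repairing the text. The missing tail is presumably where the record names the input that reaches the command, which a reader needs in order to judge exposure or write a detection. The sentence should be re-synced from the upstream CVE description rather than guessed at, because the full text is not visible in this hunk.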
diff --git a/advisories/unreviewed/2024/09/GHSA-9672-786w-jwpr/GHSA-9672-786w-jwpr.json b/advisories/unreviewed/2024/09/GHSA-9672-786w-jwpr/GHSA-9672-786w-jwpr.json index 557337fcb23..98b146c071b 100644 --- a/advisories/unreviewed/2024/09/GHSA-9672-786w-jwpr/GHSA-9672-786w-jwpr.json +++ b/advisories/unreviewed/2024/09/GHSA-9672-786w-jwpr/GHSA-9672-786w-jwpr.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9672-786w-jwpr", - "modified": "2024-09-13T15:31:34Z", + "modified": "2024-09-13T18:31:47Z", "published": "2024-09-13T15:31:34Z", "aliases": [ "CVE-2024-46046" ], "details": "Tenda FH451 v1.0.0.9 has a stack overflow vulnerability located in the RouteStatic function.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-121" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T14:15:14Z" diff --git a/advisories/unreviewed/2024/09/GHSA-974p-hhmc-6h46/GHSA-974p-hhmc-6h46.json b/advisories/unreviewed/2024/09/GHSA-974p-hhmc-6h46/GHSA-974p-hhmc-6h46.json new file mode 100644 index 00000000000..57fd4ea76c3 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-974p-hhmc-6h46/GHSA-974p-hhmc-6h46.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-974p-hhmc-6h46", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-39924" + ], + "details": "An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency access to escalate their privileges by changing the access level and modifying the wait time. Consequently, the attacker can gain full control over the vault (when only intended to have read access) while bypassing the necessary wait period.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39924" + }, + { + "type": "WEB", + "url": "https://github.com/dani-garcia/vaultwarden/blob/1.30.3/src/api/core/emergency_access.rs#L115-L148" + }, + { + "type": "WEB", + "url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-98wp-w76v-f75p/GHSA-98wp-w76v-f75p.json b/advisories/unreviewed/2024/09/GHSA-98wp-w76v-f75p/GHSA-98wp-w76v-f75p.json index 0c61da1dfd4..138aa317f41 100644 --- a/advisories/unreviewed/2024/09/GHSA-98wp-w76v-f75p/GHSA-98wp-w76v-f75p.json +++ b/advisories/unreviewed/2024/09/GHSA-98wp-w76v-f75p/GHSA-98wp-w76v-f75p.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-98wp-w76v-f75p", - "modified": "2024-09-12T09:31:21Z", + "modified": "2024-09-13T18:31:44Z", "published": "2024-09-12T09:31:21Z", "aliases": [ "CVE-2024-8529" 
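Review bot: GHSA-974p-hhmc-6h46 (CVE-2024-39924) is created with `severity`, `affected` and `cwe_ids` all empty and `"severity": null`, so anything that filters or ranks advisories by score will not surface it. That is despite `details` describing an emergency-access grantee gaining full control of a vault and bypassing the wait period. Other records added in this batch (for example GHSA-9jmp-j63g-8x6m and GHSA-g26j-5385-hhw3) do carry a CVSS vector and a CWE, but they also leave `affected` empty. The only version data here is therefore free text: `1.30.3` in `details` and the `releases/tag/1.32.0` reference, which presumably marks the fixed release. Until upstream analysis lands, an authorization-class entry such as `"cwe_ids": ["CWE-863"]` would at least make the record searchable by weakness.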
diff --git a/advisories/unreviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json b/advisories/unreviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json new file mode 100644 index 00000000000..bb54b660fe5 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9jmp-j63g-8x6m", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-6867" + ], + "details": "An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the `run_id` listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the `run_id` of a public or non-public run.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6867" + }, + { + "type": "WEB", + "url": "https://github.com/lunary-ai/lunary/commit/35afd4439464571eb016318cd7b6f85a162225ca" + }, + { + "type": "WEB", + "url": "https://huntr.com/bounties/460df515-164c-4435-954b-0233a181545f" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1220" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T17:15:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-9mqh-56r5-64mq/GHSA-9mqh-56r5-64mq.json b/advisories/unreviewed/2024/09/GHSA-9mqh-56r5-64mq/GHSA-9mqh-56r5-64mq.json new file mode 100644 index 00000000000..5f64092f325 
--- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-9mqh-56r5-64mq/GHSA-9mqh-56r5-64mq.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9mqh-56r5-64mq", + "modified": "2024-09-13T18:31:47Z", + "published": "2024-09-13T18:31:47Z", + "aliases": [ + "CVE-2024-31416" + ], + "details": "The Eaton Foreseer software provides multiple customizable input fields for the users to configure parameters in the tool like alarms, reports, etc. Some of these input fields were not checking the length and bounds of the entered value. The exploit of this security flaw by a bad actor may result in excessive memory consumption or integer overflow.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31416" + }, + { + "type": "WEB", + "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2024-1008.pdf" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1284" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T17:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-9rrr-65q4-qrrq/GHSA-9rrr-65q4-qrrq.json b/advisories/unreviewed/2024/09/GHSA-9rrr-65q4-qrrq/GHSA-9rrr-65q4-qrrq.json new file mode 100644 index 00000000000..69a56b6d54d --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-9rrr-65q4-qrrq/GHSA-9rrr-65q4-qrrq.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9rrr-65q4-qrrq", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-45101" + ], + "details": "A privilege escalation vulnerability was discovered when Single Sign On (SSO) is enabled that could allow an attacker to intercept a valid, authenticated LXCA user’s XCC session if they can convince the user to click on a specially crafted URL.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45101" + }, + { + "type": "WEB", + "url": "https://support.lenovo.com/us/en/product_security/LEN-154748" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-319" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-f2v6-mw6x-qmwc/GHSA-f2v6-mw6x-qmwc.json b/advisories/unreviewed/2024/09/GHSA-f2v6-mw6x-qmwc/GHSA-f2v6-mw6x-qmwc.json index 7534c520d1d..08b76a705f4 100644 --- a/advisories/unreviewed/2024/09/GHSA-f2v6-mw6x-qmwc/GHSA-f2v6-mw6x-qmwc.json +++ b/advisories/unreviewed/2024/09/GHSA-f2v6-mw6x-qmwc/GHSA-f2v6-mw6x-qmwc.json @@ -32,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-457" + "CWE-457", + "CWE-908" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-fr4x-3m2g-jm28/GHSA-fr4x-3m2g-jm28.json b/advisories/unreviewed/2024/09/GHSA-fr4x-3m2g-jm28/GHSA-fr4x-3m2g-jm28.json index cd0882175df..d9b309e1b3e 100644 --- a/advisories/unreviewed/2024/09/GHSA-fr4x-3m2g-jm28/GHSA-fr4x-3m2g-jm28.json +++ b/advisories/unreviewed/2024/09/GHSA-fr4x-3m2g-jm28/GHSA-fr4x-3m2g-jm28.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-fr4x-3m2g-jm28", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:47Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-7863" ], "details": "The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:15Z" diff --git a/advisories/unreviewed/2024/09/GHSA-fwj7-298v-7488/GHSA-fwj7-298v-7488.json b/advisories/unreviewed/2024/09/GHSA-fwj7-298v-7488/GHSA-fwj7-298v-7488.json new file mode 100644 index 00000000000..33742836654 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-fwj7-298v-7488/GHSA-fwj7-298v-7488.json 
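Review bot: The second hunk of GHSA-fr4x-3m2g-jm28 raises `database_specific.severity` to `HIGH` but leaves `cwe_ids` empty, although `details` names two distinct weaknesses: unvalidated file upload and missing CSRF checks. `"cwe_ids": ["CWE-434", "CWE-352"]` would match that text. The same gap remains in GHSA-gq5m-j7gp-3x7q and GHSA-gx3x-w926-g8pm (cross-site scripting, `CWE-79`), GHSA-gr4h-g2ph-j8j2 (SQL injection, `CWE-89`) and GHSA-j8r5-27mh-4xh9. Records without a CWE drop out of weakness-based queries and dashboards even once they carry a severity.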
@@ -0,0 +1,58 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fwj7-298v-7488", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-8782" + ], + "details": "A vulnerability was found in JFinalCMS up to 1.0. It has been rated as critical. This issue affects the function delete of the file /admin/template/edit. The manipulation of the argument name leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8782" + }, + { + "type": "WEB", + "url": "https://gitee.com/heyewei/JFinalcms/issues/IAOSJG" + }, + { + "type": "WEB", + "url": "https://github.com/yhy7612/Seccode/blob/main/README1.md" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.277433" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.277433" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.405528" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json b/advisories/unreviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json new file mode 100644 index 00000000000..67be8de619f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g26j-5385-hhw3", + "modified": "2024-09-13T18:31:47Z", + "published": "2024-09-13T18:31:47Z", + "aliases": [ + "CVE-2024-6587" + ], + "details": "A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6587" + }, + { + "type": "WEB", + "url": "https://github.com/berriai/litellm/commit/ba1912afd1b19e38d3704bb156adf887f91ae1e0" + }, + { + "type": "WEB", + "url": "https://huntr.com/bounties/4001e1a2-7b7a-4776-a3ae-e6692ec3d997" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T16:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-gpg6-84h3-cwv8/GHSA-gpg6-84h3-cwv8.json b/advisories/unreviewed/2024/09/GHSA-gpg6-84h3-cwv8/GHSA-gpg6-84h3-cwv8.json index 16f72ddb53b..146eef548e9 100644 --- a/advisories/unreviewed/2024/09/GHSA-gpg6-84h3-cwv8/GHSA-gpg6-84h3-cwv8.json +++ b/advisories/unreviewed/2024/09/GHSA-gpg6-84h3-cwv8/GHSA-gpg6-84h3-cwv8.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-119", "CWE-122" ], "severity": "HIGH", 
diff --git a/advisories/unreviewed/2024/09/GHSA-gq5m-j7gp-3x7q/GHSA-gq5m-j7gp-3x7q.json b/advisories/unreviewed/2024/09/GHSA-gq5m-j7gp-3x7q/GHSA-gq5m-j7gp-3x7q.json index bde0fc7f4d3..78c4a735424 100644 --- a/advisories/unreviewed/2024/09/GHSA-gq5m-j7gp-3x7q/GHSA-gq5m-j7gp-3x7q.json +++ b/advisories/unreviewed/2024/09/GHSA-gq5m-j7gp-3x7q/GHSA-gq5m-j7gp-3x7q.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-gq5m-j7gp-3x7q", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:47Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-6850" ], "details": "The Carousel Slider WordPress plugin before 2.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:15Z" diff --git a/advisories/unreviewed/2024/09/GHSA-gr4h-g2ph-j8j2/GHSA-gr4h-g2ph-j8j2.json b/advisories/unreviewed/2024/09/GHSA-gr4h-g2ph-j8j2/GHSA-gr4h-g2ph-j8j2.json index 33ee09c8528..cd358ae8a2a 100644 --- a/advisories/unreviewed/2024/09/GHSA-gr4h-g2ph-j8j2/GHSA-gr4h-g2ph-j8j2.json +++ b/advisories/unreviewed/2024/09/GHSA-gr4h-g2ph-j8j2/GHSA-gr4h-g2ph-j8j2.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-gr4h-g2ph-j8j2", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:47Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-6723" ], "details": "The AI Engine WordPress plugin before 2.4.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when viewing chatbot discussions.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:15Z" diff --git a/advisories/unreviewed/2024/09/GHSA-gx3x-w926-g8pm/GHSA-gx3x-w926-g8pm.json b/advisories/unreviewed/2024/09/GHSA-gx3x-w926-g8pm/GHSA-gx3x-w926-g8pm.json index f0913d4fd6d..aeb9ceca80c 100644 --- a/advisories/unreviewed/2024/09/GHSA-gx3x-w926-g8pm/GHSA-gx3x-w926-g8pm.json +++ b/advisories/unreviewed/2024/09/GHSA-gx3x-w926-g8pm/GHSA-gx3x-w926-g8pm.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-gx3x-w926-g8pm", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:47Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-7133" ], "details": "The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.3 does not validate and escape some of its settings before outputting them back in the page, which could allow users with a high role to perform Stored Cross-Site Scripting attacks.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:15Z" 
diff --git a/advisories/unreviewed/2024/09/GHSA-hggx-qfvf-7mfh/GHSA-hggx-qfvf-7mfh.json b/advisories/unreviewed/2024/09/GHSA-hggx-qfvf-7mfh/GHSA-hggx-qfvf-7mfh.json index e6a75c36020..15cc004546b 100644 --- a/advisories/unreviewed/2024/09/GHSA-hggx-qfvf-7mfh/GHSA-hggx-qfvf-7mfh.json +++ b/advisories/unreviewed/2024/09/GHSA-hggx-qfvf-7mfh/GHSA-hggx-qfvf-7mfh.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hggx-qfvf-7mfh", - "modified": "2024-09-13T06:30:42Z", + "modified": "2024-09-13T18:31:45Z", "published": "2024-09-13T06:30:42Z", "aliases": [ "CVE-2024-46673" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: aacraid: Fix double-free on probe failure\n\naac_probe_one() calls hardware-specific init functions through the\naac_driver_ident::init pointer, all of which eventually call down to\naac_init_adapter().\n\nIf aac_init_adapter() fails after allocating memory for aac_dev::queues,\nit frees the memory but does not clear that member.\n\nAfter the hardware-specific init function returns an error,\naac_probe_one() goes down an error path that frees the memory pointed to\nby aac_dev::queues, resulting.in a double-free.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -53,9 +56,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-415" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:11Z" diff --git a/advisories/unreviewed/2024/09/GHSA-hwwh-7cg2-3v75/GHSA-hwwh-7cg2-3v75.json b/advisories/unreviewed/2024/09/GHSA-hwwh-7cg2-3v75/GHSA-hwwh-7cg2-3v75.json new file mode 100644 index 00000000000..98ad5c078b8 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-hwwh-7cg2-3v75/GHSA-hwwh-7cg2-3v75.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hwwh-7cg2-3v75", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-45104" + ], + "details": "A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45104" + }, + { + "type": "WEB", + "url": "https://support.lenovo.com/us/en/product_security/LEN-154748" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-282" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-j8r5-27mh-4xh9/GHSA-j8r5-27mh-4xh9.json b/advisories/unreviewed/2024/09/GHSA-j8r5-27mh-4xh9/GHSA-j8r5-27mh-4xh9.json index 55e33b9f8e6..f3fd71c9265 100644 --- a/advisories/unreviewed/2024/09/GHSA-j8r5-27mh-4xh9/GHSA-j8r5-27mh-4xh9.json +++ b/advisories/unreviewed/2024/09/GHSA-j8r5-27mh-4xh9/GHSA-j8r5-27mh-4xh9.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-j8r5-27mh-4xh9", - "modified": "2024-09-11T18:31:05Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-09-11T18:31:05Z", "aliases": [ "CVE-2024-45017" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix IPsec RoCE MPV trace call\n\nPrevent the call trace below from happening, by not allowing IPsec\ncreation over a slave, if master device doesn't support IPsec.\n\nWARNING: CPU: 44 PID: 16136 at kernel/locking/rwsem.c:240 down_read+0x75/0x94\nModules linked in: esp4_offload esp4 act_mirred act_vlan cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa mst_pciconf(OE) nfsv3 nfs_acl nfs lockd grace fscache netfs xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill cuse fuse rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm ipmi_ssif intel_rapl_msr intel_rapl_common amd64_edac edac_mce_amd kvm_amd kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel sha1_ssse3 dell_smbios ib_uverbs aesni_intel crypto_simd dcdbas wmi_bmof dell_wmi_descriptor cryptd pcspkr ib_core acpi_ipmi sp5100_tco ccp i2c_piix4 ipmi_si ptdma k10temp ipmi_devintf ipmi_msghandler acpi_power_meter acpi_cpufreq ext4 mbcache jbd2 sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect mlx5_core sysimgblt fb_sys_fops cec\n ahci libahci mlxfw drm pci_hyperv_intf libata tg3 sha256_ssse3 tls megaraid_sas i2c_algo_bit psample wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mst_pci]\nCPU: 44 PID: 16136 Comm: kworker/44:3 Kdump: loaded Tainted: GOE 5.15.0-20240509.el8uek.uek7_u3_update_v6.6_ipsec_bf.x86_64 #2\nHardware name: Dell Inc. 
PowerEdge R7525/074H08, BIOS 2.0.3 01/15/2021\nWorkqueue: events xfrm_state_gc_task\nRIP: 0010:down_read+0x75/0x94\nCode: 00 48 8b 45 08 65 48 8b 14 25 80 fc 01 00 83 e0 02 48 09 d0 48 83 c8 01 48 89 45 08 5d 31 c0 89 c2 89 c6 89 c7 e9 cb 88 3b 00 <0f> 0b 48 8b 45 08 a8 01 74 b2 a8 02 75 ae 48 89 c2 48 83 ca 02 f0\nRSP: 0018:ffffb26387773da8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffa08b658af900 RCX: 0000000000000001\nRDX: 0000000000000000 RSI: ff886bc5e1366f2f RDI: 0000000000000000\nRBP: ffffa08b658af940 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffa0a9bfb31540\nR13: ffffa0a9bfb37900 R14: 0000000000000000 R15: ffffa0a9bfb37905\nFS: 0000000000000000(0000) GS:ffffa0a9bfb00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055a45ed814e8 CR3: 000000109038a000 CR4: 0000000000350ee0\nCall Trace:\n \n ? show_trace_log_lvl+0x1d6/0x2f9\n ? show_trace_log_lvl+0x1d6/0x2f9\n ? mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core]\n ? down_read+0x75/0x94\n ? __warn+0x80/0x113\n ? down_read+0x75/0x94\n ? report_bug+0xa4/0x11d\n ? handle_bug+0x35/0x8b\n ? exc_invalid_op+0x14/0x75\n ? asm_exc_invalid_op+0x16/0x1b\n ? down_read+0x75/0x94\n ? down_read+0xe/0x94\n mlx5_devcom_for_each_peer_begin+0x29/0x60 [mlx5_core]\n mlx5_ipsec_fs_roce_tx_destroy+0xb1/0x130 [mlx5_core]\n tx_destroy+0x1b/0xc0 [mlx5_core]\n tx_ft_put+0x53/0xc0 [mlx5_core]\n mlx5e_xfrm_free_state+0x45/0x90 [mlx5_core]\n ___xfrm_state_destroy+0x10f/0x1a2\n xfrm_state_gc_task+0x81/0xa9\n process_one_work+0x1f1/0x3c6\n worker_thread+0x53/0x3e4\n ? process_one_work.cold+0x46/0x3c\n kthread+0x127/0x144\n ? set_kthread_struct+0x60/0x52\n ret_from_fork+0x22/0x2d\n \n---[ end trace 5ef7896144d398e1 ]---", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
@@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:06Z" diff --git a/advisories/unreviewed/2024/09/GHSA-jf76-2c3p-rhc5/GHSA-jf76-2c3p-rhc5.json b/advisories/unreviewed/2024/09/GHSA-jf76-2c3p-rhc5/GHSA-jf76-2c3p-rhc5.json index 48fb462f66e..c520547a05e 100644 --- a/advisories/unreviewed/2024/09/GHSA-jf76-2c3p-rhc5/GHSA-jf76-2c3p-rhc5.json +++ b/advisories/unreviewed/2024/09/GHSA-jf76-2c3p-rhc5/GHSA-jf76-2c3p-rhc5.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jf76-2c3p-rhc5", - "modified": "2024-09-11T18:31:06Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:06Z", "aliases": [ "CVE-2024-45020" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a kernel verifier crash in stacksafe()\n\nDaniel Hodges reported a kernel verifier crash when playing with sched-ext.\nFurther investigation shows that the crash is due to invalid memory access\nin stacksafe(). More specifically, it is the following code:\n\n if (exact != NOT_EXACT &&\n old->stack[spi].slot_type[i % BPF_REG_SIZE] !=\n cur->stack[spi].slot_type[i % BPF_REG_SIZE])\n return false;\n\nThe 'i' iterates old->allocated_stack.\nIf cur->allocated_stack < old->allocated_stack the out-of-bound\naccess will happen.\n\nTo fix the issue add 'i >= cur->allocated_stack' check such that if\nthe condition is true, stacksafe() should fail. Otherwise,\ncur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" 
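Review bot: In GHSA-jf76-2c3p-rhc5 the second hunk sets `"CWE-787"` (out-of-bounds write), but the `details` text describes an invalid access while comparing `old->stack[spi].slot_type[...]` with `cur->stack[spi].slot_type[...]`. That reads as an out-of-bounds read, and the added vector carries `I:N`, so `"CWE-125"` would match the description better if the upstream record allows it. The same `"CWE-787"` label on GHSA-p5xc-g9x9-74jh further down also looks doubtful, since that description is about returning unrecovered RAID1 data because a recovery check is missing, not about a write past a buffer. Weakness-based queries and dashboards will misfile both records until the mapping is corrected at the source.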
diff --git a/advisories/unreviewed/2024/09/GHSA-jfgw-v3p5-42qh/GHSA-jfgw-v3p5-42qh.json b/advisories/unreviewed/2024/09/GHSA-jfgw-v3p5-42qh/GHSA-jfgw-v3p5-42qh.json index db639ac0253..b3bcc960a96 100644 --- a/advisories/unreviewed/2024/09/GHSA-jfgw-v3p5-42qh/GHSA-jfgw-v3p5-42qh.json +++ b/advisories/unreviewed/2024/09/GHSA-jfgw-v3p5-42qh/GHSA-jfgw-v3p5-42qh.json @@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jfgw-v3p5-42qh", - "modified": "2024-09-11T21:30:36Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:07Z", "aliases": [ "CVE-2024-7312" ], "details": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2024/09/GHSA-jfrm-qx4v-5m72/GHSA-jfrm-qx4v-5m72.json b/advisories/unreviewed/2024/09/GHSA-jfrm-qx4v-5m72/GHSA-jfrm-qx4v-5m72.json new file mode 100644 index 00000000000..feaccdbf027 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-jfrm-qx4v-5m72/GHSA-jfrm-qx4v-5m72.json 
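Review bot: The `CVSS_V3` vector added to GHSA-jfgw-v3p5-42qh (`AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`) disagrees with the existing `CVSS_V4` entry on almost every exploitability metric. The v4 vector says `AV:L/AC:H/PR:H/UI:A` with high impact, while v3 says network, low complexity, no privileges and low impact. A consumer that reads only one element of the `severity` array will rank this advisory very differently depending on which it picks. The description (open redirect in the REST management interface allowing session hijacking) reads closer to the v3 vector, so the v4 entry presumably deserves a second look. This hunk does not show `database_specific.severity`, so which vector drives the label cannot be checked here.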
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jfrm-qx4v-5m72", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-8278" + ], + "details": "A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8278" + }, + { + "type": "WEB", + "url": "https://support.lenovo.com/us/en/product_security/LEN-172051" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-jhgj-6hmm-vm6v/GHSA-jhgj-6hmm-vm6v.json b/advisories/unreviewed/2024/09/GHSA-jhgj-6hmm-vm6v/GHSA-jhgj-6hmm-vm6v.json new file mode 100644 index 00000000000..3dde404e251 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-jhgj-6hmm-vm6v/GHSA-jhgj-6hmm-vm6v.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jhgj-6hmm-vm6v", + "modified": "2024-09-13T18:31:47Z", + "published": "2024-09-13T18:31:47Z", + "aliases": [ + "CVE-2024-44685" + ], + "details": "Titan SFTP and Titan MFT Server 2.0.25.2426 and earlier have a vulnerability a vulnerability where sensitive information, including passwords, is exposed in clear text within the JSON response when configuring SMTP settings via the Web UI.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44685" + }, + { + "type": "WEB", + "url": "https://github.com/ShellFighter/Reports/blob/main/Titan%20MFT%20Server.md" + }, + { + "type": "WEB", + "url": "https://helpdesk.southrivertech.com/portal/en/kb/articles/security-patch-for-cve-2024-44685" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T16:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-jhh2-7qpr-2pv5/GHSA-jhh2-7qpr-2pv5.json b/advisories/unreviewed/2024/09/GHSA-jhh2-7qpr-2pv5/GHSA-jhh2-7qpr-2pv5.json index bfff8143ac5..dfbe41d7a0c 100644 --- a/advisories/unreviewed/2024/09/GHSA-jhh2-7qpr-2pv5/GHSA-jhh2-7qpr-2pv5.json +++ b/advisories/unreviewed/2024/09/GHSA-jhh2-7qpr-2pv5/GHSA-jhh2-7qpr-2pv5.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jhh2-7qpr-2pv5", - "modified": "2024-09-13T15:31:34Z", + "modified": "2024-09-13T18:31:47Z", "published": "2024-09-13T15:31:34Z", "aliases": [ "CVE-2024-46045" ], "details": "Tenda CH22 V1.0.0.6(468) has a stack overflow vulnerability located in the frmL7PlotForm function.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ 
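Review bot: The new GHSA-jhgj-6hmm-vm6v record is published with an empty `severity` array, empty `cwe_ids` and `"severity": null`, although its `details` text plainly describes passwords returned in clear text in a JSON response. Until upstream scoring arrives the advisory is invisible to severity-threshold filters, so triage should not treat the null label as "low". The same applies to the new GHSA-jm4p-4c99-gp7x, GHSA-r89w-9fr4-c7c9 and GHSA-vfwm-h968-g65h records in this commit. The `details` string also repeats "a vulnerability a vulnerability", presumably inherited from the source description and best corrected there.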
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-121" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T14:15:14Z" diff --git a/advisories/unreviewed/2024/09/GHSA-jm4p-4c99-gp7x/GHSA-jm4p-4c99-gp7x.json b/advisories/unreviewed/2024/09/GHSA-jm4p-4c99-gp7x/GHSA-jm4p-4c99-gp7x.json new file mode 100644 index 00000000000..fdd0a44a91a --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-jm4p-4c99-gp7x/GHSA-jm4p-4c99-gp7x.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jm4p-4c99-gp7x", + "modified": "2024-09-13T18:31:47Z", + "published": "2024-09-13T18:31:47Z", + "aliases": [ + "CVE-2024-44798" + ], + "details": "phpgurukul Bus Pass Management System 1.0 is vulnerable to Cross-site scripting (XSS) in /admin/pass-bwdates-reports-details.php via fromdate and todate parameters.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44798" + }, + { + "type": "WEB", + "url": "https://github.com/shouvikdutta1998/Bus_management" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T16:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-jrpv-cgg9-hfmj/GHSA-jrpv-cgg9-hfmj.json b/advisories/unreviewed/2024/09/GHSA-jrpv-cgg9-hfmj/GHSA-jrpv-cgg9-hfmj.json index 4a0dd0d57f7..f4652a2e291 100644 --- a/advisories/unreviewed/2024/09/GHSA-jrpv-cgg9-hfmj/GHSA-jrpv-cgg9-hfmj.json +++ b/advisories/unreviewed/2024/09/GHSA-jrpv-cgg9-hfmj/GHSA-jrpv-cgg9-hfmj.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jrpv-cgg9-hfmj", - "modified": "2024-09-11T18:31:06Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:06Z", "aliases": [ "CVE-2024-45018" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: initialise extack before use\n\nFix missing initialisation of extack in flow offload.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -45,9 +48,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-665" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:06Z" diff --git a/advisories/unreviewed/2024/09/GHSA-m2wr-9pq6-49jc/GHSA-m2wr-9pq6-49jc.json b/advisories/unreviewed/2024/09/GHSA-m2wr-9pq6-49jc/GHSA-m2wr-9pq6-49jc.json index d7baf3ca4cc..2230ea4b559 100644 --- a/advisories/unreviewed/2024/09/GHSA-m2wr-9pq6-49jc/GHSA-m2wr-9pq6-49jc.json +++ b/advisories/unreviewed/2024/09/GHSA-m2wr-9pq6-49jc/GHSA-m2wr-9pq6-49jc.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-352" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-m3hv-89f3-wrrc/GHSA-m3hv-89f3-wrrc.json b/advisories/unreviewed/2024/09/GHSA-m3hv-89f3-wrrc/GHSA-m3hv-89f3-wrrc.json index e2bfcf62bfe..4194e6775c8 100644 --- a/advisories/unreviewed/2024/09/GHSA-m3hv-89f3-wrrc/GHSA-m3hv-89f3-wrrc.json +++ b/advisories/unreviewed/2024/09/GHSA-m3hv-89f3-wrrc/GHSA-m3hv-89f3-wrrc.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-m3hv-89f3-wrrc", - "modified": "2024-09-11T18:31:06Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:06Z", "aliases": [ "CVE-2024-45027" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup()\n\nIf xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop\nup the damage. If it fails early enough, before xhci->interrupters\nis allocated but after xhci->max_interrupters has been set, which\nhappens in most (all?) cases, things get uglier, as xhci_mem_cleanup()\nunconditionally derefences xhci->interrupters. With prejudice.\n\nGate the interrupt freeing loop with a check on xhci->interrupters\nbeing non-NULL.\n\nFound while debugging a DMA allocation issue that led the XHCI driver\non this exact path.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-459" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" diff --git a/advisories/unreviewed/2024/09/GHSA-m48w-79jh-f8w7/GHSA-m48w-79jh-f8w7.json b/advisories/unreviewed/2024/09/GHSA-m48w-79jh-f8w7/GHSA-m48w-79jh-f8w7.json index cbe9afd7c94..e436bf50c5d 100644 --- a/advisories/unreviewed/2024/09/GHSA-m48w-79jh-f8w7/GHSA-m48w-79jh-f8w7.json +++ b/advisories/unreviewed/2024/09/GHSA-m48w-79jh-f8w7/GHSA-m48w-79jh-f8w7.json 
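Review bot: `"CWE-459"` (incomplete cleanup) in the second hunk of GHSA-m3hv-89f3-wrrc does not match the `details` text. The text describes `xhci_mem_cleanup()` dereferencing `xhci->interrupters` before it has been allocated, and a fix that gates the loop on the pointer being non-NULL. That is a NULL pointer dereference, for which `"CWE-476"` is the usual label, and the added `A:H`-only vector is consistent with that reading. Correcting it at the source would let weakness-based queries find the record.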
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-m48w-79jh-f8w7", - "modified": "2024-09-12T21:32:02Z", + "modified": "2024-09-13T18:31:45Z", "published": "2024-09-12T21:32:02Z", "aliases": [ "CVE-2024-25270" ], "details": "An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulnerability by manipulating the ID parameter and increment STEP parameter, leading to the exposure of sensitive user data.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-639" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-12T19:15:03Z" diff --git a/advisories/unreviewed/2024/09/GHSA-mfw6-959v-265j/GHSA-mfw6-959v-265j.json b/advisories/unreviewed/2024/09/GHSA-mfw6-959v-265j/GHSA-mfw6-959v-265j.json index 31c801f1e6d..a9848379ac0 100644 --- a/advisories/unreviewed/2024/09/GHSA-mfw6-959v-265j/GHSA-mfw6-959v-265j.json +++ b/advisories/unreviewed/2024/09/GHSA-mfw6-959v-265j/GHSA-mfw6-959v-265j.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mfw6-959v-265j", - "modified": "2024-09-11T18:31:05Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-09-11T18:31:05Z", "aliases": [ "CVE-2024-45010" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only mark 'subflow' endp as available\n\nAdding the following warning ...\n\n WARN_ON_ONCE(msk->pm.local_addr_used == 0)\n\n... before decrementing the local_addr_used counter helped to find a bug\nwhen running the \"remove single address\" subtest from the mptcp_join.sh\nselftests.\n\nRemoving a 'signal' endpoint will trigger the removal of all subflows\nlinked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with\nrm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used\ncounter, which is wrong in this case because this counter is linked to\n'subflow' endpoints, and here it is a 'signal' endpoint that is being\nremoved.\n\nNow, the counter is decremented, only if the ID is being used outside\nof mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and\nif the ID is not 0 -- local_addr_used is not taking into account these\nones. This marking of the ID as being available, and the decrement is\ndone no matter if a subflow using this ID is currently available,\nbecause the subflow could have been closed before.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -39,7 +42,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:06Z" diff --git a/advisories/unreviewed/2024/09/GHSA-mpm4-ggh2-c745/GHSA-mpm4-ggh2-c745.json b/advisories/unreviewed/2024/09/GHSA-mpm4-ggh2-c745/GHSA-mpm4-ggh2-c745.json index dcbfa4c454b..bf53624c756 100644 --- a/advisories/unreviewed/2024/09/GHSA-mpm4-ggh2-c745/GHSA-mpm4-ggh2-c745.json 
+++ b/advisories/unreviewed/2024/09/GHSA-mpm4-ggh2-c745/GHSA-mpm4-ggh2-c745.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mpm4-ggh2-c745", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:46Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-46699" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Disable preemption while updating GPU stats\n\nWe forgot to disable preemption around the write_seqcount_begin/end() pair\nwhile updating GPU stats:\n\n [ ] WARNING: CPU: 2 PID: 12 at include/linux/seqlock.h:221 __seqprop_assert.isra.0+0x128/0x150 [v3d]\n [ ] Workqueue: v3d_bin drm_sched_run_job_work [gpu_sched]\n <...snip...>\n [ ] Call trace:\n [ ] __seqprop_assert.isra.0+0x128/0x150 [v3d]\n [ ] v3d_job_start_stats.isra.0+0x90/0x218 [v3d]\n [ ] v3d_bin_job_run+0x23c/0x388 [v3d]\n [ ] drm_sched_run_job_work+0x520/0x6d0 [gpu_sched]\n [ ] process_one_work+0x62c/0xb48\n [ ] worker_thread+0x468/0x5b0\n [ ] kthread+0x1c4/0x1e0\n [ ] ret_from_fork+0x10/0x20\n\nFix it.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:14Z" diff --git a/advisories/unreviewed/2024/09/GHSA-p5f6-v7vq-6742/GHSA-p5f6-v7vq-6742.json b/advisories/unreviewed/2024/09/GHSA-p5f6-v7vq-6742/GHSA-p5f6-v7vq-6742.json new file mode 100644 index 00000000000..46a65114f88 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-p5f6-v7vq-6742/GHSA-p5f6-v7vq-6742.json 
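Review bot: The vector added to GHSA-mpm4-ggh2-c745 claims `C:H/I:H/A:H` and the label becomes `"HIGH"`, but the `details` text shows only a WARNING from `__seqprop_assert`, caused by missing preemption disabling around a seqcount write while updating GPU stats. Nothing in the visible description supports confidentiality or integrity impact, and `cwe_ids` stays empty. Several other kernel advisories in this commit with warning- or crash-type descriptions carry `C:N/I:N/A:H`, so this score looks like a default rather than an analysed value. The HIGH label is best treated as provisional when prioritising patches.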
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p5f6-v7vq-6742", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-45103" + ], + "details": "A valid, authenticated LXCA user may be able to unmanage an LXCA managed device in through the LXCA web interface without sufficient privileges.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45103" + }, + { + "type": "WEB", + "url": "https://support.lenovo.com/us/en/product_security/LEN-154748" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-282" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-p5xc-g9x9-74jh/GHSA-p5xc-g9x9-74jh.json b/advisories/unreviewed/2024/09/GHSA-p5xc-g9x9-74jh/GHSA-p5xc-g9x9-74jh.json index 3120a5eb309..ccb7c5d754b 100644 --- a/advisories/unreviewed/2024/09/GHSA-p5xc-g9x9-74jh/GHSA-p5xc-g9x9-74jh.json +++ b/advisories/unreviewed/2024/09/GHSA-p5xc-g9x9-74jh/GHSA-p5xc-g9x9-74jh.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-p5xc-g9x9-74jh", - "modified": "2024-09-11T18:31:06Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:06Z", "aliases": [ "CVE-2024-45023" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1: Fix data corruption for degraded array with slow disk\n\nread_balance() will avoid reading from slow disks as much as possible,\nhowever, if valid data only lands in slow disks, and a new normal disk\nis still in recovery, unrecovered data can be read:\n\nraid1_read_request\n read_balance\n raid1_should_read_first\n -> return false\n choose_best_rdev\n -> normal disk is not recovered, return -1\n choose_bb_rdev\n -> missing the checking of recovery, return the normal disk\n -> read unrecovered data\n\nRoot cause is that the checking of recovery is missing in\nchoose_bb_rdev(). Hence add such checking to fix the problem.\n\nAlso fix similar problem in choose_slow_rdev().", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" diff --git a/advisories/unreviewed/2024/09/GHSA-p9p3-pvmx-pxrh/GHSA-p9p3-pvmx-pxrh.json b/advisories/unreviewed/2024/09/GHSA-p9p3-pvmx-pxrh/GHSA-p9p3-pvmx-pxrh.json index c5dca3ff8f9..6cb88a78847 100644 --- a/advisories/unreviewed/2024/09/GHSA-p9p3-pvmx-pxrh/GHSA-p9p3-pvmx-pxrh.json +++ b/advisories/unreviewed/2024/09/GHSA-p9p3-pvmx-pxrh/GHSA-p9p3-pvmx-pxrh.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-77", "CWE-94" ], "severity": "CRITICAL", 
diff --git a/advisories/unreviewed/2024/09/GHSA-pc7p-wr8c-6r5f/GHSA-pc7p-wr8c-6r5f.json b/advisories/unreviewed/2024/09/GHSA-pc7p-wr8c-6r5f/GHSA-pc7p-wr8c-6r5f.json index 29e02814d70..41c4e5de8a6 100644 --- a/advisories/unreviewed/2024/09/GHSA-pc7p-wr8c-6r5f/GHSA-pc7p-wr8c-6r5f.json +++ b/advisories/unreviewed/2024/09/GHSA-pc7p-wr8c-6r5f/GHSA-pc7p-wr8c-6r5f.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-pc7p-wr8c-6r5f", - "modified": "2024-09-11T18:31:07Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:07Z", "aliases": [ "CVE-2024-45030" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: cope with large MAX_SKB_FRAGS\n\nSabrina reports that the igb driver does not cope well with large\nMAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload\ncorruption on TX.\n\nAn easy reproducer is to run ssh to connect to the machine. With\nMAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails. This has\nbeen reported originally in\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2265320\n\nThe root cause of the issue is that the driver does not take into\naccount properly the (possibly large) shared info size when selecting\nthe ring layout, and will try to fit two packets inside the same 4K\npage even when the 1st fraglist will trump over the 2nd head.\n\nAddress the issue by checking if 2K buffers are insufficient.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" diff --git a/advisories/unreviewed/2024/09/GHSA-q53p-qm4c-c2wj/GHSA-q53p-qm4c-c2wj.json b/advisories/unreviewed/2024/09/GHSA-q53p-qm4c-c2wj/GHSA-q53p-qm4c-c2wj.json index db2f2a522f8..65a41c96879 100644 
--- a/advisories/unreviewed/2024/09/GHSA-q53p-qm4c-c2wj/GHSA-q53p-qm4c-c2wj.json +++ b/advisories/unreviewed/2024/09/GHSA-q53p-qm4c-c2wj/GHSA-q53p-qm4c-c2wj.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-q53p-qm4c-c2wj", - "modified": "2024-09-11T18:31:05Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-09-11T18:31:05Z", "aliases": [ "CVE-2024-45016" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetem: fix return value if duplicate enqueue fails\n\nThere is a bug in netem_enqueue() introduced by\ncommit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\")\nthat can lead to a use-after-free.\n\nThis commit made netem_enqueue() always return NET_XMIT_SUCCESS\nwhen a packet is duplicated, which can cause the parent qdisc's q.qlen\nto be mistakenly incremented. When this happens qlen_notify() may be\nskipped on the parent during destruction, leaving a dangling pointer\nfor some classful qdiscs like DRR.\n\nThere are two ways for the bug happen:\n\n- If the duplicated packet is dropped by rootq->enqueue() and then\n the original packet is also dropped.\n- If rootq->enqueue() sends the duplicated packet to a different qdisc\n and the original packet is dropped.\n\nIn both cases NET_XMIT_SUCCESS is returned even though no packets\nare enqueued at the netem qdisc.\n\nThe fix is to defer the enqueue of the duplicate packet until after\nthe original packet has been guaranteed to return NET_XMIT_SUCCESS.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -49,9 +52,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:06Z" 
diff --git a/advisories/unreviewed/2024/09/GHSA-q7vm-868g-mvqm/GHSA-q7vm-868g-mvqm.json b/advisories/unreviewed/2024/09/GHSA-q7vm-868g-mvqm/GHSA-q7vm-868g-mvqm.json new file mode 100644 index 00000000000..ec2cc84a264 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-q7vm-868g-mvqm/GHSA-q7vm-868g-mvqm.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q7vm-868g-mvqm", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-7756" + ], + "details": "A potential vulnerability was reported in the ThinkPad L390 Yoga and 10w Notebook that could allow a local attacker to escalate privileges by accessing an embedded UEFI shell.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7756" + }, + { + "type": "WEB", + "url": "https://support.lenovo.com/us/en/product_security/LEN-165524" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-489" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-q993-jv9q-jjjm/GHSA-q993-jv9q-jjjm.json b/advisories/unreviewed/2024/09/GHSA-q993-jv9q-jjjm/GHSA-q993-jv9q-jjjm.json index 9c46e1cb6cc..357804b7d95 100644 --- a/advisories/unreviewed/2024/09/GHSA-q993-jv9q-jjjm/GHSA-q993-jv9q-jjjm.json +++ b/advisories/unreviewed/2024/09/GHSA-q993-jv9q-jjjm/GHSA-q993-jv9q-jjjm.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-119", "CWE-122" ], "severity": "HIGH", diff --git a/advisories/unreviewed/2024/09/GHSA-r268-64hq-mv45/GHSA-r268-64hq-mv45.json b/advisories/unreviewed/2024/09/GHSA-r268-64hq-mv45/GHSA-r268-64hq-mv45.json index ed8398b741f..a26e2b44b3b 100644 
--- a/advisories/unreviewed/2024/09/GHSA-r268-64hq-mv45/GHSA-r268-64hq-mv45.json +++ b/advisories/unreviewed/2024/09/GHSA-r268-64hq-mv45/GHSA-r268-64hq-mv45.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-200" + "CWE-200", + "CWE-611" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-r3gx-4wx6-8mr3/GHSA-r3gx-4wx6-8mr3.json b/advisories/unreviewed/2024/09/GHSA-r3gx-4wx6-8mr3/GHSA-r3gx-4wx6-8mr3.json index aec439f112d..a94516482cb 100644 --- a/advisories/unreviewed/2024/09/GHSA-r3gx-4wx6-8mr3/GHSA-r3gx-4wx6-8mr3.json +++ b/advisories/unreviewed/2024/09/GHSA-r3gx-4wx6-8mr3/GHSA-r3gx-4wx6-8mr3.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-r3gx-4wx6-8mr3", - "modified": "2024-09-13T06:30:42Z", + "modified": "2024-09-13T18:31:46Z", "published": "2024-09-13T06:30:42Z", "aliases": [ "CVE-2024-46674" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: st: fix probed platform device ref count on probe error path\n\nThe probe function never performs any paltform device allocation, thus\nerror path \"undo_platform_dev_alloc\" is entirely bogus. It drops the\nreference count from the platform device being probed. If error path is\ntriggered, this will lead to unbalanced device reference counts and\npremature release of device resources, thus possible use-after-free when\nreleasing remaining devm-managed resources.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -53,9 +56,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:12Z" 
diff --git a/advisories/unreviewed/2024/09/GHSA-r89w-9fr4-c7c9/GHSA-r89w-9fr4-c7c9.json b/advisories/unreviewed/2024/09/GHSA-r89w-9fr4-c7c9/GHSA-r89w-9fr4-c7c9.json new file mode 100644 index 00000000000..9ac96bbfad3 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-r89w-9fr4-c7c9/GHSA-r89w-9fr4-c7c9.json @@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r89w-9fr4-c7c9", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-39925" + ], + "details": "An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs. Consequently, the departing member, whose access should be revoked, retains a copy of the organization key. Additionally, the application fails to adequately protect some encrypted data stored on the server. Consequently, an authenticated user could gain unauthorized access to encrypted data of any organization, even if the user is not a member of the targeted organization. However, the user would need to know the corresponding organizationId. Hence, if a user (whose access to an organization has been revoked) already possesses the organization key, that user could use the key to decrypt the leaked data.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39925" + }, + { + "type": "WEB", + "url": "https://github.com/dani-garcia/vaultwarden/releases" + }, + { + "type": "WEB", + "url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:03Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-rhqc-rfxh-qj7g/GHSA-rhqc-rfxh-qj7g.json b/advisories/unreviewed/2024/09/GHSA-rhqc-rfxh-qj7g/GHSA-rhqc-rfxh-qj7g.json index 78b0a45fa7f..92c925a5093 100644 --- a/advisories/unreviewed/2024/09/GHSA-rhqc-rfxh-qj7g/GHSA-rhqc-rfxh-qj7g.json +++ b/advisories/unreviewed/2024/09/GHSA-rhqc-rfxh-qj7g/GHSA-rhqc-rfxh-qj7g.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-rhqc-rfxh-qj7g", - "modified": "2024-09-12T12:30:28Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-09-11T18:31:04Z", "aliases": [ "CVE-2024-45009" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only decrement add_addr_accepted for MPJ req\n\nAdding the following warning ...\n\n WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)\n\n... before decrementing the add_addr_accepted counter helped to find a\nbug when running the \"remove single subflow\" subtest from the\nmptcp_join.sh selftest.\n\nRemoving a 'subflow' endpoint will first trigger a RM_ADDR, then the\nsubflow closure. Before this patch, and upon the reception of the\nRM_ADDR, the other peer will then try to decrement this\nadd_addr_accepted. That's not correct because the attached subflows have\nnot been created upon the reception of an ADD_ADDR.\n\nA way to solve that is to decrement the counter only if the attached\nsubflow was an MP_JOIN to a remote id that was not 0, and initiated by\nthe host receiving the RM_ADDR.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -43,7 +46,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:06Z" diff --git a/advisories/unreviewed/2024/09/GHSA-rp3x-cq62-cvh4/GHSA-rp3x-cq62-cvh4.json b/advisories/unreviewed/2024/09/GHSA-rp3x-cq62-cvh4/GHSA-rp3x-cq62-cvh4.json index f83e15bac4d..43c5a448a32 100644 
--- a/advisories/unreviewed/2024/09/GHSA-rp3x-cq62-cvh4/GHSA-rp3x-cq62-cvh4.json +++ b/advisories/unreviewed/2024/09/GHSA-rp3x-cq62-cvh4/GHSA-rp3x-cq62-cvh4.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json b/advisories/unreviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json new file mode 100644 index 00000000000..83eb725eb97 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v6x6-4v4x-2fx9", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-6862" + ], + "details": "A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6862" + }, + { + "type": "WEB", + "url": "https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54" + }, + { + "type": "WEB", + "url": "https://huntr.com/bounties/0b1d851e-3455-480c-ad5a-23565894976f" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-352" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T17:15:13Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-vfwm-h968-g65h/GHSA-vfwm-h968-g65h.json b/advisories/unreviewed/2024/09/GHSA-vfwm-h968-g65h/GHSA-vfwm-h968-g65h.json new file mode 100644 index 00000000000..35044b5fc1b --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-vfwm-h968-g65h/GHSA-vfwm-h968-g65h.json @@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vfwm-h968-g65h", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-39926" + ], + "details": "An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator's browser when viewing the injected content. However, it is important to note that the default Content Security Policy (CSP) of the application blocks most exploitation paths, significantly mitigating the potential impact.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39926" + }, + { + "type": "WEB", + "url": "https://github.com/dani-garcia/vaultwarden/blob/1.30.3/src/static/scripts/admin_users.js#L201" + }, + { + "type": "WEB", + "url": "https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T18:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-vg62-5q72-657x/GHSA-vg62-5q72-657x.json b/advisories/unreviewed/2024/09/GHSA-vg62-5q72-657x/GHSA-vg62-5q72-657x.json index 0080d4202ca..aefa55ab41c 100644 --- a/advisories/unreviewed/2024/09/GHSA-vg62-5q72-657x/GHSA-vg62-5q72-657x.json 
+++ b/advisories/unreviewed/2024/09/GHSA-vg62-5q72-657x/GHSA-vg62-5q72-657x.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-vg62-5q72-657x", - "modified": "2024-09-13T15:31:34Z", + "modified": "2024-09-13T18:31:47Z", "published": "2024-09-13T15:31:34Z", "aliases": [ "CVE-2024-46047" ], "details": "Tenda FH451 v1.0.0.9 has a stack overflow vulnerability in the fromDhcpListClient function.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-121" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T14:15:14Z" diff --git a/advisories/unreviewed/2024/09/GHSA-vp87-57rp-pq64/GHSA-vp87-57rp-pq64.json b/advisories/unreviewed/2024/09/GHSA-vp87-57rp-pq64/GHSA-vp87-57rp-pq64.json new file mode 100644 index 00000000000..4cffe842f59 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-vp87-57rp-pq64/GHSA-vp87-57rp-pq64.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vp87-57rp-pq64",
+ "modified": "2024-09-13T18:31:48Z",
+ "published": "2024-09-13T18:31:48Z",
+ "aliases": [
+ "CVE-2024-8279"
+ ],
+ "details": "A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8279"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.lenovo.com/us/en/product_security/LEN-172051"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T18:15:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-w25j-fg8w-7xmx/GHSA-w25j-fg8w-7xmx.json b/advisories/unreviewed/2024/09/GHSA-w25j-fg8w-7xmx/GHSA-w25j-fg8w-7xmx.json
new file mode 100644
index 00000000000..454412cda7d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-w25j-fg8w-7xmx/GHSA-w25j-fg8w-7xmx.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w25j-fg8w-7xmx",
+ "modified": "2024-09-13T18:31:48Z",
+ "published": "2024-09-13T18:31:48Z",
+ "aliases": [
+ "CVE-2024-8281"
+ ],
+ "details": "An input validation weakness was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection through specially crafted command line input in the XCC SSH captive shell.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8281"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.lenovo.com/us/en/product_security/LEN-172051"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T18:15:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-w6fj-6wrc-6vhr/GHSA-w6fj-6wrc-6vhr.json b/advisories/unreviewed/2024/09/GHSA-w6fj-6wrc-6vhr/GHSA-w6fj-6wrc-6vhr.json
index 162149fe2cc..6b21d35290d 100644
--- a/advisories/unreviewed/2024/09/GHSA-w6fj-6wrc-6vhr/GHSA-w6fj-6wrc-6vhr.json
+++ b/advisories/unreviewed/2024/09/GHSA-w6fj-6wrc-6vhr/GHSA-w6fj-6wrc-6vhr.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-w6fj-6wrc-6vhr", - "modified": "2024-09-13T06:30:42Z", + "modified": "2024-09-13T18:31:46Z", "published": "2024-09-13T06:30:42Z", "aliases": [ "CVE-2024-46683" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: prevent UAF around preempt fence\n\nThe fence lock is part of the queue, therefore in the current design\nanything locking the fence should then also hold a ref to the queue to\nprevent the queue from being freed.\n\nHowever, currently it looks like we signal the fence and then drop the\nqueue ref, but if something is waiting on the fence, the waiter is\nkicked to wake up at some later point, where upon waking up it first\ngrabs the lock before checking the fence state. But if we have already\ndropped the queue ref, then the lock might already be freed as part of\nthe queue, leading to uaf.\n\nTo prevent this, move the fence lock into the fence itself so we don't\nrun into lifetime issues. Alternative might be to have device level\nlock, or only release the queue in the fence release callback, however\nthat might require pushing to another worker to avoid locking issues.\n\nReferences: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454\nReferences: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342\nReferences: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020\n(cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-416" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:12Z" 
diff --git a/advisories/unreviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json b/advisories/unreviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json
new file mode 100644
index 00000000000..224842b106f
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w73r-8mm4-cfvf",
+ "modified": "2024-09-13T18:31:48Z",
+ "published": "2024-09-13T18:31:48Z",
+ "aliases": [
+ "CVE-2024-6582"
+ ],
+ "details": "A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6582"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lunary-ai/lunary/commit/1f043d8798ad87346dfe378eea723bff78ad7433"
+ },
+ {
+ "type": "WEB",
+ "url": "https://huntr.com/bounties/251d138c-3911-4a81-96e5-5a4ab59a0b59"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-287"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T17:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-w8pf-f5g8-5xgv/GHSA-w8pf-f5g8-5xgv.json b/advisories/unreviewed/2024/09/GHSA-w8pf-f5g8-5xgv/GHSA-w8pf-f5g8-5xgv.json
index 32ec9195b2f..d811fb4bb97 100644
--- a/advisories/unreviewed/2024/09/GHSA-w8pf-f5g8-5xgv/GHSA-w8pf-f5g8-5xgv.json
+++ b/advisories/unreviewed/2024/09/GHSA-w8pf-f5g8-5xgv/GHSA-w8pf-f5g8-5xgv.json
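Review bot: The `cwe_ids` entry `"CWE-287"` (Improper Authentication) in GHSA-w73r-8mm4-cfvf does not match its own `details`, which describe an already authenticated user of one organization changing IDP settings and reading SSO metadata of another, i.e. a missing authorization check. `"CWE-284"`, which this series uses for the sibling Lunary advisory GHSA-6p2q-8qfq-wq7x, or the narrower `"CWE-639"` would line up with the text. The github-reviewed copy of this advisory added in PATCH 080 keeps the same CWE and carries the summary "Lunary Improper Authentication vulnerability", so the mismatch is carried into the reviewed record. The phrase "in the latest version" in `details` here is also undatable; the reviewed copy already replaces it with the fix commit.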
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-w8pf-f5g8-5xgv", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-13T18:31:47Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-6493" ], "details": "The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:15Z" diff --git a/advisories/unreviewed/2024/09/GHSA-wcv7-2grg-g5qr/GHSA-wcv7-2grg-g5qr.json b/advisories/unreviewed/2024/09/GHSA-wcv7-2grg-g5qr/GHSA-wcv7-2grg-g5qr.json new file mode 100644 index 00000000000..d99a4b36308 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-wcv7-2grg-g5qr/GHSA-wcv7-2grg-g5qr.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wcv7-2grg-g5qr",
+ "modified": "2024-09-13T18:31:48Z",
+ "published": "2024-09-13T18:31:48Z",
+ "aliases": [
+ "CVE-2024-3100"
+ ],
+ "details": "A potential buffer overflow vulnerability was reported in some Lenovo Notebook products that could allow a local attacker with elevated privileges to execute arbitrary code.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3100"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.lenovo.com/us/en/product_security/LEN-165524"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T18:15:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-ww57-48hq-5w83/GHSA-ww57-48hq-5w83.json b/advisories/unreviewed/2024/09/GHSA-ww57-48hq-5w83/GHSA-ww57-48hq-5w83.json
index bb35509e268..8d6076eb5b2 100644
--- a/advisories/unreviewed/2024/09/GHSA-ww57-48hq-5w83/GHSA-ww57-48hq-5w83.json
+++ b/advisories/unreviewed/2024/09/GHSA-ww57-48hq-5w83/GHSA-ww57-48hq-5w83.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-ww57-48hq-5w83", - "modified": "2024-09-11T18:31:07Z", + "modified": "2024-09-13T18:31:42Z", "published": "2024-09-11T18:31:07Z", "aliases": [ "CVE-2024-45029" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: tegra: Do not mark ACPI devices as irq safe\n\nOn ACPI machines, the tegra i2c module encounters an issue due to a\nmutex being called inside a spinlock. This leads to the following bug:\n\n\tBUG: sleeping function called from invalid context at kernel/locking/mutex.c:585\n\t...\n\n\tCall trace:\n\t__might_sleep\n\t__mutex_lock_common\n\tmutex_lock_nested\n\tacpi_subsys_runtime_resume\n\trpm_resume\n\ttegra_i2c_xfer\n\nThe problem arises because during __pm_runtime_resume(), the spinlock\n&dev->power.lock is acquired before rpm_resume() is called. Later,\nrpm_resume() invokes acpi_subsys_runtime_resume(), which relies on\nmutexes, triggering the error.\n\nTo address this issue, devices on ACPI are now marked as not IRQ-safe,\nconsidering the dependency of acpi_subsys_runtime_resume() on mutexes.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-667" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:07Z" diff --git a/advisories/unreviewed/2024/09/GHSA-wxmv-3hm7-2jqh/GHSA-wxmv-3hm7-2jqh.json b/advisories/unreviewed/2024/09/GHSA-wxmv-3hm7-2jqh/GHSA-wxmv-3hm7-2jqh.json new file mode 100644 index 00000000000..ae0e1401158 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-wxmv-3hm7-2jqh/GHSA-wxmv-3hm7-2jqh.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wxmv-3hm7-2jqh", + "modified": "2024-09-13T18:31:48Z", + "published": "2024-09-13T18:31:48Z", + "aliases": [ + "CVE-2024-45368" + ], + "details": "The H2-DM1E PLC's authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. However, there's an observed anomaly in the H2-DM1E PLC's protocol execution, namely its acceptance of multiple distinct packets as valid authentication responses. This behavior deviates from standard security practices where a single, specific response or encoding pattern is expected for successful authentication.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45368" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-17" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-384" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T17:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-x863-gchp-57m3/GHSA-x863-gchp-57m3.json b/advisories/unreviewed/2024/09/GHSA-x863-gchp-57m3/GHSA-x863-gchp-57m3.json index 4ce6bc5468e..8783c72b263 100644 --- a/advisories/unreviewed/2024/09/GHSA-x863-gchp-57m3/GHSA-x863-gchp-57m3.json +++ b/advisories/unreviewed/2024/09/GHSA-x863-gchp-57m3/GHSA-x863-gchp-57m3.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-200" + "CWE-200", + "CWE-312" ], "severity": "MODERATE", "github_reviewed": false, 
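Review bot: The `CVSS_V4` score added for GHSA-wxmv-3hm7-2jqh spells out every threat, environmental and supplemental metric as `X` (Not Defined), while the other CVSS 4.0 entries in this series carry only the base metrics. The two forms score the same, but the long form makes string comparison and de-duplication of vectors harder for downstream tooling. For consistency the entry could be `"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"`. The GHSA-xqww-5c9g-v62q record added later in this patch has the same long-form vector.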
diff --git a/advisories/unreviewed/2024/09/GHSA-x9q5-m7gx-rf9w/GHSA-x9q5-m7gx-rf9w.json b/advisories/unreviewed/2024/09/GHSA-x9q5-m7gx-rf9w/GHSA-x9q5-m7gx-rf9w.json
new file mode 100644
index 00000000000..7928eb9901d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-x9q5-m7gx-rf9w/GHSA-x9q5-m7gx-rf9w.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x9q5-m7gx-rf9w",
+ "modified": "2024-09-13T18:31:48Z",
+ "published": "2024-09-13T18:31:48Z",
+ "aliases": [
+ "CVE-2024-45105"
+ ],
+ "details": "An internal product security audit discovered a UEFI SMM (System Management Mode) callout vulnerability in some ThinkSystem servers that could allow a local attacker with elevated privileges to execute arbitrary code.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45105"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.lenovo.com/us/en/product_security/LEN-165524"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-825"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T18:15:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xg5q-q7c3-jvmv/GHSA-xg5q-q7c3-jvmv.json b/advisories/unreviewed/2024/09/GHSA-xg5q-q7c3-jvmv/GHSA-xg5q-q7c3-jvmv.json
index cb5921e19bc..0a93e0dc3de 100644
--- a/advisories/unreviewed/2024/09/GHSA-xg5q-q7c3-jvmv/GHSA-xg5q-q7c3-jvmv.json
+++ b/advisories/unreviewed/2024/09/GHSA-xg5q-q7c3-jvmv/GHSA-xg5q-q7c3-jvmv.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xg5q-q7c3-jvmv", - "modified": "2024-09-11T18:31:05Z", + "modified": "2024-09-13T18:31:41Z", "published": "2024-09-11T18:31:05Z", "aliases": [ "CVE-2024-45011" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: xillybus: Check USB endpoints when probing device\n\nEnsure, as the driver probes the device, that all endpoints that the\ndriver may attempt to access exist and are of the correct type.\n\nAll XillyUSB devices must have a Bulk IN and Bulk OUT endpoint at\naddress 1. This is verified in xillyusb_setup_base_eps().\n\nOn top of that, a XillyUSB device may have additional Bulk OUT\nendpoints. The information about these endpoints' addresses is deduced\nfrom a data structure (the IDT) that the driver fetches from the device\nwhile probing it. These endpoints are checked in setup_channels().\n\nA XillyUSB device never has more than one IN endpoint, as all data\ntowards the host is multiplexed in this single Bulk IN endpoint. This is\nwhy setup_channels() only checks OUT endpoints.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -43,7 +46,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-11T16:15:06Z" diff --git a/advisories/unreviewed/2024/09/GHSA-xqww-5c9g-v62q/GHSA-xqww-5c9g-v62q.json b/advisories/unreviewed/2024/09/GHSA-xqww-5c9g-v62q/GHSA-xqww-5c9g-v62q.json new file mode 100644 index 00000000000..a12f67905c1 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-xqww-5c9g-v62q/GHSA-xqww-5c9g-v62q.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xqww-5c9g-v62q",
+ "modified": "2024-09-13T18:31:47Z",
+ "published": "2024-09-13T18:31:47Z",
+ "aliases": [
+ "CVE-2024-43099"
+ ],
+ "details": "The session hijacking attack targets the application layer's control mechanism, which manages authenticated sessions between a host PC and a PLC. During such sessions, a session key is utilized to maintain security. However, if an attacker captures this session key, they can inject traffic into an ongoing authenticated session. To successfully achieve this, the attacker also needs to spoof both the IP address and MAC address of the originating host which is typical of a session-based attack.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43099"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-17"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-294"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-13T17:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xrjv-8x73-5h7v/GHSA-xrjv-8x73-5h7v.json b/advisories/unreviewed/2024/09/GHSA-xrjv-8x73-5h7v/GHSA-xrjv-8x73-5h7v.json
index 0b5eda6c3ba..53775808e64 100644
--- a/advisories/unreviewed/2024/09/GHSA-xrjv-8x73-5h7v/GHSA-xrjv-8x73-5h7v.json
+++ b/advisories/unreviewed/2024/09/GHSA-xrjv-8x73-5h7v/GHSA-xrjv-8x73-5h7v.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xrjv-8x73-5h7v", - "modified": "2024-09-13T06:30:42Z", + "modified": "2024-09-13T18:31:46Z", "published": "2024-09-13T06:30:42Z", "aliases": [ "CVE-2024-46682" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open\n\nPrior to commit 3f29cc82a84c (\"nfsd: split sc_status out of\nsc_type\") states_show() relied on sc_type field to be of valid\ntype before calling into a subfunction to show content of a\nparticular stateid. From that commit, we split the validity of\nthe stateid into sc_status and no longer changed sc_type to 0\nwhile unhashing the stateid. This resulted in kernel oopsing\nfor nfsv4.0 opens that stay around and in nfs4_show_open()\nwould derefence sc_file which was NULL.\n\nInstead, for closed open stateids forgo displaying information\nthat relies of having a valid sc_file.\n\nTo reproduce: mount the server with 4.0, read and close\na file and then on the server cat /proc/fs/nfsd/clients/2/states\n\n[ 513.590804] Call trace:\n[ 513.590925] _raw_spin_lock+0xcc/0x160\n[ 513.591119] nfs4_show_open+0x78/0x2c0 [nfsd]\n[ 513.591412] states_show+0x44c/0x488 [nfsd]\n[ 513.591681] seq_read_iter+0x5d8/0x760\n[ 513.591896] seq_read+0x188/0x208\n[ 513.592075] vfs_read+0x148/0x470\n[ 513.592241] ksys_read+0xcc/0x178", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:12Z" From 1cf73cff3962180b32045de5b3adf8e49351524b Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:38:24 +0000 Subject: [PATCH 079/170] Publish Advisories GHSA-v9jh-j8px-98vq GHSA-79h8-gxhq-q3jg --- .../2023/10/GHSA-v9jh-j8px-98vq/GHSA-v9jh-j8px-98vq.json | 2 +- .../2024/06/GHSA-79h8-gxhq-q3jg/GHSA-79h8-gxhq-q3jg.json | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2023/10/GHSA-v9jh-j8px-98vq/GHSA-v9jh-j8px-98vq.json b/advisories/github-reviewed/2023/10/GHSA-v9jh-j8px-98vq/GHSA-v9jh-j8px-98vq.json index 1a825d38960..895f4ad32cc 100644 --- a/advisories/github-reviewed/2023/10/GHSA-v9jh-j8px-98vq/GHSA-v9jh-j8px-98vq.json +++ b/advisories/github-reviewed/2023/10/GHSA-v9jh-j8px-98vq/GHSA-v9jh-j8px-98vq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-v9jh-j8px-98vq", - "modified": "2023-10-27T23:14:16Z", + "modified": "2024-09-13T18:36:55Z", "published": "2023-10-18T06:30:30Z", "aliases": [ "CVE-2023-42319" diff --git a/advisories/github-reviewed/2024/06/GHSA-79h8-gxhq-q3jg/GHSA-79h8-gxhq-q3jg.json b/advisories/github-reviewed/2024/06/GHSA-79h8-gxhq-q3jg/GHSA-79h8-gxhq-q3jg.json index 2fe47bbfb0b..5c846a5dfa3 100644 --- a/advisories/github-reviewed/2024/06/GHSA-79h8-gxhq-q3jg/GHSA-79h8-gxhq-q3jg.json +++ b/advisories/github-reviewed/2024/06/GHSA-79h8-gxhq-q3jg/GHSA-79h8-gxhq-q3jg.json @@ -51,6 +51,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-78", "CWE-94" ], "severity": "MODERATE", From 2e40d436684b6b3e0f3ed2ebe2b0870331805b98 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 19:30:34 +0000 Subject: [PATCH 080/170] Publish Advisories GHSA-6p2q-8qfq-wq7x GHSA-g26j-5385-hhw3 GHSA-w73r-8mm4-cfvf GHSA-6p2q-8qfq-wq7x GHSA-w73r-8mm4-cfvf --- .../GHSA-6p2q-8qfq-wq7x.json | 69 +++++++++++++++++++ .../GHSA-g26j-5385-hhw3.json | 35 ++++++++-- .../GHSA-w73r-8mm4-cfvf.json | 69 +++++++++++++++++++ .../GHSA-6p2q-8qfq-wq7x.json | 42 ----------- .../GHSA-w73r-8mm4-cfvf.json | 42 ----------- 5 files changed, 169 insertions(+), 88 deletions(-) create mode 100644 advisories/github-reviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json rename advisories/{unreviewed => github-reviewed}/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json (64%) create mode 100644 advisories/github-reviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json delete mode 100644 advisories/unreviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json delete mode 100644 advisories/unreviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json diff --git a/advisories/github-reviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json b/advisories/github-reviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json new file mode 100644 index 00000000000..2986ae4b838 --- /dev/null +++ b/advisories/github-reviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json 
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6p2q-8qfq-wq7x",
+ "modified": "2024-09-13T19:29:12Z",
+ "published": "2024-09-13T18:31:48Z",
+ "aliases": [
+ "CVE-2024-6087"
+ ],
+ "summary": "Lunary improper access control vulnerability",
+ "details": "An improper access control vulnerability exists in lunary-ai/lunary prior to commit 844e8855c7a713dc7371766dba4125de4007b1cf on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "lunary"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.9"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6087"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lunary-ai/lunary/commit/844e8855c7a713dc7371766dba4125de4007b1cf"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/lunary-ai/lunary"
+ },
+ {
+ "type": "WEB",
+ "url": "https://huntr.com/bounties/bd9f2301-11c7-4cbd-8d77-3e9225bd67e8"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:29:12Z",
+ "nvd_published_at": "2024-09-13T17:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json b/advisories/github-reviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json similarity index 64% rename from advisories/unreviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json rename to advisories/github-reviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json index 67be8de619f..88a9262681d 100644 --- a/advisories/unreviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json +++ b/advisories/github-reviewed/2024/09/GHSA-g26j-5385-hhw3/GHSA-g26j-5385-hhw3.json @@ -1,20 +1,43 @@ { "schema_version": "1.4.0", "id": "GHSA-g26j-5385-hhw3", - "modified": "2024-09-13T18:31:47Z", + "modified": "2024-09-13T19:29:08Z", "published": "2024-09-13T18:31:47Z", "aliases": [ "CVE-2024-6587" ], + "summary": "LiteLLM Server-Side Request Forgery (SSRF) vulnerability", "details": "A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ - + { + "package": { + "ecosystem": "PyPI", + "name": "litellm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.44.8" + } + ] + } + ] + } ], "references": [ { 
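Review bot: The reviewed GHSA-g26j-5385-hhw3 record now declares the range `introduced: "0"` to `fixed: "1.44.8"`, but `details` still reads "exists in berriai/litellm version 1.38.10", which a reader can take to mean only that one release is affected. The two Lunary advisories promoted in the same patch had their `details` reworded to name the fix point; the same treatment here would be `"... exists in berriai/litellm versions prior to 1.44.8 ..."`. Because the described impact is disclosure of the configured OpenAI API key to a caller-chosen `api_base`, it would also help operators if the text said that a key used on an exposed, unpatched proxy should be treated as disclosed and rotated after upgrading. The `references` array of this file continues in the next hunk.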
@@ -25,6 +48,10 @@ "type": "WEB", "url": "https://github.com/berriai/litellm/commit/ba1912afd1b19e38d3704bb156adf887f91ae1e0" }, + { + "type": "PACKAGE", + "url": "https://github.com/berriai/litellm" + }, { "type": "WEB", "url": "https://huntr.com/bounties/4001e1a2-7b7a-4776-a3ae-e6692ec3d997" @@ -35,8 +62,8 @@ "CWE-918" ], "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-09-13T19:29:08Z", "nvd_published_at": "2024-09-13T16:15:04Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json b/advisories/github-reviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json new file mode 100644 index 00000000000..5c4256722c3 --- /dev/null +++ b/advisories/github-reviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json 
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w73r-8mm4-cfvf",
+ "modified": "2024-09-13T19:29:14Z",
+ "published": "2024-09-13T18:31:48Z",
+ "aliases": [
+ "CVE-2024-6582"
+ ],
+ "summary": "Lunary Improper Authentication vulnerability",
+ "details": "A broken access control vulnerability exists prior to commit 1f043d8798ad87346dfe378eea723bff78ad7433 of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "lunary"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.4.9"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6582"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lunary-ai/lunary/commit/1f043d8798ad87346dfe378eea723bff78ad7433"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/lunary-ai/lunary"
+ },
+ {
+ "type": "WEB",
+ "url": "https://huntr.com/bounties/251d138c-3911-4a81-96e5-5a4ab59a0b59"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-287"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:29:14Z",
+ "nvd_published_at": "2024-09-13T17:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json b/advisories/unreviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json
deleted file mode 100644
index 45e29cfb467..00000000000
--- a/advisories/unreviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-6p2q-8qfq-wq7x",
- "modified": "2024-09-13T18:31:48Z",
- "published": "2024-09-13T18:31:48Z",
- "aliases": [
- "CVE-2024-6087"
- ],
- "details": "An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6087"
- },
- {
- "type": "WEB",
- "url": "https://github.com/lunary-ai/lunary/commit/844e8855c7a713dc7371766dba4125de4007b1cf"
- },
- {
- "type": "WEB",
- "url": "https://huntr.com/bounties/bd9f2301-11c7-4cbd-8d77-3e9225bd67e8"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-284"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2024-09-13T17:15:13Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json b/advisories/unreviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json
deleted file mode 100644
index 224842b106f..00000000000
--- a/advisories/unreviewed/2024/09/GHSA-w73r-8mm4-cfvf/GHSA-w73r-8mm4-cfvf.json
+++ /dev/null
@@ -1,42 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-w73r-8mm4-cfvf", - "modified": "2024-09-13T18:31:48Z", - "published": "2024-09-13T18:31:48Z", - "aliases": [ - "CVE-2024-6582" - ], - "details": "A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6582" - }, - { - "type": "WEB", - "url": "https://github.com/lunary-ai/lunary/commit/1f043d8798ad87346dfe378eea723bff78ad7433" - }, - { - "type": "WEB", - "url": "https://huntr.com/bounties/251d138c-3911-4a81-96e5-5a4ab59a0b59" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-287" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-09-13T17:15:13Z" - } -} \ No newline at end of file From e9fe0e169d097e9e9a5c228c605fe1e59705bc71 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 19:33:49 +0000 Subject: [PATCH 081/170] Publish Advisories GHSA-cx7f-g6mp-7hqm GHSA-cx7f-g6mp-7hqm --- .../GHSA-cx7f-g6mp-7hqm.json | 103 ++++++++++++++++++ .../GHSA-cx7f-g6mp-7hqm.json | 38 ------- 2 files changed, 103 insertions(+), 38 deletions(-) create mode 100644 advisories/github-reviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json delete mode 100644 advisories/unreviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json 
diff --git a/advisories/github-reviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json b/advisories/github-reviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json
new file mode 100644
index 00000000000..1521e55453a
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json
@@ -0,0 +1,103 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cx7f-g6mp-7hqm", + "modified": "2024-09-13T19:32:23Z", + "published": "2024-09-13T06:30:42Z", + "aliases": [ + "CVE-2024-38816" + ], + "summary": "Path traversal vulnerability in functional web frameworks", + "details": "Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.\n\nSpecifically, an application is vulnerable when both of the following are true:\n\n * the web application uses RouterFunctions to serve static resources\n * resource handling is explicitly configured with a FileSystemResource location\n\n\nHowever, malicious requests are blocked and rejected when any of the following is true:\n\n * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use\n * the application runs on Tomcat or Jetty", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.springframework:spring-webmvc" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.1.0" + }, + { + "fixed": "6.1.13" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.springframework:spring-webmvc" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.0" + }, + { + "fixed": "6.0.24" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.springframework:spring-webmvc" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.3.40" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-38816"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/spring-projects/spring-framework/commit/d86bf8b2056429edf5494456cffcb2b243331c49"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/spring-projects/spring-framework"
+ },
+ {
+ "type": "WEB",
+ "url": "https://spring.io/security/cve-2024-38816"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-13T19:32:23Z",
+ "nvd_published_at": "2024-09-13T06:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json b/advisories/unreviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json
deleted file mode 100644
index 396ea4b6a88..00000000000
--- a/advisories/unreviewed/2024/09/GHSA-cx7f-g6mp-7hqm/GHSA-cx7f-g6mp-7hqm.json
+++ /dev/null
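Review bot: The `affected` array in this new file lists `org.springframework:spring-webmvc` three times and no other package, while `details` names both WebMvc.fn and WebFlux.fn as vulnerable. If the WebFlux.fn resource handling ships in `org.springframework:spring-webflux`, dependency scanners that match on package name will report nothing for WebFlux-only applications, so that artifact should be checked against the fix commit and added with the same three ranges if it applies. `cwe_ids` is also left empty although the summary is a path traversal; adding `"CWE-22"` would let CWE-based filters and dashboards find the advisory.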
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-cx7f-g6mp-7hqm", - "modified": "2024-09-13T06:30:42Z", - "published": "2024-09-13T06:30:42Z", - "aliases": [ - "CVE-2024-38816" - ], - "details": "Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.\n\nSpecifically, an application is vulnerable when both of the following are true:\n\n * the web application uses RouterFunctions to serve static resources\n * resource handling is explicitly configured with a FileSystemResource location\n\n\nHowever, malicious requests are blocked and rejected when any of the following is true:\n\n * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use\n * the application runs on Tomcat or Jetty", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38816" - }, - { - "type": "WEB", - "url": "https://spring.io/security/cve-2024-38816" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-09-13T06:15:11Z" - } -} \ No newline at end of file From ac1493037e873b44edca40af0ca709389b54ae4d Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 19:35:51 +0000 Subject: [PATCH 082/170] Publish Advisories GHSA-fcgg-qgxg-2g2x GHSA-pwc9-q4hj-pg8g GHSA-3x47-w4rx-6pm7 GHSA-p8h7-c8gw-6x8c GHSA-8mrm-r7h3-c3hj GHSA-9jmp-j63g-8x6m GHSA-v6x6-4v4x-2fx9 --- .../GHSA-fcgg-qgxg-2g2x.json | 4 +- .../GHSA-pwc9-q4hj-pg8g.json | 37 +++++++++++++++--- .../GHSA-3x47-w4rx-6pm7.json | 39 ++++++++++++++++--- .../GHSA-p8h7-c8gw-6x8c.json | 37 +++++++++++++++--- .../GHSA-8mrm-r7h3-c3hj.json | 35 +++++++++++++++-- .../GHSA-9jmp-j63g-8x6m.json | 31 +++++++++++++-- .../GHSA-v6x6-4v4x-2fx9.json | 37 +++++++++++++++--- 7 files changed, 189 insertions(+), 31 deletions(-) rename advisories/{unreviewed => github-reviewed}/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json (65%) rename advisories/{unreviewed => github-reviewed}/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json (65%) rename advisories/{unreviewed => github-reviewed}/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json (69%) rename advisories/{unreviewed => github-reviewed}/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json (60%) rename advisories/{unreviewed => github-reviewed}/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json (68%) rename advisories/{unreviewed => github-reviewed}/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json (62%) diff --git a/advisories/github-reviewed/2022/05/GHSA-fcgg-qgxg-2g2x/GHSA-fcgg-qgxg-2g2x.json b/advisories/github-reviewed/2022/05/GHSA-fcgg-qgxg-2g2x/GHSA-fcgg-qgxg-2g2x.json index 4162bed80af..62a77280177 100644 --- a/advisories/github-reviewed/2022/05/GHSA-fcgg-qgxg-2g2x/GHSA-fcgg-qgxg-2g2x.json +++ b/advisories/github-reviewed/2022/05/GHSA-fcgg-qgxg-2g2x/GHSA-fcgg-qgxg-2g2x.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fcgg-qgxg-2g2x", - "modified": "2024-04-25T20:40:54Z", + "modified": "2024-09-13T19:33:37Z", "published": "2022-05-14T01:36:14Z", "aliases": [ "CVE-2018-16191" 
@@ -34,7 +34,7 @@ } ], "database_specific": { - "last_known_affected_version_range": "< 3.0.16" + "last_known_affected_version_range": "<= 3.0.16" } } ], diff --git a/advisories/unreviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json b/advisories/github-reviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json similarity index 65% rename from advisories/unreviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json rename to advisories/github-reviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json index 0277d923197..ae555185b32 100644 --- a/advisories/unreviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json +++ b/advisories/github-reviewed/2024/05/GHSA-pwc9-q4hj-pg8g/GHSA-pwc9-q4hj-pg8g.json 
@@ -1,20 +1,43 @@ { "schema_version": "1.4.0", "id": "GHSA-pwc9-q4hj-pg8g", - "modified": "2024-05-16T09:33:08Z", + "modified": "2024-09-13T19:34:51Z", "published": "2024-05-16T09:33:08Z", "aliases": [ "CVE-2024-4078" ], + "summary": "LoLLMS Command Injection vulnerability", "details": "A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" } ], "affected": [ - + { + "package": { + "ecosystem": "PyPI", + "name": "lollms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "9.5.0" + } + ] + } + ] + } ], "references": [ { @@ -25,6 +48,10 @@ "type": "WEB", "url": "https://github.com/parisneo/lollms/commit/7ebe08da7e0026b155af4f7be1d6417bc64cf02f" }, + { + "type": "PACKAGE", + "url": "https://github.com/parisneo/lollms" + }, { "type": "WEB", "url": "https://huntr.com/bounties/a55a8c04-df44-49b2-bcfa-2a2b728a299d" @@ -34,9 +61,9 @@ "cwe_ids": [ "CWE-77" ], - "severity": "CRITICAL", - "github_reviewed": false, - "github_reviewed_at": null, + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-09-13T19:34:51Z", "nvd_published_at": "2024-05-16T09:15:15Z" } } \ No newline at end of file 
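Review bot: The last hunk of this file lowers `database_specific.severity` from `CRITICAL` to `HIGH` while the retained `CVSS_V3` vector (`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`) still scores in the critical band, so the advisory now carries two ratings that disagree; presumably the label follows the added `CVSS_V4` vector with `E:P`, and consumers that alert on the v3 score will see a different priority than those reading the label. GHSA-3x47-w4rx-6pm7 later in this patch has the same downgrade with the same v3 vector. The unchanged `details` text also still says the issue "affects the latest version of the software", which contradicts the `"fixed": "9.5.0"` event added in the first hunk; ending it with `This vulnerability affects versions prior to 9.5.0.` would remove the ambiguity. The summary's "Command Injection" follows `CWE-77`, whereas `details` describes a path traversal in the `name` parameter, so a summary naming the traversal would help triage.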
diff --git a/advisories/unreviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json b/advisories/github-reviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json similarity index 65% rename from advisories/unreviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json rename to advisories/github-reviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json index ac90b5bfa30..6f09a503d99 100644 --- a/advisories/unreviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json +++ b/advisories/github-reviewed/2024/06/GHSA-3x47-w4rx-6pm7/GHSA-3x47-w4rx-6pm7.json 
@@ -1,20 +1,43 @@ { "schema_version": "1.4.0", "id": "GHSA-3x47-w4rx-6pm7", - "modified": "2024-06-06T21:30:37Z", + "modified": "2024-09-13T19:34:34Z", "published": "2024-06-06T21:30:37Z", "aliases": [ "CVE-2024-3429" ], - "details": "A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\\lollms\\security.py`. This vulnerability allows for arbitrary file reading when the application is running on Windows. The issue arises due to insufficient sanitization of user-supplied input, enabling attackers to bypass the path traversal protection mechanisms by crafting malicious input. Successful exploitation could lead to unauthorized access to sensitive files, information disclosure, and potentially a denial of service (DoS) condition by including numerous large or resource-intensive files. This vulnerability affects the latest version prior to 9.6.", + "summary": "LoLLMS Path Traversal vulnerability", + "details": "A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\\lollms\\security.py`. This vulnerability allows for arbitrary file reading when the application is running on Windows. The issue arises due to insufficient sanitization of user-supplied input, enabling attackers to bypass the path traversal protection mechanisms by crafting malicious input. Successful exploitation could lead to unauthorized access to sensitive files, information disclosure, and potentially a denial of service (DoS) condition by including numerous large or resource-intensive files. 
This vulnerability affects the latest version prior to 9.5.0.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" } ], "affected": [ - + { + "package": { + "ecosystem": "PyPI", + "name": "lollms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "9.5.0" + } + ] + } + ] + } ], "references": [ { @@ -25,6 +48,10 @@ "type": "WEB", "url": "https://github.com/parisneo/lollms/commit/f4424cfc3d6dfb3ad5ac17dd46801efe784933e9" }, + { + "type": "PACKAGE", + "url": "https://github.com/parisneo/lollms" + }, { "type": "WEB", "url": "https://huntr.com/bounties/fd8f50c8-17f0-40be-a2c6-bb8d80f7c409" @@ -34,9 +61,9 @@ "cwe_ids": [ "CWE-29" ], - "severity": "CRITICAL", - "github_reviewed": false, - "github_reviewed_at": null, + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-09-13T19:34:34Z", "nvd_published_at": "2024-06-06T19:16:02Z" } } \ No newline at end of file diff --git a/advisories/unreviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json b/advisories/github-reviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json similarity index 69% rename from advisories/unreviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json rename to advisories/github-reviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json index 4cb44522e42..95986f2e964 100644 --- a/advisories/unreviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json +++ b/advisories/github-reviewed/2024/06/GHSA-p8h7-c8gw-6x8c/GHSA-p8h7-c8gw-6x8c.json 
@@ -1,20 +1,43 @@ { "schema_version": "1.4.0", "id": "GHSA-p8h7-c8gw-6x8c", - "modified": "2024-06-06T21:30:37Z", + "modified": "2024-09-13T19:34:56Z", "published": "2024-06-06T21:30:37Z", "aliases": [ "CVE-2024-4881" ], - "details": "A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 5.9.0. The vulnerability arises due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse beyond the intended directory and read any file on the Windows system. Specifically, the application fails to adequately sanitize file paths containing backslashes (`\\`), which can be exploited to access the root directory and read, or even delete, sensitive files. This issue was discovered in the context of the `/user_infos` endpoint, where a crafted request using backslashes to reference a file (e.g., `\\windows\\win.ini`) could result in unauthorized file access. The impact of this vulnerability includes the potential for attackers to access sensitive information such as environment variables, database files, and configuration files, which could lead to further compromise of the system.", + "summary": "LoLLMS Path Traversal vulnerability", + "details": "A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 9.5.0. The vulnerability arises due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse beyond the intended directory and read any file on the Windows system. Specifically, the application fails to adequately sanitize file paths containing backslashes (`\\`), which can be exploited to access the root directory and read, or even delete, sensitive files. 
This issue was discovered in the context of the `/user_infos` endpoint, where a crafted request using backslashes to reference a file (e.g., `\\windows\\win.ini`) could result in unauthorized file access. The impact of this vulnerability includes the potential for attackers to access sensitive information such as environment variables, database files, and configuration files, which could lead to further compromise of the system.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" } ], "affected": [ - + { + "package": { + "ecosystem": "PyPI", + "name": "lollms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "9.5.0" + } + ] + } + ] + } ], "references": [ { @@ -25,6 +48,10 @@ "type": "WEB", "url": "https://github.com/parisneo/lollms/commit/95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6" }, + { + "type": "PACKAGE", + "url": "https://github.com/parisneo/lollms" + }, { "type": "WEB", "url": "https://huntr.com/bounties/94f7f901-80b0-4cf5-b545-ac5c1e7635e9" @@ -35,8 +62,8 @@ "CWE-36" ], "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-09-13T19:34:56Z", "nvd_published_at": "2024-06-06T19:16:03Z" } } \ No newline at end of file diff --git a/advisories/unreviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json b/advisories/github-reviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json similarity index 60% rename from advisories/unreviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json rename to advisories/github-reviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json index e88ef555ca1..45e5ed2d269 100644 --- a/advisories/unreviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json +++ b/advisories/github-reviewed/2024/07/GHSA-8mrm-r7h3-c3hj/GHSA-8mrm-r7h3-c3hj.json 
@@ -1,20 +1,43 @@ { "schema_version": "1.4.0", "id": "GHSA-8mrm-r7h3-c3hj", - "modified": "2024-07-20T06:30:35Z", + "modified": "2024-09-13T19:34:25Z", "published": "2024-07-20T06:30:35Z", "aliases": [ "CVE-2024-6281" ], + "summary": "LoLLMS vulnerable to Expected Behavior Violation", "details": "A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to important system folders.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ - + { + "package": { + "ecosystem": "PyPI", + "name": "lollms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "9.5.1" + } + ] + } + ] + } ], "references": [ { @@ -25,6 +48,10 @@ "type": "WEB", "url": "https://github.com/parisneo/lollms/commit/26a3ff35acf152b49e1087d5698ad4864c7b6092" }, + { + "type": "PACKAGE", + "url": "https://github.com/parisneo/lollms" + }, { "type": "WEB", "url": "https://huntr.com/bounties/0a62f2fb-4e62-4128-9dc4-e8f1d959ac61" @@ -35,8 +62,8 @@ "CWE-440" ], "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-09-13T19:34:25Z", "nvd_published_at": "2024-07-20T04:15:05Z" } } \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json b/advisories/github-reviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json similarity index 68% rename from advisories/unreviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json rename to advisories/github-reviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json index bb54b660fe5..dab93e9fab8 100644 
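Review bot: The added `summary`, "LoLLMS vulnerable to Expected Behavior Violation", only restates the name of `CWE-440` and hides what `details` describes: a path traversal through `discussion_db_name` in `apply_settings` that can write to system folders. The sibling lollms advisories in this patch use "LoLLMS Path Traversal vulnerability", and the same wording here, for example `"summary": "LoLLMS Path Traversal vulnerability in apply_settings"`, would keep search and triage consistent. A path traversal CWE in `cwe_ids` next to `CWE-440` would do the same for CWE-based filtering.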
--- a/advisories/unreviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json +++ b/advisories/github-reviewed/2024/09/GHSA-9jmp-j63g-8x6m/GHSA-9jmp-j63g-8x6m.json @@ -1,20 +1,43 @@ { "schema_version": "1.4.0", "id": "GHSA-9jmp-j63g-8x6m", - "modified": "2024-09-13T18:31:48Z", + "modified": "2024-09-13T19:34:16Z", "published": "2024-09-13T18:31:48Z", "aliases": [ "CVE-2024-6867" ], + "summary": "Lunary information disclosure vulnerability", "details": "An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the `run_id` listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the `run_id` of a public or non-public run.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ - + { + "package": { + "ecosystem": "npm", + "name": "lunary" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.10" + } + ] + } + ] + } ], "references": [ { @@ -35,8 +58,8 @@ "CWE-1220" ], "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-09-13T19:34:16Z", "nvd_published_at": "2024-09-13T17:15:13Z" } } \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json b/advisories/github-reviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json similarity index 62% rename from advisories/unreviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json rename to advisories/github-reviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json index 83eb725eb97..9fcf06f6c95 100644 --- a/advisories/unreviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json +++ b/advisories/github-reviewed/2024/09/GHSA-v6x6-4v4x-2fx9/GHSA-v6x6-4v4x-2fx9.json @@ -1,20 +1,43 @@ { "schema_version": "1.4.0", "id": "GHSA-v6x6-4v4x-2fx9", - "modified": "2024-09-13T18:31:48Z", + "modified": "2024-09-13T19:34:09Z", "published": "2024-09-13T18:31:48Z", "aliases": [ "CVE-2024-6862" ], + "summary": "Lunary Cross-Site Request Forgery (CSRF) vulnerability", "details": "A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" } ], "affected": [ - + { + "package": { + "ecosystem": "npm", + "name": "lunary" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.10" + } + ] + } + ] + } ], "references": [ { 
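Review bot: The `CVSS_V4` vector added in the first hunk uses `PR:L`, while the existing `CVSS_V3` vector has `PR:N` and `details` describes unauthenticated endpoints exposed by permissive CORS settings, so the two vectors disagree on required privileges and `PR:N` is the value the description supports. The last hunk of this file (on the next line of the page) also lowers `severity` from `HIGH` to `MODERATE`, presumably following the v4 score, so the privilege metric should be confirmed before that downgrade is relied on for prioritisation. The `references` array this hunk opens continues outside it.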
@@ -25,6 +48,10 @@ "type": "WEB", "url": "https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54" }, + { + "type": "PACKAGE", + "url": "https://github.com/lunary-ai/lunary" + }, { "type": "WEB", "url": "https://huntr.com/bounties/0b1d851e-3455-480c-ad5a-23565894976f" @@ -34,9 +61,9 @@ "cwe_ids": [ "CWE-352" ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-09-13T19:34:09Z", "nvd_published_at": "2024-09-13T17:15:13Z" } } \ No newline at end of file From 75413ad44dc339c4fefcc686ba50b9ac5bcabde6 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 20:06:45 +0000 Subject: [PATCH 083/170] Publish Advisories GHSA-4r9h-x77w-mffv GHSA-cf7p-gm2m-833m --- .../GHSA-4r9h-x77w-mffv/GHSA-4r9h-x77w-mffv.json | 14 +++++++++++++- .../GHSA-cf7p-gm2m-833m/GHSA-cf7p-gm2m-833m.json | 15 ++++++++++++++- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2022/12/GHSA-4r9h-x77w-mffv/GHSA-4r9h-x77w-mffv.json b/advisories/github-reviewed/2022/12/GHSA-4r9h-x77w-mffv/GHSA-4r9h-x77w-mffv.json index bde0870ffe8..7d6da343171 100644 --- a/advisories/github-reviewed/2022/12/GHSA-4r9h-x77w-mffv/GHSA-4r9h-x77w-mffv.json +++ b/advisories/github-reviewed/2022/12/GHSA-4r9h-x77w-mffv/GHSA-4r9h-x77w-mffv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4r9h-x77w-mffv", - "modified": "2022-12-21T17:23:08Z", + "modified": "2024-09-13T20:05:21Z", "published": "2022-12-15T21:30:26Z", "aliases": [ "CVE-2022-4527" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ 
@@ -48,10 +52,18 @@ "type": "PACKAGE", "url": "https://github.com/collective/collective.task" }, + { + "type": "WEB", + "url": "https://github.com/collective/collective.task/releases/tag/3.0.10" + }, { "type": "WEB", "url": "https://github.com/collective/collective.task/releases/tag/3.0.9" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/collective-task/PYSEC-2022-42990.yaml" + }, { "type": "WEB", "url": "https://vuldb.com/?id.215907" diff --git a/advisories/github-reviewed/2023/07/GHSA-cf7p-gm2m-833m/GHSA-cf7p-gm2m-833m.json b/advisories/github-reviewed/2023/07/GHSA-cf7p-gm2m-833m/GHSA-cf7p-gm2m-833m.json index a9eef70fc6f..88fe50ca91f 100644 --- a/advisories/github-reviewed/2023/07/GHSA-cf7p-gm2m-833m/GHSA-cf7p-gm2m-833m.json +++ b/advisories/github-reviewed/2023/07/GHSA-cf7p-gm2m-833m/GHSA-cf7p-gm2m-833m.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cf7p-gm2m-833m", - "modified": "2023-08-15T20:39:56Z", + "modified": "2024-09-13T20:06:10Z", "published": "2023-07-14T21:31:08Z", "aliases": [ "CVE-2023-38325" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -20,6 +24,11 @@ "ecosystem": "PyPI", "name": "cryptography" }, + "ecosystem_specific": { + "affected_functions": [ + "cryptography.hazmat.primitives.serialization.ssh.SSHCertificateBuilder.sign" + ] + }, "ranges": [ { "type": "ECOSYSTEM", 
@@ -68,6 +77,10 @@ "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-112.yaml" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK" From 5a31ef5f77d52dfee8c2502aea9627f39ed1e476 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 20:08:46 +0000 Subject: [PATCH 084/170] Publish Advisories GHSA-8rh6-h94m-vj54 GHSA-w7pp-m8wf-vj6r --- .../GHSA-8rh6-h94m-vj54/GHSA-8rh6-h94m-vj54.json | 14 +++++++++++++- .../GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json | 12 ++++++++++-- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2022/01/GHSA-8rh6-h94m-vj54/GHSA-8rh6-h94m-vj54.json b/advisories/github-reviewed/2022/01/GHSA-8rh6-h94m-vj54/GHSA-8rh6-h94m-vj54.json index e5f944f7439..ec35275f7a7 100644 --- a/advisories/github-reviewed/2022/01/GHSA-8rh6-h94m-vj54/GHSA-8rh6-h94m-vj54.json +++ b/advisories/github-reviewed/2022/01/GHSA-8rh6-h94m-vj54/GHSA-8rh6-h94m-vj54.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8rh6-h94m-vj54", - "modified": "2022-01-04T16:55:20Z", + "modified": "2024-09-13T20:07:10Z", "published": "2022-01-07T00:01:11Z", "aliases": [ "CVE-2021-41500" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ 
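Review bot: The reference added in the `@@ -68,6 +77,10 @@` hunk points at the same Fedora package-announce message as the entry directly below it, differing only in `%40` versus `@` in the list address. Consumers that de-duplicate references by exact string will keep both, and the list grows on every republish that re-imports the encoded form. Dropping the `%40` entry here and normalising percent-encoding before URL comparison in the publishing step would avoid it. The `references` array continues outside the hunk.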
@@ -48,10 +52,18 @@ "type": "WEB", "url": "https://github.com/cvxopt/cvxopt/commit/d5a21cf1da62e4269176384b1ff62edac5579f94" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8rh6-h94m-vj54" + }, { "type": "PACKAGE", "url": "https://github.com/cvxopt/cvxopt" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cvxopt/PYSEC-2021-870.yaml" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CXTPM3DGVYTYQ54OFCMXZVWVOMR7JM2D" diff --git a/advisories/github-reviewed/2023/02/GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json b/advisories/github-reviewed/2023/02/GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json index 20fe237d449..c917c98e128 100644 --- a/advisories/github-reviewed/2023/02/GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json +++ b/advisories/github-reviewed/2023/02/GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w7pp-m8wf-vj6r", - "modified": "2023-02-16T19:07:57Z", + "modified": "2024-09-13T20:07:50Z", "published": "2023-02-07T20:54:10Z", "aliases": [ "CVE-2023-23931" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" } ], "affected": [ @@ -51,7 +55,7 @@ }, { "type": "WEB", - "url": "https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3" + "url": "https://github.com/pyca/cryptography/pull/8230" }, { "type": "WEB", @@ -60,6 +64,10 @@ { "type": "PACKAGE", "url": "https://github.com/pyca/cryptography" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml" } ], "database_specific": { From 1caa98bf1a23755f954ab1c02054d38eadad0800 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 20:10:48 +0000 Subject: [PATCH 085/170] Publish Advisories GHSA-pghf-347x-c2gj GHSA-q3cj-2r34-2cwc --- .../GHSA-pghf-347x-c2gj.json | 23 +++++++++++++++---- .../GHSA-q3cj-2r34-2cwc.json | 18 ++++++++++++++- 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/advisories/github-reviewed/2021/04/GHSA-pghf-347x-c2gj/GHSA-pghf-347x-c2gj.json b/advisories/github-reviewed/2021/04/GHSA-pghf-347x-c2gj/GHSA-pghf-347x-c2gj.json index 5dd77b5a056..6eb5144d6d8 100644 --- a/advisories/github-reviewed/2021/04/GHSA-pghf-347x-c2gj/GHSA-pghf-347x-c2gj.json +++ b/advisories/github-reviewed/2021/04/GHSA-pghf-347x-c2gj/GHSA-pghf-347x-c2gj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pghf-347x-c2gj", - "modified": "2021-04-14T22:22:37Z", + "modified": "2024-09-13T20:10:20Z", "published": "2021-04-16T19:53:28Z", "aliases": [ "CVE-2021-30459" 
@@ -9,7 +9,14 @@ "summary": "SQL Injection via in django-debug-toolbar", "details": "### Impact\nWith Django Debug Toolbar attackers are able to execute SQL by changing the `raw_sql` input of the SQL explain, analyze or select forms and submitting the form.\n\n**NOTE:** This is a high severity issue for anyone using the toolbar in a **production environment**.\n\nGenerally the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue.\n\n### Patches\nPlease upgrade to one of the following versions, depending on the major version you're using:\n\n- Version 1.x: [django-debug-toolbar 1.11.1](https://pypi.org/project/django-debug-toolbar/1.11.1/)\n- Version 2.x: [django-debug-toolbar 2.2.1](https://pypi.org/project/django-debug-toolbar/2.2.1/)\n- Version 3.x: [django-debug-toolbar 3.2.1](https://pypi.org/project/django-debug-toolbar/3.2.1/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [django-debug-toolbar repo](https://github.com/jazzband/django-debug-toolbar/issues/new) (Please NO SENSITIVE INFORMATION, send an email instead!)\n* Email us at [security@jazzband.co](mailto:security@jazzband.co)", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" + } ], "affected": [ { @@ -41,7 +48,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "2.0.0" + "introduced": "2.0a1" }, { "fixed": "2.2.1" @@ -60,7 +67,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.0.0" + "introduced": "3.0a1" }, { "fixed": "3.2.1" 
@@ -83,10 +90,18 @@ "type": "WEB", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30459" }, + { + "type": "PACKAGE", + "url": "https://github.com/jazzband/django-debug-toolbar" + }, { "type": "WEB", "url": "https://github.com/jazzband/django-debug-toolbar/releases" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-debug-toolbar/PYSEC-2021-10.yaml" + }, { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2021/apr/14/debug-toolbar-security-releases" diff --git a/advisories/github-reviewed/2022/05/GHSA-q3cj-2r34-2cwc/GHSA-q3cj-2r34-2cwc.json b/advisories/github-reviewed/2022/05/GHSA-q3cj-2r34-2cwc/GHSA-q3cj-2r34-2cwc.json index ee50726a3f4..3c663a50b0e 100644 --- a/advisories/github-reviewed/2022/05/GHSA-q3cj-2r34-2cwc/GHSA-q3cj-2r34-2cwc.json +++ b/advisories/github-reviewed/2022/05/GHSA-q3cj-2r34-2cwc/GHSA-q3cj-2r34-2cwc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q3cj-2r34-2cwc", - "modified": "2022-06-17T21:29:04Z", + "modified": "2024-09-13T20:08:25Z", "published": "2022-05-17T02:51:56Z", "aliases": [ "CVE-2016-9243" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ 
@@ -68,6 +72,18 @@ "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2017-8.yaml" }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U23KDR2M2N7W2ZSREG63BVW7D4VC6CIZ" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQ5G7KHKZC4SI23JE7277KZXM57GEQKT" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL" From bc4205a8641d69ef895e54681dc8d701c944dc1f Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 20:12:50 +0000 Subject: [PATCH 086/170] Publish Advisories GHSA-v4x4-98cg-wr4g GHSA-9x43-5qcq-h79q --- .../GHSA-v4x4-98cg-wr4g/GHSA-v4x4-98cg-wr4g.json | 16 ++++++++++++++-- .../GHSA-9x43-5qcq-h79q/GHSA-9x43-5qcq-h79q.json | 6 +++++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2018/12/GHSA-v4x4-98cg-wr4g/GHSA-v4x4-98cg-wr4g.json b/advisories/github-reviewed/2018/12/GHSA-v4x4-98cg-wr4g/GHSA-v4x4-98cg-wr4g.json index 4782cb736e3..57c694393c9 100644 --- a/advisories/github-reviewed/2018/12/GHSA-v4x4-98cg-wr4g/GHSA-v4x4-98cg-wr4g.json +++ b/advisories/github-reviewed/2018/12/GHSA-v4x4-98cg-wr4g/GHSA-v4x4-98cg-wr4g.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-v4x4-98cg-wr4g", - "modified": "2023-09-05T17:59:57Z", + "modified": "2024-09-13T20:11:10Z", "published": "2018-12-26T17:45:19Z", "aliases": [ "CVE-2018-20325" 
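Review bot: The three Fedora references added in the `@@ -68,6 +72,18 @@` hunk of GHSA-q3cj-2r34-2cwc.json duplicate links the file already carries. The context line right after them is the same `message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL` URL with a literal `@` where the added one has `%40`. Both spellings address the same list message, so any consumer that deduplicates or counts references by exact string now sees that announcement twice. I would keep one spelling per message, normalising `%40` to `@` before comparing, and drop the added twins. The `@` forms of the `U23KDR2M2N7W2ZSREG63BVW7D4VC6CIZ` and `WQ5G7KHKZC4SI23JE7277KZXM57GEQKT` messages are presumably below the hunk, which ends before they would appear.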
@@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" } ], "affected": [ @@ -49,16 +53,24 @@ "type": "WEB", "url": "https://github.com/danijar/definitions/issues/14" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-v4x4-98cg-wr4g" + }, { "type": "PACKAGE", "url": "https://github.com/danijar/definitions" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/definitions/PYSEC-2018-82.yaml" } ], "database_specific": { "cwe_ids": [ "CWE-94" ], - "severity": "CRITICAL", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:56:38Z", "nvd_published_at": null diff --git a/advisories/github-reviewed/2023/10/GHSA-9x43-5qcq-h79q/GHSA-9x43-5qcq-h79q.json b/advisories/github-reviewed/2023/10/GHSA-9x43-5qcq-h79q/GHSA-9x43-5qcq-h79q.json index dc8fc6f7835..8dcd1a34458 100644 --- a/advisories/github-reviewed/2023/10/GHSA-9x43-5qcq-h79q/GHSA-9x43-5qcq-h79q.json +++ b/advisories/github-reviewed/2023/10/GHSA-9x43-5qcq-h79q/GHSA-9x43-5qcq-h79q.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9x43-5qcq-h79q", - "modified": "2023-10-31T22:10:27Z", + "modified": "2024-09-13T20:12:08Z", "published": "2023-10-22T21:36:10Z", "aliases": [ "CVE-2021-46898" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ From c4ccedd9655d1b42cd9566193db4bcd94f25b963 Mon Sep 17 00:00:00 2001 
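Review bot: The last hunk of GHSA-v4x4-98cg-wr4g.json lowers `database_specific.severity` from `CRITICAL` to `HIGH`, while the unchanged `CVSS_V3` vector in the same file is still `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, which rates as Critical under CVSS 3.x. The label presumably now follows the added `CVSS_V4` vector, whose `E:U` threat metric lowers the score; that metric describes known exploitation, not the CWE-94 flaw itself. Anyone gating builds or triage on the label alone will see this advisory drop a tier with no change to the affected ranges. The record should make clear which vector the label is derived from, or keep the label aligned with the base metrics.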
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 20:14:50 +0000 Subject: [PATCH 087/170] Publish GHSA-fvx8-v524-8579 --- .../GHSA-fvx8-v524-8579/GHSA-fvx8-v524-8579.json | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2021/06/GHSA-fvx8-v524-8579/GHSA-fvx8-v524-8579.json b/advisories/github-reviewed/2021/06/GHSA-fvx8-v524-8579/GHSA-fvx8-v524-8579.json index 5368300e01f..d844cd05721 100644 --- a/advisories/github-reviewed/2021/06/GHSA-fvx8-v524-8579/GHSA-fvx8-v524-8579.json +++ b/advisories/github-reviewed/2021/06/GHSA-fvx8-v524-8579/GHSA-fvx8-v524-8579.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fvx8-v524-8579", - "modified": "2023-08-30T21:23:58Z", + "modified": "2024-09-13T20:13:25Z", "published": "2021-06-04T21:46:52Z", "aliases": [ "CVE-2020-17495" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -54,11 +58,19 @@ }, { "type": "WEB", - "url": "https://github.com/celery/django-celery-results/pull/316/commits/f4af2810dd2f70718a757f733b43225527f6aa3d" + "url": "https://github.com/celery/django-celery-results/commit/ad508fe3433499e5fc94645412d911e174863f28" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-fvx8-v524-8579" }, { "type": "PACKAGE", "url": "https://github.com/celery/django-celery-results" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-celery-results/PYSEC-2020-38.yaml" } ], "database_specific": { From 002804aa0357c3400cad741d914f3609114ec197 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 21:32:48 +0000 Subject: [PATCH 088/170] Advisory Database Sync --- .../GHSA-mqq7-v29v-25f6.json | 4 +- .../GHSA-5px3-vmv6-3cq9.json | 2 +- .../GHSA-35p2-9fg3-f2p2.json | 2 +- .../GHSA-7x98-4rw8-872g.json | 2 +- .../GHSA-h3j8-wx8r-29j6.json | 2 +- .../GHSA-h9px-j846-3j9p.json | 2 +- .../GHSA-h6m5-xj4q-9xw4.json | 2 +- .../GHSA-j66v-q82h-4f8h.json | 2 +- .../GHSA-g458-xvmc-qg2r.json | 2 +- .../GHSA-5vpg-rf76-m7c5.json | 1 + .../GHSA-hqhw-r7ww-86xw.json | 1 + .../GHSA-gfgx-4754-9hhp.json | 11 ++-- .../GHSA-hx83-hmj3-pffc.json | 9 ++- .../GHSA-364p-86w3-x6rv.json | 9 ++- .../GHSA-8423-fqh5-4pfr.json | 6 +- .../GHSA-j2ww-8383-6mw8.json | 2 +- .../GHSA-mvj8-h6fp-pcrp.json | 9 ++- .../GHSA-q7v4-578f-ph8j.json | 2 +- .../GHSA-24xq-67qf-j3xr.json | 1 + .../GHSA-2mjg-798r-mxwh.json | 3 +- .../GHSA-3q68-hm47-94vg.json | 3 +- .../GHSA-3x4g-4374-v83h.json | 35 +++++++++++ .../GHSA-48wc-9j2c-rwp5.json | 3 +- .../GHSA-6qq3-v7mp-wx7q.json | 35 +++++++++++ .../GHSA-974p-hhmc-6h46.json | 11 ++-- .../GHSA-9g66-w5hj-vhx4.json | 35 +++++++++++ .../GHSA-cc7f-7qrj-r4v2.json | 6 +- .../GHSA-cf2w-h975-2fpg.json | 3 +- .../GHSA-cx6w-h9jj-x2vr.json | 3 +- .../GHSA-h827-7423-x2vc.json | 11 ++-- .../GHSA-jhgj-6hmm-vm6v.json | 11 ++-- .../GHSA-jm4p-4c99-gp7x.json | 11 ++-- .../GHSA-mcxm-8hr3-frmx.json | 1 + .../GHSA-p47w-6xhw-hhxj.json | 35 +++++++++++ .../GHSA-p7wm-h6q7-mx95.json | 2 +- .../GHSA-pq2c-46q4-qwg3.json | 11 ++-- .../GHSA-q74x-f8wx-jrgv.json | 35 +++++++++++ .../GHSA-qf89-78m6-x24m.json | 62 +++++++++++++++++++ .../GHSA-r89w-9fr4-c7c9.json | 11 ++-- .../GHSA-rvhr-9pp2-823m.json | 4 +- .../GHSA-v3gc-cff3-2vg3.json | 39 ++++++++++++ .../GHSA-vfwm-h968-g65h.json | 11 ++-- .../GHSA-vp6m-7x2g-h3wf.json | 11 ++-- .../GHSA-x6p2-rpj7-w423.json | 62 +++++++++++++++++++ .../GHSA-xr4c-mmrv-3h6c.json | 35 +++++++++++ 45 files changed, 495 insertions(+), 65 deletions(-) create mode 
100644 advisories/unreviewed/2024/09/GHSA-3x4g-4374-v83h/GHSA-3x4g-4374-v83h.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6qq3-v7mp-wx7q/GHSA-6qq3-v7mp-wx7q.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9g66-w5hj-vhx4/GHSA-9g66-w5hj-vhx4.json create mode 100644 advisories/unreviewed/2024/09/GHSA-p47w-6xhw-hhxj/GHSA-p47w-6xhw-hhxj.json create mode 100644 advisories/unreviewed/2024/09/GHSA-q74x-f8wx-jrgv/GHSA-q74x-f8wx-jrgv.json create mode 100644 advisories/unreviewed/2024/09/GHSA-qf89-78m6-x24m/GHSA-qf89-78m6-x24m.json create mode 100644 advisories/unreviewed/2024/09/GHSA-v3gc-cff3-2vg3/GHSA-v3gc-cff3-2vg3.json create mode 100644 advisories/unreviewed/2024/09/GHSA-x6p2-rpj7-w423/GHSA-x6p2-rpj7-w423.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xr4c-mmrv-3h6c/GHSA-xr4c-mmrv-3h6c.json diff --git a/advisories/unreviewed/2023/01/GHSA-mqq7-v29v-25f6/GHSA-mqq7-v29v-25f6.json b/advisories/unreviewed/2023/01/GHSA-mqq7-v29v-25f6/GHSA-mqq7-v29v-25f6.json index 99f839e671a..2831d8afca4 100644 --- a/advisories/unreviewed/2023/01/GHSA-mqq7-v29v-25f6/GHSA-mqq7-v29v-25f6.json +++ b/advisories/unreviewed/2023/01/GHSA-mqq7-v29v-25f6/GHSA-mqq7-v29v-25f6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mqq7-v29v-25f6", - "modified": "2023-01-25T21:30:18Z", + "modified": "2024-09-13T21:31:18Z", "published": "2023-01-18T18:30:16Z", "aliases": [ "CVE-2022-47966" @@ -68,7 +68,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-20" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/04/GHSA-5px3-vmv6-3cq9/GHSA-5px3-vmv6-3cq9.json b/advisories/unreviewed/2023/04/GHSA-5px3-vmv6-3cq9/GHSA-5px3-vmv6-3cq9.json index 36c090edf4a..4f01a0aed5c 100644 --- a/advisories/unreviewed/2023/04/GHSA-5px3-vmv6-3cq9/GHSA-5px3-vmv6-3cq9.json +++ b/advisories/unreviewed/2023/04/GHSA-5px3-vmv6-3cq9/GHSA-5px3-vmv6-3cq9.json 
@@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-400" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/07/GHSA-35p2-9fg3-f2p2/GHSA-35p2-9fg3-f2p2.json b/advisories/unreviewed/2023/07/GHSA-35p2-9fg3-f2p2/GHSA-35p2-9fg3-f2p2.json index 919e256aa7f..1b48b7411e5 100644 --- a/advisories/unreviewed/2023/07/GHSA-35p2-9fg3-f2p2/GHSA-35p2-9fg3-f2p2.json +++ b/advisories/unreviewed/2023/07/GHSA-35p2-9fg3-f2p2/GHSA-35p2-9fg3-f2p2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-35p2-9fg3-f2p2", - "modified": "2024-02-11T06:30:25Z", + "modified": "2024-09-13T21:31:19Z", "published": "2023-07-24T18:30:44Z", "aliases": [ "CVE-2023-3750" diff --git a/advisories/unreviewed/2023/07/GHSA-7x98-4rw8-872g/GHSA-7x98-4rw8-872g.json b/advisories/unreviewed/2023/07/GHSA-7x98-4rw8-872g/GHSA-7x98-4rw8-872g.json index 27392eef60d..dab4d92364e 100644 --- a/advisories/unreviewed/2023/07/GHSA-7x98-4rw8-872g/GHSA-7x98-4rw8-872g.json +++ b/advisories/unreviewed/2023/07/GHSA-7x98-4rw8-872g/GHSA-7x98-4rw8-872g.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7x98-4rw8-872g", - "modified": "2024-01-30T18:30:18Z", + "modified": "2024-09-13T21:31:19Z", "published": "2023-07-25T18:30:32Z", "aliases": [ "CVE-2023-3772" diff --git a/advisories/unreviewed/2023/07/GHSA-h3j8-wx8r-29j6/GHSA-h3j8-wx8r-29j6.json b/advisories/unreviewed/2023/07/GHSA-h3j8-wx8r-29j6/GHSA-h3j8-wx8r-29j6.json index 74460d305fa..8bce952ccfa 100644 --- a/advisories/unreviewed/2023/07/GHSA-h3j8-wx8r-29j6/GHSA-h3j8-wx8r-29j6.json +++ b/advisories/unreviewed/2023/07/GHSA-h3j8-wx8r-29j6/GHSA-h3j8-wx8r-29j6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-h3j8-wx8r-29j6", - "modified": "2023-11-21T18:30:25Z", + "modified": "2024-09-13T21:31:19Z", "published": "2023-07-31T18:30:22Z", "aliases": [ "CVE-2023-4004" 
diff --git a/advisories/unreviewed/2023/07/GHSA-h9px-j846-3j9p/GHSA-h9px-j846-3j9p.json b/advisories/unreviewed/2023/07/GHSA-h9px-j846-3j9p/GHSA-h9px-j846-3j9p.json index 55368cf0ecf..78fca3d5a90 100644 --- a/advisories/unreviewed/2023/07/GHSA-h9px-j846-3j9p/GHSA-h9px-j846-3j9p.json +++ b/advisories/unreviewed/2023/07/GHSA-h9px-j846-3j9p/GHSA-h9px-j846-3j9p.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/09/GHSA-h6m5-xj4q-9xw4/GHSA-h6m5-xj4q-9xw4.json b/advisories/unreviewed/2023/09/GHSA-h6m5-xj4q-9xw4/GHSA-h6m5-xj4q-9xw4.json index 2a267d859d7..f5870fae332 100644 --- a/advisories/unreviewed/2023/09/GHSA-h6m5-xj4q-9xw4/GHSA-h6m5-xj4q-9xw4.json +++ b/advisories/unreviewed/2023/09/GHSA-h6m5-xj4q-9xw4/GHSA-h6m5-xj4q-9xw4.json @@ -48,7 +48,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-20" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/09/GHSA-j66v-q82h-4f8h/GHSA-j66v-q82h-4f8h.json b/advisories/unreviewed/2023/09/GHSA-j66v-q82h-4f8h/GHSA-j66v-q82h-4f8h.json index df10c723344..77662fafd4c 100644 --- a/advisories/unreviewed/2023/09/GHSA-j66v-q82h-4f8h/GHSA-j66v-q82h-4f8h.json +++ b/advisories/unreviewed/2023/09/GHSA-j66v-q82h-4f8h/GHSA-j66v-q82h-4f8h.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j66v-q82h-4f8h", - "modified": "2024-02-27T21:31:25Z", + "modified": "2024-09-13T21:31:20Z", "published": "2023-09-25T21:30:26Z", "aliases": [ "CVE-2023-42753" diff --git a/advisories/unreviewed/2023/10/GHSA-g458-xvmc-qg2r/GHSA-g458-xvmc-qg2r.json b/advisories/unreviewed/2023/10/GHSA-g458-xvmc-qg2r/GHSA-g458-xvmc-qg2r.json index 11293eae163..153b8d7ae2c 100644 --- a/advisories/unreviewed/2023/10/GHSA-g458-xvmc-qg2r/GHSA-g458-xvmc-qg2r.json +++ b/advisories/unreviewed/2023/10/GHSA-g458-xvmc-qg2r/GHSA-g458-xvmc-qg2r.json 
@@ -44,7 +44,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-20" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/12/GHSA-5vpg-rf76-m7c5/GHSA-5vpg-rf76-m7c5.json b/advisories/unreviewed/2023/12/GHSA-5vpg-rf76-m7c5/GHSA-5vpg-rf76-m7c5.json index 6098ff0766a..0d4681291cc 100644 --- a/advisories/unreviewed/2023/12/GHSA-5vpg-rf76-m7c5/GHSA-5vpg-rf76-m7c5.json +++ b/advisories/unreviewed/2023/12/GHSA-5vpg-rf76-m7c5/GHSA-5vpg-rf76-m7c5.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-121", "CWE-787" ], "severity": "CRITICAL", diff --git a/advisories/unreviewed/2023/12/GHSA-hqhw-r7ww-86xw/GHSA-hqhw-r7ww-86xw.json b/advisories/unreviewed/2023/12/GHSA-hqhw-r7ww-86xw/GHSA-hqhw-r7ww-86xw.json index 64ad2ad0f96..a5803cb9f96 100644 --- a/advisories/unreviewed/2023/12/GHSA-hqhw-r7ww-86xw/GHSA-hqhw-r7ww-86xw.json +++ b/advisories/unreviewed/2023/12/GHSA-hqhw-r7ww-86xw/GHSA-hqhw-r7ww-86xw.json @@ -32,6 +32,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-120", "CWE-787" ], "severity": "CRITICAL", diff --git a/advisories/unreviewed/2024/06/GHSA-gfgx-4754-9hhp/GHSA-gfgx-4754-9hhp.json b/advisories/unreviewed/2024/06/GHSA-gfgx-4754-9hhp/GHSA-gfgx-4754-9hhp.json index c120fcb2096..18c5e7de37d 100644 --- a/advisories/unreviewed/2024/06/GHSA-gfgx-4754-9hhp/GHSA-gfgx-4754-9hhp.json +++ b/advisories/unreviewed/2024/06/GHSA-gfgx-4754-9hhp/GHSA-gfgx-4754-9hhp.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-gfgx-4754-9hhp", - "modified": "2024-06-11T15:31:14Z", + "modified": "2024-09-13T21:31:20Z", "published": "2024-06-11T15:31:14Z", "aliases": [ "CVE-2024-5695" ], "details": "If an out-of-memory condition occurs at a specific point using allocations in the probabilistic heap checker, an assertion could have been triggered, and in rarer situations, memory corruption could have occurred. This vulnerability affects Firefox < 127.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-787" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-06-11T13:15:51Z" diff --git a/advisories/unreviewed/2024/06/GHSA-hx83-hmj3-pffc/GHSA-hx83-hmj3-pffc.json b/advisories/unreviewed/2024/06/GHSA-hx83-hmj3-pffc/GHSA-hx83-hmj3-pffc.json index d5c2bdb799b..1841b9c99dc 100644 --- a/advisories/unreviewed/2024/06/GHSA-hx83-hmj3-pffc/GHSA-hx83-hmj3-pffc.json +++ b/advisories/unreviewed/2024/06/GHSA-hx83-hmj3-pffc/GHSA-hx83-hmj3-pffc.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hx83-hmj3-pffc", - "modified": "2024-06-11T15:31:13Z", + "modified": "2024-09-13T21:31:20Z", "published": "2024-06-11T15:31:13Z", "aliases": [ "CVE-2024-5689" ], "details": "In addition to detecting when a user was taking a screenshot (XXX), a website was able to overlay the 'My Shots' button that appeared, and direct the user to a replica Firefox Screenshots page that could be used for phishing. This vulnerability affects Firefox < 127.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-06-11T13:15:50Z" 
diff --git a/advisories/unreviewed/2024/08/GHSA-364p-86w3-x6rv/GHSA-364p-86w3-x6rv.json b/advisories/unreviewed/2024/08/GHSA-364p-86w3-x6rv/GHSA-364p-86w3-x6rv.json index 65c29eee3d7..1fb66181477 100644 --- a/advisories/unreviewed/2024/08/GHSA-364p-86w3-x6rv/GHSA-364p-86w3-x6rv.json +++ b/advisories/unreviewed/2024/08/GHSA-364p-86w3-x6rv/GHSA-364p-86w3-x6rv.json @@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-364p-86w3-x6rv", - "modified": "2024-08-29T12:31:05Z", + "modified": "2024-09-13T21:31:21Z", "published": "2024-08-29T12:31:05Z", "aliases": [ "CVE-2024-5622" ], "details": "An untrusted search path vulnerability in the AprolConfigureCCServices of B&R APROL <= R 4.2.-07P3 and <= R 4.4-00P3 may allow an authenticated local attacker to execute arbitrary code with elevated privileges.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" @@ -28,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-250" + "CWE-250", + "CWE-426" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/08/GHSA-8423-fqh5-4pfr/GHSA-8423-fqh5-4pfr.json b/advisories/unreviewed/2024/08/GHSA-8423-fqh5-4pfr/GHSA-8423-fqh5-4pfr.json index 38f97e76156..9b618e05021 100644 --- a/advisories/unreviewed/2024/08/GHSA-8423-fqh5-4pfr/GHSA-8423-fqh5-4pfr.json +++ b/advisories/unreviewed/2024/08/GHSA-8423-fqh5-4pfr/GHSA-8423-fqh5-4pfr.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8423-fqh5-4pfr", - "modified": "2024-08-29T12:31:05Z", + "modified": "2024-09-13T21:31:21Z", "published": "2024-08-29T12:31:05Z", "aliases": [ "CVE-2024-5624" ], "details": "Reflected Cross-Site Scripting (XSS) in Shift Logbook application of B&R APROL <= R 4.4-00P3 may allow a network-based attacker to execute arbitrary JavaScript code in the context of the user's browser session", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2024/08/GHSA-j2ww-8383-6mw8/GHSA-j2ww-8383-6mw8.json b/advisories/unreviewed/2024/08/GHSA-j2ww-8383-6mw8/GHSA-j2ww-8383-6mw8.json index 915f63e8447..2a5e7d59995 100644 --- a/advisories/unreviewed/2024/08/GHSA-j2ww-8383-6mw8/GHSA-j2ww-8383-6mw8.json +++ b/advisories/unreviewed/2024/08/GHSA-j2ww-8383-6mw8/GHSA-j2ww-8383-6mw8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j2ww-8383-6mw8", - "modified": "2024-08-31T09:30:44Z", + "modified": "2024-09-13T21:31:21Z", "published": "2024-08-31T09:30:44Z", "aliases": [ "CVE-2024-8276" diff --git a/advisories/unreviewed/2024/08/GHSA-mvj8-h6fp-pcrp/GHSA-mvj8-h6fp-pcrp.json b/advisories/unreviewed/2024/08/GHSA-mvj8-h6fp-pcrp/GHSA-mvj8-h6fp-pcrp.json index f88cb5d929b..35eb1cfafba 100644 --- a/advisories/unreviewed/2024/08/GHSA-mvj8-h6fp-pcrp/GHSA-mvj8-h6fp-pcrp.json +++ b/advisories/unreviewed/2024/08/GHSA-mvj8-h6fp-pcrp/GHSA-mvj8-h6fp-pcrp.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mvj8-h6fp-pcrp", - "modified": "2024-08-29T12:31:05Z", + "modified": "2024-09-13T21:31:21Z", "published": "2024-08-29T12:31:05Z", "aliases": [ "CVE-2024-5623" ], "details": "An untrusted search path vulnerability in B&R APROL <= R 4.4-00P3 may be used by an authenticated local attacker to get other users to execute arbitrary code under their privileges.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" @@ -28,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-250" + "CWE-250", + "CWE-426" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/08/GHSA-q7v4-578f-ph8j/GHSA-q7v4-578f-ph8j.json b/advisories/unreviewed/2024/08/GHSA-q7v4-578f-ph8j/GHSA-q7v4-578f-ph8j.json index b28cbaf01aa..072aedff77d 100644 --- a/advisories/unreviewed/2024/08/GHSA-q7v4-578f-ph8j/GHSA-q7v4-578f-ph8j.json +++ b/advisories/unreviewed/2024/08/GHSA-q7v4-578f-ph8j/GHSA-q7v4-578f-ph8j.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q7v4-578f-ph8j", - "modified": "2024-08-28T12:30:33Z", + "modified": "2024-09-13T21:31:21Z", "published": "2024-08-28T12:30:33Z", "aliases": [ "CVE-2024-7447" diff --git a/advisories/unreviewed/2024/09/GHSA-24xq-67qf-j3xr/GHSA-24xq-67qf-j3xr.json b/advisories/unreviewed/2024/09/GHSA-24xq-67qf-j3xr/GHSA-24xq-67qf-j3xr.json index c6384ee890c..280804206b9 100644 --- a/advisories/unreviewed/2024/09/GHSA-24xq-67qf-j3xr/GHSA-24xq-67qf-j3xr.json +++ b/advisories/unreviewed/2024/09/GHSA-24xq-67qf-j3xr/GHSA-24xq-67qf-j3xr.json @@ -32,6 +32,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-770", "CWE-789" ], "severity": "MODERATE", 
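Review bot: The `CVSS_V3` vector added to GHSA-mvj8-h6fp-pcrp.json says `UI:N`, but the `details` text describes getting other users to execute code and the existing `CVSS_V4` vector in the same array carries `UI:P`. If a victim action is required, the v3 entry would read `"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"`. Separately, the v3 vector rates as High while `database_specific.severity` stays `MODERATE` in the second hunk, so the record now offers two different answers depending on which field a tool reads. The vector looks imported rather than hand-written, so the correction probably belongs upstream.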
diff --git a/advisories/unreviewed/2024/09/GHSA-2mjg-798r-mxwh/GHSA-2mjg-798r-mxwh.json b/advisories/unreviewed/2024/09/GHSA-2mjg-798r-mxwh/GHSA-2mjg-798r-mxwh.json index 9e649870653..8161b007dd8 100644 --- a/advisories/unreviewed/2024/09/GHSA-2mjg-798r-mxwh/GHSA-2mjg-798r-mxwh.json +++ b/advisories/unreviewed/2024/09/GHSA-2mjg-798r-mxwh/GHSA-2mjg-798r-mxwh.json @@ -32,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-457" + "CWE-457", + "CWE-908" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-3q68-hm47-94vg/GHSA-3q68-hm47-94vg.json b/advisories/unreviewed/2024/09/GHSA-3q68-hm47-94vg/GHSA-3q68-hm47-94vg.json index 6d140d8d36f..244cb9ca70b 100644 --- a/advisories/unreviewed/2024/09/GHSA-3q68-hm47-94vg/GHSA-3q68-hm47-94vg.json +++ b/advisories/unreviewed/2024/09/GHSA-3q68-hm47-94vg/GHSA-3q68-hm47-94vg.json @@ -32,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-457" + "CWE-457", + "CWE-908" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-3x4g-4374-v83h/GHSA-3x4g-4374-v83h.json b/advisories/unreviewed/2024/09/GHSA-3x4g-4374-v83h/GHSA-3x4g-4374-v83h.json new file mode 100644 index 00000000000..0154d9d07b5 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-3x4g-4374-v83h/GHSA-3x4g-4374-v83h.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3x4g-4374-v83h", + "modified": "2024-09-13T21:31:22Z", + "published": "2024-09-13T21:31:22Z", + "aliases": [ + "CVE-2024-44096" + ], + "details": "there is a possible arbitrary read due to an insecure default value. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44096" + }, + { + "type": "WEB", + "url": "https://source.android.com/security/bulletin/pixel/2024-09-01" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T21:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-48wc-9j2c-rwp5/GHSA-48wc-9j2c-rwp5.json b/advisories/unreviewed/2024/09/GHSA-48wc-9j2c-rwp5/GHSA-48wc-9j2c-rwp5.json index 733722c1036..d4ecec4320f 100644 --- a/advisories/unreviewed/2024/09/GHSA-48wc-9j2c-rwp5/GHSA-48wc-9j2c-rwp5.json +++ b/advisories/unreviewed/2024/09/GHSA-48wc-9j2c-rwp5/GHSA-48wc-9j2c-rwp5.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-259" + "CWE-259", + "CWE-798" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-6qq3-v7mp-wx7q/GHSA-6qq3-v7mp-wx7q.json b/advisories/unreviewed/2024/09/GHSA-6qq3-v7mp-wx7q/GHSA-6qq3-v7mp-wx7q.json new file mode 100644 index 00000000000..fc2a7d16e4f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-6qq3-v7mp-wx7q/GHSA-6qq3-v7mp-wx7q.json 
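Review bot: The new record GHSA-3x4g-4374-v83h.json is published with empty `severity`, `affected` and `cwe_ids` arrays, a null `database_specific.severity`, and a `details` string that starts mid-sentence without naming the component. With no package or version range, dependency scanners cannot match it, and the only usable pointer in the record is the Pixel bulletin reference. The same holds for the new GHSA-6qq3-v7mp-wx7q.json and GHSA-9g66-w5hj-vhx4.json later in this patch, the latter still carrying the upstream placeholder `In TBD of TBD`. These are unreviewed imports, so I would not hand-edit them, but consumers should read the null severity as "not yet scored", not as low risk. All three files also end without a trailing newline.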
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6qq3-v7mp-wx7q", + "modified": "2024-09-13T21:31:22Z", + "published": "2024-09-13T21:31:22Z", + "aliases": [ + "CVE-2024-44095" + ], + "details": "In ppmp_protect_mfcfw_buf of code/drm_fw.c, there is a possible corrupt memory due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44095" + }, + { + "type": "WEB", + "url": "https://source.android.com/security/bulletin/pixel/2024-09-01" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T21:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-974p-hhmc-6h46/GHSA-974p-hhmc-6h46.json b/advisories/unreviewed/2024/09/GHSA-974p-hhmc-6h46/GHSA-974p-hhmc-6h46.json index 57fd4ea76c3..f0d579bcaef 100644 --- a/advisories/unreviewed/2024/09/GHSA-974p-hhmc-6h46/GHSA-974p-hhmc-6h46.json +++ b/advisories/unreviewed/2024/09/GHSA-974p-hhmc-6h46/GHSA-974p-hhmc-6h46.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-974p-hhmc-6h46", - "modified": "2024-09-13T18:31:48Z", + "modified": "2024-09-13T21:31:22Z", "published": "2024-09-13T18:31:48Z", "aliases": [ "CVE-2024-39924" ], "details": "An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency access to escalate their privileges by changing the access level and modifying the wait time. Consequently, the attacker can gain full control over the vault (when only intended to have read access) while bypassing the necessary wait period.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T18:15:03Z" diff --git a/advisories/unreviewed/2024/09/GHSA-9g66-w5hj-vhx4/GHSA-9g66-w5hj-vhx4.json b/advisories/unreviewed/2024/09/GHSA-9g66-w5hj-vhx4/GHSA-9g66-w5hj-vhx4.json new file mode 100644 index 00000000000..335f63fe7d7 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-9g66-w5hj-vhx4/GHSA-9g66-w5hj-vhx4.json 
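Review bot: The `CVSS_V3` vector added to GHSA-974p-hhmc-6h46.json has `PR:N`, which does not fit the `details` text in the same hunk: the attacker there has already been granted emergency access, which is a privilege. A vector matching the description would be `"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"`, and that would likely also lower the `HIGH` label set in the second hunk. The same `PR:N` mismatch appears in the `severity` hunk for GHSA-h827-7423-x2vc.json further down, whose text requires an attacker holding the 'capability' setting privilege. Both vectors look imported from an upstream score, so they should be confirmed and corrected there, not only in this file.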
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9g66-w5hj-vhx4", + "modified": "2024-09-13T21:31:22Z", + "published": "2024-09-13T21:31:22Z", + "aliases": [ + "CVE-2024-44092" + ], + "details": "In TBD of TBD, there is a possible LCS signing enforcement missing due to test/debugging code left in a production build. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44092" + }, + { + "type": "WEB", + "url": "https://source.android.com/security/bulletin/pixel/2024-09-01" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T21:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-cc7f-7qrj-r4v2/GHSA-cc7f-7qrj-r4v2.json b/advisories/unreviewed/2024/09/GHSA-cc7f-7qrj-r4v2/GHSA-cc7f-7qrj-r4v2.json index 88baf4312c7..f768c073ba9 100644 --- a/advisories/unreviewed/2024/09/GHSA-cc7f-7qrj-r4v2/GHSA-cc7f-7qrj-r4v2.json +++ b/advisories/unreviewed/2024/09/GHSA-cc7f-7qrj-r4v2/GHSA-cc7f-7qrj-r4v2.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-cc7f-7qrj-r4v2", - "modified": "2024-09-06T15:32:58Z", + "modified": "2024-09-13T21:31:21Z", "published": "2024-09-06T15:32:58Z", "aliases": [ "CVE-2024-1744" ], "details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Ariva Computer Accord ORS allows Retrieve Embedded Sensitive Data.This issue affects Accord ORS: before 7.3.2.1.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2024/09/GHSA-cf2w-h975-2fpg/GHSA-cf2w-h975-2fpg.json b/advisories/unreviewed/2024/09/GHSA-cf2w-h975-2fpg/GHSA-cf2w-h975-2fpg.json index cb7a2a62e72..c56d2a8e445 100644 --- a/advisories/unreviewed/2024/09/GHSA-cf2w-h975-2fpg/GHSA-cf2w-h975-2fpg.json +++ b/advisories/unreviewed/2024/09/GHSA-cf2w-h975-2fpg/GHSA-cf2w-h975-2fpg.json @@ -32,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-457" + "CWE-457", + "CWE-908" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-cx6w-h9jj-x2vr/GHSA-cx6w-h9jj-x2vr.json b/advisories/unreviewed/2024/09/GHSA-cx6w-h9jj-x2vr/GHSA-cx6w-h9jj-x2vr.json index 21a440e2b6b..d4ba2e5e31c 100644 --- a/advisories/unreviewed/2024/09/GHSA-cx6w-h9jj-x2vr/GHSA-cx6w-h9jj-x2vr.json +++ b/advisories/unreviewed/2024/09/GHSA-cx6w-h9jj-x2vr/GHSA-cx6w-h9jj-x2vr.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-200" + "CWE-200", + "CWE-311" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-h827-7423-x2vc/GHSA-h827-7423-x2vc.json b/advisories/unreviewed/2024/09/GHSA-h827-7423-x2vc/GHSA-h827-7423-x2vc.json index 9911623d99e..5f262800cbf 100644 
--- a/advisories/unreviewed/2024/09/GHSA-h827-7423-x2vc/GHSA-h827-7423-x2vc.json +++ b/advisories/unreviewed/2024/09/GHSA-h827-7423-x2vc/GHSA-h827-7423-x2vc.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-h827-7423-x2vc", - "modified": "2024-09-05T00:31:23Z", + "modified": "2024-09-13T21:31:21Z", "published": "2024-09-05T00:31:23Z", "aliases": [ "CVE-2024-45429" ], "details": "Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the 'capability' setting privilege which is set in the product settings stores an arbitrary script in the field label, the script may be executed on the web browser of the logged-in user with the same privilege as the attacker's.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-04T23:15:12Z" diff --git a/advisories/unreviewed/2024/09/GHSA-jhgj-6hmm-vm6v/GHSA-jhgj-6hmm-vm6v.json b/advisories/unreviewed/2024/09/GHSA-jhgj-6hmm-vm6v/GHSA-jhgj-6hmm-vm6v.json index 3dde404e251..c16bb7a4cc6 100644 --- a/advisories/unreviewed/2024/09/GHSA-jhgj-6hmm-vm6v/GHSA-jhgj-6hmm-vm6v.json +++ b/advisories/unreviewed/2024/09/GHSA-jhgj-6hmm-vm6v/GHSA-jhgj-6hmm-vm6v.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jhgj-6hmm-vm6v", - "modified": "2024-09-13T18:31:47Z", + "modified": "2024-09-13T21:31:22Z", "published": "2024-09-13T18:31:47Z", "aliases": [ "CVE-2024-44685" ], "details": "Titan SFTP and Titan MFT Server 2.0.25.2426 and earlier have a vulnerability a vulnerability where sensitive information, including passwords, is exposed in clear text within the JSON response when configuring SMTP settings via the Web UI.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-200" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T16:15:04Z" diff --git a/advisories/unreviewed/2024/09/GHSA-jm4p-4c99-gp7x/GHSA-jm4p-4c99-gp7x.json b/advisories/unreviewed/2024/09/GHSA-jm4p-4c99-gp7x/GHSA-jm4p-4c99-gp7x.json index fdd0a44a91a..2bdbbda25b8 100644 --- a/advisories/unreviewed/2024/09/GHSA-jm4p-4c99-gp7x/GHSA-jm4p-4c99-gp7x.json +++ b/advisories/unreviewed/2024/09/GHSA-jm4p-4c99-gp7x/GHSA-jm4p-4c99-gp7x.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jm4p-4c99-gp7x", - "modified": "2024-09-13T18:31:47Z", + "modified": "2024-09-13T21:31:22Z", "published": "2024-09-13T18:31:47Z", "aliases": [ "CVE-2024-44798" ], "details": "phpgurukul Bus Pass Management System 1.0 is vulnerable to Cross-site scripting (XSS) in /admin/pass-bwdates-reports-details.php via fromdate and todate parameters.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T16:15:04Z" 
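Review bot: The vector added for GHSA-jhgj-6hmm-vm6v uses `AV:P`, yet `details` places the exposure in the JSON response returned while configuring SMTP settings through the Web UI, which reads as a network-reachable path rather than one that needs physical access. If that reading is right, the `"severity": "MODERATE"` set in the second hunk may understate the exposure of stored SMTP passwords. `CWE-200` is also the broad parent class; the text describes credentials returned in clear text, so a narrower class would help filtering once the source confirms it.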
diff --git a/advisories/unreviewed/2024/09/GHSA-mcxm-8hr3-frmx/GHSA-mcxm-8hr3-frmx.json b/advisories/unreviewed/2024/09/GHSA-mcxm-8hr3-frmx/GHSA-mcxm-8hr3-frmx.json index 15da548c13e..e5dd2c60775 100644 --- a/advisories/unreviewed/2024/09/GHSA-mcxm-8hr3-frmx/GHSA-mcxm-8hr3-frmx.json +++ b/advisories/unreviewed/2024/09/GHSA-mcxm-8hr3-frmx/GHSA-mcxm-8hr3-frmx.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-798", "CWE-912" ], "severity": "CRITICAL", diff --git a/advisories/unreviewed/2024/09/GHSA-p47w-6xhw-hhxj/GHSA-p47w-6xhw-hhxj.json b/advisories/unreviewed/2024/09/GHSA-p47w-6xhw-hhxj/GHSA-p47w-6xhw-hhxj.json new file mode 100644 index 00000000000..062220d8289 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-p47w-6xhw-hhxj/GHSA-p47w-6xhw-hhxj.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p47w-6xhw-hhxj", + "modified": "2024-09-13T21:31:22Z", + "published": "2024-09-13T21:31:22Z", + "aliases": [ + "CVE-2024-44094" + ], + "details": "In ppmp_protect_mfcfw_buf of code/drm_fw.c, there is a possible memory corruption due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44094" + }, + { + "type": "WEB", + "url": "https://source.android.com/security/bulletin/pixel/2024-09-01" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T21:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-p7wm-h6q7-mx95/GHSA-p7wm-h6q7-mx95.json b/advisories/unreviewed/2024/09/GHSA-p7wm-h6q7-mx95/GHSA-p7wm-h6q7-mx95.json index 52a381efe1e..83ef5ceab5b 100644 
--- a/advisories/unreviewed/2024/09/GHSA-p7wm-h6q7-mx95/GHSA-p7wm-h6q7-mx95.json +++ b/advisories/unreviewed/2024/09/GHSA-p7wm-h6q7-mx95/GHSA-p7wm-h6q7-mx95.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-pq2c-46q4-qwg3/GHSA-pq2c-46q4-qwg3.json b/advisories/unreviewed/2024/09/GHSA-pq2c-46q4-qwg3/GHSA-pq2c-46q4-qwg3.json index 89a593ab95c..2be2e0d8f71 100644 --- a/advisories/unreviewed/2024/09/GHSA-pq2c-46q4-qwg3/GHSA-pq2c-46q4-qwg3.json +++ b/advisories/unreviewed/2024/09/GHSA-pq2c-46q4-qwg3/GHSA-pq2c-46q4-qwg3.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-pq2c-46q4-qwg3", - "modified": "2024-09-04T03:30:44Z", + "modified": "2024-09-13T21:31:21Z", "published": "2024-09-04T03:30:44Z", "aliases": [ "CVE-2024-41716" ], "details": "Cleartext storage of sensitive information vulnerability exists in WindLDR and WindO/I-NV4. If this vulnerability is exploited, an attacker who obtained the product's project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-312" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-04T01:15:11Z" diff --git a/advisories/unreviewed/2024/09/GHSA-q74x-f8wx-jrgv/GHSA-q74x-f8wx-jrgv.json b/advisories/unreviewed/2024/09/GHSA-q74x-f8wx-jrgv/GHSA-q74x-f8wx-jrgv.json new file mode 100644 index 00000000000..88d66a54012 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-q74x-f8wx-jrgv/GHSA-q74x-f8wx-jrgv.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q74x-f8wx-jrgv", + "modified": "2024-09-13T21:31:22Z", + "published": "2024-09-13T21:31:22Z", + "aliases": [ + "CVE-2024-44093" + ], + "details": "In ppmp_unprotect_buf of drm/code/drm_fw.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44093" + }, + { + "type": "WEB", + "url": "https://source.android.com/security/bulletin/pixel/2024-09-01" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T21:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-qf89-78m6-x24m/GHSA-qf89-78m6-x24m.json b/advisories/unreviewed/2024/09/GHSA-qf89-78m6-x24m/GHSA-qf89-78m6-x24m.json new file mode 100644 index 00000000000..69a200be01d --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-qf89-78m6-x24m/GHSA-qf89-78m6-x24m.json 
@@ -0,0 +1,62 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qf89-78m6-x24m", + "modified": "2024-09-13T21:31:22Z", + "published": "2024-09-13T21:31:22Z", + "aliases": [ + "CVE-2024-8783" + ], + "details": "A vulnerability classified as problematic has been found in OpenTibiaBR MyAAC up to 0.8.16. Affected is an unknown function of the file system/pages/forum/new_post.php of the component Post Reply Handler. The manipulation of the argument post_topic leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as bf6ae3df0d32fa22552bb44ca4f8489a6e78cc1c. It is recommended to apply a patch to fix this issue.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8783" + }, + { + "type": "WEB", + "url": "https://github.com/opentibiabr/myaac/issues/121" + }, + { + "type": "WEB", + "url": "https://github.com/opentibiabr/myaac/pull/122" + }, + { + "type": "WEB", + "url": "https://github.com/opentibiabr/myaac/pull/122/commits/bf6ae3df0d32fa22552bb44ca4f8489a6e78cc1c" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.277434" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.277434" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.406368" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T19:15:18Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-r89w-9fr4-c7c9/GHSA-r89w-9fr4-c7c9.json b/advisories/unreviewed/2024/09/GHSA-r89w-9fr4-c7c9/GHSA-r89w-9fr4-c7c9.json index 9ac96bbfad3..75c38723a28 100644 --- a/advisories/unreviewed/2024/09/GHSA-r89w-9fr4-c7c9/GHSA-r89w-9fr4-c7c9.json +++ b/advisories/unreviewed/2024/09/GHSA-r89w-9fr4-c7c9/GHSA-r89w-9fr4-c7c9.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-r89w-9fr4-c7c9", - "modified": "2024-09-13T18:31:48Z", + "modified": "2024-09-13T21:31:22Z", "published": "2024-09-13T18:31:48Z", "aliases": [ "CVE-2024-39925" ], "details": "An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs. Consequently, the departing member, whose access should be revoked, retains a copy of the organization key. Additionally, the application fails to adequately protect some encrypted data stored on the server. Consequently, an authenticated user could gain unauthorized access to encrypted data of any organization, even if the user is not a member of the targeted organization. However, the user would need to know the corresponding organizationId. Hence, if a user (whose access to an organization has been revoked) already possesses the organization key, that user could use the key to decrypt the leaked data.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T18:15:03Z" diff --git a/advisories/unreviewed/2024/09/GHSA-rvhr-9pp2-823m/GHSA-rvhr-9pp2-823m.json b/advisories/unreviewed/2024/09/GHSA-rvhr-9pp2-823m/GHSA-rvhr-9pp2-823m.json index 59f94e46dba..b7fdc4375a9 100644 
--- a/advisories/unreviewed/2024/09/GHSA-rvhr-9pp2-823m/GHSA-rvhr-9pp2-823m.json +++ b/advisories/unreviewed/2024/09/GHSA-rvhr-9pp2-823m/GHSA-rvhr-9pp2-823m.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rvhr-9pp2-823m", - "modified": "2024-09-12T00:31:22Z", + "modified": "2024-09-13T21:31:22Z", "published": "2024-09-12T00:31:22Z", "aliases": [ "CVE-2024-7889" @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-664" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-v3gc-cff3-2vg3/GHSA-v3gc-cff3-2vg3.json b/advisories/unreviewed/2024/09/GHSA-v3gc-cff3-2vg3/GHSA-v3gc-cff3-2vg3.json new file mode 100644 index 00000000000..1a3686911bd --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-v3gc-cff3-2vg3/GHSA-v3gc-cff3-2vg3.json @@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v3gc-cff3-2vg3", + "modified": "2024-09-13T21:31:22Z", + "published": "2024-09-13T21:31:22Z", + "aliases": [ + "CVE-2024-44430" + ], + "details": "SQL Injection vulnerability in Best Free Law Office Management Software-v1.0 allows an attacker to execute arbitrary code and obtain sensitive information via a crafted payload to the kortex_lite/control/register_case.php interface", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44430" + }, + { + "type": "WEB", + "url": "https://blog.csdn.net/samwbs/article/details/140954482" + }, + { + "type": "WEB", + "url": "https://github.com/samwbs/kortexcve/blob/main/xss_register_case/XSS_register_case.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T20:15:02Z" + } +} \ No newline at end of file 
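Review bot: `details` in the new GHSA-v3gc-cff3-2vg3 record calls the flaw a SQL injection in `kortex_lite/control/register_case.php`, but the added reference is `https://github.com/samwbs/kortexcve/blob/main/xss_register_case/XSS_register_case.md`, whose path describes cross-site scripting. With `cwe_ids` and `severity` both empty, the record itself gives no way to tell which class applies. The description and the reference should be reconciled against the source write-up before a CWE is assigned. The "execute arbitrary code" claim in `details` is likewise not supported by anything else in the hunk.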
diff --git a/advisories/unreviewed/2024/09/GHSA-vfwm-h968-g65h/GHSA-vfwm-h968-g65h.json b/advisories/unreviewed/2024/09/GHSA-vfwm-h968-g65h/GHSA-vfwm-h968-g65h.json index 35044b5fc1b..03ac2b86be9 100644 --- a/advisories/unreviewed/2024/09/GHSA-vfwm-h968-g65h/GHSA-vfwm-h968-g65h.json +++ b/advisories/unreviewed/2024/09/GHSA-vfwm-h968-g65h/GHSA-vfwm-h968-g65h.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-vfwm-h968-g65h", - "modified": "2024-09-13T18:31:48Z", + "modified": "2024-09-13T21:31:22Z", "published": "2024-09-13T18:31:48Z", "aliases": [ "CVE-2024-39926" ], "details": "An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator's browser when viewing the injected content. However, it is important to note that the default Content Security Policy (CSP) of the application blocks most exploitation paths, significantly mitigating the potential impact.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T18:15:04Z" diff --git a/advisories/unreviewed/2024/09/GHSA-vp6m-7x2g-h3wf/GHSA-vp6m-7x2g-h3wf.json b/advisories/unreviewed/2024/09/GHSA-vp6m-7x2g-h3wf/GHSA-vp6m-7x2g-h3wf.json index fefca255e4e..ceb1451d47d 100644 --- a/advisories/unreviewed/2024/09/GHSA-vp6m-7x2g-h3wf/GHSA-vp6m-7x2g-h3wf.json +++ b/advisories/unreviewed/2024/09/GHSA-vp6m-7x2g-h3wf/GHSA-vp6m-7x2g-h3wf.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-vp6m-7x2g-h3wf", - "modified": "2024-09-03T21:31:12Z", + "modified": "2024-09-13T21:31:21Z", "published": "2024-09-03T21:31:12Z", "aliases": [ "CVE-2024-45180" ], "details": "SquaredUp DS for SCOM 6.2.1.11104 allows XSS.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-03T20:15:08Z" diff --git a/advisories/unreviewed/2024/09/GHSA-x6p2-rpj7-w423/GHSA-x6p2-rpj7-w423.json b/advisories/unreviewed/2024/09/GHSA-x6p2-rpj7-w423/GHSA-x6p2-rpj7-w423.json new file mode 100644 index 00000000000..4cf977ba082 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-x6p2-rpj7-w423/GHSA-x6p2-rpj7-w423.json 
@@ -0,0 +1,62 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-x6p2-rpj7-w423", + "modified": "2024-09-13T21:31:22Z", + "published": "2024-09-13T21:31:22Z", + "aliases": [ + "CVE-2024-8784" + ], + "details": "A vulnerability classified as critical was found in QDocs Smart School Management System 7.0.0. Affected by this vulnerability is an unknown functionality of the file /user/chat/mynewuser of the component Chat. The manipulation of the argument users[] with the input 1'+AND+(SELECT+3220+FROM+(SELECT(SLEEP(5)))ZNun)+AND+'WwBM'%3d'WwBM as part of POST Request Parameter leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.1 is able to address this issue. It is recommended to upgrade the affected component.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8784" + }, + { + "type": "WEB", + "url": "https://codecanyon.net/item/smart-school-school-management-system/19426018" + }, + { + "type": "WEB", + "url": "https://github.com/bytium/vulnerability-research/blob/main/Advisory%20for%20Time-Based%20Blind%20SQL%20Injection%20in%20QDocs%20Smart%20School.md" + }, + { + "type": "WEB", + "url": "https://smart-school.in/article/version-7-0-1" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.277435" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.277435" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.407385" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + 
"nvd_published_at": "2024-09-13T19:15:18Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-xr4c-mmrv-3h6c/GHSA-xr4c-mmrv-3h6c.json b/advisories/unreviewed/2024/09/GHSA-xr4c-mmrv-3h6c/GHSA-xr4c-mmrv-3h6c.json new file mode 100644 index 00000000000..cdbe01fdcda --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-xr4c-mmrv-3h6c/GHSA-xr4c-mmrv-3h6c.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xr4c-mmrv-3h6c", + "modified": "2024-09-13T21:31:22Z", + "published": "2024-09-13T21:31:22Z", + "aliases": [ + "CVE-2024-29779" + ], + "details": "there is a possible escalation of privilege due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29779" + }, + { + "type": "WEB", + "url": "https://source.android.com/security/bulletin/pixel/2024-09-01" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-13T21:15:10Z" + } +} \ No newline at end of file From b823aed1896c616bbdbe0d5263f1732205f0c652 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 21:44:21 +0000 Subject: [PATCH 089/170] Publish Advisories GHSA-hx54-pf28-7xch GHSA-whf4-fpj8-pgg8 --- .../2024/06/GHSA-hx54-pf28-7xch/GHSA-hx54-pf28-7xch.json | 1 + .../2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json | 1 + 2 files changed, 2 insertions(+) diff --git a/advisories/github-reviewed/2024/06/GHSA-hx54-pf28-7xch/GHSA-hx54-pf28-7xch.json b/advisories/github-reviewed/2024/06/GHSA-hx54-pf28-7xch/GHSA-hx54-pf28-7xch.json index 44d4128401e..6a0f37f5660 100644 
--- a/advisories/github-reviewed/2024/06/GHSA-hx54-pf28-7xch/GHSA-hx54-pf28-7xch.json +++ b/advisories/github-reviewed/2024/06/GHSA-hx54-pf28-7xch/GHSA-hx54-pf28-7xch.json @@ -51,6 +51,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-611", "CWE-776" ], "severity": "CRITICAL", diff --git a/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json b/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json index 55c001b6c97..1ea633805d3 100644 --- a/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json +++ b/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json @@ -51,6 +51,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-611", "CWE-776" ], "severity": "HIGH", From efedee73b8c402e32f632ce4f3ace8252ff0aa33 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 14:30:36 +0000 Subject: [PATCH 090/170] Publish Advisories GHSA-8p5c-f328-9fvv GHSA-pg2f-r7pc-6fxx GHSA-j8fq-86c5-5v2r GHSA-5v8v-66v8-mwm7 GHSA-hwqr-f3v9-hwxr GHSA-5c8p-qhch-qhx6 GHSA-547x-748v-vp6p --- .../GHSA-8p5c-f328-9fvv.json | 18 ++++++++- .../GHSA-pg2f-r7pc-6fxx.json | 18 ++++++++- .../GHSA-j8fq-86c5-5v2r.json | 26 +++++++++---- .../GHSA-5v8v-66v8-mwm7.json | 37 ++++++++++++++++++- .../GHSA-hwqr-f3v9-hwxr.json | 29 +++++++++++++-- .../GHSA-5c8p-qhch-qhx6.json | 6 ++- .../GHSA-547x-748v-vp6p.json | 6 ++- 7 files changed, 123 insertions(+), 17 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-8p5c-f328-9fvv/GHSA-8p5c-f328-9fvv.json b/advisories/github-reviewed/2018/07/GHSA-8p5c-f328-9fvv/GHSA-8p5c-f328-9fvv.json index fc9c78a47f6..bbdf19c67d6 100644 --- a/advisories/github-reviewed/2018/07/GHSA-8p5c-f328-9fvv/GHSA-8p5c-f328-9fvv.json +++ b/advisories/github-reviewed/2018/07/GHSA-8p5c-f328-9fvv/GHSA-8p5c-f328-9fvv.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8p5c-f328-9fvv", - "modified": "2022-04-26T18:15:07Z", + "modified": "2024-09-16T13:49:58Z", "published": "2018-07-13T16:01:21Z", "aliases": [ "CVE-2017-0359" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -55,14 +59,26 @@ "type": "WEB", "url": "https://github.com/anthraxx/diffoscope/commit/f379d1f611dbd5d361e12b732e07c8aee45ff226" }, + { + "type": "WEB", + "url": "https://bugs.debian.org/854723" + }, { "type": "WEB", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854723" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8p5c-f328-9fvv" + }, { "type": "PACKAGE", "url": "https://github.com/anthraxx/diffoscope" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/diffoscope/PYSEC-2018-83.yaml" + }, { "type": "WEB", "url": "https://security-tracker.debian.org/tracker/CVE-2017-0359" diff --git a/advisories/github-reviewed/2019/09/GHSA-pg2f-r7pc-6fxx/GHSA-pg2f-r7pc-6fxx.json b/advisories/github-reviewed/2019/09/GHSA-pg2f-r7pc-6fxx/GHSA-pg2f-r7pc-6fxx.json index a53eacf8472..42bc7c23414 100644 --- a/advisories/github-reviewed/2019/09/GHSA-pg2f-r7pc-6fxx/GHSA-pg2f-r7pc-6fxx.json +++ b/advisories/github-reviewed/2019/09/GHSA-pg2f-r7pc-6fxx/GHSA-pg2f-r7pc-6fxx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pg2f-r7pc-6fxx", - "modified": "2021-08-17T22:19:46Z", + "modified": "2024-09-16T13:44:56Z", "published": "2019-09-11T22:57:57Z", "aliases": [ "CVE-2019-11457" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ 
@@ -40,6 +44,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11457" }, + { + "type": "PACKAGE", + "url": "https://github.com/MicroPyramid/Django-CRM" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-pg2f-r7pc-6fxx" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-crm/PYSEC-2019-174.yaml" + }, { "type": "WEB", "url": "https://www.netsparker.com/blog/web-security" diff --git a/advisories/github-reviewed/2021/10/GHSA-j8fq-86c5-5v2r/GHSA-j8fq-86c5-5v2r.json b/advisories/github-reviewed/2021/10/GHSA-j8fq-86c5-5v2r/GHSA-j8fq-86c5-5v2r.json index ae759eb0ee4..b4302a8b569 100644 --- a/advisories/github-reviewed/2021/10/GHSA-j8fq-86c5-5v2r/GHSA-j8fq-86c5-5v2r.json +++ b/advisories/github-reviewed/2021/10/GHSA-j8fq-86c5-5v2r/GHSA-j8fq-86c5-5v2r.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j8fq-86c5-5v2r", - "modified": "2022-03-21T19:58:43Z", + "modified": "2024-09-16T13:56:48Z", "published": "2021-10-27T18:53:48Z", "aliases": [ "CVE-2021-42343" @@ -12,19 +12,17 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "distributed" - }, - "ecosystem_specific": { - "affected_functions": [ - "dask.distributed.LocalCluster", - "dask.distributed.Client" - ] + "name": "dask" }, "ranges": [ { @@ -62,9 +60,21 @@ "type": "WEB", "url": "https://docs.dask.org/en/latest/changelog.html" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-j8fq-86c5-5v2r" + }, + { + "type": "WEB", + "url": "https://github.com/dask/dask/tags" + }, { "type": "PACKAGE", "url": "https://github.com/dask/distributed" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/dask/PYSEC-2021-387.yaml" } ], "database_specific": { 
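Review bot: In GHSA-j8fq-86c5-5v2r the affected package changes from `"name": "distributed"` to `"name": "dask"` and the `affected_functions` entries `dask.distributed.LocalCluster` and `dask.distributed.Client` are dropped, while the `PACKAGE` reference kept as context still points at `https://github.com/dask/distributed`. The functions move to GHSA-hwqr-f3v9-hwxr further down this patch, whose `aliases` array appears to stay empty even though its `details` cite CVE-2021-42343. The CVE alias therefore resolves only to the `dask` package, and a scanner that matches PyPI `distributed` by CVE would depend entirely on the record without an alias. The version range for `dask` lies outside the hunk, so whether it lines up with the `2021.10.0` fix cannot be checked here.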
diff --git a/advisories/github-reviewed/2022/05/GHSA-5v8v-66v8-mwm7/GHSA-5v8v-66v8-mwm7.json b/advisories/github-reviewed/2022/05/GHSA-5v8v-66v8-mwm7/GHSA-5v8v-66v8-mwm7.json index 33067b6ffa1..5a190a23f39 100644 --- a/advisories/github-reviewed/2022/05/GHSA-5v8v-66v8-mwm7/GHSA-5v8v-66v8-mwm7.json +++ b/advisories/github-reviewed/2022/05/GHSA-5v8v-66v8-mwm7/GHSA-5v8v-66v8-mwm7.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5v8v-66v8-mwm7", - "modified": "2022-06-16T23:47:42Z", + "modified": "2024-09-16T13:48:46Z", "published": "2022-05-24T17:28:21Z", "aliases": [ "CVE-2020-8927" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" } ], "affected": [ @@ -2826,6 +2830,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "brotli" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.8" + } + ] + } + ] } ], "references": [ @@ -2841,6 +2864,10 @@ "type": "WEB", "url": "https://github.com/github/advisory-database/issues/785" }, + { + "type": "WEB", + "url": "https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6" + }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4801" @@ -2897,10 +2924,18 @@ "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00003.html" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/brotli/PYSEC-2020-29.yaml" + }, { "type": "WEB", "url": "https://github.com/google/brotli/releases/tag/v1.0.9" }, + { + "type": "WEB", + "url": "https://github.com/google/brotli/releases/tag/v1.0.8" + }, { "type": "PACKAGE", "url": "https://github.com/bitemyapp/brotli2-rs" 
diff --git a/advisories/github-reviewed/2022/07/GHSA-hwqr-f3v9-hwxr/GHSA-hwqr-f3v9-hwxr.json b/advisories/github-reviewed/2022/07/GHSA-hwqr-f3v9-hwxr/GHSA-hwqr-f3v9-hwxr.json index 032af7d4484..929b4ba2ee5 100644 --- a/advisories/github-reviewed/2022/07/GHSA-hwqr-f3v9-hwxr/GHSA-hwqr-f3v9-hwxr.json +++ b/advisories/github-reviewed/2022/07/GHSA-hwqr-f3v9-hwxr/GHSA-hwqr-f3v9-hwxr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hwqr-f3v9-hwxr", - "modified": "2022-07-15T21:56:08Z", + "modified": "2024-09-16T13:56:39Z", "published": "2022-07-15T21:56:08Z", "aliases": [ @@ -9,7 +9,14 @@ "summary": "Workers for local Dask clusters mistakenly listened on public interfaces", "details": "Versions of `distributed` earlier than `2021.10.0` had a potential security vulnerability relating to single-machine Dask clusters.\n\nClusters started with `dask.distributed.LocalCluster` or `dask.distributed.Client()` (which defaults to using `LocalCluster`) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on `localhost`. A Dask cluster created using this method AND running on a machine that has these ports exposed could be used by a sophisticated attacker to enable remote code execution. Users running on machines with standard firewalls in place, or using clusters created via cluster objects other than `LocalCluster` (e.g. `dask_kubernetes.KubeCluster`) should not be affected. This vulnerability is documented in CVE-2021-42343, and was fixed in version `2021.10.0` (PR #5427).", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" + } ], "affected": [ { 
@@ -17,6 +24,12 @@ "ecosystem": "PyPI", "name": "distributed" }, + "ecosystem_specific": { + "affected_functions": [ + "dask.distributed.LocalCluster", + "dask.distributed.Client" + ] + }, "ranges": [ { "type": "ECOSYSTEM", @@ -37,6 +50,14 @@ "type": "WEB", "url": "https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr" }, + { + "type": "WEB", + "url": "https://github.com/dask/distributed/pull/5427" + }, + { + "type": "WEB", + "url": "https://github.com/dask/distributed/commit/afce4be8e05fb180e50a9d9e38465f1a82295e1b" + }, { "type": "WEB", "url": "https://docs.dask.org/en/latest/changelog.html" @@ -64,9 +85,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-668" ], - "severity": "MODERATE", + "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-07-15T21:56:08Z", "nvd_published_at": null diff --git a/advisories/github-reviewed/2022/08/GHSA-5c8p-qhch-qhx6/GHSA-5c8p-qhch-qhx6.json b/advisories/github-reviewed/2022/08/GHSA-5c8p-qhch-qhx6/GHSA-5c8p-qhch-qhx6.json index 6cad70f7525..9a4281d5684 100644 --- a/advisories/github-reviewed/2022/08/GHSA-5c8p-qhch-qhx6/GHSA-5c8p-qhch-qhx6.json +++ b/advisories/github-reviewed/2022/08/GHSA-5c8p-qhch-qhx6/GHSA-5c8p-qhch-qhx6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5c8p-qhch-qhx6", - "modified": "2022-09-01T22:19:29Z", + "modified": "2024-09-16T13:50:34Z", "published": "2022-08-27T00:00:44Z", "aliases": [ "CVE-2021-3427" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ diff --git a/advisories/github-reviewed/2024/02/GHSA-547x-748v-vp6p/GHSA-547x-748v-vp6p.json b/advisories/github-reviewed/2024/02/GHSA-547x-748v-vp6p/GHSA-547x-748v-vp6p.json index 8f7a6b81641..1d0607b9c34 100644 --- a/advisories/github-reviewed/2024/02/GHSA-547x-748v-vp6p/GHSA-547x-748v-vp6p.json 
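Review bot: Both entries added under `affected_functions` in the `@@ -17,6 +24,12 @@` hunk are qualified through `dask.distributed`, but the `package` block names the PyPI project `distributed`; `dask.distributed` is a re-export module that ships with `dask`. Reachability tooling that resolves these strings against symbols of the named package may therefore never match, though that depends on the consumer. Listing the package's own paths as well, `"distributed.LocalCluster"` and `"distributed.Client"`, would cover both import styles.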
+++ b/advisories/github-reviewed/2024/02/GHSA-547x-748v-vp6p/GHSA-547x-748v-vp6p.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-547x-748v-vp6p", - "modified": "2024-03-06T16:21:30Z", + "modified": "2024-09-16T13:44:03Z", "published": "2024-02-02T06:30:31Z", "aliases": [ "CVE-2024-21485" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" } ], "affected": [ From 2923f1409a626011880c1858dd638311cb3b2255 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 14:41:30 +0000 Subject: [PATCH 091/170] Publish GHSA-2gjh-m4gq-rxrh --- .../09/GHSA-2gjh-m4gq-rxrh/GHSA-2gjh-m4gq-rxrh.json | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/advisories/unreviewed/2024/09/GHSA-2gjh-m4gq-rxrh/GHSA-2gjh-m4gq-rxrh.json b/advisories/unreviewed/2024/09/GHSA-2gjh-m4gq-rxrh/GHSA-2gjh-m4gq-rxrh.json index ebe8a66b089..66cdc3d3f9b 100644 --- a/advisories/unreviewed/2024/09/GHSA-2gjh-m4gq-rxrh/GHSA-2gjh-m4gq-rxrh.json +++ b/advisories/unreviewed/2024/09/GHSA-2gjh-m4gq-rxrh/GHSA-2gjh-m4gq-rxrh.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-2gjh-m4gq-rxrh", - "modified": "2024-09-04T21:30:32Z", + "modified": "2024-09-16T14:37:25Z", "published": "2024-09-04T21:30:32Z", "aliases": [ "CVE-2024-44996" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: fix recursive ->recvmsg calls\n\nAfter a vsock socket has been added to a BPF sockmap, its prot->recvmsg\nhas been replaced with vsock_bpf_recvmsg(). Thus the following\nrecursiion could happen:\n\nvsock_bpf_recvmsg()\n -> __vsock_recvmsg()\n -> vsock_connectible_recvmsg()\n -> prot->recvmsg()\n -> vsock_bpf_recvmsg() again\n\nWe need to fix it by calling the original ->recvmsg() without any BPF\nsockmap logic in __vsock_recvmsg().", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-674" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-04T20:15:08Z" From ec024fb1c352dee26bd97326a953e7f73eb2e334 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 14:44:50 +0000 Subject: [PATCH 092/170] Advisory Database Sync --- .../GHSA-2pqc-gv8q-pvqv.json | 16 ++++- .../GHSA-2m35-m4g6-x835.json | 2 +- .../GHSA-86p4-vhr6-2vv3.json | 2 +- .../GHSA-cfhp-p6xr-24g5.json | 2 +- .../GHSA-pcv9-72q8-27vc.json | 2 +- .../GHSA-wm25-c777-f2h3.json | 7 ++- .../GHSA-wp8h-m67c-cxpw.json | 2 +- .../GHSA-5f52-v49r-796w.json | 2 +- .../GHSA-hmf7-f8gf-8f4p.json | 2 +- .../GHSA-qx6j-g797-jg9r.json | 2 +- .../GHSA-3f9w-7983-qcmq.json | 2 +- .../GHSA-488m-w9fp-5mm2.json | 2 +- .../GHSA-5gp7-j4r7-g66f.json | 2 +- .../GHSA-9625-p7pg-3cxg.json | 2 +- .../GHSA-fhr7-8jx4-r9cp.json | 2 +- .../GHSA-r4w2-hjmr-36m7.json | 2 +- .../GHSA-qmff-49xc-7rf6.json | 2 +- .../GHSA-pcqx-8h4p-6r69.json | 3 +- .../GHSA-4433-jwm9-48r5.json | 3 +- .../GHSA-xp6h-p4cj-42w8.json | 3 +- .../GHSA-2774-v47p-f5v6.json | 13 ++++- .../GHSA-c8f7-vvrw-73c7.json | 3 +- .../GHSA-f935-6jhc-wv29.json | 1 + .../GHSA-gxqj-2fg2-r9jh.json | 6 +- .../GHSA-hfr5-33pv-p28w.json | 13 ++++- .../GHSA-mg3w-329f-wm8c.json | 13 ++++- .../GHSA-r24r-m7ff-ghq2.json | 1 + .../GHSA-ffrr-6f6g-mc3r.json | 11 ++-- .../GHSA-hcp4-6c7v-w8f2.json | 11 ++-- .../GHSA-hq79-5p4q-xv2w.json | 11 ++-- .../GHSA-vc72-g5gr-jp4w.json | 11 ++-- .../GHSA-vmr8-6pr2-r534.json | 9 ++- .../GHSA-c3hg-qcg2-fhv2.json | 11 ++-- .../GHSA-263w-f6fg-v2x5.json | 11 ++-- .../GHSA-32p2-3fx9-4m6x.json | 38 ++++++++++++ .../GHSA-36p3-3fj3-g9p5.json | 42 ++++++++++++++ .../GHSA-3f92-cwf9-rgvq.json | 42 ++++++++++++++ .../GHSA-3xq2-w6j4-c99r.json | 35 +++++++++++ .../GHSA-46hr-3cq3-mcgp.json | 43 ++++++++++++++ .../GHSA-499r-h8wp-rfvm.json | 9 ++- .../GHSA-4jmq-3rrv-cmcc.json | 38 ++++++++++++ .../GHSA-4xg2-5xf7-v37m.json | 38 ++++++++++++ .../GHSA-5785-6rg8-vqjc.json | 1 + .../GHSA-58rh-53vh-8w68.json | 6 +- .../GHSA-5fx5-p3qx-6q26.json | 35 +++++++++++ .../GHSA-66r2-xm28-74w9.json | 54 +++++++++++++++++ 
.../GHSA-678c-c78x-9mgf.json | 38 ++++++++++++ .../GHSA-6hmq-m3mm-wvrh.json | 46 +++++++++++++++ .../GHSA-754w-8w8c-rvmg.json | 42 ++++++++++++++ .../GHSA-78c9-5p24-9jcg.json | 6 +- .../GHSA-7gm4-4495-5666.json | 42 ++++++++++++++ .../GHSA-7mqh-9jjg-r8c8.json | 35 +++++++++++ .../GHSA-7v6r-jgcw-v2j9.json | 39 +++++++++++++ .../GHSA-83f6-495c-ff9q.json | 46 +++++++++++++++ .../GHSA-8v8r-m9m9-p8q3.json | 38 ++++++++++++ .../GHSA-8x4p-8r4m-q8jg.json | 38 ++++++++++++ .../GHSA-9h42-jv2f-gc8x.json | 54 +++++++++++++++++ .../GHSA-9q57-6634-5vrw.json | 46 +++++++++++++++ .../GHSA-9wfx-jpxp-q2rh.json | 38 ++++++++++++ .../GHSA-c476-5cw2-72fp.json | 46 +++++++++++++++ .../GHSA-c8rc-rqhp-jx57.json | 54 +++++++++++++++++ .../GHSA-c8w2-qg5p-pfw5.json | 38 ++++++++++++ .../GHSA-chwm-h2rg-vxxf.json | 42 ++++++++++++++ .../GHSA-cqpv-2227-9mjj.json | 46 +++++++++++++++ .../GHSA-crwj-f9hc-c6g4.json | 6 +- .../GHSA-cvq3-wg24-45v2.json | 38 ++++++++++++ .../GHSA-cwqr-9j7q-r9xh.json | 39 +++++++++++++ .../GHSA-f4cg-5v3q-jpw3.json | 38 ++++++++++++ .../GHSA-f5ww-mg69-335r.json | 38 ++++++++++++ .../GHSA-fg5m-m723-7mv6.json | 54 +++++++++++++++++ .../GHSA-fp3g-r7j4-vr8g.json | 11 ++-- .../GHSA-fq8w-cfr6-8fqg.json | 38 ++++++++++++ .../GHSA-g5x5-v9cp-7w65.json | 42 ++++++++++++++ .../GHSA-g766-f3jj-h73r.json | 42 ++++++++++++++ .../GHSA-gcwq-2mx4-wmcp.json | 51 ++++++++++++++++ .../GHSA-gp73-hc78-3ch8.json | 38 ++++++++++++ .../GHSA-grj2-x9v7-7qqx.json | 11 ++-- .../GHSA-gvcc-mwhq-ccvw.json | 42 ++++++++++++++ .../GHSA-gx7g-q2xr-xm5f.json | 46 +++++++++++++++ .../GHSA-h478-hrvj-hrjq.json | 50 ++++++++++++++++ .../GHSA-h73x-4wxr-7f79.json | 54 +++++++++++++++++ .../GHSA-h9rg-jfq5-wf8g.json | 42 ++++++++++++++ .../GHSA-hh55-xqjj-vxv4.json | 35 +++++++++++ .../GHSA-hv38-h5pj-c96j.json | 43 ++++++++++++++ .../GHSA-j7q4-4r7g-3jf4.json | 42 ++++++++++++++ .../GHSA-jf5x-p6mg-vvp7.json | 35 +++++++++++ .../GHSA-jfw4-5phw-5pw7.json | 38 ++++++++++++ .../GHSA-jpxc-vmjf-9fcj.json | 42 
++++++++++++++ .../GHSA-m62g-7v8j-3fwc.json | 39 +++++++++++++ .../GHSA-mfr5-p5vc-mx4q.json | 58 +++++++++++++++++++ .../GHSA-mrmh-3hqh-pfw7.json | 54 +++++++++++++++++ .../GHSA-ph9f-2c4w-rghv.json | 2 +- .../GHSA-pmhg-f7wc-c97m.json | 54 +++++++++++++++++ .../GHSA-q2wf-44h2-28xg.json | 38 ++++++++++++ .../GHSA-q6v4-gcc8-vrgw.json | 54 +++++++++++++++++ .../GHSA-qcv9-p6c5-w5pr.json | 54 +++++++++++++++++ .../GHSA-rhpc-qcxc-cfwf.json | 46 +++++++++++++++ .../GHSA-rpwv-q4ch-7pvm.json | 42 ++++++++++++++ .../GHSA-rwqg-xwvm-5mmj.json | 38 ++++++++++++ .../GHSA-vhp8-r33q-gvq2.json | 38 ++++++++++++ .../GHSA-wj4j-qc2m-fgh7.json | 38 ++++++++++++ .../GHSA-wxf3-97x6-x82w.json | 42 ++++++++++++++ .../GHSA-xj9g-c23g-r4pj.json | 42 ++++++++++++++ 103 files changed, 2782 insertions(+), 74 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-32p2-3fx9-4m6x/GHSA-32p2-3fx9-4m6x.json create mode 100644 advisories/unreviewed/2024/09/GHSA-36p3-3fj3-g9p5/GHSA-36p3-3fj3-g9p5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-3f92-cwf9-rgvq/GHSA-3f92-cwf9-rgvq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json create mode 100644 advisories/unreviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json create mode 100644 advisories/unreviewed/2024/09/GHSA-4jmq-3rrv-cmcc/GHSA-4jmq-3rrv-cmcc.json create mode 100644 advisories/unreviewed/2024/09/GHSA-4xg2-5xf7-v37m/GHSA-4xg2-5xf7-v37m.json create mode 100644 advisories/unreviewed/2024/09/GHSA-5fx5-p3qx-6q26/GHSA-5fx5-p3qx-6q26.json create mode 100644 advisories/unreviewed/2024/09/GHSA-66r2-xm28-74w9/GHSA-66r2-xm28-74w9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-678c-c78x-9mgf/GHSA-678c-c78x-9mgf.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6hmq-m3mm-wvrh/GHSA-6hmq-m3mm-wvrh.json create mode 100644 advisories/unreviewed/2024/09/GHSA-754w-8w8c-rvmg/GHSA-754w-8w8c-rvmg.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-7gm4-4495-5666/GHSA-7gm4-4495-5666.json create mode 100644 advisories/unreviewed/2024/09/GHSA-7mqh-9jjg-r8c8/GHSA-7mqh-9jjg-r8c8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-7v6r-jgcw-v2j9/GHSA-7v6r-jgcw-v2j9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-83f6-495c-ff9q/GHSA-83f6-495c-ff9q.json create mode 100644 advisories/unreviewed/2024/09/GHSA-8v8r-m9m9-p8q3/GHSA-8v8r-m9m9-p8q3.json create mode 100644 advisories/unreviewed/2024/09/GHSA-8x4p-8r4m-q8jg/GHSA-8x4p-8r4m-q8jg.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9h42-jv2f-gc8x/GHSA-9h42-jv2f-gc8x.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9q57-6634-5vrw/GHSA-9q57-6634-5vrw.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9wfx-jpxp-q2rh/GHSA-9wfx-jpxp-q2rh.json create mode 100644 advisories/unreviewed/2024/09/GHSA-c476-5cw2-72fp/GHSA-c476-5cw2-72fp.json create mode 100644 advisories/unreviewed/2024/09/GHSA-c8rc-rqhp-jx57/GHSA-c8rc-rqhp-jx57.json create mode 100644 advisories/unreviewed/2024/09/GHSA-c8w2-qg5p-pfw5/GHSA-c8w2-qg5p-pfw5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-chwm-h2rg-vxxf/GHSA-chwm-h2rg-vxxf.json create mode 100644 advisories/unreviewed/2024/09/GHSA-cqpv-2227-9mjj/GHSA-cqpv-2227-9mjj.json create mode 100644 advisories/unreviewed/2024/09/GHSA-cvq3-wg24-45v2/GHSA-cvq3-wg24-45v2.json create mode 100644 advisories/unreviewed/2024/09/GHSA-cwqr-9j7q-r9xh/GHSA-cwqr-9j7q-r9xh.json create mode 100644 advisories/unreviewed/2024/09/GHSA-f4cg-5v3q-jpw3/GHSA-f4cg-5v3q-jpw3.json create mode 100644 advisories/unreviewed/2024/09/GHSA-f5ww-mg69-335r/GHSA-f5ww-mg69-335r.json create mode 100644 advisories/unreviewed/2024/09/GHSA-fg5m-m723-7mv6/GHSA-fg5m-m723-7mv6.json create mode 100644 advisories/unreviewed/2024/09/GHSA-fq8w-cfr6-8fqg/GHSA-fq8w-cfr6-8fqg.json create mode 100644 advisories/unreviewed/2024/09/GHSA-g5x5-v9cp-7w65/GHSA-g5x5-v9cp-7w65.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-g766-f3jj-h73r/GHSA-g766-f3jj-h73r.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gcwq-2mx4-wmcp/GHSA-gcwq-2mx4-wmcp.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gp73-hc78-3ch8/GHSA-gp73-hc78-3ch8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gvcc-mwhq-ccvw/GHSA-gvcc-mwhq-ccvw.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gx7g-q2xr-xm5f/GHSA-gx7g-q2xr-xm5f.json create mode 100644 advisories/unreviewed/2024/09/GHSA-h478-hrvj-hrjq/GHSA-h478-hrvj-hrjq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-h73x-4wxr-7f79/GHSA-h73x-4wxr-7f79.json create mode 100644 advisories/unreviewed/2024/09/GHSA-h9rg-jfq5-wf8g/GHSA-h9rg-jfq5-wf8g.json create mode 100644 advisories/unreviewed/2024/09/GHSA-hh55-xqjj-vxv4/GHSA-hh55-xqjj-vxv4.json create mode 100644 advisories/unreviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json create mode 100644 advisories/unreviewed/2024/09/GHSA-j7q4-4r7g-3jf4/GHSA-j7q4-4r7g-3jf4.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jf5x-p6mg-vvp7/GHSA-jf5x-p6mg-vvp7.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jfw4-5phw-5pw7/GHSA-jfw4-5phw-5pw7.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json create mode 100644 advisories/unreviewed/2024/09/GHSA-m62g-7v8j-3fwc/GHSA-m62g-7v8j-3fwc.json create mode 100644 advisories/unreviewed/2024/09/GHSA-mfr5-p5vc-mx4q/GHSA-mfr5-p5vc-mx4q.json create mode 100644 advisories/unreviewed/2024/09/GHSA-mrmh-3hqh-pfw7/GHSA-mrmh-3hqh-pfw7.json create mode 100644 advisories/unreviewed/2024/09/GHSA-pmhg-f7wc-c97m/GHSA-pmhg-f7wc-c97m.json create mode 100644 advisories/unreviewed/2024/09/GHSA-q2wf-44h2-28xg/GHSA-q2wf-44h2-28xg.json create mode 100644 advisories/unreviewed/2024/09/GHSA-q6v4-gcc8-vrgw/GHSA-q6v4-gcc8-vrgw.json create mode 100644 advisories/unreviewed/2024/09/GHSA-qcv9-p6c5-w5pr/GHSA-qcv9-p6c5-w5pr.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-rhpc-qcxc-cfwf/GHSA-rhpc-qcxc-cfwf.json create mode 100644 advisories/unreviewed/2024/09/GHSA-rpwv-q4ch-7pvm/GHSA-rpwv-q4ch-7pvm.json create mode 100644 advisories/unreviewed/2024/09/GHSA-rwqg-xwvm-5mmj/GHSA-rwqg-xwvm-5mmj.json create mode 100644 advisories/unreviewed/2024/09/GHSA-vhp8-r33q-gvq2/GHSA-vhp8-r33q-gvq2.json create mode 100644 advisories/unreviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json create mode 100644 advisories/unreviewed/2024/09/GHSA-wxf3-97x6-x82w/GHSA-wxf3-97x6-x82w.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xj9g-c23g-r4pj/GHSA-xj9g-c23g-r4pj.json diff --git a/advisories/github-reviewed/2022/05/GHSA-2pqc-gv8q-pvqv/GHSA-2pqc-gv8q-pvqv.json b/advisories/github-reviewed/2022/05/GHSA-2pqc-gv8q-pvqv/GHSA-2pqc-gv8q-pvqv.json index 10cc278be1d..2ad1ceb6451 100644 --- a/advisories/github-reviewed/2022/05/GHSA-2pqc-gv8q-pvqv/GHSA-2pqc-gv8q-pvqv.json +++ b/advisories/github-reviewed/2022/05/GHSA-2pqc-gv8q-pvqv/GHSA-2pqc-gv8q-pvqv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2pqc-gv8q-pvqv", - "modified": "2023-08-03T19:53:31Z", + "modified": "2024-09-16T14:42:41Z", "published": "2022-05-17T01:57:52Z", "aliases": [ "CVE-2015-5081" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -44,7 +48,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "3.1.0" + "introduced": "3.1.0b1" }, { "fixed": "3.1.1" 
@@ -59,10 +63,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5081"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/django-cms/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-cms/PYSEC-2017-11.yaml"
+ },
 {
 "type": "WEB",
 "url": "https://www.django-cms.org/en/blog/2015/06/27/311-3014-release"
diff --git a/advisories/unreviewed/2023/07/GHSA-2m35-m4g6-x835/GHSA-2m35-m4g6-x835.json b/advisories/unreviewed/2023/07/GHSA-2m35-m4g6-x835/GHSA-2m35-m4g6-x835.json
index e40d917c070..25ebaab18d9 100644
--- a/advisories/unreviewed/2023/07/GHSA-2m35-m4g6-x835/GHSA-2m35-m4g6-x835.json
+++ b/advisories/unreviewed/2023/07/GHSA-2m35-m4g6-x835/GHSA-2m35-m4g6-x835.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2m35-m4g6-x835",
- "modified": "2024-04-04T06:21:09Z",
+ "modified": "2024-09-16T14:37:20Z",
 "published": "2023-07-25T18:30:32Z",
 "aliases": [
 "CVE-2023-3773"
diff --git a/advisories/unreviewed/2023/07/GHSA-86p4-vhr6-2vv3/GHSA-86p4-vhr6-2vv3.json b/advisories/unreviewed/2023/07/GHSA-86p4-vhr6-2vv3/GHSA-86p4-vhr6-2vv3.json
index 3982c6188c1..0262ea39ae5 100644
--- a/advisories/unreviewed/2023/07/GHSA-86p4-vhr6-2vv3/GHSA-86p4-vhr6-2vv3.json
+++ b/advisories/unreviewed/2023/07/GHSA-86p4-vhr6-2vv3/GHSA-86p4-vhr6-2vv3.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-86p4-vhr6-2vv3",
- "modified": "2023-11-14T21:30:49Z",
+ "modified": "2024-09-16T14:37:20Z",
 "published": "2023-07-20T18:33:43Z",
 "aliases": [
 "CVE-2023-34967"
diff --git a/advisories/unreviewed/2023/07/GHSA-cfhp-p6xr-24g5/GHSA-cfhp-p6xr-24g5.json b/advisories/unreviewed/2023/07/GHSA-cfhp-p6xr-24g5/GHSA-cfhp-p6xr-24g5.json
index 90e0098a556..e073c38f62c 100644
--- a/advisories/unreviewed/2023/07/GHSA-cfhp-p6xr-24g5/GHSA-cfhp-p6xr-24g5.json
+++ b/advisories/unreviewed/2023/07/GHSA-cfhp-p6xr-24g5/GHSA-cfhp-p6xr-24g5.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-cfhp-p6xr-24g5",
- "modified": "2023-11-14T21:30:49Z",
+ "modified": "2024-09-16T14:37:20Z",
 "published": "2023-07-20T18:33:43Z",
 "aliases": [
 "CVE-2023-34968"
diff --git a/advisories/unreviewed/2023/08/GHSA-pcv9-72q8-27vc/GHSA-pcv9-72q8-27vc.json b/advisories/unreviewed/2023/08/GHSA-pcv9-72q8-27vc/GHSA-pcv9-72q8-27vc.json
index 4200fc71e99..e94106b2946 100644
--- a/advisories/unreviewed/2023/08/GHSA-pcv9-72q8-27vc/GHSA-pcv9-72q8-27vc.json
+++ b/advisories/unreviewed/2023/08/GHSA-pcv9-72q8-27vc/GHSA-pcv9-72q8-27vc.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pcv9-72q8-27vc",
- "modified": "2024-08-26T18:33:31Z",
+ "modified": "2024-09-16T14:37:21Z",
 "published": "2023-08-07T15:30:27Z",
 "aliases": [
 "CVE-2023-4147"
diff --git a/advisories/unreviewed/2023/08/GHSA-wm25-c777-f2h3/GHSA-wm25-c777-f2h3.json b/advisories/unreviewed/2023/08/GHSA-wm25-c777-f2h3/GHSA-wm25-c777-f2h3.json
index 8e559bac6cd..dfcebf9a5b4 100644
--- a/advisories/unreviewed/2023/08/GHSA-wm25-c777-f2h3/GHSA-wm25-c777-f2h3.json
+++ b/advisories/unreviewed/2023/08/GHSA-wm25-c777-f2h3/GHSA-wm25-c777-f2h3.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wm25-c777-f2h3",
- "modified": "2023-11-02T03:30:25Z",
+ "modified": "2024-09-16T14:37:21Z",
 "published": "2023-08-09T15:30:15Z",
 "aliases": [
 "CVE-2023-4273"
@@ -21,6 +21,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4273"
 },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2023:6583"
+ },
 {
 "type": "WEB",
 "url": "https://access.redhat.com/security/cve/CVE-2023-4273"
@@ -60,6 +64,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-121",
 "CWE-787"
 ],
 "severity": "MODERATE",
diff --git a/advisories/unreviewed/2023/08/GHSA-wp8h-m67c-cxpw/GHSA-wp8h-m67c-cxpw.json b/advisories/unreviewed/2023/08/GHSA-wp8h-m67c-cxpw/GHSA-wp8h-m67c-cxpw.json
index 8383ea9f17c..312ee5645bf 100644
--- a/advisories/unreviewed/2023/08/GHSA-wp8h-m67c-cxpw/GHSA-wp8h-m67c-cxpw.json
+++ b/advisories/unreviewed/2023/08/GHSA-wp8h-m67c-cxpw/GHSA-wp8h-m67c-cxpw.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wp8h-m67c-cxpw",
- "modified": "2023-11-09T21:30:34Z",
+ "modified": "2024-09-16T14:37:21Z",
 "published": "2023-08-23T12:30:28Z",
 "aliases": [
 "CVE-2023-3899"
diff --git a/advisories/unreviewed/2023/09/GHSA-5f52-v49r-796w/GHSA-5f52-v49r-796w.json b/advisories/unreviewed/2023/09/GHSA-5f52-v49r-796w/GHSA-5f52-v49r-796w.json
index 4ebf05fc01f..839e80ae537 100644
--- a/advisories/unreviewed/2023/09/GHSA-5f52-v49r-796w/GHSA-5f52-v49r-796w.json
+++ b/advisories/unreviewed/2023/09/GHSA-5f52-v49r-796w/GHSA-5f52-v49r-796w.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5f52-v49r-796w",
- "modified": "2023-11-21T18:30:25Z",
+ "modified": "2024-09-16T14:37:21Z",
 "published": "2023-09-18T18:30:28Z",
 "aliases": [
 "CVE-2023-4806"
diff --git a/advisories/unreviewed/2023/09/GHSA-hmf7-f8gf-8f4p/GHSA-hmf7-f8gf-8f4p.json b/advisories/unreviewed/2023/09/GHSA-hmf7-f8gf-8f4p/GHSA-hmf7-f8gf-8f4p.json
index 9d26927fa35..d02c7e598e5 100644
--- a/advisories/unreviewed/2023/09/GHSA-hmf7-f8gf-8f4p/GHSA-hmf7-f8gf-8f4p.json
+++ b/advisories/unreviewed/2023/09/GHSA-hmf7-f8gf-8f4p/GHSA-hmf7-f8gf-8f4p.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hmf7-f8gf-8f4p",
- "modified": "2023-11-16T18:30:23Z",
+ "modified": "2024-09-16T14:37:21Z",
 "published": "2023-09-18T18:30:28Z",
 "aliases": [
 "CVE-2023-4527"
diff --git a/advisories/unreviewed/2023/09/GHSA-qx6j-g797-jg9r/GHSA-qx6j-g797-jg9r.json b/advisories/unreviewed/2023/09/GHSA-qx6j-g797-jg9r/GHSA-qx6j-g797-jg9r.json
index 1b4a4d2845f..575d2966974 100644
--- a/advisories/unreviewed/2023/09/GHSA-qx6j-g797-jg9r/GHSA-qx6j-g797-jg9r.json
+++ b/advisories/unreviewed/2023/09/GHSA-qx6j-g797-jg9r/GHSA-qx6j-g797-jg9r.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qx6j-g797-jg9r",
- "modified": "2023-11-10T18:30:18Z",
+ "modified": "2024-09-16T14:37:21Z",
 "published": "2023-09-13T00:30:18Z",
 "aliases": [
 "CVE-2023-4813"
diff --git a/advisories/unreviewed/2023/12/GHSA-3f9w-7983-qcmq/GHSA-3f9w-7983-qcmq.json b/advisories/unreviewed/2023/12/GHSA-3f9w-7983-qcmq/GHSA-3f9w-7983-qcmq.json
index 5b388b0b4e3..15fa0f3ecfe 100644
--- a/advisories/unreviewed/2023/12/GHSA-3f9w-7983-qcmq/GHSA-3f9w-7983-qcmq.json
+++ b/advisories/unreviewed/2023/12/GHSA-3f9w-7983-qcmq/GHSA-3f9w-7983-qcmq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3f9w-7983-qcmq",
- "modified": "2023-12-10T18:30:18Z",
+ "modified": "2024-09-16T14:37:22Z",
 "published": "2023-12-10T18:30:18Z",
 "aliases": [
 "CVE-2023-5868"
diff --git a/advisories/unreviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json b/advisories/unreviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json
index 4653f227856..d2f4aa2c9f3 100644
--- a/advisories/unreviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json
+++ b/advisories/unreviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-488m-w9fp-5mm2",
- "modified": "2023-12-28T21:30:37Z",
+ "modified": "2024-09-16T14:37:22Z",
 "published": "2023-12-28T21:30:37Z",
 "aliases": [
 "CVE-2023-5236"
diff --git a/advisories/unreviewed/2023/12/GHSA-5gp7-j4r7-g66f/GHSA-5gp7-j4r7-g66f.json b/advisories/unreviewed/2023/12/GHSA-5gp7-j4r7-g66f/GHSA-5gp7-j4r7-g66f.json
index 848136f25e7..0e8ed929637 100644
--- a/advisories/unreviewed/2023/12/GHSA-5gp7-j4r7-g66f/GHSA-5gp7-j4r7-g66f.json
+++ b/advisories/unreviewed/2023/12/GHSA-5gp7-j4r7-g66f/GHSA-5gp7-j4r7-g66f.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5gp7-j4r7-g66f",
- "modified": "2023-12-10T18:30:18Z",
+ "modified": "2024-09-16T14:37:22Z",
 "published": "2023-12-10T18:30:18Z",
 "aliases": [
 "CVE-2023-5870"
diff --git a/advisories/unreviewed/2023/12/GHSA-9625-p7pg-3cxg/GHSA-9625-p7pg-3cxg.json b/advisories/unreviewed/2023/12/GHSA-9625-p7pg-3cxg/GHSA-9625-p7pg-3cxg.json
index 7a5fb48d36f..5fd774ae76f 100644
--- a/advisories/unreviewed/2023/12/GHSA-9625-p7pg-3cxg/GHSA-9625-p7pg-3cxg.json
+++ b/advisories/unreviewed/2023/12/GHSA-9625-p7pg-3cxg/GHSA-9625-p7pg-3cxg.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9625-p7pg-3cxg",
- "modified": "2023-12-10T18:30:18Z",
+ "modified": "2024-09-16T14:37:22Z",
 "published": "2023-12-10T18:30:18Z",
 "aliases": [
 "CVE-2023-5869"
diff --git a/advisories/unreviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json b/advisories/unreviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json
index 876bd8dfeca..80c7bcd7ee8 100644
--- a/advisories/unreviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json
+++ b/advisories/unreviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fhr7-8jx4-r9cp",
- "modified": "2023-12-30T00:30:23Z",
+ "modified": "2024-09-16T14:37:22Z",
 "published": "2023-12-30T00:30:23Z",
 "aliases": [
 "CVE-2023-3628"
diff --git a/advisories/unreviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json b/advisories/unreviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json
index ce76b1f3825..730c90b34f3 100644
--- a/advisories/unreviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json
+++ b/advisories/unreviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r4w2-hjmr-36m7",
- "modified": "2023-12-30T00:30:23Z",
+ "modified": "2024-09-16T14:37:22Z",
 "published": "2023-12-30T00:30:23Z",
 "aliases": [
 "CVE-2023-3629"
diff --git a/advisories/unreviewed/2024/01/GHSA-qmff-49xc-7rf6/GHSA-qmff-49xc-7rf6.json b/advisories/unreviewed/2024/01/GHSA-qmff-49xc-7rf6/GHSA-qmff-49xc-7rf6.json
index a7e8ece3173..56f8e966757 100644
--- a/advisories/unreviewed/2024/01/GHSA-qmff-49xc-7rf6/GHSA-qmff-49xc-7rf6.json
+++ b/advisories/unreviewed/2024/01/GHSA-qmff-49xc-7rf6/GHSA-qmff-49xc-7rf6.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qmff-49xc-7rf6",
- "modified": "2024-07-08T18:31:15Z",
+ "modified": "2024-09-16T14:37:23Z",
 "published": "2024-01-17T18:31:36Z",
 "aliases": [
 "CVE-2024-0646"
diff --git a/advisories/unreviewed/2024/04/GHSA-pcqx-8h4p-6r69/GHSA-pcqx-8h4p-6r69.json b/advisories/unreviewed/2024/04/GHSA-pcqx-8h4p-6r69/GHSA-pcqx-8h4p-6r69.json
index 4eeec4369ac..2b85f702b7e 100644
--- a/advisories/unreviewed/2024/04/GHSA-pcqx-8h4p-6r69/GHSA-pcqx-8h4p-6r69.json
+++ b/advisories/unreviewed/2024/04/GHSA-pcqx-8h4p-6r69/GHSA-pcqx-8h4p-6r69.json
@@ -28,7 +28,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-200"
+ "CWE-200",
+ "CWE-89"
 ],
 "severity": "CRITICAL",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/05/GHSA-4433-jwm9-48r5/GHSA-4433-jwm9-48r5.json b/advisories/unreviewed/2024/05/GHSA-4433-jwm9-48r5/GHSA-4433-jwm9-48r5.json
index 97ed2412c54..0b0db617e05 100644
--- a/advisories/unreviewed/2024/05/GHSA-4433-jwm9-48r5/GHSA-4433-jwm9-48r5.json
+++ b/advisories/unreviewed/2024/05/GHSA-4433-jwm9-48r5/GHSA-4433-jwm9-48r5.json
@@ -40,7 +40,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-22"
+ "CWE-22",
+ "CWE-843"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2024/05/GHSA-xp6h-p4cj-42w8/GHSA-xp6h-p4cj-42w8.json b/advisories/unreviewed/2024/05/GHSA-xp6h-p4cj-42w8/GHSA-xp6h-p4cj-42w8.json
index 84d57730062..c2bff0616ed 100644
--- a/advisories/unreviewed/2024/05/GHSA-xp6h-p4cj-42w8/GHSA-xp6h-p4cj-42w8.json
+++ b/advisories/unreviewed/2024/05/GHSA-xp6h-p4cj-42w8/GHSA-xp6h-p4cj-42w8.json
@@ -32,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-79" + "CWE-79", + "CWE-90" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/06/GHSA-2774-v47p-f5v6/GHSA-2774-v47p-f5v6.json b/advisories/unreviewed/2024/06/GHSA-2774-v47p-f5v6/GHSA-2774-v47p-f5v6.json index 2d5069c62ac..c4d82251423 100644 --- a/advisories/unreviewed/2024/06/GHSA-2774-v47p-f5v6/GHSA-2774-v47p-f5v6.json +++ b/advisories/unreviewed/2024/06/GHSA-2774-v47p-f5v6/GHSA-2774-v47p-f5v6.json @@ -1,14 +1,21 @@ { "schema_version": "1.4.0", "id": "GHSA-2774-v47p-f5v6", - "modified": "2024-06-25T18:31:21Z", + "modified": "2024-09-16T14:37:24Z", "published": "2024-06-25T18:31:21Z", "aliases": [ "CVE-2024-5988" ], "details": "Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the Rockwell Automation ThinManager® ThinServer™.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } ], "affected": [ @@ -27,7 +34,7 @@ "cwe_ids": [ "CWE-20" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-06-25T16:15:24Z" diff --git a/advisories/unreviewed/2024/06/GHSA-c8f7-vvrw-73c7/GHSA-c8f7-vvrw-73c7.json b/advisories/unreviewed/2024/06/GHSA-c8f7-vvrw-73c7/GHSA-c8f7-vvrw-73c7.json index bfd7d09b22b..254d8e77483 100644 --- a/advisories/unreviewed/2024/06/GHSA-c8f7-vvrw-73c7/GHSA-c8f7-vvrw-73c7.json +++ b/advisories/unreviewed/2024/06/GHSA-c8f7-vvrw-73c7/GHSA-c8f7-vvrw-73c7.json 
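Review bot: The `CVSS_V4` score added in the `@@ -1,14 +1,21 @@` hunk of GHSA-2774-v47p-f5v6 spells out every optional metric as Not Defined (`/E:X/CR:X/.../U:X`), unlike the base-only 4.0 vectors added to the other advisories in this series. The `X` values carry no information, and they make vectors harder to compare or deduplicate as strings. I would store the base vector only: `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"`. The same applies to the 4.0 scores added for GHSA-gxqj-2fg2-r9jh, GHSA-hfr5-33pv-p28w and GHSA-mg3w-329f-wm8c.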
@@ -32,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-200" + "CWE-200", + "CWE-22" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/06/GHSA-f935-6jhc-wv29/GHSA-f935-6jhc-wv29.json b/advisories/unreviewed/2024/06/GHSA-f935-6jhc-wv29/GHSA-f935-6jhc-wv29.json index 5cc6365417d..fb189532921 100644 --- a/advisories/unreviewed/2024/06/GHSA-f935-6jhc-wv29/GHSA-f935-6jhc-wv29.json +++ b/advisories/unreviewed/2024/06/GHSA-f935-6jhc-wv29/GHSA-f935-6jhc-wv29.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-352", "CWE-79" ], "severity": "HIGH", diff --git a/advisories/unreviewed/2024/06/GHSA-gxqj-2fg2-r9jh/GHSA-gxqj-2fg2-r9jh.json b/advisories/unreviewed/2024/06/GHSA-gxqj-2fg2-r9jh/GHSA-gxqj-2fg2-r9jh.json index 723c74c941c..3cfbd84fe3b 100644 --- a/advisories/unreviewed/2024/06/GHSA-gxqj-2fg2-r9jh/GHSA-gxqj-2fg2-r9jh.json +++ b/advisories/unreviewed/2024/06/GHSA-gxqj-2fg2-r9jh/GHSA-gxqj-2fg2-r9jh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-gxqj-2fg2-r9jh", - "modified": "2024-06-18T00:31:28Z", + "modified": "2024-09-16T14:37:24Z", "published": "2024-06-18T00:31:28Z", "aliases": [ "CVE-2024-6083" @@ -11,6 +11,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" } ], "affected": [ diff --git a/advisories/unreviewed/2024/06/GHSA-hfr5-33pv-p28w/GHSA-hfr5-33pv-p28w.json b/advisories/unreviewed/2024/06/GHSA-hfr5-33pv-p28w/GHSA-hfr5-33pv-p28w.json index 543fefa77d9..49cc6e01b16 100644 --- a/advisories/unreviewed/2024/06/GHSA-hfr5-33pv-p28w/GHSA-hfr5-33pv-p28w.json +++ b/advisories/unreviewed/2024/06/GHSA-hfr5-33pv-p28w/GHSA-hfr5-33pv-p28w.json 
@@ -1,14 +1,21 @@ { "schema_version": "1.4.0", "id": "GHSA-hfr5-33pv-p28w", - "modified": "2024-06-25T18:31:22Z", + "modified": "2024-09-16T14:37:24Z", "published": "2024-06-25T18:31:22Z", "aliases": [ "CVE-2024-5990" ], "details": "Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within Rockwell Automation ThinServer™ and cause a denial-of-service condition on the affected device.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } ], "affected": [ @@ -27,7 +34,7 @@ "cwe_ids": [ "CWE-20" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-06-25T16:15:25Z" diff --git a/advisories/unreviewed/2024/06/GHSA-mg3w-329f-wm8c/GHSA-mg3w-329f-wm8c.json b/advisories/unreviewed/2024/06/GHSA-mg3w-329f-wm8c/GHSA-mg3w-329f-wm8c.json index 95c4e21e124..3b737cc2461 100644 --- a/advisories/unreviewed/2024/06/GHSA-mg3w-329f-wm8c/GHSA-mg3w-329f-wm8c.json +++ b/advisories/unreviewed/2024/06/GHSA-mg3w-329f-wm8c/GHSA-mg3w-329f-wm8c.json 
@@ -1,14 +1,21 @@ { "schema_version": "1.4.0", "id": "GHSA-mg3w-329f-wm8c", - "modified": "2024-06-25T18:31:21Z", + "modified": "2024-09-16T14:37:24Z", "published": "2024-06-25T18:31:21Z", "aliases": [ "CVE-2024-5989" ], "details": "Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the Rockwell Automation ThinManager® ThinServer™.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } ], "affected": [ @@ -27,7 +34,7 @@ "cwe_ids": [ "CWE-20" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-06-25T16:15:25Z" diff --git a/advisories/unreviewed/2024/06/GHSA-r24r-m7ff-ghq2/GHSA-r24r-m7ff-ghq2.json b/advisories/unreviewed/2024/06/GHSA-r24r-m7ff-ghq2/GHSA-r24r-m7ff-ghq2.json index be193cf5359..46a7a2246fe 100644 --- a/advisories/unreviewed/2024/06/GHSA-r24r-m7ff-ghq2/GHSA-r24r-m7ff-ghq2.json +++ b/advisories/unreviewed/2024/06/GHSA-r24r-m7ff-ghq2/GHSA-r24r-m7ff-ghq2.json @@ -32,6 +32,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-200", "CWE-22", "CWE-400" ], diff --git a/advisories/unreviewed/2024/07/GHSA-ffrr-6f6g-mc3r/GHSA-ffrr-6f6g-mc3r.json b/advisories/unreviewed/2024/07/GHSA-ffrr-6f6g-mc3r/GHSA-ffrr-6f6g-mc3r.json index cfa17d53526..cfec3cffef3 100644 --- a/advisories/unreviewed/2024/07/GHSA-ffrr-6f6g-mc3r/GHSA-ffrr-6f6g-mc3r.json +++ b/advisories/unreviewed/2024/07/GHSA-ffrr-6f6g-mc3r/GHSA-ffrr-6f6g-mc3r.json 
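Review bot: In GHSA-mg3w-329f-wm8c the second hunk raises `database_specific.severity` to `CRITICAL` but leaves `cwe_ids` at `"CWE-20"` only, although `details` names SQL injection leading to remote code execution. Adding `"CWE-89"` next to `"CWE-20"` would let weakness-based filters and dashboards find this record; confirm against the upstream CVE record first. GHSA-499r-h8wp-rfvm later in this patch has the same gap: its `cwe_ids` stays empty while `details` describes improper authorization in a handler for a custom URL scheme, which matches `"CWE-939"`.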
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-ffrr-6f6g-mc3r", - "modified": "2024-07-30T09:32:02Z", + "modified": "2024-09-16T14:37:24Z", "published": "2024-07-30T09:32:02Z", "aliases": [ "CVE-2024-42144" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data\n\nVerify that lvts_data is not NULL before using it.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-07-30T08:15:06Z" diff --git a/advisories/unreviewed/2024/07/GHSA-hcp4-6c7v-w8f2/GHSA-hcp4-6c7v-w8f2.json b/advisories/unreviewed/2024/07/GHSA-hcp4-6c7v-w8f2/GHSA-hcp4-6c7v-w8f2.json index 13df11c0bd8..38f20ca4749 100644 --- a/advisories/unreviewed/2024/07/GHSA-hcp4-6c7v-w8f2/GHSA-hcp4-6c7v-w8f2.json +++ b/advisories/unreviewed/2024/07/GHSA-hcp4-6c7v-w8f2/GHSA-hcp4-6c7v-w8f2.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hcp4-6c7v-w8f2", - "modified": "2024-07-30T09:32:02Z", + "modified": "2024-09-16T14:37:24Z", "published": "2024-07-30T09:32:02Z", "aliases": [ "CVE-2024-42136" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncdrom: rearrange last_media_change check to avoid unintentional overflow\n\nWhen running syzkaller with the newly reintroduced signed integer wrap\nsanitizer we encounter this splat:\n\n[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33\n[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')\n[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO\n[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1\n[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 366.027518] Call Trace:\n[ 366.027523] \n[ 366.027533] dump_stack_lvl+0x93/0xd0\n[ 366.027899] handle_overflow+0x171/0x1b0\n[ 366.038787] ata1.00: invalid multi_count 32 ignored\n[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10\n[ 366.063932] ? __pm_runtime_resume+0xe6/0x130\n[ 366.071923] sr_block_ioctl+0x15d/0x1d0\n[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10\n[ 366.077642] blkdev_ioctl+0x419/0x500\n[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10\n...\n\nHistorically, the signed integer overflow sanitizer did not work in the\nkernel due to its interaction with `-fwrapv` but this has since been\nchanged [1] in the newest version of Clang. It was re-enabled in the\nkernel with Commit 557f8c582a9ba8ab (\"ubsan: Reintroduce signed overflow\nsanitizer\").\n\nLet's rearrange the check to not perform any arithmetic, thus not\ntripping the sanitizer.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-190" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-07-30T08:15:05Z" diff --git a/advisories/unreviewed/2024/07/GHSA-hq79-5p4q-xv2w/GHSA-hq79-5p4q-xv2w.json b/advisories/unreviewed/2024/07/GHSA-hq79-5p4q-xv2w/GHSA-hq79-5p4q-xv2w.json index bbce6ca8367..e4020a6787e 100644 --- a/advisories/unreviewed/2024/07/GHSA-hq79-5p4q-xv2w/GHSA-hq79-5p4q-xv2w.json +++ b/advisories/unreviewed/2024/07/GHSA-hq79-5p4q-xv2w/GHSA-hq79-5p4q-xv2w.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hq79-5p4q-xv2w", - "modified": "2024-07-30T09:31:52Z", + "modified": "2024-09-16T14:37:24Z", "published": "2024-07-30T09:31:52Z", "aliases": [ "CVE-2024-42122" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL pointer check for kzalloc\n\n[Why & How]\nCheck return pointer of kzalloc before using it.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-07-30T08:15:04Z" diff --git a/advisories/unreviewed/2024/07/GHSA-vc72-g5gr-jp4w/GHSA-vc72-g5gr-jp4w.json b/advisories/unreviewed/2024/07/GHSA-vc72-g5gr-jp4w/GHSA-vc72-g5gr-jp4w.json index 215589b45d1..86ba3aaa076 100644 --- a/advisories/unreviewed/2024/07/GHSA-vc72-g5gr-jp4w/GHSA-vc72-g5gr-jp4w.json +++ b/advisories/unreviewed/2024/07/GHSA-vc72-g5gr-jp4w/GHSA-vc72-g5gr-jp4w.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-vc72-g5gr-jp4w", - "modified": "2024-08-19T06:30:52Z", + "modified": "2024-09-16T14:37:24Z", "published": "2024-07-30T09:32:01Z", "aliases": [ "CVE-2024-42131" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: avoid overflows in dirty throttling logic\n\nThe dirty throttling logic is interspersed with assumptions that dirty\nlimits in PAGE_SIZE units fit into 32-bit (so that various multiplications\nfit into 64-bits). If limits end up being larger, we will hit overflows,\npossible divisions by 0 etc. Fix these problems by never allowing so\nlarge dirty limits as they have dubious practical value anyway. For\ndirty_bytes / dirty_background_bytes interfaces we can just refuse to set\nso large limits. For dirty_ratio / dirty_background_ratio it isn't so\nsimple as the dirty limit is computed from the amount of available memory\nwhich can change due to memory hotplug etc. So when converting dirty\nlimits from ratios to numbers of pages, we just don't allow the result to\nexceed UINT_MAX.\n\nThis is root-only triggerable problem which occurs when the operator\nsets dirty limits to >16 TB.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -53,9 +56,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-190" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-07-30T08:15:05Z" diff --git a/advisories/unreviewed/2024/07/GHSA-vmr8-6pr2-r534/GHSA-vmr8-6pr2-r534.json b/advisories/unreviewed/2024/07/GHSA-vmr8-6pr2-r534/GHSA-vmr8-6pr2-r534.json index 14f593b1833..5cd7e0acab3 100644 --- a/advisories/unreviewed/2024/07/GHSA-vmr8-6pr2-r534/GHSA-vmr8-6pr2-r534.json +++ b/advisories/unreviewed/2024/07/GHSA-vmr8-6pr2-r534/GHSA-vmr8-6pr2-r534.json 
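Review bot: The CVSS_V3 vector added to GHSA-vc72-g5gr-jp4w uses `PR:L`, while the advisory's own `details` text says the problem is root-only triggerable, occurring when the operator sets dirty limits above 16 TB. A vector matching that text would be `"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"`. The `MODERATE` label set in the second hunk would probably stay the same, but the numeric score that consumers compute from the vector would drop. Check the upstream record before relying on this vector for prioritisation.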
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-vmr8-6pr2-r534", - "modified": "2024-07-30T09:32:02Z", + "modified": "2024-09-16T14:37:24Z", "published": "2024-07-30T09:32:02Z", "aliases": [ "CVE-2024-42137" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot\n\nCommit 272970be3dab (\"Bluetooth: hci_qca: Fix driver shutdown on closed\nserdev\") will cause below regression issue:\n\nBT can't be enabled after below steps:\ncold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure\nif property enable-gpios is not configured within DT|ACPI for QCA6390.\n\nThe commit is to fix a use-after-free issue within qca_serdev_shutdown()\nby adding condition to avoid the serdev is flushed or wrote after closed\nbut also introduces this regression issue regarding above steps since the\nVSC is not sent to reset controller during warm reboot.\n\nFixed by sending the VSC to reset controller within qca_serdev_shutdown()\nonce BT was ever enabled, and the use-after-free issue is also fixed by\nthis change since the serdev is still opened before it is flushed or wrote.\n\nVerified by the reported machine Dell XPS 13 9310 laptop over below two\nkernel commits:\ncommit e00fc2700a3f (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of bluetooth-next tree.\ncommit b23d98d46d28 (\"Bluetooth: btusb: Fix triggering coredump\nimplementation for QCA\") of linus mainline tree.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -47,7 +50,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-07-30T08:15:05Z" 
diff --git a/advisories/unreviewed/2024/08/GHSA-c3hg-qcg2-fhv2/GHSA-c3hg-qcg2-fhv2.json b/advisories/unreviewed/2024/08/GHSA-c3hg-qcg2-fhv2/GHSA-c3hg-qcg2-fhv2.json index 32c15fc4bb8..1a599d7f27f 100644 --- a/advisories/unreviewed/2024/08/GHSA-c3hg-qcg2-fhv2/GHSA-c3hg-qcg2-fhv2.json +++ b/advisories/unreviewed/2024/08/GHSA-c3hg-qcg2-fhv2/GHSA-c3hg-qcg2-fhv2.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-c3hg-qcg2-fhv2", - "modified": "2024-08-12T15:30:50Z", + "modified": "2024-09-16T14:37:24Z", "published": "2024-08-12T15:30:50Z", "aliases": [ "CVE-2024-40478" ], "details": "A Stored Cross Site Scripting (XSS) vulnerability was found in \"/admin/afeedback.php\" in Kashipara Online Exam System v1.0, which allows remote attackers to execute arbitrary code via \"rname\" and \"email\" parameter fields", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-12T13:38:28Z" diff --git a/advisories/unreviewed/2024/09/GHSA-263w-f6fg-v2x5/GHSA-263w-f6fg-v2x5.json b/advisories/unreviewed/2024/09/GHSA-263w-f6fg-v2x5/GHSA-263w-f6fg-v2x5.json index 0ab5bb43584..df876238373 100644 --- a/advisories/unreviewed/2024/09/GHSA-263w-f6fg-v2x5/GHSA-263w-f6fg-v2x5.json +++ b/advisories/unreviewed/2024/09/GHSA-263w-f6fg-v2x5/GHSA-263w-f6fg-v2x5.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-263w-f6fg-v2x5", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-16T14:37:26Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-46686" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()\n\nThis happens when called from SMB2_read() while using rdma\nand reaching the rdma_readwrite_threshold.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -37,9 +40,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:13Z" diff --git a/advisories/unreviewed/2024/09/GHSA-32p2-3fx9-4m6x/GHSA-32p2-3fx9-4m6x.json b/advisories/unreviewed/2024/09/GHSA-32p2-3fx9-4m6x/GHSA-32p2-3fx9-4m6x.json new file mode 100644 index 00000000000..e8c433f9b31 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-32p2-3fx9-4m6x/GHSA-32p2-3fx9-4m6x.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-32p2-3fx9-4m6x", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-44060" + ], + "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jennifer Hall Filmix allows Reflected XSS.This issue affects Filmix: from n/a through 1.1.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44060" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/filmix/wordpress-filmix-theme-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T08:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-36p3-3fj3-g9p5/GHSA-36p3-3fj3-g9p5.json b/advisories/unreviewed/2024/09/GHSA-36p3-3fj3-g9p5/GHSA-36p3-3fj3-g9p5.json new file mode 100644 index 00000000000..16873d5b34d --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-36p3-3fj3-g9p5/GHSA-36p3-3fj3-g9p5.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-36p3-3fj3-g9p5", + "modified": "2024-09-16T14:37:28Z", + "published": "2024-09-16T14:37:28Z", + "aliases": [ + "CVE-2024-8776" + ], + "details": "SmartRobot from INTUMIT does not properly validate a specific page parameter, allowing unautheticated remote attackers to inject JavaScript code to the parameter for Reflected Cross-site Scripting attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8776" + }, + { + "type": "WEB", + "url": "https://www.twcert.org.tw/en/cp-139-8070-d10bc-2.html" + }, + { + "type": "WEB", + "url": "https://www.twcert.org.tw/tw/cp-132-8069-73393-1.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T06:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-3f92-cwf9-rgvq/GHSA-3f92-cwf9-rgvq.json b/advisories/unreviewed/2024/09/GHSA-3f92-cwf9-rgvq/GHSA-3f92-cwf9-rgvq.json new file mode 100644 index 00000000000..b84607090b7 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-3f92-cwf9-rgvq/GHSA-3f92-cwf9-rgvq.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3f92-cwf9-rgvq", + "modified": "2024-09-16T14:37:26Z", + "published": "2024-09-16T14:37:26Z", + "aliases": [ + "CVE-2024-8246" + ], + "details": "The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.8.11. This is due to plugin not properly restricting what users have access to set the default role on registration forms. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with a custom role that allows them to register as administrators.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8246" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3149760/buddyforms/trunk/includes/admin/form-builder/meta-boxes/metabox-registration.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40760f60-b81a-447b-a2c8-83c7666ce410?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-269" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-14T04:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json b/advisories/unreviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json new file mode 100644 index 00000000000..a4f939d346d --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3xq2-w6j4-c99r", + "modified": "2024-09-16T14:37:28Z", + "published": "2024-09-16T14:37:28Z", + "aliases": [ + "CVE-2024-22399" + ], + "details": "Deserialization of Untrusted Data vulnerability in Apache Seata. \n\nWhen developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol.\n\nThis issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0.\n\nUsers are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22399" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T12:15:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json b/advisories/unreviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json new file mode 100644 index 00000000000..4c60140271f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json 
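Review bot: GHSA-3xq2-w6j4-c99r is added with `"severity": []` and, under `database_specific`, `"severity": null`, even though `details` describes deserialization of untrusted data in Apache Seata. Pipelines that drop records below a severity threshold may treat a null rating as the lowest and skip this entry; the same applies to GHSA-46hr-3cq3-mcgp and GHSA-5fx5-p3qx-6q26 (unauthenticated arbitrary file read) in this patch. `affected` is also `[]` here, as in the other new files in this chunk, so package-based matching will not fire on it. A range equivalent to the version text in `details` (2.0.0 and 1.0.0 through 1.8.0, fixed in 2.1.0/1.8.1) should be recorded once the package coordinates are confirmed.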
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-46hr-3cq3-mcgp", + "modified": "2024-09-16T14:37:28Z", + "published": "2024-09-16T14:37:28Z", + "aliases": [ + "CVE-2024-46943" + ], + "details": "An issue was discovered in OpenDaylight Authentication, Authorization and Accounting (AAA) through 0.19.3. A rogue controller can join a cluster to impersonate an offline peer, even if this rogue controller does not possess the complete cluster configuration information.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46943" + }, + { + "type": "WEB", + "url": "https://docs.opendaylight.org/en/latest/release-notes/projects/aaa.html" + }, + { + "type": "WEB", + "url": "https://doi.org/10.48550/arXiv.2408.16940" + }, + { + "type": "WEB", + "url": "https://lf-opendaylight.atlassian.net/browse/AAA-285" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T23:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-499r-h8wp-rfvm/GHSA-499r-h8wp-rfvm.json b/advisories/unreviewed/2024/09/GHSA-499r-h8wp-rfvm/GHSA-499r-h8wp-rfvm.json index 9bd6822b49e..a6077edd8af 100644 --- a/advisories/unreviewed/2024/09/GHSA-499r-h8wp-rfvm/GHSA-499r-h8wp-rfvm.json +++ b/advisories/unreviewed/2024/09/GHSA-499r-h8wp-rfvm/GHSA-499r-h8wp-rfvm.json 
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-499r-h8wp-rfvm", - "modified": "2024-09-09T09:30:45Z", + "modified": "2024-09-16T14:37:25Z", "published": "2024-09-09T09:30:45Z", "aliases": [ "CVE-2024-45203" ], "details": "Improper authorization in handler for custom URL scheme issue in \"@cosme\" App for Android versions prior 5.69.0 and \"@cosme\" App for iOS versions prior to 6.74.0 allows an attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-09T07:15:17Z" diff --git a/advisories/unreviewed/2024/09/GHSA-4jmq-3rrv-cmcc/GHSA-4jmq-3rrv-cmcc.json b/advisories/unreviewed/2024/09/GHSA-4jmq-3rrv-cmcc/GHSA-4jmq-3rrv-cmcc.json new file mode 100644 index 00000000000..1dcfd3579dc --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-4jmq-3rrv-cmcc/GHSA-4jmq-3rrv-cmcc.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4jmq-3rrv-cmcc", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-44062" + ], + "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hiroaki Miyashita Custom Field Template allows Stored XSS.This issue affects Custom Field Template: from n/a through 2.6.5.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44062" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/custom-field-template/wordpress-custom-field-template-plugin-2-6-5-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T08:15:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-4xg2-5xf7-v37m/GHSA-4xg2-5xf7-v37m.json b/advisories/unreviewed/2024/09/GHSA-4xg2-5xf7-v37m/GHSA-4xg2-5xf7-v37m.json new file mode 100644 index 00000000000..d3d328d9ad2 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-4xg2-5xf7-v37m/GHSA-4xg2-5xf7-v37m.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4xg2-5xf7-v37m", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-45455" + ], + "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JoomUnited WP Meta SEO allows Stored XSS.This issue affects WP Meta SEO: from n/a through 4.5.13.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45455" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/wp-meta-seo/wordpress-wp-meta-seo-plugin-4-5-13-cross-site-scripting-xss-vulnerability-2?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T08:15:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json b/advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json index 022975b6067..b116cff7b96 100644 --- a/advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json +++ b/advisories/unreviewed/2024/09/GHSA-5785-6rg8-vqjc/GHSA-5785-6rg8-vqjc.json @@ -29,6 +29,7 @@ "database_specific": { "cwe_ids": [ "CWE-121", + "CWE-125", "CWE-787" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2024/09/GHSA-58rh-53vh-8w68/GHSA-58rh-53vh-8w68.json b/advisories/unreviewed/2024/09/GHSA-58rh-53vh-8w68/GHSA-58rh-53vh-8w68.json index bf0e1343297..85a651c35f9 100644 --- a/advisories/unreviewed/2024/09/GHSA-58rh-53vh-8w68/GHSA-58rh-53vh-8w68.json +++ b/advisories/unreviewed/2024/09/GHSA-58rh-53vh-8w68/GHSA-58rh-53vh-8w68.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-58rh-53vh-8w68", - "modified": "2024-09-06T18:31:35Z", + "modified": "2024-09-16T14:37:25Z", "published": "2024-09-06T18:31:35Z", "aliases": [ "CVE-2024-38640" ], "details": "A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following version:\nDownload Station 5.8.6.283 ( 2024/06/21 ) and later", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2024/09/GHSA-5fx5-p3qx-6q26/GHSA-5fx5-p3qx-6q26.json b/advisories/unreviewed/2024/09/GHSA-5fx5-p3qx-6q26/GHSA-5fx5-p3qx-6q26.json new file mode 100644 index 00000000000..9b631fe8077 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-5fx5-p3qx-6q26/GHSA-5fx5-p3qx-6q26.json 
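Review bot: The CVSS_V3 entry added to GHSA-58rh-53vh-8w68 rates confidentiality impact as `C:L`, while the existing CVSS_V4 entry directly after it has `VC:H`, so the two vectors in one `severity` array describe different impact. GHSA-78c9-5p24-9jcg in this patch diverges further: the new v3 vector is `AV:L/AC:L/PR:L` with `C:H/I:H/A:H`, the v4 vector is `AV:P/AC:L/AT:P/PR:N` with `VC:N/VI:L/VA:L`, and `details` speaks of local network users, which would normally map to adjacent rather than local access. Consumers that read one entry will rank these advisories differently from consumers that read the other. The vectors should be reconciled against the vendor advisory before the v3 entry is used for prioritisation.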
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5fx5-p3qx-6q26", + "modified": "2024-09-16T14:37:28Z", + "published": "2024-09-16T14:37:28Z", + "aliases": [ + "CVE-2024-46938" + ], + "details": "An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46938" + }, + { + "type": "WEB", + "url": "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003408" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T22:15:09Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-66r2-xm28-74w9/GHSA-66r2-xm28-74w9.json b/advisories/unreviewed/2024/09/GHSA-66r2-xm28-74w9/GHSA-66r2-xm28-74w9.json new file mode 100644 index 00000000000..6ee792f4b7f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-66r2-xm28-74w9/GHSA-66r2-xm28-74w9.json 
@@ -0,0 +1,54 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-66r2-xm28-74w9", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-8865" + ], + "details": "A vulnerability was found in composiohq composio up to 0.5.8 and classified as problematic. Affected by this issue is the function path of the file composio\\server\\api.py. The manipulation of the argument file leads to path traversal. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8865" + }, + { + "type": "WEB", + "url": "https://rumbling-slice-eb0.notion.site/There-is-an-arbitrary-file-read-vulnerability-at-api-download-in-composiohq-composio-f0ec1ec26a5f434a97bb1ffde435a35b?pvs=4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.277502" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.277502" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.403206" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T01:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-678c-c78x-9mgf/GHSA-678c-c78x-9mgf.json b/advisories/unreviewed/2024/09/GHSA-678c-c78x-9mgf/GHSA-678c-c78x-9mgf.json new file mode 100644 index 00000000000..d899af67064 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-678c-c78x-9mgf/GHSA-678c-c78x-9mgf.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-678c-c78x-9mgf", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-44058" + ], + "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Parabola allows Stored XSS.This issue affects Parabola: from n/a through 2.4.1.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44058" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/parabola/wordpress-parabola-theme-2-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T09:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-6hmq-m3mm-wvrh/GHSA-6hmq-m3mm-wvrh.json b/advisories/unreviewed/2024/09/GHSA-6hmq-m3mm-wvrh/GHSA-6hmq-m3mm-wvrh.json new file mode 100644 index 00000000000..d2a7096e542 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-6hmq-m3mm-wvrh/GHSA-6hmq-m3mm-wvrh.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6hmq-m3mm-wvrh", + "modified": "2024-09-16T14:37:26Z", + "published": "2024-09-16T14:37:26Z", + "aliases": [ + "CVE-2024-8797" + ], + "details": "The WP Booking System – Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.19.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8797" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/wp-booking-system/tags/2.0.19.10/includes/modules/update-checker/views/view-register-website.php#L21" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3150487%40wp-booking-system&new=3150487%40wp-booking-system&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1bea55b5-b2d7-4eaf-8868-d2645ce18619?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-14T06:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-754w-8w8c-rvmg/GHSA-754w-8w8c-rvmg.json b/advisories/unreviewed/2024/09/GHSA-754w-8w8c-rvmg/GHSA-754w-8w8c-rvmg.json new file mode 100644 index 00000000000..a00338334d2 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-754w-8w8c-rvmg/GHSA-754w-8w8c-rvmg.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-754w-8w8c-rvmg",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-45694"
+ ],
+ "details": "The web service of certain models of D-Link wireless routers contains a Stack-based Buffer Overflow vulnerability, which allows unauthenticated remote attackers to exploit this vulnerability to execute arbitrary code on the device.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45694"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8081-3fb39-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8080-7f494-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T07:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-78c9-5p24-9jcg/GHSA-78c9-5p24-9jcg.json b/advisories/unreviewed/2024/09/GHSA-78c9-5p24-9jcg/GHSA-78c9-5p24-9jcg.json
index 49f1afdfdb0..0a301ec8ac5 100644
--- a/advisories/unreviewed/2024/09/GHSA-78c9-5p24-9jcg/GHSA-78c9-5p24-9jcg.json
+++ b/advisories/unreviewed/2024/09/GHSA-78c9-5p24-9jcg/GHSA-78c9-5p24-9jcg.json
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-78c9-5p24-9jcg", - "modified": "2024-09-06T18:31:35Z", + "modified": "2024-09-16T14:37:25Z", "published": "2024-09-06T18:31:35Z", "aliases": [ "CVE-2024-38642" ], "details": "An improper certificate validation vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow local network users to compromise the security of the system via unspecified vectors.\n\nWe have already fixed the vulnerability in the following version:\nQuMagie 2.3.1 and later", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2024/09/GHSA-7gm4-4495-5666/GHSA-7gm4-4495-5666.json b/advisories/unreviewed/2024/09/GHSA-7gm4-4495-5666/GHSA-7gm4-4495-5666.json new file mode 100644 index 00000000000..3d439e269d1 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-7gm4-4495-5666/GHSA-7gm4-4495-5666.json 
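Review bot: The added `CVSS_V3` vector uses `AV:L` with `C:H/I:H/A:H`, which matches neither the `details` text ("local network users") nor the existing `CVSS_V4` entry (`AV:P`, `VC:N/VI:L/VA:L`). The identical v3 string is also added to GHSA-crwj-f9hc-c6g4 in a later hunk, an OS command injection rather than a certificate-validation issue, which suggests the vector was not assessed per issue (inferred). `database_specific` lies outside this hunk, so which vector drives the severity label cannot be seen here. Until the source record reconciles them, anyone triaging on this advisory should read both vectors and prioritise on the more severe one rather than on the first `severity` entry.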
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7gm4-4495-5666",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-8777"
+ ],
+ "details": "OMFLOW from The SYSCOM Group has an information leakage vulnerability, allowing unauthorized remote attackers to read arbitrary system configurations. If LDAP authentication is enabled, attackers can obtain plaintext credentials.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8777"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8072-928a5-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8071-46589-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T06:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-7mqh-9jjg-r8c8/GHSA-7mqh-9jjg-r8c8.json b/advisories/unreviewed/2024/09/GHSA-7mqh-9jjg-r8c8/GHSA-7mqh-9jjg-r8c8.json
new file mode 100644
index 00000000000..a6e7630b7f9
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-7mqh-9jjg-r8c8/GHSA-7mqh-9jjg-r8c8.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7mqh-9jjg-r8c8",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-46451"
+ ],
+ "details": "TOTOLINK AC1200 T8 v4.1.5cu.861_B20230220 has a buffer overflow vulnerability in the setWiFiAclRules function via the desc parameter.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46451"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/offshore0315/loT-vulnerable/blob/main/TOTOLINK/AC1200%20T8/setWiFiAclRules.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-7v6r-jgcw-v2j9/GHSA-7v6r-jgcw-v2j9.json b/advisories/unreviewed/2024/09/GHSA-7v6r-jgcw-v2j9/GHSA-7v6r-jgcw-v2j9.json
new file mode 100644
index 00000000000..883a2498358
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-7v6r-jgcw-v2j9/GHSA-7v6r-jgcw-v2j9.json
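Review bot: Both `severity` and `cwe_ids` are published empty with `"severity": null`, although `details` already names a buffer overflow in `setWiFiAclRules`, so any filter or alert keyed on severity or CWE will skip this record. If the entry is enriched before an upstream score arrives, the weakness class stated in the text maps to `"cwe_ids": ["CWE-120"]`. GHSA-7v6r-jgcw-v2j9 in the next hunk has the same empty fields for an unauthenticated IDOR, where the text supports `"CWE-639"`. Until then, consumers should treat a null severity in this feed as unscored rather than as low risk.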
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7v6r-jgcw-v2j9",
+ "modified": "2024-09-16T14:37:29Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-46937"
+ ],
+ "details": "An improper access control (IDOR) vulnerability in the /api-selfportal/get-info-token-properties endpoint in MFASOFT Secure Authentication Server (SAS) 1.8.x through 1.9.x before 1.9.040924 allows remote attackers gain access to user tokens without authentication. The is a brute-force attack on the serial parameter by number identifier: GA00001, GA00002, GA00003, etc.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46937"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/WI1D-41/IDOR-in-MFASOFT-Secure-Authentication-Server"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mfasoft.ru"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-83f6-495c-ff9q/GHSA-83f6-495c-ff9q.json b/advisories/unreviewed/2024/09/GHSA-83f6-495c-ff9q/GHSA-83f6-495c-ff9q.json
new file mode 100644
index 00000000000..fc23373eed7
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-83f6-495c-ff9q/GHSA-83f6-495c-ff9q.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-83f6-495c-ff9q",
+ "modified": "2024-09-16T14:37:26Z",
+ "published": "2024-09-16T14:37:26Z",
+ "aliases": [
+ "CVE-2024-8271"
+ ],
+ "details": "The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the 'woocs_get_custom_price_html' function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8271"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/tags/1.4.2.1/classes/woocs.php#L4604"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3150596%40woocommerce-currency-switcher&new=3150596%40woocommerce-currency-switcher&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dec51bd6-2ffe-47b6-9423-6131395bf439?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-14T03:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-8v8r-m9m9-p8q3/GHSA-8v8r-m9m9-p8q3.json b/advisories/unreviewed/2024/09/GHSA-8v8r-m9m9-p8q3/GHSA-8v8r-m9m9-p8q3.json
new file mode 100644
index 00000000000..03615b46fdb
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-8v8r-m9m9-p8q3/GHSA-8v8r-m9m9-p8q3.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8v8r-m9m9-p8q3",
+ "modified": "2024-09-16T14:37:27Z",
+ "published": "2024-09-16T14:37:27Z",
+ "aliases": [
+ "CVE-2024-44063"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Happyforms allows Stored XSS.This issue affects Happyforms: from n/a through 1.26.0.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44063"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/happyforms/wordpress-happyforms-plugin-1-26-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T08:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-8x4p-8r4m-q8jg/GHSA-8x4p-8r4m-q8jg.json b/advisories/unreviewed/2024/09/GHSA-8x4p-8r4m-q8jg/GHSA-8x4p-8r4m-q8jg.json
new file mode 100644
index 00000000000..856441b842c
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-8x4p-8r4m-q8jg/GHSA-8x4p-8r4m-q8jg.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8x4p-8r4m-q8jg",
+ "modified": "2024-09-16T14:37:27Z",
+ "published": "2024-09-16T14:37:27Z",
+ "aliases": [
+ "CVE-2024-45460"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Manu225 Flipping Cards allows Stored XSS.This issue affects Flipping Cards: from n/a through 1.30.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45460"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/flipping-cards/wordpress-flipping-cards-plugin-1-30-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T08:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-9h42-jv2f-gc8x/GHSA-9h42-jv2f-gc8x.json b/advisories/unreviewed/2024/09/GHSA-9h42-jv2f-gc8x/GHSA-9h42-jv2f-gc8x.json
new file mode 100644
index 00000000000..fb2ee43120d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-9h42-jv2f-gc8x/GHSA-9h42-jv2f-gc8x.json
@@ -0,0 +1,54 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9h42-jv2f-gc8x",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-8869"
+ ],
+ "details": "A vulnerability classified as critical has been found in TOTOLINK A720R 4.1.5. Affected is the function exportOvpn. The manipulation leads to os command injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8869"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.277506"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.277506"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.403211"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.totolink.net"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T11:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-9q57-6634-5vrw/GHSA-9q57-6634-5vrw.json b/advisories/unreviewed/2024/09/GHSA-9q57-6634-5vrw/GHSA-9q57-6634-5vrw.json
new file mode 100644
index 00000000000..e80a2251efd
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-9q57-6634-5vrw/GHSA-9q57-6634-5vrw.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9q57-6634-5vrw",
+ "modified": "2024-09-16T14:37:27Z",
+ "published": "2024-09-16T14:37:26Z",
+ "aliases": [
+ "CVE-2024-8669"
+ ],
+ "details": "The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter passed to the backuply_wp_clone_sql() function in all versions up to, and including, 1.3.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8669"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/backuply/trunk/functions.php#L1477"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3151205"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a061553-c988-4a31-a0a2-7a2608faa33f?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-14T04:15:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-9wfx-jpxp-q2rh/GHSA-9wfx-jpxp-q2rh.json b/advisories/unreviewed/2024/09/GHSA-9wfx-jpxp-q2rh/GHSA-9wfx-jpxp-q2rh.json
new file mode 100644
index 00000000000..8ea6f619fd5
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-9wfx-jpxp-q2rh/GHSA-9wfx-jpxp-q2rh.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9wfx-jpxp-q2rh",
+ "modified": "2024-09-16T14:37:27Z",
+ "published": "2024-09-16T14:37:27Z",
+ "aliases": [
+ "CVE-2024-44054"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Fluida allows Stored XSS.This issue affects Fluida: from n/a through 1.8.8.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44054"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/fluida/wordpress-fluida-theme-1-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T09:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-c476-5cw2-72fp/GHSA-c476-5cw2-72fp.json b/advisories/unreviewed/2024/09/GHSA-c476-5cw2-72fp/GHSA-c476-5cw2-72fp.json
new file mode 100644
index 00000000000..02164b07448
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-c476-5cw2-72fp/GHSA-c476-5cw2-72fp.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c476-5cw2-72fp",
+ "modified": "2024-09-16T14:37:26Z",
+ "published": "2024-09-16T14:37:26Z",
+ "aliases": [
+ "CVE-2024-8479"
+ ],
+ "details": "The The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8479"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/simple-spoiler/trunk/simple-spoiler.php#L108"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3151179%40simple-spoiler&new=3151179%40simple-spoiler&sfp_email=&sfph_mail="
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8ffc76d8-b841-4c26-bbc6-1f96664efe36?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-14T04:15:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-c8rc-rqhp-jx57/GHSA-c8rc-rqhp-jx57.json b/advisories/unreviewed/2024/09/GHSA-c8rc-rqhp-jx57/GHSA-c8rc-rqhp-jx57.json
new file mode 100644
index 00000000000..24b3ecc2a11
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-c8rc-rqhp-jx57/GHSA-c8rc-rqhp-jx57.json
@@ -0,0 +1,54 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c8rc-rqhp-jx57",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-8875"
+ ],
+ "details": "A vulnerability classified as critical was found in vedees wcms up to 0.3.2. Affected by this vulnerability is an unknown functionality of the file /wex/finder.php. The manipulation of the argument p leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8875"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/acmglz/bug2_report/blob/main/wcms%20has%20arbitrary%20file%20deletion.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.277507"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.277507"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.404206"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T22:15:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-c8w2-qg5p-pfw5/GHSA-c8w2-qg5p-pfw5.json b/advisories/unreviewed/2024/09/GHSA-c8w2-qg5p-pfw5/GHSA-c8w2-qg5p-pfw5.json
new file mode 100644
index 00000000000..35b4cfd2274
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-c8w2-qg5p-pfw5/GHSA-c8w2-qg5p-pfw5.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c8w2-qg5p-pfw5",
+ "modified": "2024-09-16T14:37:27Z",
+ "published": "2024-09-16T14:37:27Z",
+ "aliases": [
+ "CVE-2024-44053"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Mohammad Arif Opor Ayam allows Reflected XSS.This issue affects Opor Ayam: from n/a through 1.8.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44053"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/opor-ayam/wordpress-opor-ayam-theme-1-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T09:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-chwm-h2rg-vxxf/GHSA-chwm-h2rg-vxxf.json b/advisories/unreviewed/2024/09/GHSA-chwm-h2rg-vxxf/GHSA-chwm-h2rg-vxxf.json
new file mode 100644
index 00000000000..42aac92d667
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-chwm-h2rg-vxxf/GHSA-chwm-h2rg-vxxf.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-chwm-h2rg-vxxf",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-8780"
+ ],
+ "details": "OMFLOW from The SYSCOM Group does not properly restrict the query range of its data query functionality, allowing remote attackers with regular privileges to obtain accounts and password hashes of other users.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8780"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8078-36fc9-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8077-7a7c0-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T06:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-cqpv-2227-9mjj/GHSA-cqpv-2227-9mjj.json b/advisories/unreviewed/2024/09/GHSA-cqpv-2227-9mjj/GHSA-cqpv-2227-9mjj.json
new file mode 100644
index 00000000000..676be3db55c
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-cqpv-2227-9mjj/GHSA-cqpv-2227-9mjj.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cqpv-2227-9mjj",
+ "modified": "2024-09-16T14:37:26Z",
+ "published": "2024-09-16T14:37:26Z",
+ "aliases": [
+ "CVE-2023-3410"
+ ],
+ "details": "The Bricks theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘customTag' attribute in versions up to, and including, 1.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the Bricks Builder (admin-only by default), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This becomes more of an issue when Bricks Builder access is granted to lower-privileged users.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3410"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bricksbuilder.io"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bricksbuilder.io/release/bricks-1-10-2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba5e93a2-8f42-4747-86fa-297ba709be8f?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-14T09:15:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-crwj-f9hc-c6g4/GHSA-crwj-f9hc-c6g4.json b/advisories/unreviewed/2024/09/GHSA-crwj-f9hc-c6g4/GHSA-crwj-f9hc-c6g4.json
index aacf47cb9cf..e3a60571acb 100644
--- a/advisories/unreviewed/2024/09/GHSA-crwj-f9hc-c6g4/GHSA-crwj-f9hc-c6g4.json
+++ b/advisories/unreviewed/2024/09/GHSA-crwj-f9hc-c6g4/GHSA-crwj-f9hc-c6g4.json
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-crwj-f9hc-c6g4", - "modified": "2024-09-06T18:31:35Z", + "modified": "2024-09-16T14:37:25Z", "published": "2024-09-06T18:31:35Z", "aliases": [ "CVE-2024-38641" ], "details": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network users to execute commands via unspecified vectors.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.8.2823 build 20240712 and later\nQuTS hero h5.1.8.2823 build 20240712 and later", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2024/09/GHSA-cvq3-wg24-45v2/GHSA-cvq3-wg24-45v2.json b/advisories/unreviewed/2024/09/GHSA-cvq3-wg24-45v2/GHSA-cvq3-wg24-45v2.json new file mode 100644 index 00000000000..54af249ab6f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-cvq3-wg24-45v2/GHSA-cvq3-wg24-45v2.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cvq3-wg24-45v2",
+ "modified": "2024-09-16T14:37:27Z",
+ "published": "2024-09-16T14:37:27Z",
+ "aliases": [
+ "CVE-2024-44057"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Nirvana allows Stored XSS.This issue affects Nirvana: from n/a through 1.6.3.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44057"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/nirvana/wordpress-nirvana-theme-1-6-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T09:15:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-cwqr-9j7q-r9xh/GHSA-cwqr-9j7q-r9xh.json b/advisories/unreviewed/2024/09/GHSA-cwqr-9j7q-r9xh/GHSA-cwqr-9j7q-r9xh.json
new file mode 100644
index 00000000000..c60a368eddb
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-cwqr-9j7q-r9xh/GHSA-cwqr-9j7q-r9xh.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cwqr-9j7q-r9xh",
+ "modified": "2024-09-16T14:37:26Z",
+ "published": "2024-09-16T14:37:26Z",
+ "aliases": [
+ "CVE-2024-8039"
+ ],
+ "details": "Improper permission configurationDomain configuration vulnerability of the mobile application (com.afmobi.boomplayer) can lead to account takeover risks.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8039"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.tecno.com/SRC/blogdetail/307?lang=en_US"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.tecno.com/SRC/securityUpdates?type=SA"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-732"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-14T04:15:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-f4cg-5v3q-jpw3/GHSA-f4cg-5v3q-jpw3.json b/advisories/unreviewed/2024/09/GHSA-f4cg-5v3q-jpw3/GHSA-f4cg-5v3q-jpw3.json
new file mode 100644
index 00000000000..7cabe2182e5
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-f4cg-5v3q-jpw3/GHSA-f4cg-5v3q-jpw3.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f4cg-5v3q-jpw3",
+ "modified": "2024-09-16T14:37:27Z",
+ "published": "2024-09-16T14:37:27Z",
+ "aliases": [
+ "CVE-2024-45459"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins Product Slider for WooCommerce allows Reflected XSS.This issue affects Product Slider for WooCommerce: from n/a through 1.13.50.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45459"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/woocommerce-products-slider/wordpress-product-slider-for-woocommerce-by-pickplugins-plugin-1-13-50-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T08:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-f5ww-mg69-335r/GHSA-f5ww-mg69-335r.json b/advisories/unreviewed/2024/09/GHSA-f5ww-mg69-335r/GHSA-f5ww-mg69-335r.json
new file mode 100644
index 00000000000..9f282163ca9
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-f5ww-mg69-335r/GHSA-f5ww-mg69-335r.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f5ww-mg69-335r",
+ "modified": "2024-09-16T14:37:27Z",
+ "published": "2024-09-16T14:37:27Z",
+ "aliases": [
+ "CVE-2024-45458"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Spiffy Plugins Spiffy Calendar allows Reflected XSS.This issue affects Spiffy Calendar: from n/a through 4.9.13.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45458"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T08:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-fg5m-m723-7mv6/GHSA-fg5m-m723-7mv6.json b/advisories/unreviewed/2024/09/GHSA-fg5m-m723-7mv6/GHSA-fg5m-m723-7mv6.json
new file mode 100644
index 00000000000..4d43d4a5d4f
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-fg5m-m723-7mv6/GHSA-fg5m-m723-7mv6.json
@@ -0,0 +1,54 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fg5m-m723-7mv6",
+ "modified": "2024-09-16T14:37:27Z",
+ "published": "2024-09-16T14:37:27Z",
+ "aliases": [
+ "CVE-2024-8862"
+ ],
+ "details": "A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. This issue affects the function getConnectionSafe of the file /dtale/chart-data/1 of the component JDBC Connection Handler. The manipulation of the argument query leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8862"
+ },
+ {
+ "type": "WEB",
+ "url": "https://rumbling-slice-eb0.notion.site/Unauthenticated-Remote-Command-Execution-via-Panda-df-query-9dc40f0477ee4b65806de7921876c222?pvs=4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.277499"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.277499"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.403200"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-14T20:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-fp3g-r7j4-vr8g/GHSA-fp3g-r7j4-vr8g.json b/advisories/unreviewed/2024/09/GHSA-fp3g-r7j4-vr8g/GHSA-fp3g-r7j4-vr8g.json
index 5b7b1582afc..20612dc88ff 100644
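Review bot: The `details` string of this record does not agree with itself: it names h2oai h2o-3 3.46.0.4, the function `getConnectionSafe` and a JDBC Connection Handler, yet the file it gives is `/dtale/chart-data/1` and the second reference is titled as a command-execution report about a Panda df query, so two upstream reports may have been merged. With `affected` left empty, that text is the only product identification a consumer has, and the entry should be checked against the NVD and VulDB references before it drives triage. Separately, the CVSS 3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L` scores 7.3 (High) while `database_specific.severity` is `"MODERATE"`, presumably because the label follows the CVSS 4.0 vector. The GHSA-mfr5-p5vc-mx4q record later in this patch carries the same pair, so pipelines that threshold on the label will rank both lower than pipelines that score the v3 vector.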
--- a/advisories/unreviewed/2024/09/GHSA-fp3g-r7j4-vr8g/GHSA-fp3g-r7j4-vr8g.json +++ b/advisories/unreviewed/2024/09/GHSA-fp3g-r7j4-vr8g/GHSA-fp3g-r7j4-vr8g.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-fp3g-r7j4-vr8g", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-16T14:37:26Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-46685" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: single: fix potential NULL dereference in pcs_get_function()\n\npinmux_generic_get_function() can return NULL and the pointer 'function'\nwas dereferenced without checking against NULL. Add checking of pointer\n'function' in pcs_get_function().\n\nFound by code review.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -53,9 +56,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-476" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:13Z" diff --git a/advisories/unreviewed/2024/09/GHSA-fq8w-cfr6-8fqg/GHSA-fq8w-cfr6-8fqg.json b/advisories/unreviewed/2024/09/GHSA-fq8w-cfr6-8fqg/GHSA-fq8w-cfr6-8fqg.json new file mode 100644 index 00000000000..c240c2d138c --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-fq8w-cfr6-8fqg/GHSA-fq8w-cfr6-8fqg.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fq8w-cfr6-8fqg",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-45833"
+ ],
+ "details": "Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character..",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45833"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-693"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T07:15:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-g5x5-v9cp-7w65/GHSA-g5x5-v9cp-7w65.json b/advisories/unreviewed/2024/09/GHSA-g5x5-v9cp-7w65/GHSA-g5x5-v9cp-7w65.json
new file mode 100644
index 00000000000..67c698c89da
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-g5x5-v9cp-7w65/GHSA-g5x5-v9cp-7w65.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g5x5-v9cp-7w65",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-8779"
+ ],
+ "details": "OMFLOW from The SYSCOM Group does not properly restrict access to the system settings modification functionality, allowing remote attackers with regular privileges to update system settings or create accounts with administrator privileges, thereby gaining control of the server.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8779"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8076-6ade0-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8075-a0d06-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T06:15:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-g766-f3jj-h73r/GHSA-g766-f3jj-h73r.json b/advisories/unreviewed/2024/09/GHSA-g766-f3jj-h73r/GHSA-g766-f3jj-h73r.json
new file mode 100644
index 00000000000..1e54170d81b
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-g766-f3jj-h73r/GHSA-g766-f3jj-h73r.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g766-f3jj-h73r",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-8778"
+ ],
+ "details": "OMFLOW from The SYSCOM Group does not properly validate user input of the download functionality, allowing remote attackers with regular privileges to read arbitrary system files.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8778"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8074-66457-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8073-ff771-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-36"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T06:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-gcwq-2mx4-wmcp/GHSA-gcwq-2mx4-wmcp.json b/advisories/unreviewed/2024/09/GHSA-gcwq-2mx4-wmcp/GHSA-gcwq-2mx4-wmcp.json
new file mode 100644
index 00000000000..bbd7c30dbf0
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-gcwq-2mx4-wmcp/GHSA-gcwq-2mx4-wmcp.json
@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gcwq-2mx4-wmcp",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-46958"
+ ],
+ "details": "In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux, synchronized files (between the server and client) may become world writable or world readable. This is fixed in 3.13.4.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46958"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nextcloud/desktop/issues/6863"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nextcloud/desktop/pull/6949"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nextcloud/desktop/pull/7092"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nextcloud/desktop/compare/v3.13.3...v3.13.4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/nextcloud/security-advisories/security/advisories"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T02:15:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-gp73-hc78-3ch8/GHSA-gp73-hc78-3ch8.json b/advisories/unreviewed/2024/09/GHSA-gp73-hc78-3ch8/GHSA-gp73-hc78-3ch8.json
new file mode 100644
index 00000000000..0bfde4e6d84
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-gp73-hc78-3ch8/GHSA-gp73-hc78-3ch8.json
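Review bot: This record is published with `severity` empty, `cwe_ids` empty and `database_specific.severity` set to `null`, although its `details` text is specific: Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux can leave synchronized files world writable or world readable, fixed in 3.13.4. Consumers that filter on a severity label or a CWE will skip it entirely. The weakness as described reads like incorrect permission assignment, so `"CWE-732"` in `cwe_ids` looks like the fitting classification, to be confirmed against the NVD entry once it is analysed.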
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gp73-hc78-3ch8",
+ "modified": "2024-09-16T14:37:27Z",
+ "published": "2024-09-16T14:37:27Z",
+ "aliases": [
+ "CVE-2024-45456"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JoomUnited WP Meta SEO allows Stored XSS.This issue affects WP Meta SEO: from n/a through 4.5.13.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45456"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/wp-meta-seo/wordpress-wp-meta-seo-plugin-4-5-13-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T08:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-grj2-x9v7-7qqx/GHSA-grj2-x9v7-7qqx.json b/advisories/unreviewed/2024/09/GHSA-grj2-x9v7-7qqx/GHSA-grj2-x9v7-7qqx.json
index 48426d549b2..ed171346089 100644
--- a/advisories/unreviewed/2024/09/GHSA-grj2-x9v7-7qqx/GHSA-grj2-x9v7-7qqx.json
+++ b/advisories/unreviewed/2024/09/GHSA-grj2-x9v7-7qqx/GHSA-grj2-x9v7-7qqx.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-grj2-x9v7-7qqx", - "modified": "2024-09-13T06:30:43Z", + "modified": "2024-09-16T14:37:26Z", "published": "2024-09-13T06:30:43Z", "aliases": [ "CVE-2024-46687" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()\n\n[BUG]\nThere is an internal report that KASAN is reporting use-after-free, with\nthe following backtrace:\n\n BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]\n Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45\n CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]\n Call Trace:\n dump_stack_lvl+0x61/0x80\n print_address_description.constprop.0+0x5e/0x2f0\n print_report+0x118/0x216\n kasan_report+0x11d/0x1f0\n btrfs_check_read_bio+0xa68/0xb70 [btrfs]\n process_one_work+0xce0/0x12a0\n worker_thread+0x717/0x1250\n kthread+0x2e3/0x3c0\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x11/0x20\n\n Allocated by task 20917:\n kasan_save_stack+0x37/0x60\n kasan_save_track+0x10/0x30\n __kasan_slab_alloc+0x7d/0x80\n kmem_cache_alloc_noprof+0x16e/0x3e0\n mempool_alloc_noprof+0x12e/0x310\n bio_alloc_bioset+0x3f0/0x7a0\n btrfs_bio_alloc+0x2e/0x50 [btrfs]\n submit_extent_page+0x4d1/0xdb0 [btrfs]\n btrfs_do_readpage+0x8b4/0x12a0 [btrfs]\n btrfs_readahead+0x29a/0x430 [btrfs]\n read_pages+0x1a7/0xc60\n page_cache_ra_unbounded+0x2ad/0x560\n filemap_get_pages+0x629/0xa20\n filemap_read+0x335/0xbf0\n vfs_read+0x790/0xcb0\n ksys_read+0xfd/0x1d0\n do_syscall_64+0x6d/0x140\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n Freed by task 20917:\n kasan_save_stack+0x37/0x60\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x50\n __kasan_slab_free+0x4b/0x60\n 
kmem_cache_free+0x214/0x5d0\n bio_free+0xed/0x180\n end_bbio_data_read+0x1cc/0x580 [btrfs]\n btrfs_submit_chunk+0x98d/0x1880 [btrfs]\n btrfs_submit_bio+0x33/0x70 [btrfs]\n submit_one_bio+0xd4/0x130 [btrfs]\n submit_extent_page+0x3ea/0xdb0 [btrfs]\n btrfs_do_readpage+0x8b4/0x12a0 [btrfs]\n btrfs_readahead+0x29a/0x430 [btrfs]\n read_pages+0x1a7/0xc60\n page_cache_ra_unbounded+0x2ad/0x560\n filemap_get_pages+0x629/0xa20\n filemap_read+0x335/0xbf0\n vfs_read+0x790/0xcb0\n ksys_read+0xfd/0x1d0\n do_syscall_64+0x6d/0x140\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[CAUSE]\nAlthough I cannot reproduce the error, the report itself is good enough\nto pin down the cause.\n\nThe call trace is the regular endio workqueue context, but the\nfree-by-task trace is showing that during btrfs_submit_chunk() we\nalready hit a critical error, and is calling btrfs_bio_end_io() to error\nout. And the original endio function called bio_put() to free the whole\nbio.\n\nThis means a double freeing thus causing use-after-free, e.g.:\n\n1. Enter btrfs_submit_bio() with a read bio\n The read bio length is 128K, crossing two 64K stripes.\n\n2. The first run of btrfs_submit_chunk()\n\n2.1 Call btrfs_map_block(), which returns 64K\n2.2 Call btrfs_split_bio()\n Now there are two bios, one referring to the first 64K, the other\n referring to the second 64K.\n2.3 The first half is submitted.\n\n3. The second run of btrfs_submit_chunk()\n\n3.1 Call btrfs_map_block(), which by somehow failed\n Now we call btrfs_bio_end_io() to handle the error\n\n3.2 btrfs_bio_end_io() calls the original endio function\n Which is end_bbio_data_read(), and it calls bio_put() for the\n original bio.\n\n Now the original bio is freed.\n\n4. 
The submitted first 64K bio finished\n Now we call into btrfs_check_read_bio() and tries to advance the bio\n iter.\n But since the original bio (thus its iter) is already freed, we\n trigger the above use-after free.\n\n And even if the memory is not poisoned/corrupted, we will later call\n the original endio function, causing a double freeing.\n\n[FIX]\nInstead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),\nwhich has the extra check on split bios and do the pr\n---truncated---", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-415" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T06:15:13Z" diff --git a/advisories/unreviewed/2024/09/GHSA-gvcc-mwhq-ccvw/GHSA-gvcc-mwhq-ccvw.json b/advisories/unreviewed/2024/09/GHSA-gvcc-mwhq-ccvw/GHSA-gvcc-mwhq-ccvw.json new file mode 100644 index 00000000000..244aaf244bb --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-gvcc-mwhq-ccvw/GHSA-gvcc-mwhq-ccvw.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gvcc-mwhq-ccvw",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-45695"
+ ],
+ "details": "The web service of certain models of D-Link wireless routers contains a Stack-based Buffer Overflow vulnerability, which allows unauthenticated remote attackers to exploit this vulnerability to execute arbitrary code on the device.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45695"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8083-a299e-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8082-f1687-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T07:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-gx7g-q2xr-xm5f/GHSA-gx7g-q2xr-xm5f.json b/advisories/unreviewed/2024/09/GHSA-gx7g-q2xr-xm5f/GHSA-gx7g-q2xr-xm5f.json
new file mode 100644
index 00000000000..6558f18fdf5
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-gx7g-q2xr-xm5f/GHSA-gx7g-q2xr-xm5f.json
@@ -0,0 +1,46 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gx7g-q2xr-xm5f",
+ "modified": "2024-09-16T14:37:26Z",
+ "published": "2024-09-16T14:37:26Z",
+ "aliases": [
+ "CVE-2024-6482"
+ ],
+ "details": "The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check on user-supplied data in the 'lwp_update_password_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. The login with phone number pro plugin was required to exploit the vulnerability in versions 1.7.40 - 1.7.49.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6482"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/login-with-phonenumber.php#L3803"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3129185"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de7cde2c-142c-4004-9302-be335265d87d?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-269"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-14T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-h478-hrvj-hrjq/GHSA-h478-hrvj-hrjq.json b/advisories/unreviewed/2024/09/GHSA-h478-hrvj-hrjq/GHSA-h478-hrvj-hrjq.json
new file mode 100644
index 00000000000..0d184f1e2bf
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-h478-hrvj-hrjq/GHSA-h478-hrvj-hrjq.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h478-hrvj-hrjq",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-8880"
+ ],
+ "details": "A vulnerability classified as critical has been found in playSMS 1.4.4/1.4.5/1.4.6/1.4.7. Affected is an unknown function of the file /playsms/index.php?app=main&inc=core_auth&route=forgot&op=forgot of the component Template Handler. The manipulation of the argument username/email/captcha leads to code injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The project maintainer was informed early about the issue. Investigation shows that playSMS up to 1.4.3 contained a fix but later versions re-introduced the flaw. As long as the latest version of the playsms/tpl package is used, the software is not affected. Version >=1.4.4 shall fix this issue for sure.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8880"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.277524"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.277524"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.406095"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T01:15:10Z"
+ }
+}
\ No newline at end of file
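Review bot: The version statements inside `details` contradict each other: the affected releases are listed as playSMS 1.4.4, 1.4.5, 1.4.6 and 1.4.7, the text then says releases up to 1.4.3 carried a fix that later versions lost, and it closes with "Version >=1.4.4 shall fix this issue for sure". Because `affected` is an empty array there is no machine-readable range to fall back on, so a reader cannot tell from this record which installs are exposed. The one unambiguous statement is that an install using the latest `playsms/tpl` package is not affected. I would ask for the range to be confirmed upstream and recorded in `affected` before this entry is relied on for patch decisions.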
diff --git a/advisories/unreviewed/2024/09/GHSA-h73x-4wxr-7f79/GHSA-h73x-4wxr-7f79.json b/advisories/unreviewed/2024/09/GHSA-h73x-4wxr-7f79/GHSA-h73x-4wxr-7f79.json
new file mode 100644
index 00000000000..56de3e76f92
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-h73x-4wxr-7f79/GHSA-h73x-4wxr-7f79.json
@@ -0,0 +1,54 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h73x-4wxr-7f79",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-8876"
+ ],
+ "details": "A vulnerability, which was classified as problematic, has been found in xiaohe4966 TpMeCMS up to 1.3.3.1. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.3.2 is able to address this issue. It is recommended to upgrade the affected component.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8876"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.277508"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.277508"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.404560"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wiki.shikangsi.com/post/share/12da81ed-2dad-4a75-9b1a-db9afe1e7b7b"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T22:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-h9rg-jfq5-wf8g/GHSA-h9rg-jfq5-wf8g.json b/advisories/unreviewed/2024/09/GHSA-h9rg-jfq5-wf8g/GHSA-h9rg-jfq5-wf8g.json
new file mode 100644
index 00000000000..69334fba1e8
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-h9rg-jfq5-wf8g/GHSA-h9rg-jfq5-wf8g.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h9rg-jfq5-wf8g",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-45696"
+ ],
+ "details": "Certain models of D-Link wireless routers contain hidden functionality. By sending specific packets to the web service, the attacker can forcibly enable the telnet service and log in using hard-coded credentials. The telnet service enabled through this method can only be accessed from within the same local network as the device.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45696"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-8087-c3e70-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-8086-93ed5-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-912"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T07:15:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-hh55-xqjj-vxv4/GHSA-hh55-xqjj-vxv4.json b/advisories/unreviewed/2024/09/GHSA-hh55-xqjj-vxv4/GHSA-hh55-xqjj-vxv4.json
new file mode 100644
index 00000000000..96fa273630f
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-hh55-xqjj-vxv4/GHSA-hh55-xqjj-vxv4.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hh55-xqjj-vxv4",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-46424"
+ ],
+ "details": "TOTOLINK AC1200 T8 v4.1.5cu.861_B20230220 has a buffer overflow vulnerability in the UploadCustomModule function, which allows attackers to cause a Denial of Service (DoS) via the File parameter.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46424"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TTTJJJWWW/AHU-IoT-vulnerable/blob/main/TOTOLINK/AC1200T8/UploadCustomModule.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T13:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json b/advisories/unreviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json
new file mode 100644
index 00000000000..fee08130162
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hv38-h5pj-c96j",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-46942"
+ ],
+ "details": "In OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) through 13.0.1, a controller with a follower role can configure flow entries in an OpenDaylight clustering deployment.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46942"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.opendaylight.org/en/latest/release-notes/projects/mdsal.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://doi.org/10.48550/arXiv.2408.16940"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lf-opendaylight.atlassian.net/browse/MDSAL-869"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-15T23:15:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-j7q4-4r7g-3jf4/GHSA-j7q4-4r7g-3jf4.json b/advisories/unreviewed/2024/09/GHSA-j7q4-4r7g-3jf4/GHSA-j7q4-4r7g-3jf4.json
new file mode 100644
index 00000000000..2dc953e4f73
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-j7q4-4r7g-3jf4/GHSA-j7q4-4r7g-3jf4.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-j7q4-4r7g-3jf4",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-1578"
+ ],
+ "details": "The MiCard PLUS Ci and MiCard PLUS BLE reader products developed by rf IDEAS and rebranded by NT-ware have a firmware fault that may result in characters randomly being dropped from some ID card reads, which would result in the wrong ID card number being assigned during ID card self-registration and might result in failed login attempts for end-users. Random characters being dropped from ID card numbers compromises the uniqueness of ID cards that can, therefore, result in a security issue if the users are using the ‘ID card self-registration’ function.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1578"
+ },
+ {
+ "type": "WEB",
+ "url": "https://ntware.atlassian.net/wiki/spaces/SA/pages/11973853216/2024+Security+Advisory+Multiple+MiCard+PLUS+card+reader+dropped+characters"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.canon-europe.com/psirt/advisory-information"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1287"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T07:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-jf5x-p6mg-vvp7/GHSA-jf5x-p6mg-vvp7.json b/advisories/unreviewed/2024/09/GHSA-jf5x-p6mg-vvp7/GHSA-jf5x-p6mg-vvp7.json
new file mode 100644
index 00000000000..ba7813fb630
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-jf5x-p6mg-vvp7/GHSA-jf5x-p6mg-vvp7.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jf5x-p6mg-vvp7",
+ "modified": "2024-09-16T14:37:29Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-46419"
+ ],
+ "details": "TOTOLINK AC1200 T8 v4.1.5cu.861_B20230220 has a buffer overflow vulnerability in the setWizardCfg function via the ssid5g parameter.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46419"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TTTJJJWWW/AHU-IoT-vulnerable/blob/main/TOTOLINK/AC1200T8/setWizardCfg.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T14:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-jfw4-5phw-5pw7/GHSA-jfw4-5phw-5pw7.json b/advisories/unreviewed/2024/09/GHSA-jfw4-5phw-5pw7/GHSA-jfw4-5phw-5pw7.json
new file mode 100644
index 00000000000..2f2b0b709dd
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-jfw4-5phw-5pw7/GHSA-jfw4-5phw-5pw7.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jfw4-5phw-5pw7",
+ "modified": "2024-09-16T14:37:28Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-46970"
+ ],
+ "details": "In JetBrains IntelliJ IDEA before 2024.1 hTML injection via the project name was possible",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46970"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T11:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json b/advisories/unreviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json
new file mode 100644
index 00000000000..6bfad4c3da4
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jpxc-vmjf-9fcj",
+ "modified": "2024-09-16T14:37:26Z",
+ "published": "2024-09-16T14:37:26Z",
+ "aliases": [
+ "CVE-2024-8775"
+ ],
+ "details": "A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8775"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-8775"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312119"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-532"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-14T03:15:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-m62g-7v8j-3fwc/GHSA-m62g-7v8j-3fwc.json b/advisories/unreviewed/2024/09/GHSA-m62g-7v8j-3fwc/GHSA-m62g-7v8j-3fwc.json
new file mode 100644
index 00000000000..5fffe4b878a
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-m62g-7v8j-3fwc/GHSA-m62g-7v8j-3fwc.json
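Review bot: `affected` is empty and `details` names no affected or fixed release, so tooling that matches advisories on package ranges will not report this entry for any Ansible install. The exposure it describes is specific and auditable from the text alone: tasks such as `include_vars` that load vaulted variables without `no_log: true` print the decrypted values into playbook output and logs. Until a range is recorded, the practical check is to review playbooks and roles for such tasks and to treat retained job logs and CI output as possibly holding secrets.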
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m62g-7v8j-3fwc", + "modified": "2024-09-16T14:37:28Z", + "published": "2024-09-16T14:37:28Z", + "aliases": [ + "CVE-2024-46918" + ], + "details": "app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46918" + }, + { + "type": "WEB", + "url": "https://github.com/MISP/MISP/commit/3a5227d7b3d4518ac109af61979a00145a0de6fa" + }, + { + "type": "WEB", + "url": "https://github.com/MISP/MISP/compare/v2.4.197...v2.4.198" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T20:15:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-mfr5-p5vc-mx4q/GHSA-mfr5-p5vc-mx4q.json b/advisories/unreviewed/2024/09/GHSA-mfr5-p5vc-mx4q/GHSA-mfr5-p5vc-mx4q.json new file mode 100644 index 00000000000..f5cf6973b52 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-mfr5-p5vc-mx4q/GHSA-mfr5-p5vc-mx4q.json 
@@ -0,0 +1,58 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mfr5-p5vc-mx4q", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-8868" + ], + "details": "A vulnerability was found in code-projects Crud Operation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file savedata.php. The manipulation of the argument sname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8868" + }, + { + "type": "WEB", + "url": "https://github.com/ppp-src/a/issues/7" + }, + { + "type": "WEB", + "url": "https://code-projects.org" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.277505" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.277505" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.408322" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T03:15:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-mrmh-3hqh-pfw7/GHSA-mrmh-3hqh-pfw7.json b/advisories/unreviewed/2024/09/GHSA-mrmh-3hqh-pfw7/GHSA-mrmh-3hqh-pfw7.json new file mode 100644 index 00000000000..e41465d58c5 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-mrmh-3hqh-pfw7/GHSA-mrmh-3hqh-pfw7.json 
@@ -0,0 +1,54 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mrmh-3hqh-pfw7", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-8864" + ], + "details": "A vulnerability has been found in composiohq composio up to 0.5.6 and classified as critical. Affected by this vulnerability is the function Calculator of the file python/composio/tools/local/mathematical/actions/calculator.py. The manipulation leads to code injection. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8864" + }, + { + "type": "WEB", + "url": "https://rumbling-slice-eb0.notion.site/Composio-s-Local-tools-Mathematical-has-a-code-injection-risk-in-composiohq-composio-ea0e89ee10fe4edfb9a8cfeed158c765?pvs=4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.277501" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.277501" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.403204" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-94" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T01:15:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-ph9f-2c4w-rghv/GHSA-ph9f-2c4w-rghv.json b/advisories/unreviewed/2024/09/GHSA-ph9f-2c4w-rghv/GHSA-ph9f-2c4w-rghv.json index 587ddb95044..80b45b0facc 100644 --- a/advisories/unreviewed/2024/09/GHSA-ph9f-2c4w-rghv/GHSA-ph9f-2c4w-rghv.json 
+++ b/advisories/unreviewed/2024/09/GHSA-ph9f-2c4w-rghv/GHSA-ph9f-2c4w-rghv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-ph9f-2c4w-rghv", - "modified": "2024-09-09T09:30:45Z", + "modified": "2024-09-16T14:37:25Z", "published": "2024-09-09T09:30:45Z", "aliases": [ "CVE-2024-37288" diff --git a/advisories/unreviewed/2024/09/GHSA-pmhg-f7wc-c97m/GHSA-pmhg-f7wc-c97m.json b/advisories/unreviewed/2024/09/GHSA-pmhg-f7wc-c97m/GHSA-pmhg-f7wc-c97m.json new file mode 100644 index 00000000000..b32e1fecb28 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-pmhg-f7wc-c97m/GHSA-pmhg-f7wc-c97m.json 
@@ -0,0 +1,54 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pmhg-f7wc-c97m", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-8863" + ], + "details": "A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8863" + }, + { + "type": "WEB", + "url": "https://rumbling-slice-eb0.notion.site/Stored-XSS-through-TEXT-EXPLORER-in-aimhubio-aim-d0f07b7194724950a673498546d80d43?pvs=4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.277500" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.277500" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.403203" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-14T23:15:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-q2wf-44h2-28xg/GHSA-q2wf-44h2-28xg.json b/advisories/unreviewed/2024/09/GHSA-q2wf-44h2-28xg/GHSA-q2wf-44h2-28xg.json new file mode 100644 index 00000000000..d2c4fab7c62 --- /dev/null 
+++ b/advisories/unreviewed/2024/09/GHSA-q2wf-44h2-28xg/GHSA-q2wf-44h2-28xg.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q2wf-44h2-28xg", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-44056" + ], + "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Mantra allows Stored XSS.This issue affects Mantra: from n/a through 3.3.2.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44056" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/mantra/wordpress-mantra-theme-3-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T09:15:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-q6v4-gcc8-vrgw/GHSA-q6v4-gcc8-vrgw.json b/advisories/unreviewed/2024/09/GHSA-q6v4-gcc8-vrgw/GHSA-q6v4-gcc8-vrgw.json new file mode 100644 index 00000000000..9979df16b64 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-q6v4-gcc8-vrgw/GHSA-q6v4-gcc8-vrgw.json 
@@ -0,0 +1,54 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q6v4-gcc8-vrgw", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-8867" + ], + "details": "A vulnerability was found in Perfex CRM 3.1.6. It has been declared as problematic. This vulnerability affects unknown code of the file application/controllers/Clients.php of the component Parameter Handler. The manipulation of the argument message leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8867" + }, + { + "type": "WEB", + "url": "https://bytium.com/stored-cross-site-scripting-xss-vulnerability-in-perfex-crm" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.277504" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.277504" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.408014" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T03:15:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-qcv9-p6c5-w5pr/GHSA-qcv9-p6c5-w5pr.json b/advisories/unreviewed/2024/09/GHSA-qcv9-p6c5-w5pr/GHSA-qcv9-p6c5-w5pr.json new file mode 100644 index 00000000000..2568acf3564 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-qcv9-p6c5-w5pr/GHSA-qcv9-p6c5-w5pr.json 
@@ -0,0 +1,54 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qcv9-p6c5-w5pr", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-8866" + ], + "details": "A vulnerability was found in AutoCMS 5.4. It has been classified as problematic. This affects an unknown part of the file /admin/robot.php. The manipulation of the argument sidebar leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8866" + }, + { + "type": "WEB", + "url": "https://github.com/Hebing123/cve/issues/68" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.277503" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.277503" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.407460" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T02:15:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-rhpc-qcxc-cfwf/GHSA-rhpc-qcxc-cfwf.json b/advisories/unreviewed/2024/09/GHSA-rhpc-qcxc-cfwf/GHSA-rhpc-qcxc-cfwf.json new file mode 100644 index 00000000000..284591a0e1b --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-rhpc-qcxc-cfwf/GHSA-rhpc-qcxc-cfwf.json 
@@ -0,0 +1,46 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rhpc-qcxc-cfwf", + "modified": "2024-09-16T14:37:26Z", + "published": "2024-09-16T14:37:26Z", + "aliases": [ + "CVE-2024-8724" + ], + "details": "The Waitlist Woocommerce ( Back in stock notifier ) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8724" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/waitlist-woocommerce/trunk/admin/templates/xoo-wl-import-form.php#L8" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3151186%40waitlist-woocommerce&new=3151186%40waitlist-woocommerce&sfp_email=&sfph_mail=" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c298c87e-cf3c-4b72-bb0e-a01ca2dfe52f?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-14T04:15:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-rpwv-q4ch-7pvm/GHSA-rpwv-q4ch-7pvm.json b/advisories/unreviewed/2024/09/GHSA-rpwv-q4ch-7pvm/GHSA-rpwv-q4ch-7pvm.json new file mode 100644 index 00000000000..264fb3199b5 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-rpwv-q4ch-7pvm/GHSA-rpwv-q4ch-7pvm.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rpwv-q4ch-7pvm", + "modified": "2024-09-16T14:37:26Z", + "published": "2024-09-16T14:37:26Z", + "aliases": [ + "CVE-2022-3459" + ], + "details": "The WooCommerce Multiple Free Gift plugin for WordPress is vulnerable to gift manipulation in all versions up to, and including, 1.2.3. This is due to plugin not enforcing server-side checks on the products that can be added as a gift. This makes it possible for unauthenticated attackers to add non-gift items to their cart as a gift.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3459" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/browser/woocommerce-multiple-free-gift/trunk/lib/WFG_Frontend.class.php#L189" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cdb9c321-1a2c-4593-9947-2071a908ee1c?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-639" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-14T03:15:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-rwqg-xwvm-5mmj/GHSA-rwqg-xwvm-5mmj.json b/advisories/unreviewed/2024/09/GHSA-rwqg-xwvm-5mmj/GHSA-rwqg-xwvm-5mmj.json new file mode 100644 index 00000000000..c254dabcfb1 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-rwqg-xwvm-5mmj/GHSA-rwqg-xwvm-5mmj.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rwqg-xwvm-5mmj", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-45457" + ], + "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Spiffy Plugins Spiffy Calendar allows Stored XSS.This issue affects Spiffy Calendar: from n/a through 4.9.13.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45457" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-13-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T08:15:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-vhp8-r33q-gvq2/GHSA-vhp8-r33q-gvq2.json b/advisories/unreviewed/2024/09/GHSA-vhp8-r33q-gvq2/GHSA-vhp8-r33q-gvq2.json new file mode 100644 index 00000000000..5793c9b9e2e --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-vhp8-r33q-gvq2/GHSA-vhp8-r33q-gvq2.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vhp8-r33q-gvq2", + "modified": "2024-09-16T14:37:27Z", + "published": "2024-09-16T14:37:27Z", + "aliases": [ + "CVE-2024-44059" + ], + "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MediaRon LLC Custom Query Blocks allows Stored XSS.This issue affects Custom Query Blocks: from n/a through 5.3.1.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44059" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/vulnerability/post-type-archive-mapping/wordpress-custom-query-blocks-plugin-5-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-15T09:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json b/advisories/unreviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json new file mode 100644 index 00000000000..f76df72f568 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wj4j-qc2m-fgh7", + "modified": "2024-09-16T14:37:28Z", + "published": "2024-09-16T14:37:28Z", + "aliases": [ + "CVE-2024-39613" + ], + "details": "Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39613" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-427" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T07:15:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-wxf3-97x6-x82w/GHSA-wxf3-97x6-x82w.json b/advisories/unreviewed/2024/09/GHSA-wxf3-97x6-x82w/GHSA-wxf3-97x6-x82w.json new file mode 100644 index 00000000000..ee7061b71ed --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-wxf3-97x6-x82w/GHSA-wxf3-97x6-x82w.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wxf3-97x6-x82w", + "modified": "2024-09-16T14:37:28Z", + "published": "2024-09-16T14:37:28Z", + "aliases": [ + "CVE-2024-45697" + ], + "details": "Certain models of D-Link wireless routers have a hidden functionality where the telnet service is enabled when the WAN port is plugged in. Unauthorized remote attackers can log in and execute OS commands using hard-coded credentials.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45697" + }, + { + "type": "WEB", + "url": "https://www.twcert.org.tw/en/cp-139-8089-32df6-2.html" + }, + { + "type": "WEB", + "url": "https://www.twcert.org.tw/tw/cp-132-8088-590ed-1.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-912" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T07:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-xj9g-c23g-r4pj/GHSA-xj9g-c23g-r4pj.json b/advisories/unreviewed/2024/09/GHSA-xj9g-c23g-r4pj/GHSA-xj9g-c23g-r4pj.json new file mode 100644 index 00000000000..33b1d167057 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-xj9g-c23g-r4pj/GHSA-xj9g-c23g-r4pj.json 
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xj9g-c23g-r4pj", + "modified": "2024-09-16T14:37:28Z", + "published": "2024-09-16T14:37:28Z", + "aliases": [ + "CVE-2024-45698" + ], + "details": "Certain models of D-Link wireless routers do not properly validate user input in the telnet service, allowing unauthenticated remote attackers to use hard-coded credentials to log into telnet and inject arbitrary OS commands, which can then be executed on the device.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45698" + }, + { + "type": "WEB", + "url": "https://www.twcert.org.tw/en/cp-139-8091-bcd52-2.html" + }, + { + "type": "WEB", + "url": "https://www.twcert.org.tw/tw/cp-132-8090-bf06b-1.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T07:15:03Z" + } +} \ No newline at end of file From 75c180b148f8b0788305d87ae355b046d31fcf99 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 14:53:06 +0000 Subject: [PATCH 093/170] Publish GHSA-m3px-vjxr-fx4m --- .../GHSA-m3px-vjxr-fx4m.json | 31 +++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2024/08/GHSA-m3px-vjxr-fx4m/GHSA-m3px-vjxr-fx4m.json b/advisories/github-reviewed/2024/08/GHSA-m3px-vjxr-fx4m/GHSA-m3px-vjxr-fx4m.json index 71516dc7dab..6bb94aa8128 100644 --- a/advisories/github-reviewed/2024/08/GHSA-m3px-vjxr-fx4m/GHSA-m3px-vjxr-fx4m.json +++ b/advisories/github-reviewed/2024/08/GHSA-m3px-vjxr-fx4m/GHSA-m3px-vjxr-fx4m.json 
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m3px-vjxr-fx4m",
- "modified": "2024-08-12T18:36:10Z",
+ "modified": "2024-09-16T14:51:34Z",
 "published": "2024-08-12T18:36:10Z",
 "aliases": [
 "CVE-2024-42485"
@@ -29,7 +29,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "2.0.0-alpha"
 },
 {
 "fixed": "2.3.3"
@@ -37,6 +37,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "pxlrbt/filament-excel"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.14"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
@@ -48,6 +67,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42485"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pxlrbt/filament-excel/commit/af36f933b032aefccc87d17431b6e74673b04af5"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/pxlrbt/filament-excel/commit/bda42891a4b0c15d5dab5da8c53a006ddadccfb7"
@@ -55,6 +78,10 @@
 {
 "type": "PACKAGE",
 "url": "https://github.com/pxlrbt/filament-excel"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pxlrbt/filament-excel/releases/tag/v1.1.14"
 }
 ],
 "database_specific": {
From 223ff4d0a0ad39f493cf52a05d9fd6c211380f17 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 16 Sep 2024 15:01:57 +0000
Subject: [PATCH 094/170] Publish GHSA-wp7w-vx86-vj9h
---
 .../05/GHSA-wp7w-vx86-vj9h/GHSA-wp7w-vx86-vj9h.json | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/advisories/github-reviewed/2022/05/GHSA-wp7w-vx86-vj9h/GHSA-wp7w-vx86-vj9h.json b/advisories/github-reviewed/2022/05/GHSA-wp7w-vx86-vj9h/GHSA-wp7w-vx86-vj9h.json
index 59bc25833a8..9fb4994fac1 100644
--- a/advisories/github-reviewed/2022/05/GHSA-wp7w-vx86-vj9h/GHSA-wp7w-vx86-vj9h.json
+++ b/advisories/github-reviewed/2022/05/GHSA-wp7w-vx86-vj9h/GHSA-wp7w-vx86-vj9h.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wp7w-vx86-vj9h",
- "modified": "2023-07-21T21:42:33Z",
+ "modified": "2024-09-16T15:00:24Z",
 "published": "2022-05-13T01:34:58Z",
 "aliases": [
 "CVE-2018-10856"
@@ -12,13 +12,17 @@
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
 }
 ],
 "affected": [
 {
 "package": {
 "ecosystem": "Go",
- "name": "github.com/containers/podman/v4"
+ "name": "github.com/containers/podman"
 },
 "ranges": [
 {
@@ -51,6 +55,10 @@
 {
 "type": "WEB",
 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10856"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/containers/podman"
 }
 ],
 "database_specific": {
From 09afbd61ee66d6385ed15d567acd17e731a8cf84 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 16 Sep 2024 15:04:06 +0000
Subject: [PATCH 095/170] Publish Advisories GHSA-gff3-739c-gxfq GHSA-xw7c-jx9m-xh5g
---
 .../GHSA-gff3-739c-gxfq.json | 9 +++---
 .../GHSA-xw7c-jx9m-xh5g.json | 32 +++++++++++++++++--
 2 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/advisories/github-reviewed/2021/06/GHSA-gff3-739c-gxfq/GHSA-gff3-739c-gxfq.json b/advisories/github-reviewed/2021/06/GHSA-gff3-739c-gxfq/GHSA-gff3-739c-gxfq.json
index 14abe8ca5a3..80e7b7eeff9 100644
--- a/advisories/github-reviewed/2021/06/GHSA-gff3-739c-gxfq/GHSA-gff3-739c-gxfq.json
+++ b/advisories/github-reviewed/2021/06/GHSA-gff3-739c-gxfq/GHSA-gff3-739c-gxfq.json
@@ -1,13 +1,14 @@ { "schema_version": "1.4.0", "id": "GHSA-gff3-739c-gxfq", - "modified": "2021-06-09T20:39:24Z", + "modified": "2024-09-16T15:03:13Z", "published": "2021-06-10T17:22:59Z", + "withdrawn": "2024-09-16T15:02:24Z", "aliases": [ - "CVE-2021-32670" + ], - "summary": "Reflected cross-site scripting issue in Datasette", - "details": "Datasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.", + "summary": "Duplicate Advisory: Reflected cross-site scripting issue in Datasette", + "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xw7c-jx9m-xh5g. This link is maintained to preserve external references.\n\n## Original Description\nDatasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. 
This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.", "severity": [ { "type": "CVSS_V3", diff --git a/advisories/github-reviewed/2021/06/GHSA-xw7c-jx9m-xh5g/GHSA-xw7c-jx9m-xh5g.json b/advisories/github-reviewed/2021/06/GHSA-xw7c-jx9m-xh5g/GHSA-xw7c-jx9m-xh5g.json index 7c3515c3553..1218763b574 100644 --- a/advisories/github-reviewed/2021/06/GHSA-xw7c-jx9m-xh5g/GHSA-xw7c-jx9m-xh5g.json +++ b/advisories/github-reviewed/2021/06/GHSA-xw7c-jx9m-xh5g/GHSA-xw7c-jx9m-xh5g.json 
@@ -1,10 +1,10 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xw7c-jx9m-xh5g",
- "modified": "2021-10-05T17:23:33Z",
+ "modified": "2024-09-16T15:03:38Z",
 "published": "2021-06-07T21:47:41Z",
 "aliases": [
-
+ "CVE-2021-32670"
 ],
 "summary": "Reflected cross-site scripting issue in Datasette",
 "details": "### Impact\n\nThe `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability.\n\nThis vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) as an attacker could use the vulnerability to access protected data.\n\n### Patches\n\nDatasette 0.57 and 0.56.1 both include patches for this issue.\n\n### Workarounds\n\nIf you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.\n\n### References\n\n- [OWASP guide to reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks)\n- [Datasette issue #1360](https://github.com/simonw/datasette/issues/1360)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion in [simonw/datasette](https://github.com/simonw/datasette/discussions)\n* Email us at `swillison+datasette @ gmail.com`\n",
@@ -12,6 +12,10 @@
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
 }
 ],
 "affected": [
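Review bot: In GHSA-xw7c-jx9m-xh5g the added `CVSS_V4` vector sets `UI:P`, while the `CVSS_V3` vector kept as context just above it still says `UI:N`, so the two entries in the same `severity` array disagree on whether a victim has to act. The details text describes reflected XSS, which normally requires the victim to open a crafted link, so the V3 value looks like the stale one; if the curators agree, that line would become `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"`. Consumers that prioritise on a single vector will otherwise rank this advisory differently depending on which one they read.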
@@ -40,9 +44,33 @@
 "type": "WEB",
 "url": "https://github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/simonw/datasette/issues/1360"
+ },
+ {
+ "type": "WEB",
+ "url": "https://datasette.io/plugins/datasette-auth-passwords"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/advisories/GHSA-gff3-739c-gxfq"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/datasette/PYSEC-2021-89.yaml"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/simonw/datasette"
+ },
+ {
+ "type": "WEB",
+ "url": "https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pypi.org/project/datasette"
 }
 ],
 "database_specific": {
From c875ab8303aac2a9fc9399d2db9901abc10da774 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 16 Sep 2024 15:06:40 +0000
Subject: [PATCH 096/170] Publish GHSA-46v3-ggjg-qq3x
---
 .../06/GHSA-46v3-ggjg-qq3x/GHSA-46v3-ggjg-qq3x.json | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/advisories/github-reviewed/2023/06/GHSA-46v3-ggjg-qq3x/GHSA-46v3-ggjg-qq3x.json b/advisories/github-reviewed/2023/06/GHSA-46v3-ggjg-qq3x/GHSA-46v3-ggjg-qq3x.json
index 32968628a9b..2722307c138 100644
--- a/advisories/github-reviewed/2023/06/GHSA-46v3-ggjg-qq3x/GHSA-46v3-ggjg-qq3x.json
+++ b/advisories/github-reviewed/2023/06/GHSA-46v3-ggjg-qq3x/GHSA-46v3-ggjg-qq3x.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-46v3-ggjg-qq3x",
- "modified": "2023-06-06T01:59:54Z",
+ "modified": "2024-09-16T15:05:11Z",
 "published": "2023-06-06T01:59:54Z",
 "aliases": [
 "CVE-2022-43760"
@@ -12,13 +12,17 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" } ], "affected": [ { "package": { "ecosystem": "Go", - "name": "rancher/rancher" + "name": "github.com/rancher/rancher" }, "ranges": [ { @@ -37,7 +41,7 @@ { "package": { "ecosystem": "Go", - "name": "rancher/rancher" + "name": "github.com/rancher/rancher" }, "ranges": [ { @@ -84,7 +88,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": "HIGH", + "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-06-06T01:59:54Z", "nvd_published_at": "2023-06-01T13:15:10Z" From 281380c26cfea0249f865cbf26a02880156effeb Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 15:08:39 +0000 Subject: [PATCH 097/170] Publish Advisories GHSA-p976-h52c-26p6 GHSA-j6vv-vv26-rh7c --- .../06/GHSA-p976-h52c-26p6/GHSA-p976-h52c-26p6.json | 10 +++++++--- .../01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json | 12 ++++++++++-- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/advisories/github-reviewed/2023/06/GHSA-p976-h52c-26p6/GHSA-p976-h52c-26p6.json b/advisories/github-reviewed/2023/06/GHSA-p976-h52c-26p6/GHSA-p976-h52c-26p6.json index 835528d0b28..00aec7a0fd8 100644 --- a/advisories/github-reviewed/2023/06/GHSA-p976-h52c-26p6/GHSA-p976-h52c-26p6.json +++ b/advisories/github-reviewed/2023/06/GHSA-p976-h52c-26p6/GHSA-p976-h52c-26p6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-p976-h52c-26p6", - "modified": "2023-06-06T02:00:28Z", + "modified": "2024-09-16T15:07:40Z", "published": "2023-06-06T02:00:28Z", "aliases": [ "CVE-2023-22647" 
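Review bot: In the `@@ -84,7 +88,7 @@` hunk, `database_specific.severity` drops from `HIGH` to `MODERATE` while the CVSS_V3 vector `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H` is left untouched, and that vector still falls in the High band under v3.1. The label therefore seems to follow the newly added V4 vector, which moves all impact to the subsequent system (`VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`). That leaves one record with a V3 score and a severity label that contradict each other, and anyone gating on `severity` will silently deprioritise this Rancher XSS. Either the V3 vector should be revised to match the new assessment, or the label should remain `"severity": "HIGH"` until both vectors agree.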
@@ -12,13 +12,17 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" } ], "affected": [ { "package": { "ecosystem": "Go", - "name": "rancher/rancher" + "name": "github.com/rancher/rancher" }, "ranges": [ { @@ -37,7 +41,7 @@ { "package": { "ecosystem": "Go", - "name": "rancher/rancher" + "name": "github.com/rancher/rancher" }, "ranges": [ { diff --git a/advisories/github-reviewed/2024/01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json b/advisories/github-reviewed/2024/01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json index e241f600150..d5eec56bb56 100644 --- a/advisories/github-reviewed/2024/01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json +++ b/advisories/github-reviewed/2024/01/GHSA-j6vv-vv26-rh7c/GHSA-j6vv-vv26-rh7c.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j6vv-vv26-rh7c", - "modified": "2024-01-30T23:40:40Z", + "modified": "2024-09-16T15:06:33Z", "published": "2024-01-30T23:40:40Z", "aliases": [ "CVE-2020-10661" @@ -12,13 +12,17 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "Go", - "name": "github.com/hashicorp/vault/vault" + "name": "github.com/hashicorp/vault" }, "ranges": [ { @@ -44,6 +48,10 @@ "type": "WEB", "url": "https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a" }, + { + "type": "PACKAGE", + "url": "https://github.com/hashicorp/vault" + }, { "type": "WEB", "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020" From cf3642eaf40437ddbdccce37799d54b5bab8ffd1 Mon Sep 17 00:00:00 2001 
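Review bot: The CVSS_V4 vector added for GHSA-j6vv-vv26-rh7c (the `@@ -12,13 +12,17 @@` hunk of the Vault file) ends in `VC:H/VI:H/VA:H`, but the CVSS_V3 vector on the context line above it is `C:H/I:H/A:N`. That introduces an availability impact the existing assessment does not claim. Unless there is new evidence of availability loss, the V4 entry should mirror the V3 impact, i.e. `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"`. The same hunk also widens the package from `github.com/hashicorp/vault/vault` to the module root, which will match more importers, so an inflated score will spread further.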
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 15:30:40 +0000 Subject: [PATCH 098/170] Publish Advisories GHSA-cvp8-5r8g-fhvq GHSA-jw9c-mfg7-9rx2 --- .../2024/09/GHSA-cvp8-5r8g-fhvq/GHSA-cvp8-5r8g-fhvq.json | 6 +++++- .../2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2024/09/GHSA-cvp8-5r8g-fhvq/GHSA-cvp8-5r8g-fhvq.json b/advisories/github-reviewed/2024/09/GHSA-cvp8-5r8g-fhvq/GHSA-cvp8-5r8g-fhvq.json index 61638954c61..3e907561b5f 100644 --- a/advisories/github-reviewed/2024/09/GHSA-cvp8-5r8g-fhvq/GHSA-cvp8-5r8g-fhvq.json +++ b/advisories/github-reviewed/2024/09/GHSA-cvp8-5r8g-fhvq/GHSA-cvp8-5r8g-fhvq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cvp8-5r8g-fhvq", - "modified": "2024-09-12T13:53:00Z", + "modified": "2024-09-16T15:29:12Z", "published": "2024-09-11T21:08:26Z", "aliases": [ @@ -59,6 +59,10 @@ { "type": "PACKAGE", "url": "https://github.com/omniauth/omniauth-saml" + }, + { + "type": "WEB", + "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json b/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json index 500f3606405..e10dad76a9f 100644 --- a/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json +++ b/advisories/github-reviewed/2024/09/GHSA-jw9c-mfg7-9rx2/GHSA-jw9c-mfg7-9rx2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jw9c-mfg7-9rx2", - "modified": "2024-09-13T13:36:37Z", + "modified": "2024-09-16T15:29:25Z", "published": "2024-09-10T19:42:03Z", "aliases": [ "CVE-2024-45409" 
@@ -91,6 +91,10 @@ "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/CVE-2024-45409.yml" }, + { + "type": "WEB", + "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml" + }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2024-45409.yml" From fcac6824342a28f43a7a68c7edc0100dcea092ae Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 15:34:07 +0000 Subject: [PATCH 099/170] Publish Advisories GHSA-94rv-4qh8-r994 GHSA-29p8-776w-hr3v GHSA-gqhx-wxjr-rphx GHSA-8m6h-6qw7-f6cg GHSA-8q58-8vm2-mf3q GHSA-qvvr-wcmf-4v5h GHSA-v6cc-j2v5-w3jj GHSA-gj98-p2xm-q3hc GHSA-5777-rcjj-9p22 GHSA-gc2c-r5jf-whf8 GHSA-hg4p-55w9-888w GHSA-rh54-7qq9-x5v8 GHSA-w784-6hh8-995v GHSA-xgq9-7gw6-jr5r --- .../GHSA-94rv-4qh8-r994.json | 10 ++++- .../GHSA-29p8-776w-hr3v.json | 3 +- .../GHSA-gqhx-wxjr-rphx.json | 5 ++- .../GHSA-8m6h-6qw7-f6cg.json | 2 +- .../GHSA-8q58-8vm2-mf3q.json | 2 +- .../GHSA-qvvr-wcmf-4v5h.json | 1 + .../GHSA-v6cc-j2v5-w3jj.json | 3 +- .../GHSA-gj98-p2xm-q3hc.json | 3 +- .../GHSA-5777-rcjj-9p22.json | 38 +++++++++++++++++ .../GHSA-gc2c-r5jf-whf8.json | 42 +++++++++++++++++++ .../GHSA-hg4p-55w9-888w.json | 38 +++++++++++++++++ .../GHSA-rh54-7qq9-x5v8.json | 38 +++++++++++++++++ .../GHSA-w784-6hh8-995v.json | 38 +++++++++++++++++ .../GHSA-xgq9-7gw6-jr5r.json | 38 +++++++++++++++++ 14 files changed, 253 insertions(+), 8 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gc2c-r5jf-whf8/GHSA-gc2c-r5jf-whf8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-hg4p-55w9-888w/GHSA-hg4p-55w9-888w.json create mode 100644 advisories/unreviewed/2024/09/GHSA-rh54-7qq9-x5v8/GHSA-rh54-7qq9-x5v8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-w784-6hh8-995v/GHSA-w784-6hh8-995v.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xgq9-7gw6-jr5r/GHSA-xgq9-7gw6-jr5r.json diff --git a/advisories/unreviewed/2023/04/GHSA-94rv-4qh8-r994/GHSA-94rv-4qh8-r994.json b/advisories/unreviewed/2023/04/GHSA-94rv-4qh8-r994/GHSA-94rv-4qh8-r994.json index d5746962cc6..e6976d1abd7 100644 --- a/advisories/unreviewed/2023/04/GHSA-94rv-4qh8-r994/GHSA-94rv-4qh8-r994.json 
+++ b/advisories/unreviewed/2023/04/GHSA-94rv-4qh8-r994/GHSA-94rv-4qh8-r994.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-94rv-4qh8-r994", - "modified": "2023-04-21T06:30:17Z", + "modified": "2024-09-16T15:32:44Z", "published": "2023-04-14T12:30:23Z", "aliases": [ "CVE-2023-2042" @@ -11,6 +11,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" } ], "affected": [ @@ -32,6 +36,10 @@ { "type": "WEB", "url": "https://vuldb.com/?id.225920" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.109292" } ], "database_specific": { diff --git a/advisories/unreviewed/2023/06/GHSA-29p8-776w-hr3v/GHSA-29p8-776w-hr3v.json b/advisories/unreviewed/2023/06/GHSA-29p8-776w-hr3v/GHSA-29p8-776w-hr3v.json index 91aafb4658d..0171f709515 100644 --- a/advisories/unreviewed/2023/06/GHSA-29p8-776w-hr3v/GHSA-29p8-776w-hr3v.json +++ b/advisories/unreviewed/2023/06/GHSA-29p8-776w-hr3v/GHSA-29p8-776w-hr3v.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-787" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/06/GHSA-gqhx-wxjr-rphx/GHSA-gqhx-wxjr-rphx.json b/advisories/unreviewed/2023/06/GHSA-gqhx-wxjr-rphx/GHSA-gqhx-wxjr-rphx.json index 8941aa3d257..3f021ec6b04 100644 --- a/advisories/unreviewed/2023/06/GHSA-gqhx-wxjr-rphx/GHSA-gqhx-wxjr-rphx.json +++ b/advisories/unreviewed/2023/06/GHSA-gqhx-wxjr-rphx/GHSA-gqhx-wxjr-rphx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-gqhx-wxjr-rphx", - "modified": "2024-04-04T05:10:46Z", + "modified": "2024-09-16T15:32:44Z", "published": "2023-06-26T21:30:59Z", "aliases": [ "CVE-2023-2992" 
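Review bot: The CVSS_V4 vector added to GHSA-94rv-4qh8-r994 in the `@@ -11,6 +11,10 @@` hunk rates impact as `VC:L/VI:L/VA:L`, whereas the CVSS_V3 vector kept right above it is `C:H/I:H/A:H`. The two likely come from different scorers, but nothing in the record says which one is authoritative, so a consumer that prefers V4 and one that takes the highest score will disagree by more than one severity band. The vector also spells out every optional metric as `X` (not defined), which adds no information. The base form `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N` is equivalent and matches how the reviewed advisories in this series write it.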
@@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-400" + "CWE-400", + "CWE-405" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/11/GHSA-8m6h-6qw7-f6cg/GHSA-8m6h-6qw7-f6cg.json b/advisories/unreviewed/2023/11/GHSA-8m6h-6qw7-f6cg/GHSA-8m6h-6qw7-f6cg.json index fb73cc92c46..ee693f57f78 100644 --- a/advisories/unreviewed/2023/11/GHSA-8m6h-6qw7-f6cg/GHSA-8m6h-6qw7-f6cg.json +++ b/advisories/unreviewed/2023/11/GHSA-8m6h-6qw7-f6cg/GHSA-8m6h-6qw7-f6cg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8m6h-6qw7-f6cg", - "modified": "2023-11-03T15:33:55Z", + "modified": "2024-09-16T15:32:45Z", "published": "2023-11-03T15:33:55Z", "aliases": [ "CVE-2023-3961" diff --git a/advisories/unreviewed/2023/11/GHSA-8q58-8vm2-mf3q/GHSA-8q58-8vm2-mf3q.json b/advisories/unreviewed/2023/11/GHSA-8q58-8vm2-mf3q/GHSA-8q58-8vm2-mf3q.json index ec53ff3c9d8..7a2a51c45bc 100644 --- a/advisories/unreviewed/2023/11/GHSA-8q58-8vm2-mf3q/GHSA-8q58-8vm2-mf3q.json +++ b/advisories/unreviewed/2023/11/GHSA-8q58-8vm2-mf3q/GHSA-8q58-8vm2-mf3q.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8q58-8vm2-mf3q", - "modified": "2023-11-06T09:30:14Z", + "modified": "2024-09-16T15:32:45Z", "published": "2023-11-06T09:30:14Z", "aliases": [ "CVE-2023-42669" diff --git a/advisories/unreviewed/2024/01/GHSA-qvvr-wcmf-4v5h/GHSA-qvvr-wcmf-4v5h.json b/advisories/unreviewed/2024/01/GHSA-qvvr-wcmf-4v5h/GHSA-qvvr-wcmf-4v5h.json index 9135ce3356a..2dca04df191 100644 --- a/advisories/unreviewed/2024/01/GHSA-qvvr-wcmf-4v5h/GHSA-qvvr-wcmf-4v5h.json +++ b/advisories/unreviewed/2024/01/GHSA-qvvr-wcmf-4v5h/GHSA-qvvr-wcmf-4v5h.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-266", "CWE-269" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2024/01/GHSA-v6cc-j2v5-w3jj/GHSA-v6cc-j2v5-w3jj.json b/advisories/unreviewed/2024/01/GHSA-v6cc-j2v5-w3jj/GHSA-v6cc-j2v5-w3jj.json index ea1b620a635..6b38493959f 100644 
--- a/advisories/unreviewed/2024/01/GHSA-v6cc-j2v5-w3jj/GHSA-v6cc-j2v5-w3jj.json +++ b/advisories/unreviewed/2024/01/GHSA-v6cc-j2v5-w3jj/GHSA-v6cc-j2v5-w3jj.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-200" + "CWE-200", + "CWE-497" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/04/GHSA-gj98-p2xm-q3hc/GHSA-gj98-p2xm-q3hc.json b/advisories/unreviewed/2024/04/GHSA-gj98-p2xm-q3hc/GHSA-gj98-p2xm-q3hc.json index f4f5b38a794..365b16f4c19 100644 --- a/advisories/unreviewed/2024/04/GHSA-gj98-p2xm-q3hc/GHSA-gj98-p2xm-q3hc.json +++ b/advisories/unreviewed/2024/04/GHSA-gj98-p2xm-q3hc/GHSA-gj98-p2xm-q3hc.json @@ -28,7 +28,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-287" + "CWE-287", + "CWE-306" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json b/advisories/unreviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json new file mode 100644 index 00000000000..05eb2eb9e5d --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5777-rcjj-9p22", + "modified": "2024-09-16T15:32:46Z", + "published": "2024-09-16T15:32:46Z", + "aliases": [ + "CVE-2024-39772" + ], + "details": "Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39772" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T15:15:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-gc2c-r5jf-whf8/GHSA-gc2c-r5jf-whf8.json b/advisories/unreviewed/2024/09/GHSA-gc2c-r5jf-whf8/GHSA-gc2c-r5jf-whf8.json new file mode 100644 index 00000000000..ed3f72dbed1 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-gc2c-r5jf-whf8/GHSA-gc2c-r5jf-whf8.json 
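Review bot: This new record has an empty `affected` array although `details` names the product and range ("Mattermost Desktop App versions <=5.8.0"), so the version data exists only as free text. The same holds for the other five files created in this patch (GHSA-gc2c-r5jf-whf8, GHSA-hg4p-55w9-888w, GHSA-rh54-7qq9-x5v8, GHSA-w784-6hh8-995v, GHSA-xgq9-7gw6-jr5r). That is consistent with `"github_reviewed": false`, but dependency scanners that match on `affected[].package` and `ranges` will never raise these advisories, including the three labelled `CRITICAL`. Teams running the named products need to track them through the linked vendor or NVD pages until a reviewed entry with package ranges exists.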
@@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gc2c-r5jf-whf8", + "modified": "2024-09-16T15:32:46Z", + "published": "2024-09-16T15:32:46Z", + "aliases": [ + "CVE-2024-38315" + ], + "details": "IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38315" + }, + { + "type": "WEB", + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/294742" + }, + { + "type": "WEB", + "url": "https://www.ibm.com/support/pages/node/7168379" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-613" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T15:15:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-hg4p-55w9-888w/GHSA-hg4p-55w9-888w.json b/advisories/unreviewed/2024/09/GHSA-hg4p-55w9-888w/GHSA-hg4p-55w9-888w.json new file mode 100644 index 00000000000..9249268f592 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-hg4p-55w9-888w/GHSA-hg4p-55w9-888w.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hg4p-55w9-888w", + "modified": "2024-09-16T15:32:46Z", + "published": "2024-09-16T15:32:46Z", + "aliases": [ + "CVE-2024-6401" + ], + "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting InsureE GL allows SQL Injection.This issue affects InsureE GL: before 4.6.2.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6401" + }, + { + "type": "WEB", + "url": "https://www.usom.gov.tr/bildirim/tr-24-1475" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T15:15:17Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-rh54-7qq9-x5v8/GHSA-rh54-7qq9-x5v8.json b/advisories/unreviewed/2024/09/GHSA-rh54-7qq9-x5v8/GHSA-rh54-7qq9-x5v8.json new file mode 100644 index 00000000000..9d8d6d6fcb9 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-rh54-7qq9-x5v8/GHSA-rh54-7qq9-x5v8.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rh54-7qq9-x5v8", + "modified": "2024-09-16T15:32:47Z", + "published": "2024-09-16T15:32:46Z", + "aliases": [ + "CVE-2024-7098" + ], + "details": "Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection.This issue affects ww.Winsure: before 4.6.2.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7098" + }, + { + "type": "WEB", + "url": "https://www.usom.gov.tr/bildirim/tr-24-1475" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-611" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T15:15:17Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-w784-6hh8-995v/GHSA-w784-6hh8-995v.json b/advisories/unreviewed/2024/09/GHSA-w784-6hh8-995v/GHSA-w784-6hh8-995v.json new file mode 100644 index 00000000000..6bccad01146 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-w784-6hh8-995v/GHSA-w784-6hh8-995v.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w784-6hh8-995v", + "modified": "2024-09-16T15:32:47Z", + "published": "2024-09-16T15:32:47Z", + "aliases": [ + "CVE-2024-7104" + ], + "details": "Improper Control of Generation of Code ('Code Injection') vulnerability in SFS Consulting ww.Winsure allows Code Injection.This issue affects ww.Winsure: before 4.6.2.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7104" + }, + { + "type": "WEB", + "url": "https://www.usom.gov.tr/bildirim/tr-24-1475" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-94" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T15:15:17Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-xgq9-7gw6-jr5r/GHSA-xgq9-7gw6-jr5r.json b/advisories/unreviewed/2024/09/GHSA-xgq9-7gw6-jr5r/GHSA-xgq9-7gw6-jr5r.json new file mode 100644 index 00000000000..190adc63683 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-xgq9-7gw6-jr5r/GHSA-xgq9-7gw6-jr5r.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xgq9-7gw6-jr5r", + "modified": "2024-09-16T15:32:46Z", + "published": "2024-09-16T15:32:46Z", + "aliases": [ + "CVE-2024-45835" + ], + "details": "Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45835" + }, + { + "type": "WEB", + "url": "https://mattermost.com/security-updates" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-693" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T15:15:16Z" + } +} \ No newline at end of file From 75983a6a24b2eff040618fa3ba137d540044b07f Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 16:07:03 +0000 Subject: [PATCH 100/170] Publish GHSA-cj55-gc7m-wvcq --- .../GHSA-cj55-gc7m-wvcq.json | 44 ++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2024/08/GHSA-cj55-gc7m-wvcq/GHSA-cj55-gc7m-wvcq.json b/advisories/github-reviewed/2024/08/GHSA-cj55-gc7m-wvcq/GHSA-cj55-gc7m-wvcq.json index f3f73e933a0..d6596c7d6cc 100644 --- a/advisories/github-reviewed/2024/08/GHSA-cj55-gc7m-wvcq/GHSA-cj55-gc7m-wvcq.json +++ b/advisories/github-reviewed/2024/08/GHSA-cj55-gc7m-wvcq/GHSA-cj55-gc7m-wvcq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cj55-gc7m-wvcq", - "modified": "2024-08-26T15:54:18Z", + "modified": "2024-09-16T16:05:30Z", "published": "2024-08-26T00:30:54Z", "aliases": [ "CVE-2024-45258" 
@@ -37,6 +37,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/imroc/req" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.43.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/imroc/req/v2" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.43.4" + } + ] + } + ] } ], "references": [ @@ -55,6 +93,10 @@ { "type": "WEB", "url": "https://github.com/imroc/req/compare/v3.43.3...v3.43.4" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2024-3098" } ], "database_specific": { From 25b016226b6f04659237808a921366d0a0dbd6c0 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 16:09:11 +0000 Subject: [PATCH 101/170] Publish GHSA-9xcg-3q8v-7fq6 --- .../GHSA-9xcg-3q8v-7fq6.json | 30 +++++++++++++++---- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/advisories/github-reviewed/2024/09/GHSA-9xcg-3q8v-7fq6/GHSA-9xcg-3q8v-7fq6.json b/advisories/github-reviewed/2024/09/GHSA-9xcg-3q8v-7fq6/GHSA-9xcg-3q8v-7fq6.json index 1b9a88d34d9..bab723d27ff 100644 --- a/advisories/github-reviewed/2024/09/GHSA-9xcg-3q8v-7fq6/GHSA-9xcg-3q8v-7fq6.json +++ b/advisories/github-reviewed/2024/09/GHSA-9xcg-3q8v-7fq6/GHSA-9xcg-3q8v-7fq6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9xcg-3q8v-7fq6", - "modified": "2024-09-06T19:52:45Z", + "modified": "2024-09-16T16:07:15Z", "published": "2024-09-06T19:40:01Z", "aliases": [ "CVE-2024-45040" @@ -36,10 +36,26 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.10.0" - } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/consensys/gnark" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.11.0" + } + ] + } + ] } ], "references": [ 
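Review bot: The two `affected` entries added for `github.com/imroc/req` and `github.com/imroc/req/v2` in the `@@ -37,6 +37,44 @@` hunk both carry `"fixed": "3.43.4"`, a version those module paths cannot publish under Go's semantic import versioning. A `/v2` path only carries v2.x.y releases, and v3 releases live under a `/v3` path, presumably the entry just above this hunk. The ranges therefore mark every release of the two older paths as vulnerable, which may be intended, but they also tell tooling that an in-place upgrade to 3.43.4 exists. If all v0/v1/v2 releases are affected and unfixed, an open range such as `"events": [ { "introduced": "0" } ]` says that without suggesting an unreachable version. The remediation, migrating to the v3 import path, would then belong in `details`.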
@@ -62,6 +78,10 @@ { "type": "PACKAGE", "url": "https://github.com/Consensys/gnark" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2024-3123" } ], "database_specific": { From abb22da50c95155f6f3e05fd4e819972f06c583e Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 16:11:54 +0000 Subject: [PATCH 102/170] Publish GHSA-qwgc-rr35-h4x9 --- .../2024/09/GHSA-qwgc-rr35-h4x9/GHSA-qwgc-rr35-h4x9.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2024/09/GHSA-qwgc-rr35-h4x9/GHSA-qwgc-rr35-h4x9.json b/advisories/github-reviewed/2024/09/GHSA-qwgc-rr35-h4x9/GHSA-qwgc-rr35-h4x9.json index 6b9ae86e297..509f5bce84d 100644 --- a/advisories/github-reviewed/2024/09/GHSA-qwgc-rr35-h4x9/GHSA-qwgc-rr35-h4x9.json +++ b/advisories/github-reviewed/2024/09/GHSA-qwgc-rr35-h4x9/GHSA-qwgc-rr35-h4x9.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-qwgc-rr35-h4x9", - "modified": "2024-09-09T18:16:22Z", + "modified": "2024-09-16T16:10:29Z", "published": "2024-09-09T18:16:22Z", "aliases": [ "CVE-2024-45041" @@ -67,6 +67,10 @@ { "type": "WEB", "url": "https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2024-3126" } ], "database_specific": { From 922a54b84e6d554a7f9c334531b9f035950a9b6e Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 16:15:11 +0000 Subject: [PATCH 103/170] Publish GHSA-g5xx-c4hv-9ccc --- .../GHSA-g5xx-c4hv-9ccc.json | 44 ++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) 
diff --git a/advisories/github-reviewed/2024/09/GHSA-g5xx-c4hv-9ccc/GHSA-g5xx-c4hv-9ccc.json b/advisories/github-reviewed/2024/09/GHSA-g5xx-c4hv-9ccc/GHSA-g5xx-c4hv-9ccc.json index 8a2ed0e3e4c..a99282287ef 100644 --- a/advisories/github-reviewed/2024/09/GHSA-g5xx-c4hv-9ccc/GHSA-g5xx-c4hv-9ccc.json +++ b/advisories/github-reviewed/2024/09/GHSA-g5xx-c4hv-9ccc/GHSA-g5xx-c4hv-9ccc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g5xx-c4hv-9ccc", - "modified": "2024-09-03T20:03:08Z", + "modified": "2024-09-16T16:13:43Z", "published": "2024-09-03T20:03:08Z", "aliases": [ @@ -75,6 +75,44 @@ ] } ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/cometbft/cometbft" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.37.0" + }, + { + "fixed": "0.37.11" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/cometbft/cometbft" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.38.0" + }, + { + "fixed": "0.38.12" + } + ] + } + ] } ], "references": [ @@ -93,6 +131,10 @@ { "type": "PACKAGE", "url": "https://github.com/cometbft/cometbft" + }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2024-3112" } ], "database_specific": { From 0333f8e7b4fb50804c6d944509f8670b3bc51f9d Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 16:17:15 +0000 Subject: [PATCH 104/170] Publish GHSA-pv7h-hg6m-82j8 --- .../2024/09/GHSA-pv7h-hg6m-82j8/GHSA-pv7h-hg6m-82j8.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2024/09/GHSA-pv7h-hg6m-82j8/GHSA-pv7h-hg6m-82j8.json b/advisories/github-reviewed/2024/09/GHSA-pv7h-hg6m-82j8/GHSA-pv7h-hg6m-82j8.json index 0aad1ceaa10..b67e6540ba0 100644 --- a/advisories/github-reviewed/2024/09/GHSA-pv7h-hg6m-82j8/GHSA-pv7h-hg6m-82j8.json 
+++ b/advisories/github-reviewed/2024/09/GHSA-pv7h-hg6m-82j8/GHSA-pv7h-hg6m-82j8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pv7h-hg6m-82j8", - "modified": "2024-09-09T18:17:47Z", + "modified": "2024-09-16T16:15:43Z", "published": "2024-09-08T09:30:27Z", "aliases": [ "CVE-2024-8572" @@ -64,6 +64,10 @@ "type": "WEB", "url": "https://github.com/gouniverse/cms/releases/tag/v1.4.1" }, + { + "type": "WEB", + "url": "https://pkg.go.dev/vuln/GO-2024-3125" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.276802" From 286114d1594b0be79c5459c3e7fc13d99e9d3193 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 16:51:41 +0000 Subject: [PATCH 105/170] Publish GHSA-c2hm-mjxv-89r4 --- .../09/GHSA-c2hm-mjxv-89r4/GHSA-c2hm-mjxv-89r4.json | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/advisories/github-reviewed/2023/09/GHSA-c2hm-mjxv-89r4/GHSA-c2hm-mjxv-89r4.json b/advisories/github-reviewed/2023/09/GHSA-c2hm-mjxv-89r4/GHSA-c2hm-mjxv-89r4.json index 1be09fccf17..adcf748c433 100644 --- a/advisories/github-reviewed/2023/09/GHSA-c2hm-mjxv-89r4/GHSA-c2hm-mjxv-89r4.json +++ b/advisories/github-reviewed/2023/09/GHSA-c2hm-mjxv-89r4/GHSA-c2hm-mjxv-89r4.json 
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-c2hm-mjxv-89r4", - "modified": "2024-07-05T18:07:13Z", + "modified": "2024-09-16T16:50:14Z", "published": "2023-09-04T17:02:00Z", "aliases": [ ], "summary": "Multiple soundness issues in lexical", - "details": "`lexical` contains multiple soundness issues:\n\n 1. [Bytes::read() allows creating instances of types with invalid bit patterns](https://github.com/Alexhuszagh/rust-lexical/issues/102)\n 1. [BytesIter::read() advances iterators out of bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101)\n 1. [The `BytesIter` trait has safety invariants but is public and not marked `unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104)\n 1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/95)\n\nThe crate also has some correctness issues and appears to be unmaintained.\n\n## Alternatives\n\nFor quickly parsing floating-point numbers third-party crates are no longer needed. A fast float parsing algorithm by the author of `lexical` has been [merged](https://github.com/rust-lang/rust/pull/86761) into libcore.\n\nFor quickly parsing integers, consider `atoi` and `btoi` crates (100% safe code). `atoi_radix10` provides even faster parsing, but only with `-C target-cpu=native`, and at the cost of some `unsafe`.\n\nFor formatting integers in a `#[no_std]` context consider the [`numtoa`](https://crates.io/crates/numtoa) crate.\n\nFor working with big numbers consider `num-bigint` and `num-traits`.\n", + "details": "`lexical` contains multiple soundness issues:\n\n 1. [Bytes::read() allows creating instances of types with invalid bit patterns](https://github.com/Alexhuszagh/rust-lexical/issues/102)\n 1. [BytesIter::read() advances iterators out of bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101)\n 1. 
[The `BytesIter` trait has safety invariants but is public and not marked `unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104)\n 1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/95)\n1. [`radix()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/126)\n\nThe crate also has some correctness issues.\n\n## Alternatives\n\nFor quickly parsing floating-point numbers third-party crates are no longer needed. A fast float parsing algorithm by the author of `lexical` has been [merged](https://github.com/rust-lang/rust/pull/86761) into libcore.\n\nFor quickly parsing integers, consider `atoi` and `btoi` crates (100% safe code). `atoi_radix10` provides even faster parsing, but only with `-C target-cpu=native`, and at the cost of some `unsafe`.\n\nFor formatting integers in a `#[no_std]` context consider the [`numtoa`](https://crates.io/crates/numtoa) crate.\n\nFor working with big numbers consider `num-bigint` and `num-traits`.\n", "severity": [ ], @@ -25,11 +25,14 @@ "introduced": "0" }, { - "last_affected": "6.1.1" + "fixed": "7.0.0" } ] } - ] + ], + "database_specific": { + "last_known_affected_version_range": "<= 6.1.1" + } } ], "references": [ @@ -46,7 +49,7 @@ "cwe_ids": [ ], - "severity": "MODERATE", + "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-09-04T17:02:00Z", "nvd_published_at": null From b152e0a0a2ff518cfa2ec5844049a78446300e5b Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 16:55:33 +0000 Subject: [PATCH 106/170] Publish GHSA-whf4-fpj8-pgg8 --- .../06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
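Review bot: In GHSA-c2hm-mjxv-89r4.json the added `radix()` entry in `details` begins with `\n1.`, while the four entries before it begin with `\n 1.`, so the new item is not indented like the rest of the list and may render as a separate list; begin it with `\n 1.` as well. The phrase "which is is not allowed" is copied from the `write_float()` entry into the new one and should read "which is not allowed" in both. The last hunk of this file lowers `database_specific.severity` from `MODERATE` to `LOW` while the top-level `severity` array stays empty, so no vector documents the new rating; it is worth confirming that the downgrade is intended, since consumers that filter on a severity threshold will start skipping this record.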
diff --git a/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json b/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json index 1ea633805d3..149266bcc8a 100644 --- a/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json +++ b/advisories/github-reviewed/2024/06/GHSA-whf4-fpj8-pgg8/GHSA-whf4-fpj8-pgg8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-whf4-fpj8-pgg8", - "modified": "2024-06-07T21:54:40Z", + "modified": "2024-09-16T16:54:09Z", "published": "2024-06-07T21:31:54Z", "aliases": [ "CVE-2024-36827" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -47,6 +51,10 @@ { "type": "PACKAGE", "url": "https://github.com/dnkorpushov/ebookmeta" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ebookmeta/PYSEC-2024-76.yaml" } ], "database_specific": { From 70898c0904092c96e831ee8c3a6775464f6d78bc Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:18:47 +0000 Subject: [PATCH 107/170] Publish Advisories GHSA-rx9f-5ggv-5rh6 GHSA-vvqw-fqwx-mqmm --- .../GHSA-rx9f-5ggv-5rh6.json | 86 +++++++++++++++++++ .../GHSA-vvqw-fqwx-mqmm.json | 68 +++++++++++++++ 2 files changed, 154 insertions(+) create mode 100644 advisories/github-reviewed/2024/09/GHSA-rx9f-5ggv-5rh6/GHSA-rx9f-5ggv-5rh6.json create mode 100644 advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json diff --git a/advisories/github-reviewed/2024/09/GHSA-rx9f-5ggv-5rh6/GHSA-rx9f-5ggv-5rh6.json b/advisories/github-reviewed/2024/09/GHSA-rx9f-5ggv-5rh6/GHSA-rx9f-5ggv-5rh6.json new file mode 100644 index 00000000000..daedfdbdaf5 --- /dev/null 
+++ b/advisories/github-reviewed/2024/09/GHSA-rx9f-5ggv-5rh6/GHSA-rx9f-5ggv-5rh6.json 
@@ -0,0 +1,86 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rx9f-5ggv-5rh6",
+ "modified": "2024-09-16T17:17:20Z",
+ "published": "2024-09-16T17:17:20Z",
+ "aliases": [
+ "CVE-2024-32034"
+ ],
+ "summary": "Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log",
+ "details": "### Impact\nThe admin panel is subject to potential XSS attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. \n\n### Patches\n\nN/A\n\n### Workarounds\n\nRedirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. `/admin/organization/edit`)\n\n### References\n\nOWASP ASVS v4.0.3-5.1.3\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "RubyGems",
+ "name": "decidim-admin"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.27.7"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.27.6"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "RubyGems",
+ "name": "decidim-admin"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.28.0"
+ },
+ {
+ "fixed": "0.28.2"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.28.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/decidim/decidim"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T17:17:20Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
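Review bot: The `details` text says `### Patches\n\nN/A`, but the `affected` ranges in the same file carry `"fixed": "0.27.7"` and `"fixed": "0.28.2"`, so a reader who goes by the prose will apply only the redirect workaround and not upgrade. The Patches section should name the fixed releases, for example `### Patches\n\nFixed in 0.27.7 and 0.28.2`. The same contradiction is in GHSA-vvqw-fqwx-mqmm.json, which says N/A next to `"fixed": "0.27.7"` and a fix commit in `references`. "XSS attach" in the Impact paragraph should read "XSS attack".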
diff --git a/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json b/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json
new file mode 100644
index 00000000000..b09b85dd713
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vvqw-fqwx-mqmm",
+ "modified": "2024-09-16T17:17:54Z",
+ "published": "2024-09-16T17:17:54Z",
+ "aliases": [
+ "CVE-2024-39910"
+ ],
+ "summary": " Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin panel with QuillJS WYSWYG editor",
+ "details": "### Impact\n\nThe WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server.\n\nThe attacker is able to change e.g. to if they know how to craft these requests themselves. \n\n### Patches\n\nN/A\n\n### Workarounds\n\nReview the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it. \n\nDisable the \"Enable rich text editor for participants\" setting in the admin dashboard\n\n### References\n\nOWASP ASVS v4.0.3-5.1.3\n",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "RubyGems",
+ "name": "decidim"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.27.7"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.27.6"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/decidim/decidim"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T17:17:54Z",
+ "nvd_published_at": null
+ }
+}
\ No
newline at end of file From 99499cb76b4588ba73910d4d126e3c68e3d7ba09 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:20:51 +0000 Subject: [PATCH 108/170] Publish Advisories GHSA-fhr7-8jx4-r9cp GHSA-r4w2-hjmr-36m7 GHSA-2326-pfpj-vx3h GHSA-fhr7-8jx4-r9cp GHSA-r4w2-hjmr-36m7 --- .../GHSA-fhr7-8jx4-r9cp.json | 104 ++++++++++++++++++ .../GHSA-r4w2-hjmr-36m7.json | 104 ++++++++++++++++++ .../GHSA-2326-pfpj-vx3h.json | 82 ++++++++++++++ .../GHSA-fhr7-8jx4-r9cp.json | 50 --------- .../GHSA-r4w2-hjmr-36m7.json | 50 --------- 5 files changed, 290 insertions(+), 100 deletions(-) create mode 100644 advisories/github-reviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json create mode 100644 advisories/github-reviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json create mode 100644 advisories/github-reviewed/2024/09/GHSA-2326-pfpj-vx3h/GHSA-2326-pfpj-vx3h.json delete mode 100644 advisories/unreviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json delete mode 100644 advisories/unreviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json diff --git a/advisories/github-reviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json b/advisories/github-reviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json new file mode 100644 index 00000000000..eb680efaee9 --- /dev/null +++ b/advisories/github-reviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json 
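Review bot: In GHSA-vvqw-fqwx-mqmm.json the Impact paragraph reads "The attacker is able to change e.g. to if they know how to craft these requests themselves", which has lost the before/after example it refers to (presumably markup stripped on the way into the record), so the sentence no longer says what is changed and should be restored from the upstream advisory with the markup escaped. The two vectors disagree on attack complexity, `AC:H` in the `CVSS_V3` score and `AC:L` in the `CVSS_V4` score, and should be reconciled. The `affected` list has a single range ending at `"fixed": "0.27.7"` and no 0.28.x range, unlike the sibling advisory GHSA-rx9f-5ggv-5rh6; it is worth confirming that 0.28.x is really unaffected. `summary` also starts with a stray space, and "WYSWYG" should be "WYSIWYG".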
@@ -0,0 +1,104 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fhr7-8jx4-r9cp", + "modified": "2024-09-16T17:19:18Z", + "published": "2023-12-30T00:30:23Z", + "aliases": [ + "CVE-2023-3628" + ], + "summary": "Infinispan REST Server's bulk read endpoints do not properly evaluate user permissions", + "details": "A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-server-rest" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "15.0.0.Dev01" + }, + { + "fixed": "15.0.0.Dev04" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-server-rest" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "14.0.18.Final" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3628" + }, + { + "type": "WEB", + "url": "https://github.com/infinispan/infinispan/commit/70a50352d9195753a588d0fba8c2063b99f96263" + }, + { + "type": "WEB", + "url": "https://github.com/infinispan/infinispan/commit/b34488dcab8bdd4258972568b8405ee7111276ec" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2023:5396" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-3628" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217924" + }, + { + "type": "PACKAGE", + "url": "https://github.com/infinispan/infinispan" + }, + { + "type": "WEB", + "url": 
"https://security.netapp.com/advisory/ntap-20240125-0004" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-304" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T17:19:18Z", + "nvd_published_at": "2023-12-18T14:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json b/advisories/github-reviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json new file mode 100644 index 00000000000..79c0688b3a2 --- /dev/null +++ b/advisories/github-reviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json 
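Review bot: `cwe_ids` in GHSA-fhr7-8jx4-r9cp.json carries `CWE-304` (Missing Critical Step in Authentication), but the summary and details describe endpoints that do not evaluate permissions for an already authenticated user, which is an authorization failure. A missing or incorrect authorization class (`CWE-862` or `CWE-863`) looks like the better fit, assuming `CWE-304` was simply carried over from the unreviewed record, and it matters to anyone triaging by CWE. GHSA-r4w2-hjmr-36m7.json uses the same value. In that file `summary` also starts with a stray space, and `details` opens with "Infinispan's REST, Cache retrieval endpoints", where the comma should be a full stop as in this file.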
@@ -0,0 +1,104 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r4w2-hjmr-36m7", + "modified": "2024-09-16T17:19:37Z", + "published": "2023-12-30T00:30:23Z", + "aliases": [ + "CVE-2023-3629" + ], + "summary": " Infinispan REST Server's cache retrieval endpoints do not properly evaluate the necessary admin permissions", + "details": "A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-server-rest" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "15.0.0.Dev01" + }, + { + "fixed": "15.0.0.Dev04" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-server-rest" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "14.0.18.Final" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3629" + }, + { + "type": "WEB", + "url": "https://github.com/infinispan/infinispan/commit/11b3cb0f7ba68b73dd32f655ff3f3df842a0c6bd" + }, + { + "type": "WEB", + "url": "https://github.com/infinispan/infinispan/commit/1e3cc542336d2f49743ab8176ed6f1175e034c59" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2023:5396" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-3629" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217926" + }, + { + "type": "PACKAGE", + "url": "https://github.com/infinispan/infinispan" + 
}, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240125-0004" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-304" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T17:19:37Z", + "nvd_published_at": "2023-12-18T14:15:08Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/09/GHSA-2326-pfpj-vx3h/GHSA-2326-pfpj-vx3h.json b/advisories/github-reviewed/2024/09/GHSA-2326-pfpj-vx3h/GHSA-2326-pfpj-vx3h.json new file mode 100644 index 00000000000..d42498ee1fa --- /dev/null +++ b/advisories/github-reviewed/2024/09/GHSA-2326-pfpj-vx3h/GHSA-2326-pfpj-vx3h.json 
@@ -0,0 +1,82 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2326-pfpj-vx3h", + "modified": "2024-09-16T17:19:01Z", + "published": "2024-09-16T17:19:01Z", + "aliases": [ + + ], + "summary": "lexical-core has multiple soundness issues", + "details": "`RUSTSEC-2024-0377` contains multiple soundness issues:\n\n 1. [Bytes::read() allows creating instances of types with invalid bit patterns](https://github.com/Alexhuszagh/rust-lexical/issues/102)\n 1. [BytesIter::read() advances iterators out of bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101)\n 1. [The `BytesIter` trait has safety invariants but is public and not marked `unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104)\n 1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/95)\n 1. [`radix()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/126)\n\nVersion 1.0 fixes these issues, removes the vast majority of `unsafe` code, and also fixes some correctness issues.\n", + "severity": [ + + ], + "affected": [ + { + "package": { + "ecosystem": "crates.io", + "name": "lexical-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/Alexhuszagh/rust-lexical/issues/101" + }, + { + "type": "WEB", + "url": "https://github.com/Alexhuszagh/rust-lexical/issues/102" + }, + { + "type": "WEB", + "url": "https://github.com/Alexhuszagh/rust-lexical/issues/104" + }, + { + "type": "WEB", + "url": "https://github.com/Alexhuszagh/rust-lexical/issues/126" + }, + { + "type": "WEB", + "url": "https://github.com/Alexhuszagh/rust-lexical/issues/95" + }, + { + "type": "PACKAGE", + "url": 
"https://github.com/Alexhuszagh/rust-lexical" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-c2hm-mjxv-89r4" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0055" + }, + { + "type": "WEB", + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0086.html" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T17:19:01Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json b/advisories/unreviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json deleted file mode 100644 index 80c7bcd7ee8..00000000000 --- a/advisories/unreviewed/2023/12/GHSA-fhr7-8jx4-r9cp/GHSA-fhr7-8jx4-r9cp.json +++ /dev/null 
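Review bot: `details` in GHSA-2326-pfpj-vx3h.json opens with "`RUSTSEC-2024-0377` contains multiple soundness issues", which puts an advisory identifier where the affected crate should be named; going by `affected[0].package.name` it should read "`lexical-core` contains multiple soundness issues". That identifier is also missing from `references`, which list only RUSTSEC-2023-0055 and RUSTSEC-2023-0086; if RUSTSEC-2024-0377 is the upstream record for this crate, its URL belongs there so the advisory can be matched across databases. "which is is not allowed" appears in two list entries and should read "which is not allowed".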
@@ -1,50 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-fhr7-8jx4-r9cp",
- "modified": "2024-09-16T14:37:22Z",
- "published": "2023-12-30T00:30:23Z",
- "aliases": [
- "CVE-2023-3628"
- ],
- "details": "A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3628"
- },
- {
- "type": "WEB",
- "url": "https://access.redhat.com/errata/RHSA-2023:5396"
- },
- {
- "type": "WEB",
- "url": "https://access.redhat.com/security/cve/CVE-2023-3628"
- },
- {
- "type": "WEB",
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217924"
- },
- {
- "type": "WEB",
- "url": "https://security.netapp.com/advisory/ntap-20240125-0004"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-304"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-12-18T14:15:08Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json b/advisories/unreviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json
deleted file mode 100644
index 730c90b34f3..00000000000
--- a/advisories/unreviewed/2023/12/GHSA-r4w2-hjmr-36m7/GHSA-r4w2-hjmr-36m7.json
+++ /dev/null
@@ -1,50 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-r4w2-hjmr-36m7", - "modified": "2024-09-16T14:37:22Z", - "published": "2023-12-30T00:30:23Z", - "aliases": [ - "CVE-2023-3629" - ], - "details": "A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3629" - }, - { - "type": "WEB", - "url": "https://access.redhat.com/errata/RHSA-2023:5396" - }, - { - "type": "WEB", - "url": "https://access.redhat.com/security/cve/CVE-2023-3629" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217926" - }, - { - "type": "WEB", - "url": "https://security.netapp.com/advisory/ntap-20240125-0004" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-304" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2023-12-18T14:15:08Z" - } -} \ No newline at end of file From 231edf3c3c11b52b85ba5a575949f579c9e92291 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:22:59 +0000 Subject: [PATCH 109/170] Publish GHSA-4mp7-2m29-gqxf --- .../GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/advisories/github-reviewed/2024/01/GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json b/advisories/github-reviewed/2024/01/GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json index 3df1beb1e3e..70203b6f7de 100644 --- a/advisories/github-reviewed/2024/01/GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json 
+++ b/advisories/github-reviewed/2024/01/GHSA-4mp7-2m29-gqxf/GHSA-4mp7-2m29-gqxf.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4mp7-2m29-gqxf", - "modified": "2024-01-31T00:21:58Z", + "modified": "2024-09-16T17:21:31Z", "published": "2024-01-31T00:21:58Z", "aliases": [ "CVE-2020-16251" @@ -18,7 +18,7 @@ { "package": { "ecosystem": "Go", - "name": "github.com/hashicorp/vault/vault" + "name": "github.com/hashicorp/vault" }, "ranges": [ { @@ -37,7 +37,7 @@ { "package": { "ecosystem": "Go", - "name": "github.com/hashicorp/vault/vault" + "name": "github.com/hashicorp/vault" }, "ranges": [ { @@ -56,7 +56,7 @@ { "package": { "ecosystem": "Go", - "name": "github.com/hashicorp/vault/vault" + "name": "github.com/hashicorp/vault" }, "ranges": [ { @@ -75,7 +75,7 @@ { "package": { "ecosystem": "Go", - "name": "github.com/hashicorp/vault/vault" + "name": "github.com/hashicorp/vault" }, "ranges": [ { @@ -97,6 +97,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16251" }, + { + "type": "PACKAGE", + "url": "https://github.com/hashicorp/vault" + }, { "type": "WEB", "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151" From 25a3279989168e7d6a711d9e6723783ae262a332 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:25:02 +0000 Subject: [PATCH 110/170] Publish Advisories GHSA-66vw-v2x9-hw75 GHSA-m979-w9wj-qfj9 --- .../GHSA-66vw-v2x9-hw75.json | 25 ++++--------------- .../GHSA-m979-w9wj-qfj9.json | 12 +++++++-- 2 files changed, 15 insertions(+), 22 deletions(-) diff --git a/advisories/github-reviewed/2022/04/GHSA-66vw-v2x9-hw75/GHSA-66vw-v2x9-hw75.json b/advisories/github-reviewed/2022/04/GHSA-66vw-v2x9-hw75/GHSA-66vw-v2x9-hw75.json index f801ad67631..9582eed7dc2 100644 --- a/advisories/github-reviewed/2022/04/GHSA-66vw-v2x9-hw75/GHSA-66vw-v2x9-hw75.json 
+++ b/advisories/github-reviewed/2022/04/GHSA-66vw-v2x9-hw75/GHSA-66vw-v2x9-hw75.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-66vw-v2x9-hw75", - "modified": "2024-06-28T18:58:58Z", + "modified": "2024-09-16T17:22:51Z", "published": "2022-04-30T00:00:35Z", "aliases": [ "CVE-2022-1227" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -52,25 +56,6 @@ ] } ] - }, - { - "package": { - "ecosystem": "Go", - "name": "github.com/containers/psgo/internal/proc" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.7.2" - } - ] - } - ] } ], "references": [ diff --git a/advisories/github-reviewed/2024/01/GHSA-m979-w9wj-qfj9/GHSA-m979-w9wj-qfj9.json b/advisories/github-reviewed/2024/01/GHSA-m979-w9wj-qfj9/GHSA-m979-w9wj-qfj9.json index 70107cc5c97..ac3a4cf9d20 100644 --- a/advisories/github-reviewed/2024/01/GHSA-m979-w9wj-qfj9/GHSA-m979-w9wj-qfj9.json +++ b/advisories/github-reviewed/2024/01/GHSA-m979-w9wj-qfj9/GHSA-m979-w9wj-qfj9.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m979-w9wj-qfj9", - "modified": "2024-01-30T23:40:43Z", + "modified": "2024-09-16T17:23:48Z", "published": "2024-01-30T23:40:43Z", "aliases": [ "CVE-2020-10660" @@ -12,13 +12,17 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "Go", - "name": "github.com/hashicorp/vault/vault" + "name": "github.com/hashicorp/vault" }, "ranges": [ { 
@@ -48,6 +52,10 @@ "type": "WEB", "url": "https://github.com/hashicorp/vault/commit/18485ee9d4352ac8e8396c580b5941ccf8e5b31a" }, + { + "type": "PACKAGE", + "url": "https://github.com/hashicorp/vault" + }, { "type": "WEB", "url": "https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020" From 1c28c3242d91f9fe79f6386f90900c5540d6482e Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:34:53 +0000 Subject: [PATCH 111/170] Publish GHSA-4pwp-cx67-5cpx --- .../GHSA-4pwp-cx67-5cpx.json | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/advisories/github-reviewed/2024/01/GHSA-4pwp-cx67-5cpx/GHSA-4pwp-cx67-5cpx.json b/advisories/github-reviewed/2024/01/GHSA-4pwp-cx67-5cpx/GHSA-4pwp-cx67-5cpx.json index 21b0d4b1d1d..e965125cc0f 100644 --- a/advisories/github-reviewed/2024/01/GHSA-4pwp-cx67-5cpx/GHSA-4pwp-cx67-5cpx.json +++ b/advisories/github-reviewed/2024/01/GHSA-4pwp-cx67-5cpx/GHSA-4pwp-cx67-5cpx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4pwp-cx67-5cpx", - "modified": "2024-01-31T23:11:17Z", + "modified": "2024-09-16T17:33:27Z", "published": "2024-01-31T23:11:17Z", "aliases": [ "CVE-2019-19499" @@ -12,13 +12,17 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" } ], "affected": [ { "package": { "ecosystem": "Go", - "name": "github.com/grafana/grafana/pkg/tsdb/mysql" + "name": "github.com/grafana/grafana" }, "ranges": [ { 
@@ -44,6 +48,14 @@ "type": "WEB", "url": "https://github.com/grafana/grafana/pull/20192" }, + { + "type": "WEB", + "url": "https://github.com/grafana/grafana/commit/19dbd27c5caa1a160bd5854b65a4e1fe2a8a4f00" + }, + { + "type": "PACKAGE", + "url": "https://github.com/grafana/grafana" + }, { "type": "WEB", "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#644-2019-11-06" @@ -51,10 +63,6 @@ { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200918-0003" - }, - { - "type": "WEB", - "url": "https://swarm.ptsecurity.com/grafana-6-4-3-arbitrary-file-read" } ], "database_specific": { From f154ef070df198cb1a6cdba35f51ea3fe8872f64 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 18:27:43 +0000 Subject: [PATCH 112/170] Publish Advisories GHSA-6pxh-2557-5cj5 GHSA-6pxh-2557-5cj5 --- .../GHSA-6pxh-2557-5cj5.json | 158 ++++++++++++++++++ .../GHSA-6pxh-2557-5cj5.json | 38 ----- 2 files changed, 158 insertions(+), 38 deletions(-) create mode 100644 advisories/github-reviewed/2024/08/GHSA-6pxh-2557-5cj5/GHSA-6pxh-2557-5cj5.json delete mode 100644 advisories/unreviewed/2024/08/GHSA-6pxh-2557-5cj5/GHSA-6pxh-2557-5cj5.json diff --git a/advisories/github-reviewed/2024/08/GHSA-6pxh-2557-5cj5/GHSA-6pxh-2557-5cj5.json b/advisories/github-reviewed/2024/08/GHSA-6pxh-2557-5cj5/GHSA-6pxh-2557-5cj5.json new file mode 100644 index 00000000000..8f5672e2a45 --- /dev/null +++ b/advisories/github-reviewed/2024/08/GHSA-6pxh-2557-5cj5/GHSA-6pxh-2557-5cj5.json 
@@ -0,0 +1,158 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6pxh-2557-5cj5",
+ "modified": "2024-09-16T18:26:41Z",
+ "published": "2024-08-14T12:35:02Z",
+ "aliases": [
+ "CVE-2024-39406"
+ ],
+ "summary": "Magento Open Source Path Traversal vulnerability",
+ "details": "Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exploitation of this issue does not require user interaction and scope is changed.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.7-p1"
+ },
+ {
+ "fixed": "2.4.7-p2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.7"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.6-p1"
+ },
+ {
+ "fixed": "2.4.6-p7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.6"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.5-p1"
+ },
+ {
+ "fixed": "2.4.5-p9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.5"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.4-p10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.4"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39406"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/magento/magento2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T18:26:14Z",
+ "nvd_published_at": "2024-08-14T12:15:26Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/08/GHSA-6pxh-2557-5cj5/GHSA-6pxh-2557-5cj5.json b/advisories/unreviewed/2024/08/GHSA-6pxh-2557-5cj5/GHSA-6pxh-2557-5cj5.json
deleted file mode 100644
index 43e8a68dce7..00000000000
--- a/advisories/unreviewed/2024/08/GHSA-6pxh-2557-5cj5/GHSA-6pxh-2557-5cj5.json
+++ /dev/null
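Review bot: The added `CVSS_V4` vector in the new GHSA-6pxh-2557-5cj5 file sets `VC:N/VI:N/VA:N` with `SC:H`, so it records no confidentiality impact on the vulnerable system, while `details` describes an arbitrary file system read and the `CVSS_V3` vector carries `S:C/C:H`. If the files an attacker can read belong to the host running Magento, the v4 impact would be expected on the vulnerable system as `VC:H`, possibly alongside `SC:H`; this should be confirmed against the vendor bulletin listed in `references`. Consumers that rank by the v4 score may otherwise place this entry lower than its v3.1 rating suggests.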
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-6pxh-2557-5cj5",
- "modified": "2024-08-14T12:35:02Z",
- "published": "2024-08-14T12:35:02Z",
- "aliases": [
- "CVE-2024-39406"
- ],
- "details": "Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exploitation of this issue does not require user interaction and scope is changed.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39406"
- },
- {
- "type": "WEB",
- "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-22"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2024-08-14T12:15:26Z"
- }
-}
\ No newline at end of file
From 319cb9e9fcaba3acd365de0601526ae6c0be770f Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 18:32:53 +0000 Subject: [PATCH 113/170] Advisory Database Sync --- .../GHSA-843j-8fp3-h6f6.json | 2 +- .../GHSA-x568-473g-qj6x.json | 2 +- .../GHSA-5m5r-69xr-2fx8.json | 14 +++++- .../GHSA-6ggq-gv3v-v28c.json | 2 +- .../GHSA-9v5c-3867-7h2w.json | 10 +++- .../GHSA-wg6r-fv2h-h7xm.json | 2 +- .../GHSA-c83p-m9mw-q96q.json | 2 +- .../GHSA-v7hq-gmm8-4vwh.json | 2 +- .../GHSA-3x7j-9p25-v8r6.json | 2 +- .../GHSA-4297-gpxg-66rx.json | 2 +- .../GHSA-59pc-fqhf-v493.json | 2 +- .../GHSA-c492-fr35-c3wf.json | 2 +- .../GHSA-fw34-gjff-gr9g.json | 2 +- .../GHSA-gq4c-x6cg-qppv.json | 2 +- .../GHSA-grrp-hf9w-3vjm.json | 2 +- .../GHSA-m9rj-w763-3x3j.json | 2 +- .../GHSA-w25v-58xw-9xcx.json | 2 +- .../GHSA-2c2j-2pgv-gfgc.json | 2 +- .../GHSA-7635-x5f9-5458.json | 2 +- .../GHSA-9vh7-c87x-8q9v.json | 2 +- .../GHSA-gg57-587f-h5v6.json | 2 +- .../GHSA-45hh-rj6v-548f.json | 2 +- .../GHSA-rj56-mm47-cqp3.json | 1 + .../GHSA-34h3-77mg-mfgh.json | 42 ++++++++++++++++ .../GHSA-3frm-3q2w-pp83.json | 42 ++++++++++++++++ .../GHSA-3x4g-4374-v83h.json | 11 ++-- .../GHSA-5wmr-r266-pc3m.json | 42 ++++++++++++++++ .../GHSA-6qq3-v7mp-wx7q.json | 11 ++-- .../GHSA-77rm-8jvr-hfgm.json | 42 ++++++++++++++++ .../GHSA-7c78-g5wc-hcch.json | 38 ++++++++++++++ .../GHSA-7whw-68xg-fr5c.json | 43 ++++++++++++++++ .../GHSA-899w-w5qq-hg5v.json | 42 ++++++++++++++++ .../GHSA-8q6q-j6wg-846f.json | 38 ++++++++++++++ .../GHSA-9g66-w5hj-vhx4.json | 11 ++-- .../GHSA-9v23-3rf5-vx8j.json | 38 ++++++++++++++ .../GHSA-c7c7-8frm-jcmp.json | 42 ++++++++++++++++ .../GHSA-gjx4-p4f2-33wq.json | 42 ++++++++++++++++ .../GHSA-gpvf-6hpf-4f9h.json | 11 ++-- .../GHSA-gw2j-g839-3547.json | 38 ++++++++++++++ .../GHSA-h2w5-3v43-j5c8.json | 38 ++++++++++++++ .../GHSA-j7q4-4r7g-3jf4.json | 6 ++- .../GHSA-jx9q-9xj3-cp3g.json | 1 + .../GHSA-m5wh-wcvg-3f5f.json | 42 ++++++++++++++++ .../GHSA-p47w-6xhw-hhxj.json | 11 ++-- 
.../GHSA-p4m2-q7r3-j2h5.json | 38 ++++++++++++++ .../GHSA-p5c4-rjq3-8654.json | 38 ++++++++++++++ .../GHSA-pcx7-83rx-78c2.json | 42 ++++++++++++++++ .../GHSA-pppq-wphf-gg65.json | 38 ++++++++++++++ .../GHSA-q74x-f8wx-jrgv.json | 11 ++-- .../GHSA-r3xc-mh5x-gjfq.json | 42 ++++++++++++++++ .../GHSA-rq4p-jrjr-m4mq.json | 38 ++++++++++++++ .../GHSA-v3gc-cff3-2vg3.json | 11 ++-- .../GHSA-v63p-x2p8-f754.json | 42 ++++++++++++++++ .../GHSA-vpc7-hmh5-3wx6.json | 42 ++++++++++++++++ .../GHSA-vrj2-p3r5-2mq6.json | 38 ++++++++++++++ .../GHSA-vw3f-8r5j-7wqm.json | 39 +++++++++++++++ .../GHSA-xjwh-3rm6-w25h.json | 11 ++-- .../GHSA-xmxj-v2q8-8qx6.json | 50 +++++++++++++++++++ .../GHSA-xp7v-r3c8-pp3w.json | 42 ++++++++++++++++ .../GHSA-xr4c-mmrv-3h6c.json | 9 ++-- 60 files changed, 1169 insertions(+), 58 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-34h3-77mg-mfgh/GHSA-34h3-77mg-mfgh.json create mode 100644 advisories/unreviewed/2024/09/GHSA-3frm-3q2w-pp83/GHSA-3frm-3q2w-pp83.json create mode 100644 advisories/unreviewed/2024/09/GHSA-5wmr-r266-pc3m/GHSA-5wmr-r266-pc3m.json create mode 100644 advisories/unreviewed/2024/09/GHSA-77rm-8jvr-hfgm/GHSA-77rm-8jvr-hfgm.json create mode 100644 advisories/unreviewed/2024/09/GHSA-7c78-g5wc-hcch/GHSA-7c78-g5wc-hcch.json create mode 100644 advisories/unreviewed/2024/09/GHSA-7whw-68xg-fr5c/GHSA-7whw-68xg-fr5c.json create mode 100644 advisories/unreviewed/2024/09/GHSA-899w-w5qq-hg5v/GHSA-899w-w5qq-hg5v.json create mode 100644 advisories/unreviewed/2024/09/GHSA-8q6q-j6wg-846f/GHSA-8q6q-j6wg-846f.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9v23-3rf5-vx8j/GHSA-9v23-3rf5-vx8j.json create mode 100644 advisories/unreviewed/2024/09/GHSA-c7c7-8frm-jcmp/GHSA-c7c7-8frm-jcmp.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gjx4-p4f2-33wq/GHSA-gjx4-p4f2-33wq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gw2j-g839-3547/GHSA-gw2j-g839-3547.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-h2w5-3v43-j5c8/GHSA-h2w5-3v43-j5c8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-m5wh-wcvg-3f5f/GHSA-m5wh-wcvg-3f5f.json create mode 100644 advisories/unreviewed/2024/09/GHSA-p4m2-q7r3-j2h5/GHSA-p4m2-q7r3-j2h5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-p5c4-rjq3-8654/GHSA-p5c4-rjq3-8654.json create mode 100644 advisories/unreviewed/2024/09/GHSA-pcx7-83rx-78c2/GHSA-pcx7-83rx-78c2.json create mode 100644 advisories/unreviewed/2024/09/GHSA-pppq-wphf-gg65/GHSA-pppq-wphf-gg65.json create mode 100644 advisories/unreviewed/2024/09/GHSA-r3xc-mh5x-gjfq/GHSA-r3xc-mh5x-gjfq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-rq4p-jrjr-m4mq/GHSA-rq4p-jrjr-m4mq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-v63p-x2p8-f754/GHSA-v63p-x2p8-f754.json create mode 100644 advisories/unreviewed/2024/09/GHSA-vpc7-hmh5-3wx6/GHSA-vpc7-hmh5-3wx6.json create mode 100644 advisories/unreviewed/2024/09/GHSA-vrj2-p3r5-2mq6/GHSA-vrj2-p3r5-2mq6.json create mode 100644 advisories/unreviewed/2024/09/GHSA-vw3f-8r5j-7wqm/GHSA-vw3f-8r5j-7wqm.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xp7v-r3c8-pp3w/GHSA-xp7v-r3c8-pp3w.json diff --git a/advisories/unreviewed/2022/03/GHSA-843j-8fp3-h6f6/GHSA-843j-8fp3-h6f6.json b/advisories/unreviewed/2022/03/GHSA-843j-8fp3-h6f6/GHSA-843j-8fp3-h6f6.json index f82dfcb04f5..bedd390b97b 100644 --- a/advisories/unreviewed/2022/03/GHSA-843j-8fp3-h6f6/GHSA-843j-8fp3-h6f6.json +++ b/advisories/unreviewed/2022/03/GHSA-843j-8fp3-h6f6/GHSA-843j-8fp3-h6f6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-843j-8fp3-h6f6", - "modified": "2023-02-12T00:30:24Z", + "modified": "2024-09-16T18:31:17Z", "published": "2022-03-19T00:00:59Z", "aliases": [ "CVE-2021-23150" 
diff --git a/advisories/unreviewed/2022/04/GHSA-x568-473g-qj6x/GHSA-x568-473g-qj6x.json b/advisories/unreviewed/2022/04/GHSA-x568-473g-qj6x/GHSA-x568-473g-qj6x.json
index 9c06553daac..174a14947b4 100644
--- a/advisories/unreviewed/2022/04/GHSA-x568-473g-qj6x/GHSA-x568-473g-qj6x.json
+++ b/advisories/unreviewed/2022/04/GHSA-x568-473g-qj6x/GHSA-x568-473g-qj6x.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x568-473g-qj6x",
- "modified": "2022-05-07T00:01:00Z",
+ "modified": "2024-09-16T18:31:17Z",
 "published": "2022-04-28T00:00:29Z",
 "aliases": [
 "CVE-2022-22521"
diff --git a/advisories/unreviewed/2022/05/GHSA-5m5r-69xr-2fx8/GHSA-5m5r-69xr-2fx8.json b/advisories/unreviewed/2022/05/GHSA-5m5r-69xr-2fx8/GHSA-5m5r-69xr-2fx8.json
index 5a90198b5cd..1a206442727 100644
--- a/advisories/unreviewed/2022/05/GHSA-5m5r-69xr-2fx8/GHSA-5m5r-69xr-2fx8.json
+++ b/advisories/unreviewed/2022/05/GHSA-5m5r-69xr-2fx8/GHSA-5m5r-69xr-2fx8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5m5r-69xr-2fx8",
- "modified": "2022-05-02T03:51:53Z",
+ "modified": "2024-09-16T18:31:17Z",
 "published": "2022-05-02T03:51:53Z",
 "aliases": [
 "CVE-2009-4117"
@@ -18,6 +18,18 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-4117"
 },
+ {
+ "type": "WEB",
+ "url": "https://bugs.ghostscript.com/show_bug.cgi?id=708030"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=a21cc1548993c392e474817bb3d656eb3730d88f"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=cf6860c3d70a2f7a63cdb621cc3b58c891915deb"
+ },
 {
 "type": "WEB",
 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54441"
diff --git a/advisories/unreviewed/2022/05/GHSA-6ggq-gv3v-v28c/GHSA-6ggq-gv3v-v28c.json b/advisories/unreviewed/2022/05/GHSA-6ggq-gv3v-v28c/GHSA-6ggq-gv3v-v28c.json
index a811f58c177..f9ff9d443b0 100644
--- a/advisories/unreviewed/2022/05/GHSA-6ggq-gv3v-v28c/GHSA-6ggq-gv3v-v28c.json
+++ b/advisories/unreviewed/2022/05/GHSA-6ggq-gv3v-v28c/GHSA-6ggq-gv3v-v28c.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6ggq-gv3v-v28c",
- "modified": "2023-03-17T06:30:34Z",
+ "modified": "2024-09-16T18:31:17Z",
 "published": "2022-05-24T22:28:18Z",
 "aliases": [
 "CVE-2020-5367"
diff --git a/advisories/unreviewed/2022/05/GHSA-9v5c-3867-7h2w/GHSA-9v5c-3867-7h2w.json b/advisories/unreviewed/2022/05/GHSA-9v5c-3867-7h2w/GHSA-9v5c-3867-7h2w.json
index 0689a39ef7a..6caecc0b1de 100644
--- a/advisories/unreviewed/2022/05/GHSA-9v5c-3867-7h2w/GHSA-9v5c-3867-7h2w.json
+++ b/advisories/unreviewed/2022/05/GHSA-9v5c-3867-7h2w/GHSA-9v5c-3867-7h2w.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9v5c-3867-7h2w",
- "modified": "2024-09-12T18:31:38Z",
+ "modified": "2024-09-16T18:31:17Z",
 "published": "2022-05-14T01:00:37Z",
 "aliases": [
 "CVE-2018-19881"
@@ -25,10 +25,18 @@
 "type": "WEB",
 "url": "https://bugs.ghostscript.com/show_bug.cgi?id=700342"
 },
+ {
+ "type": "WEB",
+ "url": "https://bugs.ghostscript.com/show_bug.cgi?id=700442"
+ },
 {
 "type": "WEB",
 "url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=a7f7d91cdff8d303c11d458fa8b802776f73c8cc"
 },
+ {
+ "type": "WEB",
+ "url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=c8f7e48ff74720a5e984ae19d978a5ab4d5dde5b"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/TeamSeri0us/pocs/tree/master/mupdf/20181203"
diff --git a/advisories/unreviewed/2022/05/GHSA-wg6r-fv2h-h7xm/GHSA-wg6r-fv2h-h7xm.json b/advisories/unreviewed/2022/05/GHSA-wg6r-fv2h-h7xm/GHSA-wg6r-fv2h-h7xm.json
index 533362bd31e..af0cbdad0b6 100644
--- a/advisories/unreviewed/2022/05/GHSA-wg6r-fv2h-h7xm/GHSA-wg6r-fv2h-h7xm.json
+++ b/advisories/unreviewed/2022/05/GHSA-wg6r-fv2h-h7xm/GHSA-wg6r-fv2h-h7xm.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wg6r-fv2h-h7xm",
- "modified": "2022-05-24T19:03:03Z",
+ "modified": "2024-09-16T18:31:17Z",
 "published": "2022-05-24T19:03:03Z",
 "aliases": [
 "CVE-2021-3485"
diff --git a/advisories/unreviewed/2022/11/GHSA-c83p-m9mw-q96q/GHSA-c83p-m9mw-q96q.json b/advisories/unreviewed/2022/11/GHSA-c83p-m9mw-q96q/GHSA-c83p-m9mw-q96q.json
index c1d89da26f0..ee85135fa5a 100644
--- a/advisories/unreviewed/2022/11/GHSA-c83p-m9mw-q96q/GHSA-c83p-m9mw-q96q.json
+++ b/advisories/unreviewed/2022/11/GHSA-c83p-m9mw-q96q/GHSA-c83p-m9mw-q96q.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c83p-m9mw-q96q",
- "modified": "2022-12-02T00:30:25Z",
+ "modified": "2024-09-16T18:31:17Z",
 "published": "2022-11-28T18:30:17Z",
 "aliases": [
 "CVE-2021-45036"
diff --git a/advisories/unreviewed/2023/01/GHSA-v7hq-gmm8-4vwh/GHSA-v7hq-gmm8-4vwh.json b/advisories/unreviewed/2023/01/GHSA-v7hq-gmm8-4vwh/GHSA-v7hq-gmm8-4vwh.json
index 3ec19151c93..40da50482bb 100644
--- a/advisories/unreviewed/2023/01/GHSA-v7hq-gmm8-4vwh/GHSA-v7hq-gmm8-4vwh.json
+++ b/advisories/unreviewed/2023/01/GHSA-v7hq-gmm8-4vwh/GHSA-v7hq-gmm8-4vwh.json
@@ -28,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-306"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2023/04/GHSA-3x7j-9p25-v8r6/GHSA-3x7j-9p25-v8r6.json b/advisories/unreviewed/2023/04/GHSA-3x7j-9p25-v8r6/GHSA-3x7j-9p25-v8r6.json
index b2c447de033..03a12de74d8 100644
--- a/advisories/unreviewed/2023/04/GHSA-3x7j-9p25-v8r6/GHSA-3x7j-9p25-v8r6.json
+++ b/advisories/unreviewed/2023/04/GHSA-3x7j-9p25-v8r6/GHSA-3x7j-9p25-v8r6.json
@@ -32,7 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-284"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2023/04/GHSA-4297-gpxg-66rx/GHSA-4297-gpxg-66rx.json b/advisories/unreviewed/2023/04/GHSA-4297-gpxg-66rx/GHSA-4297-gpxg-66rx.json
index 9fdacb0e662..36326f7a4a2 100644
--- a/advisories/unreviewed/2023/04/GHSA-4297-gpxg-66rx/GHSA-4297-gpxg-66rx.json
+++ b/advisories/unreviewed/2023/04/GHSA-4297-gpxg-66rx/GHSA-4297-gpxg-66rx.json
@@ -28,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-269"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2023/04/GHSA-59pc-fqhf-v493/GHSA-59pc-fqhf-v493.json b/advisories/unreviewed/2023/04/GHSA-59pc-fqhf-v493/GHSA-59pc-fqhf-v493.json
index 5a3a3ce07ac..87f108ca87c 100644
--- a/advisories/unreviewed/2023/04/GHSA-59pc-fqhf-v493/GHSA-59pc-fqhf-v493.json
+++ b/advisories/unreviewed/2023/04/GHSA-59pc-fqhf-v493/GHSA-59pc-fqhf-v493.json
@@ -28,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-306"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2023/04/GHSA-c492-fr35-c3wf/GHSA-c492-fr35-c3wf.json b/advisories/unreviewed/2023/04/GHSA-c492-fr35-c3wf/GHSA-c492-fr35-c3wf.json
index 5b91d18d28f..b286f988b7c 100644
--- a/advisories/unreviewed/2023/04/GHSA-c492-fr35-c3wf/GHSA-c492-fr35-c3wf.json
+++ b/advisories/unreviewed/2023/04/GHSA-c492-fr35-c3wf/GHSA-c492-fr35-c3wf.json
@@ -28,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-400"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2023/04/GHSA-fw34-gjff-gr9g/GHSA-fw34-gjff-gr9g.json b/advisories/unreviewed/2023/04/GHSA-fw34-gjff-gr9g/GHSA-fw34-gjff-gr9g.json
index 0bac38926bb..879f8718642 100644
--- a/advisories/unreviewed/2023/04/GHSA-fw34-gjff-gr9g/GHSA-fw34-gjff-gr9g.json
+++ b/advisories/unreviewed/2023/04/GHSA-fw34-gjff-gr9g/GHSA-fw34-gjff-gr9g.json
@@ -28,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-400"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2023/04/GHSA-gq4c-x6cg-qppv/GHSA-gq4c-x6cg-qppv.json b/advisories/unreviewed/2023/04/GHSA-gq4c-x6cg-qppv/GHSA-gq4c-x6cg-qppv.json
index 52c7867c527..169769e7b9a 100644
--- a/advisories/unreviewed/2023/04/GHSA-gq4c-x6cg-qppv/GHSA-gq4c-x6cg-qppv.json
+++ b/advisories/unreviewed/2023/04/GHSA-gq4c-x6cg-qppv/GHSA-gq4c-x6cg-qppv.json
@@ -28,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-269"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2023/04/GHSA-grrp-hf9w-3vjm/GHSA-grrp-hf9w-3vjm.json b/advisories/unreviewed/2023/04/GHSA-grrp-hf9w-3vjm/GHSA-grrp-hf9w-3vjm.json
index 8b762e4253a..a5e79bc9c9e 100644
--- a/advisories/unreviewed/2023/04/GHSA-grrp-hf9w-3vjm/GHSA-grrp-hf9w-3vjm.json
+++ b/advisories/unreviewed/2023/04/GHSA-grrp-hf9w-3vjm/GHSA-grrp-hf9w-3vjm.json
@@ -28,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-284"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2023/04/GHSA-m9rj-w763-3x3j/GHSA-m9rj-w763-3x3j.json b/advisories/unreviewed/2023/04/GHSA-m9rj-w763-3x3j/GHSA-m9rj-w763-3x3j.json
index 9898ed0c18b..cd000601747 100644
--- a/advisories/unreviewed/2023/04/GHSA-m9rj-w763-3x3j/GHSA-m9rj-w763-3x3j.json
+++ b/advisories/unreviewed/2023/04/GHSA-m9rj-w763-3x3j/GHSA-m9rj-w763-3x3j.json
@@ -28,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-284"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2023/10/GHSA-w25v-58xw-9xcx/GHSA-w25v-58xw-9xcx.json b/advisories/unreviewed/2023/10/GHSA-w25v-58xw-9xcx/GHSA-w25v-58xw-9xcx.json
index 7559a34d691..4539f54dd37 100644
--- a/advisories/unreviewed/2023/10/GHSA-w25v-58xw-9xcx/GHSA-w25v-58xw-9xcx.json
+++ b/advisories/unreviewed/2023/10/GHSA-w25v-58xw-9xcx/GHSA-w25v-58xw-9xcx.json
@@ -28,7 +28,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-34"
 ],
 "severity": "HIGH",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2023/11/GHSA-2c2j-2pgv-gfgc/GHSA-2c2j-2pgv-gfgc.json b/advisories/unreviewed/2023/11/GHSA-2c2j-2pgv-gfgc/GHSA-2c2j-2pgv-gfgc.json
index 72f9ed8c931..9857451379f 100644
--- a/advisories/unreviewed/2023/11/GHSA-2c2j-2pgv-gfgc/GHSA-2c2j-2pgv-gfgc.json
+++ b/advisories/unreviewed/2023/11/GHSA-2c2j-2pgv-gfgc/GHSA-2c2j-2pgv-gfgc.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2c2j-2pgv-gfgc",
- "modified": "2023-11-06T18:30:19Z",
+ "modified": "2024-09-16T18:31:18Z",
 "published": "2023-11-06T18:30:19Z",
 "aliases": [
 "CVE-2023-40661"
diff --git a/advisories/unreviewed/2023/11/GHSA-7635-x5f9-5458/GHSA-7635-x5f9-5458.json b/advisories/unreviewed/2023/11/GHSA-7635-x5f9-5458/GHSA-7635-x5f9-5458.json
index 916da258049..3d5fa83ad96 100644
--- a/advisories/unreviewed/2023/11/GHSA-7635-x5f9-5458/GHSA-7635-x5f9-5458.json
+++ b/advisories/unreviewed/2023/11/GHSA-7635-x5f9-5458/GHSA-7635-x5f9-5458.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7635-x5f9-5458",
- "modified": "2023-11-06T18:30:19Z",
+ "modified": "2024-09-16T18:31:18Z",
 "published": "2023-11-06T18:30:19Z",
 "aliases": [
 "CVE-2023-40660"
diff --git a/advisories/unreviewed/2023/12/GHSA-9vh7-c87x-8q9v/GHSA-9vh7-c87x-8q9v.json b/advisories/unreviewed/2023/12/GHSA-9vh7-c87x-8q9v/GHSA-9vh7-c87x-8q9v.json
index bea6d480d8b..3d326e6a451 100644
--- a/advisories/unreviewed/2023/12/GHSA-9vh7-c87x-8q9v/GHSA-9vh7-c87x-8q9v.json
+++ b/advisories/unreviewed/2023/12/GHSA-9vh7-c87x-8q9v/GHSA-9vh7-c87x-8q9v.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9vh7-c87x-8q9v",
- "modified": "2023-12-11T21:30:21Z",
+ "modified": "2024-09-16T18:31:18Z",
 "published": "2023-12-11T21:30:21Z",
 "aliases": [
 "CVE-2023-6679"
diff --git a/advisories/unreviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json b/advisories/unreviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json
index 1254647f716..0e4a0ebd61e 100644
--- a/advisories/unreviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json
+++ b/advisories/unreviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gg57-587f-h5v6",
- "modified": "2023-12-28T18:30:32Z",
+ "modified": "2024-09-16T18:31:18Z",
 "published": "2023-12-28T18:30:32Z",
 "aliases": [
 "CVE-2023-5384"
diff --git a/advisories/unreviewed/2024/01/GHSA-45hh-rj6v-548f/GHSA-45hh-rj6v-548f.json b/advisories/unreviewed/2024/01/GHSA-45hh-rj6v-548f/GHSA-45hh-rj6v-548f.json
index 6346b947f99..797e542cdd4 100644
--- a/advisories/unreviewed/2024/01/GHSA-45hh-rj6v-548f/GHSA-45hh-rj6v-548f.json
+++ b/advisories/unreviewed/2024/01/GHSA-45hh-rj6v-548f/GHSA-45hh-rj6v-548f.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-45hh-rj6v-548f",
- "modified": "2024-02-20T21:30:20Z",
+ "modified": "2024-09-16T18:31:19Z",
 "published": "2024-01-10T15:30:19Z",
 "aliases": [
 "CVE-2023-5455"
diff --git a/advisories/unreviewed/2024/08/GHSA-rj56-mm47-cqp3/GHSA-rj56-mm47-cqp3.json b/advisories/unreviewed/2024/08/GHSA-rj56-mm47-cqp3/GHSA-rj56-mm47-cqp3.json
index 73d5bd79014..00250ebe216 100644
--- a/advisories/unreviewed/2024/08/GHSA-rj56-mm47-cqp3/GHSA-rj56-mm47-cqp3.json
+++ b/advisories/unreviewed/2024/08/GHSA-rj56-mm47-cqp3/GHSA-rj56-mm47-cqp3.json
@@ -32,6 +32,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-434",
 "CWE-89"
 ],
 "severity": "CRITICAL",
diff --git a/advisories/unreviewed/2024/09/GHSA-34h3-77mg-mfgh/GHSA-34h3-77mg-mfgh.json b/advisories/unreviewed/2024/09/GHSA-34h3-77mg-mfgh/GHSA-34h3-77mg-mfgh.json
new file mode 100644
index 00000000000..de9d7d279f9
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-34h3-77mg-mfgh/GHSA-34h3-77mg-mfgh.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-34h3-77mg-mfgh",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2024-21871"
+ ],
+ "details": "Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21871"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:16:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-3frm-3q2w-pp83/GHSA-3frm-3q2w-pp83.json b/advisories/unreviewed/2024/09/GHSA-3frm-3q2w-pp83/GHSA-3frm-3q2w-pp83.json
new file mode 100644
index 00000000000..5dacf6a57d8
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-3frm-3q2w-pp83/GHSA-3frm-3q2w-pp83.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3frm-3q2w-pp83",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2023-25546"
+ ],
+ "details": "Out-of-bounds read in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable denial of service via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25546"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-125"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-3x4g-4374-v83h/GHSA-3x4g-4374-v83h.json b/advisories/unreviewed/2024/09/GHSA-3x4g-4374-v83h/GHSA-3x4g-4374-v83h.json
index 0154d9d07b5..e7a8929b7fe 100644
--- a/advisories/unreviewed/2024/09/GHSA-3x4g-4374-v83h/GHSA-3x4g-4374-v83h.json
+++ b/advisories/unreviewed/2024/09/GHSA-3x4g-4374-v83h/GHSA-3x4g-4374-v83h.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-3x4g-4374-v83h", - "modified": "2024-09-13T21:31:22Z", + "modified": "2024-09-16T18:31:21Z", "published": "2024-09-13T21:31:22Z", "aliases": [ "CVE-2024-44096" ], "details": "there is a possible arbitrary read due to an insecure default value. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-453" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T21:15:10Z" diff --git a/advisories/unreviewed/2024/09/GHSA-5wmr-r266-pc3m/GHSA-5wmr-r266-pc3m.json b/advisories/unreviewed/2024/09/GHSA-5wmr-r266-pc3m/GHSA-5wmr-r266-pc3m.json new file mode 100644 index 00000000000..dff43188028 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-5wmr-r266-pc3m/GHSA-5wmr-r266-pc3m.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5wmr-r266-pc3m",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2023-43753"
+ ],
+ "details": "Improper conditions check in some Intel(R) Processors with Intel(R) SGX may allow a privileged user to potentially enable information disclosure via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43753"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-6qq3-v7mp-wx7q/GHSA-6qq3-v7mp-wx7q.json b/advisories/unreviewed/2024/09/GHSA-6qq3-v7mp-wx7q/GHSA-6qq3-v7mp-wx7q.json
index fc2a7d16e4f..00befcc6ae1 100644
--- a/advisories/unreviewed/2024/09/GHSA-6qq3-v7mp-wx7q/GHSA-6qq3-v7mp-wx7q.json
+++ b/advisories/unreviewed/2024/09/GHSA-6qq3-v7mp-wx7q/GHSA-6qq3-v7mp-wx7q.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-6qq3-v7mp-wx7q", - "modified": "2024-09-13T21:31:22Z", + "modified": "2024-09-16T18:31:21Z", "published": "2024-09-13T21:31:22Z", "aliases": [ "CVE-2024-44095" ], "details": "In ppmp_protect_mfcfw_buf of code/drm_fw.c, there is a possible corrupt memory due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-783" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T21:15:10Z" diff --git a/advisories/unreviewed/2024/09/GHSA-77rm-8jvr-hfgm/GHSA-77rm-8jvr-hfgm.json b/advisories/unreviewed/2024/09/GHSA-77rm-8jvr-hfgm/GHSA-77rm-8jvr-hfgm.json new file mode 100644 index 00000000000..9acd87e3cd8 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-77rm-8jvr-hfgm/GHSA-77rm-8jvr-hfgm.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-77rm-8jvr-hfgm",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2023-41833"
+ ],
+ "details": "A race condition in UEFI firmware for some Intel(R) processors may allow a privileged user to potentially enable escalation of privilege via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41833"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-362"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-7c78-g5wc-hcch/GHSA-7c78-g5wc-hcch.json b/advisories/unreviewed/2024/09/GHSA-7c78-g5wc-hcch/GHSA-7c78-g5wc-hcch.json
new file mode 100644
index 00000000000..77621217151
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-7c78-g5wc-hcch/GHSA-7c78-g5wc-hcch.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7c78-g5wc-hcch",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2024-8752"
+ ],
+ "details": "The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8752"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tenable.com/security/research/tra-2024-38"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T16:15:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-7whw-68xg-fr5c/GHSA-7whw-68xg-fr5c.json b/advisories/unreviewed/2024/09/GHSA-7whw-68xg-fr5c/GHSA-7whw-68xg-fr5c.json
new file mode 100644
index 00000000000..590382dbc8c
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-7whw-68xg-fr5c/GHSA-7whw-68xg-fr5c.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7whw-68xg-fr5c",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2024-44623"
+ ],
+ "details": "An issue in TuomoKu SPx-GC v.1.3.0 and before allows a remote attacker to execute arbitrary code via the child_process.js function.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44623"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TuomoKu/SPX-GC"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/TuomoKu/SPX-GC/blob/v.1.3.0/routes/routes-api.js#L39"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/merbinr/CVE-2024-44623"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T16:15:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-899w-w5qq-hg5v/GHSA-899w-w5qq-hg5v.json b/advisories/unreviewed/2024/09/GHSA-899w-w5qq-hg5v/GHSA-899w-w5qq-hg5v.json
new file mode 100644
index 00000000000..707b11684fd
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-899w-w5qq-hg5v/GHSA-899w-w5qq-hg5v.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-899w-w5qq-hg5v",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2023-42772"
+ ],
+ "details": "Untrusted pointer dereference in UEFI firmware for some Intel(R) reference processors may allow a privileged user to potentially enable escalation of privilege via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42772"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-822"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-8q6q-j6wg-846f/GHSA-8q6q-j6wg-846f.json b/advisories/unreviewed/2024/09/GHSA-8q6q-j6wg-846f/GHSA-8q6q-j6wg-846f.json
new file mode 100644
index 00000000000..cf3db5adc51
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-8q6q-j6wg-846f/GHSA-8q6q-j6wg-846f.json
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8q6q-j6wg-846f", + "modified": "2024-09-16T18:31:22Z", + "published": "2024-09-16T18:31:22Z", + "aliases": [ + "CVE-2024-34545" + ], + "details": "Improper input validation in some Intel(R) RAID Web Console software all versions may allow an authenticated user to potentially enable information disclosure via adjacent access.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34545" + }, + { + "type": "WEB", + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T17:16:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-9g66-w5hj-vhx4/GHSA-9g66-w5hj-vhx4.json b/advisories/unreviewed/2024/09/GHSA-9g66-w5hj-vhx4/GHSA-9g66-w5hj-vhx4.json index 335f63fe7d7..43a684d912c 100644 --- a/advisories/unreviewed/2024/09/GHSA-9g66-w5hj-vhx4/GHSA-9g66-w5hj-vhx4.json +++ b/advisories/unreviewed/2024/09/GHSA-9g66-w5hj-vhx4/GHSA-9g66-w5hj-vhx4.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9g66-w5hj-vhx4", - "modified": "2024-09-13T21:31:22Z", + "modified": "2024-09-16T18:31:20Z", "published": "2024-09-13T21:31:22Z", "aliases": [ "CVE-2024-44092" ], "details": "In TBD of TBD, there is a possible LCS signing enforcement missing due to test/debugging code left in a production build. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-489" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T21:15:10Z" diff --git a/advisories/unreviewed/2024/09/GHSA-9v23-3rf5-vx8j/GHSA-9v23-3rf5-vx8j.json b/advisories/unreviewed/2024/09/GHSA-9v23-3rf5-vx8j/GHSA-9v23-3rf5-vx8j.json new file mode 100644 index 00000000000..ee37bf073af --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-9v23-3rf5-vx8j/GHSA-9v23-3rf5-vx8j.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9v23-3rf5-vx8j", + "modified": "2024-09-16T18:31:22Z", + "published": "2024-09-16T18:31:22Z", + "aliases": [ + "CVE-2024-34543" + ], + "details": "Improper access control in Intel(R) RAID Web Console software for all versions may allow an authenticated user to potentially enable escalation of privilege via local access.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34543" + }, + { + "type": "WEB", + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T17:16:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-c7c7-8frm-jcmp/GHSA-c7c7-8frm-jcmp.json b/advisories/unreviewed/2024/09/GHSA-c7c7-8frm-jcmp/GHSA-c7c7-8frm-jcmp.json new file mode 100644 index 00000000000..57659c7dbef --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-c7c7-8frm-jcmp/GHSA-c7c7-8frm-jcmp.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c7c7-8frm-jcmp",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2023-23904"
+ ],
+ "details": "NULL pointer dereference in the UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23904"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-395"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:15:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-gjx4-p4f2-33wq/GHSA-gjx4-p4f2-33wq.json b/advisories/unreviewed/2024/09/GHSA-gjx4-p4f2-33wq/GHSA-gjx4-p4f2-33wq.json
new file mode 100644
index 00000000000..c7d681f76ea
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-gjx4-p4f2-33wq/GHSA-gjx4-p4f2-33wq.json
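Review bot: In the GHSA-c7c7-8frm-jcmp record, `cwe_ids` lists `"CWE-395"`, which does not match the `details` text: CWE-395 is about catching NullPointerException to detect a null dereference, whereas the advisory describes a NULL pointer dereference in UEFI firmware. The same batch classifies the RAID Web Console NULL pointer dereference (GHSA-p5c4-rjq3-8654) as `"CWE-476"`, so anyone filtering or triaging by CWE-476 would miss this entry. The value presumably mirrors the upstream record; if it is corrected when the advisory is reviewed, the line would read `"CWE-476"`.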
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gjx4-p4f2-33wq",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2023-22351"
+ ],
+ "details": "Out-of-bounds write in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22351"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:15:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-gpvf-6hpf-4f9h/GHSA-gpvf-6hpf-4f9h.json b/advisories/unreviewed/2024/09/GHSA-gpvf-6hpf-4f9h/GHSA-gpvf-6hpf-4f9h.json
index 1416aa4ee28..dcc5c36b786 100644
--- a/advisories/unreviewed/2024/09/GHSA-gpvf-6hpf-4f9h/GHSA-gpvf-6hpf-4f9h.json
+++ b/advisories/unreviewed/2024/09/GHSA-gpvf-6hpf-4f9h/GHSA-gpvf-6hpf-4f9h.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-gpvf-6hpf-4f9h", - "modified": "2024-09-02T21:30:30Z", + "modified": "2024-09-16T18:31:20Z", "published": "2024-09-02T21:30:30Z", "aliases": [ "CVE-2024-45621" ], "details": "The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure to use a separate browser upon encountering third-party external actions from PDF documents.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ @@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-02T19:15:13Z" diff --git a/advisories/unreviewed/2024/09/GHSA-gw2j-g839-3547/GHSA-gw2j-g839-3547.json b/advisories/unreviewed/2024/09/GHSA-gw2j-g839-3547/GHSA-gw2j-g839-3547.json new file mode 100644 index 00000000000..c2be99b3a23 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-gw2j-g839-3547/GHSA-gw2j-g839-3547.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gw2j-g839-3547",
+ "modified": "2024-09-16T18:31:22Z",
+ "published": "2024-09-16T18:31:22Z",
+ "aliases": [
+ "CVE-2024-34153"
+ ],
+ "details": "Uncontrolled search path element in Intel(R) RAID Web Console software for all versions may allow an authenticated user to potentially enable escalation of privilege via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34153"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-427"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:16:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-h2w5-3v43-j5c8/GHSA-h2w5-3v43-j5c8.json b/advisories/unreviewed/2024/09/GHSA-h2w5-3v43-j5c8/GHSA-h2w5-3v43-j5c8.json
new file mode 100644
index 00000000000..0c911717dd2
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-h2w5-3v43-j5c8/GHSA-h2w5-3v43-j5c8.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h2w5-3v43-j5c8",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2024-28170"
+ ],
+ "details": "Improper access control in Intel(R) RAID Web Console all versions may allow an authenticated user to potentially enable information disclosure via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28170"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-j7q4-4r7g-3jf4/GHSA-j7q4-4r7g-3jf4.json b/advisories/unreviewed/2024/09/GHSA-j7q4-4r7g-3jf4/GHSA-j7q4-4r7g-3jf4.json
index 2dc953e4f73..8343fa61d7b 100644
--- a/advisories/unreviewed/2024/09/GHSA-j7q4-4r7g-3jf4/GHSA-j7q4-4r7g-3jf4.json
+++ b/advisories/unreviewed/2024/09/GHSA-j7q4-4r7g-3jf4/GHSA-j7q4-4r7g-3jf4.json
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-j7q4-4r7g-3jf4", - "modified": "2024-09-16T14:37:28Z", + "modified": "2024-09-16T18:31:21Z", "published": "2024-09-16T14:37:28Z", "aliases": [ "CVE-2024-1578" ], "details": "The MiCard PLUS Ci and MiCard PLUS BLE reader products developed by rf IDEAS and rebranded by NT-ware have a firmware fault that may result in characters randomly being dropped from some ID card reads, which would result in the wrong ID card number being assigned during ID card self-registration and might result in failed login attempts for end-users. Random characters being dropped from ID card numbers compromises the uniqueness of ID cards that can, therefore, result in a security issue if the users are using the ‘ID card self-registration’ function.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2024/09/GHSA-jx9q-9xj3-cp3g/GHSA-jx9q-9xj3-cp3g.json b/advisories/unreviewed/2024/09/GHSA-jx9q-9xj3-cp3g/GHSA-jx9q-9xj3-cp3g.json index e089edc2ec4..13b207c0827 100644 --- a/advisories/unreviewed/2024/09/GHSA-jx9q-9xj3-cp3g/GHSA-jx9q-9xj3-cp3g.json +++ b/advisories/unreviewed/2024/09/GHSA-jx9q-9xj3-cp3g/GHSA-jx9q-9xj3-cp3g.json @@ -28,6 +28,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-119", "CWE-788" ], "severity": "LOW", diff --git a/advisories/unreviewed/2024/09/GHSA-m5wh-wcvg-3f5f/GHSA-m5wh-wcvg-3f5f.json b/advisories/unreviewed/2024/09/GHSA-m5wh-wcvg-3f5f/GHSA-m5wh-wcvg-3f5f.json new file mode 100644 index 00000000000..fe77f87bbf8 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-m5wh-wcvg-3f5f/GHSA-m5wh-wcvg-3f5f.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m5wh-wcvg-3f5f",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2024-23984"
+ ],
+ "details": "Observable discrepancy in RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23984"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-203"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:16:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-p47w-6xhw-hhxj/GHSA-p47w-6xhw-hhxj.json b/advisories/unreviewed/2024/09/GHSA-p47w-6xhw-hhxj/GHSA-p47w-6xhw-hhxj.json
index 062220d8289..9730d444950 100644
--- a/advisories/unreviewed/2024/09/GHSA-p47w-6xhw-hhxj/GHSA-p47w-6xhw-hhxj.json
+++ b/advisories/unreviewed/2024/09/GHSA-p47w-6xhw-hhxj/GHSA-p47w-6xhw-hhxj.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-p47w-6xhw-hhxj", - "modified": "2024-09-13T21:31:22Z", + "modified": "2024-09-16T18:31:21Z", "published": "2024-09-13T21:31:22Z", "aliases": [ "CVE-2024-44094" ], "details": "In ppmp_protect_mfcfw_buf of code/drm_fw.c, there is a possible memory corruption due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-20" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T21:15:10Z" diff --git a/advisories/unreviewed/2024/09/GHSA-p4m2-q7r3-j2h5/GHSA-p4m2-q7r3-j2h5.json b/advisories/unreviewed/2024/09/GHSA-p4m2-q7r3-j2h5/GHSA-p4m2-q7r3-j2h5.json new file mode 100644 index 00000000000..337fd41f80c --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-p4m2-q7r3-j2h5/GHSA-p4m2-q7r3-j2h5.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p4m2-q7r3-j2h5",
+ "modified": "2024-09-16T18:31:22Z",
+ "published": "2024-09-16T18:31:22Z",
+ "aliases": [
+ "CVE-2024-33848"
+ ],
+ "details": "Uncaught exception in Intel(R) RAID Web Console software all versions may allow an authenticated user to potentially enable denial of service via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33848"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-248"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-p5c4-rjq3-8654/GHSA-p5c4-rjq3-8654.json b/advisories/unreviewed/2024/09/GHSA-p5c4-rjq3-8654/GHSA-p5c4-rjq3-8654.json
new file mode 100644
index 00000000000..4be03c61a88
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-p5c4-rjq3-8654/GHSA-p5c4-rjq3-8654.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p5c4-rjq3-8654",
+ "modified": "2024-09-16T18:31:22Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2024-32666"
+ ],
+ "details": "NULL pointer dereference in Intel(R) RAID Web Console software for all versions may allow an authenticated user to potentially enable denial of service via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32666"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-pcx7-83rx-78c2/GHSA-pcx7-83rx-78c2.json b/advisories/unreviewed/2024/09/GHSA-pcx7-83rx-78c2/GHSA-pcx7-83rx-78c2.json
new file mode 100644
index 00000000000..bb3943f2a02
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-pcx7-83rx-78c2/GHSA-pcx7-83rx-78c2.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pcx7-83rx-78c2",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2024-21781"
+ ],
+ "details": "Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to enable information disclosure or denial of service via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:H/SC:H/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21781"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-pppq-wphf-gg65/GHSA-pppq-wphf-gg65.json b/advisories/unreviewed/2024/09/GHSA-pppq-wphf-gg65/GHSA-pppq-wphf-gg65.json
new file mode 100644
index 00000000000..1cffe9afdd1
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-pppq-wphf-gg65/GHSA-pppq-wphf-gg65.json
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pppq-wphf-gg65", + "modified": "2024-09-16T18:31:22Z", + "published": "2024-09-16T18:31:22Z", + "aliases": [ + "CVE-2024-36261" + ], + "details": "Improper access control in Intel(R) RAID Web Console software all versions may allow an authenticated user to potentially enable denial of service via adjacent access.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36261" + }, + { + "type": "WEB", + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T17:16:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-q74x-f8wx-jrgv/GHSA-q74x-f8wx-jrgv.json b/advisories/unreviewed/2024/09/GHSA-q74x-f8wx-jrgv/GHSA-q74x-f8wx-jrgv.json index 88d66a54012..4f67e4b1b08 100644 --- a/advisories/unreviewed/2024/09/GHSA-q74x-f8wx-jrgv/GHSA-q74x-f8wx-jrgv.json +++ b/advisories/unreviewed/2024/09/GHSA-q74x-f8wx-jrgv/GHSA-q74x-f8wx-jrgv.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-q74x-f8wx-jrgv", - "modified": "2024-09-13T21:31:22Z", + "modified": "2024-09-16T18:31:21Z", "published": "2024-09-13T21:31:22Z", "aliases": [ "CVE-2024-44093" ], "details": "In ppmp_unprotect_buf of drm/code/drm_fw.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-783" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T21:15:10Z" diff --git a/advisories/unreviewed/2024/09/GHSA-r3xc-mh5x-gjfq/GHSA-r3xc-mh5x-gjfq.json b/advisories/unreviewed/2024/09/GHSA-r3xc-mh5x-gjfq/GHSA-r3xc-mh5x-gjfq.json new file mode 100644 index 00000000000..759cb953bfd --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-r3xc-mh5x-gjfq/GHSA-r3xc-mh5x-gjfq.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r3xc-mh5x-gjfq", + "modified": "2024-09-16T18:31:21Z", + "published": "2024-09-16T18:31:21Z", + "aliases": [ + "CVE-2024-24968" + ], + "details": "Improper finite state machines (FSMs) in hardware logic in some Intel(R) Processors may allow an privileged user to potentially enable a denial of service via local access.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24968" + }, + { + "type": "WEB", + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01097.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1245" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T17:16:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-rq4p-jrjr-m4mq/GHSA-rq4p-jrjr-m4mq.json b/advisories/unreviewed/2024/09/GHSA-rq4p-jrjr-m4mq/GHSA-rq4p-jrjr-m4mq.json new file mode 100644 index 00000000000..96e12259f53 --- /dev/null 
+++ b/advisories/unreviewed/2024/09/GHSA-rq4p-jrjr-m4mq/GHSA-rq4p-jrjr-m4mq.json @@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rq4p-jrjr-m4mq", + "modified": "2024-09-16T18:31:22Z", + "published": "2024-09-16T18:31:22Z", + "aliases": [ + "CVE-2024-36247" + ], + "details": "Improper access control in Intel(R) RAID Web Console all versions may allow an authenticated user to potentially enable denial of service via adjacent access.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36247" + }, + { + "type": "WEB", + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T17:16:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-v3gc-cff3-2vg3/GHSA-v3gc-cff3-2vg3.json b/advisories/unreviewed/2024/09/GHSA-v3gc-cff3-2vg3/GHSA-v3gc-cff3-2vg3.json index 1a3686911bd..8ada3fbd9bc 100644 --- a/advisories/unreviewed/2024/09/GHSA-v3gc-cff3-2vg3/GHSA-v3gc-cff3-2vg3.json +++ b/advisories/unreviewed/2024/09/GHSA-v3gc-cff3-2vg3/GHSA-v3gc-cff3-2vg3.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-v3gc-cff3-2vg3", - "modified": "2024-09-13T21:31:22Z", + "modified": "2024-09-16T18:31:20Z", "published": "2024-09-13T21:31:22Z", "aliases": [ "CVE-2024-44430" ], "details": "SQL Injection vulnerability in Best Free Law Office Management Software-v1.0 allows an attacker to execute arbitrary code and obtain sensitive information via a crafted payload to the kortex_lite/control/register_case.php interface", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ 
@@ -29,9 +32,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-94" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T20:15:02Z" diff --git a/advisories/unreviewed/2024/09/GHSA-v63p-x2p8-f754/GHSA-v63p-x2p8-f754.json b/advisories/unreviewed/2024/09/GHSA-v63p-x2p8-f754/GHSA-v63p-x2p8-f754.json new file mode 100644 index 00000000000..2f90d994218 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-v63p-x2p8-f754/GHSA-v63p-x2p8-f754.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v63p-x2p8-f754", + "modified": "2024-09-16T18:31:21Z", + "published": "2024-09-16T18:31:21Z", + "aliases": [ + "CVE-2024-23599" + ], + "details": "Race condition in Seamless Firmware Updates for some Intel(R) reference platforms may allow a privileged user to potentially enable denial of service via local access.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23599" + }, + { + "type": "WEB", + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-362" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T17:16:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-vpc7-hmh5-3wx6/GHSA-vpc7-hmh5-3wx6.json b/advisories/unreviewed/2024/09/GHSA-vpc7-hmh5-3wx6/GHSA-vpc7-hmh5-3wx6.json new file mode 100644 index 00000000000..2ce9ab40245 --- /dev/null 
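Review bot: The `"CWE-94"` added to `cwe_ids` for GHSA-v3gc-cff3-2vg3 is the generic code-injection class, while the record's `details` describe SQL injection through `kortex_lite/control/register_case.php`; the specific entry for that weakness is CWE-89. Tooling that groups advisories by weakness class would file this one under code injection and leave it out of SQL-injection reports. The value presumably comes from the upstream NVD analysis, so it is worth confirming there; with the specific class the line would be `"CWE-89"`. This hunk shows only the `database_specific` block; the description is in the file's first hunk.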
+++ b/advisories/unreviewed/2024/09/GHSA-vpc7-hmh5-3wx6/GHSA-vpc7-hmh5-3wx6.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vpc7-hmh5-3wx6",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2024-21829"
+ ],
+ "details": "Improper input validation in UEFI firmware error handler for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21829"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:16:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-vrj2-p3r5-2mq6/GHSA-vrj2-p3r5-2mq6.json b/advisories/unreviewed/2024/09/GHSA-vrj2-p3r5-2mq6/GHSA-vrj2-p3r5-2mq6.json
new file mode 100644
index 00000000000..9e2c0045633
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-vrj2-p3r5-2mq6/GHSA-vrj2-p3r5-2mq6.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vrj2-p3r5-2mq6",
+ "modified": "2024-09-16T18:31:22Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2024-32940"
+ ],
+ "details": "Improper access control in Intel(R) RAID Web Console software for all versions may allow an authenticated user to potentially enable denial of service via adjacent access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32940"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-vw3f-8r5j-7wqm/GHSA-vw3f-8r5j-7wqm.json b/advisories/unreviewed/2024/09/GHSA-vw3f-8r5j-7wqm/GHSA-vw3f-8r5j-7wqm.json
new file mode 100644
index 00000000000..fb90d9e1231
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-vw3f-8r5j-7wqm/GHSA-vw3f-8r5j-7wqm.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vw3f-8r5j-7wqm",
+ "modified": "2024-09-16T18:31:22Z",
+ "published": "2024-09-16T18:31:22Z",
+ "aliases": [
+ "CVE-2023-45854"
+ ],
+ "details": "A Business Logic vulnerability in Shopkit 1.0 allows an attacker to add products with negative quantities to the shopping cart via the qtd parameter in the add-to-cart function.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45854"
+ },
+ {
+ "type": "WEB",
+ "url": "https://kafka-esc.com/posts/2024/09/cve-2023-45854-interger-overflow-in-shopkit-1.0"
+ },
+ {
+ "type": "WEB",
+ "url": "https://shopk.it"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T18:15:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xjwh-3rm6-w25h/GHSA-xjwh-3rm6-w25h.json b/advisories/unreviewed/2024/09/GHSA-xjwh-3rm6-w25h/GHSA-xjwh-3rm6-w25h.json
index ec7f55dca7f..0dfbec37eed 100644
--- a/advisories/unreviewed/2024/09/GHSA-xjwh-3rm6-w25h/GHSA-xjwh-3rm6-w25h.json
+++ b/advisories/unreviewed/2024/09/GHSA-xjwh-3rm6-w25h/GHSA-xjwh-3rm6-w25h.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xjwh-3rm6-w25h", - "modified": "2024-09-04T12:30:37Z", + "modified": "2024-09-16T18:31:20Z", "published": "2024-09-02T18:31:25Z", "aliases": [ "CVE-2024-44947" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: Initialize beyond-EOF page contents before setting uptodate\n\nfuse_notify_store(), unlike fuse_do_readpage(), does not enable page\nzeroing (because it can be used to change partial page contents).\n\nSo fuse_notify_store() must be more careful to fully initialize page\ncontents (including parts of the page that are beyond end-of-file)\nbefore marking the page uptodate.\n\nThe current code can leave beyond-EOF page contents uninitialized, which\nmakes these uninitialized page contents visible to userspace via mmap().\n\nThis is an information leak, but only affects systems which do not\nenable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the\ncorresponding kernel command line parameter).", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -53,9 +56,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-665" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-02T18:15:36Z" diff --git a/advisories/unreviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json b/advisories/unreviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json new file mode 100644 index 00000000000..38db45998a6 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json 
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xmxj-v2q8-8qx6",
+ "modified": "2024-09-16T18:31:22Z",
+ "published": "2024-09-16T18:31:22Z",
+ "aliases": [
+ "CVE-2024-8661"
+ ],
+ "details": "Concrete CMS versions 9.0.0 to 9.3.4 and below 8.5.18 are vulnerable to Stored XSS in the \"Next&Previous Nav\" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N  Since the \"Next&Previous Nav\" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks, Chu Quoc Khanh for reporting.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8661"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/concretecms/concretecms/pull/12204"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/concretecms/concretecms/commit/ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes"
+ },
+ {
+ "type": "WEB",
+ "url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T18:15:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xp7v-r3c8-pp3w/GHSA-xp7v-r3c8-pp3w.json b/advisories/unreviewed/2024/09/GHSA-xp7v-r3c8-pp3w/GHSA-xp7v-r3c8-pp3w.json
new file mode 100644
index 00000000000..c4b3fda8378
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-xp7v-r3c8-pp3w/GHSA-xp7v-r3c8-pp3w.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xp7v-r3c8-pp3w",
+ "modified": "2024-09-16T18:31:21Z",
+ "published": "2024-09-16T18:31:21Z",
+ "aliases": [
+ "CVE-2023-43626"
+ ],
+ "details": "Improper access control in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43626"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T17:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xr4c-mmrv-3h6c/GHSA-xr4c-mmrv-3h6c.json b/advisories/unreviewed/2024/09/GHSA-xr4c-mmrv-3h6c/GHSA-xr4c-mmrv-3h6c.json
index cdbe01fdcda..18d1392ccc8 100644
--- a/advisories/unreviewed/2024/09/GHSA-xr4c-mmrv-3h6c/GHSA-xr4c-mmrv-3h6c.json
+++ b/advisories/unreviewed/2024/09/GHSA-xr4c-mmrv-3h6c/GHSA-xr4c-mmrv-3h6c.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xr4c-mmrv-3h6c", - "modified": "2024-09-13T21:31:22Z", + "modified": "2024-09-16T18:31:20Z", "published": "2024-09-13T21:31:22Z", "aliases": [ "CVE-2024-29779" ], "details": "there is a possible escalation of privilege due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-13T21:15:10Z" From 733afdcd8a357a08af072472d4c9f4d366327960 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 20:11:11 +0000 Subject: [PATCH 114/170] Publish Advisories GHSA-4323-f82v-f6jr GHSA-4cj6-f32v-6hgx GHSA-7472-vw39-g2j3 GHSA-rf4q-m23c-7q8r GHSA-4323-f82v-f6jr GHSA-4cj6-f32v-6hgx GHSA-7472-vw39-g2j3 GHSA-rf4q-m23c-7q8r --- .../GHSA-4323-f82v-f6jr.json | 158 ++++++++++++++++++ .../GHSA-4cj6-f32v-6hgx.json | 158 ++++++++++++++++++ .../GHSA-7472-vw39-g2j3.json | 158 ++++++++++++++++++ .../GHSA-rf4q-m23c-7q8r.json | 158 ++++++++++++++++++ .../GHSA-4323-f82v-f6jr.json | 38 ----- .../GHSA-4cj6-f32v-6hgx.json | 38 ----- .../GHSA-7472-vw39-g2j3.json | 38 ----- .../GHSA-rf4q-m23c-7q8r.json | 38 ----- 8 files changed, 632 insertions(+), 152 deletions(-) create mode 100644 advisories/github-reviewed/2024/08/GHSA-4323-f82v-f6jr/GHSA-4323-f82v-f6jr.json create mode 100644 advisories/github-reviewed/2024/08/GHSA-4cj6-f32v-6hgx/GHSA-4cj6-f32v-6hgx.json create mode 100644 advisories/github-reviewed/2024/08/GHSA-7472-vw39-g2j3/GHSA-7472-vw39-g2j3.json create mode 100644 advisories/github-reviewed/2024/08/GHSA-rf4q-m23c-7q8r/GHSA-rf4q-m23c-7q8r.json delete mode 100644 advisories/unreviewed/2024/08/GHSA-4323-f82v-f6jr/GHSA-4323-f82v-f6jr.json delete mode 100644 advisories/unreviewed/2024/08/GHSA-4cj6-f32v-6hgx/GHSA-4cj6-f32v-6hgx.json delete mode 100644 advisories/unreviewed/2024/08/GHSA-7472-vw39-g2j3/GHSA-7472-vw39-g2j3.json delete mode 100644 advisories/unreviewed/2024/08/GHSA-rf4q-m23c-7q8r/GHSA-rf4q-m23c-7q8r.json diff --git a/advisories/github-reviewed/2024/08/GHSA-4323-f82v-f6jr/GHSA-4323-f82v-f6jr.json b/advisories/github-reviewed/2024/08/GHSA-4323-f82v-f6jr/GHSA-4323-f82v-f6jr.json new file mode 100644 index 00000000000..839ce618199 --- /dev/null +++ b/advisories/github-reviewed/2024/08/GHSA-4323-f82v-f6jr/GHSA-4323-f82v-f6jr.json 
@@ -0,0 +1,158 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4323-f82v-f6jr",
+ "modified": "2024-09-16T20:09:42Z",
+ "published": "2024-08-14T12:35:02Z",
+ "aliases": [
+ "CVE-2024-39410"
+ ],
+ "summary": "Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability",
+ "details": "Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.7-p1"
+ },
+ {
+ "fixed": "2.4.7-p2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.7"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.6-p1"
+ },
+ {
+ "fixed": "2.4.6-p7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.6"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.5-p1"
+ },
+ {
+ "fixed": "2.4.5-p9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.5"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.4-p10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.4"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39410"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/magento/magento2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:09:42Z",
+ "nvd_published_at": "2024-08-14T12:15:27Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/08/GHSA-4cj6-f32v-6hgx/GHSA-4cj6-f32v-6hgx.json b/advisories/github-reviewed/2024/08/GHSA-4cj6-f32v-6hgx/GHSA-4cj6-f32v-6hgx.json
new file mode 100644
index 00000000000..579f2246079
--- /dev/null
+++ b/advisories/github-reviewed/2024/08/GHSA-4cj6-f32v-6hgx/GHSA-4cj6-f32v-6hgx.json
@@ -0,0 +1,158 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4cj6-f32v-6hgx",
+ "modified": "2024-09-16T20:09:17Z",
+ "published": "2024-08-14T12:35:02Z",
+ "aliases": [
+ "CVE-2024-39408"
+ ],
+ "summary": "Magento Open Source Cross-Site Request Forgery vulnerability",
+ "details": "Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.7-p1"
+ },
+ {
+ "fixed": "2.4.7-p2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.7"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.6-p1"
+ },
+ {
+ "fixed": "2.4.6-p7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.6"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.5-p1"
+ },
+ {
+ "fixed": "2.4.5-p9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.5"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.4-p10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.4"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39408"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/magento/magento2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:09:17Z",
+ "nvd_published_at": "2024-08-14T12:15:26Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/08/GHSA-7472-vw39-g2j3/GHSA-7472-vw39-g2j3.json b/advisories/github-reviewed/2024/08/GHSA-7472-vw39-g2j3/GHSA-7472-vw39-g2j3.json
new file mode 100644
index 00000000000..8eb7d1f1cce
--- /dev/null
+++ b/advisories/github-reviewed/2024/08/GHSA-7472-vw39-g2j3/GHSA-7472-vw39-g2j3.json
@@ -0,0 +1,158 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7472-vw39-g2j3",
+ "modified": "2024-09-16T20:10:08Z",
+ "published": "2024-08-14T12:35:02Z",
+ "aliases": [
+ "CVE-2024-39412"
+ ],
+ "summary": "Magento Open Source Improper Authorization vulnerability",
+ "details": "Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.7-p1"
+ },
+ {
+ "fixed": "2.4.7-p2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.7"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.6-p1"
+ },
+ {
+ "fixed": "2.4.6-p7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.6"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.5-p1"
+ },
+ {
+ "fixed": "2.4.5-p9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.5"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.4-p10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.4"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39412"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/magento/magento2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-285"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:10:08Z",
+ "nvd_published_at": "2024-08-14T12:15:27Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/08/GHSA-rf4q-m23c-7q8r/GHSA-rf4q-m23c-7q8r.json b/advisories/github-reviewed/2024/08/GHSA-rf4q-m23c-7q8r/GHSA-rf4q-m23c-7q8r.json
new file mode 100644
index 00000000000..e98bb9817c8
--- /dev/null
+++ b/advisories/github-reviewed/2024/08/GHSA-rf4q-m23c-7q8r/GHSA-rf4q-m23c-7q8r.json
@@ -0,0 +1,158 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rf4q-m23c-7q8r",
+ "modified": "2024-09-16T20:09:34Z",
+ "published": "2024-08-14T12:35:02Z",
+ "aliases": [
+ "CVE-2024-39409"
+ ],
+ "summary": "Magento Open Source Cross-Site Request Forgery (CSRF) vulnerability",
+ "details": "Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.7-p1"
+ },
+ {
+ "fixed": "2.4.7-p2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.7"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.6-p1"
+ },
+ {
+ "fixed": "2.4.6-p7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.6"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.4.5-p1"
+ },
+ {
+ "fixed": "2.4.5-p9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.5"
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.4-p10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "magento/community-edition"
+ },
+ "versions": [
+ "2.4.4"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39409"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/magento/magento2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:09:33Z",
+ "nvd_published_at": "2024-08-14T12:15:26Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/08/GHSA-4323-f82v-f6jr/GHSA-4323-f82v-f6jr.json b/advisories/unreviewed/2024/08/GHSA-4323-f82v-f6jr/GHSA-4323-f82v-f6jr.json
deleted file mode 100644
index ce9906c18c2..00000000000
--- a/advisories/unreviewed/2024/08/GHSA-4323-f82v-f6jr/GHSA-4323-f82v-f6jr.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-4323-f82v-f6jr",
- "modified": "2024-08-14T12:35:02Z",
- "published": "2024-08-14T12:35:02Z",
- "aliases": [
- "CVE-2024-39410"
- ],
- "details": "Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39410"
- },
- {
- "type": "WEB",
- "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2024-08-14T12:15:27Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/08/GHSA-4cj6-f32v-6hgx/GHSA-4cj6-f32v-6hgx.json b/advisories/unreviewed/2024/08/GHSA-4cj6-f32v-6hgx/GHSA-4cj6-f32v-6hgx.json
deleted file mode 100644
index 532e8d2b426..00000000000
--- a/advisories/unreviewed/2024/08/GHSA-4cj6-f32v-6hgx/GHSA-4cj6-f32v-6hgx.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-4cj6-f32v-6hgx",
- "modified": "2024-08-14T12:35:02Z",
- "published": "2024-08-14T12:35:02Z",
- "aliases": [
- "CVE-2024-39408"
- ],
- "details": "Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39408"
- },
- {
- "type": "WEB",
- "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-352"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2024-08-14T12:15:26Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/08/GHSA-7472-vw39-g2j3/GHSA-7472-vw39-g2j3.json b/advisories/unreviewed/2024/08/GHSA-7472-vw39-g2j3/GHSA-7472-vw39-g2j3.json
deleted file mode 100644
index 92053b62eac..00000000000
--- a/advisories/unreviewed/2024/08/GHSA-7472-vw39-g2j3/GHSA-7472-vw39-g2j3.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-7472-vw39-g2j3",
- "modified": "2024-08-14T12:35:02Z",
- "published": "2024-08-14T12:35:02Z",
- "aliases": [
- "CVE-2024-39412"
- ],
- "details": "Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39412"
- },
- {
- "type": "WEB",
- "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-285"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2024-08-14T12:15:27Z"
- }
-}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/08/GHSA-rf4q-m23c-7q8r/GHSA-rf4q-m23c-7q8r.json b/advisories/unreviewed/2024/08/GHSA-rf4q-m23c-7q8r/GHSA-rf4q-m23c-7q8r.json
deleted file mode 100644
index 5f2b75f7283..00000000000
--- a/advisories/unreviewed/2024/08/GHSA-rf4q-m23c-7q8r/GHSA-rf4q-m23c-7q8r.json
+++ /dev/null
@@ -1,38 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-rf4q-m23c-7q8r", - "modified": "2024-08-14T12:35:02Z", - "published": "2024-08-14T12:35:02Z", - "aliases": [ - "CVE-2024-39409" - ], - "details": "Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor unauthorised actions on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39409" - }, - { - "type": "WEB", - "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-352" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-08-14T12:15:26Z" - } -} \ No newline at end of file From ea8d49762fe6915ce2801fd908a12c69a8a7fc41 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 20:16:33 +0000 Subject: [PATCH 115/170] Publish Advisories GHSA-wj4j-qc2m-fgh7 GHSA-wj4j-qc2m-fgh7 --- .../GHSA-wj4j-qc2m-fgh7.json | 69 +++++++++++++++++++ .../GHSA-wj4j-qc2m-fgh7.json | 38 ---------- 2 files changed, 69 insertions(+), 38 deletions(-) create mode 100644 advisories/github-reviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json delete mode 100644 advisories/unreviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json 
diff --git a/advisories/github-reviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json b/advisories/github-reviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json
new file mode 100644
index 00000000000..2d06fa27d88
--- /dev/null
+++ b/advisories/github-reviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wj4j-qc2m-fgh7",
+ "modified": "2024-09-16T20:14:50Z",
+ "published": "2024-09-16T14:37:28Z",
+ "aliases": [
+ "CVE-2024-39613"
+ ],
+ "summary": "Mattermost Desktop App Uncontrolled Search Path Vulnerability",
+ "details": "Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "mattermost-desktop"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "5.9.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39613"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.mattermost.com/about/desktop-app-changelog.html"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/mattermost/desktop"
+ },
+ {
+ "type": "WEB",
+ "url": "https://mattermost.com/security-updates"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-427"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T20:14:50Z",
+ "nvd_published_at": "2024-09-16T07:15:02Z"
+ }
+}
\ No newline at end of file
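Review bot: The two `severity` entries in this new record disagree on user interaction: the retained `CVSS_V3` vector has `UI:R`, while the added `CVSS_V4` vector has `UI:N`. The description depends on a planted `cmd.exe` in the user's Downloads folder being picked up by the desktop app, which fits the v3 value. Unless a v4 assessment was made separately, the v4 metric should carry the interaction requirement as well, e.g. `UI:P` (or `UI:A` if the user must act on the planted file directly). Tools that prefer the v4 vector would otherwise rate this as needing no victim action.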
diff --git a/advisories/unreviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json b/advisories/unreviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json
deleted file mode 100644
index f76df72f568..00000000000
--- a/advisories/unreviewed/2024/09/GHSA-wj4j-qc2m-fgh7/GHSA-wj4j-qc2m-fgh7.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-wj4j-qc2m-fgh7",
- "modified": "2024-09-16T14:37:28Z",
- "published": "2024-09-16T14:37:28Z",
- "aliases": [
- "CVE-2024-39613"
- ],
- "details": "Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39613"
- },
- {
- "type": "WEB",
- "url": "https://mattermost.com/security-updates"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-427"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2024-09-16T07:15:02Z"
- }
-}
\ No newline at end of file
From 05d1792faf2d6428540b3792c44affaae53feefb Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 20:19:04 +0000 Subject: [PATCH 116/170] Publish Advisories GHSA-46hr-3cq3-mcgp GHSA-hv38-h5pj-c96j GHSA-hv38-h5pj-c96j --- .../GHSA-46hr-3cq3-mcgp.json | 45 ++++++++++-- .../GHSA-hv38-h5pj-c96j.json | 73 +++++++++++++++++++ .../GHSA-hv38-h5pj-c96j.json | 43 ----------- 3 files changed, 111 insertions(+), 50 deletions(-) rename advisories/{unreviewed => github-reviewed}/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json (51%) create mode 100644 advisories/github-reviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json delete mode 100644 advisories/unreviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json diff --git a/advisories/unreviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json b/advisories/github-reviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json similarity index 51% rename from advisories/unreviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json rename to advisories/github-reviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json index 4c60140271f..6e4b29556ff 100644 --- a/advisories/unreviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json +++ b/advisories/github-reviewed/2024/09/GHSA-46hr-3cq3-mcgp/GHSA-46hr-3cq3-mcgp.json 
@@ -1,17 +1,43 @@ { "schema_version": "1.4.0", "id": "GHSA-46hr-3cq3-mcgp", - "modified": "2024-09-16T14:37:28Z", + "modified": "2024-09-16T20:16:16Z", "published": "2024-09-16T14:37:28Z", "aliases": [ "CVE-2024-46943" ], + "summary": "OpenDaylight Authentication, Authorization and Accounting (AAA) peer impersonation vulnerability", "details": "An issue was discovered in OpenDaylight Authentication, Authorization and Accounting (AAA) through 0.19.3. A rogue controller can join a cluster to impersonate an offline peer, even if this rogue controller does not possess the complete cluster configuration information.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ - + { + "package": { + "ecosystem": "Maven", + "name": "org.opendaylight.aaa:aaa-artifacts" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.19.3" + } + ] + } + ] + } ], "references": [ { @@ -26,6 +52,10 @@ "type": "WEB", "url": "https://doi.org/10.48550/arXiv.2408.16940" }, + { + "type": "PACKAGE", + "url": "https://github.com/opendaylight/aaa" + }, { "type": "WEB", "url": "https://lf-opendaylight.atlassian.net/browse/AAA-285" @@ -33,11 +63,12 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-285", + "CWE-287" ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T20:16:16Z", "nvd_published_at": "2024-09-15T23:15:11Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json b/advisories/github-reviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json new file mode 100644 index 00000000000..b43dd3581f9 --- /dev/null 
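Review bot: The `"last_affected": "0.19.3"` event in the new `affected` entry tells range-matching tools that every release after 0.19.3 is unaffected, but the details only say "through 0.19.3" and none of the references in this file names a fixing release. If no fix is confirmed, I would drop the `last_affected` event so the range stays open, or replace it with a `fixed` event once a fixing version can be cited; otherwise alerts stop as soon as a newer version is published. The same applies to the GHSA-hv38-h5pj-c96j file added next (`"last_affected": "13.0.1"`). Both entries also use what look like aggregate `*-artifacts` coordinates, so it is worth confirming that projects depending on the individual modules are still matched.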
+++ b/advisories/github-reviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json @@ -0,0 +1,73 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hv38-h5pj-c96j", + "modified": "2024-09-16T20:16:14Z", + "published": "2024-09-16T14:37:28Z", + "aliases": [ + "CVE-2024-46942" + ], + "summary": "OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) allows follower controller to set up flow entries", + "details": "In OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) through 13.0.1, a controller with a follower role can configure flow entries in an OpenDaylight clustering deployment.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.opendaylight.mdsal:mdsal-artifacts" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "13.0.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46942" + }, + { + "type": "WEB", + "url": "https://docs.opendaylight.org/en/latest/release-notes/projects/mdsal.html" + }, + { + "type": "WEB", + "url": "https://doi.org/10.48550/arXiv.2408.16940" + }, + { + "type": "PACKAGE", + "url": "https://github.com/opendaylight/mdsal" + }, + { + "type": "WEB", + "url": "https://lf-opendaylight.atlassian.net/browse/MDSAL-869" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-285" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T20:16:14Z", + "nvd_published_at": "2024-09-15T23:15:11Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json b/advisories/unreviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json deleted file mode 100644 index fee08130162..00000000000 --- a/advisories/unreviewed/2024/09/GHSA-hv38-h5pj-c96j/GHSA-hv38-h5pj-c96j.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-hv38-h5pj-c96j", - "modified": "2024-09-16T14:37:28Z", - "published": "2024-09-16T14:37:28Z", - "aliases": [ - "CVE-2024-46942" - ], - "details": "In OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) through 13.0.1, a controller with a follower role can configure flow entries in an OpenDaylight clustering deployment.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46942" - }, - { - "type": "WEB", - "url": "https://docs.opendaylight.org/en/latest/release-notes/projects/mdsal.html" - }, - { - "type": "WEB", - "url": "https://doi.org/10.48550/arXiv.2408.16940" - }, - { - "type": "WEB", - "url": "https://lf-opendaylight.atlassian.net/browse/MDSAL-869" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-09-15T23:15:11Z" - } -} \ No newline at end of file From 9821b41a364a651b2b968b8638f0b8e82dc66b57 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 20:21:19 +0000 Subject: [PATCH 117/170] Publish Advisories GHSA-3xq2-w6j4-c99r GHSA-5777-rcjj-9p22 GHSA-3xq2-w6j4-c99r --- .../GHSA-3xq2-w6j4-c99r.json | 87 +++++++++++++++++++ .../GHSA-5777-rcjj-9p22.json | 35 +++++++- .../GHSA-3xq2-w6j4-c99r.json | 35 -------- 3 files changed, 118 insertions(+), 39 deletions(-) create mode 100644 advisories/github-reviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json rename advisories/{unreviewed => github-reviewed}/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json (52%) delete mode 100644 advisories/unreviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json diff --git a/advisories/github-reviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json b/advisories/github-reviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json new file mode 100644 index 00000000000..aeeceeb3b9e --- /dev/null +++ b/advisories/github-reviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json 
@@ -0,0 +1,87 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3xq2-w6j4-c99r", + "modified": "2024-09-16T20:19:35Z", + "published": "2024-09-16T14:37:28Z", + "aliases": [ + "CVE-2024-22399" + ], + "summary": "Apache Seata Deserialization of Untrusted Data vulnerability", + "details": "Deserialization of Untrusted Data vulnerability in Apache Seata. \n\nWhen developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol.\n\nThis issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0.\n\nUsers are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.seata:seata-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.1.0" + } + ] + } + ], + "versions": [ + "2.0.0" + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.seata:seata-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "1.8.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22399" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/incubator-seata" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T20:18:41Z", + "nvd_published_at": "2024-09-16T12:15:02Z" + } +} \ No newline at end of file 
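Review bot: Both `affected` entries use the coordinate `org.apache.seata:seata-core`, yet the ranges cover 1.0.0 through 2.0.0. To my knowledge those releases were published on Maven Central under the `io.seata` group, before the project moved to the Apache namespace. If that is right, a dependency scanner matching on the coordinate in this file will not flag the releases the details describe as vulnerable. Please confirm against the registry and, if so, add entries with `"name": "io.seata:seata-core"` carrying the same ranges.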
diff --git a/advisories/unreviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json b/advisories/github-reviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json similarity index 52% rename from advisories/unreviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json rename to advisories/github-reviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json index 05eb2eb9e5d..1aa8295774e 100644 --- a/advisories/unreviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json +++ b/advisories/github-reviewed/2024/09/GHSA-5777-rcjj-9p22/GHSA-5777-rcjj-9p22.json @@ -1,26 +1,53 @@ { "schema_version": "1.4.0", "id": "GHSA-5777-rcjj-9p22", - "modified": "2024-09-16T15:32:46Z", + "modified": "2024-09-16T20:20:49Z", "published": "2024-09-16T15:32:46Z", "aliases": [ "CVE-2024-39772" ], + "summary": "Mattermost Desktop App fails to safeguard screen capture functionality", "details": "Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ - + { + "package": { + "ecosystem": "npm", + "name": "mattermost-desktop" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.9.0" + } + ] + } + ] + } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39772" }, + { + "type": "PACKAGE", + "url": "https://github.com/mattermost/desktop" + }, { "type": "WEB", "url": "https://mattermost.com/security-updates" 
@@ -31,8 +58,8 @@ "CWE-284" ], "severity": "LOW", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T20:20:49Z", "nvd_published_at": "2024-09-16T15:15:16Z" } } \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json b/advisories/unreviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json deleted file mode 100644 index a4f939d346d..00000000000 --- a/advisories/unreviewed/2024/09/GHSA-3xq2-w6j4-c99r/GHSA-3xq2-w6j4-c99r.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-3xq2-w6j4-c99r", - "modified": "2024-09-16T14:37:28Z", - "published": "2024-09-16T14:37:28Z", - "aliases": [ - "CVE-2024-22399" - ], - "details": "Deserialization of Untrusted Data vulnerability in Apache Seata. \n\nWhen developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol.\n\nThis issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0.\n\nUsers are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22399" - }, - { - "type": "WEB", - "url": "https://lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-502" - ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-09-16T12:15:02Z" - } -} \ No newline at end of file From 99db90df7969326d966b828d2a96eff6092d377a Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 20:23:24 +0000 Subject: [PATCH 118/170] Publish GHSA-xgq9-7gw6-jr5r --- .../GHSA-xgq9-7gw6-jr5r.json | 35 ++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) rename advisories/{unreviewed => github-reviewed}/2024/09/GHSA-xgq9-7gw6-jr5r/GHSA-xgq9-7gw6-jr5r.json (53%) diff --git a/advisories/unreviewed/2024/09/GHSA-xgq9-7gw6-jr5r/GHSA-xgq9-7gw6-jr5r.json b/advisories/github-reviewed/2024/09/GHSA-xgq9-7gw6-jr5r/GHSA-xgq9-7gw6-jr5r.json similarity index 53% rename from advisories/unreviewed/2024/09/GHSA-xgq9-7gw6-jr5r/GHSA-xgq9-7gw6-jr5r.json rename to advisories/github-reviewed/2024/09/GHSA-xgq9-7gw6-jr5r/GHSA-xgq9-7gw6-jr5r.json index 190adc63683..6254fdf3225 100644 --- a/advisories/unreviewed/2024/09/GHSA-xgq9-7gw6-jr5r/GHSA-xgq9-7gw6-jr5r.json +++ b/advisories/github-reviewed/2024/09/GHSA-xgq9-7gw6-jr5r/GHSA-xgq9-7gw6-jr5r.json 
@@ -1,26 +1,53 @@ { "schema_version": "1.4.0", "id": "GHSA-xgq9-7gw6-jr5r", - "modified": "2024-09-16T15:32:46Z", + "modified": "2024-09-16T20:20:59Z", "published": "2024-09-16T15:32:46Z", "aliases": [ "CVE-2024-45835" ], + "summary": "Mattermost Desktop App fails to sufficiently configure Electron Fuses", "details": "Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ - + { + "package": { + "ecosystem": "npm", + "name": "mattermost-desktop" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.9.0" + } + ] + } + ] + } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45835" }, + { + "type": "PACKAGE", + "url": "https://github.com/mattermost/desktop" + }, { "type": "WEB", "url": "https://mattermost.com/security-updates" @@ -31,8 +58,8 @@ "CWE-693" ], "severity": "LOW", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T20:20:59Z", "nvd_published_at": "2024-09-16T15:15:16Z" } } \ No newline at end of file From a8c89e7e3aef4d4c8744c3d24ef3f015b43de2c6 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 20:35:53 +0000 Subject: [PATCH 119/170] Publish GHSA-mmhx-hmjr-r674 --- .../GHSA-mmhx-hmjr-r674.json | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json 
diff --git a/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json b/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json new file mode 100644 index 00000000000..3dda8872c21 --- /dev/null +++ b/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json 
@@ -0,0 +1,88 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mmhx-hmjr-r674", + "modified": "2024-09-16T20:34:26Z", + "published": "2024-09-16T20:34:26Z", + "aliases": [ + "CVE-2024-45801" + ], + "summary": "DOMPurify allows tampering by prototype pol;ution", + "details": "It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.\n\nThis renders dompurify unable to avoid XSS attack.\n\nFixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "dompurify" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.5.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "npm", + "name": "dompurify" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.1.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674" + }, + { + "type": "WEB", + "url": "https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21" + }, + { + "type": "WEB", + "url": "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc" + }, + { + "type": "PACKAGE", + "url": "https://github.com/cure53/DOMPurify" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1321" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": 
"2024-09-16T20:34:26Z", + "nvd_published_at": null + } +} \ No newline at end of file From 63d782d101418c47fec0ccc451bf0d9fdfda7f24 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 20:38:47 +0000 Subject: [PATCH 120/170] Publish GHSA-mmhx-hmjr-r674 --- .../2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json b/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json index 3dda8872c21..cb82ee1b9da 100644 --- a/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json +++ b/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json @@ -1,12 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-mmhx-hmjr-r674", - "modified": "2024-09-16T20:34:26Z", + "modified": "2024-09-16T20:36:52Z", "published": "2024-09-16T20:34:26Z", "aliases": [ "CVE-2024-45801" ], - "summary": "DOMPurify allows tampering by prototype pol;ution", + "summary": "DOMPurify allows tampering by prototype pollution", "details": "It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.\n\nThis renders dompurify unable to avoid XSS attack.\n\nFixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).", "severity": [ { From 0be05b5ab81ce76d0c1c00c04dd29203ddcb826d Mon Sep 17 00:00:00 2001 
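Review bot: `cwe_ids` in the new GHSA-mmhx-hmjr-r674 file lists only `"CWE-1321"`, while the details state the outcome as a sanitizer bypass that "renders dompurify unable to avoid XSS attack". Teams that filter or route advisories by CWE will not see this entry under cross-site scripting. Adding `"CWE-79"` next to `"CWE-1321"` would match the impact the text describes.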
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:10:35 +0000 Subject: [PATCH 121/170] Publish GHSA-7j69-qfc3-2fq9 --- .../2023/12/GHSA-7j69-qfc3-2fq9/GHSA-7j69-qfc3-2fq9.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2023/12/GHSA-7j69-qfc3-2fq9/GHSA-7j69-qfc3-2fq9.json b/advisories/github-reviewed/2023/12/GHSA-7j69-qfc3-2fq9/GHSA-7j69-qfc3-2fq9.json index 10e282315ce..b6d8d46bd56 100644 --- a/advisories/github-reviewed/2023/12/GHSA-7j69-qfc3-2fq9/GHSA-7j69-qfc3-2fq9.json +++ b/advisories/github-reviewed/2023/12/GHSA-7j69-qfc3-2fq9/GHSA-7j69-qfc3-2fq9.json @@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-7j69-qfc3-2fq9", - "modified": "2024-04-25T18:49:43Z", + "modified": "2024-09-16T21:08:57Z", "published": "2023-12-13T00:30:37Z", "aliases": [ "CVE-2023-5764" ], "summary": "Ansible template injection vulnerability", - "details": "A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce code injection when supplying templating data.", + "details": "A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.", "severity": [ { "type": "CVSS_V3", From a35ad1a1d9883900a226a0be02f25b99f7cc940f Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:13:13 +0000 Subject: [PATCH 122/170] Publish Advisories GHSA-9gq6-6936-885w GHSA-c85f-pcx6-2ghm GHSA-crmg-rp64-5cm3 GHSA-v6g6-3cm3-vf6c GHSA-wcjw-3v6p-4v3r GHSA-wf9g-c67g-h4ch --- .../2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json | 3 ++- .../2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json | 3 ++- .../2024/09/GHSA-crmg-rp64-5cm3/GHSA-crmg-rp64-5cm3.json | 3 ++- .../2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json | 3 ++- .../2024/09/GHSA-wcjw-3v6p-4v3r/GHSA-wcjw-3v6p-4v3r.json | 3 ++- .../2024/09/GHSA-wf9g-c67g-h4ch/GHSA-wf9g-c67g-h4ch.json | 3 ++- 6 files changed, 12 insertions(+), 6 deletions(-) diff --git a/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json b/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json index 49d4c618f5d..82aebe29b26 100644 --- a/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json +++ b/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9gq6-6936-885w", - "modified": "2024-09-12T17:03:57Z", + "modified": "2024-09-16T21:12:06Z", "published": "2024-09-12T15:33:00Z", "aliases": [ "CVE-2024-45848" @@ -59,6 +59,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-94", "CWE-95" ], "severity": "HIGH", diff --git a/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json b/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json index 900f25ee716..385110b7575 100644 --- a/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json +++ b/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-c85f-pcx6-2ghm", - "modified": "2024-09-12T17:03:55Z", + "modified": "2024-09-16T21:12:15Z", "published": "2024-09-12T15:33:00Z", "aliases": [ "CVE-2024-45849" @@ -59,6 +59,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-94", "CWE-95" ], "severity": "HIGH", diff --git a/advisories/github-reviewed/2024/09/GHSA-crmg-rp64-5cm3/GHSA-crmg-rp64-5cm3.json b/advisories/github-reviewed/2024/09/GHSA-crmg-rp64-5cm3/GHSA-crmg-rp64-5cm3.json index eb7a7d8d96d..65fa1ce031d 100644 --- a/advisories/github-reviewed/2024/09/GHSA-crmg-rp64-5cm3/GHSA-crmg-rp64-5cm3.json +++ b/advisories/github-reviewed/2024/09/GHSA-crmg-rp64-5cm3/GHSA-crmg-rp64-5cm3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-crmg-rp64-5cm3", - "modified": "2024-09-12T17:03:59Z", + "modified": "2024-09-16T21:11:56Z", "published": "2024-09-12T15:33:00Z", "aliases": [ "CVE-2024-45847" @@ -59,6 +59,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-94", "CWE-95" ], "severity": "HIGH", diff --git a/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json b/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json index 03a15966b58..30b7298779a 100644 --- a/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json +++ b/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-v6g6-3cm3-vf6c", - "modified": "2024-09-12T17:03:53Z", + "modified": "2024-09-16T21:12:25Z", "published": "2024-09-12T15:33:00Z", "aliases": [ "CVE-2024-45850" @@ -59,6 +59,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-94", "CWE-95" ], "severity": "HIGH", diff --git a/advisories/github-reviewed/2024/09/GHSA-wcjw-3v6p-4v3r/GHSA-wcjw-3v6p-4v3r.json b/advisories/github-reviewed/2024/09/GHSA-wcjw-3v6p-4v3r/GHSA-wcjw-3v6p-4v3r.json index 6ecc1746562..77c3d8fe26b 100644 
--- a/advisories/github-reviewed/2024/09/GHSA-wcjw-3v6p-4v3r/GHSA-wcjw-3v6p-4v3r.json +++ b/advisories/github-reviewed/2024/09/GHSA-wcjw-3v6p-4v3r/GHSA-wcjw-3v6p-4v3r.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-wcjw-3v6p-4v3r", - "modified": "2024-09-12T17:04:01Z", + "modified": "2024-09-16T21:11:46Z", "published": "2024-09-12T15:33:00Z", "aliases": [ "CVE-2024-45846" @@ -59,6 +59,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-94", "CWE-95" ], "severity": "HIGH", diff --git a/advisories/github-reviewed/2024/09/GHSA-wf9g-c67g-h4ch/GHSA-wf9g-c67g-h4ch.json b/advisories/github-reviewed/2024/09/GHSA-wf9g-c67g-h4ch/GHSA-wf9g-c67g-h4ch.json index a1062131926..5a5c6877796 100644 --- a/advisories/github-reviewed/2024/09/GHSA-wf9g-c67g-h4ch/GHSA-wf9g-c67g-h4ch.json +++ b/advisories/github-reviewed/2024/09/GHSA-wf9g-c67g-h4ch/GHSA-wf9g-c67g-h4ch.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-wf9g-c67g-h4ch", - "modified": "2024-09-12T17:03:51Z", + "modified": "2024-09-16T21:12:35Z", "published": "2024-09-12T15:33:01Z", "aliases": [ "CVE-2024-45851" @@ -59,6 +59,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-94", "CWE-95" ], "severity": "HIGH", From 73158873a61d22224186e143dcbb2be2f7f4450b Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:24:05 +0000 Subject: [PATCH 123/170] Publish Advisories GHSA-w6qf-42m7-vh68 GHSA-xmxj-v2q8-8qx6 GHSA-xmxj-v2q8-8qx6 --- .../GHSA-w6qf-42m7-vh68.json | 62 ++++++++++- .../GHSA-xmxj-v2q8-8qx6.json | 100 ++++++++++++++++++ .../GHSA-xmxj-v2q8-8qx6.json | 50 --------- 3 files changed, 158 insertions(+), 54 deletions(-) rename advisories/{unreviewed => github-reviewed}/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json (67%) create mode 100644 advisories/github-reviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json delete mode 100644 advisories/unreviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json 
diff --git a/advisories/unreviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json b/advisories/github-reviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json similarity index 67% rename from advisories/unreviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json rename to advisories/github-reviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json index a60d96696bb..769b193165c 100644 --- a/advisories/unreviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json +++ b/advisories/github-reviewed/2024/02/GHSA-w6qf-42m7-vh68/GHSA-w6qf-42m7-vh68.json 
@@ -1,26 +1,76 @@ { "schema_version": "1.4.0", "id": "GHSA-w6qf-42m7-vh68", - "modified": "2024-04-17T18:31:31Z", + "modified": "2024-09-16T21:22:33Z", "published": "2024-02-20T00:30:36Z", "aliases": [ "CVE-2024-1635" ], + "summary": "Undertow Uncontrolled Resource Consumption Vulnerability", "details": "A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. \n\nAt HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. 
So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ - + { + "package": { + "ecosystem": "Maven", + "name": "io.undertow:undertow-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0.Final" + }, + { + "fixed": "2.3.12.Final" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "io.undertow:undertow-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.31.Final" + } + ] + } + ] + } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1635" }, + { + "type": "WEB", + "url": "https://github.com/undertow-io/undertow/commit/3cdb104e225f34547ce9fd6eb8799eb68e040f19" + }, + { + "type": "WEB", + "url": "https://github.com/undertow-io/undertow/commit/7d388c5aae9b82afb63f24e3b6a2044838dfb4de" + }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:1674" @@ -65,6 +115,10 @@ "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264928" }, + { + "type": "PACKAGE", + "url": "https://github.com/undertow-io/undertow" + }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240322-0007" @@ -75,8 +129,8 @@ "CWE-400" ], "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T21:22:33Z", "nvd_published_at": "2024-02-19T22:15:48Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json b/advisories/github-reviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json new file mode 100644 index 00000000000..5542643279e --- /dev/null 
+++ b/advisories/github-reviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json 
@@ -0,0 +1,100 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xmxj-v2q8-8qx6", + "modified": "2024-09-16T21:23:24Z", + "published": "2024-09-16T18:31:22Z", + "aliases": [ + "CVE-2024-8661" + ], + "summary": "Concrete CMS Stored XSS in the \"Next&Previous Nav\" block", + "details": "Concrete CMS versions 9.0.0 to 9.3.4 and below 8.5.19 are vulnerable to Stored XSS in the \"Next&Previous Nav\" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. Since the \"Next&Previous Nav\" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "concrete5/concrete5" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "8.5.19" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "concrete5/concrete5" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.3.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8661" + }, + { + "type": "WEB", + "url": "https://github.com/concretecms/concretecms/pull/12204" + }, + { + "type": "WEB", + "url": "https://github.com/concretecms/concretecms/commit/3e548b416ae32efee1e0a42c4510be1106c7eb25" + }, + { + "type": "WEB", + "url": "https://github.com/concretecms/concretecms/commit/ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4" + }, + { + "type": "WEB", + "url": 
"https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes" + }, + { + "type": "WEB", + "url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes" + }, + { + "type": "PACKAGE", + "url": "https://github.com/concretecms/concretecms" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T21:23:24Z", + "nvd_published_at": "2024-09-16T18:15:54Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json b/advisories/unreviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json deleted file mode 100644 index 38db45998a6..00000000000 --- a/advisories/unreviewed/2024/09/GHSA-xmxj-v2q8-8qx6/GHSA-xmxj-v2q8-8qx6.json +++ /dev/null 
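Review bot: The `details` text added for GHSA-xmxj-v2q8-8qx6 says versions "9.0.0 to 9.3.4" are vulnerable, which reads as including 9.3.4, while the second `affected` range sets `"fixed": "9.3.4"` and the references point at the 9.3.4 release notes. Anyone triaging from the prose rather than the range could treat a patched 9.3.4 install as still exposed. Wording such as `9.0.0 up to but not including 9.3.4` would match the range. The reporter acknowledgement in the deleted unreviewed copy was also dropped from `details`, and no `credits` entry was added to carry it.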
@@ -1,50 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-xmxj-v2q8-8qx6", - "modified": "2024-09-16T18:31:22Z", - "published": "2024-09-16T18:31:22Z", - "aliases": [ - "CVE-2024-8661" - ], - "details": "Concrete CMS versions 9.0.0 to 9.3.4 and below 8.5.18 are vulnerable to Stored XSS in the \"Next&Previous Nav\" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N  Since the \"Next&Previous Nav\" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks, Chu Quoc Khanh for reporting.", - "severity": [ - { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8661" - }, - { - "type": "WEB", - "url": "https://github.com/concretecms/concretecms/pull/12204" - }, - { - "type": "WEB", - "url": "https://github.com/concretecms/concretecms/commit/ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4" - }, - { - "type": "WEB", - "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes" - }, - { - "type": "WEB", - "url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-09-16T18:15:54Z" - } -} \ No newline at end of file 
From 52ac8e06a3c15e0767fa555717b1b43a453d648b Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:26:09 +0000 Subject: [PATCH 124/170] Publish Advisories GHSA-hxf9-7h4c-f5jv GHSA-hq4r-47qc-3jhc --- .../07/GHSA-hxf9-7h4c-f5jv/GHSA-hxf9-7h4c-f5jv.json | 10 +++++++++- .../05/GHSA-hq4r-47qc-3jhc/GHSA-hq4r-47qc-3jhc.json | 12 ++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-hxf9-7h4c-f5jv/GHSA-hxf9-7h4c-f5jv.json b/advisories/github-reviewed/2018/07/GHSA-hxf9-7h4c-f5jv/GHSA-hxf9-7h4c-f5jv.json index d6b6c2da662..3a87cf35d92 100644 --- a/advisories/github-reviewed/2018/07/GHSA-hxf9-7h4c-f5jv/GHSA-hxf9-7h4c-f5jv.json +++ b/advisories/github-reviewed/2018/07/GHSA-hxf9-7h4c-f5jv/GHSA-hxf9-7h4c-f5jv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hxf9-7h4c-f5jv", - "modified": "2022-04-26T18:07:11Z", + "modified": "2024-09-16T21:24:24Z", "published": "2018-07-12T20:30:40Z", "aliases": [ "CVE-2018-6596" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -73,6 +77,10 @@ "type": "WEB", "url": "https://github.com/anymail/django-anymail/releases/tag/v1.3" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-anymail/PYSEC-2018-7.yaml" + }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4107" diff --git a/advisories/github-reviewed/2022/05/GHSA-hq4r-47qc-3jhc/GHSA-hq4r-47qc-3jhc.json b/advisories/github-reviewed/2022/05/GHSA-hq4r-47qc-3jhc/GHSA-hq4r-47qc-3jhc.json index 954f2d10ff4..73432e4e9b3 100644 --- a/advisories/github-reviewed/2022/05/GHSA-hq4r-47qc-3jhc/GHSA-hq4r-47qc-3jhc.json +++ b/advisories/github-reviewed/2022/05/GHSA-hq4r-47qc-3jhc/GHSA-hq4r-47qc-3jhc.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hq4r-47qc-3jhc", - "modified": "2023-08-31T16:12:41Z", + "modified": "2024-09-16T21:25:32Z", "published": "2022-05-13T01:11:25Z", "aliases": [ "CVE-2018-16552" @@ -12,13 +12,17 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "Django-CRM" + "name": "django-crm" }, "ranges": [ { @@ -47,6 +51,10 @@ { "type": "PACKAGE", "url": "https://github.com/MicroPyramid/Django-CRM" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-crm/PYSEC-2018-65.yaml" } ], "database_specific": { From 08289c595918d3c51f0d3ee98bc1c2c00ac9e2ab Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:28:11 +0000 Subject: [PATCH 125/170] Publish Advisories GHSA-m38j-pmg3-v5x5 GHSA-qh9x-mc42-vg4g --- .../GHSA-m38j-pmg3-v5x5/GHSA-m38j-pmg3-v5x5.json | 14 +++++++++++++- .../GHSA-qh9x-mc42-vg4g/GHSA-qh9x-mc42-vg4g.json | 6 +++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2020/06/GHSA-m38j-pmg3-v5x5/GHSA-m38j-pmg3-v5x5.json b/advisories/github-reviewed/2020/06/GHSA-m38j-pmg3-v5x5/GHSA-m38j-pmg3-v5x5.json index e2e93698e53..1286bb641b7 100644 --- a/advisories/github-reviewed/2020/06/GHSA-m38j-pmg3-v5x5/GHSA-m38j-pmg3-v5x5.json +++ b/advisories/github-reviewed/2020/06/GHSA-m38j-pmg3-v5x5/GHSA-m38j-pmg3-v5x5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m38j-pmg3-v5x5", - "modified": "2021-01-07T23:50:14Z", + "modified": "2024-09-16T21:26:35Z", "published": "2020-06-23T19:58:27Z", "aliases": [ "CVE-2020-4071" 
@@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" } ], "affected": [ @@ -48,6 +52,14 @@ "type": "WEB", "url": "https://github.com/tm-kn/django-basic-auth-ip-whitelist/commit/effe05ed1ed9e1ccc675a65b69d36217e5c5dfc6" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-basic-auth-ip-whitelist/PYSEC-2020-37.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/tm-kn/django-basic-auth-ip-whitelist" + }, { "type": "WEB", "url": "https://groups.google.com/forum/#!msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ" diff --git a/advisories/github-reviewed/2022/05/GHSA-qh9x-mc42-vg4g/GHSA-qh9x-mc42-vg4g.json b/advisories/github-reviewed/2022/05/GHSA-qh9x-mc42-vg4g/GHSA-qh9x-mc42-vg4g.json index 14774c6a1f6..02d628c5af0 100644 --- a/advisories/github-reviewed/2022/05/GHSA-qh9x-mc42-vg4g/GHSA-qh9x-mc42-vg4g.json +++ b/advisories/github-reviewed/2022/05/GHSA-qh9x-mc42-vg4g/GHSA-qh9x-mc42-vg4g.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-qh9x-mc42-vg4g", - "modified": "2022-07-27T21:33:52Z", + "modified": "2024-09-16T21:27:22Z", "published": "2022-05-14T03:32:28Z", "aliases": [ "CVE-2018-1000089" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From 3c88e5a21df3eb2ed8a17ddc94e5443f6669a0a7 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:30:10 +0000 Subject: [PATCH 126/170] Publish Advisories GHSA-58c7-px5v-82hh GHSA-wxmr-7xjv-8xqw --- .../GHSA-58c7-px5v-82hh.json | 10 ++++++- .../GHSA-wxmr-7xjv-8xqw.json | 26 ++++++++++++++++--- 2 files changed, 32 insertions(+), 4 deletions(-) 
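Review bot: The `CVSS_V4` vector added for GHSA-m38j-pmg3-v5x5 starts `AV:N/AC:L/AT:P`, while the existing `CVSS_V3` entry in the same `severity` array is `AV:P/AC:H`, so the two entries describe different attack vectors (physical vs network) for one advisory. The same disagreement appears in the GHSA-58c7-px5v-82hh hunk, where V3 has `AV:L` and the new V4 has `AV:N`. Tooling that prefers the V4 entry will rank both as network-reachable. Either the V4 vectors should carry `AV:P` and `AV:L` respectively, or the V3 entries need correcting, whichever the advisory analysis supports.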
diff --git a/advisories/github-reviewed/2021/04/GHSA-58c7-px5v-82hh/GHSA-58c7-px5v-82hh.json b/advisories/github-reviewed/2021/04/GHSA-58c7-px5v-82hh/GHSA-58c7-px5v-82hh.json index f9ba78c972e..1428feb16bd 100644 --- a/advisories/github-reviewed/2021/04/GHSA-58c7-px5v-82hh/GHSA-58c7-px5v-82hh.json +++ b/advisories/github-reviewed/2021/04/GHSA-58c7-px5v-82hh/GHSA-58c7-px5v-82hh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-58c7-px5v-82hh", - "modified": "2023-03-30T14:48:14Z", + "modified": "2024-09-16T21:29:06Z", "published": "2021-04-06T17:28:59Z", "aliases": [ "CVE-2021-21416" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -48,6 +52,10 @@ "type": "WEB", "url": "https://github.com/ubernostrum/django-registration/commit/2db0bb7ec35636ea46b07b146328b87b2cb13ca5" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-registration/PYSEC-2021-11.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/ubernostrum/django-registration" diff --git a/advisories/github-reviewed/2022/05/GHSA-wxmr-7xjv-8xqw/GHSA-wxmr-7xjv-8xqw.json b/advisories/github-reviewed/2022/05/GHSA-wxmr-7xjv-8xqw/GHSA-wxmr-7xjv-8xqw.json index 1d269de0176..162b197876f 100644 --- a/advisories/github-reviewed/2022/05/GHSA-wxmr-7xjv-8xqw/GHSA-wxmr-7xjv-8xqw.json +++ b/advisories/github-reviewed/2022/05/GHSA-wxmr-7xjv-8xqw/GHSA-wxmr-7xjv-8xqw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-wxmr-7xjv-8xqw", - "modified": "2023-08-04T23:07:33Z", + "modified": "2024-09-16T21:28:10Z", "published": "2022-05-17T04:13:43Z", "aliases": [ "CVE-2015-0846" 
@@ -9,7 +9,14 @@ "summary": "django-markupfield Arbitrary File Read", "details": "django-markupfield before 1.3.2 uses the default docutils `RESTRUCTUREDTEXT_FILTER_SETTINGS` settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -17,6 +24,11 @@ "ecosystem": "PyPI", "name": "django-markupfield" }, + "ecosystem_specific": { + "affected_functions": [ + "markupfield.markup.render_rest" + ] + }, "ranges": [ { "type": "ECOSYSTEM", @@ -49,6 +61,14 @@ "type": "WEB", "url": "https://github.com/jamesturk/django-markupfield/blob/1.3.3/CHANGELOG" }, + { + "type": "WEB", + "url": "https://github.com/jamesturk/django-markupfield/blob/master/CHANGELOG" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-markupfield/PYSEC-2015-12.yaml" + }, { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2015/apr/21/docutils-security-advisory" @@ -62,7 +82,7 @@ "cwe_ids": [ "CWE-200" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-08-04T23:07:33Z", "nvd_published_at": "2015-04-24T14:59:00Z" From 5bbfa2c1211008d086fb969890f574f93b709e6b Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:32:20 +0000 Subject: [PATCH 127/170] Publish Advisories GHSA-5j2h-h5hg-3wf8 GHSA-qg36-9jxh-fj25 GHSA-pw8x-9www-h93w GHSA-5f54-x7j7-36p3 GHSA-9jg3-6mw2-g4q7 GHSA-5g5h-vp5m-chrx GHSA-v979-36xg-vp67 GHSA-r827-5p5r-w6f5 GHSA-3fpg-j8cw-vcjq GHSA-mqqf-4p7r-rf89 GHSA-q6w6-rjjj-5p52 GHSA-8g25-xmmm-86qm GHSA-2jpm-3fv2-55wf GHSA-2jvw-9p97-g4qj GHSA-42h3-v86m-8hc5 GHSA-5qfp-r7q3-257g GHSA-68ww-7h9f-48qx GHSA-7j8v-7qw4-w29q GHSA-8xm2-mrh9-q3x9 GHSA-99qx-qpwq-jm99 GHSA-f3mw-pmh2-74wc GHSA-mq89-7cwq-chfg GHSA-wpr3-95vq-q76j GHSA-x7c7-rpwp-w6fw --- .../GHSA-5j2h-h5hg-3wf8.json | 21 +++++++--- .../GHSA-qg36-9jxh-fj25.json | 6 ++- .../GHSA-pw8x-9www-h93w.json | 2 +- .../GHSA-5f54-x7j7-36p3.json | 2 +- .../GHSA-9jg3-6mw2-g4q7.json | 2 +- .../GHSA-5g5h-vp5m-chrx.json | 2 +- .../GHSA-v979-36xg-vp67.json | 2 +- .../GHSA-r827-5p5r-w6f5.json | 2 +- .../GHSA-3fpg-j8cw-vcjq.json | 6 ++- .../GHSA-mqqf-4p7r-rf89.json | 6 ++- .../GHSA-q6w6-rjjj-5p52.json | 6 ++- .../GHSA-8g25-xmmm-86qm.json | 2 +- .../GHSA-2jpm-3fv2-55wf.json | 38 ++++++++++++++++++ .../GHSA-2jvw-9p97-g4qj.json | 39 +++++++++++++++++++ .../GHSA-42h3-v86m-8hc5.json | 35 +++++++++++++++++ .../GHSA-5qfp-r7q3-257g.json | 35 +++++++++++++++++ .../GHSA-68ww-7h9f-48qx.json | 35 +++++++++++++++++ .../GHSA-7j8v-7qw4-w29q.json | 35 +++++++++++++++++ .../GHSA-8xm2-mrh9-q3x9.json | 39 +++++++++++++++++++ .../GHSA-99qx-qpwq-jm99.json | 38 ++++++++++++++++++ .../GHSA-f3mw-pmh2-74wc.json | 35 +++++++++++++++++ .../GHSA-mq89-7cwq-chfg.json | 35 +++++++++++++++++ .../GHSA-wpr3-95vq-q76j.json | 39 +++++++++++++++++++ .../GHSA-x7c7-rpwp-w6fw.json | 39 +++++++++++++++++++ 24 files changed, 485 insertions(+), 16 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-2jpm-3fv2-55wf/GHSA-2jpm-3fv2-55wf.json create mode 100644 advisories/unreviewed/2024/09/GHSA-2jvw-9p97-g4qj/GHSA-2jvw-9p97-g4qj.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-42h3-v86m-8hc5/GHSA-42h3-v86m-8hc5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-5qfp-r7q3-257g/GHSA-5qfp-r7q3-257g.json create mode 100644 advisories/unreviewed/2024/09/GHSA-68ww-7h9f-48qx/GHSA-68ww-7h9f-48qx.json create mode 100644 advisories/unreviewed/2024/09/GHSA-7j8v-7qw4-w29q/GHSA-7j8v-7qw4-w29q.json create mode 100644 advisories/unreviewed/2024/09/GHSA-8xm2-mrh9-q3x9/GHSA-8xm2-mrh9-q3x9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-99qx-qpwq-jm99/GHSA-99qx-qpwq-jm99.json create mode 100644 advisories/unreviewed/2024/09/GHSA-f3mw-pmh2-74wc/GHSA-f3mw-pmh2-74wc.json create mode 100644 advisories/unreviewed/2024/09/GHSA-mq89-7cwq-chfg/GHSA-mq89-7cwq-chfg.json create mode 100644 advisories/unreviewed/2024/09/GHSA-wpr3-95vq-q76j/GHSA-wpr3-95vq-q76j.json create mode 100644 advisories/unreviewed/2024/09/GHSA-x7c7-rpwp-w6fw/GHSA-x7c7-rpwp-w6fw.json diff --git a/advisories/github-reviewed/2018/07/GHSA-5j2h-h5hg-3wf8/GHSA-5j2h-h5hg-3wf8.json b/advisories/github-reviewed/2018/07/GHSA-5j2h-h5hg-3wf8/GHSA-5j2h-h5hg-3wf8.json index b3b38e905ad..8795ec968e6 100644 --- a/advisories/github-reviewed/2018/07/GHSA-5j2h-h5hg-3wf8/GHSA-5j2h-h5hg-3wf8.json +++ b/advisories/github-reviewed/2018/07/GHSA-5j2h-h5hg-3wf8/GHSA-5j2h-h5hg-3wf8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5j2h-h5hg-3wf8", - "modified": "2024-05-16T18:44:20Z", + "modified": "2024-09-16T21:30:38Z", "published": "2018-07-23T19:51:10Z", "aliases": [ "CVE-2011-0696" 
@@ -9,7 +9,14 @@ "summary": "Cross-site request forgery in Django", "details": "Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a \"combination of browser plugins and redirects,\" a related issue to CVE-2011-0447.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -22,7 +29,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.1.0" + "introduced": "1.1" }, { "fixed": "1.1.4" @@ -41,7 +48,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.2.0" + "introduced": "1.2" }, { "fixed": "1.2.5" @@ -76,6 +83,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-10.yaml" + }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html" @@ -149,7 +160,7 @@ "cwe_ids": [ "CWE-352" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:16:24Z", "nvd_published_at": null diff --git a/advisories/github-reviewed/2023/05/GHSA-qg36-9jxh-fj25/GHSA-qg36-9jxh-fj25.json b/advisories/github-reviewed/2023/05/GHSA-qg36-9jxh-fj25/GHSA-qg36-9jxh-fj25.json index 3b1eb41e89c..b0866a79d39 100644 --- a/advisories/github-reviewed/2023/05/GHSA-qg36-9jxh-fj25/GHSA-qg36-9jxh-fj25.json +++ b/advisories/github-reviewed/2023/05/GHSA-qg36-9jxh-fj25/GHSA-qg36-9jxh-fj25.json 
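Review bot: In GHSA-5j2h-h5hg-3wf8 the added `CVSS_V3` vector ends `C:N/I:H/A:N` but the added `CVSS_V4` vector has `VC:H/VI:N/VA:N`, so confidentiality and integrity are swapped between the two entries. The advisory is a CSRF issue (`CWE-352`), which fits the integrity reading, so the V4 impact metrics probably should be `VC:N/VI:H/VA:N`. The V4 vector also sets `AT:P` where V3 has `AC:L`. That is worth confirming, because the same change raises `severity` from MODERATE to HIGH.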
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-qg36-9jxh-fj25", - "modified": "2023-05-26T21:50:46Z", + "modified": "2024-09-16T21:31:26Z", "published": "2023-05-22T19:41:56Z", "aliases": [ "CVE-2023-33185" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" } ], "affected": [ diff --git a/advisories/unreviewed/2021/12/GHSA-pw8x-9www-h93w/GHSA-pw8x-9www-h93w.json b/advisories/unreviewed/2021/12/GHSA-pw8x-9www-h93w/GHSA-pw8x-9www-h93w.json index 7da4140fabb..beec83e9372 100644 --- a/advisories/unreviewed/2021/12/GHSA-pw8x-9www-h93w/GHSA-pw8x-9www-h93w.json +++ b/advisories/unreviewed/2021/12/GHSA-pw8x-9www-h93w/GHSA-pw8x-9www-h93w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pw8x-9www-h93w", - "modified": "2022-10-08T00:00:18Z", + "modified": "2024-09-16T21:30:32Z", "published": "2021-12-21T00:00:39Z", "aliases": [ "CVE-2021-35234" diff --git a/advisories/unreviewed/2022/01/GHSA-5f54-x7j7-36p3/GHSA-5f54-x7j7-36p3.json b/advisories/unreviewed/2022/01/GHSA-5f54-x7j7-36p3/GHSA-5f54-x7j7-36p3.json index 17b7464c07f..576986db67d 100644 --- a/advisories/unreviewed/2022/01/GHSA-5f54-x7j7-36p3/GHSA-5f54-x7j7-36p3.json +++ b/advisories/unreviewed/2022/01/GHSA-5f54-x7j7-36p3/GHSA-5f54-x7j7-36p3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5f54-x7j7-36p3", - "modified": "2022-04-29T00:00:57Z", + "modified": "2024-09-16T21:30:32Z", "published": "2022-01-21T00:00:48Z", "aliases": [ "CVE-2021-34600" diff --git a/advisories/unreviewed/2022/03/GHSA-9jg3-6mw2-g4q7/GHSA-9jg3-6mw2-g4q7.json b/advisories/unreviewed/2022/03/GHSA-9jg3-6mw2-g4q7/GHSA-9jg3-6mw2-g4q7.json index 13c85eaa332..f315c825bd5 100644 --- a/advisories/unreviewed/2022/03/GHSA-9jg3-6mw2-g4q7/GHSA-9jg3-6mw2-g4q7.json +++ b/advisories/unreviewed/2022/03/GHSA-9jg3-6mw2-g4q7/GHSA-9jg3-6mw2-g4q7.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9jg3-6mw2-g4q7", - "modified": "2023-02-13T06:31:00Z", + "modified": "2024-09-16T21:30:32Z", "published": "2022-03-19T00:00:59Z", "aliases": [ "CVE-2021-23209" diff --git a/advisories/unreviewed/2022/05/GHSA-5g5h-vp5m-chrx/GHSA-5g5h-vp5m-chrx.json b/advisories/unreviewed/2022/05/GHSA-5g5h-vp5m-chrx/GHSA-5g5h-vp5m-chrx.json index 2cf9fb2b35b..11c3f95cd18 100644 --- a/advisories/unreviewed/2022/05/GHSA-5g5h-vp5m-chrx/GHSA-5g5h-vp5m-chrx.json +++ b/advisories/unreviewed/2022/05/GHSA-5g5h-vp5m-chrx/GHSA-5g5h-vp5m-chrx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5g5h-vp5m-chrx", - "modified": "2023-09-03T18:30:18Z", + "modified": "2024-09-16T21:30:32Z", "published": "2022-05-24T19:16:18Z", "aliases": [ "CVE-2021-3825" diff --git a/advisories/unreviewed/2022/11/GHSA-v979-36xg-vp67/GHSA-v979-36xg-vp67.json b/advisories/unreviewed/2022/11/GHSA-v979-36xg-vp67/GHSA-v979-36xg-vp67.json index 2bee9a53d6c..1ea37b0ca56 100644 --- a/advisories/unreviewed/2022/11/GHSA-v979-36xg-vp67/GHSA-v979-36xg-vp67.json +++ b/advisories/unreviewed/2022/11/GHSA-v979-36xg-vp67/GHSA-v979-36xg-vp67.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-v979-36xg-vp67", - "modified": "2022-11-22T21:30:17Z", + "modified": "2024-09-16T21:30:34Z", "published": "2022-11-18T09:30:25Z", "aliases": [ "CVE-2022-24037" diff --git a/advisories/unreviewed/2023/07/GHSA-r827-5p5r-w6f5/GHSA-r827-5p5r-w6f5.json b/advisories/unreviewed/2023/07/GHSA-r827-5p5r-w6f5/GHSA-r827-5p5r-w6f5.json index 26b8fac5fee..b83d72a4192 100644 --- a/advisories/unreviewed/2023/07/GHSA-r827-5p5r-w6f5/GHSA-r827-5p5r-w6f5.json +++ b/advisories/unreviewed/2023/07/GHSA-r827-5p5r-w6f5/GHSA-r827-5p5r-w6f5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-r827-5p5r-w6f5", - "modified": "2024-02-01T18:31:04Z", + "modified": "2024-09-16T21:30:35Z", "published": "2023-07-06T19:24:05Z", "aliases": [ "CVE-2022-2808" 
diff --git a/advisories/unreviewed/2024/04/GHSA-3fpg-j8cw-vcjq/GHSA-3fpg-j8cw-vcjq.json b/advisories/unreviewed/2024/04/GHSA-3fpg-j8cw-vcjq/GHSA-3fpg-j8cw-vcjq.json index 92d3503ecf3..9c438184d04 100644 --- a/advisories/unreviewed/2024/04/GHSA-3fpg-j8cw-vcjq/GHSA-3fpg-j8cw-vcjq.json +++ b/advisories/unreviewed/2024/04/GHSA-3fpg-j8cw-vcjq/GHSA-3fpg-j8cw-vcjq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3fpg-j8cw-vcjq", - "modified": "2024-05-22T18:30:40Z", + "modified": "2024-09-16T21:30:37Z", "published": "2024-04-04T15:30:34Z", "aliases": [ "CVE-2024-31081" @@ -45,6 +45,10 @@ "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2024-31081" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:3343" + }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:3261" diff --git a/advisories/unreviewed/2024/04/GHSA-mqqf-4p7r-rf89/GHSA-mqqf-4p7r-rf89.json b/advisories/unreviewed/2024/04/GHSA-mqqf-4p7r-rf89/GHSA-mqqf-4p7r-rf89.json index cdaa36f3191..a6976fc328c 100644 --- a/advisories/unreviewed/2024/04/GHSA-mqqf-4p7r-rf89/GHSA-mqqf-4p7r-rf89.json +++ b/advisories/unreviewed/2024/04/GHSA-mqqf-4p7r-rf89/GHSA-mqqf-4p7r-rf89.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mqqf-4p7r-rf89", - "modified": "2024-05-22T18:30:40Z", + "modified": "2024-09-16T21:30:37Z", "published": "2024-04-04T15:30:34Z", "aliases": [ "CVE-2024-31080" @@ -45,6 +45,10 @@ "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2024-31080" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:3343" + }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:3261" diff --git a/advisories/unreviewed/2024/04/GHSA-q6w6-rjjj-5p52/GHSA-q6w6-rjjj-5p52.json b/advisories/unreviewed/2024/04/GHSA-q6w6-rjjj-5p52/GHSA-q6w6-rjjj-5p52.json index f949d5f3abc..98787ea7e09 100644 --- a/advisories/unreviewed/2024/04/GHSA-q6w6-rjjj-5p52/GHSA-q6w6-rjjj-5p52.json 
+++ b/advisories/unreviewed/2024/04/GHSA-q6w6-rjjj-5p52/GHSA-q6w6-rjjj-5p52.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q6w6-rjjj-5p52", - "modified": "2024-05-22T18:30:40Z", + "modified": "2024-09-16T21:30:37Z", "published": "2024-04-05T12:31:17Z", "aliases": [ "CVE-2024-31083" @@ -45,6 +45,10 @@ "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2024-31083" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:3343" + }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:3261" diff --git a/advisories/unreviewed/2024/06/GHSA-8g25-xmmm-86qm/GHSA-8g25-xmmm-86qm.json b/advisories/unreviewed/2024/06/GHSA-8g25-xmmm-86qm/GHSA-8g25-xmmm-86qm.json index 1fbdd630911..75558ee67e0 100644 --- a/advisories/unreviewed/2024/06/GHSA-8g25-xmmm-86qm/GHSA-8g25-xmmm-86qm.json +++ b/advisories/unreviewed/2024/06/GHSA-8g25-xmmm-86qm/GHSA-8g25-xmmm-86qm.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8g25-xmmm-86qm", - "modified": "2024-06-27T03:30:55Z", + "modified": "2024-09-16T21:30:37Z", "published": "2024-06-12T09:30:48Z", "aliases": [ "CVE-2024-3183" diff --git a/advisories/unreviewed/2024/09/GHSA-2jpm-3fv2-55wf/GHSA-2jpm-3fv2-55wf.json b/advisories/unreviewed/2024/09/GHSA-2jpm-3fv2-55wf/GHSA-2jpm-3fv2-55wf.json new file mode 100644 index 00000000000..f821a5a97c0 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-2jpm-3fv2-55wf/GHSA-2jpm-3fv2-55wf.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2jpm-3fv2-55wf", + "modified": "2024-09-16T21:30:38Z", + "published": "2024-09-16T21:30:38Z", + "aliases": [ + "CVE-2024-8766" + ], + "details": "Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 38235.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8766" + }, + { + "type": "WEB", + "url": "https://security-advisory.acronis.com/advisories/SEC-7218" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-427" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T20:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-2jvw-9p97-g4qj/GHSA-2jvw-9p97-g4qj.json b/advisories/unreviewed/2024/09/GHSA-2jvw-9p97-g4qj/GHSA-2jvw-9p97-g4qj.json new file mode 100644 index 00000000000..f5f4354fe32 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-2jvw-9p97-g4qj/GHSA-2jvw-9p97-g4qj.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2jvw-9p97-g4qj", + "modified": "2024-09-16T21:30:38Z", + "published": "2024-09-16T21:30:38Z", + "aliases": [ + "CVE-2024-42796" + ], + "details": "An Incorrect Access Control vulnerability was found in /music/ajax.php?action=delete_genre in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete the valid music genre entries.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42796" + }, + { + "type": "WEB", + "url": "https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/Broken%20Access%20Control%20-%20Delete%20Genre.pdf" + }, + { + "type": "WEB", + "url": "https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T20:15:46Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-42h3-v86m-8hc5/GHSA-42h3-v86m-8hc5.json b/advisories/unreviewed/2024/09/GHSA-42h3-v86m-8hc5/GHSA-42h3-v86m-8hc5.json new file mode 100644 index 00000000000..b856178578c --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-42h3-v86m-8hc5/GHSA-42h3-v86m-8hc5.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-42h3-v86m-8hc5", + "modified": "2024-09-16T21:30:38Z", + "published": "2024-09-16T21:30:38Z", + "aliases": [ + "CVE-2024-45414" + ], + "details": "The HTTPD binary in multiple ZTE routers has a stack-based buffer overflow vulnerability in webPrivateDecrypt function. This function is responsible for decrypting RSA encrypted ciphertext, the encrypted data is supplied base64 encoded. The decoded ciphertext is stored on the stack without checking its length. An unauthenticated attacker can get RCE as root by exploiting this vulnerability.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45414" + }, + { + "type": "WEB", + "url": "https://wr3nchsr.github.io/zte-multiple-routers-httpd-vulnerabilities-advisory" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T21:15:45Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-5qfp-r7q3-257g/GHSA-5qfp-r7q3-257g.json b/advisories/unreviewed/2024/09/GHSA-5qfp-r7q3-257g/GHSA-5qfp-r7q3-257g.json new file mode 100644 index 00000000000..3a15be7d06f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-5qfp-r7q3-257g/GHSA-5qfp-r7q3-257g.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5qfp-r7q3-257g", + "modified": "2024-09-16T21:30:38Z", + "published": "2024-09-16T21:30:38Z", + "aliases": [ + "CVE-2024-45416" + ], + "details": "The HTTPD binary in multiple ZTE routers has a local file inclusion vulnerability in session_init function. The session -LUA- files are stored in the directory /var/lua_session, the function iterates on all files in this directory and executes them using the function dofile without any validation if it is a valid session file or not. An attacker who is able to write a malicious file in the sessions directory can get RCE as root.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45416" + }, + { + "type": "WEB", + "url": "https://wr3nchsr.github.io/zte-multiple-routers-httpd-vulnerabilities-advisory" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-16T21:15:46Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-68ww-7h9f-48qx/GHSA-68ww-7h9f-48qx.json b/advisories/unreviewed/2024/09/GHSA-68ww-7h9f-48qx/GHSA-68ww-7h9f-48qx.json new file mode 100644 index 00000000000..e1b25af30ff --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-68ww-7h9f-48qx/GHSA-68ww-7h9f-48qx.json 
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-68ww-7h9f-48qx",
+ "modified": "2024-09-16T21:30:38Z",
+ "published": "2024-09-16T21:30:38Z",
+ "aliases": [
+ "CVE-2024-45415"
+ ],
+ "details": "The HTTPD binary in multiple ZTE routers has a stack-based buffer overflow vulnerability in check_data_integrity function. This function is responsible for validating the checksum of data in post request. The checksum is sent encrypted in the request, the function decrypts it and stores the checksum on the stack without validating it. An unauthenticated attacker can get RCE as root by exploiting this vulnerability.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45415"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wr3nchsr.github.io/zte-multiple-routers-httpd-vulnerabilities-advisory"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T21:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-7j8v-7qw4-w29q/GHSA-7j8v-7qw4-w29q.json b/advisories/unreviewed/2024/09/GHSA-7j8v-7qw4-w29q/GHSA-7j8v-7qw4-w29q.json
new file mode 100644
index 00000000000..bf8d8cf8c3b
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-7j8v-7qw4-w29q/GHSA-7j8v-7qw4-w29q.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7j8v-7qw4-w29q",
+ "modified": "2024-09-16T21:30:38Z",
+ "published": "2024-09-16T21:30:38Z",
+ "aliases": [
+ "CVE-2024-22013"
+ ],
+ "details": "U-Boot environment is read from unauthenticated partition.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22013"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.google.com/product-documentation/answer/14950962?hl=en&ref_topic=12974021&sjid=9595902703262170957-NA#zippy=%2Cwifi"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T20:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-8xm2-mrh9-q3x9/GHSA-8xm2-mrh9-q3x9.json b/advisories/unreviewed/2024/09/GHSA-8xm2-mrh9-q3x9/GHSA-8xm2-mrh9-q3x9.json
new file mode 100644
index 00000000000..ba4e5e4e2e0
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-8xm2-mrh9-q3x9/GHSA-8xm2-mrh9-q3x9.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8xm2-mrh9-q3x9",
+ "modified": "2024-09-16T21:30:38Z",
+ "published": "2024-09-16T21:30:38Z",
+ "aliases": [
+ "CVE-2024-42798"
+ ],
+ "details": "An Incorrect Access Control vulnerability was found in /music/index.php?page=user_list and /music/index.php?page=edit_user in Kashipara Music Management System v1.0. This allows a low privileged attacker to take over the administrator account.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42798"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/Broken%20Access%20Control%20-%20Priv%20Esc%20-%20Save%20Edit%20User%20-%20AC%20Takeover.pdf"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.kashipara.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T20:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-99qx-qpwq-jm99/GHSA-99qx-qpwq-jm99.json b/advisories/unreviewed/2024/09/GHSA-99qx-qpwq-jm99/GHSA-99qx-qpwq-jm99.json
new file mode 100644
index 00000000000..05b502848f3
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-99qx-qpwq-jm99/GHSA-99qx-qpwq-jm99.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-99qx-qpwq-jm99",
+ "modified": "2024-09-16T21:30:38Z",
+ "published": "2024-09-16T21:30:38Z",
+ "aliases": [
+ "CVE-2024-34016"
+ ],
+ "details": "Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 38235.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34016"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security-advisory.acronis.com/advisories/SEC-7188"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-427"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T20:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-f3mw-pmh2-74wc/GHSA-f3mw-pmh2-74wc.json b/advisories/unreviewed/2024/09/GHSA-f3mw-pmh2-74wc/GHSA-f3mw-pmh2-74wc.json
new file mode 100644
index 00000000000..cf4fcd82f9c
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-f3mw-pmh2-74wc/GHSA-f3mw-pmh2-74wc.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f3mw-pmh2-74wc",
+ "modified": "2024-09-16T21:30:38Z",
+ "published": "2024-09-16T21:30:38Z",
+ "aliases": [
+ "CVE-2024-44445"
+ ],
+ "details": "An issue was discovered in BSC Smart Contract 0x0506e571aba3dd4c9d71bed479a4e6d40d95c833. Attackers are able to perform state manipulation attacks by borrowing a large amount of money and then using this amount to inflate the token balance in the token pair, leading to increased profits without cost.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44445"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/shuo-young/fcb18cca532ff26de0fe3a18cc5555b6"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T20:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-mq89-7cwq-chfg/GHSA-mq89-7cwq-chfg.json b/advisories/unreviewed/2024/09/GHSA-mq89-7cwq-chfg/GHSA-mq89-7cwq-chfg.json
new file mode 100644
index 00000000000..582f08813ed
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-mq89-7cwq-chfg/GHSA-mq89-7cwq-chfg.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mq89-7cwq-chfg",
+ "modified": "2024-09-16T21:30:38Z",
+ "published": "2024-09-16T21:30:38Z",
+ "aliases": [
+ "CVE-2024-45413"
+ ],
+ "details": "The HTTPD binary in multiple ZTE routers has a stack-based buffer overflow vulnerability in rsa_decrypt function. This function is an API wrapper for LUA to decrypt RSA encrypted ciphertext, the decrypted data is stored on the stack without checking its length. An authenticated attacker can get RCE as root by exploiting this vulnerability.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45413"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wr3nchsr.github.io/zte-multiple-routers-httpd-vulnerabilities-advisory"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T21:15:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-wpr3-95vq-q76j/GHSA-wpr3-95vq-q76j.json b/advisories/unreviewed/2024/09/GHSA-wpr3-95vq-q76j/GHSA-wpr3-95vq-q76j.json
new file mode 100644
index 00000000000..d519515642b
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-wpr3-95vq-q76j/GHSA-wpr3-95vq-q76j.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wpr3-95vq-q76j",
+ "modified": "2024-09-16T21:30:38Z",
+ "published": "2024-09-16T21:30:38Z",
+ "aliases": [
+ "CVE-2024-42795"
+ ],
+ "details": "An Incorrect Access Control vulnerability was found in /music/view_user.php?id=3 and /music/controller.php?page=edit_user&id=3 in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to view valid user details.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42795"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/Broken%20Access%20Control%20-%20View%20User.pdf"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.kashipara.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T20:15:46Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-x7c7-rpwp-w6fw/GHSA-x7c7-rpwp-w6fw.json b/advisories/unreviewed/2024/09/GHSA-x7c7-rpwp-w6fw/GHSA-x7c7-rpwp-w6fw.json
new file mode 100644
index 00000000000..ca6cd71ca98
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-x7c7-rpwp-w6fw/GHSA-x7c7-rpwp-w6fw.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x7c7-rpwp-w6fw",
+ "modified": "2024-09-16T21:30:38Z",
+ "published": "2024-09-16T21:30:38Z",
+ "aliases": [
+ "CVE-2024-42794"
+ ],
+ "details": "Kashipara Music Management System v1.0 is vulnerable to Incorrect Access Control via /music/ajax.php?action=save_user.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42794"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/Broken%20Access%20Control%20-%20Save%20User%20%26%20Account%20Takeover.pdf"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T20:15:46Z"
+ }
+}
\ No newline at end of file
From 59a9d4a7eeef756e05576d22c8d431dae2669cac Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 16 Sep 2024 21:35:25 +0000
Subject: [PATCH 128/170] Publish GHSA-vhr6-pvjm-9qwf
---
.../GHSA-vhr6-pvjm-9qwf.json | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/advisories/github-reviewed/2020/07/GHSA-vhr6-pvjm-9qwf/GHSA-vhr6-pvjm-9qwf.json b/advisories/github-reviewed/2020/07/GHSA-vhr6-pvjm-9qwf/GHSA-vhr6-pvjm-9qwf.json
index d43d71bc9f4..30ad7d2188b 100644
--- a/advisories/github-reviewed/2020/07/GHSA-vhr6-pvjm-9qwf/GHSA-vhr6-pvjm-9qwf.json
+++ b/advisories/github-reviewed/2020/07/GHSA-vhr6-pvjm-9qwf/GHSA-vhr6-pvjm-9qwf.json
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vhr6-pvjm-9qwf", - "modified": "2021-01-07T23:48:04Z", + "modified": "2024-09-16T21:33:50Z", "published": "2020-07-10T20:55:00Z", "aliases": [ "CVE-2020-15105"
@@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -28,7 +32,7 @@ "introduced": "0" }, { - "fixed": "1.12.0" + "fixed": "1.12" } ] } @@ -48,16 +52,24 @@ "type": "WEB", "url": "https://github.com/Bouke/django-two-factor-auth/commit/454fd9842fa6e8bb772dbf0943976bc8e3335359" }, + { + "type": "PACKAGE", + "url": "https://github.com/Bouke/django-two-factor-auth" + }, { "type": "WEB", "url": "https://github.com/Bouke/django-two-factor-auth/blob/master/CHANGELOG.md#112---2020-07-08" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-two-factor-auth/PYSEC-2020-39.yaml" } ], "database_specific": { "cwe_ids": [ "CWE-312" ], - "severity": "HIGH", + "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-07-10T20:52:31Z", "nvd_published_at": null From d41eefb4f357156fd12b5509db0bbd27aa766032 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:37:46 +0000 Subject: [PATCH 129/170] Publish Advisories GHSA-2v5j-q74q-r53f GHSA-9v8h-57gv-qch6 --- .../GHSA-2v5j-q74q-r53f.json | 14 +++++++++++++- .../GHSA-9v8h-57gv-qch6.json | 17 ++++++++++++++--- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/advisories/github-reviewed/2021/12/GHSA-2v5j-q74q-r53f/GHSA-2v5j-q74q-r53f.json b/advisories/github-reviewed/2021/12/GHSA-2v5j-q74q-r53f/GHSA-2v5j-q74q-r53f.json index 7cfa30539fd..da9165a0e85 100644 --- a/advisories/github-reviewed/2021/12/GHSA-2v5j-q74q-r53f/GHSA-2v5j-q74q-r53f.json +++ b/advisories/github-reviewed/2021/12/GHSA-2v5j-q74q-r53f/GHSA-2v5j-q74q-r53f.json 
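Review bot: In GHSA-vhr6-pvjm-9qwf the added CVSS_V4 vector carries `UI:N` while the CVSS_V3 vector kept as context directly above it carries `UI:R`, so the two entries of the same `severity` array disagree on whether user interaction is required. Other records in this series translate `UI:R` to `UI:P` (GHSA-2v5j-q74q-r53f, for example), which suggests the `UI:N` here is an oversight rather than a reassessment. If interaction is still a precondition, the added line should read `"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"`; if it is not, the v3 vector is the one to revisit, because the last hunk of this file lowers `database_specific.severity` from `HIGH` to `MODERATE` on the strength of it.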
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2v5j-q74q-r53f", - "modified": "2021-12-03T15:19:07Z", + "modified": "2024-09-16T21:36:59Z", "published": "2021-12-03T20:42:26Z", "aliases": [ "CVE-2021-3994" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -44,6 +48,10 @@ "type": "WEB", "url": "https://github.com/django-helpdesk/django-helpdesk/commit/a22eb0673fe0b7784f99c6b5fd343b64a6700f06" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2v5j-q74q-r53f" + }, { "type": "PACKAGE", "url": "https://github.com/django-helpdesk/django-helpdesk" @@ -52,6 +60,10 @@ "type": "WEB", "url": "https://github.com/django-helpdesk/django-helpdesk/releases/tag/0.3.2" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-helpdesk/PYSEC-2021-438.yaml" + }, { "type": "WEB", "url": "https://huntr.dev/bounties/be7f211d-4bfd-44fd-91e8-682329906fbd" diff --git a/advisories/github-reviewed/2022/05/GHSA-9v8h-57gv-qch6/GHSA-9v8h-57gv-qch6.json b/advisories/github-reviewed/2022/05/GHSA-9v8h-57gv-qch6/GHSA-9v8h-57gv-qch6.json index 5fe48e4cd80..685306b8c20 100644 --- a/advisories/github-reviewed/2022/05/GHSA-9v8h-57gv-qch6/GHSA-9v8h-57gv-qch6.json +++ b/advisories/github-reviewed/2022/05/GHSA-9v8h-57gv-qch6/GHSA-9v8h-57gv-qch6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9v8h-57gv-qch6", - "modified": "2024-05-21T20:33:18Z", + "modified": "2024-09-16T21:36:16Z", "published": "2022-05-01T18:36:08Z", "aliases": [ "CVE-2007-5712" 
@@ -9,7 +9,14 @@ "summary": "Django vulnerable to Denial of Service via i18n middleware component", "details": "The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -101,6 +108,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2007-1.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20091201070224/http://secunia.com/advisories/27435" @@ -142,7 +153,7 @@ "cwe_ids": [ "CWE-400" ], - "severity": "LOW", + "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-04-29T14:37:50Z", "nvd_published_at": "2007-10-30T19:46:00Z" From 5e95220be37a4d29565a277b87d7bf5ac300e665 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:39:44 +0000 Subject: [PATCH 130/170] Publish Advisories GHSA-287q-jfcp-9vhv GHSA-pjx4-3f3p-29v3 GHSA-488m-w9fp-5mm2 GHSA-488m-w9fp-5mm2 --- .../GHSA-287q-jfcp-9vhv.json | 6 +- .../GHSA-pjx4-3f3p-29v3.json | 10 +- .../GHSA-488m-w9fp-5mm2.json | 101 ++++++++++++++++++ .../GHSA-488m-w9fp-5mm2.json | 50 --------- 4 files changed, 115 insertions(+), 52 deletions(-) create mode 100644 advisories/github-reviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json delete mode 100644 advisories/unreviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json 
diff --git a/advisories/github-reviewed/2022/12/GHSA-287q-jfcp-9vhv/GHSA-287q-jfcp-9vhv.json b/advisories/github-reviewed/2022/12/GHSA-287q-jfcp-9vhv/GHSA-287q-jfcp-9vhv.json index f893a3ff8ff..2ab8f97cfba 100644 --- a/advisories/github-reviewed/2022/12/GHSA-287q-jfcp-9vhv/GHSA-287q-jfcp-9vhv.json +++ b/advisories/github-reviewed/2022/12/GHSA-287q-jfcp-9vhv/GHSA-287q-jfcp-9vhv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-287q-jfcp-9vhv", - "modified": "2022-12-21T16:13:03Z", + "modified": "2024-09-16T21:38:52Z", "published": "2022-12-15T21:30:26Z", "aliases": [ "CVE-2022-4526" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ diff --git a/advisories/github-reviewed/2023/01/GHSA-pjx4-3f3p-29v3/GHSA-pjx4-3f3p-29v3.json b/advisories/github-reviewed/2023/01/GHSA-pjx4-3f3p-29v3/GHSA-pjx4-3f3p-29v3.json index d54f746c5e1..91771c490c4 100644 --- a/advisories/github-reviewed/2023/01/GHSA-pjx4-3f3p-29v3/GHSA-pjx4-3f3p-29v3.json +++ b/advisories/github-reviewed/2023/01/GHSA-pjx4-3f3p-29v3/GHSA-pjx4-3f3p-29v3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pjx4-3f3p-29v3", - "modified": "2023-01-11T20:54:03Z", + "modified": "2024-09-16T21:38:14Z", "published": "2023-01-05T09:30:27Z", "aliases": [ "CVE-2016-15010" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ 
@@ -44,6 +48,10 @@ "type": "WEB", "url": "https://github.com/uisautomation/django-ucamlookup/commit/5e25e4765637ea4b9e0bf5fcd5e9a922abee7eb3" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-ucamlookup/PYSEC-2023-14.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/uisautomation/django-ucamlookup" diff --git a/advisories/github-reviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json b/advisories/github-reviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json new file mode 100644 index 00000000000..476aa854208 --- /dev/null +++ b/advisories/github-reviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json 
@@ -0,0 +1,101 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-488m-w9fp-5mm2",
+ "modified": "2024-09-16T21:37:34Z",
+ "published": "2023-12-28T21:30:37Z",
+ "aliases": [
+ "CVE-2023-5236"
+ ],
+ "summary": "Infinispan circular object references causes out of memory errors",
+ "details": "A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.infinispan.protostream:protostream"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.6.2.Final"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5236"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/protostream/commit/4501b6b307a6bab545346f66238f8be7e42f83eb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/protostream/commit/4ef66958f2c4890ae1c6a7acd629d27bd88aa4cb"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/infinispan/protostream/commit/50320b5987dc87bc04b616b87e8cf93472ee19c1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/errata/RHSA-2023:5396"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2023-5236"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240999"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/infinispan/infinispan"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.redhat.com/browse/IPROTO-262"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.redhat.com/browse/IPROTO-263"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.redhat.com/browse/ISPN-14534"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.netapp.com/advisory/ntap-20240125-0004"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1047"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-16T21:37:34Z",
+ "nvd_published_at": "2023-12-18T14:15:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json b/advisories/unreviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json
deleted file mode 100644
index d2f4aa2c9f3..00000000000
--- a/advisories/unreviewed/2023/12/GHSA-488m-w9fp-5mm2/GHSA-488m-w9fp-5mm2.json
+++ /dev/null
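Review bot: The `PACKAGE` reference in the new reviewed GHSA-488m-w9fp-5mm2 record points at `https://github.com/infinispan/infinispan`, but the only `affected` package is `org.infinispan.protostream:protostream` and all three fix commits listed are in the `infinispan/protostream` repository. Tooling that uses the PACKAGE URL to locate the source or to match a dependency to its repository would land on the wrong project; `"url": "https://github.com/infinispan/protostream"` agrees with the rest of the record. Separately, `CWE-1047` names a code-structure weakness (circular dependencies between modules), whereas `details` describes memory exhaustion from unchecked circular object references during unmarshalling, so a resource-consumption CWE looks like the closer fit and is worth confirming against the upstream assessment.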
@@ -1,50 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-488m-w9fp-5mm2",
- "modified": "2024-09-16T14:37:22Z",
- "published": "2023-12-28T21:30:37Z",
- "aliases": [
- "CVE-2023-5236"
- ],
- "details": "A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
- }
- ],
- "affected": [
-
- ],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5236"
- },
- {
- "type": "WEB",
- "url": "https://access.redhat.com/errata/RHSA-2023:5396"
- },
- {
- "type": "WEB",
- "url": "https://access.redhat.com/security/cve/CVE-2023-5236"
- },
- {
- "type": "WEB",
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240999"
- },
- {
- "type": "WEB",
- "url": "https://security.netapp.com/advisory/ntap-20240125-0004"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-1047"
- ],
- "severity": "MODERATE",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2023-12-18T14:15:10Z"
- }
-}
\ No newline at end of file
From 077ce56df44555051cef0ec65522711f09cfb9ee Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 16 Sep 2024 21:41:46 +0000
Subject: [PATCH 131/170] Publish Advisories GHSA-vfrc-ggmc-5jwv GHSA-5h2q-4hrp-v9rr
---
.../GHSA-vfrc-ggmc-5jwv.json | 16 ++++++++++++++--
.../GHSA-5h2q-4hrp-v9rr.json | 19 +++++++++++++++----
2 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/advisories/github-reviewed/2021/11/GHSA-vfrc-ggmc-5jwv/GHSA-vfrc-ggmc-5jwv.json b/advisories/github-reviewed/2021/11/GHSA-vfrc-ggmc-5jwv/GHSA-vfrc-ggmc-5jwv.json
index 105d945690a..a29446f6f20 100644
--- a/advisories/github-reviewed/2021/11/GHSA-vfrc-ggmc-5jwv/GHSA-vfrc-ggmc-5jwv.json +++ b/advisories/github-reviewed/2021/11/GHSA-vfrc-ggmc-5jwv/GHSA-vfrc-ggmc-5jwv.json @@ -1,17 +1,21 @@ { "schema_version": "1.4.0", "id": "GHSA-vfrc-ggmc-5jwv", - "modified": "2021-11-24T19:43:03Z", + "modified": "2024-09-16T21:40:06Z", "published": "2021-11-23T17:55:46Z", "aliases": [ "CVE-2021-3950" ], "summary": "Cross-site Scripting in django-helpdesk", - "details": "django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "details": "django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -44,6 +48,10 @@ "type": "WEB", "url": "https://github.com/django-helpdesk/django-helpdesk/commit/04483bdac3b5196737516398b5ce0383875a5c60" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-vfrc-ggmc-5jwv" + }, { "type": "PACKAGE", "url": "https://github.com/django-helpdesk/django-helpdesk" @@ -52,6 +60,10 @@ "type": "WEB", "url": "https://github.com/django-helpdesk/django-helpdesk/releases/tag/0.3.2" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-helpdesk/PYSEC-2021-431.yaml" + }, { "type": "WEB", "url": "https://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e" diff --git a/advisories/github-reviewed/2022/05/GHSA-5h2q-4hrp-v9rr/GHSA-5h2q-4hrp-v9rr.json b/advisories/github-reviewed/2022/05/GHSA-5h2q-4hrp-v9rr/GHSA-5h2q-4hrp-v9rr.json index 8a98901db79..f782dce4e21 100644 --- a/advisories/github-reviewed/2022/05/GHSA-5h2q-4hrp-v9rr/GHSA-5h2q-4hrp-v9rr.json +++ b/advisories/github-reviewed/2022/05/GHSA-5h2q-4hrp-v9rr/GHSA-5h2q-4hrp-v9rr.json 
@@ -1,15 +1,22 @@ { "schema_version": "1.4.0", "id": "GHSA-5h2q-4hrp-v9rr", - "modified": "2024-03-07T21:58:37Z", + "modified": "2024-09-16T21:41:20Z", "published": "2022-05-17T05:12:01Z", "aliases": [ "CVE-2012-3444" ], "summary": "Django vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer", - "details": "The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.", + "details": "The `get_image_dimensions` function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -80,6 +87,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2012-4.yaml" + }, { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued" @@ -109,7 +120,7 @@ "cwe_ids": [ "CWE-119" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-04-21T20:17:54Z", "nvd_published_at": "2012-07-31T17:55:00Z" From 9d0c56f26eb75832ffacd046c2fb05f5c176f03b Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:47:49 +0000 Subject: [PATCH 132/170] Publish GHSA-8m3r-rv5g-fcpq --- .../GHSA-8m3r-rv5g-fcpq.json | 63 +++++++++++-------- 1 file changed, 37 insertions(+), 26 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-8m3r-rv5g-fcpq/GHSA-8m3r-rv5g-fcpq.json b/advisories/github-reviewed/2018/07/GHSA-8m3r-rv5g-fcpq/GHSA-8m3r-rv5g-fcpq.json index 5cc827aa560..3719fec132e 100644 --- a/advisories/github-reviewed/2018/07/GHSA-8m3r-rv5g-fcpq/GHSA-8m3r-rv5g-fcpq.json +++ b/advisories/github-reviewed/2018/07/GHSA-8m3r-rv5g-fcpq/GHSA-8m3r-rv5g-fcpq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8m3r-rv5g-fcpq", - "modified": "2024-03-07T21:56:36Z", + "modified": "2024-09-16T21:47:18Z", "published": "2018-07-23T21:01:00Z", "aliases": [ "CVE-2011-0697" @@ -9,20 +9,27 @@ "summary": "Cross-site scripting in django", "details": "Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.1.0" + "introduced": "1.1" }, { "fixed": "1.1.4" @@ -34,14 +41,14 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.2.0" + "introduced": "1.2" }, { "fixed": "1.2.5" 
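Review bot: The `@@ -9,20 +9,27 @@` hunk of GHSA-8m3r-rv5g-fcpq changes the affected package from `"name": "django"` to `"name": "Django"`, and the `@@ -34,14 +41,14 @@` hunk repeats the change for the 1.2.x range. PyPI treats project names case-insensitively, but a scanner that compares `name` as an exact string against a lockfile entry spelled `django` would stop matching this advisory after the change, silently dropping an XSS finding. As far as I recall the OSV schema asks for the normalized PyPI name, so unless the publishing pipeline requires the capitalised form, keeping `"name": "django"` in both hunks is the safer value; consumers should normalize names before comparing in either case.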
@@ -84,6 +91,30 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-11.yaml" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20110521033259/http://secunia.com/advisories/43230" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20110521033304/http://secunia.com/advisories/43297" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20110521033309/http://secunia.com/advisories/43382" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20110521033314/http://secunia.com/advisories/43426" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20130616104703/http://www.securityfocus.com/bid/46296" + }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054207.html" @@ -111,26 +142,6 @@ { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-1066-1" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2011/0372" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2011/0388" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2011/0429" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2011/0439" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2011/0441" } ], "database_specific": { From df4a1ea8b4e4aa4bba9f6444655b1f9d9e089fe0 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:49:52 +0000 Subject: [PATCH 133/170] Publish Advisories GHSA-vx6v-2rg6-865h GHSA-hx7c-qpfq-xcrp --- .../GHSA-vx6v-2rg6-865h/GHSA-vx6v-2rg6-865h.json | 14 +++++++++++++- .../GHSA-hx7c-qpfq-xcrp/GHSA-hx7c-qpfq-xcrp.json | 14 +++++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) 
diff --git a/advisories/github-reviewed/2019/08/GHSA-vx6v-2rg6-865h/GHSA-vx6v-2rg6-865h.json b/advisories/github-reviewed/2019/08/GHSA-vx6v-2rg6-865h/GHSA-vx6v-2rg6-865h.json index 977195da47a..baa08558226 100644 --- a/advisories/github-reviewed/2019/08/GHSA-vx6v-2rg6-865h/GHSA-vx6v-2rg6-865h.json +++ b/advisories/github-reviewed/2019/08/GHSA-vx6v-2rg6-865h/GHSA-vx6v-2rg6-865h.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vx6v-2rg6-865h", - "modified": "2023-04-20T21:51:43Z", + "modified": "2024-09-16T21:48:51Z", "published": "2019-08-27T17:39:33Z", "aliases": [ "CVE-2019-15486" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -57,6 +61,10 @@ "type": "WEB", "url": "https://github.com/ierror/django-js-reverse/commit/a3b57d1e4424e2fadabcd526d170c4868d55159c" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-vx6v-2rg6-865h" + }, { "type": "PACKAGE", "url": "https://github.com/ierror/django-js-reverse" @@ -64,6 +72,10 @@ { "type": "WEB", "url": "https://github.com/ierror/django-js-reverse/compare/v0.9.0...v0.9.1" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-js-reverse/PYSEC-2019-19.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/01/GHSA-hx7c-qpfq-xcrp/GHSA-hx7c-qpfq-xcrp.json b/advisories/github-reviewed/2022/01/GHSA-hx7c-qpfq-xcrp/GHSA-hx7c-qpfq-xcrp.json index 95a14494196..3bd35909e23 100644 --- a/advisories/github-reviewed/2022/01/GHSA-hx7c-qpfq-xcrp/GHSA-hx7c-qpfq-xcrp.json +++ b/advisories/github-reviewed/2022/01/GHSA-hx7c-qpfq-xcrp/GHSA-hx7c-qpfq-xcrp.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hx7c-qpfq-xcrp", - "modified": "2022-01-21T13:25:18Z", + "modified": "2024-09-16T21:47:38Z", "published": "2022-01-13T20:10:53Z", "aliases": [ "CVE-2021-44649" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -97,10 +101,18 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44649" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-hx7c-qpfq-xcrp" + }, { "type": "WEB", "url": "https://github.com/divio/django-cms" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-cms/PYSEC-2022-7.yaml" + }, { "type": "WEB", "url": "https://sahildhar.github.io/blogpost/Django-CMS-Reflected-XSS-Vulnerability" From 5633006d9cbdc4fabc4ffd0d462e546366061e82 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:52:01 +0000 Subject: [PATCH 134/170] Publish Advisories GHSA-c87f-fq5g-63r2 GHSA-3r7g-wrpr-j5g4 GHSA-4w8f-hjm9-xwgf --- .../GHSA-c87f-fq5g-63r2.json | 25 ++++++++++++++++--- .../GHSA-3r7g-wrpr-j5g4.json | 6 ++++- .../GHSA-4w8f-hjm9-xwgf.json | 6 ++++- 3 files changed, 32 insertions(+), 5 deletions(-) diff --git a/advisories/github-reviewed/2021/10/GHSA-c87f-fq5g-63r2/GHSA-c87f-fq5g-63r2.json b/advisories/github-reviewed/2021/10/GHSA-c87f-fq5g-63r2/GHSA-c87f-fq5g-63r2.json index 0b4bcc28147..d7908097e70 100644 --- a/advisories/github-reviewed/2021/10/GHSA-c87f-fq5g-63r2/GHSA-c87f-fq5g-63r2.json +++ b/advisories/github-reviewed/2021/10/GHSA-c87f-fq5g-63r2/GHSA-c87f-fq5g-63r2.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-c87f-fq5g-63r2", - "modified": "2021-10-08T21:32:32Z", + "modified": "2024-09-16T21:51:22Z", "published": "2021-10-12T17:51:11Z", "aliases": [ "CVE-2021-42053" @@ -9,7 +9,14 @@ "summary": "Cross-site scripting in Unicorn framework", "details": "The Unicorn framework through 0.35.3 for Django allows XSS via component.name.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" + } ], "affected": [ { @@ -39,7 +46,11 @@ }, { "type": "WEB", - "url": "https://github.com/adamghill/django-unicorn/pull/288/commits/aa5b9835d946bd9893ef02e556859e3ea62cc5e2" + "url": "https://github.com/adamghill/django-unicorn/pull/288" + }, + { + "type": "WEB", + "url": "https://github.com/adamghill/django-unicorn/commit/aa5b9835d946bd9893ef02e556859e3ea62cc5e2" }, { "type": "PACKAGE", @@ -49,6 +60,14 @@ "type": "WEB", "url": "https://github.com/adamghill/django-unicorn/compare/0.35.3...0.36.0" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-c87f-fq5g-63r2" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-unicorn/PYSEC-2021-357.yaml" + }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/164442/django-unicorn-0.35.3-Cross-Site-Scripting.html" diff --git a/advisories/github-reviewed/2022/04/GHSA-3r7g-wrpr-j5g4/GHSA-3r7g-wrpr-j5g4.json b/advisories/github-reviewed/2022/04/GHSA-3r7g-wrpr-j5g4/GHSA-3r7g-wrpr-j5g4.json index 06217058736..f03a42284a4 100644 --- a/advisories/github-reviewed/2022/04/GHSA-3r7g-wrpr-j5g4/GHSA-3r7g-wrpr-j5g4.json +++ b/advisories/github-reviewed/2022/04/GHSA-3r7g-wrpr-j5g4/GHSA-3r7g-wrpr-j5g4.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3r7g-wrpr-j5g4", - "modified": "2022-05-26T20:18:03Z", + "modified": "2024-09-16T21:50:13Z", "published": "2022-04-22T20:48:28Z", "aliases": [ "CVE-2022-24857" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ diff --git a/advisories/github-reviewed/2022/06/GHSA-4w8f-hjm9-xwgf/GHSA-4w8f-hjm9-xwgf.json b/advisories/github-reviewed/2022/06/GHSA-4w8f-hjm9-xwgf/GHSA-4w8f-hjm9-xwgf.json index fd2e8a6d213..29fadc1a85a 100644 --- a/advisories/github-reviewed/2022/06/GHSA-4w8f-hjm9-xwgf/GHSA-4w8f-hjm9-xwgf.json +++ b/advisories/github-reviewed/2022/06/GHSA-4w8f-hjm9-xwgf/GHSA-4w8f-hjm9-xwgf.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4w8f-hjm9-xwgf", - "modified": "2022-06-06T21:24:24Z", + "modified": "2024-09-16T21:49:30Z", "published": "2022-06-06T21:24:24Z", "aliases": [ "CVE-2022-24840" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From e69ca03f9f8a7e236ea7e73cab2a08272a7d133a Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:54:48 +0000 Subject: [PATCH 135/170] Publish GHSA-54qj-48vx-cr9f --- .../GHSA-54qj-48vx-cr9f.json | 39 +++++++++++-------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-54qj-48vx-cr9f/GHSA-54qj-48vx-cr9f.json b/advisories/github-reviewed/2022/05/GHSA-54qj-48vx-cr9f/GHSA-54qj-48vx-cr9f.json index 7b722c4a0cb..d9d4784eeeb 100644 --- a/advisories/github-reviewed/2022/05/GHSA-54qj-48vx-cr9f/GHSA-54qj-48vx-cr9f.json 
+++ b/advisories/github-reviewed/2022/05/GHSA-54qj-48vx-cr9f/GHSA-54qj-48vx-cr9f.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-54qj-48vx-cr9f", - "modified": "2024-05-21T20:31:08Z", + "modified": "2024-09-16T21:53:19Z", "published": "2022-05-01T23:48:43Z", "aliases": [ "CVE-2008-2302" @@ -9,13 +9,20 @@ "summary": "Django Cross-site scripting (XSS) vulnerability", "details": "Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -34,7 +41,7 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -53,7 +60,7 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { 
@@ -97,27 +104,27 @@ }, { "type": "WEB", - "url": "http://secunia.com/advisories/30250" + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2008-1.yaml" }, { "type": "WEB", - "url": "http://secunia.com/advisories/30291" + "url": "https://web.archive.org/web/20080725022008/http://secunia.com/advisories/30291" }, { "type": "WEB", - "url": "http://securitytracker.com/id?1020028" + "url": "https://web.archive.org/web/20081012011038/http://secunia.com/advisories/30250" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20170222015451/http://securitytracker.com/id?1020028" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200228153339/http://www.securityfocus.com/bid/29209" }, { "type": "WEB", "url": "http://www.djangoproject.com/weblog/2008/may/14/security" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/29209" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2008/1618" } ], "database_specific": { From 1642264294a2bf8c7835f145393167b930acc00b Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:57:15 +0000 Subject: [PATCH 136/170] Publish GHSA-7g9h-c88w-r7h2 --- .../GHSA-7g9h-c88w-r7h2.json | 41 ++++++++++--------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-7g9h-c88w-r7h2/GHSA-7g9h-c88w-r7h2.json b/advisories/github-reviewed/2018/07/GHSA-7g9h-c88w-r7h2/GHSA-7g9h-c88w-r7h2.json index b8cee031fff..e1d112de3b5 100644 --- a/advisories/github-reviewed/2018/07/GHSA-7g9h-c88w-r7h2/GHSA-7g9h-c88w-r7h2.json +++ b/advisories/github-reviewed/2018/07/GHSA-7g9h-c88w-r7h2/GHSA-7g9h-c88w-r7h2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7g9h-c88w-r7h2", - "modified": "2024-05-16T18:42:40Z", + "modified": "2024-09-16T21:55:42Z", "published": "2018-07-23T19:52:31Z", "aliases": [ "CVE-2011-0698" 
@@ -9,7 +9,14 @@ "summary": "Directory traversal in Django", "details": "Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -22,7 +29,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.1.0" + "introduced": "1.1" }, { "fixed": "1.1.4" @@ -41,7 +48,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.2.0" + "introduced": "1.2" }, { "fixed": "1.2.5" @@ -74,11 +81,19 @@ }, { "type": "WEB", - "url": "http://openwall.com/lists/oss-security/2011/02/09/6" + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-12.yaml" }, { "type": "WEB", - "url": "http://secunia.com/advisories/43230" + "url": "https://web.archive.org/web/20110521033259/http://secunia.com/advisories/43230" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20130616104703/http://www.securityfocus.com/bid/46296" + }, + { + "type": "WEB", + "url": "http://openwall.com/lists/oss-security/2011/02/09/6" }, { "type": "WEB", @@ -87,25 +102,13 @@ { "type": "WEB", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:031" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/46296" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2011/0372" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2011/0439" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], - "severity": "HIGH", + "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:22:48Z", "nvd_published_at": null From 1b96334eaf43b847221d0905fcb58368d9606dbf Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 21:59:21 +0000 Subject: [PATCH 137/170] Publish Advisories GHSA-p3w6-jcg4-52xh GHSA-ggmv-6q9p-9gm6 GHSA-p6m5-h7pp-v2x5 GHSA-wcjw-3v6p-4v3r --- .../GHSA-p3w6-jcg4-52xh.json | 10 ++++++- .../GHSA-ggmv-6q9p-9gm6.json | 14 ++++++++- .../GHSA-p6m5-h7pp-v2x5.json | 29 +++++++++++++++---- .../GHSA-wcjw-3v6p-4v3r.json | 6 +++- 4 files changed, 51 insertions(+), 8 deletions(-) diff --git a/advisories/github-reviewed/2019/07/GHSA-p3w6-jcg4-52xh/GHSA-p3w6-jcg4-52xh.json b/advisories/github-reviewed/2019/07/GHSA-p3w6-jcg4-52xh/GHSA-p3w6-jcg4-52xh.json index b45a79229c3..945fe513ac9 100644 --- a/advisories/github-reviewed/2019/07/GHSA-p3w6-jcg4-52xh/GHSA-p3w6-jcg4-52xh.json +++ b/advisories/github-reviewed/2019/07/GHSA-p3w6-jcg4-52xh/GHSA-p3w6-jcg4-52xh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-p3w6-jcg4-52xh", - "modified": "2022-09-17T00:26:01Z", + "modified": "2024-09-16T21:58:34Z", "published": "2019-07-02T15:43:41Z", "aliases": [ "CVE-2019-13177" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -64,6 +68,10 @@ { "type": "WEB", "url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-rest-registration/PYSEC-2019-20.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2021/10/GHSA-ggmv-6q9p-9gm6/GHSA-ggmv-6q9p-9gm6.json b/advisories/github-reviewed/2021/10/GHSA-ggmv-6q9p-9gm6/GHSA-ggmv-6q9p-9gm6.json index b8856cc41b7..e78f25387c8 100644 --- a/advisories/github-reviewed/2021/10/GHSA-ggmv-6q9p-9gm6/GHSA-ggmv-6q9p-9gm6.json +++ b/advisories/github-reviewed/2021/10/GHSA-ggmv-6q9p-9gm6/GHSA-ggmv-6q9p-9gm6.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-ggmv-6q9p-9gm6", - "modified": "2021-10-19T14:51:11Z", + "modified": "2024-09-16T21:57:56Z", "published": "2021-10-12T17:51:04Z", "aliases": [ "CVE-2021-42134" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -51,6 +55,14 @@ { "type": "WEB", "url": "https://github.com/adamghill/django-unicorn/compare/0.36.0...0.36.1" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-ggmv-6q9p-9gm6" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-unicorn/PYSEC-2021-369.yaml" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json b/advisories/github-reviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json index 85b715fcae7..2e749f3d31d 100644 --- a/advisories/github-reviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json +++ b/advisories/github-reviewed/2022/05/GHSA-p6m5-h7pp-v2x5/GHSA-p6m5-h7pp-v2x5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-p6m5-h7pp-v2x5", - "modified": "2024-05-22T19:06:34Z", + "modified": "2024-09-16T21:57:14Z", "published": "2022-05-02T03:47:43Z", "aliases": [ "CVE-2009-3695" 
@@ -9,7 +9,14 @@ "summary": "Django Regex Algorithmic Complexity Causes Denial of Service", "details": "Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -22,7 +29,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.0.0" + "introduced": "1.0" }, { "fixed": "1.0.4" @@ -41,7 +48,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.1.0" + "introduced": "1.1" }, { "fixed": "1.1.1" @@ -72,6 +79,18 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2009-4.yaml" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20091013093057/http://secunia.com/advisories/36968" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20091017070244/http://secunia.com/advisories/36948" + }, { "type": "WEB", "url": "https://web.archive.org/web/20200228171918/http://www.securityfocus.com/bid/36655" @@ -102,7 +121,7 @@ "CWE-1333", "CWE-400" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-02-08T22:00:20Z", "nvd_published_at": "2009-10-13T10:30:00Z" diff --git a/advisories/github-reviewed/2024/09/GHSA-wcjw-3v6p-4v3r/GHSA-wcjw-3v6p-4v3r.json b/advisories/github-reviewed/2024/09/GHSA-wcjw-3v6p-4v3r/GHSA-wcjw-3v6p-4v3r.json index 77c3d8fe26b..57dc2860205 100644 --- a/advisories/github-reviewed/2024/09/GHSA-wcjw-3v6p-4v3r/GHSA-wcjw-3v6p-4v3r.json 
+++ b/advisories/github-reviewed/2024/09/GHSA-wcjw-3v6p-4v3r/GHSA-wcjw-3v6p-4v3r.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-wcjw-3v6p-4v3r", - "modified": "2024-09-16T21:11:46Z", + "modified": "2024-09-16T21:57:30Z", "published": "2024-09-12T15:33:00Z", "aliases": [ "CVE-2024-45846" @@ -52,6 +52,10 @@ "type": "PACKAGE", "url": "https://github.com/mindsdb/mindsdb" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-77.yaml" + }, { "type": "WEB", "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb" From d8f611f5f611158024448208778a6ae2d10ed159 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:01:32 +0000 Subject: [PATCH 138/170] Publish Advisories GHSA-5fq8-3q2f-4m5g GHSA-gg57-587f-h5v6 GHSA-gg57-587f-h5v6 --- .../GHSA-5fq8-3q2f-4m5g.json | 16 +- .../GHSA-gg57-587f-h5v6.json | 382 ++++++++++++++++++ .../GHSA-gg57-587f-h5v6.json | 50 --- 3 files changed, 396 insertions(+), 52 deletions(-) create mode 100644 advisories/github-reviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json delete mode 100644 advisories/unreviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json diff --git a/advisories/github-reviewed/2020/01/GHSA-5fq8-3q2f-4m5g/GHSA-5fq8-3q2f-4m5g.json b/advisories/github-reviewed/2020/01/GHSA-5fq8-3q2f-4m5g/GHSA-5fq8-3q2f-4m5g.json index 7847e55bed5..e50b9b77b23 100644 --- a/advisories/github-reviewed/2020/01/GHSA-5fq8-3q2f-4m5g/GHSA-5fq8-3q2f-4m5g.json +++ b/advisories/github-reviewed/2020/01/GHSA-5fq8-3q2f-4m5g/GHSA-5fq8-3q2f-4m5g.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5fq8-3q2f-4m5g", - "modified": "2021-01-08T20:33:14Z", + "modified": "2024-09-16T21:59:21Z", "published": "2020-01-24T19:56:59Z", "aliases": [ "CVE-2020-5224" 
@@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" } ], "affected": [ @@ -47,13 +51,21 @@ { "type": "WEB", "url": "https://github.com/jazzband/django-user-sessions/commit/f0c4077e7d1436ba6d721af85cee89222ca5d2d9" + }, + { + "type": "PACKAGE", + "url": "https://github.com/Bouke/django-user-sessions" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-user-sessions/PYSEC-2020-230.yaml" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], - "severity": "LOW", + "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-01-24T19:56:37Z", "nvd_published_at": null diff --git a/advisories/github-reviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json b/advisories/github-reviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json new file mode 100644 index 00000000000..741c865b727 --- /dev/null +++ b/advisories/github-reviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json 
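Review bot: The `PACKAGE` reference added in the `@@ -47,13 +51,21 @@` hunk points at `https://github.com/Bouke/django-user-sessions`, while the fix commit referenced just above it in the same hunk lives under `jazzband/django-user-sessions`. Tooling that resolves the source repository from the `PACKAGE` URL is sent to a different owner than the one holding the patch, which presumably only works through a repository-transfer redirect. I would use `"url": "https://github.com/jazzband/django-user-sessions"` so the package and commit references agree.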
@@ -0,0 +1,382 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gg57-587f-h5v6", + "modified": "2024-09-16T22:00:09Z", + "published": "2023-12-28T18:30:32Z", + "aliases": [ + "CVE-2023-5384" + ], + "summary": "Infinispan caches credentials in clear text", + "details": "A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "15.0.0.Dev01" + }, + { + "fixed": "15.0.0.Dev07" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "14.0.25.Final" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-commons" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "15.0.0.Dev01" + }, + { + "fixed": "15.0.0.Dev07" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-commons" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "14.0.25.Final" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-hotrod" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "15.0.0.Dev01" + }, + { + "fixed": "15.0.0.Dev07" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": 
"org.infinispan:infinispan-hotrod" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "14.0.25.Final" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-client-hotrod" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "15.0.0.Dev01" + }, + { + "fixed": "15.0.0.Dev07" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-client-hotrod" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "14.0.25.Final" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-cachestore-jdbc-common" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "15.0.0.Dev01" + }, + { + "fixed": "15.0.0.Dev07" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-cachestore-jdbc-common" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "14.0.25.Final" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-cachestore-remote" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "15.0.0.Dev01" + }, + { + "fixed": "15.0.0.Dev07" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-cachestore-remote" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "14.0.25.Final" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-cachestore-sql" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "15.0.0.Dev01" + }, + { + "fixed": "15.0.0.Dev07" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-cachestore-sql" + }, + 
"ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "14.0.25.Final" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-cachestore-jdbc" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "15.0.0.Dev01" + }, + { + "fixed": "15.0.0.Dev07" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.infinispan:infinispan-cachestore-jdbc" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "14.0.25.Final" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5384" + }, + { + "type": "WEB", + "url": "https://github.com/infinispan/infinispan/pull/11555" + }, + { + "type": "WEB", + "url": "https://github.com/infinispan/infinispan/pull/11995" + }, + { + "type": "WEB", + "url": "https://github.com/infinispan/infinispan/commit/7140fc9b026ec55786c1aa78bb3cd8bf951fad47" + }, + { + "type": "WEB", + "url": "https://github.com/infinispan/infinispan/commit/fd3e18ec3b1a4e7fcfd79392f5bf78792a2b8c61" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2023:7676" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2023-5384" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242156" + }, + { + "type": "PACKAGE", + "url": "https://github.com/infinispan/infinispan" + }, + { + "type": "WEB", + "url": "https://issues.redhat.com/browse/ISPN-15202" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20240125-0004" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-312" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T22:00:09Z", + "nvd_published_at": "2023-12-18T14:15:11Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json b/advisories/unreviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json deleted file mode 100644 index 0e4a0ebd61e..00000000000 --- a/advisories/unreviewed/2023/12/GHSA-gg57-587f-h5v6/GHSA-gg57-587f-h5v6.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-gg57-587f-h5v6", - "modified": "2024-09-16T18:31:18Z", - "published": "2023-12-28T18:30:32Z", - "aliases": [ - "CVE-2023-5384" - ], - "details": "A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5384" - }, - { - "type": "WEB", - "url": "https://access.redhat.com/errata/RHSA-2023:7676" - }, - { - "type": "WEB", - "url": "https://access.redhat.com/security/cve/CVE-2023-5384" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242156" - }, - { - "type": "WEB", - "url": "https://security.netapp.com/advisory/ntap-20240125-0004" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-312" - ], - "severity": "LOW", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2023-12-18T14:15:11Z" - } -} \ No newline at end of file From 4d18785246950f6d41bed8bd017b2af2134e840c Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:06:10 +0000 Subject: [PATCH 139/170] Publish Advisories GHSA-h95j-h2rv-qrg4 GHSA-rjmf-p882-645m --- .../GHSA-h95j-h2rv-qrg4.json | 37 ++++++++++++------- .../GHSA-rjmf-p882-645m.json | 4 +- 2 files changed, 26 insertions(+), 15 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-h95j-h2rv-qrg4/GHSA-h95j-h2rv-qrg4.json b/advisories/github-reviewed/2018/07/GHSA-h95j-h2rv-qrg4/GHSA-h95j-h2rv-qrg4.json index 85d66747d89..d87bdb8cb00 100644 --- a/advisories/github-reviewed/2018/07/GHSA-h95j-h2rv-qrg4/GHSA-h95j-h2rv-qrg4.json +++ b/advisories/github-reviewed/2018/07/GHSA-h95j-h2rv-qrg4/GHSA-h95j-h2rv-qrg4.json @@ -1,21 +1,28 @@ { "schema_version": "1.4.0", "id": "GHSA-h95j-h2rv-qrg4", - "modified": "2021-09-14T17:15:58Z", + "modified": "2024-09-16T22:05:38Z", "published": "2018-07-23T19:51:19Z", "aliases": [ "CVE-2011-4140" ], - "summary": "Moderate severity vulnerability that affects django", + "summary": "Django Cross-Site Request Forgery vulnerability", "details": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -25,7 +32,7 @@ "introduced": "0" }, { - "fixed": "1.2.7" + "last_affected": "1.2.7" } ] } 
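Review bot: The CVSS vectors added to the `severity` array in the `@@ -1,21 +1,28 @@` hunk use `UI:N`, but the `details` text describes an attack through "a web page containing JavaScript code", so a victim's browser has to load attacker content, as is usual for CSRF. With user interaction required the v3.1 base score drops from 7.5 to 6.5, so the `"severity": "HIGH"` set in the later `@@ -101,7 +112,7 @@` hunk would remain `MODERATE`. Unless there is a source for the no-interaction rating, I would use `"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"` and `UI:P` in the v4 vector. Consumers that gate on severity would otherwise over-prioritise this advisory.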
@@ -34,17 +41,17 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.3.0" + "introduced": "1.3" }, { - "fixed": "1.3.1" + "last_affected": "1.3.1" } ] } @@ -68,10 +75,18 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-5.yaml" + }, { "type": "WEB", "url": "https://hermes.opensuse.org/messages/14700881" }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20140806062902/http://secunia.com/advisories/46614" + }, { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2011/sep/09" @@ -88,10 +103,6 @@ "type": "WEB", "url": "http://openwall.com/lists/oss-security/2011/09/13/2" }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/46614" - }, { "type": "WEB", "url": "http://www.debian.org/security/2011/dsa-2332" @@ -101,7 +112,7 @@ "cwe_ids": [ "CWE-352" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:39:45Z", "nvd_published_at": null diff --git a/advisories/github-reviewed/2021/04/GHSA-rjmf-p882-645m/GHSA-rjmf-p882-645m.json b/advisories/github-reviewed/2021/04/GHSA-rjmf-p882-645m/GHSA-rjmf-p882-645m.json index 33e7de4ff3b..31927a318cf 100644 --- a/advisories/github-reviewed/2021/04/GHSA-rjmf-p882-645m/GHSA-rjmf-p882-645m.json +++ b/advisories/github-reviewed/2021/04/GHSA-rjmf-p882-645m/GHSA-rjmf-p882-645m.json 
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-rjmf-p882-645m", - "modified": "2024-02-13T19:28:56Z", + "modified": "2024-09-16T22:04:44Z", "published": "2021-04-12T18:51:17Z", "aliases": [ "CVE-2021-20327" ], "summary": "mongodb-client-encryption vulnerable to Improper Certificate Validation", - "details": "A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and the KMS service rendering client-side field level encryption (CSFLE) ineffective. This issue was discovered during internal testing and affects mongodb-client-encryption module version 1.2.0, which was available from 2021-Jan-29 and deprecated in the NPM Registry on 2021-Feb-04. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services from applications residing inside the AWS, GCP, and Azure nework fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.", + "details": "A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and the KMS service rendering client-side field level encryption (CSFLE) ineffective. This issue was discovered during internal testing and affects mongodb-client-encryption module version 1.2.0, which was available from 2021-Jan-29 and deprecated in the NPM Registry on 2021-Feb-04. 
This vulnerability does not impact driver traffic payloads with CSFLE-supported key services from applications residing inside the AWS, GCP, and Azure nework fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption. This issue affect MongoDB Node.js Driver mongodb-client-encryption module version 1.2.0", "severity": [ { "type": "CVSS_V3", From ef8d3524d64dc1ba15bb31c7967d21a9fe87acfe Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:08:18 +0000 Subject: [PATCH 140/170] Publish GHSA-98hv-qff3-8793 --- .../GHSA-98hv-qff3-8793/GHSA-98hv-qff3-8793.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2021/08/GHSA-98hv-qff3-8793/GHSA-98hv-qff3-8793.json b/advisories/github-reviewed/2021/08/GHSA-98hv-qff3-8793/GHSA-98hv-qff3-8793.json index b49d39e2bc3..73f2402d910 100644 --- a/advisories/github-reviewed/2021/08/GHSA-98hv-qff3-8793/GHSA-98hv-qff3-8793.json +++ b/advisories/github-reviewed/2021/08/GHSA-98hv-qff3-8793/GHSA-98hv-qff3-8793.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-98hv-qff3-8793", - "modified": "2021-08-26T19:20:22Z", + "modified": "2024-09-16T22:06:25Z", "published": "2021-08-30T16:24:08Z", "aliases": [ "CVE-2020-18704" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ 
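Review bot: The sentence appended to `details` in the `@@ -1,13 +1,13 @@` hunk ("This issue affect MongoDB Node.js Driver mongodb-client-encryption module version 1.2.0") repeats what the text already states about version 1.2.0, and it is ungrammatical and has no closing period. The existing misspelling "nework" is also carried over unchanged. If the sentence is needed for parity with the upstream record, I would write it as `This issue affects MongoDB Node.js Driver mongodb-client-encryption module version 1.2.0.`; otherwise drop it.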
@@ -44,9 +48,17 @@ "type": "WEB", "url": "https://github.com/fusionbox/django-widgy/issues/387" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-98hv-qff3-8793" + }, { "type": "PACKAGE", "url": "https://github.com/fusionbox/django-widgy" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-widgy/PYSEC-2021-336.yaml" } ], "database_specific": { From 6274f5720cb144fa05391020480f865425a07718 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:10:26 +0000 Subject: [PATCH 141/170] Publish Advisories GHSA-x7gm-rfgv-w973 GHSA-9xg7-gg9m-rmq9 GHSA-vw39-2wj9-4q86 --- .../GHSA-x7gm-rfgv-w973.json | 10 +++++++++- .../GHSA-9xg7-gg9m-rmq9.json | 17 ++++++++++++++--- .../GHSA-vw39-2wj9-4q86.json | 6 +++++- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/advisories/github-reviewed/2020/09/GHSA-x7gm-rfgv-w973/GHSA-x7gm-rfgv-w973.json b/advisories/github-reviewed/2020/09/GHSA-x7gm-rfgv-w973/GHSA-x7gm-rfgv-w973.json index f63d8c61e82..78c4c1236f3 100644 --- a/advisories/github-reviewed/2020/09/GHSA-x7gm-rfgv-w973/GHSA-x7gm-rfgv-w973.json +++ b/advisories/github-reviewed/2020/09/GHSA-x7gm-rfgv-w973/GHSA-x7gm-rfgv-w973.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-x7gm-rfgv-w973", - "modified": "2022-01-06T20:22:25Z", + "modified": "2024-09-16T22:10:02Z", "published": "2020-09-28T19:05:29Z", "aliases": [ "CVE-2020-15225" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ 
@@ -56,6 +60,10 @@ "type": "WEB", "url": "https://github.com/carltongibson/django-filter/releases/tag/2.4.0" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-filter/PYSEC-2021-64.yaml" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S" diff --git a/advisories/github-reviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json b/advisories/github-reviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json index d61177f559e..da0db62d4ef 100644 --- a/advisories/github-reviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json +++ b/advisories/github-reviewed/2022/05/GHSA-9xg7-gg9m-rmq9/GHSA-9xg7-gg9m-rmq9.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9xg7-gg9m-rmq9", - "modified": "2024-02-08T21:27:24Z", + "modified": "2024-09-16T22:08:51Z", "published": "2022-05-02T03:37:17Z", "aliases": [ "CVE-2009-2659" @@ -9,7 +9,14 @@ "summary": "Django Admin Media Handler Vulnerable to Directory Traversal", "details": "The Admin media handler in `core/servers/basehttp.py` in Django 1.0 and 0.96 does not properly map URL requests to expected \"static media files,\" which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -68,6 +75,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2009-3.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20111211001428/http://www.securityfocus.com/bid/35859" 
@@ -101,7 +112,7 @@ "cwe_ids": [ "CWE-22" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-02-08T21:27:24Z", "nvd_published_at": "2009-08-04T16:30:00Z" diff --git a/advisories/github-reviewed/2022/10/GHSA-vw39-2wj9-4q86/GHSA-vw39-2wj9-4q86.json b/advisories/github-reviewed/2022/10/GHSA-vw39-2wj9-4q86/GHSA-vw39-2wj9-4q86.json index a1f35c056d0..ee822d1252a 100644 --- a/advisories/github-reviewed/2022/10/GHSA-vw39-2wj9-4q86/GHSA-vw39-2wj9-4q86.json +++ b/advisories/github-reviewed/2022/10/GHSA-vw39-2wj9-4q86/GHSA-vw39-2wj9-4q86.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vw39-2wj9-4q86", - "modified": "2022-10-11T20:49:45Z", + "modified": "2024-09-16T22:09:24Z", "published": "2022-10-11T19:00:29Z", "aliases": [ "CVE-2022-42731" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ From ec59940e8205d23e4f244a13652125a9d31c0f6b Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:13:17 +0000 Subject: [PATCH 142/170] Publish Advisories GHSA-vx6v-xg64-pmr8 GHSA-qgvw-qc2q-gv5q --- .../GHSA-vx6v-xg64-pmr8.json | 25 ++++++++++++++++--- .../GHSA-qgvw-qc2q-gv5q.json | 17 ++++++++++--- 2 files changed, 36 insertions(+), 6 deletions(-) diff --git a/advisories/github-reviewed/2021/11/GHSA-vx6v-xg64-pmr8/GHSA-vx6v-xg64-pmr8.json b/advisories/github-reviewed/2021/11/GHSA-vx6v-xg64-pmr8/GHSA-vx6v-xg64-pmr8.json index 3ad0868e882..f542f425373 100644 --- a/advisories/github-reviewed/2021/11/GHSA-vx6v-xg64-pmr8/GHSA-vx6v-xg64-pmr8.json +++ b/advisories/github-reviewed/2021/11/GHSA-vx6v-xg64-pmr8/GHSA-vx6v-xg64-pmr8.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vx6v-xg64-pmr8", - "modified": "2021-11-17T21:10:26Z", + "modified": "2024-09-16T22:11:51Z", "published": "2021-11-15T23:12:41Z", "aliases": [ "CVE-2021-3945" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -28,11 +32,14 @@ "introduced": "0" }, { - "last_affected": "0.3.0" + "fixed": "0.3.1" } ] } - ] + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.3.0" + } } ], "references": [ @@ -44,10 +51,22 @@ "type": "WEB", "url": "https://github.com/django-helpdesk/django-helpdesk/commit/2c7065e0c4296e0c692fb4a7ee19c7357583af30" }, + { + "type": "WEB", + "url": "https://github.com/django-helpdesk/django-helpdesk/commit/44abb197120a843cce5b5fe8276e4a44b8bb2f48" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-vx6v-xg64-pmr8" + }, { "type": "PACKAGE", "url": "https://github.com/django-helpdesk/django-helpdesk" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-helpdesk/PYSEC-2021-430.yaml" + }, { "type": "WEB", "url": "https://huntr.dev/bounties/745f483c-70ed-441f-ab2e-7ac1305439a4" diff --git a/advisories/github-reviewed/2022/05/GHSA-qgvw-qc2q-gv5q/GHSA-qgvw-qc2q-gv5q.json b/advisories/github-reviewed/2022/05/GHSA-qgvw-qc2q-gv5q/GHSA-qgvw-qc2q-gv5q.json index e78412b147b..5d4a9bd55b2 100644 --- a/advisories/github-reviewed/2022/05/GHSA-qgvw-qc2q-gv5q/GHSA-qgvw-qc2q-gv5q.json +++ b/advisories/github-reviewed/2022/05/GHSA-qgvw-qc2q-gv5q/GHSA-qgvw-qc2q-gv5q.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-qgvw-qc2q-gv5q", - "modified": "2024-01-12T20:55:43Z", + "modified": "2024-09-16T22:12:36Z", "published": "2022-05-14T03:08:09Z", "aliases": [ "CVE-2011-4104" 
@@ -9,7 +9,14 @@ "summary": "Django Tastypie Improper Deserialization of YAML Data", "details": "The `from_yaml` method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -41,6 +48,10 @@ "type": "WEB", "url": "https://github.com/toastdriven/django-tastypie/commit/e8af315211b07c8f48f32a063233cc3f76dd5bc2" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-tastypie/PYSEC-2014-25.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/toastdriven/django-tastypie" @@ -66,7 +77,7 @@ "cwe_ids": [ "CWE-502" ], - "severity": "HIGH", + "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-01-12T20:55:43Z", "nvd_published_at": "2014-10-27T01:55:00Z" From d7584de36f37e7982ddc1e1fa9a4ff5ec7731599 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:15:24 +0000 Subject: [PATCH 143/170] Publish Advisories GHSA-78vx-ggch-wghm GHSA-rvq6-mrpv-m6rm --- .../GHSA-78vx-ggch-wghm.json | 23 ++++++++++++++--- .../GHSA-rvq6-mrpv-m6rm.json | 25 ++++++++++++------- 2 files changed, 35 insertions(+), 13 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-78vx-ggch-wghm/GHSA-78vx-ggch-wghm.json b/advisories/github-reviewed/2022/05/GHSA-78vx-ggch-wghm/GHSA-78vx-ggch-wghm.json index b9c744362e4..5d6dd16a382 100644 --- a/advisories/github-reviewed/2022/05/GHSA-78vx-ggch-wghm/GHSA-78vx-ggch-wghm.json +++ b/advisories/github-reviewed/2022/05/GHSA-78vx-ggch-wghm/GHSA-78vx-ggch-wghm.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-78vx-ggch-wghm", - "modified": "2023-08-29T21:47:28Z", + "modified": "2024-09-16T22:14:25Z", "published": "2022-05-17T05:12:01Z", "aliases": [ "CVE-2012-3442" @@ -9,13 +9,20 @@ "summary": "Django Allows Redirect via Data URL", "details": "The (1) `django.http.HttpResponseRedirect` and (2) `django.http.HttpResponsePermanentRedirect` classes in Django before 1.3.2 and 1.4.x before 1.4.1 do not validate the scheme of a redirect target, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a `data:` URL.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -34,7 +41,7 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -68,6 +75,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2012-2.yaml" + }, { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued" @@ -76,6 +87,10 @@ "type": "WEB", "url": "http://www.debian.org/security/2012/dsa-2529" }, + { + "type": "WEB", + "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:143" + }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2012/07/31/1" diff --git a/advisories/github-reviewed/2022/05/GHSA-rvq6-mrpv-m6rm/GHSA-rvq6-mrpv-m6rm.json b/advisories/github-reviewed/2022/05/GHSA-rvq6-mrpv-m6rm/GHSA-rvq6-mrpv-m6rm.json index 99642db654c..9009ea42e3b 100644 --- a/advisories/github-reviewed/2022/05/GHSA-rvq6-mrpv-m6rm/GHSA-rvq6-mrpv-m6rm.json +++ b/advisories/github-reviewed/2022/05/GHSA-rvq6-mrpv-m6rm/GHSA-rvq6-mrpv-m6rm.json 
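Review bot: The `CVSS_V4` entry added in the `@@ -9,13 +9,20 @@` hunk of GHSA-78vx-ggch-wghm contradicts the `CVSS_V3` entry added beside it: v3 says `UI:R` with `C:L/I:L/A:N`, while v4 says `UI:N` with `VC:H/VI:H/VA:H`. The `details` text describes XSS through a `data:` redirect target, which fits the v3 reading; the v4 vector as written would rank this as a no-interaction full compromise and skew any triage that keys on the v4 score. The new GHSA-fhx8-5c23-x7x5 record in this same series pairs the identical v3 vector with `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N`, and using that form here would bring the two scores into agreement. No hunk for this file touches `database_specific.severity`, so which vector drives the published label cannot be seen from here.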
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rvq6-mrpv-m6rm", - "modified": "2024-05-16T18:28:00Z", + "modified": "2024-09-16T22:13:37Z", "published": "2022-05-17T03:07:04Z", "aliases": [ "CVE-2014-0472" @@ -9,7 +9,14 @@ "summary": "Code Injection in Django", "details": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\"", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -51,7 +58,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.5.0" + "introduced": "1.5" }, { "fixed": "1.5.6" @@ -75,7 +82,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.6.0" + "introduced": "1.6" }, { "fixed": "1.6.3" @@ -106,6 +113,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-1.yaml" + }, { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2014/apr/21/security" @@ -122,10 +133,6 @@ "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html" }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/61281" - }, { "type": "WEB", "url": "http://www.debian.org/security/2014/dsa-2934" @@ -139,7 +146,7 @@ "cwe_ids": [ "CWE-94" ], - "severity": "MODERATE", + "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-02-23T23:29:51Z", "nvd_published_at": "2014-04-23T15:55:00Z" From 2395fea1caada5e07d791e3bc839c1e4c5038e6b Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:29:30 +0000 Subject: [PATCH 144/170] Publish Advisories GHSA-fhx8-5c23-x7x5 GHSA-fhx8-5c23-x7x5 --- .../GHSA-fhx8-5c23-x7x5.json | 104 ++++++++++++++++++ .../GHSA-fhx8-5c23-x7x5.json | 58 ---------- 2 files changed, 104 insertions(+), 58 deletions(-) create mode 100644 advisories/github-reviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json delete mode 100644 advisories/unreviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json diff --git a/advisories/github-reviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json b/advisories/github-reviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json new file mode 100644 index 00000000000..59d99b4a0ef --- /dev/null +++ b/advisories/github-reviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json 
@@ -0,0 +1,104 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fhx8-5c23-x7x5", + "modified": "2024-09-16T22:28:01Z", + "published": "2024-03-01T15:31:37Z", + "aliases": [ + "CVE-2023-46950" + ], + "summary": "Cross Site Scripting vulnerability in Contribsys Sidekiq ", + "details": "Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted URL to the filter functions.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "RubyGems", + "name": "sidekiq-unique-jobs" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.0.7" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "RubyGems", + "name": "sidekiq-unique-jobs" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "7.1.33" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46950" + }, + { + "type": "WEB", + "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829" + }, + { + "type": "WEB", + "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/commit/cd09ba6108f98973b6649a6149790c3d4502b4cc" + }, + { + "type": "WEB", + "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed" + }, + { + "type": "PACKAGE", + "url": "https://github.com/mhenrixon/sidekiq-unique-jobs" + }, + { + "type": "WEB", + "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7" + }, + { + "type": "WEB", + "url": 
"https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T22:28:01Z", + "nvd_published_at": "2024-03-01T14:15:53Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json b/advisories/unreviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json deleted file mode 100644 index f4e0cfd7e5b..00000000000 --- a/advisories/unreviewed/2024/03/GHSA-fhx8-5c23-x7x5/GHSA-fhx8-5c23-x7x5.json +++ /dev/null 
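Review bot: The `summary` and `details` of the new GHSA-fhx8-5c23-x7x5 file name "Contribsys Sidekiq v.6.5.8", but both `affected` entries are for the RubyGems package `sidekiq-unique-jobs` (fixed in 8.0.7 and 7.1.33). Anyone triaging from the text rather than the ranges would check the wrong gem. A summary that names the package in the ranges, for example `"summary": "sidekiq-unique-jobs vulnerable to reflected Cross-Site Scripting via filter functions"`, avoids that; the "reflected" wording is taken from the mgm-sp reference URL and should be confirmed against the upstream advisory. The current summary string also ends in a stray space before the closing quote.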
@@ -1,58 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-fhx8-5c23-x7x5", - "modified": "2024-09-13T18:31:41Z", - "published": "2024-03-01T15:31:37Z", - "aliases": [ - "CVE-2023-46950" - ], - "details": "Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted URL to the filter functions.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" - } - ], - "affected": [ - - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46950" - }, - { - "type": "WEB", - "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829" - }, - { - "type": "WEB", - "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7" - }, - { - "type": "WEB", - "url": "https://link.org" - }, - { - "type": "WEB", - "url": "https://www.link.com" - }, - { - "type": "WEB", - "url": "https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-79" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-03-01T14:15:53Z" - } -} \ No newline at end of file From 44bdd50c78c6d3f39e34884d575882511e04ca69 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:32:01 +0000 Subject: [PATCH 145/170] Publish GHSA-37cf-r3w2-gjfw --- .../GHSA-37cf-r3w2-gjfw/GHSA-37cf-r3w2-gjfw.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2020/06/GHSA-37cf-r3w2-gjfw/GHSA-37cf-r3w2-gjfw.json b/advisories/github-reviewed/2020/06/GHSA-37cf-r3w2-gjfw/GHSA-37cf-r3w2-gjfw.json index a6973e7476b..920d4cb8cad 100644 
--- a/advisories/github-reviewed/2020/06/GHSA-37cf-r3w2-gjfw/GHSA-37cf-r3w2-gjfw.json +++ b/advisories/github-reviewed/2020/06/GHSA-37cf-r3w2-gjfw/GHSA-37cf-r3w2-gjfw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-37cf-r3w2-gjfw", - "modified": "2023-09-01T10:17:33Z", + "modified": "2024-09-16T22:30:29Z", "published": "2020-06-05T16:09:19Z", "aliases": [ "CVE-2019-10682" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ @@ -44,6 +48,14 @@ "type": "WEB", "url": "https://github.com/relekang/django-nopassword/commit/d8b4615f5fbfe3997d96cf4cb3e342406396193c" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-37cf-r3w2-gjfw" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-nopassword/PYSEC-2020-229.yaml" + }, { "type": "PACKAGE", "url": "https://github.com/relekang/django-nopassword" From e8cc7f6b43738f0eb5acb7879ce1346ec8b80441 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:34:07 +0000 Subject: [PATCH 146/170] Publish Advisories GHSA-r5cj-wv24-92p5 GHSA-wxg3-mfph-qg9w GHSA-9gq6-6936-885w GHSA-c85f-pcx6-2ghm GHSA-v6g6-3cm3-vf6c GHSA-wf9g-c67g-h4ch --- .../GHSA-r5cj-wv24-92p5.json | 39 ++++++++----------- .../GHSA-wxg3-mfph-qg9w.json | 19 +++++++-- .../GHSA-9gq6-6936-885w.json | 6 ++- .../GHSA-c85f-pcx6-2ghm.json | 6 ++- .../GHSA-v6g6-3cm3-vf6c.json | 6 ++- .../GHSA-wf9g-c67g-h4ch.json | 6 ++- 6 files changed, 52 insertions(+), 30 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-r5cj-wv24-92p5/GHSA-r5cj-wv24-92p5.json b/advisories/github-reviewed/2022/05/GHSA-r5cj-wv24-92p5/GHSA-r5cj-wv24-92p5.json index 794f6b9bd43..1e4bcd24d8d 100644 
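Review bot: The `CVSS_V4` vector added in the `@@ -12,6 +12,10 @@` hunk of GHSA-37cf-r3w2-gjfw sets `UI:P`, while the unchanged `CVSS_V3` vector directly above it says `UI:N`, so the record now makes two different statements about whether a victim action is needed. The hunk does not show the `summary` or `details`, so which one is right cannot be judged from here. Whichever holds, the two vectors should agree: either `UI:N` in the v4 string or `UI:R` in the v3 string.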
--- a/advisories/github-reviewed/2022/05/GHSA-r5cj-wv24-92p5/GHSA-r5cj-wv24-92p5.json +++ b/advisories/github-reviewed/2022/05/GHSA-r5cj-wv24-92p5/GHSA-r5cj-wv24-92p5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-r5cj-wv24-92p5", - "modified": "2024-05-21T20:28:50Z", + "modified": "2024-09-16T22:32:44Z", "published": "2022-05-02T00:05:00Z", "aliases": [ "CVE-2008-3909" @@ -9,13 +9,20 @@ "summary": "Django cross-site request forgery (CSRF) vulnerability", "details": "The administration application in Django 0.91.x, 0.95.x, and 0.96.x stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete or modify data via unspecified requests.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -34,7 +41,7 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -53,7 +60,7 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -95,6 +102,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2008-2.yaml" + }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00091.html" 
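Review bot: Both vectors added in the `@@ -9,13 +9,20 @@` hunk of GHSA-r5cj-wv24-92p5 use `UI:N`, which sits oddly with the `details` line shown as context above them. The text says the stored POST is processed only "after successful authentication occurs", so the outcome appears to depend on a user logging in, and CSRF records are normally scored with required interaction (`UI:R` in v3, `UI:P` or `UI:A` in v4). If that reading is right, the `"severity": "HIGH"` change in the last hunk of this file rests on an inflated base score and should be rechecked after correcting the vectors. GHSA-wxg3-mfph-qg9w and GHSA-rm2j-x595-q9cj in the following patches receive the same `UI:N` / `I:H` pair with a MODERATE to HIGH bump and deserve the same check.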
@@ -103,18 +114,6 @@ "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00131.html" }, - { - "type": "WEB", - "url": "http://osvdb.org/47906" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/31837" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/31961" - }, { "type": "WEB", "url": "http://www.debian.org/security/2008/dsa-1640" @@ -126,17 +125,13 @@ { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2008/09/03/4" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2008/2533" } ], "database_specific": { "cwe_ids": [ "CWE-352" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-09-22T23:12:22Z", "nvd_published_at": "2008-09-04T17:41:00Z" diff --git a/advisories/github-reviewed/2022/05/GHSA-wxg3-mfph-qg9w/GHSA-wxg3-mfph-qg9w.json b/advisories/github-reviewed/2022/05/GHSA-wxg3-mfph-qg9w/GHSA-wxg3-mfph-qg9w.json index 598eed56cee..89e660bde14 100644 --- a/advisories/github-reviewed/2022/05/GHSA-wxg3-mfph-qg9w/GHSA-wxg3-mfph-qg9w.json +++ b/advisories/github-reviewed/2022/05/GHSA-wxg3-mfph-qg9w/GHSA-wxg3-mfph-qg9w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-wxg3-mfph-qg9w", - "modified": "2024-01-16T22:48:09Z", + "modified": "2024-09-16T22:32:03Z", "published": "2022-05-14T03:49:36Z", "aliases": [ "CVE-2011-4138" 
@@ -9,7 +9,14 @@ "summary": "Django Might Allow CSRF Requests via URL Verification", "details": "The `verify_exists` functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -41,7 +48,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.3.0" + "introduced": "1.3" }, { "fixed": "1.3.1" @@ -72,6 +79,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-3.yaml" + }, { "type": "WEB", "url": "https://hermes.opensuse.org/messages/14700881" @@ -101,7 +112,7 @@ "cwe_ids": [ "CWE-20" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-01-16T22:48:09Z", "nvd_published_at": "2011-10-19T10:55:00Z" diff --git a/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json b/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json index 82aebe29b26..09c0097fe6a 100644 --- a/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json +++ b/advisories/github-reviewed/2024/09/GHSA-9gq6-6936-885w/GHSA-9gq6-6936-885w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9gq6-6936-885w", - "modified": "2024-09-16T21:12:06Z", + "modified": "2024-09-16T22:32:50Z", "published": "2024-09-12T15:33:00Z", "aliases": [ "CVE-2024-45848" 
@@ -52,6 +52,10 @@ "type": "PACKAGE", "url": "https://github.com/mindsdb/mindsdb" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-78.yaml" + }, { "type": "WEB", "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb" diff --git a/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json b/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json index 385110b7575..4d91b88f320 100644 --- a/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json +++ b/advisories/github-reviewed/2024/09/GHSA-c85f-pcx6-2ghm/GHSA-c85f-pcx6-2ghm.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-c85f-pcx6-2ghm", - "modified": "2024-09-16T21:12:15Z", + "modified": "2024-09-16T22:33:01Z", "published": "2024-09-12T15:33:00Z", "aliases": [ "CVE-2024-45849" @@ -52,6 +52,10 @@ "type": "PACKAGE", "url": "https://github.com/mindsdb/mindsdb" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-79.yaml" + }, { "type": "WEB", "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb" diff --git a/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json b/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json index 30b7298779a..d619f42e3a4 100644 --- a/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json +++ b/advisories/github-reviewed/2024/09/GHSA-v6g6-3cm3-vf6c/GHSA-v6g6-3cm3-vf6c.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-v6g6-3cm3-vf6c", - "modified": "2024-09-16T21:12:25Z", + "modified": "2024-09-16T22:33:15Z", "published": "2024-09-12T15:33:00Z", "aliases": [ "CVE-2024-45850" 
@@ -52,6 +52,10 @@ "type": "PACKAGE", "url": "https://github.com/mindsdb/mindsdb" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-80.yaml" + }, { "type": "WEB", "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb" diff --git a/advisories/github-reviewed/2024/09/GHSA-wf9g-c67g-h4ch/GHSA-wf9g-c67g-h4ch.json b/advisories/github-reviewed/2024/09/GHSA-wf9g-c67g-h4ch/GHSA-wf9g-c67g-h4ch.json index 5a5c6877796..2e1905ecb7e 100644 --- a/advisories/github-reviewed/2024/09/GHSA-wf9g-c67g-h4ch/GHSA-wf9g-c67g-h4ch.json +++ b/advisories/github-reviewed/2024/09/GHSA-wf9g-c67g-h4ch/GHSA-wf9g-c67g-h4ch.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-wf9g-c67g-h4ch", - "modified": "2024-09-16T21:12:35Z", + "modified": "2024-09-16T22:33:29Z", "published": "2024-09-12T15:33:01Z", "aliases": [ "CVE-2024-45851" @@ -52,6 +52,10 @@ "type": "PACKAGE", "url": "https://github.com/mindsdb/mindsdb" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-81.yaml" + }, { "type": "WEB", "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb" From 3e8b5b0cfb98a7e27e4b811969251c0312d7d4a4 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:36:12 +0000 Subject: [PATCH 147/170] Publish Advisories GHSA-3jqw-crqj-w8qw GHSA-rm2j-x595-q9cj GHSA-7vhj-pfwv-hx3w GHSA-q9r8-89xr-4xv4 --- .../GHSA-3jqw-crqj-w8qw.json | 29 ++++++++++++------- .../GHSA-rm2j-x595-q9cj.json | 23 +++++++++++---- .../GHSA-7vhj-pfwv-hx3w.json | 6 +++- .../GHSA-q9r8-89xr-4xv4.json | 6 +++- 4 files changed, 45 insertions(+), 19 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-3jqw-crqj-w8qw/GHSA-3jqw-crqj-w8qw.json b/advisories/github-reviewed/2018/07/GHSA-3jqw-crqj-w8qw/GHSA-3jqw-crqj-w8qw.json index 0e1f472ae61..f009b010e92 100644 
--- a/advisories/github-reviewed/2018/07/GHSA-3jqw-crqj-w8qw/GHSA-3jqw-crqj-w8qw.json +++ b/advisories/github-reviewed/2018/07/GHSA-3jqw-crqj-w8qw/GHSA-3jqw-crqj-w8qw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3jqw-crqj-w8qw", - "modified": "2024-05-16T18:38:37Z", + "modified": "2024-09-16T22:34:20Z", "published": "2018-07-23T19:51:35Z", "aliases": [ "CVE-2011-4137" @@ -9,20 +9,27 @@ "summary": "Denial of service in django", "details": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.2.0" + "introduced": "0" }, { "fixed": "1.2.7" @@ -34,14 +41,14 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.3.0" + "introduced": "1.3" }, { "fixed": "1.3.1" @@ -76,6 +83,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-2.yaml" + }, { "type": "WEB", "url": "https://hermes.opensuse.org/messages/14700881" 
@@ -100,10 +111,6 @@ "type": "WEB", "url": "http://openwall.com/lists/oss-security/2011/09/15/5" }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/46614" - }, { "type": "WEB", "url": "http://www.debian.org/security/2011/dsa-2332" @@ -113,7 +120,7 @@ "cwe_ids": [ "CWE-1088" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:55:25Z", "nvd_published_at": null diff --git a/advisories/github-reviewed/2022/05/GHSA-rm2j-x595-q9cj/GHSA-rm2j-x595-q9cj.json b/advisories/github-reviewed/2022/05/GHSA-rm2j-x595-q9cj/GHSA-rm2j-x595-q9cj.json index b422d3623f7..ffe8dded1c7 100644 --- a/advisories/github-reviewed/2022/05/GHSA-rm2j-x595-q9cj/GHSA-rm2j-x595-q9cj.json +++ b/advisories/github-reviewed/2022/05/GHSA-rm2j-x595-q9cj/GHSA-rm2j-x595-q9cj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rm2j-x595-q9cj", - "modified": "2024-01-16T22:47:59Z", + "modified": "2024-09-16T22:35:46Z", "published": "2022-05-14T03:49:36Z", "aliases": [ "CVE-2011-4139" @@ -9,13 +9,20 @@ "summary": "Django Vulnerable to Cache Poisoning", "details": "Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -34,14 +41,14 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.3.0" + "introduced": "1.3" }, { "fixed": "1.3.1" 
@@ -72,6 +79,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-4.yaml" + }, { "type": "WEB", "url": "https://hermes.opensuse.org/messages/14700881" @@ -102,7 +113,7 @@ "CWE-20", "CWE-349" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-01-16T22:47:59Z", "nvd_published_at": "2011-10-19T10:55:00Z" diff --git a/advisories/github-reviewed/2024/09/GHSA-7vhj-pfwv-hx3w/GHSA-7vhj-pfwv-hx3w.json b/advisories/github-reviewed/2024/09/GHSA-7vhj-pfwv-hx3w/GHSA-7vhj-pfwv-hx3w.json index 2aca24e628d..18d6ebe3ea1 100644 --- a/advisories/github-reviewed/2024/09/GHSA-7vhj-pfwv-hx3w/GHSA-7vhj-pfwv-hx3w.json +++ b/advisories/github-reviewed/2024/09/GHSA-7vhj-pfwv-hx3w/GHSA-7vhj-pfwv-hx3w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7vhj-pfwv-hx3w", - "modified": "2024-09-12T17:38:48Z", + "modified": "2024-09-16T22:34:06Z", "published": "2024-09-12T15:33:01Z", "aliases": [ "CVE-2024-45852" @@ -52,6 +52,10 @@ "type": "WEB", "url": "https://github.com/mindsdb/mindsdb/blob/v24.9.2.1/mindsdb/integrations/handlers/byom_handler/proc_wrapper.py#L54-L55" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-82.yaml" + }, { "type": "WEB", "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb" diff --git a/advisories/github-reviewed/2024/09/GHSA-q9r8-89xr-4xv4/GHSA-q9r8-89xr-4xv4.json b/advisories/github-reviewed/2024/09/GHSA-q9r8-89xr-4xv4/GHSA-q9r8-89xr-4xv4.json index 065691ac773..179b734e78d 100644 --- a/advisories/github-reviewed/2024/09/GHSA-q9r8-89xr-4xv4/GHSA-q9r8-89xr-4xv4.json +++ b/advisories/github-reviewed/2024/09/GHSA-q9r8-89xr-4xv4/GHSA-q9r8-89xr-4xv4.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q9r8-89xr-4xv4", - "modified": "2024-09-12T17:38:46Z", + "modified": "2024-09-16T22:34:35Z", "published": "2024-09-12T15:33:01Z", "aliases": [ "CVE-2024-45853" @@ -52,6 +52,10 @@ "type": "WEB", "url": "https://github.com/mindsdb/mindsdb/blob/v24.9.2.1/mindsdb/integrations/handlers/byom_handler/byom_handler.py#L424-L431" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-83.yaml" + }, { "type": "WEB", "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb" From cd407e37cfa5814a2da7f15f148b06fe55fb2d41 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:38:37 +0000 Subject: [PATCH 148/170] Publish Advisories GHSA-mmhx-hmjr-r674 GHSA-rx9f-5ggv-5rh6 GHSA-vvqw-fqwx-mqmm --- .../GHSA-mmhx-hmjr-r674.json | 11 ++++++--- .../GHSA-rx9f-5ggv-5rh6.json | 24 +++++++++++++++++-- .../GHSA-vvqw-fqwx-mqmm.json | 8 +++++-- 3 files changed, 36 insertions(+), 7 deletions(-) diff --git a/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json b/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json index cb82ee1b9da..e1ea0ab87c4 100644 --- a/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json +++ b/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mmhx-hmjr-r674", - "modified": "2024-09-16T20:36:52Z", + "modified": "2024-09-16T22:37:33Z", "published": "2024-09-16T20:34:26Z", "aliases": [ "CVE-2024-45801" 
@@ -63,6 +63,10 @@ "type": "WEB", "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45801" + }, { "type": "WEB", "url": "https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21" @@ -78,11 +82,12 @@ ], "database_specific": { "cwe_ids": [ - "CWE-1321" + "CWE-1321", + "CWE-1333" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-09-16T20:34:26Z", - "nvd_published_at": null + "nvd_published_at": "2024-09-16T19:16:11Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2024/09/GHSA-rx9f-5ggv-5rh6/GHSA-rx9f-5ggv-5rh6.json b/advisories/github-reviewed/2024/09/GHSA-rx9f-5ggv-5rh6/GHSA-rx9f-5ggv-5rh6.json index daedfdbdaf5..d8625597afe 100644 --- a/advisories/github-reviewed/2024/09/GHSA-rx9f-5ggv-5rh6/GHSA-rx9f-5ggv-5rh6.json +++ b/advisories/github-reviewed/2024/09/GHSA-rx9f-5ggv-5rh6/GHSA-rx9f-5ggv-5rh6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rx9f-5ggv-5rh6", - "modified": "2024-09-16T17:17:20Z", + "modified": "2024-09-16T22:36:58Z", "published": "2024-09-16T17:17:20Z", "aliases": [ "CVE-2024-32034" @@ -69,6 +69,26 @@ "type": "WEB", "url": "https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32034" + }, + { + "type": "WEB", + "url": "https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645" + }, + { + "type": "WEB", + "url": "https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072" + }, + { + "type": "WEB", + "url": "https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0" + }, + { + "type": "WEB", + "url": "https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6" + }, { "type": "PACKAGE", "url": "https://github.com/decidim/decidim" 
@@ -81,6 +101,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-09-16T17:17:20Z", - "nvd_published_at": null + "nvd_published_at": "2024-09-16T19:16:10Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json b/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json index b09b85dd713..c041fca9c90 100644 --- a/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json +++ b/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vvqw-fqwx-mqmm", - "modified": "2024-09-16T17:17:54Z", + "modified": "2024-09-16T22:37:19Z", "published": "2024-09-16T17:17:54Z", "aliases": [ "CVE-2024-39910" @@ -47,6 +47,10 @@ "type": "WEB", "url": "https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39910" + }, { "type": "WEB", "url": "https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f" @@ -63,6 +67,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-09-16T17:17:54Z", - "nvd_published_at": null + "nvd_published_at": "2024-09-16T19:16:10Z" } } \ No newline at end of file From ea7267f62cdafb60d72815bc650d25bae86bc584 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:50:32 +0000 Subject: [PATCH 149/170] Publish GHSA-jpxc-vmjf-9fcj --- .../GHSA-jpxc-vmjf-9fcj.json | 35 ++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) rename advisories/{unreviewed => github-reviewed}/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json (63%) 
diff --git a/advisories/unreviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json b/advisories/github-reviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json similarity index 63% rename from advisories/unreviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json rename to advisories/github-reviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json index 6bfad4c3da4..a3caab86fd9 100644 --- a/advisories/unreviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json +++ b/advisories/github-reviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json @@ -1,20 +1,43 @@ { "schema_version": "1.4.0", "id": "GHSA-jpxc-vmjf-9fcj", - "modified": "2024-09-16T14:37:26Z", + "modified": "2024-09-16T22:49:05Z", "published": "2024-09-16T14:37:26Z", "aliases": [ "CVE-2024-8775" ], + "summary": "Ansible vulnerable to Insertion of Sensitive Information into Log File", "details": "A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" } ], "affected": [ - + { + "package": { + "ecosystem": "PyPI", + "name": "ansible" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "10.4.0" + } + ] + } + ] + } ], "references": [ { 
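Review bot: The `CVSS_V4` entry added in the `@@ -1,20 +1,43 @@` hunk for GHSA-jpxc-vmjf-9fcj uses `AV:N`, while the `CVSS_V3` vector kept directly above it uses `AV:L`, so the two scores describe different attack surfaces for the same flaw. The details text describes vaulted values printed to playbook output or logs, which reads as local exposure, so the v4 vector probably should be `CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N`; confirm against the CNA score before changing it. The same v3/v4 disagreement appears in the severity hunk for GHSA-x88j-93vc-wpmp (`AV:L` in v3, `AV:N` in v4), where the details say "remote attackers" and the v3 side looks like the one to correct. Consumers that prioritise on only one of the two vectors will rank these advisories differently until the pair agrees.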
@@ -28,6 +51,10 @@ { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312119" + }, + { + "type": "PACKAGE", + "url": "https://github.com/ansible/ansible" } ], "database_specific": { @@ -35,8 +62,8 @@ "CWE-532" ], "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2024-09-16T22:49:05Z", "nvd_published_at": "2024-09-14T03:15:08Z" } } \ No newline at end of file From 43008795a4700898c9f186cd4cd13a1946204d41 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:56:26 +0000 Subject: [PATCH 150/170] Publish GHSA-jpxc-vmjf-9fcj --- .../2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json b/advisories/github-reviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json index a3caab86fd9..ac233663a1f 100644 --- a/advisories/github-reviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json +++ b/advisories/github-reviewed/2024/09/GHSA-jpxc-vmjf-9fcj/GHSA-jpxc-vmjf-9fcj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jpxc-vmjf-9fcj", - "modified": "2024-09-16T22:49:05Z", + "modified": "2024-09-16T22:55:00Z", "published": "2024-09-16T14:37:26Z", "aliases": [ "CVE-2024-8775" @@ -22,7 +22,7 @@ { "package": { "ecosystem": "PyPI", - "name": "ansible" + "name": "ansible-core" }, "ranges": [ { @@ -32,7 +32,7 @@ "introduced": "0" }, { - "last_affected": "10.4.0" + "last_affected": "2.17.4" } ] } From c3f94e77298e0ccea3caa0b02f126de4419ea055 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:58:30 +0000 Subject: [PATCH 151/170] Publish Advisories GHSA-fwr5-q9rx-294f GHSA-fxpg-gg9g-76gj --- .../GHSA-fwr5-q9rx-294f.json | 49 ++++++------------- .../GHSA-fxpg-gg9g-76gj.json | 23 ++++++--- 2 files changed, 31 insertions(+), 41 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-fwr5-q9rx-294f/GHSA-fwr5-q9rx-294f.json b/advisories/github-reviewed/2018/07/GHSA-fwr5-q9rx-294f/GHSA-fwr5-q9rx-294f.json index ff4a6a13a14..9d57aab53b0 100644 --- a/advisories/github-reviewed/2018/07/GHSA-fwr5-q9rx-294f/GHSA-fwr5-q9rx-294f.json +++ b/advisories/github-reviewed/2018/07/GHSA-fwr5-q9rx-294f/GHSA-fwr5-q9rx-294f.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fwr5-q9rx-294f", - "modified": "2024-05-21T20:21:49Z", + "modified": "2024-09-16T22:56:41Z", "published": "2018-07-23T19:51:40Z", "aliases": [ "CVE-2010-4534" @@ -9,13 +9,20 @@ "summary": "Improper query string handling in Django", "details": "The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -34,14 +41,14 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.2.0" + "introduced": "1.2" }, { "fixed": "1.2.4" 
@@ -76,6 +83,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-8.yaml" + }, { "type": "WEB", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0580.html" @@ -100,18 +111,6 @@ "type": "WEB", "url": "http://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter" }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/42715" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/42827" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/42913" - }, { "type": "WEB", "url": "http://www.djangoproject.com/weblog/2010/dec/22/security" @@ -124,25 +123,9 @@ "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2011/01/03/5" }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/archive/1/515446" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/45562" - }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-1040-1" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2011/0048" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2011/0098" } ], "database_specific": { diff --git a/advisories/github-reviewed/2018/07/GHSA-fxpg-gg9g-76gj/GHSA-fxpg-gg9g-76gj.json b/advisories/github-reviewed/2018/07/GHSA-fxpg-gg9g-76gj/GHSA-fxpg-gg9g-76gj.json index 8e3e9e11ae7..91826a8fa91 100644 --- a/advisories/github-reviewed/2018/07/GHSA-fxpg-gg9g-76gj/GHSA-fxpg-gg9g-76gj.json +++ b/advisories/github-reviewed/2018/07/GHSA-fxpg-gg9g-76gj/GHSA-fxpg-gg9g-76gj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fxpg-gg9g-76gj", - "modified": "2024-03-07T21:50:30Z", + "modified": "2024-09-16T22:57:31Z", "published": "2018-07-23T19:52:42Z", "aliases": [ "CVE-2010-3082" 
@@ -9,20 +9,27 @@ "summary": "Cross-site scripting in django", "details": "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.2.0" + "introduced": "1.2" }, { "fixed": "1.2.2" @@ -57,6 +64,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2010-12.yaml" + }, { "type": "WEB", "url": "http://marc.info/?l=oss-security&m=128403961700444&w=2" @@ -65,10 +76,6 @@ "type": "WEB", "url": "http://www.djangoproject.com/weblog/2010/sep/08/security-release" }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/43116" - }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-1004-1" From f6845e6f5dee55fbb87fd8a003ad604822a2e106 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:00:38 +0000 Subject: [PATCH 152/170] Publish GHSA-9pv8-q5rx-c8gq --- .../GHSA-9pv8-q5rx-c8gq/GHSA-9pv8-q5rx-c8gq.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-9pv8-q5rx-c8gq/GHSA-9pv8-q5rx-c8gq.json b/advisories/github-reviewed/2018/07/GHSA-9pv8-q5rx-c8gq/GHSA-9pv8-q5rx-c8gq.json index e4f142cad0f..87a06058aec 100644 --- a/advisories/github-reviewed/2018/07/GHSA-9pv8-q5rx-c8gq/GHSA-9pv8-q5rx-c8gq.json +++ b/advisories/github-reviewed/2018/07/GHSA-9pv8-q5rx-c8gq/GHSA-9pv8-q5rx-c8gq.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9pv8-q5rx-c8gq", - "modified": "2023-08-07T16:57:38Z", + "modified": "2024-09-16T22:58:59Z", "published": "2018-07-13T15:16:59Z", "aliases": [ "CVE-2017-16764" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ @@ -53,10 +57,18 @@ "type": "WEB", "url": "https://github.com/illagrenan/django-make-app/commit/acd814433d1021aa8783362521b0bd151fdfc9d2" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-9pv8-q5rx-c8gq" + }, { "type": "PACKAGE", "url": "https://github.com/illagrenan/django-make-app" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-make-app/PYSEC-2017-79.yaml" + }, { "type": "WEB", "url": "https://joel-malwarebenchmark.github.io/blog/2017/11/12/cve-2017-16764-vulnerability-in-django-make-app" From a691431a8a63d7e3179545f3fb3d92db53dfb729 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:02:42 +0000 Subject: [PATCH 153/170] Publish Advisories GHSA-pvhp-v9qp-xf5r GHSA-xp5m-4c9f-498q --- .../GHSA-pvhp-v9qp-xf5r.json | 39 +++++++------------ .../GHSA-xp5m-4c9f-498q.json | 14 ++++++- 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-pvhp-v9qp-xf5r/GHSA-pvhp-v9qp-xf5r.json b/advisories/github-reviewed/2018/07/GHSA-pvhp-v9qp-xf5r/GHSA-pvhp-v9qp-xf5r.json index e0e664fdd2d..3c027cb1f87 100644 --- a/advisories/github-reviewed/2018/07/GHSA-pvhp-v9qp-xf5r/GHSA-pvhp-v9qp-xf5r.json +++ b/advisories/github-reviewed/2018/07/GHSA-pvhp-v9qp-xf5r/GHSA-pvhp-v9qp-xf5r.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pvhp-v9qp-xf5r", - "modified": "2023-08-31T21:39:49Z", + "modified": "2024-09-16T23:00:29Z", "published": "2018-07-23T19:50:48Z", "aliases": [ "CVE-2011-4103" @@ -9,7 +9,14 @@ "summary": "Django-piston and Django-tastypie do not properly deserialize YAML data", "details": "emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.\n\nDjango Tastypie has a very similar vulnerability.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" + } ], "affected": [ { @@ -29,28 +36,6 @@ } ] } - ], - "database_specific": { - "last_known_affected_version_range": "<= 0.2.2.0" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "django-piston" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0.2.2.2" - }, - { - "fixed": "0.2.3" - } - ] - } ] } ], @@ -75,6 +60,10 @@ "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-pvhp-v9qp-xf5r" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-piston/PYSEC-2014-24.yaml" + }, { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases" @@ -92,7 +81,7 @@ "cwe_ids": [ "CWE-20" ], - "severity": "HIGH", + "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:50:09Z", "nvd_published_at": null diff --git a/advisories/github-reviewed/2018/07/GHSA-xp5m-4c9f-498q/GHSA-xp5m-4c9f-498q.json b/advisories/github-reviewed/2018/07/GHSA-xp5m-4c9f-498q/GHSA-xp5m-4c9f-498q.json index 7529df47646..1f3f2aafcf7 100644 --- a/advisories/github-reviewed/2018/07/GHSA-xp5m-4c9f-498q/GHSA-xp5m-4c9f-498q.json 
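Review bot: The `@@ -29,28 +36,6 @@` hunk for GHSA-pvhp-v9qp-xf5r deletes the second django-piston range (`"introduced": "0.2.2.2"` to `"fixed": "0.2.3"`) together with `"last_known_affected_version_range": "<= 0.2.2.0"`, but the events of the range that remains start above the hunk and cannot be checked from here. If that remaining range still ends before 0.2.3, releases from 0.2.2.2 up to 0.2.3 are no longer matched and dependency scanners will stop flagging them, even though the details say versions before 0.2.3 are affected; in that case its last event should read `"fixed": "0.2.3"`. Separately, the `cwe_ids` context line keeps `CWE-20` for what the details describe as code execution through `yaml.load`; `CWE-502` would classify it more precisely now that the severity is raised to `CRITICAL`.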
+++ b/advisories/github-reviewed/2018/07/GHSA-xp5m-4c9f-498q/GHSA-xp5m-4c9f-498q.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xp5m-4c9f-498q", - "modified": "2023-09-05T18:25:18Z", + "modified": "2024-09-16T23:02:16Z", "published": "2018-07-13T15:17:18Z", "aliases": [ "CVE-2017-6591" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -34,6 +38,14 @@ "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-xp5m-4c9f-498q" }, + { + "type": "PACKAGE", + "url": "https://github.com/barraq/django-epiceditor" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-epiceditor/PYSEC-2017-86.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20170706013108/http://www.morningchen.com/2017/03/09/Cross-site-scripting-vulnerability-in-django-epiceditor" From 2d11a035d04913f84f256bcc5860a059cfc68538 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:05:36 +0000 Subject: [PATCH 154/170] Publish GHSA-x88j-93vc-wpmp --- .../GHSA-x88j-93vc-wpmp.json | 31 ++++++++++++------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-x88j-93vc-wpmp/GHSA-x88j-93vc-wpmp.json b/advisories/github-reviewed/2018/07/GHSA-x88j-93vc-wpmp/GHSA-x88j-93vc-wpmp.json index ee75b9535ca..d50930eeae6 100644 --- a/advisories/github-reviewed/2018/07/GHSA-x88j-93vc-wpmp/GHSA-x88j-93vc-wpmp.json +++ b/advisories/github-reviewed/2018/07/GHSA-x88j-93vc-wpmp/GHSA-x88j-93vc-wpmp.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-x88j-93vc-wpmp", - "modified": "2024-05-16T18:41:00Z", + "modified": "2024-09-16T23:03:58Z", "published": "2018-07-23T19:52:39Z", "aliases": [ "CVE-2011-4136" 
@@ -9,23 +9,30 @@ "summary": "Session manipulation in Django", "details": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.3.0" + "introduced": "0" }, { - "fixed": "1.3.1" + "fixed": "1.2.7" } ] } @@ -34,17 +41,17 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.2.0" + "introduced": "1.3" }, { - "fixed": "1.2.7" + "fixed": "1.3.1" } ] } @@ -76,6 +83,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-1.yaml" + }, { "type": "WEB", "url": "https://hermes.opensuse.org/messages/14700881" @@ -96,10 +107,6 @@ "type": "WEB", "url": "http://openwall.com/lists/oss-security/2011/09/13/2" }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/46614" - }, { "type": "WEB", "url": "http://www.debian.org/security/2011/dsa-2332" From e01e0a54916b1e89eecfafafea48f75da27c1316 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 00:32:39 +0000 Subject: [PATCH 155/170] Advisory Database Sync --- .../GHSA-6wvf-f2vw-3425.json | 6 +- .../GHSA-7hfr-xh2r-6vj8.json | 3 +- .../GHSA-5pf8-m5c6-qc44.json | 2 +- .../GHSA-83vh-mv8c-q8vm.json | 2 +- .../GHSA-8pp6-343g-mgj6.json | 2 +- .../GHSA-q9r7-jm84-gwh8.json | 2 +- .../GHSA-v8cv-ch4w-445w.json | 2 +- .../GHSA-xm2r-2g3f-xg38.json | 2 +- .../GHSA-xm7p-h8qq-9g6j.json | 2 +- .../GHSA-6jg8-m9ff-fv96.json | 2 +- .../GHSA-22rq-cmx2-gvr4.json | 51 +++++++++++++++ .../GHSA-272r-9r62-xgwc.json | 42 +++++++++++++ .../GHSA-382w-q3v4-xc76.json | 43 +++++++++++++ .../GHSA-38j2-mm6q-835r.json | 51 +++++++++++++++ .../GHSA-3c83-x7hx-cgfx.json | 35 +++++++++++ .../GHSA-3m65-xvh4-3hm8.json | 55 ++++++++++++++++ .../GHSA-3q47-272x-vrfj.json | 35 +++++++++++ .../GHSA-3qf3-f6f4-6993.json | 35 +++++++++++ .../GHSA-3w22-q3jv-89jw.json | 63 +++++++++++++++++++ .../GHSA-4438-qr8f-3p3v.json | 35 +++++++++++ .../GHSA-496q-mjmq-q8ww.json | 35 +++++++++++ .../GHSA-4hx8-86wp-g993.json | 35 +++++++++++ .../GHSA-4m5g-9h9q-7x5h.json | 35 +++++++++++ .../GHSA-56gf-j26c-43xh.json | 35 +++++++++++ .../GHSA-57jv-pfhx-pfm5.json | 35 +++++++++++ .../GHSA-5m5p-hvxj-grxr.json | 35 +++++++++++ .../GHSA-5rxq-m67m-h24r.json | 39 ++++++++++++ .../GHSA-5xr9-xvfc-h2q4.json | 35 +++++++++++ .../GHSA-6879-gf6q-3qmj.json | 35 +++++++++++ .../GHSA-68hw-g496-55x6.json | 35 +++++++++++ .../GHSA-6947-f67q-7599.json | 35 +++++++++++ .../GHSA-6fh7-538c-g5qv.json | 63 +++++++++++++++++++ .../GHSA-6h8g-35xx-6xv3.json | 39 ++++++++++++ .../GHSA-6xw6-r35g-4w48.json | 35 +++++++++++ .../GHSA-74p7-53wh-h625.json | 39 ++++++++++++ .../GHSA-79c6-5cw9-rpwc.json | 39 ++++++++++++ .../GHSA-7gm9-jx2g-wpvm.json | 43 +++++++++++++ .../GHSA-7v3f-jf4x-gj99.json | 35 +++++++++++ .../GHSA-8476-jpv4-xp4p.json | 55 ++++++++++++++++ .../GHSA-8x82-8rpw-g64h.json | 35 +++++++++++ .../GHSA-93r2-j783-g4wf.json | 35 
+++++++++++ .../GHSA-96j7-6x53-7368.json | 35 +++++++++++ .../GHSA-976w-rfcm-5cfg.json | 55 ++++++++++++++++ .../GHSA-97rq-m5jx-vcxq.json | 35 +++++++++++ .../GHSA-9g9q-cf56-cfh9.json | 43 +++++++++++++ .../GHSA-9jxw-6cwc-fv29.json | 39 ++++++++++++ .../GHSA-9mpj-7whj-6m8h.json | 35 +++++++++++ .../GHSA-9rg3-9338-mwcv.json | 35 +++++++++++ .../GHSA-c2wx-2chw-3qfv.json | 35 +++++++++++ .../GHSA-cmj7-8jrj-42g2.json | 35 +++++++++++ .../GHSA-cmvv-gwr2-36xm.json | 39 ++++++++++++ .../GHSA-cw5r-673r-7ww3.json | 43 +++++++++++++ .../GHSA-f5pf-wc6m-cx7j.json | 39 ++++++++++++ .../GHSA-fgvw-2v52-jhfv.json | 42 +++++++++++++ .../GHSA-fqgr-5868-7mf7.json | 47 ++++++++++++++ .../GHSA-fvmx-5p62-pxm8.json | 63 +++++++++++++++++++ .../GHSA-gm8f-9rvm-rrfq.json | 39 ++++++++++++ .../GHSA-gvw8-h5c5-pr3g.json | 35 +++++++++++ .../GHSA-gw53-chv8-4wr2.json | 43 +++++++++++++ .../GHSA-h498-88jq-wh8m.json | 51 +++++++++++++++ .../GHSA-h89v-mw4f-7wgj.json | 39 ++++++++++++ .../GHSA-h9cp-5vvc-8wqc.json | 39 ++++++++++++ .../GHSA-hcj6-hxx2-6wpj.json | 43 +++++++++++++ .../GHSA-hqp9-2fgf-h6cx.json | 39 ++++++++++++ .../GHSA-hx98-qf58-hff9.json | 35 +++++++++++ .../GHSA-j8gh-87rx-c7w9.json | 42 +++++++++++++ .../GHSA-j962-w243-6g33.json | 43 +++++++++++++ .../GHSA-jpf3-j9x5-w3ff.json | 35 +++++++++++ .../GHSA-jvcj-gmhm-rfx5.json | 43 +++++++++++++ .../GHSA-m4c2-8cgc-49gg.json | 63 +++++++++++++++++++ .../GHSA-m548-7rvw-m5fc.json | 47 ++++++++++++++ .../GHSA-m6gq-8g82-wvgx.json | 59 +++++++++++++++++ .../GHSA-m9g4-52vh-fwwv.json | 43 +++++++++++++ .../GHSA-mrp4-v2gf-6mxp.json | 43 +++++++++++++ .../GHSA-p5c3-cc8j-cvfq.json | 43 +++++++++++++ .../GHSA-p863-p79f-qm33.json | 35 +++++++++++ .../GHSA-q27x-q82p-47rv.json | 35 +++++++++++ .../GHSA-q7q2-gf23-qgjw.json | 43 +++++++++++++ .../GHSA-q7q3-4cwr-583j.json | 35 +++++++++++ .../GHSA-q9mj-qff3-9v4j.json | 39 ++++++++++++ .../GHSA-qcjx-5p37-v6hf.json | 43 +++++++++++++ .../GHSA-qh4m-mqcp-x24m.json | 43 +++++++++++++ .../GHSA-qm78-568c-wg6m.json 
| 47 ++++++++++++++ .../GHSA-qqpc-7c83-686v.json | 35 +++++++++++ .../GHSA-qqv8-ph7f-h3f7.json | 42 +++++++++++++ .../GHSA-r45q-ffrj-cr66.json | 35 +++++++++++ .../GHSA-r5fv-vx8p-jvrq.json | 43 +++++++++++++ .../GHSA-r773-284v-hh8m.json | 59 +++++++++++++++++ .../GHSA-r7j7-4rc9-m5m3.json | 35 +++++++++++ .../GHSA-rcw8-56q4-fh4w.json | 35 +++++++++++ .../GHSA-rwxx-p542-9g8c.json | 39 ++++++++++++ .../GHSA-v64w-2rh7-3gvr.json | 43 +++++++++++++ .../GHSA-wc8g-qpv4-8j46.json | 39 ++++++++++++ .../GHSA-wfqq-7288-2hgf.json | 35 +++++++++++ .../GHSA-wg39-r923-gfr5.json | 39 ++++++++++++ .../GHSA-wjg2-c55h-phf5.json | 35 +++++++++++ .../GHSA-wjmr-4ghf-rh39.json | 43 +++++++++++++ .../GHSA-x2j8-283m-qc6h.json | 39 ++++++++++++ .../GHSA-x44q-9q24-vjf9.json | 51 +++++++++++++++ .../GHSA-x79g-r583-xj83.json | 35 +++++++++++ .../GHSA-x9r8-886r-r4qm.json | 43 +++++++++++++ .../GHSA-xhrw-4447-w35f.json | 39 ++++++++++++ .../GHSA-xmf6-p99q-898v.json | 55 ++++++++++++++++ .../GHSA-xrvp-gx9p-8ch2.json | 35 +++++++++++ 104 files changed, 3885 insertions(+), 10 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-22rq-cmx2-gvr4/GHSA-22rq-cmx2-gvr4.json create mode 100644 advisories/unreviewed/2024/09/GHSA-272r-9r62-xgwc/GHSA-272r-9r62-xgwc.json create mode 100644 advisories/unreviewed/2024/09/GHSA-382w-q3v4-xc76/GHSA-382w-q3v4-xc76.json create mode 100644 advisories/unreviewed/2024/09/GHSA-38j2-mm6q-835r/GHSA-38j2-mm6q-835r.json create mode 100644 advisories/unreviewed/2024/09/GHSA-3c83-x7hx-cgfx/GHSA-3c83-x7hx-cgfx.json create mode 100644 advisories/unreviewed/2024/09/GHSA-3m65-xvh4-3hm8/GHSA-3m65-xvh4-3hm8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-3q47-272x-vrfj/GHSA-3q47-272x-vrfj.json create mode 100644 advisories/unreviewed/2024/09/GHSA-3qf3-f6f4-6993/GHSA-3qf3-f6f4-6993.json create mode 100644 advisories/unreviewed/2024/09/GHSA-3w22-q3jv-89jw/GHSA-3w22-q3jv-89jw.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-4438-qr8f-3p3v/GHSA-4438-qr8f-3p3v.json create mode 100644 advisories/unreviewed/2024/09/GHSA-496q-mjmq-q8ww/GHSA-496q-mjmq-q8ww.json create mode 100644 advisories/unreviewed/2024/09/GHSA-4hx8-86wp-g993/GHSA-4hx8-86wp-g993.json create mode 100644 advisories/unreviewed/2024/09/GHSA-4m5g-9h9q-7x5h/GHSA-4m5g-9h9q-7x5h.json create mode 100644 advisories/unreviewed/2024/09/GHSA-56gf-j26c-43xh/GHSA-56gf-j26c-43xh.json create mode 100644 advisories/unreviewed/2024/09/GHSA-57jv-pfhx-pfm5/GHSA-57jv-pfhx-pfm5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-5m5p-hvxj-grxr/GHSA-5m5p-hvxj-grxr.json create mode 100644 advisories/unreviewed/2024/09/GHSA-5rxq-m67m-h24r/GHSA-5rxq-m67m-h24r.json create mode 100644 advisories/unreviewed/2024/09/GHSA-5xr9-xvfc-h2q4/GHSA-5xr9-xvfc-h2q4.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6879-gf6q-3qmj/GHSA-6879-gf6q-3qmj.json create mode 100644 advisories/unreviewed/2024/09/GHSA-68hw-g496-55x6/GHSA-68hw-g496-55x6.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6947-f67q-7599/GHSA-6947-f67q-7599.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6fh7-538c-g5qv/GHSA-6fh7-538c-g5qv.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6h8g-35xx-6xv3/GHSA-6h8g-35xx-6xv3.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6xw6-r35g-4w48/GHSA-6xw6-r35g-4w48.json create mode 100644 advisories/unreviewed/2024/09/GHSA-74p7-53wh-h625/GHSA-74p7-53wh-h625.json create mode 100644 advisories/unreviewed/2024/09/GHSA-79c6-5cw9-rpwc/GHSA-79c6-5cw9-rpwc.json create mode 100644 advisories/unreviewed/2024/09/GHSA-7gm9-jx2g-wpvm/GHSA-7gm9-jx2g-wpvm.json create mode 100644 advisories/unreviewed/2024/09/GHSA-7v3f-jf4x-gj99/GHSA-7v3f-jf4x-gj99.json create mode 100644 advisories/unreviewed/2024/09/GHSA-8476-jpv4-xp4p/GHSA-8476-jpv4-xp4p.json create mode 100644 advisories/unreviewed/2024/09/GHSA-8x82-8rpw-g64h/GHSA-8x82-8rpw-g64h.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-93r2-j783-g4wf/GHSA-93r2-j783-g4wf.json create mode 100644 advisories/unreviewed/2024/09/GHSA-96j7-6x53-7368/GHSA-96j7-6x53-7368.json create mode 100644 advisories/unreviewed/2024/09/GHSA-976w-rfcm-5cfg/GHSA-976w-rfcm-5cfg.json create mode 100644 advisories/unreviewed/2024/09/GHSA-97rq-m5jx-vcxq/GHSA-97rq-m5jx-vcxq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9g9q-cf56-cfh9/GHSA-9g9q-cf56-cfh9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9jxw-6cwc-fv29/GHSA-9jxw-6cwc-fv29.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9mpj-7whj-6m8h/GHSA-9mpj-7whj-6m8h.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9rg3-9338-mwcv/GHSA-9rg3-9338-mwcv.json create mode 100644 advisories/unreviewed/2024/09/GHSA-c2wx-2chw-3qfv/GHSA-c2wx-2chw-3qfv.json create mode 100644 advisories/unreviewed/2024/09/GHSA-cmj7-8jrj-42g2/GHSA-cmj7-8jrj-42g2.json create mode 100644 advisories/unreviewed/2024/09/GHSA-cmvv-gwr2-36xm/GHSA-cmvv-gwr2-36xm.json create mode 100644 advisories/unreviewed/2024/09/GHSA-cw5r-673r-7ww3/GHSA-cw5r-673r-7ww3.json create mode 100644 advisories/unreviewed/2024/09/GHSA-f5pf-wc6m-cx7j/GHSA-f5pf-wc6m-cx7j.json create mode 100644 advisories/unreviewed/2024/09/GHSA-fgvw-2v52-jhfv/GHSA-fgvw-2v52-jhfv.json create mode 100644 advisories/unreviewed/2024/09/GHSA-fqgr-5868-7mf7/GHSA-fqgr-5868-7mf7.json create mode 100644 advisories/unreviewed/2024/09/GHSA-fvmx-5p62-pxm8/GHSA-fvmx-5p62-pxm8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gm8f-9rvm-rrfq/GHSA-gm8f-9rvm-rrfq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gvw8-h5c5-pr3g/GHSA-gvw8-h5c5-pr3g.json create mode 100644 advisories/unreviewed/2024/09/GHSA-gw53-chv8-4wr2/GHSA-gw53-chv8-4wr2.json create mode 100644 advisories/unreviewed/2024/09/GHSA-h498-88jq-wh8m/GHSA-h498-88jq-wh8m.json create mode 100644 advisories/unreviewed/2024/09/GHSA-h89v-mw4f-7wgj/GHSA-h89v-mw4f-7wgj.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-h9cp-5vvc-8wqc/GHSA-h9cp-5vvc-8wqc.json create mode 100644 advisories/unreviewed/2024/09/GHSA-hcj6-hxx2-6wpj/GHSA-hcj6-hxx2-6wpj.json create mode 100644 advisories/unreviewed/2024/09/GHSA-hqp9-2fgf-h6cx/GHSA-hqp9-2fgf-h6cx.json create mode 100644 advisories/unreviewed/2024/09/GHSA-hx98-qf58-hff9/GHSA-hx98-qf58-hff9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-j8gh-87rx-c7w9/GHSA-j8gh-87rx-c7w9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-j962-w243-6g33/GHSA-j962-w243-6g33.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jpf3-j9x5-w3ff/GHSA-jpf3-j9x5-w3ff.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jvcj-gmhm-rfx5/GHSA-jvcj-gmhm-rfx5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-m4c2-8cgc-49gg/GHSA-m4c2-8cgc-49gg.json create mode 100644 advisories/unreviewed/2024/09/GHSA-m548-7rvw-m5fc/GHSA-m548-7rvw-m5fc.json create mode 100644 advisories/unreviewed/2024/09/GHSA-m6gq-8g82-wvgx/GHSA-m6gq-8g82-wvgx.json create mode 100644 advisories/unreviewed/2024/09/GHSA-m9g4-52vh-fwwv/GHSA-m9g4-52vh-fwwv.json create mode 100644 advisories/unreviewed/2024/09/GHSA-mrp4-v2gf-6mxp/GHSA-mrp4-v2gf-6mxp.json create mode 100644 advisories/unreviewed/2024/09/GHSA-p5c3-cc8j-cvfq/GHSA-p5c3-cc8j-cvfq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-p863-p79f-qm33/GHSA-p863-p79f-qm33.json create mode 100644 advisories/unreviewed/2024/09/GHSA-q27x-q82p-47rv/GHSA-q27x-q82p-47rv.json create mode 100644 advisories/unreviewed/2024/09/GHSA-q7q2-gf23-qgjw/GHSA-q7q2-gf23-qgjw.json create mode 100644 advisories/unreviewed/2024/09/GHSA-q7q3-4cwr-583j/GHSA-q7q3-4cwr-583j.json create mode 100644 advisories/unreviewed/2024/09/GHSA-q9mj-qff3-9v4j/GHSA-q9mj-qff3-9v4j.json create mode 100644 advisories/unreviewed/2024/09/GHSA-qcjx-5p37-v6hf/GHSA-qcjx-5p37-v6hf.json create mode 100644 advisories/unreviewed/2024/09/GHSA-qh4m-mqcp-x24m/GHSA-qh4m-mqcp-x24m.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-qm78-568c-wg6m/GHSA-qm78-568c-wg6m.json create mode 100644 advisories/unreviewed/2024/09/GHSA-qqpc-7c83-686v/GHSA-qqpc-7c83-686v.json create mode 100644 advisories/unreviewed/2024/09/GHSA-qqv8-ph7f-h3f7/GHSA-qqv8-ph7f-h3f7.json create mode 100644 advisories/unreviewed/2024/09/GHSA-r45q-ffrj-cr66/GHSA-r45q-ffrj-cr66.json create mode 100644 advisories/unreviewed/2024/09/GHSA-r5fv-vx8p-jvrq/GHSA-r5fv-vx8p-jvrq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-r773-284v-hh8m/GHSA-r773-284v-hh8m.json create mode 100644 advisories/unreviewed/2024/09/GHSA-r7j7-4rc9-m5m3/GHSA-r7j7-4rc9-m5m3.json create mode 100644 advisories/unreviewed/2024/09/GHSA-rcw8-56q4-fh4w/GHSA-rcw8-56q4-fh4w.json create mode 100644 advisories/unreviewed/2024/09/GHSA-rwxx-p542-9g8c/GHSA-rwxx-p542-9g8c.json create mode 100644 advisories/unreviewed/2024/09/GHSA-v64w-2rh7-3gvr/GHSA-v64w-2rh7-3gvr.json create mode 100644 advisories/unreviewed/2024/09/GHSA-wc8g-qpv4-8j46/GHSA-wc8g-qpv4-8j46.json create mode 100644 advisories/unreviewed/2024/09/GHSA-wfqq-7288-2hgf/GHSA-wfqq-7288-2hgf.json create mode 100644 advisories/unreviewed/2024/09/GHSA-wg39-r923-gfr5/GHSA-wg39-r923-gfr5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-wjg2-c55h-phf5/GHSA-wjg2-c55h-phf5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-wjmr-4ghf-rh39/GHSA-wjmr-4ghf-rh39.json create mode 100644 advisories/unreviewed/2024/09/GHSA-x2j8-283m-qc6h/GHSA-x2j8-283m-qc6h.json create mode 100644 advisories/unreviewed/2024/09/GHSA-x44q-9q24-vjf9/GHSA-x44q-9q24-vjf9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-x79g-r583-xj83/GHSA-x79g-r583-xj83.json create mode 100644 advisories/unreviewed/2024/09/GHSA-x9r8-886r-r4qm/GHSA-x9r8-886r-r4qm.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xhrw-4447-w35f/GHSA-xhrw-4447-w35f.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xmf6-p99q-898v/GHSA-xmf6-p99q-898v.json create mode 100644 
advisories/unreviewed/2024/09/GHSA-xrvp-gx9p-8ch2/GHSA-xrvp-gx9p-8ch2.json diff --git a/advisories/github-reviewed/2024/05/GHSA-6wvf-f2vw-3425/GHSA-6wvf-f2vw-3425.json b/advisories/github-reviewed/2024/05/GHSA-6wvf-f2vw-3425/GHSA-6wvf-f2vw-3425.json index 9364d394bf9..70d80d397c7 100644 --- a/advisories/github-reviewed/2024/05/GHSA-6wvf-f2vw-3425/GHSA-6wvf-f2vw-3425.json +++ b/advisories/github-reviewed/2024/05/GHSA-6wvf-f2vw-3425/GHSA-6wvf-f2vw-3425.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6wvf-f2vw-3425", - "modified": "2024-08-30T00:31:22Z", + "modified": "2024-09-17T00:31:03Z", "published": "2024-05-14T18:30:52Z", "aliases": [ "CVE-2024-3727" @@ -154,6 +154,10 @@ "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2024-3727" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2024:6708" + }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2024:6054" diff --git a/advisories/unreviewed/2022/02/GHSA-7hfr-xh2r-6vj8/GHSA-7hfr-xh2r-6vj8.json b/advisories/unreviewed/2022/02/GHSA-7hfr-xh2r-6vj8/GHSA-7hfr-xh2r-6vj8.json index eff8f7a00c0..1ba4f0bb4da 100644 --- a/advisories/unreviewed/2022/02/GHSA-7hfr-xh2r-6vj8/GHSA-7hfr-xh2r-6vj8.json +++ b/advisories/unreviewed/2022/02/GHSA-7hfr-xh2r-6vj8/GHSA-7hfr-xh2r-6vj8.json @@ -32,7 +32,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-276" + "CWE-276", + "CWE-428" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2022/05/GHSA-5pf8-m5c6-qc44/GHSA-5pf8-m5c6-qc44.json b/advisories/unreviewed/2022/05/GHSA-5pf8-m5c6-qc44/GHSA-5pf8-m5c6-qc44.json index 1a246b234bb..2e2b0121595 100644 --- a/advisories/unreviewed/2022/05/GHSA-5pf8-m5c6-qc44/GHSA-5pf8-m5c6-qc44.json +++ b/advisories/unreviewed/2022/05/GHSA-5pf8-m5c6-qc44/GHSA-5pf8-m5c6-qc44.json 
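Review bot: The GHSA-7hfr-xh2r-6vj8 change at `@@ -32,7 +32,8 @@` adds `"CWE-428"` to `cwe_ids`, but that file's diff has no hunk near the top of the record, so `modified` keeps its old value while the content changes. The other updated advisories visible in this patch all bump `modified` (GHSA-6wvf-f2vw-3425, for example, moves to `2024-09-17T00:31:03Z`). A consumer that syncs incrementally on `modified` can therefore miss the added weakness class. I would add a leading hunk that updates it, `"modified": "<RFC 3339 time of this edit>"` (placeholder; the current value is outside the hunk). The `database_specific` object continues past the hunk's last context line.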
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5pf8-m5c6-qc44", - "modified": "2022-10-27T19:00:39Z", + "modified": "2024-09-17T00:31:00Z", "published": "2022-05-24T19:16:55Z", "aliases": [ "CVE-2021-3833" diff --git a/advisories/unreviewed/2022/05/GHSA-83vh-mv8c-q8vm/GHSA-83vh-mv8c-q8vm.json b/advisories/unreviewed/2022/05/GHSA-83vh-mv8c-q8vm/GHSA-83vh-mv8c-q8vm.json index a6337f07067..d854f4c91bd 100644 --- a/advisories/unreviewed/2022/05/GHSA-83vh-mv8c-q8vm/GHSA-83vh-mv8c-q8vm.json +++ b/advisories/unreviewed/2022/05/GHSA-83vh-mv8c-q8vm/GHSA-83vh-mv8c-q8vm.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-83vh-mv8c-q8vm", - "modified": "2023-09-03T18:30:18Z", + "modified": "2024-09-17T00:31:00Z", "published": "2022-05-24T19:15:01Z", "aliases": [ "CVE-2021-3806" diff --git a/advisories/unreviewed/2022/05/GHSA-8pp6-343g-mgj6/GHSA-8pp6-343g-mgj6.json b/advisories/unreviewed/2022/05/GHSA-8pp6-343g-mgj6/GHSA-8pp6-343g-mgj6.json index 4e08df7753d..e0a2e8dc3d8 100644 --- a/advisories/unreviewed/2022/05/GHSA-8pp6-343g-mgj6/GHSA-8pp6-343g-mgj6.json +++ b/advisories/unreviewed/2022/05/GHSA-8pp6-343g-mgj6/GHSA-8pp6-343g-mgj6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8pp6-343g-mgj6", - "modified": "2023-10-09T18:30:19Z", + "modified": "2024-09-17T00:30:59Z", "published": "2022-05-24T16:54:27Z", "aliases": [ "CVE-2019-5638" diff --git a/advisories/unreviewed/2022/06/GHSA-q9r7-jm84-gwh8/GHSA-q9r7-jm84-gwh8.json b/advisories/unreviewed/2022/06/GHSA-q9r7-jm84-gwh8/GHSA-q9r7-jm84-gwh8.json index e1e1cc48d44..71014c5f18a 100644 --- a/advisories/unreviewed/2022/06/GHSA-q9r7-jm84-gwh8/GHSA-q9r7-jm84-gwh8.json +++ b/advisories/unreviewed/2022/06/GHSA-q9r7-jm84-gwh8/GHSA-q9r7-jm84-gwh8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q9r7-jm84-gwh8", - "modified": "2024-02-15T21:31:25Z", + "modified": "2024-09-17T00:31:00Z", "published": "2022-06-14T00:00:35Z", "aliases": [ "CVE-2022-30308" 
diff --git a/advisories/unreviewed/2022/06/GHSA-v8cv-ch4w-445w/GHSA-v8cv-ch4w-445w.json b/advisories/unreviewed/2022/06/GHSA-v8cv-ch4w-445w/GHSA-v8cv-ch4w-445w.json index 2cc54938a51..4ed46478be7 100644 --- a/advisories/unreviewed/2022/06/GHSA-v8cv-ch4w-445w/GHSA-v8cv-ch4w-445w.json +++ b/advisories/unreviewed/2022/06/GHSA-v8cv-ch4w-445w/GHSA-v8cv-ch4w-445w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-v8cv-ch4w-445w", - "modified": "2023-07-21T18:30:34Z", + "modified": "2024-09-17T00:31:00Z", "published": "2022-06-14T00:00:35Z", "aliases": [ "CVE-2022-30311" diff --git a/advisories/unreviewed/2022/06/GHSA-xm2r-2g3f-xg38/GHSA-xm2r-2g3f-xg38.json b/advisories/unreviewed/2022/06/GHSA-xm2r-2g3f-xg38/GHSA-xm2r-2g3f-xg38.json index 9dcb0ac11e9..588f2799c96 100644 --- a/advisories/unreviewed/2022/06/GHSA-xm2r-2g3f-xg38/GHSA-xm2r-2g3f-xg38.json +++ b/advisories/unreviewed/2022/06/GHSA-xm2r-2g3f-xg38/GHSA-xm2r-2g3f-xg38.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xm2r-2g3f-xg38", - "modified": "2023-07-21T18:30:34Z", + "modified": "2024-09-17T00:31:00Z", "published": "2022-06-14T00:00:35Z", "aliases": [ "CVE-2022-30309" diff --git a/advisories/unreviewed/2022/06/GHSA-xm7p-h8qq-9g6j/GHSA-xm7p-h8qq-9g6j.json b/advisories/unreviewed/2022/06/GHSA-xm7p-h8qq-9g6j/GHSA-xm7p-h8qq-9g6j.json index 792c1c50ab1..a2cb72804db 100644 --- a/advisories/unreviewed/2022/06/GHSA-xm7p-h8qq-9g6j/GHSA-xm7p-h8qq-9g6j.json +++ b/advisories/unreviewed/2022/06/GHSA-xm7p-h8qq-9g6j/GHSA-xm7p-h8qq-9g6j.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xm7p-h8qq-9g6j", - "modified": "2024-02-15T21:31:25Z", + "modified": "2024-09-17T00:31:00Z", "published": "2022-06-14T00:00:35Z", "aliases": [ "CVE-2022-30310" diff --git a/advisories/unreviewed/2022/09/GHSA-6jg8-m9ff-fv96/GHSA-6jg8-m9ff-fv96.json b/advisories/unreviewed/2022/09/GHSA-6jg8-m9ff-fv96/GHSA-6jg8-m9ff-fv96.json index 679c9dc608e..201a78ee237 100644 
--- a/advisories/unreviewed/2022/09/GHSA-6jg8-m9ff-fv96/GHSA-6jg8-m9ff-fv96.json +++ b/advisories/unreviewed/2022/09/GHSA-6jg8-m9ff-fv96/GHSA-6jg8-m9ff-fv96.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6jg8-m9ff-fv96", - "modified": "2023-09-03T18:30:19Z", + "modified": "2024-09-17T00:31:01Z", "published": "2022-09-22T00:00:30Z", "aliases": [ "CVE-2022-2265" diff --git a/advisories/unreviewed/2024/09/GHSA-22rq-cmx2-gvr4/GHSA-22rq-cmx2-gvr4.json b/advisories/unreviewed/2024/09/GHSA-22rq-cmx2-gvr4/GHSA-22rq-cmx2-gvr4.json new file mode 100644 index 00000000000..5e6343db19c --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-22rq-cmx2-gvr4/GHSA-22rq-cmx2-gvr4.json @@ -0,0 +1,51 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-22rq-cmx2-gvr4", + "modified": "2024-09-17T00:31:06Z", + "published": "2024-09-17T00:31:06Z", + "aliases": [ + "CVE-2024-44167" + ], + "details": "This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Ventura 13.7, visionOS 2, iOS 18 and iPadOS 18, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to overwrite arbitrary files.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44167" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121234" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121247" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121249" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:51Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-272r-9r62-xgwc/GHSA-272r-9r62-xgwc.json b/advisories/unreviewed/2024/09/GHSA-272r-9r62-xgwc/GHSA-272r-9r62-xgwc.json
new file mode 100644
index 00000000000..c2b30be47d1
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-272r-9r62-xgwc/GHSA-272r-9r62-xgwc.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-272r-9r62-xgwc",
+ "modified": "2024-09-17T00:31:03Z",
+ "published": "2024-09-17T00:31:03Z",
+ "aliases": [
+ "CVE-2024-6685"
+ ],
+ "details": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6685"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hackerone.com/reports/2584372"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/472012"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T22:15:20Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-382w-q3v4-xc76/GHSA-382w-q3v4-xc76.json b/advisories/unreviewed/2024/09/GHSA-382w-q3v4-xc76/GHSA-382w-q3v4-xc76.json
new file mode 100644
index 00000000000..5a25be45304
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-382w-q3v4-xc76/GHSA-382w-q3v4-xc76.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-382w-q3v4-xc76",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44160"
+ ],
+ "details": "A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted texture may lead to unexpected app termination.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44160"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-38j2-mm6q-835r/GHSA-38j2-mm6q-835r.json b/advisories/unreviewed/2024/09/GHSA-38j2-mm6q-835r/GHSA-38j2-mm6q-835r.json
new file mode 100644
index 00000000000..37c95059d9f
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-38j2-mm6q-835r/GHSA-38j2-mm6q-835r.json
@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-38j2-mm6q-835r",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44184"
+ ],
+ "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access user-sensitive data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44184"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-3c83-x7hx-cgfx/GHSA-3c83-x7hx-cgfx.json b/advisories/unreviewed/2024/09/GHSA-3c83-x7hx-cgfx/GHSA-3c83-x7hx-cgfx.json
new file mode 100644
index 00000000000..16382d23730
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-3c83-x7hx-cgfx/GHSA-3c83-x7hx-cgfx.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3c83-x7hx-cgfx",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44130"
+ ],
+ "details": "This issue was addressed with improved data protection. This issue is fixed in macOS Sequoia 15. An app with root privileges may be able to access private information.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44130"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-3m65-xvh4-3hm8/GHSA-3m65-xvh4-3hm8.json b/advisories/unreviewed/2024/09/GHSA-3m65-xvh4-3hm8/GHSA-3m65-xvh4-3hm8.json
new file mode 100644
index 00000000000..f08776339aa
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-3m65-xvh4-3hm8/GHSA-3m65-xvh4-3hm8.json
@@ -0,0 +1,55 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3m65-xvh4-3hm8",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44165"
+ ],
+ "details": "A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, visionOS 2, iOS 18 and iPadOS 18, macOS Sonoma 14.7, macOS Sequoia 15. Network traffic may leak outside a VPN tunnel.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44165"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121249"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-3q47-272x-vrfj/GHSA-3q47-272x-vrfj.json b/advisories/unreviewed/2024/09/GHSA-3q47-272x-vrfj/GHSA-3q47-272x-vrfj.json
new file mode 100644
index 00000000000..e7df847a028
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-3q47-272x-vrfj/GHSA-3q47-272x-vrfj.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3q47-272x-vrfj",
+ "modified": "2024-09-17T00:31:03Z",
+ "published": "2024-09-17T00:31:03Z",
+ "aliases": [
+ "CVE-2024-27861"
+ ],
+ "details": "The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15. An application may be able to read restricted memory.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27861"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-3qf3-f6f4-6993/GHSA-3qf3-f6f4-6993.json b/advisories/unreviewed/2024/09/GHSA-3qf3-f6f4-6993/GHSA-3qf3-f6f4-6993.json
new file mode 100644
index 00000000000..b6e17cf40fe
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-3qf3-f6f4-6993/GHSA-3qf3-f6f4-6993.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3qf3-f6f4-6993",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40838"
+ ],
+ "details": "A privacy issue was addressed by moving sensitive data to a protected location. This issue is fixed in macOS Sequoia 15. A malicious app may be able to access notifications from the user's device.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40838"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-3w22-q3jv-89jw/GHSA-3w22-q3jv-89jw.json b/advisories/unreviewed/2024/09/GHSA-3w22-q3jv-89jw/GHSA-3w22-q3jv-89jw.json
new file mode 100644
index 00000000000..d0036aff27d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-3w22-q3jv-89jw/GHSA-3w22-q3jv-89jw.json
@@ -0,0 +1,63 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3w22-q3jv-89jw",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40850"
+ ],
+ "details": "A file access issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, macOS Sonoma 14.7, tvOS 18. An app may be able to access user-sensitive data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40850"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121248"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121249"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-4438-qr8f-3p3v/GHSA-4438-qr8f-3p3v.json b/advisories/unreviewed/2024/09/GHSA-4438-qr8f-3p3v/GHSA-4438-qr8f-3p3v.json
new file mode 100644
index 00000000000..86020db6618
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-4438-qr8f-3p3v/GHSA-4438-qr8f-3p3v.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4438-qr8f-3p3v",
+ "modified": "2024-09-17T00:31:03Z",
+ "published": "2024-09-17T00:31:03Z",
+ "aliases": [
+ "CVE-2024-27875"
+ ],
+ "details": "A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15. Privacy Indicators for microphone or camera access may be attributed incorrectly.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27875"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-496q-mjmq-q8ww/GHSA-496q-mjmq-q8ww.json b/advisories/unreviewed/2024/09/GHSA-496q-mjmq-q8ww/GHSA-496q-mjmq-q8ww.json
new file mode 100644
index 00000000000..f9164b73783
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-496q-mjmq-q8ww/GHSA-496q-mjmq-q8ww.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-496q-mjmq-q8ww",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40830"
+ ],
+ "details": "This issue was addressed with improved data protection. This issue is fixed in iOS 18 and iPadOS 18. An app may be able to enumerate a user's installed apps.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40830"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-4hx8-86wp-g993/GHSA-4hx8-86wp-g993.json b/advisories/unreviewed/2024/09/GHSA-4hx8-86wp-g993/GHSA-4hx8-86wp-g993.json
new file mode 100644
index 00000000000..cf1d7669934
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-4hx8-86wp-g993/GHSA-4hx8-86wp-g993.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4hx8-86wp-g993",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44148"
+ ],
+ "details": "This issue was addressed with improved validation of file attributes. This issue is fixed in macOS Sequoia 15. An app may be able to break out of its sandbox.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44148"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-4m5g-9h9q-7x5h/GHSA-4m5g-9h9q-7x5h.json b/advisories/unreviewed/2024/09/GHSA-4m5g-9h9q-7x5h/GHSA-4m5g-9h9q-7x5h.json
new file mode 100644
index 00000000000..23828d27f90
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-4m5g-9h9q-7x5h/GHSA-4m5g-9h9q-7x5h.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4m5g-9h9q-7x5h",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44149"
+ ],
+ "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44149"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-56gf-j26c-43xh/GHSA-56gf-j26c-43xh.json b/advisories/unreviewed/2024/09/GHSA-56gf-j26c-43xh/GHSA-56gf-j26c-43xh.json
new file mode 100644
index 00000000000..337e6eed380
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-56gf-j26c-43xh/GHSA-56gf-j26c-43xh.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-56gf-j26c-43xh",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44132"
+ ],
+ "details": "This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15. An app may be able to break out of its sandbox.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44132"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-57jv-pfhx-pfm5/GHSA-57jv-pfhx-pfm5.json b/advisories/unreviewed/2024/09/GHSA-57jv-pfhx-pfm5/GHSA-57jv-pfhx-pfm5.json
new file mode 100644
index 00000000000..640ca6af944
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-57jv-pfhx-pfm5/GHSA-57jv-pfhx-pfm5.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-57jv-pfhx-pfm5",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44189"
+ ],
+ "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15. A logic issue existed where a process may be able to capture screen contents without user consent.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44189"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-5m5p-hvxj-grxr/GHSA-5m5p-hvxj-grxr.json b/advisories/unreviewed/2024/09/GHSA-5m5p-hvxj-grxr/GHSA-5m5p-hvxj-grxr.json
new file mode 100644
index 00000000000..45007db740d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-5m5p-hvxj-grxr/GHSA-5m5p-hvxj-grxr.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5m5p-hvxj-grxr",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44202"
+ ],
+ "details": "An authentication issue was addressed with improved state management. This issue is fixed in iOS 18 and iPadOS 18. Private Browsing tabs may be accessed without authentication.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44202"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-5rxq-m67m-h24r/GHSA-5rxq-m67m-h24r.json b/advisories/unreviewed/2024/09/GHSA-5rxq-m67m-h24r/GHSA-5rxq-m67m-h24r.json
new file mode 100644
index 00000000000..b8726822b4c
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-5rxq-m67m-h24r/GHSA-5rxq-m67m-h24r.json
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5rxq-m67m-h24r", + "modified": "2024-09-17T00:31:05Z", + "published": "2024-09-17T00:31:05Z", + "aliases": [ + "CVE-2024-44153" + ], + "details": "The issue was addressed with improved permissions logic. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access user-sensitive data.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44153" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121247" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:50Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-5xr9-xvfc-h2q4/GHSA-5xr9-xvfc-h2q4.json b/advisories/unreviewed/2024/09/GHSA-5xr9-xvfc-h2q4/GHSA-5xr9-xvfc-h2q4.json new file mode 100644 index 00000000000..76ee0eaa502 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-5xr9-xvfc-h2q4/GHSA-5xr9-xvfc-h2q4.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5xr9-xvfc-h2q4", + "modified": "2024-09-17T00:31:04Z", + "published": "2024-09-17T00:31:04Z", + "aliases": [ + "CVE-2024-40790" + ], + "details": "The issue was addressed with improved handling of caches. This issue is fixed in visionOS 2. An app may be able to read sensitive data from the GPU memory.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40790" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121249" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-6879-gf6q-3qmj/GHSA-6879-gf6q-3qmj.json b/advisories/unreviewed/2024/09/GHSA-6879-gf6q-3qmj/GHSA-6879-gf6q-3qmj.json new file mode 100644 index 00000000000..1cbb29fbb0d --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-6879-gf6q-3qmj/GHSA-6879-gf6q-3qmj.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6879-gf6q-3qmj", + "modified": "2024-09-17T00:31:03Z", + "published": "2024-09-17T00:31:03Z", + "aliases": [ + "CVE-2024-40770" + ], + "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. A non-privileged user may be able to modify restricted network settings.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40770" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:48Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-68hw-g496-55x6/GHSA-68hw-g496-55x6.json b/advisories/unreviewed/2024/09/GHSA-68hw-g496-55x6/GHSA-68hw-g496-55x6.json new file mode 100644 index 00000000000..fc9507dc90c --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-68hw-g496-55x6/GHSA-68hw-g496-55x6.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-68hw-g496-55x6", + "modified": "2024-09-17T00:31:04Z", + "published": "2024-09-17T00:31:04Z", + "aliases": [ + "CVE-2024-40862" + ], + "details": "A privacy issue was addressed by removing sensitive data. This issue is fixed in Xcode 16. An attacker may be able to determine the Apple ID of the owner of the computer.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40862" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121239" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-6947-f67q-7599/GHSA-6947-f67q-7599.json b/advisories/unreviewed/2024/09/GHSA-6947-f67q-7599/GHSA-6947-f67q-7599.json new file mode 100644 index 00000000000..f2b47c6b2d4 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-6947-f67q-7599/GHSA-6947-f67q-7599.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6947-f67q-7599", + "modified": "2024-09-17T00:31:04Z", + "published": "2024-09-17T00:31:04Z", + "aliases": [ + "CVE-2024-40861" + ], + "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15. An app may be able to gain root privileges.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40861" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-6fh7-538c-g5qv/GHSA-6fh7-538c-g5qv.json b/advisories/unreviewed/2024/09/GHSA-6fh7-538c-g5qv/GHSA-6fh7-538c-g5qv.json new file mode 100644 index 00000000000..bf271b7a43c --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-6fh7-538c-g5qv/GHSA-6fh7-538c-g5qv.json 
@@ -0,0 +1,63 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6fh7-538c-g5qv", + "modified": "2024-09-17T00:31:06Z", + "published": "2024-09-17T00:31:06Z", + "aliases": [ + "CVE-2024-44169" + ], + "details": "The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, macOS Sonoma 14.7, tvOS 18. An app may be able to cause unexpected system termination.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44169" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121234" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121240" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121246" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121247" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121248" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121249" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:51Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-6h8g-35xx-6xv3/GHSA-6h8g-35xx-6xv3.json b/advisories/unreviewed/2024/09/GHSA-6h8g-35xx-6xv3/GHSA-6h8g-35xx-6xv3.json new file mode 100644 index 00000000000..3aa542b830c --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-6h8g-35xx-6xv3/GHSA-6h8g-35xx-6xv3.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6h8g-35xx-6xv3", + "modified": "2024-09-17T00:31:03Z", + "published": "2024-09-17T00:31:03Z", + "aliases": [ + "CVE-2024-27869" + ], + "details": "The issue was addressed with improved checks. This issue is fixed in iOS 18 and iPadOS 18, macOS Sequoia 15. An app may be able to record the screen without an indicator.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27869" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-6xw6-r35g-4w48/GHSA-6xw6-r35g-4w48.json b/advisories/unreviewed/2024/09/GHSA-6xw6-r35g-4w48/GHSA-6xw6-r35g-4w48.json new file mode 100644 index 00000000000..112ff5aaf5a --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-6xw6-r35g-4w48/GHSA-6xw6-r35g-4w48.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6xw6-r35g-4w48", + "modified": "2024-09-17T00:31:05Z", + "published": "2024-09-17T00:31:05Z", + "aliases": [ + "CVE-2024-44162" + ], + "details": "This issue was addressed by enabling hardened runtime. This issue is fixed in Xcode 16. A malicious application may gain access to a user's Keychain items.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44162" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121239" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:51Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-74p7-53wh-h625/GHSA-74p7-53wh-h625.json b/advisories/unreviewed/2024/09/GHSA-74p7-53wh-h625/GHSA-74p7-53wh-h625.json new file mode 100644 index 00000000000..e759e3207bc --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-74p7-53wh-h625/GHSA-74p7-53wh-h625.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-74p7-53wh-h625", + "modified": "2024-09-17T00:31:04Z", + "published": "2024-09-17T00:31:04Z", + "aliases": [ + "CVE-2024-40846" + ], + "details": "The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted video file may lead to unexpected app termination.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40846" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121247" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-79c6-5cw9-rpwc/GHSA-79c6-5cw9-rpwc.json b/advisories/unreviewed/2024/09/GHSA-79c6-5cw9-rpwc/GHSA-79c6-5cw9-rpwc.json new file mode 100644 index 00000000000..aa7e68463d9 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-79c6-5cw9-rpwc/GHSA-79c6-5cw9-rpwc.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-79c6-5cw9-rpwc", + "modified": "2024-09-17T00:31:04Z", + "published": "2024-09-17T00:31:04Z", + "aliases": [ + "CVE-2024-40825" + ], + "details": "The issue was addressed with improved checks. This issue is fixed in visionOS 2, macOS Sequoia 15. A malicious app with root privileges may be able to modify the contents of system files.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40825" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121249" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-7gm9-jx2g-wpvm/GHSA-7gm9-jx2g-wpvm.json b/advisories/unreviewed/2024/09/GHSA-7gm9-jx2g-wpvm/GHSA-7gm9-jx2g-wpvm.json new file mode 100644 index 00000000000..0d350145838 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-7gm9-jx2g-wpvm/GHSA-7gm9-jx2g-wpvm.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7gm9-jx2g-wpvm", + "modified": "2024-09-17T00:31:04Z", + "published": "2024-09-17T00:31:04Z", + "aliases": [ + "CVE-2024-40856" + ], + "details": "An integrity issue was addressed with Beacon Protection. This issue is fixed in iOS 18 and iPadOS 18, tvOS 18, macOS Sequoia 15. An attacker may be able to force a device to disconnect from a secure network.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40856" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121248" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-7v3f-jf4x-gj99/GHSA-7v3f-jf4x-gj99.json b/advisories/unreviewed/2024/09/GHSA-7v3f-jf4x-gj99/GHSA-7v3f-jf4x-gj99.json new file mode 100644 index 00000000000..5473500403f --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-7v3f-jf4x-gj99/GHSA-7v3f-jf4x-gj99.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7v3f-jf4x-gj99", + "modified": "2024-09-17T00:31:04Z", + "published": "2024-09-17T00:31:04Z", + "aliases": [ + "CVE-2024-40863" + ], + "details": "This issue was addressed with improved data protection. This issue is fixed in iOS 18 and iPadOS 18. An app may be able to leak sensitive user information.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40863" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-8476-jpv4-xp4p/GHSA-8476-jpv4-xp4p.json b/advisories/unreviewed/2024/09/GHSA-8476-jpv4-xp4p/GHSA-8476-jpv4-xp4p.json new file mode 100644 index 00000000000..f17d4422c02 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-8476-jpv4-xp4p/GHSA-8476-jpv4-xp4p.json 
@@ -0,0 +1,55 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8476-jpv4-xp4p", + "modified": "2024-09-17T00:31:04Z", + "published": "2024-09-17T00:31:04Z", + "aliases": [ + "CVE-2024-40857" + ], + "details": "This issue was addressed through improved state management. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. Processing maliciously crafted web content may lead to universal cross site scripting.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40857" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121240" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121241" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121248" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121249" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:49Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-8x82-8rpw-g64h/GHSA-8x82-8rpw-g64h.json b/advisories/unreviewed/2024/09/GHSA-8x82-8rpw-g64h/GHSA-8x82-8rpw-g64h.json new file mode 100644 index 00000000000..61cdd5410e2 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-8x82-8rpw-g64h/GHSA-8x82-8rpw-g64h.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8x82-8rpw-g64h", + "modified": "2024-09-17T00:31:03Z", + "published": "2024-09-17T00:31:03Z", + "aliases": [ + "CVE-2024-27860" + ], + "details": "The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15. An application may be able to read restricted memory.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27860" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-93r2-j783-g4wf/GHSA-93r2-j783-g4wf.json b/advisories/unreviewed/2024/09/GHSA-93r2-j783-g4wf/GHSA-93r2-j783-g4wf.json new file mode 100644 index 00000000000..9af8ec73b67 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-93r2-j783-g4wf/GHSA-93r2-j783-g4wf.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-93r2-j783-g4wf", + "modified": "2024-09-17T00:31:04Z", + "published": "2024-09-17T00:31:04Z", + "aliases": [ + "CVE-2024-40843" + ], + "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15. An app may be able to modify protected parts of the file system.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40843" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:49Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-96j7-6x53-7368/GHSA-96j7-6x53-7368.json b/advisories/unreviewed/2024/09/GHSA-96j7-6x53-7368/GHSA-96j7-6x53-7368.json new file mode 100644 index 00000000000..c5fb0fa8a8e --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-96j7-6x53-7368/GHSA-96j7-6x53-7368.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-96j7-6x53-7368", + "modified": "2024-09-17T00:31:06Z", + "published": "2024-09-17T00:31:06Z", + "aliases": [ + "CVE-2024-44186" + ], + "details": "An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44186" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:51Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-976w-rfcm-5cfg/GHSA-976w-rfcm-5cfg.json b/advisories/unreviewed/2024/09/GHSA-976w-rfcm-5cfg/GHSA-976w-rfcm-5cfg.json new file mode 100644 index 00000000000..9f8fd8c6db3 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-976w-rfcm-5cfg/GHSA-976w-rfcm-5cfg.json 
@@ -0,0 +1,55 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-976w-rfcm-5cfg", + "modified": "2024-09-17T00:31:03Z", + "published": "2024-09-17T00:31:03Z", + "aliases": [ + "CVE-2024-27876" + ], + "details": "A race condition was addressed with improved locking. This issue is fixed in macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, visionOS 2, iOS 18 and iPadOS 18, macOS Sonoma 14.7, macOS Sequoia 15. Unpacking a maliciously crafted archive may allow an attacker to write arbitrary files.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27876" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121234" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121246" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121247" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121249" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-97rq-m5jx-vcxq/GHSA-97rq-m5jx-vcxq.json b/advisories/unreviewed/2024/09/GHSA-97rq-m5jx-vcxq/GHSA-97rq-m5jx-vcxq.json new file mode 100644 index 00000000000..6ad6b2fb3a9 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-97rq-m5jx-vcxq/GHSA-97rq-m5jx-vcxq.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-97rq-m5jx-vcxq", + "modified": "2024-09-17T00:31:06Z", + "published": "2024-09-17T00:31:06Z", + "aliases": [ + "CVE-2024-44180" + ], + "details": "The issue was addressed with improved checks. This issue is fixed in iOS 18 and iPadOS 18. An attacker with physical access may be able to access contacts from the lock screen.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44180" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:51Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-9g9q-cf56-cfh9/GHSA-9g9q-cf56-cfh9.json b/advisories/unreviewed/2024/09/GHSA-9g9q-cf56-cfh9/GHSA-9g9q-cf56-cfh9.json new file mode 100644 index 00000000000..8f2d14d4325 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-9g9q-cf56-cfh9/GHSA-9g9q-cf56-cfh9.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9g9q-cf56-cfh9", + "modified": "2024-09-17T00:31:05Z", + "published": "2024-09-17T00:31:05Z", + "aliases": [ + "CVE-2024-44151" + ], + "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to modify protected parts of the file system.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44151" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121234" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121247" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:50Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-9jxw-6cwc-fv29/GHSA-9jxw-6cwc-fv29.json b/advisories/unreviewed/2024/09/GHSA-9jxw-6cwc-fv29/GHSA-9jxw-6cwc-fv29.json new file mode 100644 index 00000000000..5707346dd72 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-9jxw-6cwc-fv29/GHSA-9jxw-6cwc-fv29.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9jxw-6cwc-fv29", + "modified": "2024-09-17T00:31:05Z", + "published": "2024-09-17T00:31:05Z", + "aliases": [ + "CVE-2024-44154" + ], + "details": "A memory initialization issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted file may lead to unexpected app termination.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44154" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121247" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:50Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-9mpj-7whj-6m8h/GHSA-9mpj-7whj-6m8h.json b/advisories/unreviewed/2024/09/GHSA-9mpj-7whj-6m8h/GHSA-9mpj-7whj-6m8h.json new file mode 100644 index 00000000000..e9758cbc732 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-9mpj-7whj-6m8h/GHSA-9mpj-7whj-6m8h.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9mpj-7whj-6m8h", + "modified": "2024-09-17T00:31:04Z", + "published": "2024-09-17T00:31:04Z", + "aliases": [ + "CVE-2024-40840" + ], + "details": "This issue was addressed through improved state management. This issue is fixed in iOS 18 and iPadOS 18. An attacker with physical access may be able to use Siri to access sensitive user data.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40840" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-9rg3-9338-mwcv/GHSA-9rg3-9338-mwcv.json b/advisories/unreviewed/2024/09/GHSA-9rg3-9338-mwcv/GHSA-9rg3-9338-mwcv.json new file mode 100644 index 00000000000..8f0d8579105 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-9rg3-9338-mwcv/GHSA-9rg3-9338-mwcv.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9rg3-9338-mwcv", + "modified": "2024-09-17T00:31:05Z", + "published": "2024-09-17T00:31:05Z", + "aliases": [ + "CVE-2024-44139" + ], + "details": "The issue was addressed with improved checks. This issue is fixed in iOS 18 and iPadOS 18. An attacker with physical access may be able to access contacts from the lock screen.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44139" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:50Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2024/09/GHSA-c2wx-2chw-3qfv/GHSA-c2wx-2chw-3qfv.json b/advisories/unreviewed/2024/09/GHSA-c2wx-2chw-3qfv/GHSA-c2wx-2chw-3qfv.json new file mode 100644 index 00000000000..15231171b87 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-c2wx-2chw-3qfv/GHSA-c2wx-2chw-3qfv.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c2wx-2chw-3qfv", + "modified": "2024-09-17T00:31:05Z", + "published": "2024-09-17T00:31:05Z", + "aliases": [ + "CVE-2024-44147" + ], + "details": "This issue was addressed through improved state management. This issue is fixed in iOS 18 and iPadOS 18. An app may gain unauthorized access to Local Network.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44147" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:50Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-cmj7-8jrj-42g2/GHSA-cmj7-8jrj-42g2.json b/advisories/unreviewed/2024/09/GHSA-cmj7-8jrj-42g2/GHSA-cmj7-8jrj-42g2.json new file mode 100644 index 00000000000..475dffe6979 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-cmj7-8jrj-42g2/GHSA-cmj7-8jrj-42g2.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cmj7-8jrj-42g2", + "modified": "2024-09-17T00:31:03Z", + "published": "2024-09-17T00:31:03Z", + "aliases": [ + "CVE-2024-27874" + ], + "details": "This issue was addressed through improved state management. This issue is fixed in iOS 18 and iPadOS 18. A remote attacker may be able to cause a denial-of-service.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27874" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:47Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-cmvv-gwr2-36xm/GHSA-cmvv-gwr2-36xm.json b/advisories/unreviewed/2024/09/GHSA-cmvv-gwr2-36xm/GHSA-cmvv-gwr2-36xm.json new file mode 100644 index 00000000000..d3b9e9319b5 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-cmvv-gwr2-36xm/GHSA-cmvv-gwr2-36xm.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cmvv-gwr2-36xm", + "modified": "2024-09-17T00:31:05Z", + "published": "2024-09-17T00:31:05Z", + "aliases": [ + "CVE-2024-44131" + ], + "details": "This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 18 and iPadOS 18, macOS Sequoia 15. An app may be able to access sensitive user data.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44131" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121250" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:50Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-cw5r-673r-7ww3/GHSA-cw5r-673r-7ww3.json b/advisories/unreviewed/2024/09/GHSA-cw5r-673r-7ww3/GHSA-cw5r-673r-7ww3.json new file mode 100644 index 00000000000..65c72a68714 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-cw5r-673r-7ww3/GHSA-cw5r-673r-7ww3.json 
@@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cw5r-673r-7ww3", + "modified": "2024-09-17T00:31:04Z", + "published": "2024-09-17T00:31:04Z", + "aliases": [ + "CVE-2024-40797" + ], + "details": "This issue was addressed through improved state management. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. Visiting a malicious website may lead to user interface spoofing.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40797" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121234" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121238" + }, + { + "type": "WEB", + "url": "https://support.apple.com/en-us/121247" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T00:15:48Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-f5pf-wc6m-cx7j/GHSA-f5pf-wc6m-cx7j.json b/advisories/unreviewed/2024/09/GHSA-f5pf-wc6m-cx7j/GHSA-f5pf-wc6m-cx7j.json new file mode 100644 index 00000000000..6f6b7a6937b --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-f5pf-wc6m-cx7j/GHSA-f5pf-wc6m-cx7j.json 
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f5pf-wc6m-cx7j",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44129"
+ ],
+ "details": "The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7, macOS Sequoia 15. An app may be able to leak sensitive user information.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44129"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-fgvw-2v52-jhfv/GHSA-fgvw-2v52-jhfv.json b/advisories/unreviewed/2024/09/GHSA-fgvw-2v52-jhfv/GHSA-fgvw-2v52-jhfv.json
new file mode 100644
index 00000000000..677842e5ec4
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-fgvw-2v52-jhfv/GHSA-fgvw-2v52-jhfv.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fgvw-2v52-jhfv",
+ "modified": "2024-09-17T00:31:02Z",
+ "published": "2024-09-17T00:31:02Z",
+ "aliases": [
+ "CVE-2024-4283"
+ ],
+ "details": "An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4283"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hackerone.com/reports/2474286"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/458502"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-601"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-16T22:15:20Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-fqgr-5868-7mf7/GHSA-fqgr-5868-7mf7.json b/advisories/unreviewed/2024/09/GHSA-fqgr-5868-7mf7/GHSA-fqgr-5868-7mf7.json
new file mode 100644
index 00000000000..5ea58144839
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-fqgr-5868-7mf7/GHSA-fqgr-5868-7mf7.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fqgr-5868-7mf7",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44164"
+ ],
+ "details": "This issue was addressed with improved checks. This issue is fixed in iOS 17.7 and iPadOS 17.7, macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to bypass Privacy preferences.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44164"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-fvmx-5p62-pxm8/GHSA-fvmx-5p62-pxm8.json b/advisories/unreviewed/2024/09/GHSA-fvmx-5p62-pxm8/GHSA-fvmx-5p62-pxm8.json
new file mode 100644
index 00000000000..9c9c0a3fc9a
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-fvmx-5p62-pxm8/GHSA-fvmx-5p62-pxm8.json
@@ -0,0 +1,63 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fvmx-5p62-pxm8",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44176"
+ ],
+ "details": "An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, macOS Sonoma 14.7, tvOS 18. Processing an image may lead to a denial-of-service.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44176"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121248"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121249"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-gm8f-9rvm-rrfq/GHSA-gm8f-9rvm-rrfq.json b/advisories/unreviewed/2024/09/GHSA-gm8f-9rvm-rrfq/GHSA-gm8f-9rvm-rrfq.json
new file mode 100644
index 00000000000..59e0448412c
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-gm8f-9rvm-rrfq/GHSA-gm8f-9rvm-rrfq.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gm8f-9rvm-rrfq",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44125"
+ ],
+ "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. A malicious application may be able to leak sensitive user information.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44125"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-gvw8-h5c5-pr3g/GHSA-gvw8-h5c5-pr3g.json b/advisories/unreviewed/2024/09/GHSA-gvw8-h5c5-pr3g/GHSA-gvw8-h5c5-pr3g.json
new file mode 100644
index 00000000000..9debe8b447f
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-gvw8-h5c5-pr3g/GHSA-gvw8-h5c5-pr3g.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gvw8-h5c5-pr3g",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44146"
+ ],
+ "details": "A logic issue was addressed with improved file handling. This issue is fixed in macOS Sequoia 15. An app may be able to break out of its sandbox.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44146"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-gw53-chv8-4wr2/GHSA-gw53-chv8-4wr2.json b/advisories/unreviewed/2024/09/GHSA-gw53-chv8-4wr2/GHSA-gw53-chv8-4wr2.json
new file mode 100644
index 00000000000..5b573ed7d92
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-gw53-chv8-4wr2/GHSA-gw53-chv8-4wr2.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gw53-chv8-4wr2",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40847"
+ ],
+ "details": "The issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access sensitive user data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40847"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-h498-88jq-wh8m/GHSA-h498-88jq-wh8m.json b/advisories/unreviewed/2024/09/GHSA-h498-88jq-wh8m/GHSA-h498-88jq-wh8m.json
new file mode 100644
index 00000000000..9396e64faab
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-h498-88jq-wh8m/GHSA-h498-88jq-wh8m.json
@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h498-88jq-wh8m",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40791"
+ ],
+ "details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access information about a user's contacts.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40791"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-h89v-mw4f-7wgj/GHSA-h89v-mw4f-7wgj.json b/advisories/unreviewed/2024/09/GHSA-h89v-mw4f-7wgj/GHSA-h89v-mw4f-7wgj.json
new file mode 100644
index 00000000000..ee27f3d6662
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-h89v-mw4f-7wgj/GHSA-h89v-mw4f-7wgj.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h89v-mw4f-7wgj",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40801"
+ ],
+ "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access protected user data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40801"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-h9cp-5vvc-8wqc/GHSA-h9cp-5vvc-8wqc.json b/advisories/unreviewed/2024/09/GHSA-h9cp-5vvc-8wqc/GHSA-h9cp-5vvc-8wqc.json
new file mode 100644
index 00000000000..2358b0720eb
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-h9cp-5vvc-8wqc/GHSA-h9cp-5vvc-8wqc.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h9cp-5vvc-8wqc",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40866"
+ ],
+ "details": "The issue was addressed with improved UI. This issue is fixed in Safari 18, macOS Sequoia 15. Visiting a malicious website may lead to address bar spoofing.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40866"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121241"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-hcj6-hxx2-6wpj/GHSA-hcj6-hxx2-6wpj.json b/advisories/unreviewed/2024/09/GHSA-hcj6-hxx2-6wpj/GHSA-hcj6-hxx2-6wpj.json
new file mode 100644
index 00000000000..f7311f4cd89
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-hcj6-hxx2-6wpj/GHSA-hcj6-hxx2-6wpj.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hcj6-hxx2-6wpj",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44163"
+ ],
+ "details": "The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. A malicious application may be able to access private information.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44163"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-hqp9-2fgf-h6cx/GHSA-hqp9-2fgf-h6cx.json b/advisories/unreviewed/2024/09/GHSA-hqp9-2fgf-h6cx/GHSA-hqp9-2fgf-h6cx.json
new file mode 100644
index 00000000000..9a4739aff9d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-hqp9-2fgf-h6cx/GHSA-hqp9-2fgf-h6cx.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hqp9-2fgf-h6cx",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44135"
+ ],
+ "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access protected files within an App Sandbox container.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44135"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-hx98-qf58-hff9/GHSA-hx98-qf58-hff9.json b/advisories/unreviewed/2024/09/GHSA-hx98-qf58-hff9/GHSA-hx98-qf58-hff9.json
new file mode 100644
index 00000000000..0530314416a
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-hx98-qf58-hff9/GHSA-hx98-qf58-hff9.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hx98-qf58-hff9",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44152"
+ ],
+ "details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15. An app may be able to access user-sensitive data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44152"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-j8gh-87rx-c7w9/GHSA-j8gh-87rx-c7w9.json b/advisories/unreviewed/2024/09/GHSA-j8gh-87rx-c7w9/GHSA-j8gh-87rx-c7w9.json
new file mode 100644
index 00000000000..52e16a5549b
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-j8gh-87rx-c7w9/GHSA-j8gh-87rx-c7w9.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-j8gh-87rx-c7w9",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-45496"
+ ],
+ "details": "A flaw was found in OpenShift. This issue occurs due to the misuse of elevated privileges in the OpenShift Container Platform's build process. During the build initialization step, the git-clone container is run with a privileged security context, allowing unrestricted access to the node. An attacker with developer-level access can provide a crafted .gitconfig file containing commands executed during the cloning process, leading to arbitrary command execution on the worker node. An attacker running code in a privileged container could escalate their permissions on the node running the container.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45496"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-45496"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308661"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-269"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-j962-w243-6g33/GHSA-j962-w243-6g33.json b/advisories/unreviewed/2024/09/GHSA-j962-w243-6g33/GHSA-j962-w243-6g33.json
new file mode 100644
index 00000000000..ab0ea24423d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-j962-w243-6g33/GHSA-j962-w243-6g33.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-j962-w243-6g33",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44178"
+ ],
+ "details": "This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to modify protected parts of the file system.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44178"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-jpf3-j9x5-w3ff/GHSA-jpf3-j9x5-w3ff.json b/advisories/unreviewed/2024/09/GHSA-jpf3-j9x5-w3ff/GHSA-jpf3-j9x5-w3ff.json
new file mode 100644
index 00000000000..7046ef41e54
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-jpf3-j9x5-w3ff/GHSA-jpf3-j9x5-w3ff.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jpf3-j9x5-w3ff",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44133"
+ ],
+ "details": "This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15. On MDM managed devices, an app may be able to bypass certain Privacy preferences.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44133"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-jvcj-gmhm-rfx5/GHSA-jvcj-gmhm-rfx5.json b/advisories/unreviewed/2024/09/GHSA-jvcj-gmhm-rfx5/GHSA-jvcj-gmhm-rfx5.json
new file mode 100644
index 00000000000..1f108c3a04a
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-jvcj-gmhm-rfx5/GHSA-jvcj-gmhm-rfx5.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jvcj-gmhm-rfx5",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44171"
+ ],
+ "details": "This issue was addressed through improved state management. This issue is fixed in iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18, watchOS 11. An attacker with physical access to a locked device may be able to Control Nearby Devices via accessibility features.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44171"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-m4c2-8cgc-49gg/GHSA-m4c2-8cgc-49gg.json b/advisories/unreviewed/2024/09/GHSA-m4c2-8cgc-49gg/GHSA-m4c2-8cgc-49gg.json
new file mode 100644
index 00000000000..076e3c13e92
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-m4c2-8cgc-49gg/GHSA-m4c2-8cgc-49gg.json
@@ -0,0 +1,63 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m4c2-8cgc-49gg",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44183"
+ ],
+ "details": "A logic error was addressed with improved error handling. This issue is fixed in macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, macOS Sonoma 14.7, tvOS 18. An app may be able to cause a denial-of-service.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44183"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121248"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121249"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-m548-7rvw-m5fc/GHSA-m548-7rvw-m5fc.json b/advisories/unreviewed/2024/09/GHSA-m548-7rvw-m5fc/GHSA-m548-7rvw-m5fc.json
new file mode 100644
index 00000000000..132d23c7858
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-m548-7rvw-m5fc/GHSA-m548-7rvw-m5fc.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m548-7rvw-m5fc",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40844"
+ ],
+ "details": "A privacy issue was addressed with improved handling of temporary files. This issue is fixed in iOS 17.7 and iPadOS 17.7, macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to observe data displayed to the user by Shortcuts.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40844"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-m6gq-8g82-wvgx/GHSA-m6gq-8g82-wvgx.json b/advisories/unreviewed/2024/09/GHSA-m6gq-8g82-wvgx/GHSA-m6gq-8g82-wvgx.json
new file mode 100644
index 00000000000..ce1e1857554
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-m6gq-8g82-wvgx/GHSA-m6gq-8g82-wvgx.json
@@ -0,0 +1,59 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m6gq-8g82-wvgx",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44191"
+ ],
+ "details": "This issue was addressed through improved state management. This issue is fixed in iOS 17.7 and iPadOS 17.7, Xcode 16, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. An app may gain unauthorized access to Bluetooth.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44191"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121239"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121248"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121249"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-m9g4-52vh-fwwv/GHSA-m9g4-52vh-fwwv.json b/advisories/unreviewed/2024/09/GHSA-m9g4-52vh-fwwv/GHSA-m9g4-52vh-fwwv.json
new file mode 100644
index 00000000000..e73ac077f15
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-m9g4-52vh-fwwv/GHSA-m9g4-52vh-fwwv.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m9g4-52vh-fwwv",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40848"
+ ],
+ "details": "A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An attacker may be able to read sensitive information.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40848"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-mrp4-v2gf-6mxp/GHSA-mrp4-v2gf-6mxp.json b/advisories/unreviewed/2024/09/GHSA-mrp4-v2gf-6mxp/GHSA-mrp4-v2gf-6mxp.json
new file mode 100644
index 00000000000..0859d11b837
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-mrp4-v2gf-6mxp/GHSA-mrp4-v2gf-6mxp.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mrp4-v2gf-6mxp",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44128"
+ ],
+ "details": "This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An Automator Quick Action workflow may be able to bypass Gatekeeper.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44128"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-p5c3-cc8j-cvfq/GHSA-p5c3-cc8j-cvfq.json b/advisories/unreviewed/2024/09/GHSA-p5c3-cc8j-cvfq/GHSA-p5c3-cc8j-cvfq.json
new file mode 100644
index 00000000000..86a4b6d7925
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-p5c3-cc8j-cvfq/GHSA-p5c3-cc8j-cvfq.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p5c3-cc8j-cvfq",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44161"
+ ],
+ "details": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted texture may lead to unexpected app termination.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44161"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-p863-p79f-qm33/GHSA-p863-p79f-qm33.json b/advisories/unreviewed/2024/09/GHSA-p863-p79f-qm33/GHSA-p863-p79f-qm33.json
new file mode 100644
index 00000000000..070c754fcba
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-p863-p79f-qm33/GHSA-p863-p79f-qm33.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p863-p79f-qm33",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44188"
+ ],
+ "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44188"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-q27x-q82p-47rv/GHSA-q27x-q82p-47rv.json b/advisories/unreviewed/2024/09/GHSA-q27x-q82p-47rv/GHSA-q27x-q82p-47rv.json
new file mode 100644
index 00000000000..84d5befd6b5
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-q27x-q82p-47rv/GHSA-q27x-q82p-47rv.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q27x-q82p-47rv",
+ "modified": "2024-09-17T00:31:03Z",
+ "published": "2024-09-17T00:31:03Z",
+ "aliases": [
+ "CVE-2024-27858"
+ ],
+ "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27858"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-q7q2-gf23-qgjw/GHSA-q7q2-gf23-qgjw.json b/advisories/unreviewed/2024/09/GHSA-q7q2-gf23-qgjw/GHSA-q7q2-gf23-qgjw.json
new file mode 100644
index 00000000000..167c7c6cecc
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-q7q2-gf23-qgjw/GHSA-q7q2-gf23-qgjw.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q7q2-gf23-qgjw",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44177"
+ ],
+ "details": "A privacy issue was addressed by removing sensitive data. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access user-sensitive data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44177"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-q7q3-4cwr-583j/GHSA-q7q3-4cwr-583j.json b/advisories/unreviewed/2024/09/GHSA-q7q3-4cwr-583j/GHSA-q7q3-4cwr-583j.json
new file mode 100644
index 00000000000..2c4ab0db3f8
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-q7q3-4cwr-583j/GHSA-q7q3-4cwr-583j.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q7q3-4cwr-583j",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40859"
+ ],
+ "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access user-sensitive data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40859"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-q9mj-qff3-9v4j/GHSA-q9mj-qff3-9v4j.json b/advisories/unreviewed/2024/09/GHSA-q9mj-qff3-9v4j/GHSA-q9mj-qff3-9v4j.json
new file mode 100644
index 00000000000..8937320fa96
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-q9mj-qff3-9v4j/GHSA-q9mj-qff3-9v4j.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q9mj-qff3-9v4j",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44127"
+ ],
+ "details": "This issue was addressed through improved state management. This issue is fixed in iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18. Private Browsing tabs may be accessed without authentication.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44127"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-qcjx-5p37-v6hf/GHSA-qcjx-5p37-v6hf.json b/advisories/unreviewed/2024/09/GHSA-qcjx-5p37-v6hf/GHSA-qcjx-5p37-v6hf.json
new file mode 100644
index 00000000000..feb5fe45b30
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-qcjx-5p37-v6hf/GHSA-qcjx-5p37-v6hf.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qcjx-5p37-v6hf",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44181"
+ ],
+ "details": "An issue was addressed with improved handling of temporary files. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to read sensitive location information.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44181"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-qh4m-mqcp-x24m/GHSA-qh4m-mqcp-x24m.json b/advisories/unreviewed/2024/09/GHSA-qh4m-mqcp-x24m/GHSA-qh4m-mqcp-x24m.json
new file mode 100644
index 00000000000..127658d4167
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-qh4m-mqcp-x24m/GHSA-qh4m-mqcp-x24m.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qh4m-mqcp-x24m",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44170"
+ ],
+ "details": "A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in iOS 18 and iPadOS 18, watchOS 11, macOS Sequoia 15. An app may be able to access user-sensitive data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44170"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-qm78-568c-wg6m/GHSA-qm78-568c-wg6m.json b/advisories/unreviewed/2024/09/GHSA-qm78-568c-wg6m/GHSA-qm78-568c-wg6m.json
new file mode 100644
index 00000000000..370a0355feb
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-qm78-568c-wg6m/GHSA-qm78-568c-wg6m.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qm78-568c-wg6m",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44158"
+ ],
+ "details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 17.7 and iPadOS 17.7, macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. A shortcut may output sensitive user data without consent.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44158"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-qqpc-7c83-686v/GHSA-qqpc-7c83-686v.json b/advisories/unreviewed/2024/09/GHSA-qqpc-7c83-686v/GHSA-qqpc-7c83-686v.json
new file mode 100644
index 00000000000..f37115482af
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-qqpc-7c83-686v/GHSA-qqpc-7c83-686v.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qqpc-7c83-686v",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-44124"
+ ],
+ "details": "This issue was addressed through improved state management. This issue is fixed in iOS 18 and iPadOS 18. A malicious Bluetooth input device may bypass pairing.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44124"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-qqv8-ph7f-h3f7/GHSA-qqv8-ph7f-h3f7.json b/advisories/unreviewed/2024/09/GHSA-qqv8-ph7f-h3f7/GHSA-qqv8-ph7f-h3f7.json
new file mode 100644
index 00000000000..d9190c4f87a
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-qqv8-ph7f-h3f7/GHSA-qqv8-ph7f-h3f7.json
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qqv8-ph7f-h3f7",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-7387"
+ ],
+ "details": "A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the “Docker” strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7387"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-7387"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302259"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-250"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-r45q-ffrj-cr66/GHSA-r45q-ffrj-cr66.json b/advisories/unreviewed/2024/09/GHSA-r45q-ffrj-cr66/GHSA-r45q-ffrj-cr66.json
new file mode 100644
index 00000000000..51c53c04a7d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-r45q-ffrj-cr66/GHSA-r45q-ffrj-cr66.json
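Review bot: The `affected` array in the new GHSA-qqv8-ph7f-h3f7 record is empty, so tooling that matches advisories to dependencies by package and version range has nothing to match on, even though the record carries a CVSS 3.1 vector with `S:C` and `"severity": "CRITICAL"`. With `"github_reviewed": false`, teams running OpenShift builds should not expect a dependency alert from this entry and should track the two referenced Red Hat pages directly until a package and fixed range are filled in. The `details` text describes command injection reached through path traversal in `destinationDir`, while `cwe_ids` lists only `"CWE-250"`; when the entry is curated it may be worth checking whether a path-traversal class such as CWE-22 should be added alongside it. Operationally, the text points at `BuildConfig` objects using the Docker strategy with `spec.source.secrets` set, which is the field to audit and restrict by RBAC.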
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r45q-ffrj-cr66",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40837"
+ ],
+ "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40837"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-r5fv-vx8p-jvrq/GHSA-r5fv-vx8p-jvrq.json b/advisories/unreviewed/2024/09/GHSA-r5fv-vx8p-jvrq/GHSA-r5fv-vx8p-jvrq.json
new file mode 100644
index 00000000000..cd3b2aa6802
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-r5fv-vx8p-jvrq/GHSA-r5fv-vx8p-jvrq.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r5fv-vx8p-jvrq",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44168"
+ ],
+ "details": "A library injection issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to modify protected parts of the file system.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44168"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-r773-284v-hh8m/GHSA-r773-284v-hh8m.json b/advisories/unreviewed/2024/09/GHSA-r773-284v-hh8m/GHSA-r773-284v-hh8m.json
new file mode 100644
index 00000000000..6019c5ff8be
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-r773-284v-hh8m/GHSA-r773-284v-hh8m.json
@@ -0,0 +1,59 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r773-284v-hh8m",
+ "modified": "2024-09-17T00:31:03Z",
+ "published": "2024-09-17T00:31:03Z",
+ "aliases": [
+ "CVE-2024-27880"
+ ],
+ "details": "An out-of-bounds read issue was addressed with improved input validation. This issue is fixed in iOS 17.7 and iPadOS 17.7, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, macOS Sonoma 14.7, tvOS 18. Processing a maliciously crafted file may lead to unexpected app termination.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27880"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121248"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121249"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-r7j7-4rc9-m5m3/GHSA-r7j7-4rc9-m5m3.json b/advisories/unreviewed/2024/09/GHSA-r7j7-4rc9-m5m3/GHSA-r7j7-4rc9-m5m3.json
new file mode 100644
index 00000000000..2ef0808b3e5
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-r7j7-4rc9-m5m3/GHSA-r7j7-4rc9-m5m3.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r7j7-4rc9-m5m3",
+ "modified": "2024-09-17T00:31:03Z",
+ "published": "2024-09-17T00:31:03Z",
+ "aliases": [
+ "CVE-2024-23237"
+ ],
+ "details": "The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15. An app may be able to cause a denial-of-service.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23237"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-rcw8-56q4-fh4w/GHSA-rcw8-56q4-fh4w.json b/advisories/unreviewed/2024/09/GHSA-rcw8-56q4-fh4w/GHSA-rcw8-56q4-fh4w.json
new file mode 100644
index 00000000000..9d88bdbbe3c
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-rcw8-56q4-fh4w/GHSA-rcw8-56q4-fh4w.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rcw8-56q4-fh4w",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40842"
+ ],
+ "details": "An issue was addressed with improved validation of environment variables. This issue is fixed in macOS Sequoia 15. An app may be able to access user-sensitive data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40842"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-rwxx-p542-9g8c/GHSA-rwxx-p542-9g8c.json b/advisories/unreviewed/2024/09/GHSA-rwxx-p542-9g8c/GHSA-rwxx-p542-9g8c.json
new file mode 100644
index 00000000000..eb4fc5fffa4
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-rwxx-p542-9g8c/GHSA-rwxx-p542-9g8c.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rwxx-p542-9g8c",
+ "modified": "2024-09-17T00:31:03Z",
+ "published": "2024-09-17T00:31:03Z",
+ "aliases": [
+ "CVE-2024-27879"
+ ],
+ "details": "The issue was addressed with improved bounds checks. This issue is fixed in iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18. An attacker may be able to cause unexpected app termination.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27879"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121246"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-v64w-2rh7-3gvr/GHSA-v64w-2rh7-3gvr.json b/advisories/unreviewed/2024/09/GHSA-v64w-2rh7-3gvr/GHSA-v64w-2rh7-3gvr.json
new file mode 100644
index 00000000000..09bf117e908
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-v64w-2rh7-3gvr/GHSA-v64w-2rh7-3gvr.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-v64w-2rh7-3gvr",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44182"
+ ],
+ "details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access sensitive data logged when a shortcut fails to launch another app.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44182"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-wc8g-qpv4-8j46/GHSA-wc8g-qpv4-8j46.json b/advisories/unreviewed/2024/09/GHSA-wc8g-qpv4-8j46/GHSA-wc8g-qpv4-8j46.json
new file mode 100644
index 00000000000..4784bad60a6
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-wc8g-qpv4-8j46/GHSA-wc8g-qpv4-8j46.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wc8g-qpv4-8j46",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40841"
+ ],
+ "details": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted video file may lead to unexpected app termination.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40841"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-wfqq-7288-2hgf/GHSA-wfqq-7288-2hgf.json b/advisories/unreviewed/2024/09/GHSA-wfqq-7288-2hgf/GHSA-wfqq-7288-2hgf.json
new file mode 100644
index 00000000000..73fd9618afd
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-wfqq-7288-2hgf/GHSA-wfqq-7288-2hgf.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wfqq-7288-2hgf",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40831"
+ ],
+ "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access a user's Photos Library.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40831"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-wg39-r923-gfr5/GHSA-wg39-r923-gfr5.json b/advisories/unreviewed/2024/09/GHSA-wg39-r923-gfr5/GHSA-wg39-r923-gfr5.json
new file mode 100644
index 00000000000..c6f1d74fbeb
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-wg39-r923-gfr5/GHSA-wg39-r923-gfr5.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wg39-r923-gfr5",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40860"
+ ],
+ "details": "A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to modify protected parts of the file system.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40860"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-wjg2-c55h-phf5/GHSA-wjg2-c55h-phf5.json b/advisories/unreviewed/2024/09/GHSA-wjg2-c55h-phf5/GHSA-wjg2-c55h-phf5.json
new file mode 100644
index 00000000000..17821f5cd58
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-wjg2-c55h-phf5/GHSA-wjg2-c55h-phf5.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wjg2-c55h-phf5",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40852"
+ ],
+ "details": "This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18 and iPadOS 18. An attacker may be able to see recent photos without authentication in Assistive Access.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40852"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-wjmr-4ghf-rh39/GHSA-wjmr-4ghf-rh39.json b/advisories/unreviewed/2024/09/GHSA-wjmr-4ghf-rh39/GHSA-wjmr-4ghf-rh39.json
new file mode 100644
index 00000000000..62c9a320300
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-wjmr-4ghf-rh39/GHSA-wjmr-4ghf-rh39.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wjmr-4ghf-rh39",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44190"
+ ],
+ "details": "A path handling issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to read arbitrary files.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44190"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-x2j8-283m-qc6h/GHSA-x2j8-283m-qc6h.json b/advisories/unreviewed/2024/09/GHSA-x2j8-283m-qc6h/GHSA-x2j8-283m-qc6h.json
new file mode 100644
index 00000000000..2d211528c8b
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-x2j8-283m-qc6h/GHSA-x2j8-283m-qc6h.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x2j8-283m-qc6h",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40826"
+ ],
+ "details": "A privacy issue was addressed with improved handling of files. This issue is fixed in iOS 18 and iPadOS 18, macOS Sequoia 15. An unencrypted document may be written to a temporary file when using print preview.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40826"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:48Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-x44q-9q24-vjf9/GHSA-x44q-9q24-vjf9.json b/advisories/unreviewed/2024/09/GHSA-x44q-9q24-vjf9/GHSA-x44q-9q24-vjf9.json
new file mode 100644
index 00000000000..7be650b7f45
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-x44q-9q24-vjf9/GHSA-x44q-9q24-vjf9.json
@@ -0,0 +1,51 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x44q-9q24-vjf9",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44198"
+ ],
+ "details": "An integer overflow was addressed through improved input validation. This issue is fixed in visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. Processing maliciously crafted web content may lead to an unexpected process crash.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44198"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121248"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121249"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-x79g-r583-xj83/GHSA-x79g-r583-xj83.json b/advisories/unreviewed/2024/09/GHSA-x79g-r583-xj83/GHSA-x79g-r583-xj83.json
new file mode 100644
index 00000000000..0886082fac9
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-x79g-r583-xj83/GHSA-x79g-r583-xj83.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x79g-r583-xj83",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44134"
+ ],
+ "details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sequoia 15. An app may be able to read sensitive location information.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44134"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-x9r8-886r-r4qm/GHSA-x9r8-886r-r4qm.json b/advisories/unreviewed/2024/09/GHSA-x9r8-886r-r4qm/GHSA-x9r8-886r-r4qm.json
new file mode 100644
index 00000000000..7f08d844187
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-x9r8-886r-r4qm/GHSA-x9r8-886r-r4qm.json
@@ -0,0 +1,43 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x9r8-886r-r4qm",
+ "modified": "2024-09-17T00:31:05Z",
+ "published": "2024-09-17T00:31:05Z",
+ "aliases": [
+ "CVE-2024-44166"
+ ],
+ "details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access user-sensitive data.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44166"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121234"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xhrw-4447-w35f/GHSA-xhrw-4447-w35f.json b/advisories/unreviewed/2024/09/GHSA-xhrw-4447-w35f/GHSA-xhrw-4447-w35f.json
new file mode 100644
index 00000000000..e2ceb0ca274
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-xhrw-4447-w35f/GHSA-xhrw-4447-w35f.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xhrw-4447-w35f",
+ "modified": "2024-09-17T00:31:04Z",
+ "published": "2024-09-17T00:31:04Z",
+ "aliases": [
+ "CVE-2024-40845"
+ ],
+ "details": "The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted video file may lead to unexpected app termination.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40845"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:49Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xmf6-p99q-898v/GHSA-xmf6-p99q-898v.json b/advisories/unreviewed/2024/09/GHSA-xmf6-p99q-898v/GHSA-xmf6-p99q-898v.json
new file mode 100644
index 00000000000..f41fbf3f14d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-xmf6-p99q-898v/GHSA-xmf6-p99q-898v.json
@@ -0,0 +1,55 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xmf6-p99q-898v",
+ "modified": "2024-09-17T00:31:06Z",
+ "published": "2024-09-17T00:31:06Z",
+ "aliases": [
+ "CVE-2024-44187"
+ ],
+ "details": "A cross-origin issue existed with \"iframe\" elements. This was addressed with improved tracking of security origins. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44187"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121241"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121248"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121249"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121250"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xrvp-gx9p-8ch2/GHSA-xrvp-gx9p-8ch2.json b/advisories/unreviewed/2024/09/GHSA-xrvp-gx9p-8ch2/GHSA-xrvp-gx9p-8ch2.json
new file mode 100644
index 00000000000..bcc778817cc
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-xrvp-gx9p-8ch2/GHSA-xrvp-gx9p-8ch2.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xrvp-gx9p-8ch2",
+ "modified": "2024-09-17T00:31:03Z",
+ "published": "2024-09-17T00:31:03Z",
+ "aliases": [
+ "CVE-2024-27795"
+ ],
+ "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. A camera extension may be able to access the internet.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27795"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.apple.com/en-us/121238"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T00:15:47Z"
+ }
+}
\ No newline at end of file
From 6dc56617b8822d95907e313572e516d9076b808f Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 03:32:07 +0000 Subject: [PATCH 156/170] Publish Advisories GHSA-4jrr-pcvg-6fp6 GHSA-mg6f-mx33-mrj2 GHSA-w7x5-g6gj-cxw9 GHSA-wxhj-ww34-v87f GHSA-5p86-7v4g-7f7r GHSA-fxvw-v786-822p GHSA-j5wg-h8jh-fx4v GHSA-w8v6-gxpj-3qp5 GHSA-wwx9-cp3m-5v66 GHSA-vcc9-8549-687w GHSA-46j9-q72c-3w95 GHSA-7vm7-mp89-q7c7 GHSA-48wc-9j2c-rwp5 GHSA-7whw-68xg-fr5c GHSA-cwqr-9j7q-r9xh GHSA-q4q2-r8qr-qgwm --- .../GHSA-4jrr-pcvg-6fp6.json | 2 +- .../GHSA-mg6f-mx33-mrj2.json | 2 +- .../GHSA-w7x5-g6gj-cxw9.json | 2 +- .../GHSA-wxhj-ww34-v87f.json | 2 +- .../GHSA-5p86-7v4g-7f7r.json | 2 +- .../GHSA-fxvw-v786-822p.json | 2 +- .../GHSA-j5wg-h8jh-fx4v.json | 2 +- .../GHSA-w8v6-gxpj-3qp5.json | 2 +- .../GHSA-wwx9-cp3m-5v66.json | 2 +- .../GHSA-vcc9-8549-687w.json | 2 +- .../GHSA-46j9-q72c-3w95.json | 2 +- .../GHSA-7vm7-mp89-q7c7.json | 2 +- .../GHSA-48wc-9j2c-rwp5.json | 6 ++- .../GHSA-7whw-68xg-fr5c.json | 11 ++++-- .../GHSA-cwqr-9j7q-r9xh.json | 9 +++-- .../GHSA-q4q2-r8qr-qgwm.json | 38 +++++++++++++++++++ 16 files changed, 68 insertions(+), 20 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-q4q2-r8qr-qgwm/GHSA-q4q2-r8qr-qgwm.json diff --git a/advisories/unreviewed/2021/11/GHSA-4jrr-pcvg-6fp6/GHSA-4jrr-pcvg-6fp6.json b/advisories/unreviewed/2021/11/GHSA-4jrr-pcvg-6fp6/GHSA-4jrr-pcvg-6fp6.json index f9ff13393a5..5ea58a8cb78 100644 --- a/advisories/unreviewed/2021/11/GHSA-4jrr-pcvg-6fp6/GHSA-4jrr-pcvg-6fp6.json +++ b/advisories/unreviewed/2021/11/GHSA-4jrr-pcvg-6fp6/GHSA-4jrr-pcvg-6fp6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4jrr-pcvg-6fp6", - "modified": "2023-10-10T12:32:08Z", + "modified": "2024-09-17T03:30:41Z", "published": "2021-11-23T00:00:50Z", "aliases": [ "CVE-2019-5640" 
diff --git a/advisories/unreviewed/2022/08/GHSA-mg6f-mx33-mrj2/GHSA-mg6f-mx33-mrj2.json b/advisories/unreviewed/2022/08/GHSA-mg6f-mx33-mrj2/GHSA-mg6f-mx33-mrj2.json index 6d33819411e..4d5e116faaf 100644 --- a/advisories/unreviewed/2022/08/GHSA-mg6f-mx33-mrj2/GHSA-mg6f-mx33-mrj2.json +++ b/advisories/unreviewed/2022/08/GHSA-mg6f-mx33-mrj2/GHSA-mg6f-mx33-mrj2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mg6f-mx33-mrj2", - "modified": "2022-08-19T00:00:20Z", + "modified": "2024-09-17T03:30:41Z", "published": "2022-08-18T00:00:19Z", "aliases": [ "CVE-2022-1401" diff --git a/advisories/unreviewed/2023/01/GHSA-w7x5-g6gj-cxw9/GHSA-w7x5-g6gj-cxw9.json b/advisories/unreviewed/2023/01/GHSA-w7x5-g6gj-cxw9/GHSA-w7x5-g6gj-cxw9.json index d0a70a3aebc..e663d10e1b1 100644 --- a/advisories/unreviewed/2023/01/GHSA-w7x5-g6gj-cxw9/GHSA-w7x5-g6gj-cxw9.json +++ b/advisories/unreviewed/2023/01/GHSA-w7x5-g6gj-cxw9/GHSA-w7x5-g6gj-cxw9.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-wxhj-ww34-v87f/GHSA-wxhj-ww34-v87f.json b/advisories/unreviewed/2023/01/GHSA-wxhj-ww34-v87f/GHSA-wxhj-ww34-v87f.json index a7c8036d43d..fb8fafeefe8 100644 --- a/advisories/unreviewed/2023/01/GHSA-wxhj-ww34-v87f/GHSA-wxhj-ww34-v87f.json +++ b/advisories/unreviewed/2023/01/GHSA-wxhj-ww34-v87f/GHSA-wxhj-ww34-v87f.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/04/GHSA-5p86-7v4g-7f7r/GHSA-5p86-7v4g-7f7r.json b/advisories/unreviewed/2023/04/GHSA-5p86-7v4g-7f7r/GHSA-5p86-7v4g-7f7r.json index 40a969e20d2..185b2be64c2 100644 --- a/advisories/unreviewed/2023/04/GHSA-5p86-7v4g-7f7r/GHSA-5p86-7v4g-7f7r.json +++ b/advisories/unreviewed/2023/04/GHSA-5p86-7v4g-7f7r/GHSA-5p86-7v4g-7f7r.json 
@@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/04/GHSA-fxvw-v786-822p/GHSA-fxvw-v786-822p.json b/advisories/unreviewed/2023/04/GHSA-fxvw-v786-822p/GHSA-fxvw-v786-822p.json index 8a19e174b4e..d5359b89ce7 100644 --- a/advisories/unreviewed/2023/04/GHSA-fxvw-v786-822p/GHSA-fxvw-v786-822p.json +++ b/advisories/unreviewed/2023/04/GHSA-fxvw-v786-822p/GHSA-fxvw-v786-822p.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/04/GHSA-j5wg-h8jh-fx4v/GHSA-j5wg-h8jh-fx4v.json b/advisories/unreviewed/2023/04/GHSA-j5wg-h8jh-fx4v/GHSA-j5wg-h8jh-fx4v.json index 47bd630c4e9..44b7c1d2c14 100644 --- a/advisories/unreviewed/2023/04/GHSA-j5wg-h8jh-fx4v/GHSA-j5wg-h8jh-fx4v.json +++ b/advisories/unreviewed/2023/04/GHSA-j5wg-h8jh-fx4v/GHSA-j5wg-h8jh-fx4v.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/04/GHSA-w8v6-gxpj-3qp5/GHSA-w8v6-gxpj-3qp5.json b/advisories/unreviewed/2023/04/GHSA-w8v6-gxpj-3qp5/GHSA-w8v6-gxpj-3qp5.json index 94b836ffcbd..cadf66f13bc 100644 --- a/advisories/unreviewed/2023/04/GHSA-w8v6-gxpj-3qp5/GHSA-w8v6-gxpj-3qp5.json +++ b/advisories/unreviewed/2023/04/GHSA-w8v6-gxpj-3qp5/GHSA-w8v6-gxpj-3qp5.json @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-306" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/04/GHSA-wwx9-cp3m-5v66/GHSA-wwx9-cp3m-5v66.json b/advisories/unreviewed/2023/04/GHSA-wwx9-cp3m-5v66/GHSA-wwx9-cp3m-5v66.json index 8a9e71b89b8..ae43e722dfd 100644 --- a/advisories/unreviewed/2023/04/GHSA-wwx9-cp3m-5v66/GHSA-wwx9-cp3m-5v66.json +++ b/advisories/unreviewed/2023/04/GHSA-wwx9-cp3m-5v66/GHSA-wwx9-cp3m-5v66.json 
@@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/07/GHSA-vcc9-8549-687w/GHSA-vcc9-8549-687w.json b/advisories/unreviewed/2023/07/GHSA-vcc9-8549-687w/GHSA-vcc9-8549-687w.json index 700b34b25a3..e48c5499c36 100644 --- a/advisories/unreviewed/2023/07/GHSA-vcc9-8549-687w/GHSA-vcc9-8549-687w.json +++ b/advisories/unreviewed/2023/07/GHSA-vcc9-8549-687w/GHSA-vcc9-8549-687w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vcc9-8549-687w", - "modified": "2024-04-04T05:30:40Z", + "modified": "2024-09-17T03:30:43Z", "published": "2023-07-06T19:24:05Z", "aliases": [ "CVE-2022-2807" diff --git a/advisories/unreviewed/2023/10/GHSA-46j9-q72c-3w95/GHSA-46j9-q72c-3w95.json b/advisories/unreviewed/2023/10/GHSA-46j9-q72c-3w95/GHSA-46j9-q72c-3w95.json index 8bda2f0d1d8..a39200e686c 100644 --- a/advisories/unreviewed/2023/10/GHSA-46j9-q72c-3w95/GHSA-46j9-q72c-3w95.json +++ b/advisories/unreviewed/2023/10/GHSA-46j9-q72c-3w95/GHSA-46j9-q72c-3w95.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-94" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-7vm7-mp89-q7c7/GHSA-7vm7-mp89-q7c7.json b/advisories/unreviewed/2023/10/GHSA-7vm7-mp89-q7c7/GHSA-7vm7-mp89-q7c7.json index cb26e2aefdd..866971fce5e 100644 --- a/advisories/unreviewed/2023/10/GHSA-7vm7-mp89-q7c7/GHSA-7vm7-mp89-q7c7.json +++ b/advisories/unreviewed/2023/10/GHSA-7vm7-mp89-q7c7/GHSA-7vm7-mp89-q7c7.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2024/09/GHSA-48wc-9j2c-rwp5/GHSA-48wc-9j2c-rwp5.json b/advisories/unreviewed/2024/09/GHSA-48wc-9j2c-rwp5/GHSA-48wc-9j2c-rwp5.json index d4ecec4320f..3cc137140b3 100644 --- a/advisories/unreviewed/2024/09/GHSA-48wc-9j2c-rwp5/GHSA-48wc-9j2c-rwp5.json 
+++ b/advisories/unreviewed/2024/09/GHSA-48wc-9j2c-rwp5/GHSA-48wc-9j2c-rwp5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-48wc-9j2c-rwp5", - "modified": "2024-09-06T06:31:41Z", + "modified": "2024-09-17T03:30:44Z", "published": "2024-09-06T06:31:41Z", "aliases": [ "CVE-2024-39585" @@ -21,6 +21,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39585" }, + { + "type": "WEB", + "url": "https://www.dell.com/support/kbdoc/en-us/000228355/dsa-2024-376-security-update-for-dell-networking-os10-vulnerability" + }, { "type": "WEB", "url": "https://www.dell.com/support/kbdoc/en-us/000228357/dsa-2024-377-security-update-for-dell-networking-os10-vulnerability" diff --git a/advisories/unreviewed/2024/09/GHSA-7whw-68xg-fr5c/GHSA-7whw-68xg-fr5c.json b/advisories/unreviewed/2024/09/GHSA-7whw-68xg-fr5c/GHSA-7whw-68xg-fr5c.json index 590382dbc8c..42229b39391 100644 --- a/advisories/unreviewed/2024/09/GHSA-7whw-68xg-fr5c/GHSA-7whw-68xg-fr5c.json +++ b/advisories/unreviewed/2024/09/GHSA-7whw-68xg-fr5c/GHSA-7whw-68xg-fr5c.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7whw-68xg-fr5c", - "modified": "2024-09-16T18:31:21Z", + "modified": "2024-09-17T03:30:45Z", "published": "2024-09-16T18:31:21Z", "aliases": [ "CVE-2024-44623" ], "details": "An issue in TuomoKu SPx-GC v.1.3.0 and before allows a remote attacker to execute arbitrary code via the child_process.js function.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" + } ], "affected": [ @@ -33,9 +36,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-94" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-16T16:15:13Z" diff --git a/advisories/unreviewed/2024/09/GHSA-cwqr-9j7q-r9xh/GHSA-cwqr-9j7q-r9xh.json b/advisories/unreviewed/2024/09/GHSA-cwqr-9j7q-r9xh/GHSA-cwqr-9j7q-r9xh.json index c60a368eddb..fceb9ea5a4a 100644 
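Review bot: In GHSA-7whw-68xg-fr5c.json the added vector `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L` records a local attack vector, while the unchanged `details` text in the same hunk describes "a remote attacker" executing arbitrary code, so the two fields disagree. Anyone triaging on the vector will treat this as local-only. The record is unreviewed, so the vector should be confirmed against the NVD entry before it is relied on; if the description is the accurate one, the metric would be `AV:N`, and the `"severity": "HIGH"` set in the file's second hunk would need to be recomputed from the corrected vector.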
--- a/advisories/unreviewed/2024/09/GHSA-cwqr-9j7q-r9xh/GHSA-cwqr-9j7q-r9xh.json +++ b/advisories/unreviewed/2024/09/GHSA-cwqr-9j7q-r9xh/GHSA-cwqr-9j7q-r9xh.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-cwqr-9j7q-r9xh", - "modified": "2024-09-16T14:37:26Z", + "modified": "2024-09-17T03:30:45Z", "published": "2024-09-16T14:37:26Z", "aliases": [ "CVE-2024-8039" ], "details": "Improper permission configurationDomain configuration vulnerability of the mobile application (com.afmobi.boomplayer) can lead to account takeover risks.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ "CWE-732" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-14T04:15:04Z" diff --git a/advisories/unreviewed/2024/09/GHSA-q4q2-r8qr-qgwm/GHSA-q4q2-r8qr-qgwm.json b/advisories/unreviewed/2024/09/GHSA-q4q2-r8qr-qgwm/GHSA-q4q2-r8qr-qgwm.json new file mode 100644 index 00000000000..a9accbd6d99 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-q4q2-r8qr-qgwm/GHSA-q4q2-r8qr-qgwm.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q4q2-r8qr-qgwm",
+ "modified": "2024-09-17T03:30:45Z",
+ "published": "2024-09-17T03:30:45Z",
+ "aliases": [
+ "CVE-2024-8110"
+ ],
+ "details": "Denial of Service (DoS) vulnerability has been found in Dual-redundant Platform for Computer.\nIf a computer on which the affected product is installed receives a large number of UDP broadcast packets in a short period, occasionally that computer may restart.\nIf both the active and standby computers are restarted at the same time, the functionality on that computer may be temporarily unavailable.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8110"
+ },
+ {
+ "type": "WEB",
+ "url": "https://web-material3.yokogawa.com/1/36276/files/YSAR-24-0003-E.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-252"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T02:15:49Z"
+ }
+}
\ No newline at end of file
From 5b32592d17c02b0b06db5f75bddf346f980ac630 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 06:32:16 +0000 Subject: [PATCH 157/170] Publish Advisories GHSA-25rx-8qj3-xr2w GHSA-4xj6-ppmm-pc93 GHSA-36xh-276f-w5j9 GHSA-6363-r5pj-4jm8 GHSA-6443-r9mf-j2mj GHSA-653g-mc33-gq3r GHSA-7wfr-5f4h-3mw7 GHSA-chwj-xj8v-386c GHSA-f3pj-vwf5-5vr3 GHSA-jr3c-32f2-p7wg GHSA-xwc4-p3cg-mmq4 --- .../GHSA-25rx-8qj3-xr2w.json | 2 +- .../GHSA-4xj6-ppmm-pc93.json | 2 +- .../GHSA-36xh-276f-w5j9.json | 35 +++++++++++++++++++ .../GHSA-6363-r5pj-4jm8.json | 35 +++++++++++++++++++ .../GHSA-6443-r9mf-j2mj.json | 35 +++++++++++++++++++ .../GHSA-653g-mc33-gq3r.json | 35 +++++++++++++++++++ .../GHSA-7wfr-5f4h-3mw7.json | 35 +++++++++++++++++++ .../GHSA-chwj-xj8v-386c.json | 35 +++++++++++++++++++ .../GHSA-f3pj-vwf5-5vr3.json | 35 +++++++++++++++++++ .../GHSA-jr3c-32f2-p7wg.json | 35 +++++++++++++++++++ .../GHSA-xwc4-p3cg-mmq4.json | 35 +++++++++++++++++++ 11 files changed, 317 insertions(+), 2 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-36xh-276f-w5j9/GHSA-36xh-276f-w5j9.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6363-r5pj-4jm8/GHSA-6363-r5pj-4jm8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6443-r9mf-j2mj/GHSA-6443-r9mf-j2mj.json create mode 100644 advisories/unreviewed/2024/09/GHSA-653g-mc33-gq3r/GHSA-653g-mc33-gq3r.json create mode 100644 advisories/unreviewed/2024/09/GHSA-7wfr-5f4h-3mw7/GHSA-7wfr-5f4h-3mw7.json create mode 100644 advisories/unreviewed/2024/09/GHSA-chwj-xj8v-386c/GHSA-chwj-xj8v-386c.json create mode 100644 advisories/unreviewed/2024/09/GHSA-f3pj-vwf5-5vr3/GHSA-f3pj-vwf5-5vr3.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jr3c-32f2-p7wg/GHSA-jr3c-32f2-p7wg.json create mode 100644 advisories/unreviewed/2024/09/GHSA-xwc4-p3cg-mmq4/GHSA-xwc4-p3cg-mmq4.json 
diff --git a/advisories/unreviewed/2022/11/GHSA-25rx-8qj3-xr2w/GHSA-25rx-8qj3-xr2w.json b/advisories/unreviewed/2022/11/GHSA-25rx-8qj3-xr2w/GHSA-25rx-8qj3-xr2w.json index 7276057b06b..40c14c1e023 100644 --- a/advisories/unreviewed/2022/11/GHSA-25rx-8qj3-xr2w/GHSA-25rx-8qj3-xr2w.json +++ b/advisories/unreviewed/2022/11/GHSA-25rx-8qj3-xr2w/GHSA-25rx-8qj3-xr2w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-25rx-8qj3-xr2w", - "modified": "2022-11-18T21:30:16Z", + "modified": "2024-09-17T06:30:36Z", "published": "2022-11-16T19:00:32Z", "aliases": [ "CVE-2022-24036" diff --git a/advisories/unreviewed/2022/11/GHSA-4xj6-ppmm-pc93/GHSA-4xj6-ppmm-pc93.json b/advisories/unreviewed/2022/11/GHSA-4xj6-ppmm-pc93/GHSA-4xj6-ppmm-pc93.json index 8eaf220a4f7..4da0892cb0d 100644 --- a/advisories/unreviewed/2022/11/GHSA-4xj6-ppmm-pc93/GHSA-4xj6-ppmm-pc93.json +++ b/advisories/unreviewed/2022/11/GHSA-4xj6-ppmm-pc93/GHSA-4xj6-ppmm-pc93.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4xj6-ppmm-pc93", - "modified": "2022-11-22T21:30:17Z", + "modified": "2024-09-17T06:30:36Z", "published": "2022-11-18T09:30:25Z", "aliases": [ "CVE-2022-24038" diff --git a/advisories/unreviewed/2024/09/GHSA-36xh-276f-w5j9/GHSA-36xh-276f-w5j9.json b/advisories/unreviewed/2024/09/GHSA-36xh-276f-w5j9/GHSA-36xh-276f-w5j9.json new file mode 100644 index 00000000000..9310301dcc8 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-36xh-276f-w5j9/GHSA-36xh-276f-w5j9.json 
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-36xh-276f-w5j9",
+ "modified": "2024-09-17T06:30:37Z",
+ "published": "2024-09-17T06:30:37Z",
+ "aliases": [
+ "CVE-2024-8092"
+ ],
+ "details": "The Accordion Image Menu WordPress plugin through 3.1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8092"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/d5a91ceb-8a92-4f99-b7b7-1c4e0a587022"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T06:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-6363-r5pj-4jm8/GHSA-6363-r5pj-4jm8.json b/advisories/unreviewed/2024/09/GHSA-6363-r5pj-4jm8/GHSA-6363-r5pj-4jm8.json
new file mode 100644
index 00000000000..0e6f5b105b8
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-6363-r5pj-4jm8/GHSA-6363-r5pj-4jm8.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6363-r5pj-4jm8",
+ "modified": "2024-09-17T06:30:36Z",
+ "published": "2024-09-17T06:30:36Z",
+ "aliases": [
+ "CVE-2024-8047"
+ ],
+ "details": "The Visual Sound (old) WordPress plugin through 1.06 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8047"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/0ae1474c-9193-48ee-8cf6-d19900ad95f4"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T06:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-6443-r9mf-j2mj/GHSA-6443-r9mf-j2mj.json b/advisories/unreviewed/2024/09/GHSA-6443-r9mf-j2mj/GHSA-6443-r9mf-j2mj.json
new file mode 100644
index 00000000000..dabe28ad02d
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-6443-r9mf-j2mj/GHSA-6443-r9mf-j2mj.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6443-r9mf-j2mj",
+ "modified": "2024-09-17T06:30:36Z",
+ "published": "2024-09-17T06:30:36Z",
+ "aliases": [
+ "CVE-2024-8044"
+ ],
+ "details": "The infolinks Ad Wrap WordPress plugin through 1.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8044"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/14b42ba8-7a8b-4fbf-86fb-6095879ec05c"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T06:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-653g-mc33-gq3r/GHSA-653g-mc33-gq3r.json b/advisories/unreviewed/2024/09/GHSA-653g-mc33-gq3r/GHSA-653g-mc33-gq3r.json
new file mode 100644
index 00000000000..25bac84b78b
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-653g-mc33-gq3r/GHSA-653g-mc33-gq3r.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-653g-mc33-gq3r",
+ "modified": "2024-09-17T06:30:37Z",
+ "published": "2024-09-17T06:30:37Z",
+ "aliases": [
+ "CVE-2024-8093"
+ ],
+ "details": "The Posts reminder WordPress plugin through 0.20 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8093"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/c7fd690a-5f02-491c-a3fb-6eac9ffffe96"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T06:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-7wfr-5f4h-3mw7/GHSA-7wfr-5f4h-3mw7.json b/advisories/unreviewed/2024/09/GHSA-7wfr-5f4h-3mw7/GHSA-7wfr-5f4h-3mw7.json
new file mode 100644
index 00000000000..55ab0a7453a
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-7wfr-5f4h-3mw7/GHSA-7wfr-5f4h-3mw7.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7wfr-5f4h-3mw7",
+ "modified": "2024-09-17T06:30:37Z",
+ "published": "2024-09-17T06:30:37Z",
+ "aliases": [
+ "CVE-2024-8052"
+ ],
+ "details": "The Review Ratings WordPress plugin through 1.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8052"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/d821a6d0-d749-4e02-9b7c-3065e66e1c97"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T06:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-chwj-xj8v-386c/GHSA-chwj-xj8v-386c.json b/advisories/unreviewed/2024/09/GHSA-chwj-xj8v-386c/GHSA-chwj-xj8v-386c.json
new file mode 100644
index 00000000000..15a02f957fc
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-chwj-xj8v-386c/GHSA-chwj-xj8v-386c.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-chwj-xj8v-386c",
+ "modified": "2024-09-17T06:30:37Z",
+ "published": "2024-09-17T06:30:37Z",
+ "aliases": [
+ "CVE-2024-8091"
+ ],
+ "details": "The Enhanced Search Box WordPress plugin through 0.6.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8091"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/1ca90b81-7539-4a15-8c5a-39a8d96a74a2"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T06:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-f3pj-vwf5-5vr3/GHSA-f3pj-vwf5-5vr3.json b/advisories/unreviewed/2024/09/GHSA-f3pj-vwf5-5vr3/GHSA-f3pj-vwf5-5vr3.json
new file mode 100644
index 00000000000..7f0cabbc3aa
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-f3pj-vwf5-5vr3/GHSA-f3pj-vwf5-5vr3.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f3pj-vwf5-5vr3",
+ "modified": "2024-09-17T06:30:36Z",
+ "published": "2024-09-17T06:30:36Z",
+ "aliases": [
+ "CVE-2024-5170"
+ ],
+ "details": "The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape in its widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5170"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/37b5ed06-0633-49e0-b47d-8aa2f4510179"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T06:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-jr3c-32f2-p7wg/GHSA-jr3c-32f2-p7wg.json b/advisories/unreviewed/2024/09/GHSA-jr3c-32f2-p7wg/GHSA-jr3c-32f2-p7wg.json
new file mode 100644
index 00000000000..a7214931b17
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-jr3c-32f2-p7wg/GHSA-jr3c-32f2-p7wg.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jr3c-32f2-p7wg",
+ "modified": "2024-09-17T06:30:36Z",
+ "published": "2024-09-17T06:30:36Z",
+ "aliases": [
+ "CVE-2024-8051"
+ ],
+ "details": "The Special Feed Items WordPress plugin through 1.0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8051"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/d5edf7ed-207c-48bb-9226-8647ad4348e4"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T06:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-xwc4-p3cg-mmq4/GHSA-xwc4-p3cg-mmq4.json b/advisories/unreviewed/2024/09/GHSA-xwc4-p3cg-mmq4/GHSA-xwc4-p3cg-mmq4.json
new file mode 100644
index 00000000000..f2be7765f2b
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-xwc4-p3cg-mmq4/GHSA-xwc4-p3cg-mmq4.json
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xwc4-p3cg-mmq4", + "modified": "2024-09-17T06:30:36Z", + "published": "2024-09-17T06:30:36Z", + "aliases": [ + "CVE-2024-8043" + ], + "details": "The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8043" + }, + { + "type": "WEB", + "url": "https://wpscan.com/vulnerability/2ba27715-add4-4e2c-ad0d-83ebdc26aec1" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T06:15:02Z" + } +} \ No newline at end of file From f68ad3ed64fb0e7315fc369708e01ae9f4295aa8 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 09:32:53 +0000 Subject: [PATCH 158/170] Publish Advisories GHSA-j37h-9m2q-gr9m GHSA-5fm7-x255-7994 GHSA-jmwg-f97v-w7m5 GHSA-vmvq-4vv4-p8f9 --- .../GHSA-j37h-9m2q-gr9m.json | 6 +- .../GHSA-5fm7-x255-7994.json | 58 +++++++++++++++++++ .../GHSA-jmwg-f97v-w7m5.json | 50 ++++++++++++++++ .../GHSA-vmvq-4vv4-p8f9.json | 38 ++++++++++++ 4 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-5fm7-x255-7994/GHSA-5fm7-x255-7994.json create mode 100644 advisories/unreviewed/2024/09/GHSA-jmwg-f97v-w7m5/GHSA-jmwg-f97v-w7m5.json create mode 100644 advisories/unreviewed/2024/09/GHSA-vmvq-4vv4-p8f9/GHSA-vmvq-4vv4-p8f9.json diff --git a/advisories/unreviewed/2024/08/GHSA-j37h-9m2q-gr9m/GHSA-j37h-9m2q-gr9m.json b/advisories/unreviewed/2024/08/GHSA-j37h-9m2q-gr9m/GHSA-j37h-9m2q-gr9m.json index 7fccc5f052b..f5431859626 100644 
--- a/advisories/unreviewed/2024/08/GHSA-j37h-9m2q-gr9m/GHSA-j37h-9m2q-gr9m.json +++ b/advisories/unreviewed/2024/08/GHSA-j37h-9m2q-gr9m/GHSA-j37h-9m2q-gr9m.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j37h-9m2q-gr9m", - "modified": "2024-08-30T15:31:31Z", + "modified": "2024-09-17T09:31:20Z", "published": "2024-08-30T15:31:31Z", "aliases": [ "CVE-2024-8337" @@ -25,6 +25,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8337" }, + { + "type": "WEB", + "url": "https://github.com/gurudattch/CVEs/blob/main/SourceCodester-Contact-managemet-system-Stored-XSS.md" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.276212" diff --git a/advisories/unreviewed/2024/09/GHSA-5fm7-x255-7994/GHSA-5fm7-x255-7994.json b/advisories/unreviewed/2024/09/GHSA-5fm7-x255-7994/GHSA-5fm7-x255-7994.json new file mode 100644 index 00000000000..564ca122bbf --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-5fm7-x255-7994/GHSA-5fm7-x255-7994.json 
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5fm7-x255-7994",
+ "modified": "2024-09-17T09:31:20Z",
+ "published": "2024-09-17T09:31:20Z",
+ "aliases": [
+ "CVE-2024-8761"
+ ],
+ "details": "The Share This Image plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.03. This is due to insufficient validation on the redirect url supplied via the link parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8761"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/share-this-image/tags/2.03/assets/js/sti.js#L693"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/share-this-image/tags/2.03/includes/class-sti-shortlink.php#L64"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/share-this-image/tags/2.03/includes/class-sti-shortlink.php#L74"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3152564"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wordpress.org/plugins/share-this-image/#developers"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e72d5c7-c601-4775-a825-4786bbd1b5f0?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-601"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T09:15:03Z"
+ }
+}
\ No newline at end of file
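Review bot: The `score` in `severity` carries `UI:N`, but `details` says the redirect only works if the attacker can "successfully trick them into performing an action", which describes required user interaction. With `S:C/C:L/I:L` and no interaction the vector rates as HIGH, so the mismatch decides how this record is triaged. Check it against the CNA record; if interaction is intended, the vector would read `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` and `database_specific.severity` would need recomputing. Separately, `affected` is empty, so range-matching tooling will not surface this advisory even though `details` bounds it at version 2.03.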
diff --git a/advisories/unreviewed/2024/09/GHSA-jmwg-f97v-w7m5/GHSA-jmwg-f97v-w7m5.json b/advisories/unreviewed/2024/09/GHSA-jmwg-f97v-w7m5/GHSA-jmwg-f97v-w7m5.json
new file mode 100644
index 00000000000..b5ea0ee5b4e
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-jmwg-f97v-w7m5/GHSA-jmwg-f97v-w7m5.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jmwg-f97v-w7m5",
+ "modified": "2024-09-17T09:31:20Z",
+ "published": "2024-09-17T09:31:20Z",
+ "aliases": [
+ "CVE-2024-8490"
+ ],
+ "details": "The PropertyHive plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.19. This is due to missing or incorrect nonce validation on the 'save_account_details' function. This makes it possible for unauthenticated attackers to edit the name, email address, and password of an administrator account via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8490"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/propertyhive/tags/2.0.19/includes/class-ph-ajax.php#L1089"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/propertyhive/tags/2.0.19/includes/class-ph-ajax.php#L976"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3152548"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17c06c83-6707-4233-a1c3-ef4cdcf93982?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T08:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-vmvq-4vv4-p8f9/GHSA-vmvq-4vv4-p8f9.json b/advisories/unreviewed/2024/09/GHSA-vmvq-4vv4-p8f9/GHSA-vmvq-4vv4-p8f9.json
new file mode 100644
index 00000000000..42a7ddd0d86
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-vmvq-4vv4-p8f9/GHSA-vmvq-4vv4-p8f9.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vmvq-4vv4-p8f9",
+ "modified": "2024-09-17T09:31:20Z",
+ "published": "2024-09-17T09:31:20Z",
+ "aliases": [
+ "CVE-2024-8767"
+ ],
+ "details": "Sensitive data disclosure and manipulation due to unnecessary privileges assignment. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 619, Acronis Backup extension for Plesk (Linux) before build 555, Acronis Backup plugin for DirectAdmin (Linux) before build 147.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8767"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security-advisory.acronis.com/advisories/SEC-4976"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-250"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T09:15:03Z"
+ }
+}
\ No newline at end of file
From fa88f75b690be4bfbb8d257f96f389a9cdef5e1c Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 12:32:05 +0000 Subject: [PATCH 159/170] Publish Advisories GHSA-8q4v-68hv-v55c GHSA-7mqh-9jjg-r8c8 GHSA-f2jm-rw3h-6phg GHSA-hh55-xqjj-vxv4 GHSA-jf5x-p6mg-vvp7 --- .../GHSA-8q4v-68hv-v55c.json | 9 ++-- .../GHSA-7mqh-9jjg-r8c8.json | 11 +++-- .../GHSA-f2jm-rw3h-6phg.json | 42 +++++++++++++++++++ .../GHSA-hh55-xqjj-vxv4.json | 11 +++-- .../GHSA-jf5x-p6mg-vvp7.json | 11 +++-- 5 files changed, 69 insertions(+), 15 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-f2jm-rw3h-6phg/GHSA-f2jm-rw3h-6phg.json diff --git a/advisories/unreviewed/2024/08/GHSA-8q4v-68hv-v55c/GHSA-8q4v-68hv-v55c.json b/advisories/unreviewed/2024/08/GHSA-8q4v-68hv-v55c/GHSA-8q4v-68hv-v55c.json index 180b38704d0..1bbc0ae56cf 100644 --- a/advisories/unreviewed/2024/08/GHSA-8q4v-68hv-v55c/GHSA-8q4v-68hv-v55c.json +++ b/advisories/unreviewed/2024/08/GHSA-8q4v-68hv-v55c/GHSA-8q4v-68hv-v55c.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-8q4v-68hv-v55c", - "modified": "2024-08-31T09:30:43Z", + "modified": "2024-09-17T12:30:32Z", "published": "2024-08-31T09:30:43Z", "aliases": [ "CVE-2024-44945" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink: Initialise extack before use in ACKs\n\nAdd missing extack initialisation when ACKing BATCH_BEGIN and BATCH_END.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -31,7 +34,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-08-31T07:15:03Z" diff --git a/advisories/unreviewed/2024/09/GHSA-7mqh-9jjg-r8c8/GHSA-7mqh-9jjg-r8c8.json b/advisories/unreviewed/2024/09/GHSA-7mqh-9jjg-r8c8/GHSA-7mqh-9jjg-r8c8.json index a6e7630b7f9..7a2c8597e7e 100644 
--- a/advisories/unreviewed/2024/09/GHSA-7mqh-9jjg-r8c8/GHSA-7mqh-9jjg-r8c8.json +++ b/advisories/unreviewed/2024/09/GHSA-7mqh-9jjg-r8c8/GHSA-7mqh-9jjg-r8c8.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7mqh-9jjg-r8c8", - "modified": "2024-09-16T14:37:28Z", + "modified": "2024-09-17T12:30:32Z", "published": "2024-09-16T14:37:28Z", "aliases": [ "CVE-2024-46451" ], "details": "TOTOLINK AC1200 T8 v4.1.5cu.861_B20230220 has a buffer overflow vulnerability in the setWiFiAclRules function via the desc parameter.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-120" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-16T13:15:10Z" diff --git a/advisories/unreviewed/2024/09/GHSA-f2jm-rw3h-6phg/GHSA-f2jm-rw3h-6phg.json b/advisories/unreviewed/2024/09/GHSA-f2jm-rw3h-6phg/GHSA-f2jm-rw3h-6phg.json new file mode 100644 index 00000000000..e234de8beae --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-f2jm-rw3h-6phg/GHSA-f2jm-rw3h-6phg.json 
@@ -0,0 +1,42 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f2jm-rw3h-6phg",
+ "modified": "2024-09-17T12:30:32Z",
+ "published": "2024-09-17T12:30:32Z",
+ "aliases": [
+ "CVE-2024-5998"
+ ],
+ "details": "A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5998"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://huntr.com/bounties/fa3a2753-57c3-4e08-a176-d7a3ffda28fe"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T12:15:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-hh55-xqjj-vxv4/GHSA-hh55-xqjj-vxv4.json b/advisories/unreviewed/2024/09/GHSA-hh55-xqjj-vxv4/GHSA-hh55-xqjj-vxv4.json
index 96fa273630f..dcf8a5dd068 100644
--- a/advisories/unreviewed/2024/09/GHSA-hh55-xqjj-vxv4/GHSA-hh55-xqjj-vxv4.json
+++ b/advisories/unreviewed/2024/09/GHSA-hh55-xqjj-vxv4/GHSA-hh55-xqjj-vxv4.json
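Review bot: This note is on the new GHSA-f2jm-rw3h-6phg record, whose `affected` array is empty and whose `details` names the scope only as "the latest version of the product". Package-range matching therefore cannot link the advisory to any installed release, even though a fix commit is listed under `references`. When the record is reviewed, `affected` should carry the package and a `fixed` event derived from that commit. The `score` also uses `AV:P` with `database_specific.severity` of `MODERATE`, which sits oddly with a description of pickle deserialization leading to command execution. Confirm the vector against the CNA record so triage does not under-rank CWE-502 here.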
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hh55-xqjj-vxv4", - "modified": "2024-09-16T14:37:28Z", + "modified": "2024-09-17T12:30:32Z", "published": "2024-09-16T14:37:28Z", "aliases": [ "CVE-2024-46424" ], "details": "TOTOLINK AC1200 T8 v4.1.5cu.861_B20230220 has a buffer overflow vulnerability in the UploadCustomModule function, which allows attackers to cause a Denial of Service (DoS) via the File parameter.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-120" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-16T13:15:10Z" diff --git a/advisories/unreviewed/2024/09/GHSA-jf5x-p6mg-vvp7/GHSA-jf5x-p6mg-vvp7.json b/advisories/unreviewed/2024/09/GHSA-jf5x-p6mg-vvp7/GHSA-jf5x-p6mg-vvp7.json index ba7813fb630..27be5abf85b 100644 --- a/advisories/unreviewed/2024/09/GHSA-jf5x-p6mg-vvp7/GHSA-jf5x-p6mg-vvp7.json +++ b/advisories/unreviewed/2024/09/GHSA-jf5x-p6mg-vvp7/GHSA-jf5x-p6mg-vvp7.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-jf5x-p6mg-vvp7", - "modified": "2024-09-16T14:37:29Z", + "modified": "2024-09-17T12:30:32Z", "published": "2024-09-16T14:37:28Z", "aliases": [ "CVE-2024-46419" ], "details": "TOTOLINK AC1200 T8 v4.1.5cu.861_B20230220 has a buffer overflow vulnerability in the setWizardCfg function via the ssid5g parameter.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } ], "affected": [ @@ -25,9 +28,9 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-120" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-16T14:15:13Z" From 83bbe043d5be63883f6fe79ee4a792f24bbd0663 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 13:09:41 +0000 Subject: [PATCH 160/170] Publish GHSA-w97f-w3hq-36g2 --- .../GHSA-w97f-w3hq-36g2/GHSA-w97f-w3hq-36g2.json | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2024/09/GHSA-w97f-w3hq-36g2/GHSA-w97f-w3hq-36g2.json b/advisories/github-reviewed/2024/09/GHSA-w97f-w3hq-36g2/GHSA-w97f-w3hq-36g2.json index 56c891b5fdd..5024d7aa2a1 100644 --- a/advisories/github-reviewed/2024/09/GHSA-w97f-w3hq-36g2/GHSA-w97f-w3hq-36g2.json +++ b/advisories/github-reviewed/2024/09/GHSA-w97f-w3hq-36g2/GHSA-w97f-w3hq-36g2.json @@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-w97f-w3hq-36g2", - "modified": "2024-09-10T19:41:54Z", + "modified": "2024-09-17T13:08:08Z", "published": "2024-09-10T18:30:44Z", "aliases": [ "CVE-2023-6841" ], "summary": "Keycloak Denial of Service vulnerability", - "details": "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.", + "details": "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited, an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. The issue is fixed in Keycloak 24 with the introduction of the User Profile feature.", "severity": [ { "type": "CVSS_V3", @@ -32,7 +32,7 @@ "introduced": "0" }, { - "last_affected": "25.0.5" + "fixed": "24.0.0" } ] } @@ -44,6 +44,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6841" }, + { + "type": "WEB", + "url": "https://github.com/keycloak/keycloak/issues/32837" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2023-6841" 
@@ -55,6 +59,10 @@ { "type": "PACKAGE", "url": "https://github.com/keycloak/keycloak" + }, + { + "type": "WEB", + "url": "https://github.com/keycloak/keycloak/releases/tag/24.0.0" } ], "database_specific": { From 026db6fdd173fce6bf03b41e8bba2ded7c45fe98 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 15:00:06 +0000 Subject: [PATCH 161/170] Publish Advisories GHSA-2xpq-xp6c-5mgj GHSA-4p75-5p53-65m9 GHSA-vm6r-j788-hjh5 --- .../GHSA-2xpq-xp6c-5mgj.json | 115 ++++++++++++++++++ .../GHSA-4p75-5p53-65m9.json | 69 +++++++++++ .../GHSA-vm6r-j788-hjh5.json | 115 ++++++++++++++++++ 3 files changed, 299 insertions(+) create mode 100644 advisories/github-reviewed/2024/09/GHSA-2xpq-xp6c-5mgj/GHSA-2xpq-xp6c-5mgj.json create mode 100644 advisories/github-reviewed/2024/09/GHSA-4p75-5p53-65m9/GHSA-4p75-5p53-65m9.json create mode 100644 advisories/github-reviewed/2024/09/GHSA-vm6r-j788-hjh5/GHSA-vm6r-j788-hjh5.json diff --git a/advisories/github-reviewed/2024/09/GHSA-2xpq-xp6c-5mgj/GHSA-2xpq-xp6c-5mgj.json b/advisories/github-reviewed/2024/09/GHSA-2xpq-xp6c-5mgj/GHSA-2xpq-xp6c-5mgj.json new file mode 100644 index 00000000000..12c9533455e --- /dev/null +++ b/advisories/github-reviewed/2024/09/GHSA-2xpq-xp6c-5mgj/GHSA-2xpq-xp6c-5mgj.json 
@@ -0,0 +1,115 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2xpq-xp6c-5mgj", + "modified": "2024-09-17T14:59:02Z", + "published": "2024-09-17T14:59:02Z", + "aliases": [ + "CVE-2024-45612" + ], + "summary": "Contao affected by insert tag injection via canonical URL", + "details": "### Impact\n\nIt is possible to inject insert tags in canonical URLs which will be replaced when the page is rendered.\n\n### Patches\n\nUpdate to Contao 4.13.49, 5.3.15 or 5.4.3.\n\n### Workarounds\n\nDisable canonical tags in the settings of the website root page.\n\n### References\n\nhttps://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "contao/core-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.13.0" + }, + { + "fixed": "4.13.49" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/core-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0" + }, + { + "fixed": "5.3.15" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/core-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.4.0" + }, + { + "fixed": "5.4.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj" + }, + { + "type": "WEB", + "url": "https://github.com/contao/contao/commit/1c28e9ac7a7b915134962a59681a8701a44ccbe2" + }, + { + "type": "WEB", + "url": 
"https://github.com/contao/contao/commit/d105224e14ddc84f27cd8802b553369decdcbe66" + }, + { + "type": "WEB", + "url": "https://github.com/contao/contao/commit/ffe05cda5310dc2bd259d1391197f3849dab8590" + }, + { + "type": "WEB", + "url": "https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls" + }, + { + "type": "PACKAGE", + "url": "https://github.com/contao/contao" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-09-17T14:59:02Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/09/GHSA-4p75-5p53-65m9/GHSA-4p75-5p53-65m9.json b/advisories/github-reviewed/2024/09/GHSA-4p75-5p53-65m9/GHSA-4p75-5p53-65m9.json new file mode 100644 index 00000000000..86c4266f5ee --- /dev/null +++ b/advisories/github-reviewed/2024/09/GHSA-4p75-5p53-65m9/GHSA-4p75-5p53-65m9.json 
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4p75-5p53-65m9",
+ "modified": "2024-09-17T14:58:45Z",
+ "published": "2024-09-17T14:58:45Z",
+ "aliases": [
+ "CVE-2024-45604"
+ ],
+ "summary": "Contao affected by directory traversal in the file selector widget",
+ "details": "### Impact\n\nBack end users can list files outside their file mounts or the document root in the FileSelector widget.\n\n### Patches\n\nUpdate to Contao 4.13.49.\n\n### Workarounds\n\nNone.\n\n### References\n\nhttps://contao.org/en/security-advisories/directory-traversal-in-the-fileselector-widget\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).\n\n### Credits\n\nThanks to Jakob Steeg from usd AG for reporting this vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "contao/core-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.13.49"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/security/advisories/GHSA-4p75-5p53-65m9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/contao/contao/commit/63409c6bdfd95197d9906e229d765b630d45742e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://contao.org/en/security-advisories/directory-traversal-in-the-fileselector-widget"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/contao/contao"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-09-17T14:58:45Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/09/GHSA-vm6r-j788-hjh5/GHSA-vm6r-j788-hjh5.json b/advisories/github-reviewed/2024/09/GHSA-vm6r-j788-hjh5/GHSA-vm6r-j788-hjh5.json new file mode 100644 index 00000000000..ee0742367d1 --- /dev/null +++ b/advisories/github-reviewed/2024/09/GHSA-vm6r-j788-hjh5/GHSA-vm6r-j788-hjh5.json 
@@ -0,0 +1,115 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vm6r-j788-hjh5", + "modified": "2024-09-17T14:58:35Z", + "published": "2024-09-17T14:58:35Z", + "aliases": [ + "CVE-2024-45398" + ], + "summary": "Contao affected by remote command execution through file upload", + "details": "### Impact\n\nBack end users with access to the file manager can upload malicious files and execute them on the server.\n\n### Patches\n\nUpdate to Contao 4.13.49, 5.3.15 or 5.4.3.\n\n### Workarounds\n\nConfigure your web server so it does not execute PHP files and other scripts in the Contao file upload directory.\n\n### References\n\nhttps://contao.org/en/security-advisories/remote-command-execution-through-file-uploads\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).\n\n### Credits\n\nThanks to Jakob Steeg from usd AG for reporting this vulnerability.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "contao/core-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.13.49" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/core-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0" + }, + { + "fixed": "5.3.15" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Packagist", + "name": "contao/core-bundle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.4.0" + }, + { + "fixed": "5.4.3" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/contao/contao/security/advisories/GHSA-vm6r-j788-hjh5" + }, + { + 
"type": "WEB", + "url": "https://github.com/contao/contao/commit/9445d509f12a7f1b68a4794dcc5e3e459b363ebb" + }, + { + "type": "WEB", + "url": "https://github.com/contao/contao/commit/a7e39f96ac8fdc281f7caaa96e01deb0e24ac7d3" + }, + { + "type": "WEB", + "url": "https://github.com/contao/contao/commit/f3db59ffe5a6c0e1f705b3230ebd5ff16865280e" + }, + { + "type": "WEB", + "url": "https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads" + }, + { + "type": "PACKAGE", + "url": "https://github.com/contao/contao" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-434" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-09-17T14:58:35Z", + "nvd_published_at": null + } +} \ No newline at end of file From f91565f80eff556832383e978ebcf305f9edd371 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 15:05:29 +0000 Subject: [PATCH 162/170] Publish GHSA-7wph-fc4w-wqp2 --- .../GHSA-7wph-fc4w-wqp2.json | 45 ++++++++----------- 1 file changed, 18 insertions(+), 27 deletions(-) diff --git a/advisories/github-reviewed/2018/07/GHSA-7wph-fc4w-wqp2/GHSA-7wph-fc4w-wqp2.json b/advisories/github-reviewed/2018/07/GHSA-7wph-fc4w-wqp2/GHSA-7wph-fc4w-wqp2.json index de2e524d60e..920d4d478ed 100644 --- a/advisories/github-reviewed/2018/07/GHSA-7wph-fc4w-wqp2/GHSA-7wph-fc4w-wqp2.json +++ b/advisories/github-reviewed/2018/07/GHSA-7wph-fc4w-wqp2/GHSA-7wph-fc4w-wqp2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7wph-fc4w-wqp2", - "modified": "2024-05-21T20:19:56Z", + "modified": "2024-09-17T15:03:58Z", "published": "2018-07-23T19:51:59Z", "aliases": [ "CVE-2010-4535" 
@@ -9,7 +9,14 @@ "summary": "Improper date handling in Django", "details": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" + } ], "affected": [ { @@ -41,7 +48,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.2.0" + "introduced": "1.2" }, { "fixed": "1.2.4" @@ -76,6 +83,14 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-9.yaml" + }, + { + "type": "WEB", + "url": "https://web.archive.org/web/20200228193349/http://www.securityfocus.com/bid/45563" + }, { "type": "WEB", "url": "http://code.djangoproject.com/changeset/15032" @@ -88,18 +103,6 @@ "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html" }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/42715" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/42827" - }, - { - "type": "WEB", - "url": "http://secunia.com/advisories/42913" - }, { "type": "WEB", "url": "http://www.djangoproject.com/weblog/2010/dec/22/security" 
@@ -112,21 +115,9 @@ "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2011/01/03/5" }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/45563" - }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-1040-1" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2011/0048" - }, - { - "type": "WEB", - "url": "http://www.vupen.com/english/advisories/2011/0098" } ], "database_specific": { From 4ddeb67ce74bc1612e22cd3565790eb5426f0759 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 15:08:02 +0000 Subject: [PATCH 163/170] Publish GHSA-5hg3-6c2f-f3wr --- .../GHSA-5hg3-6c2f-f3wr.json | 50 +++++++++++-------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/advisories/github-reviewed/2018/10/GHSA-5hg3-6c2f-f3wr/GHSA-5hg3-6c2f-f3wr.json b/advisories/github-reviewed/2018/10/GHSA-5hg3-6c2f-f3wr/GHSA-5hg3-6c2f-f3wr.json index ae9f258b49a..5e21faa54f5 100644 --- a/advisories/github-reviewed/2018/10/GHSA-5hg3-6c2f-f3wr/GHSA-5hg3-6c2f-f3wr.json +++ b/advisories/github-reviewed/2018/10/GHSA-5hg3-6c2f-f3wr/GHSA-5hg3-6c2f-f3wr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5hg3-6c2f-f3wr", - "modified": "2024-05-07T20:42:24Z", + "modified": "2024-09-17T15:06:31Z", "published": "2018-10-04T21:58:46Z", "aliases": [ "CVE-2018-14574" @@ -12,32 +12,17 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.11.0" - }, - { - "fixed": "1.11.15" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { 
@@ -52,6 +37,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "PyPI", + "name": "Django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.11" + }, + { + "fixed": "1.11.15" + } + ] + } + ] } ], "references": [ @@ -79,6 +83,10 @@ "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-5hg3-6c2f-f3wr" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-2.yaml" + }, { "type": "WEB", "url": "https://usn.ubuntu.com/3726-1" From 0cad1da748b6bde1f497d664aa4eb2decc7ee588 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 15:10:07 +0000 Subject: [PATCH 164/170] Publish Advisories GHSA-2f9x-5v75-3qv4 GHSA-pgxh-wfw4-jx2v --- .../GHSA-2f9x-5v75-3qv4.json | 20 ++++++++----- .../GHSA-pgxh-wfw4-jx2v.json | 29 +++++++++++++------ 2 files changed, 32 insertions(+), 17 deletions(-) diff --git a/advisories/github-reviewed/2019/01/GHSA-2f9x-5v75-3qv4/GHSA-2f9x-5v75-3qv4.json b/advisories/github-reviewed/2019/01/GHSA-2f9x-5v75-3qv4/GHSA-2f9x-5v75-3qv4.json index 27684e54e57..0aeaac6f5c2 100644 --- a/advisories/github-reviewed/2019/01/GHSA-2f9x-5v75-3qv4/GHSA-2f9x-5v75-3qv4.json +++ b/advisories/github-reviewed/2019/01/GHSA-2f9x-5v75-3qv4/GHSA-2f9x-5v75-3qv4.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2f9x-5v75-3qv4", - "modified": "2024-03-07T22:57:21Z", + "modified": "2024-09-17T15:09:40Z", "published": "2019-01-04T17:50:00Z", "aliases": [ "CVE-2018-7537" @@ -12,13 +12,17 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -37,7 +41,7 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { 
@@ -56,7 +60,7 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -106,6 +110,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-6.yaml" + }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html" @@ -121,10 +129,6 @@ { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases" - }, - { - "type": "WEB", - "url": "http://www.securityfocus.com/bid/103357" } ], "database_specific": { diff --git a/advisories/github-reviewed/2022/05/GHSA-pgxh-wfw4-jx2v/GHSA-pgxh-wfw4-jx2v.json b/advisories/github-reviewed/2022/05/GHSA-pgxh-wfw4-jx2v/GHSA-pgxh-wfw4-jx2v.json index 8a69aab0f38..6d9e1f1ef47 100644 --- a/advisories/github-reviewed/2022/05/GHSA-pgxh-wfw4-jx2v/GHSA-pgxh-wfw4-jx2v.json +++ b/advisories/github-reviewed/2022/05/GHSA-pgxh-wfw4-jx2v/GHSA-pgxh-wfw4-jx2v.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pgxh-wfw4-jx2v", - "modified": "2024-05-08T17:38:27Z", + "modified": "2024-09-17T15:08:38Z", "published": "2022-05-17T00:36:02Z", "aliases": [ "CVE-2015-5963" 
@@ -9,13 +9,20 @@ "summary": "Django denial of service via empty session record creation", "details": "`contrib.sessions.middleware.SessionMiddleware` in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to `contrib.auth.views.logout`, which triggers the creation of an empty session record.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ecosystem_specific": { "affected_functions": [ @@ -27,7 +34,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.8.0" + "introduced": "1.8" }, { "fixed": "1.8.4" @@ -39,7 +46,7 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ecosystem_specific": { "affected_functions": [ @@ -51,7 +58,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.7.0" + "introduced": "1.7" }, { "fixed": "1.7.10" @@ -63,7 +70,7 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ecosystem_specific": { "affected_functions": [ @@ -75,7 +82,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "1.4.0" + "introduced": "1.4" }, { "fixed": "1.4.22" @@ -118,6 +125,10 @@ "type": "WEB", "url": "https://github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.8.4.txt#L9-L21" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-22.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20150904151934/http://www.securitytracker.com/id/1033318" 
@@ -169,7 +180,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-770" ], "severity": "MODERATE", "github_reviewed": true, From b57c29f8dd2f0ccd2895bf4103525974fd893e04 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 15:12:25 +0000 Subject: [PATCH 165/170] Publish GHSA-6wgp-fwfm-mxp3 --- .../GHSA-6wgp-fwfm-mxp3.json | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-6wgp-fwfm-mxp3/GHSA-6wgp-fwfm-mxp3.json b/advisories/github-reviewed/2022/05/GHSA-6wgp-fwfm-mxp3/GHSA-6wgp-fwfm-mxp3.json index a2c5ce376fd..fa2064b30e6 100644 --- a/advisories/github-reviewed/2022/05/GHSA-6wgp-fwfm-mxp3/GHSA-6wgp-fwfm-mxp3.json +++ b/advisories/github-reviewed/2022/05/GHSA-6wgp-fwfm-mxp3/GHSA-6wgp-fwfm-mxp3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6wgp-fwfm-mxp3", - "modified": "2024-05-07T14:40:05Z", + "modified": "2024-09-17T15:10:52Z", "published": "2022-05-17T03:29:56Z", "aliases": [ "CVE-2015-3982" @@ -9,7 +9,14 @@ "summary": "Django allows user sessions hijacking via an empty string in the session key", "details": "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" + } ], "affected": [ { @@ -45,6 +52,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-19.yaml" + }, { "type": "WEB", "url": "https://web.archive.org/web/20200228092138/http://www.securityfocus.com/bid/74960" 
@@ -56,7 +67,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-384" ], "severity": "MODERATE", "github_reviewed": true, From 1fccfa0fa81dbd998abb3615e47d09db2ce969b3 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 15:14:40 +0000 Subject: [PATCH 166/170] Publish GHSA-c8c8-9472-w52h --- .../05/GHSA-c8c8-9472-w52h/GHSA-c8c8-9472-w52h.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-c8c8-9472-w52h/GHSA-c8c8-9472-w52h.json b/advisories/github-reviewed/2022/05/GHSA-c8c8-9472-w52h/GHSA-c8c8-9472-w52h.json index fc37d4af3ea..3f58c29e8e2 100644 --- a/advisories/github-reviewed/2022/05/GHSA-c8c8-9472-w52h/GHSA-c8c8-9472-w52h.json +++ b/advisories/github-reviewed/2022/05/GHSA-c8c8-9472-w52h/GHSA-c8c8-9472-w52h.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-c8c8-9472-w52h", - "modified": "2024-03-07T22:46:19Z", + "modified": "2024-09-17T15:13:11Z", "published": "2022-05-14T02:46:13Z", "aliases": [ "CVE-2016-6186" @@ -12,6 +12,10 @@ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ], "affected": [ @@ -94,6 +98,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-2.yaml" + }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DMLLFAUT4J4IP4P2KI4NOVWRMHA22WUJ" From 8980c1bc3888dcacc1dfe045aa97a5c0b01feb47 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 15:16:45 +0000 Subject: [PATCH 167/170] Publish GHSA-59w8-4wm2-4xw8 --- .../GHSA-59w8-4wm2-4xw8.json | 43 ++++++++++++++++--- 1 file changed, 37 insertions(+), 6 deletions(-) diff --git a/advisories/github-reviewed/2022/05/GHSA-59w8-4wm2-4xw8/GHSA-59w8-4wm2-4xw8.json b/advisories/github-reviewed/2022/05/GHSA-59w8-4wm2-4xw8/GHSA-59w8-4wm2-4xw8.json index a1f1083a287..857a39ac5ed 100644 --- a/advisories/github-reviewed/2022/05/GHSA-59w8-4wm2-4xw8/GHSA-59w8-4wm2-4xw8.json +++ b/advisories/github-reviewed/2022/05/GHSA-59w8-4wm2-4xw8/GHSA-59w8-4wm2-4xw8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-59w8-4wm2-4xw8", - "modified": "2023-08-29T22:31:03Z", + "modified": "2024-09-17T15:14:45Z", "published": "2022-05-17T05:12:01Z", "aliases": [ "CVE-2012-3443" @@ -9,13 +9,20 @@ "summary": "Django Image Field Vulnerable to Image Decompression Bombs", "details": "The `django.forms.ImageField` class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" + } ], "affected": [ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { @@ -34,14 +41,14 @@ { "package": { "ecosystem": "PyPI", - "name": "django" + "name": "Django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "1.4.0" + "introduced": "1.4" }, { "fixed": "1.4.1" 
@@ -68,6 +75,10 @@ "type": "PACKAGE", "url": "https://github.com/django/django" }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2012-3.yaml" + }, { "type": "WEB", "url": "https://www.debian.org/security/2012/dsa-2529" @@ -91,6 +102,26 @@ { "type": "WEB", "url": "https://www.ubuntu.com/usn/USN-1560-1" + }, + { + "type": "WEB", + "url": "http://www.debian.org/security/2012/dsa-2529" + }, + { + "type": "WEB", + "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:143" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2012/07/31/1" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2012/07/31/2" + }, + { + "type": "WEB", + "url": "http://www.ubuntu.com/usn/USN-1560-1" } ], "database_specific": { @@ -98,7 +129,7 @@ "CWE-20", "CWE-400" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-08-29T22:31:03Z", "nvd_published_at": "2012-07-31T17:55:00Z" From 0ae14ebdbf218de6aebdd34448e71a97df1b1e79 Mon Sep 17 00:00:00 2001 
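Review bot: Two of the five references added in the `@@ -91,6 +102,26 @@` hunk duplicate entries the file already has over HTTPS: `http://www.debian.org/security/2012/dsa-2529` and `http://www.ubuntu.com/usn/USN-1560-1` differ from the existing context entries only in scheme. Anything that de-duplicates references by exact URL will keep both, and the plain-HTTP copies are the ones readers may follow. Drop those two entries and, where the host serves it, record the remaining ones with `https://`, e.g. `"url": "https://www.openwall.com/lists/oss-security/2012/07/31/1"`.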
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 15:32:55 +0000 Subject: [PATCH 168/170] Advisory Database Sync --- .../GHSA-pm8r-m739-j4wf.json | 2 +- .../GHSA-3cch-g7r8-54q2.json | 2 +- .../GHSA-428f-47px-r24v.json | 2 +- .../GHSA-442h-g8gm-9284.json | 2 +- .../GHSA-462r-849p-cx7c.json | 2 +- .../GHSA-5gpr-3236-xvjx.json | 2 +- .../GHSA-5x38-7r9g-7mr7.json | 2 +- .../GHSA-62hx-77pf-xr46.json | 2 +- .../GHSA-7h2f-j5w7-xp8c.json | 2 +- .../GHSA-868v-4v5r-xmhh.json | 2 +- .../GHSA-9j5c-cgmx-gr22.json | 2 +- .../GHSA-9v45-q2j7-r89w.json | 2 +- .../GHSA-f8x3-c29w-wfmj.json | 2 +- .../GHSA-mvqh-rjw3-3ppc.json | 2 +- .../GHSA-p48h-3fvq-h2c5.json | 2 +- .../GHSA-q869-5pvh-pxg9.json | 2 +- .../GHSA-r23h-h8pw-fc6p.json | 2 +- .../GHSA-v5c9-q3g2-rw6f.json | 2 +- .../GHSA-v87v-fqxx-3fpf.json | 2 +- .../GHSA-xq64-r3j5-hcfg.json | 2 +- .../GHSA-59mr-825p-2g28.json | 2 +- .../GHSA-3g8h-47mp-4839.json | 2 +- .../GHSA-3pc3-vcqg-prf6.json | 2 +- .../GHSA-gch4-6c9x-v2fr.json | 6 ++- .../GHSA-hf94-2x3f-x6rc.json | 6 ++- .../GHSA-xrcw-9q57-9frw.json | 6 ++- .../GHSA-2rr2-57v3-7cvx.json | 38 ++++++++++++++++++ .../GHSA-62pp-53wf-pprq.json | 38 ++++++++++++++++++ .../GHSA-653g-mc33-gq3r.json | 9 +++-- .../GHSA-67qp-fprc-rhx4.json | 35 +++++++++++++++++ .../GHSA-6rgh-r6j3-3223.json | 35 +++++++++++++++++ .../GHSA-7v6r-jgcw-v2j9.json | 11 ++++-- .../GHSA-83j8-7m3h-36p8.json | 38 ++++++++++++++++++ .../GHSA-9rm6-368p-665h.json | 38 ++++++++++++++++++ .../GHSA-c5v7-54mg-82m2.json | 38 ++++++++++++++++++ .../GHSA-cwj6-8v2q-g52w.json | 35 +++++++++++++++++ .../GHSA-fvjr-4pf9-7pjq.json | 6 ++- .../GHSA-hj65-9wfc-jmf4.json | 39 +++++++++++++++++++ .../GHSA-j6v2-m8w2-27f8.json | 2 +- .../GHSA-q25c-r482-77p9.json | 35 +++++++++++++++++ .../GHSA-wjg2-c55h-phf5.json | 9 +++-- 41 files changed, 432 insertions(+), 38 deletions(-) create mode 100644 advisories/unreviewed/2024/09/GHSA-2rr2-57v3-7cvx/GHSA-2rr2-57v3-7cvx.json create mode 
100644 advisories/unreviewed/2024/09/GHSA-62pp-53wf-pprq/GHSA-62pp-53wf-pprq.json create mode 100644 advisories/unreviewed/2024/09/GHSA-67qp-fprc-rhx4/GHSA-67qp-fprc-rhx4.json create mode 100644 advisories/unreviewed/2024/09/GHSA-6rgh-r6j3-3223/GHSA-6rgh-r6j3-3223.json create mode 100644 advisories/unreviewed/2024/09/GHSA-83j8-7m3h-36p8/GHSA-83j8-7m3h-36p8.json create mode 100644 advisories/unreviewed/2024/09/GHSA-9rm6-368p-665h/GHSA-9rm6-368p-665h.json create mode 100644 advisories/unreviewed/2024/09/GHSA-c5v7-54mg-82m2/GHSA-c5v7-54mg-82m2.json create mode 100644 advisories/unreviewed/2024/09/GHSA-cwj6-8v2q-g52w/GHSA-cwj6-8v2q-g52w.json create mode 100644 advisories/unreviewed/2024/09/GHSA-hj65-9wfc-jmf4/GHSA-hj65-9wfc-jmf4.json create mode 100644 advisories/unreviewed/2024/09/GHSA-q25c-r482-77p9/GHSA-q25c-r482-77p9.json diff --git a/advisories/unreviewed/2022/10/GHSA-pm8r-m739-j4wf/GHSA-pm8r-m739-j4wf.json b/advisories/unreviewed/2022/10/GHSA-pm8r-m739-j4wf/GHSA-pm8r-m739-j4wf.json index 3f6c51d9ab7..4194ce125e3 100644 --- a/advisories/unreviewed/2022/10/GHSA-pm8r-m739-j4wf/GHSA-pm8r-m739-j4wf.json +++ b/advisories/unreviewed/2022/10/GHSA-pm8r-m739-j4wf/GHSA-pm8r-m739-j4wf.json @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-306" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-3cch-g7r8-54q2/GHSA-3cch-g7r8-54q2.json b/advisories/unreviewed/2023/01/GHSA-3cch-g7r8-54q2/GHSA-3cch-g7r8-54q2.json index c69a2cce8d8..2adc038d3f9 100644 --- a/advisories/unreviewed/2023/01/GHSA-3cch-g7r8-54q2/GHSA-3cch-g7r8-54q2.json +++ b/advisories/unreviewed/2023/01/GHSA-3cch-g7r8-54q2/GHSA-3cch-g7r8-54q2.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-400" ], "severity": "HIGH", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2023/01/GHSA-428f-47px-r24v/GHSA-428f-47px-r24v.json b/advisories/unreviewed/2023/01/GHSA-428f-47px-r24v/GHSA-428f-47px-r24v.json index d1ee151b0b6..e2f760c162a 100644 --- a/advisories/unreviewed/2023/01/GHSA-428f-47px-r24v/GHSA-428f-47px-r24v.json +++ b/advisories/unreviewed/2023/01/GHSA-428f-47px-r24v/GHSA-428f-47px-r24v.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-442h-g8gm-9284/GHSA-442h-g8gm-9284.json b/advisories/unreviewed/2023/01/GHSA-442h-g8gm-9284/GHSA-442h-g8gm-9284.json index a5c50c325bc..477ab7e29fe 100644 --- a/advisories/unreviewed/2023/01/GHSA-442h-g8gm-9284/GHSA-442h-g8gm-9284.json +++ b/advisories/unreviewed/2023/01/GHSA-442h-g8gm-9284/GHSA-442h-g8gm-9284.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-462r-849p-cx7c/GHSA-462r-849p-cx7c.json b/advisories/unreviewed/2023/01/GHSA-462r-849p-cx7c/GHSA-462r-849p-cx7c.json index b35c1d1f3e5..eb0dbf07a19 100644 --- a/advisories/unreviewed/2023/01/GHSA-462r-849p-cx7c/GHSA-462r-849p-cx7c.json +++ b/advisories/unreviewed/2023/01/GHSA-462r-849p-cx7c/GHSA-462r-849p-cx7c.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-306" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-5gpr-3236-xvjx/GHSA-5gpr-3236-xvjx.json b/advisories/unreviewed/2023/01/GHSA-5gpr-3236-xvjx/GHSA-5gpr-3236-xvjx.json index 9bb0a85ee56..9ec5451bfca 100644 --- a/advisories/unreviewed/2023/01/GHSA-5gpr-3236-xvjx/GHSA-5gpr-3236-xvjx.json +++ b/advisories/unreviewed/2023/01/GHSA-5gpr-3236-xvjx/GHSA-5gpr-3236-xvjx.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-306" ], "severity": "HIGH", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2023/01/GHSA-5x38-7r9g-7mr7/GHSA-5x38-7r9g-7mr7.json b/advisories/unreviewed/2023/01/GHSA-5x38-7r9g-7mr7/GHSA-5x38-7r9g-7mr7.json index d5e4f0c6861..931349a34cc 100644 --- a/advisories/unreviewed/2023/01/GHSA-5x38-7r9g-7mr7/GHSA-5x38-7r9g-7mr7.json +++ b/advisories/unreviewed/2023/01/GHSA-5x38-7r9g-7mr7/GHSA-5x38-7r9g-7mr7.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-62hx-77pf-xr46/GHSA-62hx-77pf-xr46.json b/advisories/unreviewed/2023/01/GHSA-62hx-77pf-xr46/GHSA-62hx-77pf-xr46.json index 75002a0a531..13ce0d408cf 100644 --- a/advisories/unreviewed/2023/01/GHSA-62hx-77pf-xr46/GHSA-62hx-77pf-xr46.json +++ b/advisories/unreviewed/2023/01/GHSA-62hx-77pf-xr46/GHSA-62hx-77pf-xr46.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-7h2f-j5w7-xp8c/GHSA-7h2f-j5w7-xp8c.json b/advisories/unreviewed/2023/01/GHSA-7h2f-j5w7-xp8c/GHSA-7h2f-j5w7-xp8c.json index d0210ac874e..dc7e72a54cb 100644 --- a/advisories/unreviewed/2023/01/GHSA-7h2f-j5w7-xp8c/GHSA-7h2f-j5w7-xp8c.json +++ b/advisories/unreviewed/2023/01/GHSA-7h2f-j5w7-xp8c/GHSA-7h2f-j5w7-xp8c.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-868v-4v5r-xmhh/GHSA-868v-4v5r-xmhh.json b/advisories/unreviewed/2023/01/GHSA-868v-4v5r-xmhh/GHSA-868v-4v5r-xmhh.json index f58c1649a2c..2ec43aecf0a 100644 --- a/advisories/unreviewed/2023/01/GHSA-868v-4v5r-xmhh/GHSA-868v-4v5r-xmhh.json +++ b/advisories/unreviewed/2023/01/GHSA-868v-4v5r-xmhh/GHSA-868v-4v5r-xmhh.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2023/01/GHSA-9j5c-cgmx-gr22/GHSA-9j5c-cgmx-gr22.json b/advisories/unreviewed/2023/01/GHSA-9j5c-cgmx-gr22/GHSA-9j5c-cgmx-gr22.json index 18894c5ba52..0b166273737 100644 --- a/advisories/unreviewed/2023/01/GHSA-9j5c-cgmx-gr22/GHSA-9j5c-cgmx-gr22.json +++ b/advisories/unreviewed/2023/01/GHSA-9j5c-cgmx-gr22/GHSA-9j5c-cgmx-gr22.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-269" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-9v45-q2j7-r89w/GHSA-9v45-q2j7-r89w.json b/advisories/unreviewed/2023/01/GHSA-9v45-q2j7-r89w/GHSA-9v45-q2j7-r89w.json index 9f67596a139..d5325d9c1b3 100644 --- a/advisories/unreviewed/2023/01/GHSA-9v45-q2j7-r89w/GHSA-9v45-q2j7-r89w.json +++ b/advisories/unreviewed/2023/01/GHSA-9v45-q2j7-r89w/GHSA-9v45-q2j7-r89w.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-611" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-f8x3-c29w-wfmj/GHSA-f8x3-c29w-wfmj.json b/advisories/unreviewed/2023/01/GHSA-f8x3-c29w-wfmj/GHSA-f8x3-c29w-wfmj.json index 39cf4179d3c..f393a7f3d9c 100644 --- a/advisories/unreviewed/2023/01/GHSA-f8x3-c29w-wfmj/GHSA-f8x3-c29w-wfmj.json +++ b/advisories/unreviewed/2023/01/GHSA-f8x3-c29w-wfmj/GHSA-f8x3-c29w-wfmj.json @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-306" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-mvqh-rjw3-3ppc/GHSA-mvqh-rjw3-3ppc.json b/advisories/unreviewed/2023/01/GHSA-mvqh-rjw3-3ppc/GHSA-mvqh-rjw3-3ppc.json index 1aefaf3febe..f01dd2edf7a 100644 --- a/advisories/unreviewed/2023/01/GHSA-mvqh-rjw3-3ppc/GHSA-mvqh-rjw3-3ppc.json +++ b/advisories/unreviewed/2023/01/GHSA-mvqh-rjw3-3ppc/GHSA-mvqh-rjw3-3ppc.json @@ -32,7 +32,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-94" ], "severity": "HIGH", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2023/01/GHSA-p48h-3fvq-h2c5/GHSA-p48h-3fvq-h2c5.json b/advisories/unreviewed/2023/01/GHSA-p48h-3fvq-h2c5/GHSA-p48h-3fvq-h2c5.json index 0e603c53bb2..ff08dc0d18d 100644 --- a/advisories/unreviewed/2023/01/GHSA-p48h-3fvq-h2c5/GHSA-p48h-3fvq-h2c5.json +++ b/advisories/unreviewed/2023/01/GHSA-p48h-3fvq-h2c5/GHSA-p48h-3fvq-h2c5.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-q869-5pvh-pxg9/GHSA-q869-5pvh-pxg9.json b/advisories/unreviewed/2023/01/GHSA-q869-5pvh-pxg9/GHSA-q869-5pvh-pxg9.json index 1857f932955..7938c64c07f 100644 --- a/advisories/unreviewed/2023/01/GHSA-q869-5pvh-pxg9/GHSA-q869-5pvh-pxg9.json +++ b/advisories/unreviewed/2023/01/GHSA-q869-5pvh-pxg9/GHSA-q869-5pvh-pxg9.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-r23h-h8pw-fc6p/GHSA-r23h-h8pw-fc6p.json b/advisories/unreviewed/2023/01/GHSA-r23h-h8pw-fc6p/GHSA-r23h-h8pw-fc6p.json index 4de00abd85f..ae6f45ad0a0 100644 --- a/advisories/unreviewed/2023/01/GHSA-r23h-h8pw-fc6p/GHSA-r23h-h8pw-fc6p.json +++ b/advisories/unreviewed/2023/01/GHSA-r23h-h8pw-fc6p/GHSA-r23h-h8pw-fc6p.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-94" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-v5c9-q3g2-rw6f/GHSA-v5c9-q3g2-rw6f.json b/advisories/unreviewed/2023/01/GHSA-v5c9-q3g2-rw6f/GHSA-v5c9-q3g2-rw6f.json index ac64b7060a5..763eae15870 100644 --- a/advisories/unreviewed/2023/01/GHSA-v5c9-q3g2-rw6f/GHSA-v5c9-q3g2-rw6f.json +++ b/advisories/unreviewed/2023/01/GHSA-v5c9-q3g2-rw6f/GHSA-v5c9-q3g2-rw6f.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2023/01/GHSA-v87v-fqxx-3fpf/GHSA-v87v-fqxx-3fpf.json b/advisories/unreviewed/2023/01/GHSA-v87v-fqxx-3fpf/GHSA-v87v-fqxx-3fpf.json index 81ef0044db5..1970591a1c2 100644 --- a/advisories/unreviewed/2023/01/GHSA-v87v-fqxx-3fpf/GHSA-v87v-fqxx-3fpf.json +++ b/advisories/unreviewed/2023/01/GHSA-v87v-fqxx-3fpf/GHSA-v87v-fqxx-3fpf.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/01/GHSA-xq64-r3j5-hcfg/GHSA-xq64-r3j5-hcfg.json b/advisories/unreviewed/2023/01/GHSA-xq64-r3j5-hcfg/GHSA-xq64-r3j5-hcfg.json index ac890e9852f..da8e525371f 100644 --- a/advisories/unreviewed/2023/01/GHSA-xq64-r3j5-hcfg/GHSA-xq64-r3j5-hcfg.json +++ b/advisories/unreviewed/2023/01/GHSA-xq64-r3j5-hcfg/GHSA-xq64-r3j5-hcfg.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-287" ], "severity": "HIGH", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/10/GHSA-59mr-825p-2g28/GHSA-59mr-825p-2g28.json b/advisories/unreviewed/2023/10/GHSA-59mr-825p-2g28/GHSA-59mr-825p-2g28.json index 2f8458417a2..d2be1e5ff61 100644 --- a/advisories/unreviewed/2023/10/GHSA-59mr-825p-2g28/GHSA-59mr-825p-2g28.json +++ b/advisories/unreviewed/2023/10/GHSA-59mr-825p-2g28/GHSA-59mr-825p-2g28.json @@ -28,7 +28,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-94" ], "severity": "CRITICAL", "github_reviewed": false, diff --git a/advisories/unreviewed/2023/11/GHSA-3g8h-47mp-4839/GHSA-3g8h-47mp-4839.json b/advisories/unreviewed/2023/11/GHSA-3g8h-47mp-4839/GHSA-3g8h-47mp-4839.json index 77cd16420eb..d3d56f8ae06 100644 --- a/advisories/unreviewed/2023/11/GHSA-3g8h-47mp-4839/GHSA-3g8h-47mp-4839.json +++ b/advisories/unreviewed/2023/11/GHSA-3g8h-47mp-4839/GHSA-3g8h-47mp-4839.json @@ -40,7 +40,7 @@ ], "database_specific": { "cwe_ids": [ - + "CWE-284" ], "severity": "HIGH", "github_reviewed": false, 
diff --git a/advisories/unreviewed/2024/07/GHSA-3pc3-vcqg-prf6/GHSA-3pc3-vcqg-prf6.json b/advisories/unreviewed/2024/07/GHSA-3pc3-vcqg-prf6/GHSA-3pc3-vcqg-prf6.json index cde3127e1d8..0f9080413fc 100644 --- a/advisories/unreviewed/2024/07/GHSA-3pc3-vcqg-prf6/GHSA-3pc3-vcqg-prf6.json +++ b/advisories/unreviewed/2024/07/GHSA-3pc3-vcqg-prf6/GHSA-3pc3-vcqg-prf6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3pc3-vcqg-prf6", - "modified": "2024-07-22T21:30:40Z", + "modified": "2024-09-17T15:31:23Z", "published": "2024-07-22T21:30:40Z", "aliases": [ "CVE-2024-6793" diff --git a/advisories/unreviewed/2024/07/GHSA-gch4-6c9x-v2fr/GHSA-gch4-6c9x-v2fr.json b/advisories/unreviewed/2024/07/GHSA-gch4-6c9x-v2fr/GHSA-gch4-6c9x-v2fr.json index b188aaac133..139f2a3bd43 100644 --- a/advisories/unreviewed/2024/07/GHSA-gch4-6c9x-v2fr/GHSA-gch4-6c9x-v2fr.json +++ b/advisories/unreviewed/2024/07/GHSA-gch4-6c9x-v2fr/GHSA-gch4-6c9x-v2fr.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-gch4-6c9x-v2fr", - "modified": "2024-07-17T00:32:53Z", + "modified": "2024-09-17T15:31:23Z", "published": "2024-07-17T00:32:53Z", "aliases": [ "CVE-2024-6336" ], "details": "A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:X/U:Amber" diff --git a/advisories/unreviewed/2024/07/GHSA-hf94-2x3f-x6rc/GHSA-hf94-2x3f-x6rc.json b/advisories/unreviewed/2024/07/GHSA-hf94-2x3f-x6rc/GHSA-hf94-2x3f-x6rc.json index 5558a27b834..e6754d68027 100644 --- a/advisories/unreviewed/2024/07/GHSA-hf94-2x3f-x6rc/GHSA-hf94-2x3f-x6rc.json +++ b/advisories/unreviewed/2024/07/GHSA-hf94-2x3f-x6rc/GHSA-hf94-2x3f-x6rc.json 
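Review bot: The CVSS 3.1 vector added to GHSA-gch4-6c9x-v2fr (`PR:N/UI:N/.../C:L`) disagrees with the CVSS 4.0 vector already in the record (`UI:A/VC:H`). It also disagrees with the `details` text, which says an organization member had to change a repository's visibility explicitly. The hunk does not show which source is authoritative, so the v3.1 entry should be checked before publishing; `UI:R` would at least match the described precondition. The GHSA-xrcw-9q57-9frw hunk has a similar split: the added v3.1 vector rates `C:L/I:N` where the existing v4 vector rates `VC:N/VI:H`.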
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-hf94-2x3f-x6rc", - "modified": "2024-07-17T00:32:53Z", + "modified": "2024-09-17T15:31:23Z", "published": "2024-07-17T00:32:53Z", "aliases": [ "CVE-2024-5817" ], "details": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed read access to issue content via GitHub Projects. This was only exploitable in internal repositories and required the attacker to have access to the corresponding project board. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber" diff --git a/advisories/unreviewed/2024/07/GHSA-xrcw-9q57-9frw/GHSA-xrcw-9q57-9frw.json b/advisories/unreviewed/2024/07/GHSA-xrcw-9q57-9frw/GHSA-xrcw-9q57-9frw.json index ffff99ac211..d623bfc5a5d 100644 --- a/advisories/unreviewed/2024/07/GHSA-xrcw-9q57-9frw/GHSA-xrcw-9q57-9frw.json +++ b/advisories/unreviewed/2024/07/GHSA-xrcw-9q57-9frw/GHSA-xrcw-9q57-9frw.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-xrcw-9q57-9frw", - "modified": "2024-07-17T00:32:53Z", + "modified": "2024-09-17T15:31:23Z", "published": "2024-07-17T00:32:53Z", "aliases": [ "CVE-2024-5816" ], "details": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1. This vulnerability was reported via the GitHub Bug Bounty program.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2024/09/GHSA-2rr2-57v3-7cvx/GHSA-2rr2-57v3-7cvx.json b/advisories/unreviewed/2024/09/GHSA-2rr2-57v3-7cvx/GHSA-2rr2-57v3-7cvx.json new file mode 100644 index 00000000000..0a5a5edb8fa --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-2rr2-57v3-7cvx/GHSA-2rr2-57v3-7cvx.json 
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2rr2-57v3-7cvx", + "modified": "2024-09-17T15:31:23Z", + "published": "2024-09-17T15:31:23Z", + "aliases": [ + "CVE-2024-7873" + ], + "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Encoding or Escaping of Output, CWE - 83 Improper Neutralization of Script in Attributes in a Web Page vulnerability in Veribilim Software Veribase Order allows Stored XSS, Cross-Site Scripting (XSS), Exploit Script-Based APIs, XSS Through HTTP Headers.This issue affects Veribase Order: before v4.010.3.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7873" + }, + { + "type": "WEB", + "url": "https://www.usom.gov.tr/bildirim/tr-24-1485" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-116" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T13:15:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-62pp-53wf-pprq/GHSA-62pp-53wf-pprq.json b/advisories/unreviewed/2024/09/GHSA-62pp-53wf-pprq/GHSA-62pp-53wf-pprq.json new file mode 100644 index 00000000000..49b300e9ee3 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-62pp-53wf-pprq/GHSA-62pp-53wf-pprq.json 
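Review bot: `cwe_ids` in the new GHSA-2rr2-57v3-7cvx record lists only `"CWE-116"`, although `details` describes stored cross-site scripting and names CWE-83. Tooling that triages or filters advisories by CWE will therefore not classify this record as XSS. Add `"CWE-79"` next to `"CWE-116"` in `database_specific.cwe_ids`, so the classification matches the description.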
@@ -0,0 +1,38 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-62pp-53wf-pprq", + "modified": "2024-09-17T15:31:23Z", + "published": "2024-09-17T15:31:23Z", + "aliases": [ + "CVE-2024-7788" + ], + "details": "Improper Digital Signature Invalidation  vulnerability in Zip Repair Mode of The Document Foundation LibreOffice allows Signature forgery vulnerability in LibreOfficeThis issue affects LibreOffice: from 24.2 before < 24.2.5.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7788" + }, + { + "type": "WEB", + "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2024-7788" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-347" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T15:15:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-653g-mc33-gq3r/GHSA-653g-mc33-gq3r.json b/advisories/unreviewed/2024/09/GHSA-653g-mc33-gq3r/GHSA-653g-mc33-gq3r.json index 25bac84b78b..4a502dfd5d6 100644 --- a/advisories/unreviewed/2024/09/GHSA-653g-mc33-gq3r/GHSA-653g-mc33-gq3r.json +++ b/advisories/unreviewed/2024/09/GHSA-653g-mc33-gq3r/GHSA-653g-mc33-gq3r.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-653g-mc33-gq3r", - "modified": "2024-09-17T06:30:37Z", + "modified": "2024-09-17T15:31:23Z", "published": "2024-09-17T06:30:37Z", "aliases": [ "CVE-2024-8093" ], "details": "The Posts reminder WordPress plugin through 0.20 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" + } ], "affected": [ 
@@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-17T06:15:02Z" diff --git a/advisories/unreviewed/2024/09/GHSA-67qp-fprc-rhx4/GHSA-67qp-fprc-rhx4.json b/advisories/unreviewed/2024/09/GHSA-67qp-fprc-rhx4/GHSA-67qp-fprc-rhx4.json new file mode 100644 index 00000000000..f59b516a938 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-67qp-fprc-rhx4/GHSA-67qp-fprc-rhx4.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-67qp-fprc-rhx4", + "modified": "2024-09-17T15:31:23Z", + "published": "2024-09-17T15:31:23Z", + "aliases": [ + "CVE-2024-46362" + ], + "details": "FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/plugin/file_manager/create_directory", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46362" + }, + { + "type": "WEB", + "url": "https://github.com/ohuquq/cms/tree/main/13/readme.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T13:15:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-6rgh-r6j3-3223/GHSA-6rgh-r6j3-3223.json b/advisories/unreviewed/2024/09/GHSA-6rgh-r6j3-3223/GHSA-6rgh-r6j3-3223.json new file mode 100644 index 00000000000..db397babdb5 --- /dev/null +++ b/advisories/unreviewed/2024/09/GHSA-6rgh-r6j3-3223/GHSA-6rgh-r6j3-3223.json 
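Review bot: The `@@ -27,7 +30,7 @@` hunk of GHSA-653g-mc33-gq3r sets `"severity": "MODERATE"` but leaves `cwe_ids` empty, even though `details` states that the plugin has no CSRF check when updating its settings. Adding `"CWE-352"` to `cwe_ids` would make the record usable for CWE-based filtering. The new file GHSA-67qp-fprc-rhx4 in the next hunk also describes a CSRF issue with an empty `cwe_ids`. That record also has an empty `severity` array and `"severity": null`, so consumers get no rating for it at all.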
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6rgh-r6j3-3223", + "modified": "2024-09-17T15:31:23Z", + "published": "2024-09-17T15:31:23Z", + "aliases": [ + "CVE-2024-47049" + ], + "details": "The czim/file-handling package before 1.5.0 and 2.x before 2.3.0 (used with PHP Composer) does not properly validate URLs within makeFromUrl and makeFromAny, leading to SSRF, and to directory traversal for the reading of local files.", + "severity": [ + + ], + "affected": [ + + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47049" + }, + { + "type": "WEB", + "url": "https://github.com/czim/file-handling/blob/2.3.0/SECURITY.md" + } + ], + "database_specific": { + "cwe_ids": [ + + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2024-09-17T14:15:17Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2024/09/GHSA-7v6r-jgcw-v2j9/GHSA-7v6r-jgcw-v2j9.json b/advisories/unreviewed/2024/09/GHSA-7v6r-jgcw-v2j9/GHSA-7v6r-jgcw-v2j9.json index 883a2498358..f7493d08c65 100644 --- a/advisories/unreviewed/2024/09/GHSA-7v6r-jgcw-v2j9/GHSA-7v6r-jgcw-v2j9.json +++ b/advisories/unreviewed/2024/09/GHSA-7v6r-jgcw-v2j9/GHSA-7v6r-jgcw-v2j9.json @@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-7v6r-jgcw-v2j9", - "modified": "2024-09-16T14:37:29Z", + "modified": "2024-09-17T15:31:23Z", "published": "2024-09-16T14:37:28Z", "aliases": [ "CVE-2024-46937" ], "details": "An improper access control (IDOR) vulnerability in the /api-selfportal/get-info-token-properties endpoint in MFASOFT Secure Authentication Server (SAS) 1.8.x through 1.9.x before 1.9.040924 allows remote attackers gain access to user tokens without authentication. The is a brute-force attack on the serial parameter by number identifier: GA00001, GA00002, GA00003, etc.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + } ], "affected": [ 
@@ -29,9 +32,9 @@
 ],
 "database_specific": {
 "cwe_ids": [
-
+ "CWE-284"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2024-09-16T13:15:10Z"
diff --git a/advisories/unreviewed/2024/09/GHSA-83j8-7m3h-36p8/GHSA-83j8-7m3h-36p8.json b/advisories/unreviewed/2024/09/GHSA-83j8-7m3h-36p8/GHSA-83j8-7m3h-36p8.json
new file mode 100644
index 00000000000..5088e9dc91c
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-83j8-7m3h-36p8/GHSA-83j8-7m3h-36p8.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-83j8-7m3h-36p8",
+ "modified": "2024-09-17T15:31:23Z",
+ "published": "2024-09-17T15:31:23Z",
+ "aliases": [
+ "CVE-2024-21743"
+ ],
+ "details": "Privilege Escalation vulnerability in favethemes Houzez Login Register houzez-login-register.This issue affects Houzez Login Register: from n/a through 3.2.5.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21743"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/houzez-login-register/wordpress-houzez-login-register-plugin-3-2-5-privilege-escalation-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-266"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T14:15:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-9rm6-368p-665h/GHSA-9rm6-368p-665h.json b/advisories/unreviewed/2024/09/GHSA-9rm6-368p-665h/GHSA-9rm6-368p-665h.json
new file mode 100644
index 00000000000..c653ae1cd98
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-9rm6-368p-665h/GHSA-9rm6-368p-665h.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9rm6-368p-665h",
+ "modified": "2024-09-17T15:31:23Z",
+ "published": "2024-09-17T15:31:23Z",
+ "aliases": [
+ "CVE-2024-38860"
+ ],
+ "details": "Improper neutralization of input in Checkmk before versions 2.3.0p16 and 2.2.0p34 allows attackers to craft malicious links that can facilitate phishing attacks.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38860"
+ },
+ {
+ "type": "WEB",
+ "url": "https://checkmk.com/werk/17094"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T14:15:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-c5v7-54mg-82m2/GHSA-c5v7-54mg-82m2.json b/advisories/unreviewed/2024/09/GHSA-c5v7-54mg-82m2/GHSA-c5v7-54mg-82m2.json
new file mode 100644
index 00000000000..872857aa4e5
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-c5v7-54mg-82m2/GHSA-c5v7-54mg-82m2.json
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c5v7-54mg-82m2",
+ "modified": "2024-09-17T15:31:23Z",
+ "published": "2024-09-17T15:31:23Z",
+ "aliases": [
+ "CVE-2024-22303"
+ ],
+ "details": "Incorrect Privilege Assignment vulnerability in favethemes Houzez houzez allows Privilege Escalation.This issue affects Houzez: from n/a through 3.2.4.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22303"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/vulnerability/houzez/wordpress-houzez-theme-3-2-4-privilege-escalation-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-266"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T14:15:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-cwj6-8v2q-g52w/GHSA-cwj6-8v2q-g52w.json b/advisories/unreviewed/2024/09/GHSA-cwj6-8v2q-g52w/GHSA-cwj6-8v2q-g52w.json
new file mode 100644
index 00000000000..5fd25289602
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-cwj6-8v2q-g52w/GHSA-cwj6-8v2q-g52w.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cwj6-8v2q-g52w",
+ "modified": "2024-09-17T15:31:23Z",
+ "published": "2024-09-17T15:31:23Z",
+ "aliases": [
+ "CVE-2024-46085"
+ ],
+ "details": "FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/plugin/file_manager/rename",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46085"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/RainingSEC/cms/tree/main/11/readme.md"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T13:15:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-fvjr-4pf9-7pjq/GHSA-fvjr-4pf9-7pjq.json b/advisories/unreviewed/2024/09/GHSA-fvjr-4pf9-7pjq/GHSA-fvjr-4pf9-7pjq.json
index 0bf9dc0dd26..1bbb374d3c0 100644
--- a/advisories/unreviewed/2024/09/GHSA-fvjr-4pf9-7pjq/GHSA-fvjr-4pf9-7pjq.json
+++ b/advisories/unreviewed/2024/09/GHSA-fvjr-4pf9-7pjq/GHSA-fvjr-4pf9-7pjq.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fvjr-4pf9-7pjq",
- "modified": "2024-09-02T21:30:30Z",
+ "modified": "2024-09-17T15:31:23Z",
 "published": "2024-09-02T21:30:30Z",
 "aliases": [
 "CVE-2024-1621"
 ],
 "details": "The registration process of uniFLOW Online (NT-ware product) apps, prior to and including version 2024.1.0, can be compromised when email login is enabled on the tenant. Those tenants utilising email login in combination with Microsoft Safe Links or similar are impacted. This vulnerability may allow the attacker to register themselves against a genuine user in the system and allow malicious users with similar access and capabilities via the app to the existing genuine user.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
diff --git a/advisories/unreviewed/2024/09/GHSA-hj65-9wfc-jmf4/GHSA-hj65-9wfc-jmf4.json b/advisories/unreviewed/2024/09/GHSA-hj65-9wfc-jmf4/GHSA-hj65-9wfc-jmf4.json
new file mode 100644
index 00000000000..c41cfeab8e4
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-hj65-9wfc-jmf4/GHSA-hj65-9wfc-jmf4.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hj65-9wfc-jmf4",
+ "modified": "2024-09-17T15:31:23Z",
+ "published": "2024-09-17T15:31:23Z",
+ "aliases": [
+ "CVE-2024-8897"
+ ],
+ "details": "Under certain conditions, an attacker with the ability to redirect users to a malicious site via an open redirect on a trusted site, may be able to spoof the address bar contents. This can lead to a malicious site to appear to have the same URL as the trusted site.\n*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox for Android < 130.0.1.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8897"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1862537"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.mozilla.org/security/advisories/mfsa2024-45"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T13:15:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-j6v2-m8w2-27f8/GHSA-j6v2-m8w2-27f8.json b/advisories/unreviewed/2024/09/GHSA-j6v2-m8w2-27f8/GHSA-j6v2-m8w2-27f8.json
index fd34db8e247..ebd01283938 100644
--- a/advisories/unreviewed/2024/09/GHSA-j6v2-m8w2-27f8/GHSA-j6v2-m8w2-27f8.json
+++ b/advisories/unreviewed/2024/09/GHSA-j6v2-m8w2-27f8/GHSA-j6v2-m8w2-27f8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j6v2-m8w2-27f8",
- "modified": "2024-09-03T12:30:31Z",
+ "modified": "2024-09-17T15:31:23Z",
 "published": "2024-09-03T12:30:31Z",
 "aliases": [
 "CVE-2024-38811"
diff --git a/advisories/unreviewed/2024/09/GHSA-q25c-r482-77p9/GHSA-q25c-r482-77p9.json b/advisories/unreviewed/2024/09/GHSA-q25c-r482-77p9/GHSA-q25c-r482-77p9.json
new file mode 100644
index 00000000000..c171cd63b77
--- /dev/null
+++ b/advisories/unreviewed/2024/09/GHSA-q25c-r482-77p9/GHSA-q25c-r482-77p9.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q25c-r482-77p9",
+ "modified": "2024-09-17T15:31:23Z",
+ "published": "2024-09-17T15:31:23Z",
+ "aliases": [
+ "CVE-2024-47047"
+ ],
+ "details": "An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.",
+ "severity": [
+
+ ],
+ "affected": [
+
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47047"
+ },
+ {
+ "type": "WEB",
+ "url": "https://typo3.org/security/advisory/typo3-ext-sa-2024-007"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2024-09-17T14:15:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2024/09/GHSA-wjg2-c55h-phf5/GHSA-wjg2-c55h-phf5.json b/advisories/unreviewed/2024/09/GHSA-wjg2-c55h-phf5/GHSA-wjg2-c55h-phf5.json
index 17821f5cd58..717e45c8d0f 100644
--- a/advisories/unreviewed/2024/09/GHSA-wjg2-c55h-phf5/GHSA-wjg2-c55h-phf5.json
+++ b/advisories/unreviewed/2024/09/GHSA-wjg2-c55h-phf5/GHSA-wjg2-c55h-phf5.json
@@ -1,14 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-wjg2-c55h-phf5", - "modified": "2024-09-17T00:31:04Z", + "modified": "2024-09-17T15:31:23Z", "published": "2024-09-17T00:31:04Z", "aliases": [ "CVE-2024-40852" ], "details": "This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18 and iPadOS 18. An attacker may be able to see recent photos without authentication in Assistive Access.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } ], "affected": [ @@ -27,7 +30,7 @@ "cwe_ids": [ ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-09-17T00:15:49Z" From f35ce1813060f083e14abcfa9bb3c314e57d923a Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 15:39:34 +0000 Subject: [PATCH 169/170] Publish Advisories GHSA-f6mq-5m25-4r72 GHSA-7vhh-gfjc-x8rm --- .../06/GHSA-f6mq-5m25-4r72/GHSA-f6mq-5m25-4r72.json | 10 +++++++++- .../09/GHSA-7vhh-gfjc-x8rm/GHSA-7vhh-gfjc-x8rm.json | 6 +++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2021/06/GHSA-f6mq-5m25-4r72/GHSA-f6mq-5m25-4r72.json b/advisories/github-reviewed/2021/06/GHSA-f6mq-5m25-4r72/GHSA-f6mq-5m25-4r72.json index 2c4893a4d87..e39e9abc5f5 100644 --- a/advisories/github-reviewed/2021/06/GHSA-f6mq-5m25-4r72/GHSA-f6mq-5m25-4r72.json +++ b/advisories/github-reviewed/2021/06/GHSA-f6mq-5m25-4r72/GHSA-f6mq-5m25-4r72.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-f6mq-5m25-4r72", - "modified": "2023-08-30T00:18:26Z", + "modified": "2024-09-17T15:38:07Z", "published": "2021-06-15T16:08:16Z", "aliases": [ "CVE-2021-20329" 
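Review bot: The CVSS_V3 vector added to GHSA-wjg2-c55h-phf5 uses `AV:N`, while `details` describes options offered on a locked device, which reads as an issue that needs the device in hand rather than network reach; the `"severity": "HIGH"` set in that file's second hunk may therefore overstate exposure. I would confirm the vector against the NVD entry before it drives triage, and if physical access is in fact required the metric would be `AV:P`. `cwe_ids` also stays empty after this change even though a severity is now recorded.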
@@ -48,6 +48,10 @@
 "type": "WEB",
 "url": "https://github.com/mongodb/mongo-go-driver/commit/2aca31d5986a9e1c65a92264736de9fdc3b9b4ca"
 },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/mongodb/mongo-go-driver"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1"
@@ -55,6 +59,10 @@
 {
 "type": "WEB",
 "url": "https://jira.mongodb.org/browse/GODRIVER-1923"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2021-0112"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2024/09/GHSA-7vhh-gfjc-x8rm/GHSA-7vhh-gfjc-x8rm.json b/advisories/github-reviewed/2024/09/GHSA-7vhh-gfjc-x8rm/GHSA-7vhh-gfjc-x8rm.json
index 11b29e6bfbf..c44ca33ac82 100644
--- a/advisories/github-reviewed/2024/09/GHSA-7vhh-gfjc-x8rm/GHSA-7vhh-gfjc-x8rm.json
+++ b/advisories/github-reviewed/2024/09/GHSA-7vhh-gfjc-x8rm/GHSA-7vhh-gfjc-x8rm.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7vhh-gfjc-x8rm",
- "modified": "2024-09-12T17:38:45Z",
+ "modified": "2024-09-17T15:38:50Z",
 "published": "2024-09-12T15:33:01Z",
 "aliases": [
 "CVE-2024-45854"
@@ -52,6 +52,10 @@
 "type": "WEB",
 "url": "https://github.com/mindsdb/mindsdb/blob/v24.9.2.1/mindsdb/integrations/handlers/byom_handler/byom_handler.py#L444-L449"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-84.yaml"
+ },
 {
 "type": "WEB",
 "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
From 1509e7a6a4c6d254c8147935b003578b33745e58 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 15:41:55 +0000 Subject: [PATCH 170/170] Publish GHSA-fr9q-rgwq-g5r5 --- .../2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/advisories/github-reviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json b/advisories/github-reviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json
index 615d58528b5..3788f0b29b0 100644
--- a/advisories/github-reviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json
+++ b/advisories/github-reviewed/2024/09/GHSA-fr9q-rgwq-g5r5/GHSA-fr9q-rgwq-g5r5.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fr9q-rgwq-g5r5",
- "modified": "2024-09-12T19:49:57Z",
+ "modified": "2024-09-17T15:40:26Z",
 "published": "2024-09-12T15:33:01Z",
 "aliases": [
 "CVE-2024-45855"
@@ -52,6 +52,10 @@
 "type": "WEB",
 "url": "https://github.com/mindsdb/mindsdb/blob/v24.9.2.1/mindsdb/integrations/handlers/byom_handler/byom_handler.py#L433-L442"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-85.yaml"
+ },
 {
 "type": "WEB",
 "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"