From c89281100102cbc00079d1970667e7d5c6ce3557 Mon Sep 17 00:00:00 2001 
From: Oliver Chang Date: Fri, 22 Nov 2024 15:42:13 +1100 Subject: [PATCH 1/2] Withdraw all unbounded vulnerabilities introduced in the past 2 days. (#209) Fixes: #205, #207 --- vulns/aamiles/PYSEC-2022-43066.yaml | 29 ++++--- vulns/admesh/PYSEC-2023-263.yaml | 41 ++++----- vulns/ansible-runner/PYSEC-2022-43067.yaml | 33 +++---- vulns/ansible-runner/PYSEC-2022-43068.yaml | 33 +++---- vulns/apache-iotdb/PYSEC-2022-43069.yaml | 27 +++--- vulns/apache-iotdb/PYSEC-2022-43070.yaml | 29 ++++--- vulns/api-res-py/PYSEC-2022-43071.yaml | 29 ++++--- vulns/bitdefender/PYSEC-2012-22.yaml | 29 ++++--- vulns/bitdefender/PYSEC-2012-23.yaml | 29 ++++--- vulns/bitdefender/PYSEC-2012-24.yaml | 29 ++++--- vulns/bitdefender/PYSEC-2012-25.yaml | 29 ++++--- vulns/bitdefender/PYSEC-2012-26.yaml | 29 ++++--- vulns/bitdefender/PYSEC-2012-27.yaml | 29 ++++--- vulns/bitdefender/PYSEC-2012-28.yaml | 29 ++++--- vulns/blosc2/PYSEC-2020-343.yaml | 33 +++---- vulns/bounter/PYSEC-2021-880.yaml | 29 ++++--- vulns/capstone/PYSEC-2019-242.yaml | 39 ++++----- vulns/chia-blockchain/PYSEC-2022-43072.yaml | 39 ++++----- vulns/cinder/PYSEC-2013-35.yaml | 23 ++--- vulns/cloudlabeling/PYSEC-2022-43073.yaml | 31 +++---- vulns/d8s-archives/PYSEC-2022-43074.yaml | 29 ++++--- vulns/d8s-dates/PYSEC-2022-43075.yaml | 31 +++---- vulns/d8s-grammars/PYSEC-2022-43076.yaml | 29 ++++--- vulns/d8s-ip-addresses/PYSEC-2022-43077.yaml | 29 ++++--- vulns/d8s-json/PYSEC-2022-43078.yaml | 29 ++++--- vulns/d8s-math/PYSEC-2022-43079.yaml | 29 ++++--- vulns/d8s-netstrings/PYSEC-2022-43080.yaml | 29 ++++--- vulns/d8s-networking/PYSEC-2022-43081.yaml | 31 +++---- vulns/d8s-networking/PYSEC-2022-43082.yaml | 31 +++---- vulns/d8s-python/PYSEC-2022-43083.yaml | 29 ++++--- vulns/d8s-python/PYSEC-2022-43084.yaml | 31 +++---- vulns/d8s-python/PYSEC-2022-43085.yaml | 31 +++---- vulns/d8s-stats/PYSEC-2022-43086.yaml | 31 +++---- vulns/d8s-strings/PYSEC-2022-43087.yaml | 29 ++++--- vulns/d8s-strings/PYSEC-2022-43088.yaml | 31 +++---- 
vulns/d8s-timer/PYSEC-2022-43089.yaml | 31 +++---- vulns/d8s-timer/PYSEC-2022-43090.yaml | 31 +++---- vulns/d8s-urls/PYSEC-2022-43091.yaml | 31 +++---- vulns/d8s-xml/PYSEC-2022-43092.yaml | 29 ++++--- vulns/d8s-xml/PYSEC-2022-43093.yaml | 31 +++---- .../PYSEC-2022-43094.yaml | 31 +++---- vulns/democritus-csv/PYSEC-2022-43095.yaml | 29 ++++--- vulns/democritus-dates/PYSEC-2022-43096.yaml | 31 +++---- .../democritus-domains/PYSEC-2022-43097.yaml | 31 +++---- .../PYSEC-2022-43098.yaml | 29 ++++--- .../PYSEC-2022-43099.yaml | 29 ++++--- .../democritus-grammars/PYSEC-2022-43100.yaml | 31 +++---- .../PYSEC-2022-43101.yaml | 29 ++++--- .../PYSEC-2022-43102.yaml | 29 ++++--- .../PYSEC-2022-43103.yaml | 29 ++++--- .../PYSEC-2022-43104.yaml | 29 ++++--- .../PYSEC-2022-43105.yaml | 29 ++++--- .../PYSEC-2022-43106.yaml | 29 ++++--- .../PYSEC-2022-43107.yaml | 29 ++++--- vulns/democritus-json/PYSEC-2022-43108.yaml | 31 +++---- vulns/democritus-math/PYSEC-2022-43109.yaml | 31 +++---- .../PYSEC-2022-43110.yaml | 31 +++---- .../PYSEC-2022-43111.yaml | 29 ++++--- .../PYSEC-2022-43112.yaml | 29 ++++--- .../PYSEC-2022-43113.yaml | 29 ++++--- .../PYSEC-2022-43114.yaml | 29 ++++--- .../PYSEC-2022-43115.yaml | 29 ++++--- .../PYSEC-2022-43116.yaml | 29 ++++--- .../PYSEC-2022-43117.yaml | 29 ++++--- .../democritus-strings/PYSEC-2022-43118.yaml | 27 +++--- .../democritus-strings/PYSEC-2022-43119.yaml | 29 ++++--- .../democritus-strings/PYSEC-2022-43120.yaml | 29 ++++--- .../democritus-strings/PYSEC-2022-43121.yaml | 29 ++++--- .../democritus-strings/PYSEC-2022-43122.yaml | 29 ++++--- .../democritus-strings/PYSEC-2022-43123.yaml | 29 ++++--- .../democritus-strings/PYSEC-2022-43124.yaml | 29 ++++--- .../democritus-strings/PYSEC-2022-43125.yaml | 29 ++++--- .../PYSEC-2022-43126.yaml | 31 +++---- .../PYSEC-2022-43127.yaml | 31 +++---- .../democritus-utility/PYSEC-2022-43128.yaml | 31 +++---- vulns/democritus-uuids/PYSEC-2022-43129.yaml | 31 +++---- vulns/democritus-uuids/PYSEC-2022-43130.yaml 
| 31 +++---- vulns/designate/PYSEC-2017-114.yaml | 31 +++---- vulns/designate/PYSEC-2019-243.yaml | 25 +++--- vulns/diplib/PYSEC-2022-43131.yaml | 31 +++---- vulns/django-cms/PYSEC-2024-124.yaml | 39 ++++----- vulns/dr-web-engine/PYSEC-2022-43132.yaml | 31 +++---- vulns/drxhello/PYSEC-2022-43133.yaml | 29 ++++--- vulns/eftl/PYSEC-2021-881.yaml | 43 +++++----- vulns/exiv2/PYSEC-2008-11.yaml | 31 +++---- vulns/exiv2/PYSEC-2015-36.yaml | 29 ++++--- vulns/exiv2/PYSEC-2017-115.yaml | 31 +++---- vulns/exiv2/PYSEC-2017-116.yaml | 31 +++---- vulns/exiv2/PYSEC-2017-117.yaml | 31 +++---- vulns/exiv2/PYSEC-2017-118.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-119.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-120.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-121.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-122.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-123.yaml | 33 +++---- vulns/exiv2/PYSEC-2017-124.yaml | 33 +++---- vulns/exiv2/PYSEC-2017-125.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-126.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-127.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-128.yaml | 33 +++---- vulns/exiv2/PYSEC-2017-129.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-130.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-131.yaml | 33 +++---- vulns/exiv2/PYSEC-2017-132.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-133.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-134.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-135.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-136.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-137.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-138.yaml | 33 +++---- vulns/exiv2/PYSEC-2017-139.yaml | 33 +++---- vulns/exiv2/PYSEC-2017-140.yaml | 35 ++++---- vulns/exiv2/PYSEC-2017-141.yaml | 33 +++---- vulns/exiv2/PYSEC-2017-142.yaml | 33 +++---- vulns/exiv2/PYSEC-2018-121.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-122.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-123.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-124.yaml | 39 ++++----- vulns/exiv2/PYSEC-2018-125.yaml | 33 +++---- vulns/exiv2/PYSEC-2018-126.yaml | 35 
++++---- vulns/exiv2/PYSEC-2018-127.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-128.yaml | 33 +++---- vulns/exiv2/PYSEC-2018-129.yaml | 33 +++---- vulns/exiv2/PYSEC-2018-130.yaml | 31 +++---- vulns/exiv2/PYSEC-2018-131.yaml | 33 +++---- vulns/exiv2/PYSEC-2018-132.yaml | 33 +++---- vulns/exiv2/PYSEC-2018-133.yaml | 33 +++---- vulns/exiv2/PYSEC-2018-134.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-135.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-136.yaml | 33 +++---- vulns/exiv2/PYSEC-2018-137.yaml | 33 +++---- vulns/exiv2/PYSEC-2018-138.yaml | 33 +++---- vulns/exiv2/PYSEC-2018-139.yaml | 33 +++---- vulns/exiv2/PYSEC-2018-140.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-141.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-142.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-143.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-144.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-145.yaml | 37 ++++---- vulns/exiv2/PYSEC-2018-146.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-147.yaml | 35 ++++---- vulns/exiv2/PYSEC-2018-148.yaml | 37 ++++---- vulns/exiv2/PYSEC-2019-244.yaml | 33 +++---- vulns/exiv2/PYSEC-2019-245.yaml | 35 ++++---- vulns/exiv2/PYSEC-2019-246.yaml | 33 +++---- vulns/exiv2/PYSEC-2019-247.yaml | 37 ++++---- vulns/exiv2/PYSEC-2019-248.yaml | 37 ++++---- vulns/exiv2/PYSEC-2019-249.yaml | 37 ++++---- vulns/exiv2/PYSEC-2020-344.yaml | 41 ++++----- vulns/exiv2/PYSEC-2021-882.yaml | 33 +++---- vulns/exiv2/PYSEC-2021-883.yaml | 33 +++---- vulns/exiv2/PYSEC-2021-884.yaml | 35 ++++---- vulns/exiv2/PYSEC-2021-885.yaml | 33 +++---- vulns/exiv2/PYSEC-2021-886.yaml | 33 +++---- vulns/exotel/PYSEC-2022-43134.yaml | 27 +++--- vulns/extractor/PYSEC-2006-4.yaml | 27 +++--- vulns/freeipa/PYSEC-2013-36.yaml | 29 ++++--- vulns/freeipa/PYSEC-2014-100.yaml | 25 +++--- vulns/freeipa/PYSEC-2014-101.yaml | 23 ++--- vulns/freetakserver/PYSEC-2022-43135.yaml | 45 +++++----- vulns/galaxy-app/PYSEC-2018-149.yaml | 41 ++++----- vulns/gattlib-py/PYSEC-2019-250.yaml | 27 +++--- vulns/gattlib-py/PYSEC-2021-887.yaml | 27 +++--- 
vulns/glance/PYSEC-2012-29.yaml | 29 ++++--- vulns/glance/PYSEC-2012-30.yaml | 31 +++---- vulns/glance/PYSEC-2013-37.yaml | 33 +++---- vulns/glance/PYSEC-2014-102.yaml | 25 +++--- vulns/glance/PYSEC-2015-37.yaml | 27 +++--- vulns/glance/PYSEC-2015-38.yaml | 25 +++--- vulns/glance/PYSEC-2015-39.yaml | 23 ++--- vulns/glance/PYSEC-2017-143.yaml | 29 ++++--- vulns/glance/PYSEC-2023-270.yaml | 29 ++++--- vulns/global-workqueue/PYSEC-2022-43136.yaml | 29 ++++--- vulns/golismero/PYSEC-2012-31.yaml | 25 +++--- vulns/horizon/PYSEC-2012-32.yaml | 31 +++---- vulns/horizon/PYSEC-2012-33.yaml | 27 +++--- vulns/horizon/PYSEC-2015-40.yaml | 27 +++--- vulns/ipa/PYSEC-2013-38.yaml | 29 ++++--- vulns/ipa/PYSEC-2014-103.yaml | 25 +++--- vulns/ipa/PYSEC-2014-104.yaml | 23 ++--- vulns/ipsilon/PYSEC-2015-41.yaml | 25 +++--- vulns/ipsilon/PYSEC-2015-42.yaml | 25 +++--- vulns/iroha/PYSEC-2018-150.yaml | 33 +++---- vulns/jupyterhub/PYSEC-2018-151.yaml | 43 +++++----- vulns/keystone/PYSEC-2012-34.yaml | 35 ++++---- vulns/keystone/PYSEC-2012-35.yaml | 31 +++---- vulns/keystone/PYSEC-2013-39.yaml | 23 ++--- vulns/keystone/PYSEC-2013-40.yaml | 29 ++++--- vulns/keystone/PYSEC-2013-41.yaml | 25 +++--- vulns/keystone/PYSEC-2013-42.yaml | 25 +++--- vulns/keystone/PYSEC-2014-105.yaml | 27 +++--- vulns/keystone/PYSEC-2014-106.yaml | 25 +++--- vulns/keystone/PYSEC-2014-107.yaml | 25 +++--- vulns/keystone/PYSEC-2014-108.yaml | 25 +++--- vulns/keystone/PYSEC-2014-109.yaml | 23 ++--- vulns/keystone/PYSEC-2016-38.yaml | 29 ++++--- vulns/keystone/PYSEC-2018-152.yaml | 31 +++---- vulns/koji/PYSEC-2017-144.yaml | 27 +++--- vulns/lief/PYSEC-2022-43138.yaml | 29 ++++--- vulns/lief/PYSEC-2022-43139.yaml | 29 ++++--- vulns/lief/PYSEC-2022-43140.yaml | 29 ++++--- vulns/mayan-edms/PYSEC-2014-110.yaml | 75 ++++++++-------- vulns/mayan-edms/PYSEC-2023-276.yaml | 71 ++++++++-------- vulns/mindsdb/PYSEC-2023-278.yaml | 41 ++++----- vulns/modoboa/PYSEC-2019-251.yaml | 33 +++---- vulns/moin/PYSEC-2008-12.yaml | 23 
++--- vulns/moin/PYSEC-2008-13.yaml | 23 ++--- vulns/moin/PYSEC-2009-12.yaml | 25 +++--- vulns/moin/PYSEC-2009-13.yaml | 23 ++--- vulns/nova/PYSEC-2012-36.yaml | 31 +++---- vulns/nova/PYSEC-2012-37.yaml | 31 +++---- vulns/nova/PYSEC-2012-38.yaml | 31 +++---- vulns/nova/PYSEC-2012-39.yaml | 29 ++++--- vulns/nova/PYSEC-2012-40.yaml | 31 +++---- vulns/nova/PYSEC-2012-41.yaml | 31 +++---- vulns/nova/PYSEC-2013-43.yaml | 23 ++--- vulns/nova/PYSEC-2013-44.yaml | 25 +++--- vulns/nova/PYSEC-2013-45.yaml | 25 +++--- vulns/nova/PYSEC-2014-111.yaml | 25 +++--- vulns/nova/PYSEC-2014-112.yaml | 25 +++--- vulns/nova/PYSEC-2014-113.yaml | 25 +++--- vulns/nova/PYSEC-2017-145.yaml | 29 ++++--- vulns/ntopng/PYSEC-2014-114.yaml | 23 ++--- vulns/opencc-py/PYSEC-2018-153.yaml | 29 ++++--- .../PYSEC-2022-43143.yaml | 45 +++++----- vulns/patchelf/PYSEC-2022-43144.yaml | 27 +++--- vulns/pg-query/PYSEC-2018-154.yaml | 85 ++++++++++--------- vulns/pillow/PYSEC-2022-43145.yaml | 41 ++++----- vulns/plone/PYSEC-2006-5.yaml | 37 ++++---- vulns/plone/PYSEC-2006-6.yaml | 35 ++++---- vulns/plone/PYSEC-2007-4.yaml | 37 ++++---- vulns/plone/PYSEC-2008-14.yaml | 39 ++++----- vulns/plone/PYSEC-2011-25.yaml | 41 ++++----- vulns/plone/PYSEC-2021-889.yaml | 41 ++++----- vulns/plone/PYSEC-2023-289.yaml | 47 +++++----- vulns/portage/PYSEC-2014-115.yaml | 25 +++--- .../PYSEC-2011-26.yaml | 29 ++++--- .../PYSEC-2011-27.yaml | 29 ++++--- vulns/py-cord/PYSEC-2022-43146.yaml | 37 ++++---- vulns/pyanxdns/PYSEC-2022-43147.yaml | 29 ++++--- vulns/pyassimp/PYSEC-2022-43148.yaml | 31 +++---- vulns/pyassimp/PYSEC-2022-43149.yaml | 31 +++---- vulns/pyassimp/PYSEC-2023-290.yaml | 31 +++---- vulns/pyboolector/PYSEC-2019-252.yaml | 27 +++--- vulns/pyignite/PYSEC-2017-146.yaml | 35 ++++---- vulns/pyo/PYSEC-2021-890.yaml | 29 ++++--- vulns/pypatchelf/PYSEC-2022-43151.yaml | 31 +++---- vulns/pyspark/PYSEC-2017-147.yaml | 37 ++++---- vulns/python-scciclient/PYSEC-2022-43152.yaml | 29 ++++--- 
vulns/pywasm3/PYSEC-2022-43153.yaml | 27 +++--- vulns/pywasm3/PYSEC-2022-43154.yaml | 27 +++--- vulns/pywasm3/PYSEC-2022-43155.yaml | 27 +++--- vulns/redis/PYSEC-2022-43162.yaml | 33 +++---- vulns/repox/PYSEC-2023-293.yaml | 29 ++++--- vulns/repox/PYSEC-2023-294.yaml | 31 +++---- vulns/repox/PYSEC-2023-295.yaml | 31 +++---- vulns/repox/PYSEC-2023-296.yaml | 29 ++++--- vulns/repox/PYSEC-2023-297.yaml | 31 +++---- vulns/reqmon/PYSEC-2022-43163.yaml | 29 ++++--- .../rondolu-yt-concate/PYSEC-2022-43164.yaml | 29 ++++--- vulns/safeurl-python/PYSEC-2023-298.yaml | 35 ++++---- vulns/scoptrial/PYSEC-2022-43165.yaml | 31 +++---- vulns/sixfab-tool/PYSEC-2022-43168.yaml | 31 +++---- vulns/swift/PYSEC-2014-116.yaml | 23 ++--- vulns/tahoe-lafs/PYSEC-2019-253.yaml | 29 ++++--- vulns/tarantool/PYSEC-2016-39.yaml | 35 ++++---- vulns/tautulli/PYSEC-2019-254.yaml | 29 ++++--- vulns/tautulli/PYSEC-2019-255.yaml | 27 +++--- vulns/togglee/PYSEC-2022-43169.yaml | 29 ++++--- vulns/upydev/PYSEC-2023-302.yaml | 27 +++--- vulns/watertools/PYSEC-2022-43172.yaml | 29 ++++--- vulns/webp/PYSEC-2019-256.yaml | 25 +++--- vulns/wikifaces/PYSEC-2022-43173.yaml | 27 +++--- vulns/wmagent/PYSEC-2022-43174.yaml | 29 ++++--- vulns/zibal/PYSEC-2022-43176.yaml | 29 ++++--- vulns/zope/PYSEC-2010-32.yaml | 65 +++++++------- vulns/zope/PYSEC-2017-148.yaml | 77 ++++++++--------- vulns/zope2/PYSEC-2006-7.yaml | 27 +++--- vulns/zope2/PYSEC-2006-8.yaml | 27 +++--- 279 files changed, 4568 insertions(+), 4289 deletions(-) diff --git a/vulns/aamiles/PYSEC-2022-43066.yaml b/vulns/aamiles/PYSEC-2022-43066.yaml index c71ebda3..b77ad898 100644 --- a/vulns/aamiles/PYSEC-2022-43066.yaml +++ b/vulns/aamiles/PYSEC-2022-43066.yaml 
@@ -1,27 +1,24 @@ -id: PYSEC-2022-43066 -modified: 2024-11-21T14:22:40.256677Z -published: 2022-06-24T21:15:00Z -aliases: -- CVE-2022-33001 -details: The AAmiles package in PyPI v0.1.0 was discovered to contain a code execution - backdoor via the request package. This vulnerability allows attackers to access - sensitive user information and digital currency keys, as well as escalate privileges. affected: - package: ecosystem: PyPI name: aamiles purl: pkg:pypi/aamiles ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.1.1 - 0.1.2 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-33001 +details: The AAmiles package in PyPI v0.1.0 was discovered to contain a code execution + backdoor via the request package. This vulnerability allows attackers to access + sensitive user information and digital currency keys, as well as escalate privileges. +id: PYSEC-2022-43066 +modified: '2024-11-21T14:22:40.256677Z' +published: '2022-06-24T21:15:00Z' references: - type: EVIDENCE url: https://github.com/bOrionis/AAmiles/issues/1 @@ -31,3 +28,7 @@ references: url: http://pypi.doubanio.com/simple/request - type: PACKAGE url: https://pypi.org/project/AAmiles/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/admesh/PYSEC-2023-263.yaml b/vulns/admesh/PYSEC-2023-263.yaml index 67af3799..4f345f93 100644 --- a/vulns/admesh/PYSEC-2023-263.yaml +++ b/vulns/admesh/PYSEC-2023-263.yaml 
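Review bot: `modified` is carried over unchanged as `'2024-11-21T14:22:40.256677Z'` in the first hunk of PYSEC-2022-43066.yaml, although the file's last hunk adds `withdrawn: '2024-11-22T04:37:03Z'`, so the record claims it was last modified before it was withdrawn. The OSV schema expects `modified` to advance on every change, and consumers that sync incrementally on that field may never pick up the withdrawal. Unless the import pipeline rewrites the field (not visible here), set `modified: '2024-11-22T04:37:03Z'` together with `withdrawn`. The same stale value appears in the other records in this patch, for example PYSEC-2023-263 and PYSEC-2022-43067.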
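Review bot: The `withdrawn: '2024-11-22T04:37:03Z'` line added at the end of the `@@ -31,3 +28,7 @@` hunk retires the whole record instead of correcting the open-ended `introduced: '0'` range, while `details` still describes a code execution backdoor. Tools that honour `withdrawn` will stop reporting aamiles, so anyone with 0.1.0, 0.1.1 or 0.1.2 installed loses the finding. If the range is the only problem, bound it with a `fixed` or `last_affected` event and keep the record live; if the open range is in fact correct for this package, withdrawal removes a valid advisory. Either way the record no longer says why it was withdrawn, and a short reason under `database_specific` would let consumers tell a data-quality withdrawal from an invalid report. PYSEC-2022-43071 (api-res-py) later in the patch is the same case.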
@@ -1,29 +1,20 @@ -id: PYSEC-2023-263 -modified: 2024-11-21T14:22:40.308634Z -published: 2023-04-03T16:15:00Z -aliases: -- CVE-2022-38072 -details: An improper array index validation vulnerability exists in the stl_fix_normal_directions - functionality of ADMesh Master Commit 767a105 and v0.98.4. A specially-crafted stl - file can lead to a heap buffer overflow. An attacker can provide a malicious file - to trigger this vulnerability. affected: - package: ecosystem: PyPI name: admesh purl: pkg:pypi/admesh ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 5fab257268a0ee6f832c18d72af89810a29fbd5f repo: https://github.com/admesh/admesh - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.96" - - "0.98" + - '0.96' + - '0.98' - 0.98.1 - 0.98.2 - 0.98.3 @@ -34,9 +25,15 @@ affected: - 0.98.8 - 0.98.9 - 0.98a1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38072 +details: An improper array index validation vulnerability exists in the stl_fix_normal_directions + functionality of ADMesh Master Commit 767a105 and v0.98.4. A specially-crafted stl + file can lead to a heap buffer overflow. An attacker can provide a malicious file + to trigger this vulnerability. +id: PYSEC-2023-263 +modified: '2024-11-21T14:22:40.308634Z' +published: '2023-04-03T16:15:00Z' references: - type: EVIDENCE url: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1594 @@ -44,3 +41,7 @@ references: url: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1594 - type: FIX url: https://github.com/admesh/admesh/commit/5fab257268a0ee6f832c18d72af89810a29fbd5f +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/ansible-runner/PYSEC-2022-43067.yaml b/vulns/ansible-runner/PYSEC-2022-43067.yaml index 82d233fd..0849e721 100644 
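Review bot: PYSEC-2023-263 is not purely unbounded: the GIT range in the first hunk keeps `fixed: 5fab257268a0ee6f832c18d72af89810a29fbd5f`, and only the ECOSYSTEM range is left at `introduced: '0'` with no closing event. The `withdrawn` line in the file's last hunk therefore discards a record that already carries a fix reference which could be used to bound the PyPI range. If a released admesh version containing that commit can be identified, add the matching `fixed` event to the ECOSYSTEM range and leave the record published; which version that is cannot be determined from this patch.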
--- a/vulns/ansible-runner/PYSEC-2022-43067.yaml +++ b/vulns/ansible-runner/PYSEC-2022-43067.yaml @@ -1,22 +1,12 @@ -id: PYSEC-2022-43067 -modified: 2024-11-21T14:22:40.36338Z -published: 2022-08-23T16:15:00Z -aliases: -- CVE-2021-3701 -details: A flaw was found in ansible-runner where the default temporary files configuration - in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker - to pre-create the directory, resulting in reading private information or forcing - ansible-runner to write files as the legitimate user in a place they did not expect. - The highest threat from this vulnerability is to confidentiality and integrity. affected: - package: ecosystem: PyPI name: ansible-runner purl: pkg:pypi/ansible-runner ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.0.1 - 1.0.2 @@ -74,9 +64,16 @@ affected: - 2.3.5 - 2.3.6 - 2.4.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N +aliases: +- CVE-2021-3701 +details: A flaw was found in ansible-runner where the default temporary files configuration + in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker + to pre-create the directory, resulting in reading private information or forcing + ansible-runner to write files as the legitimate user in a place they did not expect. + The highest threat from this vulnerability is to confidentiality and integrity. +id: PYSEC-2022-43067 +modified: '2024-11-21T14:22:40.36338Z' +published: '2022-08-23T16:15:00Z' references: - type: ADVISORY url: https://access.redhat.com/security/cve/CVE-2021-3701 @@ -92,3 +89,7 @@ references: url: https://github.com/ansible/ansible-runner/pull/742/commits - type: REPORT url: https://github.com/ansible/ansible-runner/issues/738 +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' 
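Review bot: Key order and scalar style should be left as they were. In the first hunk of PYSEC-2022-43067.yaml, `id`, `modified`, `published`, `aliases` and `details` move below `affected`, `type` moves after `events`, and timestamps change from plain scalars to quoted strings (`modified: '2024-11-21T14:22:40.36338Z'`), apparently because the file was re-serialised with sorted keys. The only substantive change to the record is the `withdrawn` line in the last hunk, and it is hard to audit among 4568 insertions across 279 files. Writing the files back with the existing key order and quoting would reduce each file's diff to that one added line. It is also worth confirming that downstream parsers accept the now-quoted timestamps, since some YAML loaders type the unquoted form as a timestamp and the quoted form as a string.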
diff --git a/vulns/ansible-runner/PYSEC-2022-43068.yaml b/vulns/ansible-runner/PYSEC-2022-43068.yaml index dd9e9157..d267825c 100644 --- a/vulns/ansible-runner/PYSEC-2022-43068.yaml +++ b/vulns/ansible-runner/PYSEC-2022-43068.yaml @@ -1,22 +1,12 @@ -id: PYSEC-2022-43068 -modified: 2024-11-21T14:22:40.419413Z -published: 2022-08-23T16:15:00Z -aliases: -- CVE-2021-3702 -details: A race condition flaw was found in ansible-runner, where an attacker could - watch for rapid creation and deletion of a temporary directory, substitute their - directory at that name, and then have access to ansible-runner's private_data_dir - the next time ansible-runner made use of the private_data_dir. The highest Threat - out of this flaw is to integrity and confidentiality. affected: - package: ecosystem: PyPI name: ansible-runner purl: pkg:pypi/ansible-runner ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.0.1 - 1.0.2 @@ -74,9 +64,16 @@ affected: - 2.3.5 - 2.3.6 - 2.4.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N +aliases: +- CVE-2021-3702 +details: A race condition flaw was found in ansible-runner, where an attacker could + watch for rapid creation and deletion of a temporary directory, substitute their + directory at that name, and then have access to ansible-runner's private_data_dir + the next time ansible-runner made use of the private_data_dir. The highest Threat + out of this flaw is to integrity and confidentiality. +id: PYSEC-2022-43068 +modified: '2024-11-21T14:22:40.419413Z' +published: '2022-08-23T16:15:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1977965 
@@ -90,3 +87,7 @@ references: url: https://github.com/ansible/ansible-runner/pull/742/commits - type: WEB url: https://github.com/ansible/ansible-runner/pull/742/commits +severity: +- score: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/apache-iotdb/PYSEC-2022-43069.yaml b/vulns/apache-iotdb/PYSEC-2022-43069.yaml index d7619cac..a450a710 100644 --- a/vulns/apache-iotdb/PYSEC-2022-43069.yaml +++ b/vulns/apache-iotdb/PYSEC-2022-43069.yaml @@ -1,19 +1,12 @@ -id: PYSEC-2022-43069 -modified: 2024-11-21T14:22:40.851901Z -published: 2022-09-05T10:15:00Z -aliases: -- CVE-2022-38369 -details: Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should - upgrade to version 0.13.1 which addresses this issue. affected: - package: ecosystem: PyPI name: apache-iotdb purl: pkg:pypi/apache-iotdb ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.10.0 - 0.10.1 @@ -50,9 +43,13 @@ affected: - 1.3.2 - 1.3.2.post0 - 1.3.3 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38369 +details: Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should + upgrade to version 0.13.1 which addresses this issue. +id: PYSEC-2022-43069 +modified: '2024-11-21T14:22:40.851901Z' +published: '2022-09-05T10:15:00Z' references: - type: ARTICLE url: https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0 @@ -62,3 +59,7 @@ references: url: http://www.openwall.com/lists/oss-security/2022/09/05/1 - type: WEB url: http://www.openwall.com/lists/oss-security/2022/09/05/1 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/apache-iotdb/PYSEC-2022-43070.yaml b/vulns/apache-iotdb/PYSEC-2022-43070.yaml index 0e0b7ccf..fd9449c8 100644 --- a/vulns/apache-iotdb/PYSEC-2022-43070.yaml 
+++ b/vulns/apache-iotdb/PYSEC-2022-43070.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2022-43070 -modified: 2024-11-21T14:22:40.90699Z -published: 2022-09-05T10:15:00Z -aliases: -- CVE-2022-38370 -details: Apache IoTDB grafana-connector version 0.13.0 contains an interface without - authorization, which may expose the internal structure of database. Users should - upgrade to version 0.13.1 which addresses this issue. affected: - package: ecosystem: PyPI name: apache-iotdb purl: pkg:pypi/apache-iotdb ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.10.0 - 0.10.1 @@ -51,9 +43,14 @@ affected: - 1.3.2 - 1.3.2.post0 - 1.3.3 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N +aliases: +- CVE-2022-38370 +details: Apache IoTDB grafana-connector version 0.13.0 contains an interface without + authorization, which may expose the internal structure of database. Users should + upgrade to version 0.13.1 which addresses this issue. +id: PYSEC-2022-43070 +modified: '2024-11-21T14:22:40.90699Z' +published: '2022-09-05T10:15:00Z' references: - type: ARTICLE url: https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j @@ -63,3 +60,7 @@ references: url: http://www.openwall.com/lists/oss-security/2022/09/05/2 - type: WEB url: http://www.openwall.com/lists/oss-security/2022/09/05/2 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/api-res-py/PYSEC-2022-43071.yaml b/vulns/api-res-py/PYSEC-2022-43071.yaml index 63a40ec9..fc5dc080 100644 --- a/vulns/api-res-py/PYSEC-2022-43071.yaml +++ b/vulns/api-res-py/PYSEC-2022-43071.yaml 
@@ -1,24 +1,21 @@ -id: PYSEC-2022-43071 -modified: 2024-11-21T14:22:40.957734Z -published: 2022-06-08T20:15:00Z -aliases: -- CVE-2022-31313 -details: api-res-py package in PyPI 0.1 is vulnerable to a code execution backdoor - in the request package. affected: - package: ecosystem: PyPI name: api-res-py purl: pkg:pypi/api-res-py ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + - '0.1' +aliases: +- CVE-2022-31313 +details: api-res-py package in PyPI 0.1 is vulnerable to a code execution backdoor + in the request package. +id: PYSEC-2022-43071 +modified: '2024-11-21T14:22:40.957734Z' +published: '2022-06-08T20:15:00Z' references: - type: REPORT url: https://github.com/rakeshrkz7/as_api_res/issues/1 @@ -26,3 +23,7 @@ references: url: http://pypi.doubanio.com/simple/request - type: PACKAGE url: https://pypi.org/project/api-res-py/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/bitdefender/PYSEC-2012-22.yaml b/vulns/bitdefender/PYSEC-2012-22.yaml index 1301fe1d..89f14167 100644 --- a/vulns/bitdefender/PYSEC-2012-22.yaml +++ b/vulns/bitdefender/PYSEC-2012-22.yaml @@ -1,6 +1,14 @@ -id: PYSEC-2012-22 -modified: 2024-11-21T14:22:41.00719Z -published: 2012-03-21T10:11:00Z +affected: +- package: + ecosystem: PyPI + name: bitdefender + purl: pkg:pypi/bitdefender + ranges: + - events: + - introduced: '0' + type: ECOSYSTEM + versions: + - 0.0.1 aliases: - CVE-2012-1430 details: 'The ELF file parser in Bitdefender 7.2, Comodo Antivirus 7424, eSafe 7.0.17.0, 
@@ -11,19 +19,12 @@ details: 'The ELF file parser in Bitdefender 7.2, Comodo Antivirus 7424, eSafe 7 at a certain location. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations.' -affected: -- package: - ecosystem: PyPI - name: bitdefender - purl: pkg:pypi/bitdefender - ranges: - - type: ECOSYSTEM - events: - - introduced: "0" - versions: - - 0.0.1 +id: PYSEC-2012-22 +modified: '2024-11-21T14:22:41.00719Z' +published: '2012-03-21T10:11:00Z' references: - type: WEB url: http://www.securityfocus.com/archive/1/522005 - type: WEB url: http://www.ieee-security.org/TC/SP2012/program.html +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/bitdefender/PYSEC-2012-23.yaml b/vulns/bitdefender/PYSEC-2012-23.yaml index f53f7ca5..48989b15 100644 --- a/vulns/bitdefender/PYSEC-2012-23.yaml +++ b/vulns/bitdefender/PYSEC-2012-23.yaml @@ -1,6 +1,14 @@ -id: PYSEC-2012-23 -modified: 2024-11-21T14:22:41.056758Z -published: 2012-03-21T10:11:00Z +affected: +- package: + ecosystem: PyPI + name: bitdefender + purl: pkg:pypi/bitdefender + ranges: + - events: + - introduced: '0' + type: ECOSYSTEM + versions: + - 0.0.1 aliases: - CVE-2012-1431 details: 'The ELF file parser in Bitdefender 7.2, Command Antivirus 5.2.11.5, Comodo 
@@ -11,19 +19,12 @@ details: 'The ELF file parser in Bitdefender 7.2, Command Antivirus 5.2.11.5, Co at a certain location. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations.' -affected: -- package: - ecosystem: PyPI - name: bitdefender - purl: pkg:pypi/bitdefender - ranges: - - type: ECOSYSTEM - events: - - introduced: "0" - versions: - - 0.0.1 +id: PYSEC-2012-23 +modified: '2024-11-21T14:22:41.056758Z' +published: '2012-03-21T10:11:00Z' references: - type: WEB url: http://www.securityfocus.com/archive/1/522005 - type: WEB url: http://www.ieee-security.org/TC/SP2012/program.html +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/bitdefender/PYSEC-2012-24.yaml b/vulns/bitdefender/PYSEC-2012-24.yaml index 2964e0a9..96e25168 100644 --- a/vulns/bitdefender/PYSEC-2012-24.yaml +++ b/vulns/bitdefender/PYSEC-2012-24.yaml @@ -1,6 +1,14 @@ -id: PYSEC-2012-24 -modified: 2024-11-21T14:22:41.111226Z -published: 2012-03-21T10:11:00Z +affected: +- package: + ecosystem: PyPI + name: bitdefender + purl: pkg:pypi/bitdefender + ranges: + - events: + - introduced: '0' + type: ECOSYSTEM + versions: + - 0.0.1 aliases: - CVE-2012-1443 details: 'The RAR file parser in ClamAV 0.96.4, Rising Antivirus 22.83.00.03, Quick 
@@ -20,17 +28,9 @@ details: 'The RAR file parser in ClamAV 0.96.4, Rising Antivirus 22.83.00.03, Qu to bypass malware detection via a RAR file with an initial MZ character sequence. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different RAR parser implementations.' -affected: -- package: - ecosystem: PyPI - name: bitdefender - purl: pkg:pypi/bitdefender - ranges: - - type: ECOSYSTEM - events: - - introduced: "0" - versions: - - 0.0.1 +id: PYSEC-2012-24 +modified: '2024-11-21T14:22:41.111226Z' +published: '2012-03-21T10:11:00Z' references: - type: WEB url: http://www.ieee-security.org/TC/SP2012/program.html @@ -66,3 +66,4 @@ references: url: http://osvdb.org/80460 - type: WEB url: http://osvdb.org/80472 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/bitdefender/PYSEC-2012-25.yaml b/vulns/bitdefender/PYSEC-2012-25.yaml index 1e665cd6..5f7f7d46 100644 --- a/vulns/bitdefender/PYSEC-2012-25.yaml +++ b/vulns/bitdefender/PYSEC-2012-25.yaml @@ -1,6 +1,14 @@ -id: PYSEC-2012-25 -modified: 2024-11-21T14:22:41.165409Z -published: 2012-03-21T10:11:00Z +affected: +- package: + ecosystem: PyPI + name: bitdefender + purl: pkg:pypi/bitdefender + ranges: + - events: + - introduced: '0' + type: ECOSYSTEM + versions: + - 0.0.1 aliases: - CVE-2012-1457 details: 'The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, 
@@ -18,17 +26,9 @@ details: 'The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2. entry with a length field that exceeds the total TAR file size. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations.' -affected: -- package: - ecosystem: PyPI - name: bitdefender - purl: pkg:pypi/bitdefender - ranges: - - type: ECOSYSTEM - events: - - introduced: "0" - versions: - - 0.0.1 +id: PYSEC-2012-25 +modified: '2024-11-21T14:22:41.165409Z' +published: '2012-03-21T10:11:00Z' references: - type: WEB url: http://www.ieee-security.org/TC/SP2012/program.html @@ -62,3 +62,4 @@ references: url: https://exchange.xforce.ibmcloud.com/vulnerabilities/74293 - type: ADVISORY url: http://www.mandriva.com/security/advisories?name=MDVSA-2012:094 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/bitdefender/PYSEC-2012-26.yaml b/vulns/bitdefender/PYSEC-2012-26.yaml index 58b84dce..72f18ae2 100644 --- a/vulns/bitdefender/PYSEC-2012-26.yaml +++ b/vulns/bitdefender/PYSEC-2012-26.yaml @@ -1,6 +1,14 @@ -id: PYSEC-2012-26 -modified: 2024-11-21T14:22:41.220887Z -published: 2012-03-21T10:11:00Z +affected: +- package: + ecosystem: PyPI + name: bitdefender + purl: pkg:pypi/bitdefender + ranges: + - events: + - introduced: '0' + type: ECOSYSTEM + versions: + - 0.0.1 aliases: - CVE-2012-1459 details: 'The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira 
@@ -21,17 +29,9 @@ details: 'The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avir entry, plus part of the header of the next entry. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations.' -affected: -- package: - ecosystem: PyPI - name: bitdefender - purl: pkg:pypi/bitdefender - ranges: - - type: ECOSYSTEM - events: - - introduced: "0" - versions: - - 0.0.1 +id: PYSEC-2012-26 +modified: '2024-11-21T14:22:41.220887Z' +published: '2012-03-21T10:11:00Z' references: - type: WEB url: http://www.securityfocus.com/archive/1/522005 @@ -67,3 +67,4 @@ references: url: https://exchange.xforce.ibmcloud.com/vulnerabilities/74302 - type: ADVISORY url: http://www.mandriva.com/security/advisories?name=MDVSA-2012:094 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/bitdefender/PYSEC-2012-27.yaml b/vulns/bitdefender/PYSEC-2012-27.yaml index 956dd83e..804396bf 100644 --- a/vulns/bitdefender/PYSEC-2012-27.yaml +++ b/vulns/bitdefender/PYSEC-2012-27.yaml @@ -1,6 +1,14 @@ -id: PYSEC-2012-27 -modified: 2024-11-21T14:22:41.276629Z -published: 2012-03-21T10:11:00Z +affected: +- package: + ecosystem: PyPI + name: bitdefender + purl: pkg:pypi/bitdefender + ranges: + - events: + - introduced: '0' + type: ECOSYSTEM + versions: + - 0.0.1 aliases: - CVE-2012-1461 details: 'The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Command 
@@ -15,17 +23,9 @@ details: 'The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, C file with multiple compressed streams. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different Gzip parser implementations.' -affected: -- package: - ecosystem: PyPI - name: bitdefender - purl: pkg:pypi/bitdefender - ranges: - - type: ECOSYSTEM - events: - - introduced: "0" - versions: - - 0.0.1 +id: PYSEC-2012-27 +modified: '2024-11-21T14:22:41.276629Z' +published: '2012-03-21T10:11:00Z' references: - type: WEB url: http://www.securityfocus.com/archive/1/522005 @@ -49,3 +49,4 @@ references: url: http://osvdb.org/80500 - type: WEB url: http://osvdb.org/80501 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/bitdefender/PYSEC-2012-28.yaml b/vulns/bitdefender/PYSEC-2012-28.yaml index 8e4a5f4c..e83c776f 100644 --- a/vulns/bitdefender/PYSEC-2012-28.yaml +++ b/vulns/bitdefender/PYSEC-2012-28.yaml @@ -1,6 +1,14 @@ -id: PYSEC-2012-28 -modified: 2024-11-21T14:22:41.328571Z -published: 2012-03-21T10:11:00Z +affected: +- package: + ecosystem: PyPI + name: bitdefender + purl: pkg:pypi/bitdefender + ranges: + - events: + - introduced: '0' + type: ECOSYSTEM + versions: + - 0.0.1 aliases: - CVE-2012-1463 details: 'The ELF file parser in AhnLab V3 Internet Security 2011.01.18.00, Bitdefender 
@@ -11,17 +19,9 @@ details: 'The ELF file parser in AhnLab V3 Internet Security 2011.01.18.00, Bitd bypass malware detection via an ELF file with a modified endianness field. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations.' -affected: -- package: - ecosystem: PyPI - name: bitdefender - purl: pkg:pypi/bitdefender - ranges: - - type: ECOSYSTEM - events: - - introduced: "0" - versions: - - 0.0.1 +id: PYSEC-2012-28 +modified: '2024-11-21T14:22:41.328571Z' +published: '2012-03-21T10:11:00Z' references: - type: WEB url: http://www.ieee-security.org/TC/SP2012/program.html @@ -35,3 +35,4 @@ references: url: http://osvdb.org/80433 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/74311 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/blosc2/PYSEC-2020-343.yaml b/vulns/blosc2/PYSEC-2020-343.yaml index f779a61d..e92c3d02 100644 --- a/vulns/blosc2/PYSEC-2020-343.yaml +++ b/vulns/blosc2/PYSEC-2020-343.yaml @@ -1,24 +1,17 @@ -id: PYSEC-2020-343 -modified: 2024-11-21T14:22:41.397462Z -published: 2020-11-27T20:15:00Z -aliases: -- CVE-2020-29367 -details: blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow - when there is a lack of space to write compressed data. affected: - package: ecosystem: PyPI name: blosc2 purl: pkg:pypi/blosc2 ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: c4c6470e88210afc95262c8b9fcc27e30ca043ee repo: https://github.com/Blosc/c-blosc2 - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.1 - 0.1.10 
@@ -71,9 +64,13 @@ affected: - 3.0.0b1 - 3.0.0b3 - 3.0.0b4 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2020-29367 +details: blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow + when there is a lack of space to write compressed data. +id: PYSEC-2020-343 +modified: '2024-11-21T14:22:41.397462Z' +published: '2020-11-27T20:15:00Z' references: - type: FIX url: https://github.com/Blosc/c-blosc2/commit/c4c6470e88210afc95262c8b9fcc27e30ca043ee @@ -81,3 +78,7 @@ references: url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26442 - type: WEB url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26442 +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/bounter/PYSEC-2021-880.yaml b/vulns/bounter/PYSEC-2021-880.yaml index bae7bad2..d7137494 100644 --- a/vulns/bounter/PYSEC-2021-880.yaml +++ b/vulns/bounter/PYSEC-2021-880.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2021-880 -modified: 2024-11-21T14:22:41.448775Z -published: 2021-12-17T21:15:00Z -aliases: -- CVE-2021-41497 -details: Null pointer reference in CMS_Conservative_increment_obj in RaRe-Technologies - bounter version 1.01 and 1.10, allows attackers to conduct Denial of Service attacks - by inputting a huge width of hash bucket. affected: - package: ecosystem: PyPI name: bounter purl: pkg:pypi/bounter ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.1.1 
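Review bot: The blosc2 record is withdrawn whole although its GIT range already carries `fixed: c4c6470e88210afc95262c8b9fcc27e30ca043ee`; only the ECOSYSTEM range (`introduced: '0'` with no closing event) is unbounded. Once `withdrawn` is set, scanners stop reporting CVE-2020-29367 for this package altogether. A follow-up should either map that fix commit to the first PyPI release containing it and republish with a `fixed` event on the ECOSYSTEM range, or record that no PyPI release ever shipped the vulnerable code. The capstone record further down (PYSEC-2019-242, `fixed: 87a25bb543c8e4c09b48d4b4a6c7db31ce58df06`) is in the same position. The ranges are in each file's first hunk and the `withdrawn` line in its last.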
@@ -23,11 +15,20 @@ affected: - 1.1.0 - 1.1.1 - 1.2.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2021-41497 +details: Null pointer reference in CMS_Conservative_increment_obj in RaRe-Technologies + bounter version 1.01 and 1.10, allows attackers to conduct Denial of Service attacks + by inputting a huge width of hash bucket. +id: PYSEC-2021-880 +modified: '2024-11-21T14:22:41.448775Z' +published: '2021-12-17T21:15:00Z' references: - type: EVIDENCE url: https://github.com/RaRe-Technologies/bounter/issues/47 - type: REPORT url: https://github.com/RaRe-Technologies/bounter/issues/47 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/capstone/PYSEC-2019-242.yaml b/vulns/capstone/PYSEC-2019-242.yaml index 40ee0510..20be93fc 100644 --- a/vulns/capstone/PYSEC-2019-242.yaml +++ b/vulns/capstone/PYSEC-2019-242.yaml @@ -1,28 +1,21 @@ -id: PYSEC-2019-242 -modified: 2024-11-21T14:22:41.553247Z -published: 2019-05-15T14:29:00Z -aliases: -- CVE-2016-7151 -details: Capstone 3.0.4 has an out-of-bounds vulnerability (SEGV caused by a read - memory access) in X86_insn_reg_intel in arch/X86/X86Mapping.c. affected: - package: ecosystem: PyPI name: capstone purl: pkg:pypi/capstone ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 87a25bb543c8e4c09b48d4b4a6c7db31ce58df06 repo: https://github.com/capstone-engine/capstone - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "2.0" - - "2.1" - - "3.0" + - '2.0' + - '2.1' + - '3.0' - 3.0.1 - 3.0.2 - 3.0.3 
@@ -41,9 +34,13 @@ affected: - 5.0.2 - 5.0.3 - 6.0.0a1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2016-7151 +details: Capstone 3.0.4 has an out-of-bounds vulnerability (SEGV caused by a read + memory access) in X86_insn_reg_intel in arch/X86/X86Mapping.c. +id: PYSEC-2019-242 +modified: '2024-11-21T14:22:41.553247Z' +published: '2019-05-15T14:29:00Z' references: - type: EVIDENCE url: https://github.com/aquynh/capstone/pull/725 @@ -51,3 +48,7 @@ references: url: https://github.com/aquynh/capstone/pull/725 - type: FIX url: https://github.com/aquynh/capstone/commit/87a25bb543c8e4c09b48d4b4a6c7db31ce58df06 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/chia-blockchain/PYSEC-2022-43072.yaml b/vulns/chia-blockchain/PYSEC-2022-43072.yaml index 4d74c1df..e7aca244 100644 --- a/vulns/chia-blockchain/PYSEC-2022-43072.yaml +++ b/vulns/chia-blockchain/PYSEC-2022-43072.yaml @@ -1,26 +1,14 @@ -id: PYSEC-2022-43072 -modified: 2024-11-21T14:22:41.861085Z -published: 2022-07-29T21:15:00Z -aliases: -- CVE-2022-36447 -details: An inflation issue was discovered in Chia Network CAT1 Standard 1.0.0. Previously - minted tokens minted on the Chia blockchain using the CAT1 standard can be inflated - to an arbitrary extent by any holder of any amount of the token. The total amount - of the token can be increased as high as the malicious actor pleases. This is true - for every CAT1 on the Chia blockchain regardless of issuance rules. This attack - is auditable on chain, so maliciously altered coins can potentially be marked by - off-chain observers as malicious. affected: - package: ecosystem: PyPI name: chia-blockchain purl: pkg:pypi/chia-blockchain ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 1.0.0 - 1.0.1 - 1.0.2 
@@ -206,11 +194,24 @@ affected: - 2.4.4rc1 - 2.4.4rc2 - 2.4.4rc3 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N +aliases: +- CVE-2022-36447 +details: An inflation issue was discovered in Chia Network CAT1 Standard 1.0.0. Previously + minted tokens minted on the Chia blockchain using the CAT1 standard can be inflated + to an arbitrary extent by any holder of any amount of the token. The total amount + of the token can be increased as high as the malicious actor pleases. This is true + for every CAT1 on the Chia blockchain regardless of issuance rules. This attack + is auditable on chain, so maliciously altered coins can potentially be marked by + off-chain observers as malicious. +id: PYSEC-2022-43072 +modified: '2024-11-21T14:22:41.861085Z' +published: '2022-07-29T21:15:00Z' references: - type: ADVISORY url: https://chia.net - type: ADVISORY url: https://www.chia.net/2022/07/25/upgrading-the-cat-standard.en.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/cinder/PYSEC-2013-35.yaml b/vulns/cinder/PYSEC-2013-35.yaml index ee13ee94..eceb3187 100644 --- a/vulns/cinder/PYSEC-2013-35.yaml +++ b/vulns/cinder/PYSEC-2013-35.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2013-35 -modified: 2024-11-21T14:22:42.067708Z -published: 2013-09-16T19:14:00Z -aliases: -- CVE-2013-4183 -details: The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 - through 2013.1.2 does not properly clear data when deleting a snapshot, which allows - local users to obtain sensitive information via unspecified vectors. affected: - package: ecosystem: PyPI name: cinder purl: pkg:pypi/cinder ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 10.0.8 - 11.2.0 
@@ -132,6 +124,14 @@ affected: - 25.0.0 - 25.0.0.0rc1 - 25.0.0.0rc2 +aliases: +- CVE-2013-4183 +details: The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 + through 2013.1.2 does not properly clear data when deleting a snapshot, which allows + local users to obtain sensitive information via unspecified vectors. +id: PYSEC-2013-35 +modified: '2024-11-21T14:22:42.067708Z' +published: '2013-09-16T19:14:00Z' references: - type: FIX url: http://rhn.redhat.com/errata/RHSA-2013-1198.html @@ -141,3 +141,4 @@ references: url: https://bugs.launchpad.net/cinder/+bug/1198185 - type: ADVISORY url: http://www.ubuntu.com/usn/USN-2005-1 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/cloudlabeling/PYSEC-2022-43073.yaml b/vulns/cloudlabeling/PYSEC-2022-43073.yaml index d42eea2d..fd4e6b5f 100644 --- a/vulns/cloudlabeling/PYSEC-2022-43073.yaml +++ b/vulns/cloudlabeling/PYSEC-2022-43073.yaml @@ -1,21 +1,12 @@ -id: PYSEC-2022-43073 -modified: 2024-11-21T14:22:42.118573Z -published: 2022-06-24T21:15:00Z -aliases: -- CVE-2022-32999 -details: The cloudlabeling package in PyPI v0.0.1 was discovered to contain a code - execution backdoor via the request package. This vulnerability allows attackers - to access sensitive user information and digital currency keys, as well as escalate - privileges. affected: - package: ecosystem: PyPI name: cloudlabeling purl: pkg:pypi/cloudlabeling ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.10 - 0.0.11 
@@ -31,9 +22,15 @@ affected: - 0.0.7 - 0.0.8 - 0.0.9 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-32999 +details: The cloudlabeling package in PyPI v0.0.1 was discovered to contain a code + execution backdoor via the request package. This vulnerability allows attackers + to access sensitive user information and digital currency keys, as well as escalate + privileges. +id: PYSEC-2022-43073 +modified: '2024-11-21T14:22:42.118573Z' +published: '2022-06-24T21:15:00Z' references: - type: EVIDENCE url: https://github.com/SilvioGiancola/CloudLabeling-API/issues/1 @@ -43,3 +40,7 @@ references: url: http://pypi.doubanio.com/simple/request - type: PACKAGE url: https://pypi.org/project/cloudlabeling/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-archives/PYSEC-2022-43074.yaml b/vulns/d8s-archives/PYSEC-2022-43074.yaml index 33081168..bd6c3fcb 100644 --- a/vulns/d8s-archives/PYSEC-2022-43074.yaml +++ b/vulns/d8s-archives/PYSEC-2022-43074.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2022-43074 -modified: 2024-11-21T14:22:42.229096Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38881 -details: The d8s-archives for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-strings - package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-archives purl: pkg:pypi/d8s-archives ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 
@@ -25,9 +17,14 @@ affected: - 0.6.1 - 0.6.2 - 0.7.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38881 +details: The d8s-archives for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-strings + package. The affected version is 0.1.0. +id: PYSEC-2022-43074 +modified: '2024-11-21T14:22:42.229096Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-archives/ @@ -37,3 +34,7 @@ references: url: https://github.com/democritus-project/d8s-archives/issues/12 - type: REPORT url: https://github.com/democritus-project/d8s-archives/issues/12 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-dates/PYSEC-2022-43075.yaml b/vulns/d8s-dates/PYSEC-2022-43075.yaml index e154bd93..80c61873 100644 --- a/vulns/d8s-dates/PYSEC-2022-43075.yaml +++ b/vulns/d8s-dates/PYSEC-2022-43075.yaml @@ -1,21 +1,12 @@ -id: PYSEC-2022-43075 -modified: 2024-11-21T14:22:42.280201Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44052 -details: The d8s-dates for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-timezones package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-dates purl: pkg:pypi/d8s-dates ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 
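Review bot: The `details` text kept in this d8s-archives record states "The affected version is 0.1.0", yet the record is withdrawn rather than narrowed, so an environment still pinned to that release is no longer flagged for the reported backdoor dependency. The unbounded part is the single `introduced: '0'` event in the first hunk. Closing it with `- last_affected: 0.1.0` and trimming `versions` to that release would remove the false positives on later versions while keeping the finding. cloudlabeling and most of the other d8s-* records in this patch name a single affected version in `details` as well and would need the same follow-up. Whether that version is really the only affected release should be checked against the linked reports before republishing.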
@@ -25,9 +16,15 @@ affected: - 0.5.1 - 0.6.0 - 0.7.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44052 +details: The d8s-dates for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-timezones package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43075 +modified: '2024-11-21T14:22:42.280201Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-timezones/ @@ -35,3 +32,7 @@ references: url: https://pypi.org/project/d8s-dates/ - type: REPORT url: https://github.com/dadadadada111/info/issues/16 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-grammars/PYSEC-2022-43076.yaml b/vulns/d8s-grammars/PYSEC-2022-43076.yaml index 5413499b..4d659462 100644 --- a/vulns/d8s-grammars/PYSEC-2022-43076.yaml +++ b/vulns/d8s-grammars/PYSEC-2022-43076.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2022-43076 -modified: 2024-11-21T14:22:42.333517Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38884 -details: The d8s-grammars for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-strings - package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-grammars purl: pkg:pypi/d8s-grammars ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 
@@ -24,9 +16,14 @@ affected: - 0.5.1 - 0.5.2 - 0.6.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38884 +details: The d8s-grammars for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-strings + package. The affected version is 0.1.0. +id: PYSEC-2022-43076 +modified: '2024-11-21T14:22:42.333517Z' +published: '2022-09-19T16:15:00Z' references: - type: EVIDENCE url: https://github.com/democritus-project/d8s-grammars/issues/6 @@ -36,3 +33,7 @@ references: url: https://pypi.org/project/d8s-grammars/ - type: PACKAGE url: https://pypi.org/project/democritus-strings/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-ip-addresses/PYSEC-2022-43077.yaml b/vulns/d8s-ip-addresses/PYSEC-2022-43077.yaml index ba60bd45..065a93c0 100644 --- a/vulns/d8s-ip-addresses/PYSEC-2022-43077.yaml +++ b/vulns/d8s-ip-addresses/PYSEC-2022-43077.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2022-43077 -modified: 2024-11-21T14:22:42.385746Z -published: 2022-10-11T22:15:00Z -aliases: -- CVE-2022-42038 -details: The d8s-ip-addresses package for Python, as distributed on PyPI, included - a potential code-execution backdoor inserted by a third party. The backdoor is the - democritus-csv package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-ip-addresses purl: pkg:pypi/d8s-ip-addresses ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 
@@ -24,9 +16,14 @@ affected: - 0.5.1 - 0.5.2 - 0.6.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-42038 +details: The d8s-ip-addresses package for Python, as distributed on PyPI, included + a potential code-execution backdoor inserted by a third party. The backdoor is the + democritus-csv package. The affected version is 0.1.0. +id: PYSEC-2022-43077 +modified: '2024-11-21T14:22:42.385746Z' +published: '2022-10-11T22:15:00Z' references: - type: EVIDENCE url: https://github.com/democritus-project/d8s-ip-addresses/issues/14 @@ -36,3 +33,7 @@ references: url: https://pypi.org/project/d8s-ip-addresses/ - type: PACKAGE url: https://pypi.org/project/democritus-csv/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-json/PYSEC-2022-43078.yaml b/vulns/d8s-json/PYSEC-2022-43078.yaml index 759515a0..63606aa5 100644 --- a/vulns/d8s-json/PYSEC-2022-43078.yaml +++ b/vulns/d8s-json/PYSEC-2022-43078.yaml 
@@ -1,28 +1,25 @@ -id: PYSEC-2022-43078 -modified: 2024-11-21T14:22:42.439723Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38882 -details: The d8s-json for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-strings package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-json purl: pkg:pypi/d8s-json ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 - 0.2.1 - 0.3.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38882 +details: The d8s-json for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-strings package. + The affected version is 0.1.0. +id: PYSEC-2022-43078 +modified: '2024-11-21T14:22:42.439723Z' +published: '2022-09-19T16:15:00Z' references: - type: EVIDENCE url: https://github.com/democritus-project/d8s-json/issues/9 @@ -32,3 +29,7 @@ references: url: https://pypi.org/project/democritus-strings/ - type: PACKAGE url: https://pypi.org/project/d8s-json/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-math/PYSEC-2022-43079.yaml b/vulns/d8s-math/PYSEC-2022-43079.yaml index 64c423a9..37b3769a 100644 --- a/vulns/d8s-math/PYSEC-2022-43079.yaml +++ b/vulns/d8s-math/PYSEC-2022-43079.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2022-43079 -modified: 2024-11-21T14:22:42.499117Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38883 -details: The d8s-math for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-strings package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-math purl: pkg:pypi/d8s-math ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -25,9 +17,14 @@ affected: - 0.5.2 - 0.6.0 - 0.7.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38883 +details: The d8s-math for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-strings package. + The affected version is 0.1.0. +id: PYSEC-2022-43079 +modified: '2024-11-21T14:22:42.499117Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-strings/ @@ -37,3 +34,7 @@ references: url: https://github.com/democritus-project/d8s-math/issues/11 - type: REPORT url: https://github.com/democritus-project/d8s-math/issues/11 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-netstrings/PYSEC-2022-43080.yaml b/vulns/d8s-netstrings/PYSEC-2022-43080.yaml index c07da8da..f6067b75 100644 --- a/vulns/d8s-netstrings/PYSEC-2022-43080.yaml +++ b/vulns/d8s-netstrings/PYSEC-2022-43080.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2022-43080 -modified: 2024-11-21T14:22:42.556543Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38885 -details: The d8s-netstrings for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-strings - package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-netstrings purl: pkg:pypi/d8s-netstrings ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -23,9 +15,14 @@ affected: - 0.5.0 - 0.5.1 - 0.5.2 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38885 +details: The d8s-netstrings for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-strings + package. The affected version is 0.1.0. +id: PYSEC-2022-43080 +modified: '2024-11-21T14:22:42.556543Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-netstrings/ @@ -35,3 +32,7 @@ references: url: https://github.com/democritus-project/d8s-netstrings/issues/4 - type: PACKAGE url: https://pypi.org/project/democritus-strings/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-networking/PYSEC-2022-43081.yaml b/vulns/d8s-networking/PYSEC-2022-43081.yaml index ca675a82..e07dfdc7 100644 --- a/vulns/d8s-networking/PYSEC-2022-43081.yaml +++ b/vulns/d8s-networking/PYSEC-2022-43081.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2022-43081 -modified: 2024-11-21T14:22:42.613124Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44050 -details: The d8s-networking for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. A potential code execution backdoor - inserted by third parties is the democritus-json package. The affected version of - d8s-htm is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-networking purl: pkg:pypi/d8s-networking ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -23,9 +14,15 @@ affected: - 0.4.0 - 0.4.1 - 0.4.2 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44050 +details: The d8s-networking for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. A potential code execution backdoor + inserted by third parties is the democritus-json package. The affected version of + d8s-htm is 0.1.0. +id: PYSEC-2022-43081 +modified: '2024-11-21T14:22:42.613124Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-networking/ @@ -33,3 +30,7 @@ references: url: https://github.com/dadadadada111/info/issues/14 - type: PACKAGE url: https://pypi.org/project/democritus-json/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-networking/PYSEC-2022-43082.yaml b/vulns/d8s-networking/PYSEC-2022-43082.yaml index e5825878..3cd80b72 100644 --- a/vulns/d8s-networking/PYSEC-2022-43082.yaml +++ b/vulns/d8s-networking/PYSEC-2022-43082.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2022-43082 -modified: 2024-11-21T14:22:42.668916Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44053 -details: The d8s-networking for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. A potential code execution backdoor - inserted by third parties is the democritus-user-agents package. The affected version - of d8s-htm is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-networking purl: pkg:pypi/d8s-networking ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -23,9 +14,15 @@ affected: - 0.4.0 - 0.4.1 - 0.4.2 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44053 +details: The d8s-networking for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. A potential code execution backdoor + inserted by third parties is the democritus-user-agents package. The affected version + of d8s-htm is 0.1.0. +id: PYSEC-2022-43082 +modified: '2024-11-21T14:22:42.668916Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-networking/ @@ -33,3 +30,7 @@ references: url: https://pypi.org/project/democritus-user-agents/ - type: REPORT url: https://github.com/dadadadada111/info/issues/17 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-python/PYSEC-2022-43083.yaml b/vulns/d8s-python/PYSEC-2022-43083.yaml index fb521c1a..0f78449c 100644 --- a/vulns/d8s-python/PYSEC-2022-43083.yaml +++ b/vulns/d8s-python/PYSEC-2022-43083.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2022-43083 -modified: 2024-11-21T14:22:42.723606Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38887 -details: The d8s-python for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The democritus-strings package. The affected - version is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-python purl: pkg:pypi/d8s-python ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -30,9 +22,14 @@ affected: - 0.7.0 - 0.8.0 - 0.9.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38887 +details: The d8s-python for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The democritus-strings package. The affected + version is 0.1.0. +id: PYSEC-2022-43083 +modified: '2024-11-21T14:22:42.723606Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-python/ @@ -42,3 +39,7 @@ references: url: https://github.com/democritus-project/d8s-python/issues/36 - type: REPORT url: https://github.com/democritus-project/d8s-python/issues/36 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-python/PYSEC-2022-43084.yaml b/vulns/d8s-python/PYSEC-2022-43084.yaml index bc4a751f..c052f6df 100644 --- a/vulns/d8s-python/PYSEC-2022-43084.yaml +++ b/vulns/d8s-python/PYSEC-2022-43084.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2022-43084 -modified: 2024-11-21T14:22:42.776996Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-43305 -details: The d8s-python for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-algorithms package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-python purl: pkg:pypi/d8s-python ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -31,9 +22,15 @@ affected: - 0.7.0 - 0.8.0 - 0.9.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-43305 +details: The d8s-python for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-algorithms package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43084 +modified: '2024-11-21T14:22:42.776996Z' +published: '2022-11-07T15:15:00Z' references: - type: REPORT url: https://github.com/dadadadada111/info/issues/10 @@ -41,3 +38,7 @@ references: url: https://pypi.org/project/d8s-python/ - type: PACKAGE url: https://pypi.org/project/democritus-algorithms/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-python/PYSEC-2022-43085.yaml b/vulns/d8s-python/PYSEC-2022-43085.yaml index de1911d8..1cdd5100 100644 --- a/vulns/d8s-python/PYSEC-2022-43085.yaml +++ b/vulns/d8s-python/PYSEC-2022-43085.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2022-43085 -modified: 2024-11-21T14:22:42.829791Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44049 -details: The d8s-python for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-grammars package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-python purl: pkg:pypi/d8s-python ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -31,9 +22,15 @@ affected: - 0.7.0 - 0.8.0 - 0.9.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44049 +details: The d8s-python for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-grammars package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43085 +modified: '2024-11-21T14:22:42.829791Z' +published: '2022-11-07T15:15:00Z' references: - type: REPORT url: https://github.com/dadadadada111/info/issues/13 @@ -41,3 +38,7 @@ references: url: https://pypi.org/project/d8s-python/ - type: PACKAGE url: https://pypi.org/project/democritus-grammars/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-stats/PYSEC-2022-43086.yaml b/vulns/d8s-stats/PYSEC-2022-43086.yaml index 614f99ed..321cd6fa 100644 --- a/vulns/d8s-stats/PYSEC-2022-43086.yaml +++ b/vulns/d8s-stats/PYSEC-2022-43086.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2022-43086 -modified: 2024-11-21T14:22:42.892924Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44051 -details: The d8s-stats for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-math package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-stats purl: pkg:pypi/d8s-stats ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -24,9 +15,15 @@ affected: - 0.4.1 - 0.4.2 - 0.5.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44051 +details: The d8s-stats for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-math package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43086 +modified: '2024-11-21T14:22:42.892924Z' +published: '2022-11-07T15:15:00Z' references: - type: REPORT url: https://github.com/dadadadada111/info/issues/15 @@ -34,3 +31,7 @@ references: url: https://pypi.org/project/d8s-stats/ - type: PACKAGE url: https://pypi.org/project/democritus-math/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-strings/PYSEC-2022-43087.yaml b/vulns/d8s-strings/PYSEC-2022-43087.yaml index 143ed246..06e9e719 100644 --- a/vulns/d8s-strings/PYSEC-2022-43087.yaml +++ b/vulns/d8s-strings/PYSEC-2022-43087.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2022-43087 -modified: 2024-11-21T14:22:42.944804Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-40432 -details: The d8s-strings for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis - package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-strings purl: pkg:pypi/d8s-strings ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -23,9 +15,14 @@ affected: - 0.3.0 - 0.4.0 - 0.5.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40432 +details: The d8s-strings for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis + package. The affected version is 0.1.0. +id: PYSEC-2022-43087 +modified: '2024-11-21T14:22:42.944804Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-strings/ @@ -35,3 +32,7 @@ references: url: https://github.com/democritus-project/d8s-strings/issues/21 - type: REPORT url: https://github.com/democritus-project/d8s-strings/issues/21 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-strings/PYSEC-2022-43088.yaml b/vulns/d8s-strings/PYSEC-2022-43088.yaml index 1bb069a0..3db45e78 100644 --- a/vulns/d8s-strings/PYSEC-2022-43088.yaml +++ b/vulns/d8s-strings/PYSEC-2022-43088.yaml 
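Review bot: Withdrawing PYSEC-2022-43087 leaves the cause of the over-matching in place: the range in the first hunk still reads `introduced: '0'` with no closing event, and `versions` runs from 0.1.0 to 0.5.0 although `details` says the affected version is 0.1.0. Once `withdrawn` is set, scanners that honour it stop reporting d8s-strings altogether, including the release the advisory text names. Before the record is reinstated the range needs an upper bound, for example `- last_affected: 0.1.0` after the `introduced` event, with `versions` trimmed to match. Whether 0.1.0 is really the only affected release should be checked against the linked report. The other d8s-* records in this patch have the same shape.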
@@ -1,21 +1,12 @@ -id: PYSEC-2022-43088 -modified: 2024-11-21T14:22:42.994084Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-43303 -details: The d8s-strings for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. A potential code execution backdoor - inserted by third parties is the democritus-uuids package. The affected version - of d8s-htm is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-strings purl: pkg:pypi/d8s-strings ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -24,9 +15,15 @@ affected: - 0.3.0 - 0.4.0 - 0.5.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-43303 +details: The d8s-strings for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. A potential code execution backdoor + inserted by third parties is the democritus-uuids package. The affected version + of d8s-htm is 0.1.0. +id: PYSEC-2022-43088 +modified: '2024-11-21T14:22:42.994084Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-strings/ @@ -34,3 +31,7 @@ references: url: https://pypi.org/project/democritus-uuids/ - type: REPORT url: https://github.com/dadadadada111/info/issues/8 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-timer/PYSEC-2022-43089.yaml b/vulns/d8s-timer/PYSEC-2022-43089.yaml index 8e9a42f8..332f9415 100644 --- a/vulns/d8s-timer/PYSEC-2022-43089.yaml +++ b/vulns/d8s-timer/PYSEC-2022-43089.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2022-43089 -modified: 2024-11-21T14:22:43.045759Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-43304 -details: The d8s-timer for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-uuids package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-timer purl: pkg:pypi/d8s-timer ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -24,9 +15,15 @@ affected: - 0.4.1 - 0.4.2 - 0.5.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-43304 +details: The d8s-timer for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-uuids package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43089 +modified: '2024-11-21T14:22:43.045759Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-uuids/ @@ -34,3 +31,7 @@ references: url: https://pypi.org/project/d8s-timer/ - type: REPORT url: https://github.com/dadadadada111/info/issues/9 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-timer/PYSEC-2022-43090.yaml b/vulns/d8s-timer/PYSEC-2022-43090.yaml index 6eb089f9..058e12dc 100644 --- a/vulns/d8s-timer/PYSEC-2022-43090.yaml +++ b/vulns/d8s-timer/PYSEC-2022-43090.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2022-43090 -modified: 2024-11-21T14:22:43.097689Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-43306 -details: The d8s-timer for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-dates package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-timer purl: pkg:pypi/d8s-timer ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -24,9 +15,15 @@ affected: - 0.4.1 - 0.4.2 - 0.5.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-43306 +details: The d8s-timer for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-dates package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43090 +modified: '2024-11-21T14:22:43.097689Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-dates/ @@ -34,3 +31,7 @@ references: url: https://github.com/dadadadada111/info/issues/11 - type: PACKAGE url: https://pypi.org/project/d8s-timer/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-urls/PYSEC-2022-43091.yaml b/vulns/d8s-urls/PYSEC-2022-43091.yaml index fd309fcf..6b6dd4dd 100644 --- a/vulns/d8s-urls/PYSEC-2022-43091.yaml +++ b/vulns/d8s-urls/PYSEC-2022-43091.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2022-43091 -modified: 2024-11-21T14:22:43.149086Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44048 -details: The d8s-urls for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-domains package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-urls purl: pkg:pypi/d8s-urls ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -25,9 +16,15 @@ affected: - 0.5.1 - 0.5.2 - 0.6.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44048 +details: The d8s-urls for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-domains package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43091 +modified: '2024-11-21T14:22:43.149086Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-urls/ @@ -35,3 +32,7 @@ references: url: https://github.com/dadadadada111/info/issues/12 - type: PACKAGE url: https://pypi.org/project/democritus-domains/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-xml/PYSEC-2022-43092.yaml b/vulns/d8s-xml/PYSEC-2022-43092.yaml index 2be33975..ec6cead0 100644 --- a/vulns/d8s-xml/PYSEC-2022-43092.yaml +++ b/vulns/d8s-xml/PYSEC-2022-43092.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2022-43092 -modified: 2024-11-21T14:22:43.200942Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38886 -details: The d8s-xml for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-strings package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-xml purl: pkg:pypi/d8s-xml ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -26,9 +18,14 @@ affected: - 0.6.0 - 0.7.0 - 0.8.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38886 +details: The d8s-xml for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-strings package. + The affected version is 0.1.0. +id: PYSEC-2022-43092 +modified: '2024-11-21T14:22:43.200942Z' +published: '2022-09-19T16:15:00Z' references: - type: EVIDENCE url: https://github.com/democritus-project/d8s-xml/issues/10 @@ -38,3 +35,7 @@ references: url: https://pypi.org/project/democritus-strings/ - type: PACKAGE url: https://pypi.org/project/d8s-xml/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/d8s-xml/PYSEC-2022-43093.yaml b/vulns/d8s-xml/PYSEC-2022-43093.yaml index 910d8112..5b0b29c7 100644 --- a/vulns/d8s-xml/PYSEC-2022-43093.yaml +++ b/vulns/d8s-xml/PYSEC-2022-43093.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2022-43093 -modified: 2024-11-21T14:22:43.253271Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44054 -details: The d8s-xml for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-utility package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: d8s-xml purl: pkg:pypi/d8s-xml ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 @@ -27,9 +18,15 @@ affected: - 0.6.0 - 0.7.0 - 0.8.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44054 +details: The d8s-xml for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-utility package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43093 +modified: '2024-11-21T14:22:43.253271Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-utility/ @@ -41,3 +38,7 @@ references: url: https://pypi.org/project/d8s-xml/ - type: REPORT url: https://github.com/dadadadada111/info/issues/18 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-algorithms/PYSEC-2022-43094.yaml b/vulns/democritus-algorithms/PYSEC-2022-43094.yaml index 25840829..4418f072 100644 --- a/vulns/democritus-algorithms/PYSEC-2022-43094.yaml +++ b/vulns/democritus-algorithms/PYSEC-2022-43094.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43094 -modified: 2024-11-21T14:22:43.361191Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-43305 -details: The d8s-python for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-algorithms package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-algorithms purl: pkg:pypi/democritus-algorithms ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21b0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-43305 +details: The d8s-python for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-algorithms package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43094 +modified: '2024-11-21T14:22:43.361191Z' +published: '2022-11-07T15:15:00Z' references: - type: REPORT url: https://github.com/dadadadada111/info/issues/10 @@ -28,3 +25,7 @@ references: url: https://pypi.org/project/d8s-python/ - type: PACKAGE url: https://pypi.org/project/democritus-algorithms/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-csv/PYSEC-2022-43095.yaml b/vulns/democritus-csv/PYSEC-2022-43095.yaml index d8be12bd..7891f8ea 100644 --- a/vulns/democritus-csv/PYSEC-2022-43095.yaml +++ b/vulns/democritus-csv/PYSEC-2022-43095.yaml 
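Review bot: PYSEC-2022-43094 is filed against `democritus-algorithms`, but its `details` text describes d8s-python and a 0.1.0 release of "d8s-htm", while the only entry under `versions` is 2021.1.21b0. It also carries the same alias, CVE-2022-43305, as PYSEC-2022-43084 earlier in this patch. Two ids for one CVE with contradictory package and version data are hard for consumers to reconcile. When these records are revisited, consider a single record with one `affected` entry per package and a `details` text that names the package it is attached to. The pairs PYSEC-2022-43090/43096 (CVE-2022-43306), 43091/43097 (CVE-2022-44048), 43085/43100 (CVE-2022-44049) and 43087/43101 (CVE-2022-40432) look the same.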
@@ -1,25 +1,22 @@ -id: PYSEC-2022-43095 -modified: 2024-11-21T14:22:43.41112Z -published: 2022-10-11T22:15:00Z -aliases: -- CVE-2022-42038 -details: The d8s-ip-addresses package for Python, as distributed on PyPI, included - a potential code-execution backdoor inserted by a third party. The backdoor is the - democritus-csv package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-csv purl: pkg:pypi/democritus-csv ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-42038 +details: The d8s-ip-addresses package for Python, as distributed on PyPI, included + a potential code-execution backdoor inserted by a third party. The backdoor is the + democritus-csv package. The affected version is 0.1.0. +id: PYSEC-2022-43095 +modified: '2024-11-21T14:22:43.41112Z' +published: '2022-10-11T22:15:00Z' references: - type: EVIDENCE url: https://github.com/democritus-project/d8s-ip-addresses/issues/14 @@ -29,3 +26,7 @@ references: url: https://pypi.org/project/d8s-ip-addresses/ - type: PACKAGE url: https://pypi.org/project/democritus-csv/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-dates/PYSEC-2022-43096.yaml b/vulns/democritus-dates/PYSEC-2022-43096.yaml index 8ca4c9f4..4c7bd595 100644 --- a/vulns/democritus-dates/PYSEC-2022-43096.yaml +++ b/vulns/democritus-dates/PYSEC-2022-43096.yaml 
@@ -1,28 +1,25 @@ -id: PYSEC-2022-43096 -modified: 2024-11-21T14:22:43.46136Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-43306 -details: The d8s-timer for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-dates package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-dates purl: pkg:pypi/democritus-dates ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.25 - 2021.2.11 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-43306 +details: The d8s-timer for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-dates package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43096 +modified: '2024-11-21T14:22:43.46136Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-dates/ @@ -30,3 +27,7 @@ references: url: https://github.com/dadadadada111/info/issues/11 - type: PACKAGE url: https://pypi.org/project/d8s-timer/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-domains/PYSEC-2022-43097.yaml b/vulns/democritus-domains/PYSEC-2022-43097.yaml index afc99152..1915fb31 100644 --- a/vulns/democritus-domains/PYSEC-2022-43097.yaml +++ b/vulns/democritus-domains/PYSEC-2022-43097.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43097 -modified: 2024-11-21T14:22:43.511664Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44048 -details: The d8s-urls for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-domains package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-domains purl: pkg:pypi/democritus-domains ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44048 +details: The d8s-urls for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-domains package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43097 +modified: '2024-11-21T14:22:43.511664Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-urls/ @@ -28,3 +25,7 @@ references: url: https://github.com/dadadadada111/info/issues/12 - type: PACKAGE url: https://pypi.org/project/democritus-domains/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-file-system/PYSEC-2022-43098.yaml b/vulns/democritus-file-system/PYSEC-2022-43098.yaml index 07499592..21b97038 100644 --- a/vulns/democritus-file-system/PYSEC-2022-43098.yaml +++ b/vulns/democritus-file-system/PYSEC-2022-43098.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43098 -modified: 2024-11-21T14:22:43.564135Z -published: 2022-09-19T15:15:00Z -aliases: -- CVE-2022-40811 -details: The d8s-urls for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-file-system package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-file-system purl: pkg:pypi/democritus-file-system ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.27 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40811 +details: The d8s-urls for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-file-system package. + The affected version is 0.1.0. +id: PYSEC-2022-43098 +modified: '2024-11-21T14:22:43.564135Z' +published: '2022-09-19T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-file-system/ @@ -28,3 +25,7 @@ references: url: https://github.com/democritus-project/d8s-urls/issues/11 - type: REPORT url: https://github.com/democritus-project/d8s-urls/issues/11 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-file-system/PYSEC-2022-43099.yaml b/vulns/democritus-file-system/PYSEC-2022-43099.yaml index d9572cca..41763c91 100644 --- a/vulns/democritus-file-system/PYSEC-2022-43099.yaml +++ b/vulns/democritus-file-system/PYSEC-2022-43099.yaml 
@@ -1,28 +1,29 @@ -id: PYSEC-2022-43099 -modified: 2024-11-21T14:22:43.616362Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-40812 -details: The d8s-pdfs for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-file-system package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-file-system purl: pkg:pypi/democritus-file-system ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.27 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40812 +details: The d8s-pdfs for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-file-system package. + The affected version is 0.1.0. +id: PYSEC-2022-43099 +modified: '2024-11-21T14:22:43.616362Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-file-system/ - type: REPORT url: https://github.com/democritus-project/d8s-pdfs/issues/6 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-grammars/PYSEC-2022-43100.yaml b/vulns/democritus-grammars/PYSEC-2022-43100.yaml index 159c3ca1..c0446f62 100644 --- a/vulns/democritus-grammars/PYSEC-2022-43100.yaml +++ b/vulns/democritus-grammars/PYSEC-2022-43100.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43100 -modified: 2024-11-21T14:22:43.665816Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44049 -details: The d8s-python for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-grammars package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-grammars purl: pkg:pypi/democritus-grammars ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44049 +details: The d8s-python for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-grammars package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43100 +modified: '2024-11-21T14:22:43.665816Z' +published: '2022-11-07T15:15:00Z' references: - type: REPORT url: https://github.com/dadadadada111/info/issues/13 @@ -28,3 +25,7 @@ references: url: https://pypi.org/project/d8s-python/ - type: PACKAGE url: https://pypi.org/project/democritus-grammars/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-hypothesis/PYSEC-2022-43101.yaml b/vulns/democritus-hypothesis/PYSEC-2022-43101.yaml index 56e45dff..a3344129 100644 --- a/vulns/democritus-hypothesis/PYSEC-2022-43101.yaml +++ b/vulns/democritus-hypothesis/PYSEC-2022-43101.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43101 -modified: 2024-11-21T14:22:43.716069Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-40432 -details: The d8s-strings for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis - package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-hypothesis purl: pkg:pypi/democritus-hypothesis ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.21b0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40432 +details: The d8s-strings for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis + package. The affected version is 0.1.0. +id: PYSEC-2022-43101 +modified: '2024-11-21T14:22:43.716069Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-strings/ @@ -30,3 +27,7 @@ references: url: https://github.com/democritus-project/d8s-strings/issues/21 - type: REPORT url: https://github.com/democritus-project/d8s-strings/issues/21 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-hypothesis/PYSEC-2022-43102.yaml b/vulns/democritus-hypothesis/PYSEC-2022-43102.yaml index 9af2cd1a..bb70b8cc 100644 --- a/vulns/democritus-hypothesis/PYSEC-2022-43102.yaml +++ b/vulns/democritus-hypothesis/PYSEC-2022-43102.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43102 -modified: 2024-11-21T14:22:43.766564Z -published: 2022-09-19T15:15:00Z -aliases: -- CVE-2022-40805 -details: The d8s-urls for python 0.1.0, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. A potential code execution backdoor - inserted by third parties is the democritus-hypothesis package. affected: - package: ecosystem: PyPI name: democritus-hypothesis purl: pkg:pypi/democritus-hypothesis ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.21b0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40805 +details: The d8s-urls for python 0.1.0, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. A potential code execution backdoor + inserted by third parties is the democritus-hypothesis package. +id: PYSEC-2022-43102 +modified: '2024-11-21T14:22:43.766564Z' +published: '2022-09-19T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-hypothesis/ @@ -28,3 +25,7 @@ references: url: https://github.com/democritus-project/d8s-urls/issues/10 - type: REPORT url: https://github.com/democritus-project/d8s-urls/issues/10 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-hypothesis/PYSEC-2022-43103.yaml b/vulns/democritus-hypothesis/PYSEC-2022-43103.yaml index 58c790d6..d4ebfc6b 100644 --- a/vulns/democritus-hypothesis/PYSEC-2022-43103.yaml +++ b/vulns/democritus-hypothesis/PYSEC-2022-43103.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43103 -modified: 2024-11-21T14:22:43.817031Z -published: 2022-09-19T15:15:00Z -aliases: -- CVE-2022-40806 -details: The d8s-uuids for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. - The affected version is 0.1.0 affected: - package: ecosystem: PyPI name: democritus-hypothesis purl: pkg:pypi/democritus-hypothesis ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.21b0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40806 +details: The d8s-uuids for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. + The affected version is 0.1.0 +id: PYSEC-2022-43103 +modified: '2024-11-21T14:22:43.817031Z' +published: '2022-09-19T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-hypothesis/ @@ -28,3 +25,7 @@ references: url: https://github.com/democritus-project/d8s-uuids/issues/5 - type: REPORT url: https://github.com/democritus-project/d8s-uuids/issues/5 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-hypothesis/PYSEC-2022-43104.yaml b/vulns/democritus-hypothesis/PYSEC-2022-43104.yaml index be0b1e95..aef0f3f1 100644 --- a/vulns/democritus-hypothesis/PYSEC-2022-43104.yaml +++ b/vulns/democritus-hypothesis/PYSEC-2022-43104.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43104 -modified: 2024-11-21T14:22:43.865878Z -published: 2022-09-19T15:15:00Z -aliases: -- CVE-2022-40807 -details: The d8s-domains for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis - package. The affected version is 0.1.0 affected: - package: ecosystem: PyPI name: democritus-hypothesis purl: pkg:pypi/democritus-hypothesis ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.21b0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40807 +details: The d8s-domains for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis + package. The affected version is 0.1.0 +id: PYSEC-2022-43104 +modified: '2024-11-21T14:22:43.865878Z' +published: '2022-09-19T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-hypothesis/ @@ -28,3 +25,7 @@ references: url: https://github.com/democritus-project/d8s-domains/issues/8 - type: REPORT url: https://github.com/democritus-project/d8s-domains/issues/8 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-hypothesis/PYSEC-2022-43105.yaml b/vulns/democritus-hypothesis/PYSEC-2022-43105.yaml index b5733994..336bcde3 100644 --- a/vulns/democritus-hypothesis/PYSEC-2022-43105.yaml +++ b/vulns/democritus-hypothesis/PYSEC-2022-43105.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43105 -modified: 2024-11-21T14:22:43.915613Z -published: 2022-09-19T15:15:00Z -aliases: -- CVE-2022-40808 -details: The d8s-dates for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. - The affected version is 0.1.0 affected: - package: ecosystem: PyPI name: democritus-hypothesis purl: pkg:pypi/democritus-hypothesis ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.21b0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40808 +details: The d8s-dates for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. + The affected version is 0.1.0 +id: PYSEC-2022-43105 +modified: '2024-11-21T14:22:43.915613Z' +published: '2022-09-19T15:15:00Z' references: - type: EVIDENCE url: https://github.com/democritus-project/d8s-dates/issues/26 @@ -28,3 +25,7 @@ references: url: https://github.com/democritus-project/d8s-dates/issues/26 - type: PACKAGE url: https://pypi.org/project/democritus-hypothesis/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-hypothesis/PYSEC-2022-43106.yaml b/vulns/democritus-hypothesis/PYSEC-2022-43106.yaml index ac3b7127..52f13230 100644 --- a/vulns/democritus-hypothesis/PYSEC-2022-43106.yaml +++ b/vulns/democritus-hypothesis/PYSEC-2022-43106.yaml 
@@ -1,28 +1,29 @@ -id: PYSEC-2022-43106 -modified: 2024-11-21T14:22:43.965654Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-40809 -details: The d8s-dicts for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. - The affected version is 0.1.0 affected: - package: ecosystem: PyPI name: democritus-hypothesis purl: pkg:pypi/democritus-hypothesis ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.21b0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40809 +details: The d8s-dicts for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. + The affected version is 0.1.0 +id: PYSEC-2022-43106 +modified: '2024-11-21T14:22:43.965654Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-hypothesis/ - type: REPORT url: https://github.com/democritus-project/d8s-dicts/issues/6 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-hypothesis/PYSEC-2022-43107.yaml b/vulns/democritus-hypothesis/PYSEC-2022-43107.yaml index 3c572398..a20740b3 100644 --- a/vulns/democritus-hypothesis/PYSEC-2022-43107.yaml +++ b/vulns/democritus-hypothesis/PYSEC-2022-43107.yaml 
@@ -1,28 +1,29 @@ -id: PYSEC-2022-43107 -modified: 2024-11-21T14:22:44.021497Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-40810 -details: The d8s-ip-addresses for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis - package. The affected version is 0.1.0 affected: - package: ecosystem: PyPI name: democritus-hypothesis purl: pkg:pypi/democritus-hypothesis ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.21b0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40810 +details: The d8s-ip-addresses for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis + package. The affected version is 0.1.0 +id: PYSEC-2022-43107 +modified: '2024-11-21T14:22:44.021497Z' +published: '2022-09-19T16:15:00Z' references: - type: REPORT url: https://github.com/democritus-project/d8s-ip-addresses/issues/13 - type: PACKAGE url: https://pypi.org/project/democritus-hypothesis/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-json/PYSEC-2022-43108.yaml b/vulns/democritus-json/PYSEC-2022-43108.yaml index 05a27097..dc868f01 100644 --- a/vulns/democritus-json/PYSEC-2022-43108.yaml +++ b/vulns/democritus-json/PYSEC-2022-43108.yaml 
@@ -1,27 +1,24 @@ -id: PYSEC-2022-43108 -modified: 2024-11-21T14:22:44.072231Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44050 -details: The d8s-networking for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. A potential code execution backdoor - inserted by third parties is the democritus-json package. The affected version of - d8s-htm is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-json purl: pkg:pypi/democritus-json ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.25 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44050 +details: The d8s-networking for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. A potential code execution backdoor + inserted by third parties is the democritus-json package. The affected version of + d8s-htm is 0.1.0. +id: PYSEC-2022-43108 +modified: '2024-11-21T14:22:44.072231Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-networking/ @@ -29,3 +26,7 @@ references: url: https://github.com/dadadadada111/info/issues/14 - type: PACKAGE url: https://pypi.org/project/democritus-json/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-math/PYSEC-2022-43109.yaml b/vulns/democritus-math/PYSEC-2022-43109.yaml index 8231108e..42341944 100644 --- a/vulns/democritus-math/PYSEC-2022-43109.yaml +++ b/vulns/democritus-math/PYSEC-2022-43109.yaml 
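Review bot: The `details` text carried over in the first hunk of PYSEC-2022-43108 does not match the record it sits in. It names d8s-networking and "d8s-htm" at version 0.1.0, while `affected` lists `democritus-json` with versions `2021.1.21` and `2021.1.25`. After this commit the file still gives no reason for the withdrawal, so a reader cannot tell whether the range, the package attribution or the whole report was at fault. If the tooling preserves comments, a line above `withdrawn:` such as `# withdrawn: unbounded range from bulk import, see #205 and #207` would record it; otherwise say so in `details`. The same "d8s-htm" wording appears in PYSEC-2022-43109 and PYSEC-2022-43126.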
@@ -1,29 +1,26 @@ -id: PYSEC-2022-43109 -modified: 2024-11-21T14:22:44.122837Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44051 -details: The d8s-stats for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-math package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-math purl: pkg:pypi/democritus-math ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.25 - 2021.1.28 - 2021.1.28.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44051 +details: The d8s-stats for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-math package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43109 +modified: '2024-11-21T14:22:44.122837Z' +published: '2022-11-07T15:15:00Z' references: - type: REPORT url: https://github.com/dadadadada111/info/issues/15 @@ -31,3 +28,7 @@ references: url: https://pypi.org/project/d8s-stats/ - type: PACKAGE url: https://pypi.org/project/democritus-math/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-networking/PYSEC-2022-43110.yaml b/vulns/democritus-networking/PYSEC-2022-43110.yaml index cc6faa98..8b8fec18 100644 --- a/vulns/democritus-networking/PYSEC-2022-43110.yaml +++ b/vulns/democritus-networking/PYSEC-2022-43110.yaml 
@@ -1,28 +1,25 @@ -id: PYSEC-2022-43110 -modified: 2024-11-21T14:22:44.173987Z -published: 2022-09-19T15:15:00Z -aliases: -- CVE-2022-40424 -details: The d8s-urls for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-networking package. The affected version of d8s-urls - is 0.1.0 affected: - package: ecosystem: PyPI name: democritus-networking purl: pkg:pypi/democritus-networking ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2023.1.21 - 2023.1.22 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40424 +details: The d8s-urls for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-networking package. The affected version of d8s-urls + is 0.1.0 +id: PYSEC-2022-43110 +modified: '2024-11-21T14:22:44.173987Z' +published: '2022-09-19T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-networking/ @@ -30,3 +27,7 @@ references: url: https://github.com/democritus-project/d8s-urls/issues/9 - type: REPORT url: https://github.com/democritus-project/d8s-urls/issues/9 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-networking/PYSEC-2022-43111.yaml b/vulns/democritus-networking/PYSEC-2022-43111.yaml index 16ac9c1d..438f1430 100644 --- a/vulns/democritus-networking/PYSEC-2022-43111.yaml +++ b/vulns/democritus-networking/PYSEC-2022-43111.yaml 
@@ -1,27 +1,24 @@ -id: PYSEC-2022-43111 -modified: 2024-11-21T14:22:44.226888Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-40425 -details: The d8s-html for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-networking package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-networking purl: pkg:pypi/democritus-networking ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2023.1.21 - 2023.1.22 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40425 +details: The d8s-html for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-networking package. + The affected version is 0.1.0. +id: PYSEC-2022-43111 +modified: '2024-11-21T14:22:44.226888Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-networking/ @@ -29,3 +26,7 @@ references: url: https://github.com/democritus-project/d8s-html/issues/11 - type: REPORT url: https://github.com/democritus-project/d8s-html/issues/11 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-networking/PYSEC-2022-43112.yaml b/vulns/democritus-networking/PYSEC-2022-43112.yaml index 9022478b..a5411d29 100644 --- a/vulns/democritus-networking/PYSEC-2022-43112.yaml +++ b/vulns/democritus-networking/PYSEC-2022-43112.yaml 
@@ -1,27 +1,24 @@ -id: PYSEC-2022-43112 -modified: 2024-11-21T14:22:44.27716Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-40426 -details: The d8s-asns for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-networking package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-networking purl: pkg:pypi/democritus-networking ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2023.1.21 - 2023.1.22 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40426 +details: The d8s-asns for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-networking package. + The affected version is 0.1.0. +id: PYSEC-2022-43112 +modified: '2024-11-21T14:22:44.27716Z' +published: '2022-09-19T16:15:00Z' references: - type: EVIDENCE url: https://github.com/democritus-project/d8s-asns/issues/8 @@ -29,3 +26,7 @@ references: url: https://github.com/democritus-project/d8s-asns/issues/8 - type: PACKAGE url: https://pypi.org/project/democritus-networking/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-networking/PYSEC-2022-43113.yaml b/vulns/democritus-networking/PYSEC-2022-43113.yaml index 08aaa647..75907be9 100644 --- a/vulns/democritus-networking/PYSEC-2022-43113.yaml +++ b/vulns/democritus-networking/PYSEC-2022-43113.yaml 
@@ -1,27 +1,24 @@ -id: PYSEC-2022-43113 -modified: 2024-11-21T14:22:44.327837Z -published: 2022-09-19T15:15:00Z -aliases: -- CVE-2022-40427 -details: The d8s-domains for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-networking - package. The affected version is 0.1.0 affected: - package: ecosystem: PyPI name: democritus-networking purl: pkg:pypi/democritus-networking ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2023.1.21 - 2023.1.22 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40427 +details: The d8s-domains for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-networking + package. The affected version is 0.1.0 +id: PYSEC-2022-43113 +modified: '2024-11-21T14:22:44.327837Z' +published: '2022-09-19T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-networking/ @@ -29,3 +26,7 @@ references: url: https://github.com/democritus-project/d8s-domains/issues/7 - type: REPORT url: https://github.com/democritus-project/d8s-domains/issues/7 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-networking/PYSEC-2022-43114.yaml b/vulns/democritus-networking/PYSEC-2022-43114.yaml index fe172f40..5c464f26 100644 --- a/vulns/democritus-networking/PYSEC-2022-43114.yaml +++ b/vulns/democritus-networking/PYSEC-2022-43114.yaml 
@@ -1,27 +1,24 @@ -id: PYSEC-2022-43114 -modified: 2024-11-21T14:22:44.376649Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-40428 -details: The d8s-mpeg for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-networking package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-networking purl: pkg:pypi/democritus-networking ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2023.1.21 - 2023.1.22 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40428 +details: The d8s-mpeg for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-networking package. + The affected version is 0.1.0. +id: PYSEC-2022-43114 +modified: '2024-11-21T14:22:44.376649Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-networking/ @@ -29,3 +26,7 @@ references: url: https://github.com/democritus-project/d8s-mpeg/issues/5 - type: REPORT url: https://github.com/democritus-project/d8s-mpeg/issues/5 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-networking/PYSEC-2022-43115.yaml b/vulns/democritus-networking/PYSEC-2022-43115.yaml index 2fb8b129..7834f35a 100644 --- a/vulns/democritus-networking/PYSEC-2022-43115.yaml +++ b/vulns/democritus-networking/PYSEC-2022-43115.yaml 
@@ -1,27 +1,24 @@ -id: PYSEC-2022-43115 -modified: 2024-11-21T14:22:44.428296Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-40429 -details: The d8s-ip-addresses for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-networking - package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-networking purl: pkg:pypi/democritus-networking ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2023.1.21 - 2023.1.22 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40429 +details: The d8s-ip-addresses for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-networking + package. The affected version is 0.1.0. +id: PYSEC-2022-43115 +modified: '2024-11-21T14:22:44.428296Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-networking/ @@ -29,3 +26,7 @@ references: url: https://github.com/democritus-project/d8s-ip-addresses/issues/12 - type: REPORT url: https://github.com/democritus-project/d8s-ip-addresses/issues/12 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-networking/PYSEC-2022-43116.yaml b/vulns/democritus-networking/PYSEC-2022-43116.yaml index 598f4aac..6b3ad7dd 100644 --- a/vulns/democritus-networking/PYSEC-2022-43116.yaml +++ b/vulns/democritus-networking/PYSEC-2022-43116.yaml 
@@ -1,27 +1,24 @@ -id: PYSEC-2022-43116 -modified: 2024-11-21T14:22:44.483759Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-40430 -details: The d8s-utility for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-networking - package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-networking purl: pkg:pypi/democritus-networking ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2023.1.21 - 2023.1.22 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40430 +details: The d8s-utility for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-networking + package. The affected version is 0.1.0. +id: PYSEC-2022-43116 +modified: '2024-11-21T14:22:44.483759Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-networking/ @@ -29,3 +26,7 @@ references: url: https://github.com/democritus-project/d8s-utility/issues/9 - type: REPORT url: https://github.com/democritus-project/d8s-utility/issues/9 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-networking/PYSEC-2022-43117.yaml b/vulns/democritus-networking/PYSEC-2022-43117.yaml index 4e9f912c..1c7d6d17 100644 --- a/vulns/democritus-networking/PYSEC-2022-43117.yaml +++ b/vulns/democritus-networking/PYSEC-2022-43117.yaml 
@@ -1,27 +1,24 @@ -id: PYSEC-2022-43117 -modified: 2024-11-21T14:22:44.53409Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-40431 -details: The d8s-pdfs for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-networking package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-networking purl: pkg:pypi/democritus-networking ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2023.1.21 - 2023.1.22 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-40431 +details: The d8s-pdfs for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-networking package. + The affected version is 0.1.0. +id: PYSEC-2022-43117 +modified: '2024-11-21T14:22:44.53409Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-networking/ @@ -29,3 +26,7 @@ references: url: https://github.com/democritus-project/d8s-pdfs/issues/5 - type: REPORT url: https://github.com/democritus-project/d8s-pdfs/issues/5 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-strings/PYSEC-2022-43118.yaml b/vulns/democritus-strings/PYSEC-2022-43118.yaml index 0bf30ebc..d5726690 100644 --- a/vulns/democritus-strings/PYSEC-2022-43118.yaml +++ b/vulns/democritus-strings/PYSEC-2022-43118.yaml 
@@ -1,24 +1,21 @@ -id: PYSEC-2022-43118 -modified: 2024-11-21T14:22:44.584448Z -published: 2022-09-19T14:15:00Z -aliases: -- CVE-2022-38880 -details: The d8s-urls for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-strings purl: pkg:pypi/democritus-strings ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.28 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38880 +details: The d8s-urls for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The affected version is 0.1.0. +id: PYSEC-2022-43118 +modified: '2024-11-21T14:22:44.584448Z' +published: '2022-09-19T14:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-strings/ @@ -26,3 +23,7 @@ references: url: https://github.com/democritus-project/d8s-urls/issues/8 - type: REPORT url: https://github.com/democritus-project/d8s-urls/issues/8 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-strings/PYSEC-2022-43119.yaml b/vulns/democritus-strings/PYSEC-2022-43119.yaml index 72429300..5bd126ec 100644 --- a/vulns/democritus-strings/PYSEC-2022-43119.yaml +++ b/vulns/democritus-strings/PYSEC-2022-43119.yaml 
@@ -1,25 +1,22 @@ -id: PYSEC-2022-43119 -modified: 2024-11-21T14:22:44.633699Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38881 -details: The d8s-archives for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-strings - package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-strings purl: pkg:pypi/democritus-strings ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.28 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38881 +details: The d8s-archives for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-strings + package. The affected version is 0.1.0. +id: PYSEC-2022-43119 +modified: '2024-11-21T14:22:44.633699Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-archives/ @@ -29,3 +26,7 @@ references: url: https://github.com/democritus-project/d8s-archives/issues/12 - type: REPORT url: https://github.com/democritus-project/d8s-archives/issues/12 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-strings/PYSEC-2022-43120.yaml b/vulns/democritus-strings/PYSEC-2022-43120.yaml index 45a16695..52550591 100644 --- a/vulns/democritus-strings/PYSEC-2022-43120.yaml +++ b/vulns/democritus-strings/PYSEC-2022-43120.yaml 
@@ -1,25 +1,22 @@ -id: PYSEC-2022-43120 -modified: 2024-11-21T14:22:44.684065Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38882 -details: The d8s-json for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-strings package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-strings purl: pkg:pypi/democritus-strings ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.28 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38882 +details: The d8s-json for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-strings package. + The affected version is 0.1.0. +id: PYSEC-2022-43120 +modified: '2024-11-21T14:22:44.684065Z' +published: '2022-09-19T16:15:00Z' references: - type: EVIDENCE url: https://github.com/democritus-project/d8s-json/issues/9 @@ -29,3 +26,7 @@ references: url: https://pypi.org/project/democritus-strings/ - type: PACKAGE url: https://pypi.org/project/d8s-json/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-strings/PYSEC-2022-43121.yaml b/vulns/democritus-strings/PYSEC-2022-43121.yaml index 85303ea0..178b1bd4 100644 --- a/vulns/democritus-strings/PYSEC-2022-43121.yaml +++ b/vulns/democritus-strings/PYSEC-2022-43121.yaml 
@@ -1,25 +1,22 @@ -id: PYSEC-2022-43121 -modified: 2024-11-21T14:22:44.735083Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38883 -details: The d8s-math for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-strings package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-strings purl: pkg:pypi/democritus-strings ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.28 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38883 +details: The d8s-math for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-strings package. + The affected version is 0.1.0. +id: PYSEC-2022-43121 +modified: '2024-11-21T14:22:44.735083Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-strings/ @@ -29,3 +26,7 @@ references: url: https://github.com/democritus-project/d8s-math/issues/11 - type: REPORT url: https://github.com/democritus-project/d8s-math/issues/11 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-strings/PYSEC-2022-43122.yaml b/vulns/democritus-strings/PYSEC-2022-43122.yaml index df22694d..d9e806ad 100644 --- a/vulns/democritus-strings/PYSEC-2022-43122.yaml +++ b/vulns/democritus-strings/PYSEC-2022-43122.yaml 
@@ -1,25 +1,22 @@ -id: PYSEC-2022-43122 -modified: 2024-11-21T14:22:44.785522Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38884 -details: The d8s-grammars for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-strings - package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-strings purl: pkg:pypi/democritus-strings ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.28 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38884 +details: The d8s-grammars for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-strings + package. The affected version is 0.1.0. +id: PYSEC-2022-43122 +modified: '2024-11-21T14:22:44.785522Z' +published: '2022-09-19T16:15:00Z' references: - type: EVIDENCE url: https://github.com/democritus-project/d8s-grammars/issues/6 @@ -29,3 +26,7 @@ references: url: https://pypi.org/project/d8s-grammars/ - type: PACKAGE url: https://pypi.org/project/democritus-strings/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-strings/PYSEC-2022-43123.yaml b/vulns/democritus-strings/PYSEC-2022-43123.yaml index 0c33bd16..45ad6619 100644 --- a/vulns/democritus-strings/PYSEC-2022-43123.yaml +++ b/vulns/democritus-strings/PYSEC-2022-43123.yaml 
@@ -1,25 +1,22 @@ -id: PYSEC-2022-43123 -modified: 2024-11-21T14:22:44.834592Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38885 -details: The d8s-netstrings for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. The backdoor is the democritus-strings - package. The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-strings purl: pkg:pypi/democritus-strings ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.28 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38885 +details: The d8s-netstrings for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. The backdoor is the democritus-strings + package. The affected version is 0.1.0. +id: PYSEC-2022-43123 +modified: '2024-11-21T14:22:44.834592Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-netstrings/ @@ -29,3 +26,7 @@ references: url: https://github.com/democritus-project/d8s-netstrings/issues/4 - type: PACKAGE url: https://pypi.org/project/democritus-strings/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-strings/PYSEC-2022-43124.yaml b/vulns/democritus-strings/PYSEC-2022-43124.yaml index ca93b407..13459a8c 100644 --- a/vulns/democritus-strings/PYSEC-2022-43124.yaml +++ b/vulns/democritus-strings/PYSEC-2022-43124.yaml 
@@ -1,25 +1,22 @@ -id: PYSEC-2022-43124 -modified: 2024-11-21T14:22:44.889277Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38886 -details: The d8s-xml for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The backdoor is the democritus-strings package. - The affected version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-strings purl: pkg:pypi/democritus-strings ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.28 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38886 +details: The d8s-xml for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The backdoor is the democritus-strings package. + The affected version is 0.1.0. +id: PYSEC-2022-43124 +modified: '2024-11-21T14:22:44.889277Z' +published: '2022-09-19T16:15:00Z' references: - type: EVIDENCE url: https://github.com/democritus-project/d8s-xml/issues/10 @@ -29,3 +26,7 @@ references: url: https://pypi.org/project/democritus-strings/ - type: PACKAGE url: https://pypi.org/project/d8s-xml/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-strings/PYSEC-2022-43125.yaml b/vulns/democritus-strings/PYSEC-2022-43125.yaml index d249721b..1f46c4d8 100644 --- a/vulns/democritus-strings/PYSEC-2022-43125.yaml +++ b/vulns/democritus-strings/PYSEC-2022-43125.yaml 
@@ -1,25 +1,22 @@ -id: PYSEC-2022-43125 -modified: 2024-11-21T14:22:44.941258Z -published: 2022-09-19T16:15:00Z -aliases: -- CVE-2022-38887 -details: The d8s-python for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. The democritus-strings package. The affected - version is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-strings purl: pkg:pypi/democritus-strings ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.28 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38887 +details: The d8s-python for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. The democritus-strings package. The affected + version is 0.1.0. +id: PYSEC-2022-43125 +modified: '2024-11-21T14:22:44.941258Z' +published: '2022-09-19T16:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-python/ @@ -29,3 +26,7 @@ references: url: https://github.com/democritus-project/d8s-python/issues/36 - type: REPORT url: https://github.com/democritus-project/d8s-python/issues/36 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-timezones/PYSEC-2022-43126.yaml b/vulns/democritus-timezones/PYSEC-2022-43126.yaml index 808f945c..eb238837 100644 --- a/vulns/democritus-timezones/PYSEC-2022-43126.yaml +++ b/vulns/democritus-timezones/PYSEC-2022-43126.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43126 -modified: 2024-11-21T14:22:44.991216Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44052 -details: The d8s-dates for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-timezones package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-timezones purl: pkg:pypi/democritus-timezones ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.2 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44052 +details: The d8s-dates for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-timezones package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43126 +modified: '2024-11-21T14:22:44.991216Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-timezones/ @@ -28,3 +25,7 @@ references: url: https://pypi.org/project/d8s-dates/ - type: REPORT url: https://github.com/dadadadada111/info/issues/16 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-user-agents/PYSEC-2022-43127.yaml b/vulns/democritus-user-agents/PYSEC-2022-43127.yaml index 88b82510..b79bd46f 100644 --- a/vulns/democritus-user-agents/PYSEC-2022-43127.yaml +++ b/vulns/democritus-user-agents/PYSEC-2022-43127.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43127 -modified: 2024-11-21T14:22:45.041198Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44053 -details: The d8s-networking for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. A potential code execution backdoor - inserted by third parties is the democritus-user-agents package. The affected version - of d8s-htm is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-user-agents purl: pkg:pypi/democritus-user-agents ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44053 +details: The d8s-networking for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. A potential code execution backdoor + inserted by third parties is the democritus-user-agents package. The affected version + of d8s-htm is 0.1.0. +id: PYSEC-2022-43127 +modified: '2024-11-21T14:22:45.041198Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-networking/ @@ -28,3 +25,7 @@ references: url: https://pypi.org/project/democritus-user-agents/ - type: REPORT url: https://github.com/dadadadada111/info/issues/17 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-utility/PYSEC-2022-43128.yaml b/vulns/democritus-utility/PYSEC-2022-43128.yaml index 74f513fb..51966397 100644 --- a/vulns/democritus-utility/PYSEC-2022-43128.yaml +++ b/vulns/democritus-utility/PYSEC-2022-43128.yaml 
@@ -1,29 +1,26 @@ -id: PYSEC-2022-43128 -modified: 2024-11-21T14:22:45.091449Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-44054 -details: The d8s-xml for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-utility package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-utility purl: pkg:pypi/democritus-utility ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 - 2021.1.25 - 2021.1.25b0 - 2021.1.30 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-44054 +details: The d8s-xml for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-utility package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43128 +modified: '2024-11-21T14:22:45.091449Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-utility/ @@ -35,3 +32,7 @@ references: url: https://pypi.org/project/d8s-xml/ - type: REPORT url: https://github.com/dadadadada111/info/issues/18 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-uuids/PYSEC-2022-43129.yaml b/vulns/democritus-uuids/PYSEC-2022-43129.yaml index febd9371..d75c4b94 100644 --- a/vulns/democritus-uuids/PYSEC-2022-43129.yaml +++ b/vulns/democritus-uuids/PYSEC-2022-43129.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43129 -modified: 2024-11-21T14:22:45.148199Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-43303 -details: The d8s-strings for python, as distributed on PyPI, included a potential - code-execution backdoor inserted by a third party. A potential code execution backdoor - inserted by third parties is the democritus-uuids package. The affected version - of d8s-htm is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-uuids purl: pkg:pypi/democritus-uuids ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-43303 +details: The d8s-strings for python, as distributed on PyPI, included a potential + code-execution backdoor inserted by a third party. A potential code execution backdoor + inserted by third parties is the democritus-uuids package. The affected version + of d8s-htm is 0.1.0. +id: PYSEC-2022-43129 +modified: '2024-11-21T14:22:45.148199Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/d8s-strings/ @@ -28,3 +25,7 @@ references: url: https://pypi.org/project/democritus-uuids/ - type: REPORT url: https://github.com/dadadadada111/info/issues/8 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/democritus-uuids/PYSEC-2022-43130.yaml b/vulns/democritus-uuids/PYSEC-2022-43130.yaml index dc0d2de3..2dd2075a 100644 --- a/vulns/democritus-uuids/PYSEC-2022-43130.yaml +++ b/vulns/democritus-uuids/PYSEC-2022-43130.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43130 -modified: 2024-11-21T14:22:45.198186Z -published: 2022-11-07T15:15:00Z -aliases: -- CVE-2022-43304 -details: The d8s-timer for python, as distributed on PyPI, included a potential code-execution - backdoor inserted by a third party. A potential code execution backdoor inserted - by third parties is the democritus-uuids package. The affected version of d8s-htm - is 0.1.0. affected: - package: ecosystem: PyPI name: democritus-uuids purl: pkg:pypi/democritus-uuids ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2021.1.21 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-43304 +details: The d8s-timer for python, as distributed on PyPI, included a potential code-execution + backdoor inserted by a third party. A potential code execution backdoor inserted + by third parties is the democritus-uuids package. The affected version of d8s-htm + is 0.1.0. +id: PYSEC-2022-43130 +modified: '2024-11-21T14:22:45.198186Z' +published: '2022-11-07T15:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/democritus-uuids/ @@ -28,3 +25,7 @@ references: url: https://pypi.org/project/d8s-timer/ - type: REPORT url: https://github.com/dadadadada111/info/issues/9 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/designate/PYSEC-2017-114.yaml b/vulns/designate/PYSEC-2017-114.yaml index 85808ced..9102cafb 100644 --- a/vulns/designate/PYSEC-2017-114.yaml +++ b/vulns/designate/PYSEC-2017-114.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2017-114 -modified: 2024-11-21T14:22:45.305089Z -published: 2017-08-31T22:29:00Z -aliases: -- CVE-2015-5695 -details: Designate 2015.1.0 through 1.0.0.0b1 as packaged in OpenStack Kilo does not - enforce RecordSets per domain, and Records per RecordSet quotas when processing - an internal zone file transfer, which might allow remote attackers to cause a denial - of service (infinite loop) via a crafted resource record set. affected: - package: ecosystem: PyPI name: designate purl: pkg:pypi/designate ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 10.0.0 - 10.0.0.0rc1 @@ -67,9 +58,15 @@ affected: - 9.0.0.0rc1 - 9.0.1 - 9.0.2 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2015-5695 +details: Designate 2015.1.0 through 1.0.0.0b1 as packaged in OpenStack Kilo does not + enforce RecordSets per domain, and Records per RecordSet quotas when processing + an internal zone file transfer, which might allow remote attackers to cause a denial + of service (infinite loop) via a crafted resource record set. +id: PYSEC-2017-114 +modified: '2024-11-21T14:22:45.305089Z' +published: '2017-08-31T22:29:00Z' references: - type: ARTICLE url: https://launchpadlibrarian.net/211525251/bug-1471161-quotas-master.patch @@ -97,3 +94,7 @@ references: url: http://lists.openstack.org/pipermail/openstack/2015-July/013548.html - type: ADVISORY url: http://lists.openstack.org/pipermail/openstack/2015-July/013548.html +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/designate/PYSEC-2019-243.yaml b/vulns/designate/PYSEC-2019-243.yaml index 7c1a3930..f5576740 100644 --- a/vulns/designate/PYSEC-2019-243.yaml +++ b/vulns/designate/PYSEC-2019-243.yaml 
@@ -1,18 +1,12 @@ -id: PYSEC-2019-243 -modified: 2024-11-21T14:22:45.251201Z -published: 2019-11-22T15:15:00Z -aliases: -- CVE-2015-5694 -details: Designate does not enforce the DNS protocol limit concerning record set sizes affected: - package: ecosystem: PyPI name: designate purl: pkg:pypi/designate ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 10.0.0 - 10.0.0.0rc1 @@ -64,9 +58,12 @@ affected: - 9.0.0.0rc1 - 9.0.1 - 9.0.2 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2015-5694 +details: Designate does not enforce the DNS protocol limit concerning record set sizes +id: PYSEC-2019-243 +modified: '2024-11-21T14:22:45.251201Z' +published: '2019-11-22T15:15:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5694 @@ -80,3 +77,7 @@ references: url: http://www.openwall.com/lists/oss-security/2015/07/29/6 - type: WEB url: http://www.openwall.com/lists/oss-security/2015/07/29/6 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/diplib/PYSEC-2022-43131.yaml b/vulns/diplib/PYSEC-2022-43131.yaml index 2434e081..d376a9a8 100644 --- a/vulns/diplib/PYSEC-2022-43131.yaml +++ b/vulns/diplib/PYSEC-2022-43131.yaml @@ -1,23 +1,17 @@ -id: PYSEC-2022-43131 -modified: 2024-11-21T14:22:45.432947Z -published: 2022-11-04T17:15:00Z -aliases: -- CVE-2021-39432 -details: diplib v3.0.0 is vulnerable to Double Free. affected: - package: ecosystem: PyPI name: diplib purl: pkg:pypi/diplib ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 8b9a2670ce66ff2fd5addf592f7825e1f5adb5b5 repo: https://github.com/DIPlib/diplib - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 3.0.0 - 3.0b5 
@@ -35,9 +29,12 @@ affected: - 3.4.3 - 3.5.0 - 3.5.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2021-39432 +details: diplib v3.0.0 is vulnerable to Double Free. +id: PYSEC-2022-43131 +modified: '2024-11-21T14:22:45.432947Z' +published: '2022-11-04T17:15:00Z' references: - type: FIX url: https://github.com/DIPlib/diplib/commit/8b9a2670ce66ff2fd5addf592f7825e1f5adb5b5 @@ -47,3 +44,7 @@ references: url: https://github.com/DIPlib/diplib/issues/80 - type: FIX url: https://github.com/DIPlib/diplib/issues/80 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/django-cms/PYSEC-2024-124.yaml b/vulns/django-cms/PYSEC-2024-124.yaml index e8e168e3..62747a8c 100644 --- a/vulns/django-cms/PYSEC-2024-124.yaml +++ b/vulns/django-cms/PYSEC-2024-124.yaml @@ -1,25 +1,17 @@ -id: PYSEC-2024-124 -modified: 2024-11-20T16:23:43.554559Z -published: 2024-11-18T12:15:00Z -aliases: -- CVE-2024-11319 -details: 'Improper Neutralization of Input During Web Page Generation (XSS or ''Cross-site - Scripting'') vulnerability in django CMS Association django-cms allows Cross-Site - Scripting (XSS).This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3.' affected: - package: ecosystem: PyPI name: django-cms purl: pkg:pypi/django-cms ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 241d1cbe47a68f5d271ce4d27ad5e32e2c360ec3 repo: https://github.com/django-cms/django-cms - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2.0.1 - 2.0.2 @@ -28,7 +20,7 @@ affected: - 2.1.3 - 2.1.4 - 2.1.5 - - "2.2" + - '2.2' - 2.2.1 - 2.3.1 - 2.3.2 @@ -42,7 +34,7 @@ affected: - 2.4.1 - 2.4.2 - 2.4.3 - - "3.0" + - '3.0' - 3.0.1 - 3.0.10 - 3.0.11 
@@ -144,9 +136,14 @@ affected: - 4.1.2 - 4.1.3 - 4.1.4 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N +aliases: +- CVE-2024-11319 +details: 'Improper Neutralization of Input During Web Page Generation (XSS or ''Cross-site + Scripting'') vulnerability in django CMS Association django-cms allows Cross-Site + Scripting (XSS).This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3.' +id: PYSEC-2024-124 +modified: '2024-11-20T16:23:43.554559Z' +published: '2024-11-18T12:15:00Z' references: - type: WEB url: https://www.usom.gov.tr/bildirim/tr-24-1859 @@ -156,3 +153,7 @@ references: url: https://www.django-cms.org/en/blog/2024/11/13/django-cms-security-update/ - type: EVIDENCE url: https://iltosec.com/blog/post/django-cms-413-stored-xss-vulnerability-exploiting-the-page-title-field/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/dr-web-engine/PYSEC-2022-43132.yaml b/vulns/dr-web-engine/PYSEC-2022-43132.yaml index 73fbee83..9c2e04de 100644 --- a/vulns/dr-web-engine/PYSEC-2022-43132.yaml +++ b/vulns/dr-web-engine/PYSEC-2022-43132.yaml @@ -1,21 +1,12 @@ -id: PYSEC-2022-43132 -modified: 2024-11-21T14:22:45.610409Z -published: 2022-06-24T21:15:00Z -aliases: -- CVE-2022-34053 -details: The DR-Web-Engine package in PyPI v0.2.0b0 was discovered to contain a code - execution backdoor via the request package. This vulnerability allows attackers - to access sensitive user information and digital currency keys, as well as escalate - privileges. affected: - package: ecosystem: PyPI name: dr-web-engine purl: pkg:pypi/dr-web-engine ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.2.7.1b0 - 0.2.7.2b0 
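Review bot: PYSEC-2024-124 is withdrawn in the last hunk of vulns/django-cms/PYSEC-2024-124.yaml even though its GIT range carries `fixed: 241d1cbe47a68f5d271ce4d27ad5e32e2c360ec3` and its `details` name the affected releases 3.11.7, 3.11.8, 4.1.2 and 4.1.3. Once the record is withdrawn, scanners that honour the field will presumably stop flagging those releases for CVE-2024-11319 until a bounded record is re-issued. If a corrected record is not part of this series, I would bound the ECOSYSTEM range instead, adding `- fixed: '<FIXED_VERSION>'` (placeholder, to be derived from the fix commit) after `- introduced: '0'` and pruning `versions` to match. vulns/diplib/PYSEC-2022-43131.yaml, which also has a `fixed` commit in its GIT range, is in the same position.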
@@ -24,9 +15,15 @@ affected: - 0.3.2.0b0 - 0.3.2.1b0 - 0.3.2.2b0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-34053 +details: The DR-Web-Engine package in PyPI v0.2.0b0 was discovered to contain a code + execution backdoor via the request package. This vulnerability allows attackers + to access sensitive user information and digital currency keys, as well as escalate + privileges. +id: PYSEC-2022-43132 +modified: '2024-11-21T14:22:45.610409Z' +published: '2022-06-24T21:15:00Z' references: - type: WEB url: http://pypi.doubanio.com/simple/request @@ -36,3 +33,7 @@ references: url: https://github.com/ylliprifti/dr-web-engine/issues/4 - type: REPORT url: https://github.com/ylliprifti/dr-web-engine/issues/4 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/drxhello/PYSEC-2022-43133.yaml b/vulns/drxhello/PYSEC-2022-43133.yaml index 0c46c83b..9a0d7dcc 100644 --- a/vulns/drxhello/PYSEC-2022-43133.yaml +++ b/vulns/drxhello/PYSEC-2022-43133.yaml 
@@ -1,26 +1,23 @@ -id: PYSEC-2022-43133 -modified: 2024-11-21T14:22:45.663614Z -published: 2022-06-24T21:15:00Z -aliases: -- CVE-2022-34055 -details: The drxhello package in PyPI v0.0.1 was discovered to contain a code execution - backdoor via the request package. This vulnerability allows attackers to access - sensitive user information and digital currency keys, as well as escalate privileges. affected: - package: ecosystem: PyPI name: drxhello purl: pkg:pypi/drxhello ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-34055 +details: The drxhello package in PyPI v0.0.1 was discovered to contain a code execution + backdoor via the request package. This vulnerability allows attackers to access + sensitive user information and digital currency keys, as well as escalate privileges. +id: PYSEC-2022-43133 +modified: '2024-11-21T14:22:45.663614Z' +published: '2022-06-24T21:15:00Z' references: - type: WEB url: http://pypi.doubanio.com/simple/request @@ -30,3 +27,7 @@ references: url: https://github.com/drewxa/summer-tasks/issues/4 - type: PACKAGE url: https://pypi.org/project/drxhello/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/eftl/PYSEC-2021-881.yaml b/vulns/eftl/PYSEC-2021-881.yaml index 793a1270..0d93bec0 100644 --- a/vulns/eftl/PYSEC-2021-881.yaml +++ b/vulns/eftl/PYSEC-2021-881.yaml @@ -1,6 +1,18 @@ -id: PYSEC-2021-881 -modified: 2024-11-21T14:22:45.803448Z -published: 2021-10-05T18:15:00Z +affected: +- package: + ecosystem: PyPI + name: eftl + purl: pkg:pypi/eftl + ranges: + - events: + - introduced: '0' + type: ECOSYSTEM + versions: + - 1.0.0 + - 1.1.0 + - 1.2.0 + - 1.3.0 + - 1.3.1 aliases: - CVE-2021-35497 details: 'The FTL Server (tibftlserver) and Docker images containing tibftlserver 
@@ -24,26 +36,15 @@ details: 'The FTL Server (tibftlserver) and Docker images containing tibftlserve eFTL - Developer Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0, and TIBCO eFTL - Enterprise Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0.' -affected: -- package: - ecosystem: PyPI - name: eftl - purl: pkg:pypi/eftl - ranges: - - type: ECOSYSTEM - events: - - introduced: "0" - versions: - - 1.0.0 - - 1.1.0 - - 1.2.0 - - 1.3.0 - - 1.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H +id: PYSEC-2021-881 +modified: '2024-11-21T14:22:45.803448Z' +published: '2021-10-05T18:15:00Z' references: - type: ADVISORY url: https://www.tibco.com/services/support/advisories - type: ADVISORY url: https://www.tibco.com/support/advisories/2021/10/tibco-security-advisory-october-5-2021-tibco-ftl-2021-35497 +severity: +- score: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/exiv2/PYSEC-2008-11.yaml b/vulns/exiv2/PYSEC-2008-11.yaml index 451c4132..a54735d8 100644 --- a/vulns/exiv2/PYSEC-2008-11.yaml +++ b/vulns/exiv2/PYSEC-2008-11.yaml @@ -1,23 +1,14 @@ -id: PYSEC-2008-11 -modified: 2024-11-21T14:22:45.866207Z -published: 2008-06-13T19:41:00Z -aliases: -- CVE-2008-2696 -details: Exiv2 0.16 allows user-assisted remote attackers to cause a denial of service - (divide-by-zero and application crash) via a zero value in Nikon lens information - in the metadata of an image, related to "pretty printing" and the RationalValue::toLong - function. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -38,9 +29,18 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 +aliases: +- CVE-2008-2696 +details: Exiv2 0.16 allows user-assisted remote attackers to cause a denial of service + (divide-by-zero and application crash) via a zero value in Nikon lens information + in the metadata of an image, related to "pretty printing" and the RationalValue::toLong + function. +id: PYSEC-2008-11 +modified: '2024-11-21T14:22:45.866207Z' +published: '2008-06-13T19:41:00Z' references: - type: EVIDENCE url: http://bugzilla.gnome.org/show_bug.cgi?id=524715 @@ -64,3 +64,4 @@ references: url: http://www.vupen.com/english/advisories/2008/1766/references - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/42885 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/exiv2/PYSEC-2015-36.yaml b/vulns/exiv2/PYSEC-2015-36.yaml index 002056fb..2443f8c3 100644 --- a/vulns/exiv2/PYSEC-2015-36.yaml +++ b/vulns/exiv2/PYSEC-2015-36.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2015-36 -modified: 2024-11-21T14:22:45.931449Z -published: 2015-01-02T20:59:00Z -aliases: -- CVE-2014-9449 -details: Buffer overflow in the RiffVideo::infoTagsHandler function in riffvideo.cpp - in Exiv2 0.24 allows remote attackers to cause a denial of service (crash) via a - long IKEY INFO tag value in an AVI file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,9 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 +aliases: +- CVE-2014-9449 +details: Buffer overflow in the RiffVideo::infoTagsHandler function in riffvideo.cpp + in Exiv2 0.24 allows remote attackers to cause a denial of service (crash) via a + long IKEY INFO tag value in an AVI file. +id: PYSEC-2015-36 +modified: '2024-11-21T14:22:45.931449Z' +published: '2015-01-02T20:59:00Z' references: - type: REPORT url: http://dev.exiv2.org/issues/960 @@ -57,3 +57,4 @@ references: url: https://security.gentoo.org/glsa/201507-03 - type: ADVISORY url: http://www.ubuntu.com/usn/USN-2454-1 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/exiv2/PYSEC-2017-115.yaml b/vulns/exiv2/PYSEC-2017-115.yaml index d63c1691..e4558d11 100644 --- a/vulns/exiv2/PYSEC-2017-115.yaml +++ b/vulns/exiv2/PYSEC-2017-115.yaml @@ -1,20 +1,14 @@ -id: PYSEC-2017-115 -modified: 2024-11-21T14:22:45.992477Z -published: 2017-11-17T22:29:00Z -aliases: -- CVE-2017-1000126 -details: exiv2 0.26 contains a Stack out of bounds read in webp parser affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -35,12 +29,15 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-1000126 +details: exiv2 0.26 contains a Stack out of bounds read in webp parser +id: PYSEC-2017-115 +modified: '2024-11-21T14:22:45.992477Z' +published: '2017-11-17T22:29:00Z' references: - type: ARTICLE url: http://www.openwall.com/lists/oss-security/2017/06/30/1 
@@ -50,3 +47,7 @@ references: url: http://www.openwall.com/lists/oss-security/2017/06/30/1 - type: WEB url: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00009.html +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/exiv2/PYSEC-2017-116.yaml b/vulns/exiv2/PYSEC-2017-116.yaml index ecd1e13d..1b88e52b 100644 --- a/vulns/exiv2/PYSEC-2017-116.yaml +++ b/vulns/exiv2/PYSEC-2017-116.yaml @@ -1,20 +1,14 @@ -id: PYSEC-2017-116 -modified: 2024-11-21T14:22:46.052386Z -published: 2017-11-17T22:29:00Z -aliases: -- CVE-2017-1000127 -details: Exiv2 0.26 contains a heap buffer overflow in tiff parser affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -35,12 +29,15 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-1000127 +details: Exiv2 0.26 contains a heap buffer overflow in tiff parser +id: PYSEC-2017-116 +modified: '2024-11-21T14:22:46.052386Z' +published: '2017-11-17T22:29:00Z' references: - type: ARTICLE url: http://www.openwall.com/lists/oss-security/2017/06/30/1 @@ -48,3 +45,7 @@ references: url: http://www.openwall.com/lists/oss-security/2017/06/30/1 - type: ADVISORY url: http://www.openwall.com/lists/oss-security/2017/06/30/1 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/exiv2/PYSEC-2017-117.yaml b/vulns/exiv2/PYSEC-2017-117.yaml index 3ef94e4f..c009eb27 100644 --- a/vulns/exiv2/PYSEC-2017-117.yaml +++ b/vulns/exiv2/PYSEC-2017-117.yaml 
@@ -1,20 +1,14 @@ -id: PYSEC-2017-117 -modified: 2024-11-21T14:22:46.115176Z -published: 2017-11-17T22:29:00Z -aliases: -- CVE-2017-1000128 -details: Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -35,12 +29,15 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-1000128 +details: Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser +id: PYSEC-2017-117 +modified: '2024-11-21T14:22:46.115176Z' +published: '2017-11-17T22:29:00Z' references: - type: ARTICLE url: http://www.openwall.com/lists/oss-security/2017/06/30/1 @@ -48,3 +45,7 @@ references: url: http://www.openwall.com/lists/oss-security/2017/06/30/1 - type: ADVISORY url: http://www.openwall.com/lists/oss-security/2017/06/30/1 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/exiv2/PYSEC-2017-118.yaml b/vulns/exiv2/PYSEC-2017-118.yaml index e75251a8..b10ca206 100644 --- a/vulns/exiv2/PYSEC-2017-118.yaml +++ b/vulns/exiv2/PYSEC-2017-118.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-118 -modified: 2024-11-21T14:22:46.174866Z -published: 2017-07-17T13:18:00Z -aliases: -- CVE-2017-11336 -details: There is a heap-based buffer over-read in the Image::printIFDStructure function - in image.cpp in Exiv2 0.26. A Crafted input will lead to a remote denial of service - attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,21 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-11336 +details: There is a heap-based buffer over-read in the Image::printIFDStructure function + in image.cpp in Exiv2 0.26. A Crafted input will lead to a remote denial of service + attack. +id: PYSEC-2017-118 +modified: '2024-11-21T14:22:46.174866Z' +published: '2017-07-17T13:18:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1470729 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/exiv2/PYSEC-2017-119.yaml b/vulns/exiv2/PYSEC-2017-119.yaml index 6ddc18b0..9da72484 100644 --- a/vulns/exiv2/PYSEC-2017-119.yaml +++ b/vulns/exiv2/PYSEC-2017-119.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-119 -modified: 2024-11-21T14:22:46.232444Z -published: 2017-07-17T13:18:00Z -aliases: -- CVE-2017-11337 -details: There is an invalid free in the Action::TaskFactory::cleanup function of - actions.cpp in Exiv2 0.26. A crafted input will lead to a remote denial of service - attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,21 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-11337 +details: There is an invalid free in the Action::TaskFactory::cleanup function of + actions.cpp in Exiv2 0.26. A crafted input will lead to a remote denial of service + attack. +id: PYSEC-2017-119 +modified: '2024-11-21T14:22:46.232444Z' +published: '2017-07-17T13:18:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1470737 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/exiv2/PYSEC-2017-120.yaml b/vulns/exiv2/PYSEC-2017-120.yaml index d6af524e..54500a67 100644 --- a/vulns/exiv2/PYSEC-2017-120.yaml +++ b/vulns/exiv2/PYSEC-2017-120.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-120 -modified: 2024-11-21T14:22:46.291386Z -published: 2017-07-17T13:18:00Z -aliases: -- CVE-2017-11338 -details: There is an infinite loop in the Exiv2::Image::printIFDStructure function - of image.cpp in Exiv2 0.26. A crafted input will lead to a remote denial of service - attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,21 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-11338 +details: There is an infinite loop in the Exiv2::Image::printIFDStructure function + of image.cpp in Exiv2 0.26. A crafted input will lead to a remote denial of service + attack. +id: PYSEC-2017-120 +modified: '2024-11-21T14:22:46.291386Z' +published: '2017-07-17T13:18:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1470913 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/exiv2/PYSEC-2017-121.yaml b/vulns/exiv2/PYSEC-2017-121.yaml index e2f93ef1..27889d2c 100644 --- a/vulns/exiv2/PYSEC-2017-121.yaml +++ b/vulns/exiv2/PYSEC-2017-121.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-121 -modified: 2024-11-21T14:22:46.352202Z -published: 2017-07-17T13:18:00Z -aliases: -- CVE-2017-11339 -details: There is a heap-based buffer overflow in the Image::printIFDStructure function - of image.cpp in Exiv2 0.26. A Crafted input will lead to a remote denial of service - attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,21 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-11339 +details: There is a heap-based buffer overflow in the Image::printIFDStructure function + of image.cpp in Exiv2 0.26. A Crafted input will lead to a remote denial of service + attack. +id: PYSEC-2017-121 +modified: '2024-11-21T14:22:46.352202Z' +published: '2017-07-17T13:18:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1470946 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/exiv2/PYSEC-2017-122.yaml b/vulns/exiv2/PYSEC-2017-122.yaml index 6c3aae72..ff5950de 100644 --- a/vulns/exiv2/PYSEC-2017-122.yaml +++ b/vulns/exiv2/PYSEC-2017-122.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-122 -modified: 2024-11-21T14:22:46.411851Z -published: 2017-07-17T13:18:00Z -aliases: -- CVE-2017-11340 -details: There is a Segmentation fault in the XmpParser::terminate() function in Exiv2 - 0.26, related to an exit call. A Crafted input will lead to a remote denial of service - attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,21 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-11340 +details: There is a Segmentation fault in the XmpParser::terminate() function in Exiv2 + 0.26, related to an exit call. A Crafted input will lead to a remote denial of service + attack. +id: PYSEC-2017-122 +modified: '2024-11-21T14:22:46.411851Z' +published: '2017-07-17T13:18:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1470950 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-123.yaml b/vulns/exiv2/PYSEC-2017-123.yaml index 6385d841..6ea0f504 100644 --- a/vulns/exiv2/PYSEC-2017-123.yaml +++ b/vulns/exiv2/PYSEC-2017-123.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2017-123 -modified: 2024-11-21T14:22:46.480449Z -published: 2017-07-23T03:29:00Z -aliases: -- CVE-2017-11553 -details: There is an illegal address access in the extend_alias_table function in - localealias.c of Exiv2 0.26. A crafted input will lead to remote denial of service. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,14 +29,22 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-11553 +details: There is an illegal address access in the extend_alias_table function in + localealias.c of Exiv2 0.26. A crafted input will lead to remote denial of service. +id: PYSEC-2017-123 +modified: '2024-11-21T14:22:46.480449Z' +published: '2017-07-23T03:29:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1471772 - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1471772 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-124.yaml b/vulns/exiv2/PYSEC-2017-124.yaml index 76305ef2..a78350c3 100644 --- a/vulns/exiv2/PYSEC-2017-124.yaml +++ b/vulns/exiv2/PYSEC-2017-124.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2017-124 -modified: 2024-11-21T14:22:46.539614Z -published: 2017-07-24T01:29:00Z -aliases: -- CVE-2017-11591 -details: There is a Floating point exception in the Exiv2::ValueType function in Exiv2 - 0.26 that will lead to a remote denial of service attack via crafted input. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-11591 +details: There is a Floating point exception in the Exiv2::ValueType function in Exiv2 + 0.26 that will lead to a remote denial of service attack via crafted input. +id: PYSEC-2017-124 +modified: '2024-11-21T14:22:46.539614Z' +published: '2017-07-24T01:29:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1473888 @@ -53,3 +50,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-125.yaml b/vulns/exiv2/PYSEC-2017-125.yaml index 6e8a0189..795303cf 100644 --- a/vulns/exiv2/PYSEC-2017-125.yaml +++ b/vulns/exiv2/PYSEC-2017-125.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-125 -modified: 2024-11-21T14:22:46.598979Z -published: 2017-07-24T01:29:00Z -aliases: -- CVE-2017-11592 -details: There is a Mismatched Memory Management Routines vulnerability in the Exiv2::FileIo::seek - function of Exiv2 0.26 that will lead to a remote denial of service attack (heap - memory corruption) via crafted input. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,14 +29,23 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-11592 +details: There is a Mismatched Memory Management Routines vulnerability in the Exiv2::FileIo::seek + function of Exiv2 0.26 that will lead to a remote denial of service attack (heap + memory corruption) via crafted input. +id: PYSEC-2017-125 +modified: '2024-11-21T14:22:46.598979Z' +published: '2017-07-24T01:29:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1473889 - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1473889 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-126.yaml b/vulns/exiv2/PYSEC-2017-126.yaml index ffeb966e..2e87e742 100644 --- a/vulns/exiv2/PYSEC-2017-126.yaml +++ b/vulns/exiv2/PYSEC-2017-126.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-126 -modified: 2024-11-21T14:22:46.672784Z -published: 2017-07-27T06:29:00Z -aliases: -- CVE-2017-11683 -details: There is a reachable assertion in the Internal::TiffReader::visitDirectory - function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service - attack via crafted input. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-11683 +details: There is a reachable assertion in the Internal::TiffReader::visitDirectory + function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service + attack via crafted input. +id: PYSEC-2017-126 +modified: '2024-11-21T14:22:46.672784Z' +published: '2017-07-27T06:29:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1475124 @@ -56,3 +53,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2022/11/msg00013.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2022/11/msg00013.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-127.yaml b/vulns/exiv2/PYSEC-2017-127.yaml index e54b296b..2f8a0243 100644 --- a/vulns/exiv2/PYSEC-2017-127.yaml +++ b/vulns/exiv2/PYSEC-2017-127.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-127 -modified: 2024-11-21T14:22:46.732582Z -published: 2017-08-18T21:29:00Z -aliases: -- CVE-2017-12955 -details: There is a heap-based buffer overflow in basicio.cpp of Exiv2 0.26. The vulnerability - causes an out-of-bounds write in Exiv2::Image::printIFDStructure(), which may lead - to remote denial of service or possibly unspecified other impact. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,21 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2017-12955 +details: There is a heap-based buffer overflow in basicio.cpp of Exiv2 0.26. The vulnerability + causes an out-of-bounds write in Exiv2::Image::printIFDStructure(), which may lead + to remote denial of service or possibly unspecified other impact. +id: PYSEC-2017-127 +modified: '2024-11-21T14:22:46.732582Z' +published: '2017-08-18T21:29:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1482295 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-128.yaml b/vulns/exiv2/PYSEC-2017-128.yaml index a829b046..ec668afb 100644 --- a/vulns/exiv2/PYSEC-2017-128.yaml +++ b/vulns/exiv2/PYSEC-2017-128.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2017-128 -modified: 2024-11-21T14:22:46.791764Z -published: 2017-08-18T21:29:00Z -aliases: -- CVE-2017-12956 -details: There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() in - basicio.cpp of libexiv2 in Exiv2 0.26 that will lead to remote denial of service. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,12 +29,20 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-12956 +details: There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() in + basicio.cpp of libexiv2 in Exiv2 0.26 that will lead to remote denial of service. +id: PYSEC-2017-128 +modified: '2024-11-21T14:22:46.791764Z' +published: '2017-08-18T21:29:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1482296 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-129.yaml b/vulns/exiv2/PYSEC-2017-129.yaml index a02c01da..bf2a64b0 100644 --- a/vulns/exiv2/PYSEC-2017-129.yaml +++ b/vulns/exiv2/PYSEC-2017-129.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-129 -modified: 2024-11-21T14:22:46.862068Z -published: 2017-08-18T21:29:00Z -aliases: -- CVE-2017-12957 -details: There is a heap-based buffer over-read in libexiv2 in Exiv2 0.26 that is - triggered in the Exiv2::Image::io function in image.cpp. It will lead to remote - denial of service. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,21 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-12957 +details: There is a heap-based buffer over-read in libexiv2 in Exiv2 0.26 that is + triggered in the Exiv2::Image::io function in image.cpp. It will lead to remote + denial of service. +id: PYSEC-2017-129 +modified: '2024-11-21T14:22:46.862068Z' +published: '2017-08-18T21:29:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1482423 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-130.yaml b/vulns/exiv2/PYSEC-2017-130.yaml index 6032737c..35167e44 100644 --- a/vulns/exiv2/PYSEC-2017-130.yaml +++ b/vulns/exiv2/PYSEC-2017-130.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-130 -modified: 2024-11-21T14:22:46.923551Z -published: 2017-09-29T01:34:00Z -aliases: -- CVE-2017-14857 -details: In Exiv2 0.26, there is an invalid free in the Image class in image.cpp that - leads to a Segmentation fault. A crafted input will lead to a denial of service - attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,14 +29,23 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-14857 +details: In Exiv2 0.26, there is an invalid free in the Image class in image.cpp that + leads to a Segmentation fault. A crafted input will lead to a denial of service + attack. +id: PYSEC-2017-130 +modified: '2024-11-21T14:22:46.923551Z' +published: '2017-09-29T01:34:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1495043 - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1495043 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-131.yaml b/vulns/exiv2/PYSEC-2017-131.yaml index 1daf716c..9d42aadf 100644 --- a/vulns/exiv2/PYSEC-2017-131.yaml +++ b/vulns/exiv2/PYSEC-2017-131.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2017-131 -modified: 2024-11-21T14:22:46.982152Z -published: 2017-09-29T01:34:00Z -aliases: -- CVE-2017-14858 -details: There is a heap-based buffer overflow in the Exiv2::l2Data function of types.cpp - in Exiv2 0.26. A Crafted input will lead to a denial of service attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,14 +29,22 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-14858 +details: There is a heap-based buffer overflow in the Exiv2::l2Data function of types.cpp + in Exiv2 0.26. A Crafted input will lead to a denial of service attack. +id: PYSEC-2017-131 +modified: '2024-11-21T14:22:46.982152Z' +published: '2017-09-29T01:34:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1494782 - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1494782 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-132.yaml b/vulns/exiv2/PYSEC-2017-132.yaml index a6a6e071..b2c191a1 100644 --- a/vulns/exiv2/PYSEC-2017-132.yaml +++ b/vulns/exiv2/PYSEC-2017-132.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-132 -modified: 2024-11-21T14:22:47.041853Z -published: 2017-09-29T01:34:00Z -aliases: -- CVE-2017-14859 -details: An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read - in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application - crash, which leads to denial of service. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-14859 +details: An Invalid memory address dereference was discovered in Exiv2::StringValueBase::read + in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application + crash, which leads to denial of service. +id: PYSEC-2017-132 +modified: '2024-11-21T14:22:47.041853Z' +published: '2017-09-29T01:34:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1494780 @@ -54,3 +51,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-133.yaml b/vulns/exiv2/PYSEC-2017-133.yaml index fbe225e3..15144830 100644 --- a/vulns/exiv2/PYSEC-2017-133.yaml +++ b/vulns/exiv2/PYSEC-2017-133.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-133 -modified: 2024-11-21T14:22:47.10072Z -published: 2017-09-29T01:34:00Z -aliases: -- CVE-2017-14860 -details: There is a heap-based buffer over-read in the Exiv2::Jp2Image::readMetadata - function of jp2image.cpp in Exiv2 0.26. A Crafted input will lead to a denial of - service attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,14 +29,23 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-14860 +details: There is a heap-based buffer over-read in the Exiv2::Jp2Image::readMetadata + function of jp2image.cpp in Exiv2 0.26. A Crafted input will lead to a denial of + service attack. +id: PYSEC-2017-133 +modified: '2024-11-21T14:22:47.10072Z' +published: '2017-09-29T01:34:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1494776 - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1494776 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-134.yaml b/vulns/exiv2/PYSEC-2017-134.yaml index 5798e458..40716db9 100644 --- a/vulns/exiv2/PYSEC-2017-134.yaml +++ b/vulns/exiv2/PYSEC-2017-134.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-134 -modified: 2024-11-21T14:22:47.157939Z -published: 2017-09-29T01:34:00Z -aliases: -- CVE-2017-14861 -details: There is a stack consumption vulnerability in the Exiv2::Internal::stringFormat - function of image.cpp in Exiv2 0.26. A Crafted input will lead to a remote denial - of service attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,14 +29,23 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-14861 +details: There is a stack consumption vulnerability in the Exiv2::Internal::stringFormat + function of image.cpp in Exiv2 0.26. A Crafted input will lead to a remote denial + of service attack. +id: PYSEC-2017-134 +modified: '2024-11-21T14:22:47.157939Z' +published: '2017-09-29T01:34:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1494787 - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1494787 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-135.yaml b/vulns/exiv2/PYSEC-2017-135.yaml index 2a1eb677..4ce1df1e 100644 --- a/vulns/exiv2/PYSEC-2017-135.yaml +++ b/vulns/exiv2/PYSEC-2017-135.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-135 -modified: 2024-11-21T14:22:47.218172Z -published: 2017-09-29T01:34:00Z -aliases: -- CVE-2017-14862 -details: An Invalid memory address dereference was discovered in Exiv2::DataValue::read - in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application - crash, which leads to denial of service. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-14862 +details: An Invalid memory address dereference was discovered in Exiv2::DataValue::read + in value.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application + crash, which leads to denial of service. +id: PYSEC-2017-135 +modified: '2024-11-21T14:22:47.218172Z' +published: '2017-09-29T01:34:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1494786 @@ -54,3 +51,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-136.yaml b/vulns/exiv2/PYSEC-2017-136.yaml index 8477e28a..a0137b46 100644 --- a/vulns/exiv2/PYSEC-2017-136.yaml +++ b/vulns/exiv2/PYSEC-2017-136.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-136 -modified: 2024-11-21T14:22:47.277896Z -published: 2017-09-29T01:34:00Z -aliases: -- CVE-2017-14863 -details: A NULL pointer dereference was discovered in Exiv2::Image::printIFDStructure - in image.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application - crash, which leads to denial of service. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,14 +29,23 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-14863 +details: A NULL pointer dereference was discovered in Exiv2::Image::printIFDStructure + in image.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application + crash, which leads to denial of service. +id: PYSEC-2017-136 +modified: '2024-11-21T14:22:47.277896Z' +published: '2017-09-29T01:34:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1494443 - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1494443 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-137.yaml b/vulns/exiv2/PYSEC-2017-137.yaml index d78daad4..0364291c 100644 --- a/vulns/exiv2/PYSEC-2017-137.yaml +++ b/vulns/exiv2/PYSEC-2017-137.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-137 -modified: 2024-11-21T14:22:47.340172Z -published: 2017-09-29T01:34:00Z -aliases: -- CVE-2017-14864 -details: An Invalid memory address dereference was discovered in Exiv2::getULong in - types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application - crash, which leads to denial of service. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-14864 +details: An Invalid memory address dereference was discovered in Exiv2::getULong in + types.cpp in Exiv2 0.26. The vulnerability causes a segmentation fault and application + crash, which leads to denial of service. +id: PYSEC-2017-137 +modified: '2024-11-21T14:22:47.340172Z' +published: '2017-09-29T01:34:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1494467 @@ -54,3 +51,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-138.yaml b/vulns/exiv2/PYSEC-2017-138.yaml index a3c1376c..16023f4e 100644 --- a/vulns/exiv2/PYSEC-2017-138.yaml +++ b/vulns/exiv2/PYSEC-2017-138.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2017-138 -modified: 2024-11-21T14:22:47.398419Z -published: 2017-09-29T01:34:00Z -aliases: -- CVE-2017-14865 -details: There is a heap-based buffer overflow in the Exiv2::us2Data function of types.cpp - in Exiv2 0.26. A Crafted input will lead to a denial of service attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,12 +29,20 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-14865 +details: There is a heap-based buffer overflow in the Exiv2::us2Data function of types.cpp + in Exiv2 0.26. A Crafted input will lead to a denial of service attack. +id: PYSEC-2017-138 +modified: '2024-11-21T14:22:47.398419Z' +published: '2017-09-29T01:34:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1494778 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-139.yaml b/vulns/exiv2/PYSEC-2017-139.yaml index 84d12768..9d8baad2 100644 --- a/vulns/exiv2/PYSEC-2017-139.yaml +++ b/vulns/exiv2/PYSEC-2017-139.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2017-139 -modified: 2024-11-21T14:22:47.458235Z -published: 2017-09-29T01:34:00Z -aliases: -- CVE-2017-14866 -details: There is a heap-based buffer overflow in the Exiv2::s2Data function of types.cpp - in Exiv2 0.26. A Crafted input will lead to a denial of service attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,14 +29,22 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-14866 +details: There is a heap-based buffer overflow in the Exiv2::s2Data function of types.cpp + in Exiv2 0.26. A Crafted input will lead to a denial of service attack. +id: PYSEC-2017-139 +modified: '2024-11-21T14:22:47.458235Z' +published: '2017-09-29T01:34:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1494781 - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1494781 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-140.yaml b/vulns/exiv2/PYSEC-2017-140.yaml index c0a64ff9..6df9a685 100644 --- a/vulns/exiv2/PYSEC-2017-140.yaml +++ b/vulns/exiv2/PYSEC-2017-140.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2017-140 -modified: 2024-11-21T14:22:47.521911Z -published: 2017-12-13T22:29:00Z -aliases: -- CVE-2017-17669 -details: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk - function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote - denial of service attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-17669 +details: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk + function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote + denial of service attack. +id: PYSEC-2017-140 +modified: '2024-11-21T14:22:47.521911Z' +published: '2017-12-13T22:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/187 @@ -54,3 +51,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-141.yaml b/vulns/exiv2/PYSEC-2017-141.yaml index fbf91e5d..357839af 100644 --- a/vulns/exiv2/PYSEC-2017-141.yaml +++ b/vulns/exiv2/PYSEC-2017-141.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2017-141 -modified: 2024-11-21T14:22:47.817537Z -published: 2017-12-31T19:29:00Z -aliases: -- CVE-2017-18005 -details: Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong - function in value.cpp, related to crafted metadata in a TIFF file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-18005 +details: Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong + function in value.cpp, related to crafted metadata in a TIFF file. +id: PYSEC-2017-141 +modified: '2024-11-21T14:22:47.817537Z' +published: '2017-12-31T19:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/168 @@ -51,3 +48,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2017-142.yaml b/vulns/exiv2/PYSEC-2017-142.yaml index 3742dc59..6c84a195 100644 --- a/vulns/exiv2/PYSEC-2017-142.yaml +++ b/vulns/exiv2/PYSEC-2017-142.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2017-142 -modified: 2024-11-21T14:22:47.877232Z -published: 2017-06-26T23:29:00Z -aliases: -- CVE-2017-9953 -details: There is an invalid free in Image::printIFDStructure that leads to a Segmentation - fault in Exiv2 0.26. A crafted input will lead to a remote denial of service attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-9953 +details: There is an invalid free in Image::printIFDStructure that leads to a Segmentation + fault in Exiv2 0.26. A crafted input will lead to a remote denial of service attack. +id: PYSEC-2017-142 +modified: '2024-11-21T14:22:47.877232Z' +published: '2017-06-26T23:29:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1465061 @@ -49,3 +46,7 @@ references: url: https://bugzilla.redhat.com/show_bug.cgi?id=1465061 - type: ADVISORY url: https://bugzilla.redhat.com/show_bug.cgi?id=1465061 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-121.yaml b/vulns/exiv2/PYSEC-2018-121.yaml index c2539979..79fb6996 100644 --- a/vulns/exiv2/PYSEC-2018-121.yaml +++ b/vulns/exiv2/PYSEC-2018-121.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2018-121 -modified: 2024-11-21T14:22:47.579327Z -published: 2018-02-12T22:29:00Z -aliases: -- CVE-2017-17722 -details: In Exiv2 0.26, there is a reachable assertion in the readHeader function - in bigtiffimage.cpp, which will lead to a remote denial of service attack via a - crafted TIFF file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,14 +29,23 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-17722 +details: In Exiv2 0.26, there is a reachable assertion in the readHeader function + in bigtiffimage.cpp, which will lead to a remote denial of service attack via a + crafted TIFF file. +id: PYSEC-2018-121 +modified: '2024-11-21T14:22:47.579327Z' +published: '2018-02-12T22:29:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1524116 - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1524116 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-122.yaml b/vulns/exiv2/PYSEC-2018-122.yaml index 5a561d4a..78aae22d 100644 --- a/vulns/exiv2/PYSEC-2018-122.yaml +++ b/vulns/exiv2/PYSEC-2018-122.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2018-122 -modified: 2024-11-21T14:22:47.638668Z -published: 2018-02-12T22:29:00Z -aliases: -- CVE-2017-17723 -details: In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Image::byteSwap4 - function in image.cpp. Remote attackers can exploit this vulnerability to disclose - memory data or cause a denial of service via a crafted TIFF file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H +aliases: +- CVE-2017-17723 +details: In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Image::byteSwap4 + function in image.cpp. Remote attackers can exploit this vulnerability to disclose + memory data or cause a denial of service via a crafted TIFF file. +id: PYSEC-2018-122 +modified: '2024-11-21T14:22:47.638668Z' +published: '2018-02-12T22:29:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1524104 @@ -50,3 +47,7 @@ references: url: https://bugzilla.redhat.com/show_bug.cgi?id=1524104 - type: ADVISORY url: https://security.gentoo.org/glsa/201811-14 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-123.yaml b/vulns/exiv2/PYSEC-2018-123.yaml index aee3d16b..086094ec 100644 --- a/vulns/exiv2/PYSEC-2018-123.yaml +++ b/vulns/exiv2/PYSEC-2018-123.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2018-123 -modified: 2024-11-21T14:22:47.697229Z -published: 2018-02-12T22:29:00Z -aliases: -- CVE-2017-17724 -details: In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::IptcData::printStructure - function in iptc.cpp, related to the "!= 0x1c" case. Remote attackers can exploit - this vulnerability to cause a denial of service via a crafted TIFF file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-17724 +details: In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::IptcData::printStructure + function in iptc.cpp, related to the "!= 0x1c" case. Remote attackers can exploit + this vulnerability to cause a denial of service via a crafted TIFF file. +id: PYSEC-2018-123 +modified: '2024-11-21T14:22:47.697229Z' +published: '2018-02-12T22:29:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1524107 @@ -56,3 +53,7 @@ references: url: https://security.gentoo.org/glsa/201811-14 - type: ADVISORY url: https://access.redhat.com/errata/RHSA-2019:2101 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-124.yaml b/vulns/exiv2/PYSEC-2018-124.yaml index 63f78b30..40109e4d 100644 --- a/vulns/exiv2/PYSEC-2018-124.yaml +++ b/vulns/exiv2/PYSEC-2018-124.yaml @@ -1,24 +1,14 @@ -id: PYSEC-2018-124 -modified: 2024-11-21T14:22:47.758262Z -published: 2018-02-12T22:29:00Z -aliases: -- CVE-2017-17725 -details: In Exiv2 0.26, there is an integer overflow leading to a heap-based buffer - over-read in the Exiv2::getULong function in types.cpp. Remote attackers can exploit - the vulnerability to cause a denial of service via a crafted image file. Note that - this vulnerability is different from CVE-2017-14864, which is an invalid memory - address dereference. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -39,12 +29,19 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2017-17725 +details: In Exiv2 0.26, there is an integer overflow leading to a heap-based buffer + over-read in the Exiv2::getULong function in types.cpp. Remote attackers can exploit + the vulnerability to cause a denial of service via a crafted image file. Note that + this vulnerability is different from CVE-2017-14864, which is an invalid memory + address dereference. +id: PYSEC-2018-124 +modified: '2024-11-21T14:22:47.758262Z' +published: '2018-02-12T22:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/188 @@ -54,3 +51,7 @@ references: url: https://bugzilla.redhat.com/show_bug.cgi?id=1525055 - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1525055 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-125.yaml b/vulns/exiv2/PYSEC-2018-125.yaml index d9497059..d5124539 100644 --- a/vulns/exiv2/PYSEC-2018-125.yaml +++ b/vulns/exiv2/PYSEC-2018-125.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2018-125 -modified: 2024-11-21T14:22:47.938221Z -published: 2018-05-07T07:29:00Z -aliases: -- CVE-2018-10780 -details: Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-based buffer - over-read. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-10780 +details: Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-based buffer + over-read. +id: PYSEC-2018-125 +modified: '2024-11-21T14:22:47.938221Z' +published: '2018-05-07T07:29:00Z' references: - type: EVIDENCE url: https://bugzilla.redhat.com/show_bug.cgi?id=1575201 @@ -49,3 +46,7 @@ references: url: https://bugzilla.redhat.com/show_bug.cgi?id=1575201 - type: ADVISORY url: https://security.gentoo.org/glsa/201811-14 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-126.yaml b/vulns/exiv2/PYSEC-2018-126.yaml index 6fa66bf1..2459342a 100644 --- a/vulns/exiv2/PYSEC-2018-126.yaml +++ b/vulns/exiv2/PYSEC-2018-126.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2018-126 -modified: 2024-11-21T14:22:47.998655Z -published: 2018-05-10T02:29:00Z -aliases: -- CVE-2018-10958 -details: In types.cpp in Exiv2 0.26, a large size value may lead to a SIGABRT during - an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress - call. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-10958 +details: In types.cpp in Exiv2 0.26, a large size value may lead to a SIGABRT during + an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress + call. +id: PYSEC-2018-126 +modified: '2024-11-21T14:22:47.998655Z' +published: '2018-05-10T02:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/302 @@ -64,3 +61,7 @@ references: url: https://security.gentoo.org/glsa/201811-14 - type: ADVISORY url: https://access.redhat.com/errata/RHSA-2019:2101 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-127.yaml b/vulns/exiv2/PYSEC-2018-127.yaml index 0ebcc006..5191478b 100644 --- a/vulns/exiv2/PYSEC-2018-127.yaml +++ b/vulns/exiv2/PYSEC-2018-127.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2018-127 -modified: 2024-11-21T14:22:48.062891Z -published: 2018-05-12T04:29:00Z -aliases: -- CVE-2018-10998 -details: An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp allows - remote attackers to cause a denial of service (SIGABRT) by triggering an incorrect - Safe::add call. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-10998 +details: An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp allows + remote attackers to cause a denial of service (SIGABRT) by triggering an incorrect + Safe::add call. +id: PYSEC-2018-127 +modified: '2024-11-21T14:22:48.062891Z' +published: '2018-05-12T04:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/303 @@ -60,3 +57,7 @@ references: url: https://security.gentoo.org/glsa/201811-14 - type: ADVISORY url: https://access.redhat.com/errata/RHSA-2019:2101 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-128.yaml b/vulns/exiv2/PYSEC-2018-128.yaml index b7bc5e5a..56828c90 100644 --- a/vulns/exiv2/PYSEC-2018-128.yaml +++ b/vulns/exiv2/PYSEC-2018-128.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2018-128 -modified: 2024-11-21T14:22:48.18647Z -published: 2018-05-12T04:29:00Z -aliases: -- CVE-2018-10999 -details: An issue was discovered in Exiv2 0.26. The Exiv2::Internal::PngChunk::parseTXTChunk - function has a heap-based buffer over-read. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-10999 +details: An issue was discovered in Exiv2 0.26. The Exiv2::Internal::PngChunk::parseTXTChunk + function has a heap-based buffer over-read. +id: PYSEC-2018-128 +modified: '2024-11-21T14:22:48.18647Z' +published: '2018-05-12T04:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/306 @@ -61,3 +58,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2018/10/msg00012.html - type: ADVISORY url: https://security.gentoo.org/glsa/201811-14 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-129.yaml b/vulns/exiv2/PYSEC-2018-129.yaml index c73dbf5d..8b04098b 100644 --- a/vulns/exiv2/PYSEC-2018-129.yaml +++ b/vulns/exiv2/PYSEC-2018-129.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2018-129 -modified: 2024-11-21T14:22:48.247062Z -published: 2018-05-14T03:29:00Z -aliases: -- CVE-2018-11037 -details: In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimage.cpp - allows remote attackers to cause an information leak via a crafted file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N +aliases: +- CVE-2018-11037 +details: In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimage.cpp + allows remote attackers to cause an information leak via a crafted file. +id: PYSEC-2018-129 +modified: '2024-11-21T14:22:48.247062Z' +published: '2018-05-14T03:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/307 @@ -51,3 +48,7 @@ references: url: https://security.gentoo.org/glsa/201811-14 - type: ADVISORY url: https://access.redhat.com/errata/RHSA-2019:2101 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-130.yaml b/vulns/exiv2/PYSEC-2018-130.yaml index 5e3c3447..c15229dd 100644 --- a/vulns/exiv2/PYSEC-2018-130.yaml +++ b/vulns/exiv2/PYSEC-2018-130.yaml @@ -1,20 +1,14 @@ -id: PYSEC-2018-130 -modified: 2024-11-21T14:22:48.306556Z -published: 2018-05-29T07:29:00Z -aliases: -- CVE-2018-11531 -details: Exiv2 0.26 has a heap-based buffer overflow in getData in preview.cpp. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -35,12 +29,15 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2018-11531 +details: Exiv2 0.26 has a heap-based buffer overflow in getData in preview.cpp. +id: PYSEC-2018-130 +modified: '2024-11-21T14:22:48.306556Z' +published: '2018-05-29T07:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/283 
@@ -56,3 +53,7 @@ references: url: https://usn.ubuntu.com/3700-1/ - type: ADVISORY url: https://security.gentoo.org/glsa/201811-14 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-131.yaml b/vulns/exiv2/PYSEC-2018-131.yaml index 210f6f5a..1e134fc6 100644 --- a/vulns/exiv2/PYSEC-2018-131.yaml +++ b/vulns/exiv2/PYSEC-2018-131.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2018-131 -modified: 2024-11-21T14:22:48.369854Z -published: 2018-06-13T11:29:00Z -aliases: -- CVE-2018-12264 -details: Exiv2 0.26 has integer overflows in LoaderTiff::getData() in preview.cpp, - leading to an out-of-bounds read in Exiv2::ValueType::setDataArea in value.hpp. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2018-12264 +details: Exiv2 0.26 has integer overflows in LoaderTiff::getData() in preview.cpp, + leading to an out-of-bounds read in Exiv2::ValueType::setDataArea in value.hpp. +id: PYSEC-2018-131 +modified: '2024-11-21T14:22:48.369854Z' +published: '2018-06-13T11:29:00Z' references: - type: EVIDENCE url: https://github.com/TeamSeri0us/pocs/blob/master/exiv2/2-out-of-read-Poc @@ -63,3 +60,7 @@ references: url: https://access.redhat.com/errata/RHSA-2019:2101 - type: WEB url: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00009.html +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-132.yaml b/vulns/exiv2/PYSEC-2018-132.yaml index 1d173ed8..ec8f74d5 100644 
--- a/vulns/exiv2/PYSEC-2018-132.yaml +++ b/vulns/exiv2/PYSEC-2018-132.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2018-132 -modified: 2024-11-21T14:22:48.43262Z -published: 2018-06-13T11:29:00Z -aliases: -- CVE-2018-12265 -details: Exiv2 0.26 has an integer overflow in the LoaderExifJpeg class in preview.cpp, - leading to an out-of-bounds read in Exiv2::MemIo::read in basicio.cpp. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2018-12265 +details: Exiv2 0.26 has an integer overflow in the LoaderExifJpeg class in preview.cpp, + leading to an out-of-bounds read in Exiv2::MemIo::read in basicio.cpp. +id: PYSEC-2018-132 +modified: '2024-11-21T14:22:48.43262Z' +published: '2018-06-13T11:29:00Z' references: - type: EVIDENCE url: https://github.com/TeamSeri0us/pocs/blob/master/exiv2/1-out-of-read-Poc @@ -63,3 +60,7 @@ references: url: https://access.redhat.com/errata/RHSA-2019:2101 - type: WEB url: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00009.html +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-133.yaml b/vulns/exiv2/PYSEC-2018-133.yaml index 7f5ffedd..8c4da588 100644 --- a/vulns/exiv2/PYSEC-2018-133.yaml +++ b/vulns/exiv2/PYSEC-2018-133.yaml 
@@ -1,21 +1,14 @@ -id: PYSEC-2018-133 -modified: 2024-11-21T14:22:48.493339Z -published: 2018-07-13T15:29:00Z -aliases: -- CVE-2018-14046 -details: Exiv2 0.26 has a heap-based buffer over-read in WebPImage::decodeChunks in - webpimage.cpp. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2018-14046 +details: Exiv2 0.26 has a heap-based buffer over-read in WebPImage::decodeChunks in + webpimage.cpp. +id: PYSEC-2018-133 +modified: '2024-11-21T14:22:48.493339Z' +published: '2018-07-13T15:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/378 @@ -49,3 +46,7 @@ references: url: https://github.com/Exiv2/exiv2/issues/378 - type: ADVISORY url: https://access.redhat.com/errata/RHSA-2019:2101 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-134.yaml b/vulns/exiv2/PYSEC-2018-134.yaml index c1c1f45a..8d8faa7e 100644 --- a/vulns/exiv2/PYSEC-2018-134.yaml +++ b/vulns/exiv2/PYSEC-2018-134.yaml 
@@ -1,22 +1,14 @@ -id: PYSEC-2018-134 -modified: 2024-11-21T14:22:48.55081Z -published: 2018-07-17T12:29:00Z -aliases: -- CVE-2018-14338 -details: samples/geotag.cpp in the example code of Exiv2 0.26 misuses the realpath - function on POSIX platforms (other than Apple platforms) where glibc is not used, - possibly leading to a buffer overflow. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2018-14338 +details: samples/geotag.cpp in the example code of Exiv2 0.26 misuses the realpath + function on POSIX platforms (other than Apple platforms) where glibc is not used, + possibly leading to a buffer overflow. +id: PYSEC-2018-134 +modified: '2024-11-21T14:22:48.55081Z' +published: '2018-07-17T12:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/382 @@ -50,3 +47,7 @@ references: url: https://github.com/Exiv2/exiv2/issues/382 - type: REPORT url: https://github.com/Exiv2/exiv2/issues/382 +severity: +- score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-135.yaml b/vulns/exiv2/PYSEC-2018-135.yaml index b76b88e3..14dae8b3 100644 --- a/vulns/exiv2/PYSEC-2018-135.yaml +++ b/vulns/exiv2/PYSEC-2018-135.yaml 
@@ -1,22 +1,14 @@ -id: PYSEC-2018-135 -modified: 2024-11-21T14:22:48.611777Z -published: 2018-09-02T03:29:00Z -aliases: -- CVE-2018-16336 -details: Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackers - to cause a denial of service (heap-based buffer over-read) via a crafted image file, - a different vulnerability than CVE-2018-10999. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-16336 +details: Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackers + to cause a denial of service (heap-based buffer over-read) via a crafted image file, + a different vulnerability than CVE-2018-10999. +id: PYSEC-2018-135 +modified: '2024-11-21T14:22:48.611777Z' +published: '2018-09-02T03:29:00Z' references: - type: REPORT url: https://github.com/Exiv2/exiv2/issues/400 @@ -52,3 +49,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2018/10/msg00012.html - type: WEB url: https://usn.ubuntu.com/3852-1/ +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-136.yaml b/vulns/exiv2/PYSEC-2018-136.yaml index 43bf96da..0837aec4 100644 --- a/vulns/exiv2/PYSEC-2018-136.yaml +++ b/vulns/exiv2/PYSEC-2018-136.yaml 
@@ -1,21 +1,14 @@ -id: PYSEC-2018-136 -modified: 2024-11-21T14:22:48.67141Z -published: 2018-09-19T22:29:00Z -aliases: -- CVE-2018-17229 -details: Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause - a denial of service (heap-based buffer overflow) via a crafted image file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-17229 +details: Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause + a denial of service (heap-based buffer overflow) via a crafted image file. +id: PYSEC-2018-136 +modified: '2024-11-21T14:22:48.67141Z' +published: '2018-09-19T22:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/453 @@ -49,3 +46,7 @@ references: url: https://github.com/Exiv2/exiv2/issues/453 - type: WEB url: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00009.html +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-137.yaml b/vulns/exiv2/PYSEC-2018-137.yaml index ea51ac1d..a6b6c6de 100644 --- a/vulns/exiv2/PYSEC-2018-137.yaml +++ b/vulns/exiv2/PYSEC-2018-137.yaml 
@@ -1,21 +1,14 @@ -id: PYSEC-2018-137 -modified: 2024-11-21T14:22:48.732242Z -published: 2018-09-19T22:29:00Z -aliases: -- CVE-2018-17230 -details: Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause - a denial of service (heap-based buffer overflow) via a crafted image file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-17230 +details: Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attackers to cause + a denial of service (heap-based buffer overflow) via a crafted image file. +id: PYSEC-2018-137 +modified: '2024-11-21T14:22:48.732242Z' +published: '2018-09-19T22:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/455 @@ -49,3 +46,7 @@ references: url: https://github.com/Exiv2/exiv2/issues/455 - type: WEB url: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00009.html +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-138.yaml b/vulns/exiv2/PYSEC-2018-138.yaml index c36dfadd..79f39ba5 100644 --- a/vulns/exiv2/PYSEC-2018-138.yaml +++ b/vulns/exiv2/PYSEC-2018-138.yaml 
@@ -1,21 +1,14 @@ -id: PYSEC-2018-138 -modified: 2024-11-21T14:22:48.791028Z -published: 2018-09-20T20:29:00Z -aliases: -- CVE-2018-17282 -details: An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy - in value.cpp has a NULL pointer dereference. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-17282 +details: An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy + in value.cpp has a NULL pointer dereference. +id: PYSEC-2018-138 +modified: '2024-11-21T14:22:48.791028Z' +published: '2018-09-20T20:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/457 @@ -51,3 +48,7 @@ references: url: https://access.redhat.com/errata/RHSA-2019:2101 - type: WEB url: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00009.html +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-139.yaml b/vulns/exiv2/PYSEC-2018-139.yaml index fa98d291..9524a15f 100644 --- a/vulns/exiv2/PYSEC-2018-139.yaml +++ b/vulns/exiv2/PYSEC-2018-139.yaml 
@@ -1,21 +1,14 @@ -id: PYSEC-2018-139 -modified: 2024-11-21T14:22:48.850406Z -published: 2018-09-28T09:29:00Z -aliases: -- CVE-2018-17581 -details: CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive - stack consumption due to a recursive function, leading to Denial of service. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-17581 +details: CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive + stack consumption due to a recursive function, leading to Denial of service. +id: PYSEC-2018-139 +modified: '2024-11-21T14:22:48.850406Z' +published: '2018-09-28T09:29:00Z' references: - type: EVIDENCE url: https://github.com/SegfaultMasters/covering360/blob/master/Exiv2 @@ -67,3 +64,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-140.yaml b/vulns/exiv2/PYSEC-2018-140.yaml index a010c9bb..b4dc84ff 100644 --- a/vulns/exiv2/PYSEC-2018-140.yaml +++ b/vulns/exiv2/PYSEC-2018-140.yaml 
@@ -1,22 +1,14 @@ -id: PYSEC-2018-140 -modified: 2024-11-21T14:22:48.914006Z -published: 2018-11-03T04:29:00Z -aliases: -- CVE-2018-18915 -details: There is an infinite loop in the Exiv2::Image::printIFDStructure function - of image.cpp in Exiv2 0.27-RC1. A crafted input will lead to a remote denial of - service attack. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-18915 +details: There is an infinite loop in the Exiv2::Image::printIFDStructure function + of image.cpp in Exiv2 0.27-RC1. A crafted input will lead to a remote denial of + service attack. +id: PYSEC-2018-140 +modified: '2024-11-21T14:22:48.914006Z' +published: '2018-11-03T04:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/511 @@ -52,3 +49,7 @@ references: url: https://github.com/Exiv2/exiv2/issues/511 - type: ADVISORY url: https://access.redhat.com/errata/RHSA-2019:2101 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-141.yaml b/vulns/exiv2/PYSEC-2018-141.yaml index 19eeec83..f57ca03f 100644 --- a/vulns/exiv2/PYSEC-2018-141.yaml +++ b/vulns/exiv2/PYSEC-2018-141.yaml 
@@ -1,22 +1,14 @@ -id: PYSEC-2018-141 -modified: 2024-11-21T14:22:48.973676Z -published: 2018-11-08T08:29:00Z -aliases: -- CVE-2018-19107 -details: In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp - in the PSD image reader) may suffer from a denial of service (heap-based buffer - over-read) caused by an integer overflow via a crafted PSD image file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-19107 +details: In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp + in the PSD image reader) may suffer from a denial of service (heap-based buffer + over-read) caused by an integer overflow via a crafted PSD image file. +id: PYSEC-2018-141 +modified: '2024-11-21T14:22:48.973676Z' +published: '2018-11-08T08:29:00Z' references: - type: FIX url: https://github.com/Exiv2/exiv2/pull/518 @@ -62,3 +59,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-142.yaml b/vulns/exiv2/PYSEC-2018-142.yaml index 8e0853f6..d646dc19 100644 --- a/vulns/exiv2/PYSEC-2018-142.yaml +++ b/vulns/exiv2/PYSEC-2018-142.yaml 
@@ -1,22 +1,14 @@ -id: PYSEC-2018-142 -modified: 2024-11-21T14:22:49.03444Z -published: 2018-11-08T08:29:00Z -aliases: -- CVE-2018-19108 -details: In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image - reader may suffer from a denial of service (infinite loop) caused by an integer - overflow via a crafted PSD image file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-19108 +details: In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image + reader may suffer from a denial of service (infinite loop) caused by an integer + overflow via a crafted PSD image file. +id: PYSEC-2018-142 +modified: '2024-11-21T14:22:49.03444Z' +published: '2018-11-08T08:29:00Z' references: - type: FIX url: https://github.com/Exiv2/exiv2/pull/518 @@ -66,3 +63,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-143.yaml b/vulns/exiv2/PYSEC-2018-143.yaml index d775adcf..ec61431b 100644 --- a/vulns/exiv2/PYSEC-2018-143.yaml +++ b/vulns/exiv2/PYSEC-2018-143.yaml 
@@ -1,22 +1,14 @@ -id: PYSEC-2018-143 -modified: 2024-11-21T14:22:49.094932Z -published: 2018-11-27T07:29:00Z -aliases: -- CVE-2018-19607 -details: Exiv2::isoSpeed in easyaccess.cpp in Exiv2 v0.27-RC2 allows remote attackers - to cause a denial of service (NULL pointer dereference and application crash) via - a crafted file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-19607 +details: Exiv2::isoSpeed in easyaccess.cpp in Exiv2 v0.27-RC2 allows remote attackers + to cause a denial of service (NULL pointer dereference and application crash) via + a crafted file. +id: PYSEC-2018-143 +modified: '2024-11-21T14:22:49.094932Z' +published: '2018-11-27T07:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/561 @@ -54,3 +51,7 @@ references: url: https://access.redhat.com/errata/RHSA-2019:2101 - type: WEB url: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00009.html +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-144.yaml b/vulns/exiv2/PYSEC-2018-144.yaml index 2a139c2e..8a37ccff 100644 --- a/vulns/exiv2/PYSEC-2018-144.yaml +++ b/vulns/exiv2/PYSEC-2018-144.yaml 
@@ -1,22 +1,14 @@ -id: PYSEC-2018-144 -modified: 2024-11-21T14:22:49.165596Z -published: 2018-01-03T09:29:00Z -aliases: -- CVE-2018-4868 -details: The Exiv2::Jp2Image::readMetadata function in jp2image.cpp in Exiv2 0.26 - allows remote attackers to cause a denial of service (excessive memory allocation) - via a crafted file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-4868 +details: The Exiv2::Jp2Image::readMetadata function in jp2image.cpp in Exiv2 0.26 + allows remote attackers to cause a denial of service (excessive memory allocation) + via a crafted file. +id: PYSEC-2018-144 +modified: '2024-11-21T14:22:49.165596Z' +published: '2018-01-03T09:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/202 @@ -52,3 +49,7 @@ references: url: http://www.securityfocus.com/bid/102477 - type: ADVISORY url: http://www.securityfocus.com/bid/102477 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-145.yaml b/vulns/exiv2/PYSEC-2018-145.yaml index c82f6d59..e2d97971 100644 --- a/vulns/exiv2/PYSEC-2018-145.yaml +++ b/vulns/exiv2/PYSEC-2018-145.yaml 
@@ -1,23 +1,14 @@ -id: PYSEC-2018-145 -modified: 2024-11-21T14:22:49.222538Z -published: 2018-01-18T07:29:00Z -aliases: -- CVE-2018-5772 -details: In Exiv2 0.26, there is a segmentation fault caused by uncontrolled recursion - in the Exiv2::Image::printIFDStructure function in the image.cpp file. Remote attackers - could leverage this vulnerability to cause a denial of service via a crafted tif - file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -38,12 +29,18 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-5772 +details: In Exiv2 0.26, there is a segmentation fault caused by uncontrolled recursion + in the Exiv2::Image::printIFDStructure function in the image.cpp file. Remote attackers + could leverage this vulnerability to cause a denial of service via a crafted tif + file. +id: PYSEC-2018-145 +modified: '2024-11-21T14:22:49.222538Z' +published: '2018-01-18T07:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/216 @@ -55,3 +52,7 @@ references: url: http://www.securityfocus.com/bid/102789 - type: ADVISORY url: https://security.gentoo.org/glsa/201811-14 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-146.yaml b/vulns/exiv2/PYSEC-2018-146.yaml index d4ca96fe..446f7ec0 100644 --- a/vulns/exiv2/PYSEC-2018-146.yaml +++ b/vulns/exiv2/PYSEC-2018-146.yaml 
@@ -1,22 +1,14 @@ -id: PYSEC-2018-146 -modified: 2024-11-21T14:22:49.282911Z -published: 2018-03-25T03:29:00Z -aliases: -- CVE-2018-8976 -details: In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of - service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted - file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-8976 +details: In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of + service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted + file. +id: PYSEC-2018-146 +modified: '2024-11-21T14:22:49.282911Z' +published: '2018-03-25T03:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/246 @@ -58,3 +55,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-147.yaml b/vulns/exiv2/PYSEC-2018-147.yaml index 81f4668b..22bda255 100644 --- a/vulns/exiv2/PYSEC-2018-147.yaml +++ b/vulns/exiv2/PYSEC-2018-147.yaml 
@@ -1,22 +1,14 @@ -id: PYSEC-2018-147 -modified: 2024-11-21T14:22:49.341312Z -published: 2018-03-25T03:29:00Z -aliases: -- CVE-2018-8977 -details: In Exiv2 0.26, the Exiv2::Internal::printCsLensFFFF function in canonmn_int.cpp - allows remote attackers to cause a denial of service (invalid memory access) via - a crafted file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-8977 +details: In Exiv2 0.26, the Exiv2::Internal::printCsLensFFFF function in canonmn_int.cpp + allows remote attackers to cause a denial of service (invalid memory access) via + a crafted file. +id: PYSEC-2018-147 +modified: '2024-11-21T14:22:49.341312Z' +published: '2018-03-25T03:29:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/247 @@ -54,3 +51,7 @@ references: url: https://security.gentoo.org/glsa/201811-14 - type: ADVISORY url: https://access.redhat.com/errata/RHSA-2019:2101 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2018-148.yaml b/vulns/exiv2/PYSEC-2018-148.yaml index e45fc8d0..ec86b00e 100644 --- a/vulns/exiv2/PYSEC-2018-148.yaml +++ b/vulns/exiv2/PYSEC-2018-148.yaml 
@@ -1,23 +1,14 @@ -id: PYSEC-2018-148 -modified: 2024-11-21T14:22:49.400819Z -published: 2018-03-30T08:29:00Z -aliases: -- CVE-2018-9145 -details: 'In the DataBuf class in include/exiv2/types.hpp in Exiv2 0.26, an issue - exists in the constructor with an initial buffer size. A large size value may lead - to a SIGABRT during an attempt at memory allocation. NOTE: some third parties have - been unable to reproduce the SIGABRT when using the 4-DataBuf-abort-1 PoC file.' affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -38,12 +29,18 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-9145 +details: 'In the DataBuf class in include/exiv2/types.hpp in Exiv2 0.26, an issue + exists in the constructor with an initial buffer size. A large size value may lead + to a SIGABRT during an attempt at memory allocation. NOTE: some third parties have + been unable to reproduce the SIGABRT when using the 4-DataBuf-abort-1 PoC file.' +id: PYSEC-2018-148 +modified: '2024-11-21T14:22:49.400819Z' +published: '2018-03-30T08:29:00Z' references: - type: EVIDENCE url: https://github.com/xiaoqx/pocs/tree/master/exiv2 @@ -55,3 +52,7 @@ references: url: https://bugzilla.novell.com/show_bug.cgi?id=1087879 - type: ADVISORY url: https://security.gentoo.org/glsa/201811-14 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2019-244.yaml b/vulns/exiv2/PYSEC-2019-244.yaml index b27c7b06..52e233e0 100644 --- a/vulns/exiv2/PYSEC-2019-244.yaml +++ b/vulns/exiv2/PYSEC-2019-244.yaml 
@@ -1,21 +1,14 @@ -id: PYSEC-2019-244 -modified: 2024-11-21T14:22:49.479201Z -published: 2019-07-28T19:15:00Z -aliases: -- CVE-2019-14368 -details: Exiv2 0.27.99.0 has a heap-based buffer over-read in Exiv2::RafImage::readMetadata() - in rafimage.cpp. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,14 +29,22 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2019-14368 +details: Exiv2 0.27.99.0 has a heap-based buffer over-read in Exiv2::RafImage::readMetadata() + in rafimage.cpp. +id: PYSEC-2019-244 +modified: '2024-11-21T14:22:49.479201Z' +published: '2019-07-28T19:15:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/952 - type: REPORT url: https://github.com/Exiv2/exiv2/issues/952 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2019-245.yaml b/vulns/exiv2/PYSEC-2019-245.yaml index b3b24d45..aa28d875 100644 --- a/vulns/exiv2/PYSEC-2019-245.yaml +++ b/vulns/exiv2/PYSEC-2019-245.yaml @@ -1,22 +1,14 @@ -id: PYSEC-2019-245 -modified: 2024-11-21T14:22:49.538663Z -published: 2019-07-28T19:15:00Z -aliases: -- CVE-2019-14369 -details: Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0 allows - attackers to cause a denial of service (heap-based buffer over-read) via a crafted - image file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2019-14369 +details: Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0 allows + attackers to cause a denial of service (heap-based buffer over-read) via a crafted + image file. +id: PYSEC-2019-245 +modified: '2024-11-21T14:22:49.538663Z' +published: '2019-07-28T19:15:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/953 @@ -52,3 +49,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2019-246.yaml b/vulns/exiv2/PYSEC-2019-246.yaml index 3b819c7c..7f4b327e 100644 --- a/vulns/exiv2/PYSEC-2019-246.yaml +++ b/vulns/exiv2/PYSEC-2019-246.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2019-246 -modified: 2024-11-21T14:22:49.597801Z -published: 2019-07-28T19:15:00Z -aliases: -- CVE-2019-14370 -details: In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::MrwImage::readMetadata() - in mrwimage.cpp. It could result in denial of service. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2019-14370 +details: In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::MrwImage::readMetadata() + in mrwimage.cpp. It could result in denial of service. +id: PYSEC-2019-246 +modified: '2024-11-21T14:22:49.597801Z' +published: '2019-07-28T19:15:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/954 @@ -51,3 +48,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2019-247.yaml b/vulns/exiv2/PYSEC-2019-247.yaml index 1c6de04c..d0e46a6d 100644 --- a/vulns/exiv2/PYSEC-2019-247.yaml +++ b/vulns/exiv2/PYSEC-2019-247.yaml @@ -1,23 +1,14 @@ -id: PYSEC-2019-247 -modified: 2024-11-21T14:22:49.656989Z -published: 2019-10-09T19:15:00Z -aliases: -- CVE-2019-17402 -details: Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp - when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, - because there is no validation of the relationship of the total size to the offset - and size. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -38,12 +29,18 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2019-17402 +details: Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp + when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, + because there is no validation of the relationship of the total size to the offset + and size. +id: PYSEC-2019-247 +modified: '2024-11-21T14:22:49.656989Z' +published: '2019-10-09T19:15:00Z' references: - type: REPORT url: https://github.com/Exiv2/exiv2/issues/1019 @@ -57,3 +54,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2019-248.yaml b/vulns/exiv2/PYSEC-2019-248.yaml index 427c1464..678fae58 100644 --- a/vulns/exiv2/PYSEC-2019-248.yaml +++ b/vulns/exiv2/PYSEC-2019-248.yaml @@ -1,23 +1,14 @@ -id: PYSEC-2019-248 -modified: 2024-11-21T14:22:49.79084Z -published: 2019-02-25T15:29:00Z -aliases: -- CVE-2019-9143 -details: An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure - in the file image.cpp. This can be triggered by a crafted file. It allows an attacker - to cause Denial of Service (Segmentation fault) or possibly have unspecified other - impact. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -38,12 +29,18 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2019-9143 +details: An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure + in the file image.cpp. This can be triggered by a crafted file. It allows an attacker + to cause Denial of Service (Segmentation fault) or possibly have unspecified other + impact. +id: PYSEC-2019-248 +modified: '2024-11-21T14:22:49.79084Z' +published: '2019-02-25T15:29:00Z' references: - type: EVIDENCE url: https://research.loginsoft.com/bugs/uncontrolled-recursion-loop-in-exiv2imageprinttiffstructure-exiv2-0-27/ @@ -57,3 +54,7 @@ references: url: http://www.securityfocus.com/bid/107161 - type: ADVISORY url: http://www.securityfocus.com/bid/107161 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2019-249.yaml b/vulns/exiv2/PYSEC-2019-249.yaml index dc815d15..77684a56 100644 --- a/vulns/exiv2/PYSEC-2019-249.yaml +++ b/vulns/exiv2/PYSEC-2019-249.yaml @@ -1,23 +1,14 @@ -id: PYSEC-2019-249 -modified: 2024-11-21T14:22:49.85073Z -published: 2019-02-25T15:29:00Z -aliases: -- CVE-2019-9144 -details: An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD - in the file bigtiffimage.cpp. This can be triggered by a crafted file. It allows - an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified - other impact. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 
@@ -38,12 +29,18 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2019-9144 +details: An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD + in the file bigtiffimage.cpp. This can be triggered by a crafted file. It allows + an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified + other impact. +id: PYSEC-2019-249 +modified: '2024-11-21T14:22:49.85073Z' +published: '2019-02-25T15:29:00Z' references: - type: EVIDENCE url: https://research.loginsoft.com/bugs/uncontrolled-recursion-loop-in-exiv2anonymous-namespacebigtiffimageprintifd-exiv2-0-27/ @@ -57,3 +54,7 @@ references: url: http://www.securityfocus.com/bid/107161 - type: ADVISORY url: http://www.securityfocus.com/bid/107161 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2020-344.yaml b/vulns/exiv2/PYSEC-2020-344.yaml index f6646626..ed8e61f7 100644 --- a/vulns/exiv2/PYSEC-2020-344.yaml +++ b/vulns/exiv2/PYSEC-2020-344.yaml 
@@ -1,27 +1,19 @@ -id: PYSEC-2020-344 -modified: 2024-11-21T14:22:49.729892Z -published: 2020-01-27T05:15:00Z -aliases: -- CVE-2019-20421 -details: In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file - can result in an infinite loop and hang, with high CPU consumption. Remote attackers - could leverage this vulnerability to cause a denial of service via a crafted file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: a82098f4f90cd86297131b5663c3dec6a34470e8 repo: https://github.com/Exiv2/exiv2 - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -42,12 +34,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2019-20421 +details: In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file + can result in an infinite loop and hang, with high CPU consumption. Remote attackers + could leverage this vulnerability to cause a denial of service via a crafted file. +id: PYSEC-2020-344 +modified: '2024-11-21T14:22:49.729892Z' +published: '2020-01-27T05:15:00Z' references: - type: FIX url: https://github.com/Exiv2/exiv2/commit/a82098f4f90cd86297131b5663c3dec6a34470e8 @@ -65,3 +62,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2021/08/msg00028.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2021/08/msg00028.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2021-882.yaml b/vulns/exiv2/PYSEC-2021-882.yaml index 903b59a0..f0fcd787 100644 --- a/vulns/exiv2/PYSEC-2021-882.yaml +++ b/vulns/exiv2/PYSEC-2021-882.yaml 
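Review bot: PYSEC-2020-344 is not unbounded in the same way as the other records: its GIT range carries `fixed: a82098f4f90cd86297131b5663c3dec6a34470e8`, and only the ECOSYSTEM range has a lone `introduced: '0'`. Withdrawing the whole record also hides that fix commit from consumers that match on git ranges. If the intent is only to stop flagging every PyPI release, it looks safer to correct or drop the ECOSYSTEM range and keep the advisory live; if the withdrawal is deliberate, a short note in the commit description on why bounded GIT data is discarded would help later audits.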
@@ -1,21 +1,14 @@ -id: PYSEC-2021-882 -modified: 2024-11-21T14:22:49.911764Z -published: 2021-08-23T22:15:00Z -aliases: -- CVE-2020-18771 -details: Exiv2 0.27.99.0 has a global buffer over-read in Exiv2::Internal::Nikon1MakerNote::print0x0088 - in nikonmn_int.cpp which can result in an information leak. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H +aliases: +- CVE-2020-18771 +details: Exiv2 0.27.99.0 has a global buffer over-read in Exiv2::Internal::Nikon1MakerNote::print0x0088 + in nikonmn_int.cpp which can result in an information leak. +id: PYSEC-2021-882 +modified: '2024-11-21T14:22:49.911764Z' +published: '2021-08-23T22:15:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/756 @@ -55,3 +52,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html - type: ADVISORY url: https://security.gentoo.org/glsa/202312-06 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2021-883.yaml b/vulns/exiv2/PYSEC-2021-883.yaml index 2be2813f..df33a510 100644 --- a/vulns/exiv2/PYSEC-2021-883.yaml +++ b/vulns/exiv2/PYSEC-2021-883.yaml 
@@ -1,21 +1,14 @@ -id: PYSEC-2021-883 -modified: 2024-11-21T14:22:49.973408Z -published: 2021-08-23T22:15:00Z -aliases: -- CVE-2020-18773 -details: An invalid memory access in the decode function in iptc.cpp of Exiv2 0.27.99.0 - allows attackers to cause a denial of service (DOS) via a crafted tif file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2020-18773 +details: An invalid memory access in the decode function in iptc.cpp of Exiv2 0.27.99.0 + allows attackers to cause a denial of service (DOS) via a crafted tif file. +id: PYSEC-2021-883 +modified: '2024-11-21T14:22:49.973408Z' +published: '2021-08-23T22:15:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/760 @@ -49,3 +46,7 @@ references: url: https://github.com/Exiv2/exiv2/issues/760 - type: ADVISORY url: https://security.gentoo.org/glsa/202312-06 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2021-884.yaml b/vulns/exiv2/PYSEC-2021-884.yaml index 91fb940b..f40c79c2 100644 --- a/vulns/exiv2/PYSEC-2021-884.yaml +++ b/vulns/exiv2/PYSEC-2021-884.yaml 
@@ -1,22 +1,14 @@ -id: PYSEC-2021-884 -modified: 2024-11-21T14:22:50.034285Z -published: 2021-08-23T22:15:00Z -aliases: -- CVE-2020-18774 -details: A float point exception in the printLong function in tags_int.cpp of Exiv2 - 0.27.99.0 allows attackers to cause a denial of service (DOS) via a crafted tif - file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -37,12 +29,17 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2020-18774 +details: A float point exception in the printLong function in tags_int.cpp of Exiv2 + 0.27.99.0 allows attackers to cause a denial of service (DOS) via a crafted tif + file. +id: PYSEC-2021-884 +modified: '2024-11-21T14:22:50.034285Z' +published: '2021-08-23T22:15:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/759 @@ -50,3 +47,7 @@ references: url: https://github.com/Exiv2/exiv2/issues/759 - type: ADVISORY url: https://security.gentoo.org/glsa/202312-06 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2021-885.yaml b/vulns/exiv2/PYSEC-2021-885.yaml index e03204e1..ad0576e5 100644 --- a/vulns/exiv2/PYSEC-2021-885.yaml +++ b/vulns/exiv2/PYSEC-2021-885.yaml 
@@ -1,21 +1,14 @@ -id: PYSEC-2021-885 -modified: 2024-11-21T14:22:50.094265Z -published: 2021-08-19T22:15:00Z -aliases: -- CVE-2020-18898 -details: A stack exhaustion issue in the printIFDStructure function of Exiv2 0.27 - allows remote attackers to cause a denial of service (DOS) via a crafted file. affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2020-18898 +details: A stack exhaustion issue in the printIFDStructure function of Exiv2 0.27 + allows remote attackers to cause a denial of service (DOS) via a crafted file. +id: PYSEC-2021-885 +modified: '2024-11-21T14:22:50.094265Z' +published: '2021-08-19T22:15:00Z' references: - type: EVIDENCE url: https://github.com/Exiv2/exiv2/issues/741 @@ -49,3 +46,7 @@ references: url: https://github.com/Exiv2/exiv2/issues/741 - type: WEB url: https://cwe.mitre.org/data/definitions/674.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exiv2/PYSEC-2021-886.yaml b/vulns/exiv2/PYSEC-2021-886.yaml index a15bccc2..caff515a 100644 --- a/vulns/exiv2/PYSEC-2021-886.yaml +++ b/vulns/exiv2/PYSEC-2021-886.yaml 
@@ -1,21 +1,14 @@ -id: PYSEC-2021-886 -modified: 2024-11-21T14:22:50.153222Z -published: 2021-07-13T22:15:00Z -aliases: -- CVE-2020-19716 -details: A buffer overflow vulnerability in the Databuf function in types.cpp of Exiv2 - v0.27.1 leads to a denial of service (DOS). affected: - package: ecosystem: PyPI name: exiv2 purl: pkg:pypi/exiv2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" + - '0.1' - 0.11.0 - 0.11.1 - 0.11.2 @@ -36,12 +29,16 @@ affected: - 0.16.3.post1 - 0.17.0 - 0.17.1 - - "0.2" - - "0.3" + - '0.2' + - '0.3' - 0.3.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2020-19716 +details: A buffer overflow vulnerability in the Databuf function in types.cpp of Exiv2 + v0.27.1 leads to a denial of service (DOS). +id: PYSEC-2021-886 +modified: '2024-11-21T14:22:50.153222Z' +published: '2021-07-13T22:15:00Z' references: - type: REPORT url: https://github.com/Exiv2/exiv2/issues/980 @@ -49,3 +46,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2022/11/msg00013.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2022/11/msg00013.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/exotel/PYSEC-2022-43134.yaml b/vulns/exotel/PYSEC-2022-43134.yaml index 061e2bad..122f779a 100644 --- a/vulns/exotel/PYSEC-2022-43134.yaml +++ b/vulns/exotel/PYSEC-2022-43134.yaml 
@@ -1,28 +1,25 @@ -id: PYSEC-2022-43134 -modified: 2024-11-21T14:22:50.316894Z -published: 2022-08-27T20:15:00Z -aliases: -- CVE-2022-38792 -details: The exotel (aka exotel-py) package in PyPI as of 0.1.6 includes a code execution - backdoor inserted by a third party. affected: - package: ecosystem: PyPI name: exotel purl: pkg:pypi/exotel ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.1.1 - 0.1.3 - 0.1.4 - 0.1.5 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-38792 +details: The exotel (aka exotel-py) package in PyPI as of 0.1.6 includes a code execution + backdoor inserted by a third party. +id: PYSEC-2022-43134 +modified: '2024-11-21T14:22:50.316894Z' +published: '2022-08-27T20:15:00Z' references: - type: REPORT url: https://github.com/jertel/elastalert2/pull/931 @@ -36,3 +33,7 @@ references: url: https://pypi.org/project/exotel/ - type: REPORT url: https://github.com/sarathsp06/exotel-py/issues/10 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/extractor/PYSEC-2006-4.yaml b/vulns/extractor/PYSEC-2006-4.yaml index 7b3ceaf6..a6ef9145 100644 --- a/vulns/extractor/PYSEC-2006-4.yaml +++ b/vulns/extractor/PYSEC-2006-4.yaml 
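Review bot: PYSEC-2022-43134 differs from the library CVEs in this batch, because its `details` text describes a backdoor shipped in the PyPI distribution itself ("as of 0.1.6"), so withdrawing it removes coverage for what looks like a genuine package-level compromise. The unbounded `introduced: '0'` range was clearly wrong, since the enumerated versions stop at 0.1.5 and do not include the release named in the text. A withdrawal alone leaves no record for 0.1.6, though. Consider a follow-up that re-issues this advisory with a range bounded to the affected release instead of leaving it withdrawn; whether any earlier release was affected cannot be told from this page.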
@@ -1,23 +1,23 @@ -id: PYSEC-2006-4 -modified: 2024-11-21T14:22:50.369284Z -published: 2006-05-18T23:02:00Z -aliases: -- CVE-2006-2458 -details: Multiple heap-based buffer overflows in Libextractor 0.5.13 and earlier allow - remote attackers to execute arbitrary code via (1) the asf_read_header function - in the ASF plugin (plugins/asfextractor.c), and (2) the parse_trak_atom function - in the QT plugin (plugins/qtextractor.c). affected: - package: ecosystem: PyPI name: extractor purl: pkg:pypi/extractor ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.5" + - '0.5' +aliases: +- CVE-2006-2458 +details: Multiple heap-based buffer overflows in Libextractor 0.5.13 and earlier allow + remote attackers to execute arbitrary code via (1) the asf_read_header function + in the ASF plugin (plugins/asfextractor.c), and (2) the parse_trak_atom function + in the QT plugin (plugins/qtextractor.c). +id: PYSEC-2006-4 +modified: '2024-11-21T14:22:50.369284Z' +published: '2006-05-18T23:02:00Z' references: - type: EVIDENCE url: http://www.securityfocus.com/bid/18021 @@ -55,3 +55,4 @@ references: url: https://exchange.xforce.ibmcloud.com/vulnerabilities/26531 - type: WEB url: http://www.securityfocus.com/archive/1/434288/100/0/threaded +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/freeipa/PYSEC-2013-36.yaml b/vulns/freeipa/PYSEC-2013-36.yaml index a762371e..64ba4a18 100644 --- a/vulns/freeipa/PYSEC-2013-36.yaml +++ b/vulns/freeipa/PYSEC-2013-36.yaml 
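Review bot: The `@@ -1,23 +1,23 @@` hunk for PYSEC-2006-4 rewrites the whole header only because the serializer sorted the keys alphabetically and requoted scalars (`"0"` to `'0'`), which buries the one semantic change, the trailing `withdrawn:` line. The round-trip also turns `modified` and `published` from bare YAML timestamps into quoted strings, which a typed loader will now return as `str` rather than a datetime; that may matter to downstream tooling and should be confirmed. Emitting the records with key order and scalar style preserved (for PyYAML, `sort_keys=False`, if that is the library in use) would reduce each file's diff to a one-line addition. That makes a bulk withdrawal of security records far easier to audit. The same churn affects every file in this patch.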
@@ -1,29 +1,21 @@ -id: PYSEC-2013-36 -modified: 2024-11-21T14:22:50.474073Z -published: 2013-01-27T18:55:00Z -aliases: -- CVE-2012-5484 -details: The client in FreeIPA 2.x and 3.x before 3.1.2 does not properly obtain the - Certification Authority (CA) certificate from the server, which allows man-in-the-middle - attackers to spoof a join procedure via a crafted certificate. affected: - package: ecosystem: PyPI name: freeipa purl: pkg:pypi/freeipa ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 91f4af7e6af53e1c6bf17ed36cb2161863eddae4 - fixed: 18eea90ebb24a9c22248f0b7e18646cc6e3e3e0f - fixed: a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9 - fixed: 31e41eea6c2322689826e6065ceba82551c565aa - fixed: a40285c5a0288669b72f9d991508d4405885bffc repo: https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 4.10.2 - 4.12.2 @@ -52,6 +44,14 @@ affected: - 4.8.7 - 4.8.9 - 4.9.12 +aliases: +- CVE-2012-5484 +details: The client in FreeIPA 2.x and 3.x before 3.1.2 does not properly obtain the + Certification Authority (CA) certificate from the server, which allows man-in-the-middle + attackers to spoof a join procedure via a crafted certificate. +id: PYSEC-2013-36 +modified: '2024-11-21T14:22:50.474073Z' +published: '2013-01-27T18:55:00Z' references: - type: ADVISORY url: http://www.freeipa.org/page/CVE-2012-5484 @@ -71,3 +71,4 @@ references: url: http://rhn.redhat.com/errata/RHSA-2013-0188.html - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2013-0189.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/freeipa/PYSEC-2014-100.yaml b/vulns/freeipa/PYSEC-2014-100.yaml index d4214630..7e37ce7c 100644 --- a/vulns/freeipa/PYSEC-2014-100.yaml +++ b/vulns/freeipa/PYSEC-2014-100.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2014-100 -modified: 2024-11-21T14:22:50.537629Z -published: 2014-05-29T14:19:00Z -aliases: -- CVE-2013-0199 -details: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access - to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which - allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified - vectors. affected: - package: ecosystem: PyPI name: freeipa purl: pkg:pypi/freeipa ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 4.10.2 - 4.12.2 @@ -44,6 +35,15 @@ affected: - 4.8.7 - 4.8.9 - 4.9.12 +aliases: +- CVE-2013-0199 +details: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access + to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which + allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified + vectors. +id: PYSEC-2014-100 +modified: '2024-11-21T14:22:50.537629Z' +published: '2014-05-29T14:19:00Z' references: - type: WEB url: http://www.securityfocus.com/bid/57542 @@ -57,3 +57,4 @@ references: url: http://www.freeipa.org/page/CVE-2013-0199 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/81486 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/freeipa/PYSEC-2014-101.yaml b/vulns/freeipa/PYSEC-2014-101.yaml index c49672b8..86e3ddeb 100644 --- a/vulns/freeipa/PYSEC-2014-101.yaml +++ b/vulns/freeipa/PYSEC-2014-101.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2014-101 -modified: 2024-11-21T14:22:50.589801Z -published: 2014-11-19T18:59:00Z -aliases: -- CVE-2014-7828 -details: FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled, allows - remote attackers to bypass the password requirement of the two-factor authentication - leveraging an enabled OTP token, which triggers an anonymous bind. affected: - package: ecosystem: PyPI name: freeipa purl: pkg:pypi/freeipa ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 4.10.2 - 4.12.2 @@ -43,6 +35,14 @@ affected: - 4.8.7 - 4.8.9 - 4.9.12 +aliases: +- CVE-2014-7828 +details: FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled, allows + remote attackers to bypass the password requirement of the two-factor authentication + leveraging an enabled OTP token, which triggers an anonymous bind. +id: PYSEC-2014-101 +modified: '2024-11-21T14:22:50.589801Z' +published: '2014-11-19T18:59:00Z' references: - type: WEB url: https://www.redhat.com/archives/freeipa-users/2014-November/msg00077.html @@ -60,3 +60,4 @@ references: url: http://www.freeipa.org/page/Releases/4.1.1 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/98500 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/freetakserver/PYSEC-2022-43135.yaml b/vulns/freetakserver/PYSEC-2022-43135.yaml index 953f7947..c0a09244 100644 --- a/vulns/freetakserver/PYSEC-2022-43135.yaml +++ b/vulns/freetakserver/PYSEC-2022-43135.yaml 
@@ -1,19 +1,12 @@ -id: PYSEC-2022-43135 -modified: 2024-11-21T14:22:50.654358Z -published: 2022-03-11T00:15:00Z -aliases: -- CVE-2022-25510 -details: FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers - to create crafted cookies to bypass authentication or escalate privileges. affected: - package: ecosystem: PyPI name: freetakserver purl: pkg:pypi/freetakserver ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1.5 - 0.1.0 @@ -49,8 +42,8 @@ affected: - 0.1.9.8.5 - 0.1.9.9.1 - 0.1.9.9.5.5 - - "0.111" - - "0.112" + - '0.111' + - '0.112' - 0.2.0.11a0 - 0.2.0.13 - 0.2.0.17b0 @@ -79,14 +72,14 @@ affected: - 0.9.9.1 - 0.9.9.2 - 1.0.3 - - "1.1" + - '1.1' - 1.1.1 - 1.1.2 - - "1.2" + - '1.2' - 1.2.0.1 - 1.2.0.2 - 1.2.5 - - "1.3" + - '1.3' - 1.3.0.5 - 1.3.0.6 - 1.5.10 @@ -95,9 +88,9 @@ affected: - 1.5.12 - 1.7.1 - 1.7.5 - - "1.8" + - '1.8' - 1.8.1 - - "1.9" + - '1.9' - 1.9.1 - 1.9.1.5 - 1.9.5 @@ -121,19 +114,27 @@ affected: - 2.0.21 - 2.0.66 - 2.0.69 - - "2.1" + - '2.1' - 2.1.1 - 2.1.2 - 2.1.3 - 2.1.4.5 - - "2.2" + - '2.2' - 2.2.0.1 - 2.2.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-25510 +details: FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers + to create crafted cookies to bypass authentication or escalate privileges. +id: PYSEC-2022-43135 +modified: '2024-11-21T14:22:50.654358Z' +published: '2022-03-11T00:15:00Z' references: - type: EVIDENCE url: https://github.com/FreeTAKTeam/FreeTakServer/issues/292 - type: REPORT url: https://github.com/FreeTAKTeam/FreeTakServer/issues/292 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/galaxy-app/PYSEC-2018-149.yaml b/vulns/galaxy-app/PYSEC-2018-149.yaml index 9eaa5d95..1f5b85b4 100644 --- a/vulns/galaxy-app/PYSEC-2018-149.yaml 
+++ b/vulns/galaxy-app/PYSEC-2018-149.yaml @@ -1,26 +1,12 @@ -id: PYSEC-2018-149 -modified: 2024-11-21T14:22:50.762055Z -published: 2018-06-26T16:29:00Z -aliases: -- CVE-2018-1000516 -details: 'The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper Neutralization - of Input During Web Page Generation vulnerability in Many templates used in the - Galaxy server did not properly sanitize user''s input, which would allow for cross-site - scripting (XSS) attacks. In this form of attack, a malicious person can create a - URL which, when opened by a Galaxy user or administrator, would allow the malicious - user to execute arbitrary Javascript. that can result in Arbitrary JavaScript code - execution. This attack appear to be exploitable via The victim must interact with - component on page witch contains injected JavaScript code.. This vulnerability appears - to have been fixed in v14.10.1, v15.01.' affected: - package: ecosystem: PyPI name: galaxy-app purl: pkg:pypi/galaxy-app ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 20.5.0 - 20.9.0 
@@ -45,9 +31,24 @@ affected: - 24.1.1 - 24.1.2 - 24.1.3 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N +aliases: +- CVE-2018-1000516 +details: 'The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper Neutralization + of Input During Web Page Generation vulnerability in Many templates used in the + Galaxy server did not properly sanitize user''s input, which would allow for cross-site + scripting (XSS) attacks. In this form of attack, a malicious person can create a + URL which, when opened by a Galaxy user or administrator, would allow the malicious + user to execute arbitrary Javascript. that can result in Arbitrary JavaScript code + execution. This attack appear to be exploitable via The victim must interact with + component on page witch contains injected JavaScript code.. This vulnerability appears + to have been fixed in v14.10.1, v15.01.' +id: PYSEC-2018-149 +modified: '2024-11-21T14:22:50.762055Z' +published: '2018-06-26T16:29:00Z' references: - type: ADVISORY url: https://galaxyproject.org/archive/dev-news-briefs/2015-01-13/#security +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/gattlib-py/PYSEC-2019-250.yaml b/vulns/gattlib-py/PYSEC-2019-250.yaml index 397d977e..38352836 100644 --- a/vulns/gattlib-py/PYSEC-2019-250.yaml +++ b/vulns/gattlib-py/PYSEC-2019-250.yaml @@ -1,19 +1,12 @@ -id: PYSEC-2019-250 -modified: 2024-11-21T14:22:50.820785Z -published: 2019-01-21T06:29:00Z -aliases: -- CVE-2019-6498 -details: GattLib 0.2 has a stack-based buffer over-read in gattlib_connect in dbus/gattlib.c - because strncpy is misused. affected: - package: ecosystem: PyPI name: gattlib-py purl: pkg:pypi/gattlib-py ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.4.0 - 0.4.1 
@@ -35,9 +28,13 @@ affected: - 0.7.0 - 0.7.1 - 0.7.2 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2019-6498 +details: GattLib 0.2 has a stack-based buffer over-read in gattlib_connect in dbus/gattlib.c + because strncpy is misused. +id: PYSEC-2019-250 +modified: '2024-11-21T14:22:50.820785Z' +published: '2019-01-21T06:29:00Z' references: - type: EVIDENCE url: https://github.com/labapart/gattlib/issues/82 @@ -53,3 +50,7 @@ references: url: https://www.exploit-db.com/exploits/46215/ - type: ADVISORY url: https://www.exploit-db.com/exploits/46215/ +severity: +- score: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/gattlib-py/PYSEC-2021-887.yaml b/vulns/gattlib-py/PYSEC-2021-887.yaml index abe74e11..7cb0a486 100644 --- a/vulns/gattlib-py/PYSEC-2021-887.yaml +++ b/vulns/gattlib-py/PYSEC-2021-887.yaml @@ -1,19 +1,12 @@ -id: PYSEC-2021-887 -modified: 2024-11-21T14:22:50.881327Z -published: 2021-05-27T11:15:00Z -aliases: -- CVE-2021-33590 -details: GattLib 0.3-rc1 has a stack-based buffer over-read in get_device_path_from_mac - in dbus/gattlib.c. affected: - package: ecosystem: PyPI name: gattlib-py purl: pkg:pypi/gattlib-py ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.4.0 - 0.4.1 
@@ -35,11 +28,19 @@ affected: - 0.7.0 - 0.7.1 - 0.7.2 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2021-33590 +details: GattLib 0.3-rc1 has a stack-based buffer over-read in get_device_path_from_mac + in dbus/gattlib.c. +id: PYSEC-2021-887 +modified: '2024-11-21T14:22:50.881327Z' +published: '2021-05-27T11:15:00Z' references: - type: EVIDENCE url: https://github.com/labapart/gattlib/issues/219 - type: REPORT url: https://github.com/labapart/gattlib/issues/219 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2012-29.yaml b/vulns/glance/PYSEC-2012-29.yaml index d1f846b9..66021873 100644 --- a/vulns/glance/PYSEC-2012-29.yaml +++ b/vulns/glance/PYSEC-2012-29.yaml @@ -1,27 +1,19 @@ -id: PYSEC-2012-29 -modified: 2024-11-21T14:22:51.054769Z -published: 2012-11-11T13:00:00Z -aliases: -- CVE-2012-4573 -details: The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) - allows remote authenticated users to delete arbitrary non-protected images via an - image deletion request, a different vulnerability than CVE-2012-5482. affected: - package: ecosystem: PyPI name: glance purl: pkg:pypi/glance ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 90bcdc5a89e350a358cf320a03f5afe99795f6f6 - fixed: efd7e75b1f419a52c7103c7840e24af8e5deb29d - fixed: 6ab0992e5472ae3f9bef0d2ced41030655d9d2bc repo: https://github.com/openstack/glance - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.0.2 - 17.0.1 
@@ -94,6 +86,14 @@ affected: - 29.0.0.0b2 - 29.0.0.0b3 - 29.0.0.0rc1 +aliases: +- CVE-2012-4573 +details: The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) + allows remote authenticated users to delete arbitrary non-protected images via an + image deletion request, a different vulnerability than CVE-2012-5482. +id: PYSEC-2012-29 +modified: '2024-11-21T14:22:51.054769Z' +published: '2012-11-11T13:00:00Z' references: - type: FIX url: https://github.com/openstack/glance/commit/90bcdc5a89e350a358cf320a03f5afe99795f6f6 @@ -129,3 +129,4 @@ references: url: http://osvdb.org/87248 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/79895 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2012-30.yaml b/vulns/glance/PYSEC-2012-30.yaml index 9fe0dc89..4b481f92 100644 --- a/vulns/glance/PYSEC-2012-30.yaml +++ b/vulns/glance/PYSEC-2012-30.yaml @@ -1,27 +1,18 @@ -id: PYSEC-2012-30 -modified: 2024-11-21T14:22:51.113933Z -published: 2012-11-11T13:00:00Z -aliases: -- CVE-2012-5482 -details: 'The v2 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) - allows remote authenticated users to delete arbitrary non-protected images via an - image deletion request. NOTE: this vulnerability exists because of an incomplete - fix for CVE-2012-4573.' affected: - package: ecosystem: PyPI name: glance purl: pkg:pypi/glance ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: fc0ee7623ec59c87ac6fc671e95a9798d6f2e2c3 - fixed: b591304b8980d8aca8fa6cda9ea1621aca000c88 repo: https://github.com/openstack/glance - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.0.2 - 17.0.1 
@@ -94,6 +85,15 @@ affected: - 29.0.0.0b2 - 29.0.0.0b3 - 29.0.0.0rc1 +aliases: +- CVE-2012-5482 +details: 'The v2 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) + allows remote authenticated users to delete arbitrary non-protected images via an + image deletion request. NOTE: this vulnerability exists because of an incomplete + fix for CVE-2012-4573.' +id: PYSEC-2012-30 +modified: '2024-11-21T14:22:51.113933Z' +published: '2012-11-11T13:00:00Z' references: - type: WEB url: https://bugs.launchpad.net/glance/+bug/1076506 @@ -121,3 +121,4 @@ references: url: http://osvdb.org/87248 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/80019 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2013-37.yaml b/vulns/glance/PYSEC-2013-37.yaml index 96117e94..4134ed79 100644 --- a/vulns/glance/PYSEC-2013-37.yaml +++ b/vulns/glance/PYSEC-2013-37.yaml @@ -1,29 +1,19 @@ -id: PYSEC-2013-37 -modified: 2024-11-21T14:22:51.177765Z -published: 2013-02-24T21:55:00Z -aliases: -- CVE-2013-0212 -details: store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before - 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's - user name and password in cleartext when the endpoint is misconfigured or unusable, - allows remote authenticated users to obtain sensitive information by reading the - error messages. affected: - package: ecosystem: PyPI name: glance purl: pkg:pypi/glance ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: e96273112b5b5da58d970796b7cfce04c5030a89 - fixed: 37d4d96bf88c2bf3e7e9511b5e321cf4bed364b7 - fixed: 96a470be64adcef97f235ca96ed3c59ed954a4c1 repo: https://github.com/openstack/glance - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.0.2 - 17.0.1 
@@ -96,6 +86,16 @@ affected: - 29.0.0.0b2 - 29.0.0.0b3 - 29.0.0.0rc1 +aliases: +- CVE-2013-0212 +details: store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before + 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's + user name and password in cleartext when the endpoint is misconfigured or unusable, + allows remote authenticated users to obtain sensitive information by reading the + error messages. +id: PYSEC-2013-37 +modified: '2024-11-21T14:22:51.177765Z' +published: '2013-02-24T21:55:00Z' references: - type: FIX url: https://bugzilla.redhat.com/show_bug.cgi?id=902964 @@ -121,3 +121,4 @@ references: url: http://secunia.com/advisories/51957 - type: FIX url: https://github.com/openstack/glance/commit/96a470be64adcef97f235ca96ed3c59ed954a4c1 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2014-102.yaml b/vulns/glance/PYSEC-2014-102.yaml index 1d8c74ad..54528b67 100644 --- a/vulns/glance/PYSEC-2014-102.yaml +++ b/vulns/glance/PYSEC-2014-102.yaml @@ -1,21 +1,12 @@ -id: PYSEC-2014-102 -modified: 2024-11-21T14:22:51.234051Z -published: 2014-02-14T15:55:00Z -aliases: -- CVE-2014-1948 -details: OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 - and Icehouse before icehouse-2 logs a URL containing the Swift store backend password - when authentication fails and WARNING level logging is enabled, which allows local - users to obtain sensitive information by reading the log. affected: - package: ecosystem: PyPI name: glance purl: pkg:pypi/glance ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.0.2 - 17.0.1 
@@ -88,6 +79,15 @@ affected: - 29.0.0.0b2 - 29.0.0.0b3 - 29.0.0.0rc1 +aliases: +- CVE-2014-1948 +details: OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 + and Icehouse before icehouse-2 logs a URL containing the Swift store backend password + when authentication fails and WARNING level logging is enabled, which allows local + users to obtain sensitive information by reading the log. +id: PYSEC-2014-102 +modified: '2024-11-21T14:22:51.234051Z' +published: '2014-02-14T15:55:00Z' references: - type: WEB url: https://bugs.launchpad.net/glance/+bug/1275062 @@ -99,3 +99,4 @@ references: url: http://secunia.com/advisories/56419 - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-0229.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2015-37.yaml b/vulns/glance/PYSEC-2015-37.yaml index 3e618201..df30828c 100644 --- a/vulns/glance/PYSEC-2015-37.yaml +++ b/vulns/glance/PYSEC-2015-37.yaml @@ -1,22 +1,12 @@ -id: PYSEC-2015-37 -modified: 2024-11-21T14:22:51.289332Z -published: 2015-02-24T15:59:00Z -aliases: -- CVE-2014-9684 -details: OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 - does not properly remove images, which allows remote authenticated users to cause - a denial of service (disk consumption) by creating a large number of images using - the task v2 API and then deleting them before the uploads finish, a different vulnerability - than CVE-2015-1881. affected: - package: ecosystem: PyPI name: glance purl: pkg:pypi/glance ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.0.2 - 17.0.1 
@@ -89,6 +79,16 @@ affected: - 29.0.0.0b2 - 29.0.0.0b3 - 29.0.0.0rc1 +aliases: +- CVE-2014-9684 +details: OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 + does not properly remove images, which allows remote authenticated users to cause + a denial of service (disk consumption) by creating a large number of images using + the task v2 API and then deleting them before the uploads finish, a different vulnerability + than CVE-2015-1881. +id: PYSEC-2015-37 +modified: '2024-11-21T14:22:51.289332Z' +published: '2015-02-24T15:59:00Z' references: - type: ADVISORY url: http://lists.openstack.org/pipermail/openstack-announce/2015-February/000336.html @@ -98,3 +98,4 @@ references: url: http://rhn.redhat.com/errata/RHSA-2015-0938.html - type: WEB url: http://www.securityfocus.com/bid/72692 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2015-38.yaml b/vulns/glance/PYSEC-2015-38.yaml index 18cc873a..c8645ab9 100644 --- a/vulns/glance/PYSEC-2015-38.yaml +++ b/vulns/glance/PYSEC-2015-38.yaml @@ -1,21 +1,12 @@ -id: PYSEC-2015-38 -modified: 2024-11-21T14:22:51.342319Z -published: 2015-02-24T15:59:00Z -aliases: -- CVE-2015-1881 -details: OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 - does not properly remove images, which allows remote authenticated users to cause - a denial of service (disk consumption) by creating a large number of images using - the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684. affected: - package: ecosystem: PyPI name: glance purl: pkg:pypi/glance ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.0.2 - 17.0.1 
@@ -88,6 +79,15 @@ affected: - 29.0.0.0b2 - 29.0.0.0b3 - 29.0.0.0rc1 +aliases: +- CVE-2015-1881 +details: OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 + does not properly remove images, which allows remote authenticated users to cause + a denial of service (disk consumption) by creating a large number of images using + the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684. +id: PYSEC-2015-38 +modified: '2024-11-21T14:22:51.342319Z' +published: '2015-02-24T15:59:00Z' references: - type: EVIDENCE url: https://bugs.launchpad.net/glance/+bug/1420696 @@ -97,3 +97,4 @@ references: url: http://rhn.redhat.com/errata/RHSA-2015-0938.html - type: WEB url: http://www.securityfocus.com/bid/72694 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2015-39.yaml b/vulns/glance/PYSEC-2015-39.yaml index 243bd710..64562108 100644 --- a/vulns/glance/PYSEC-2015-39.yaml +++ b/vulns/glance/PYSEC-2015-39.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2015-39 -modified: 2024-11-21T14:22:51.397712Z -published: 2015-08-19T15:59:00Z -aliases: -- CVE-2015-5163 -details: The import task action in OpenStack Image Service (Glance) 2015.1.x before - 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read - arbitrary files via a crafted backing file for a qcow2 image. affected: - package: ecosystem: PyPI name: glance purl: pkg:pypi/glance ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.0.2 - 17.0.1 
@@ -87,6 +79,14 @@ affected: - 29.0.0.0b2 - 29.0.0.0b3 - 29.0.0.0rc1 +aliases: +- CVE-2015-5163 +details: The import task action in OpenStack Image Service (Glance) 2015.1.x before + 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read + arbitrary files via a crafted backing file for a qcow2 image. +id: PYSEC-2015-39 +modified: '2024-11-21T14:22:51.397712Z' +published: '2015-08-19T15:59:00Z' references: - type: WEB url: http://lists.openstack.org/pipermail/openstack-announce/2015-August/000527.html @@ -96,3 +96,4 @@ references: url: https://bugs.launchpad.net/glance/+bug/1471912 - type: WEB url: http://www.securityfocus.com/bid/76346 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2017-143.yaml b/vulns/glance/PYSEC-2017-143.yaml index b75f0846..3869ddf5 100644 --- a/vulns/glance/PYSEC-2017-143.yaml +++ b/vulns/glance/PYSEC-2017-143.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2017-143 -modified: 2024-11-21T14:22:51.45285Z -published: 2017-03-29T14:59:00Z -aliases: -- CVE-2015-8234 -details: The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers - to bypass the signature verification process via a crafted image, which triggers - an MD5 collision. affected: - package: ecosystem: PyPI name: glance purl: pkg:pypi/glance ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.0.2 - 17.0.1 @@ -87,9 +79,14 @@ affected: - 29.0.0.0b2 - 29.0.0.0b3 - 29.0.0.0rc1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N +aliases: +- CVE-2015-8234 +details: The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers + to bypass the signature verification process via a crafted image, which triggers + an MD5 collision. +id: PYSEC-2017-143 +modified: '2024-11-21T14:22:51.45285Z' +published: '2017-03-29T14:59:00Z' references: - type: WEB url: https://wiki.openstack.org/wiki/OSSN/OSSN-0061 
@@ -103,3 +100,7 @@ references: url: http://seclists.org/oss-sec/2015/q4/303 - type: WEB url: http://seclists.org/oss-sec/2015/q4/303 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2023-270.yaml b/vulns/glance/PYSEC-2023-270.yaml index b31c4326..b1018b2d 100644 --- a/vulns/glance/PYSEC-2023-270.yaml +++ b/vulns/glance/PYSEC-2023-270.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2023-270 -modified: 2024-11-21T14:22:51.507003Z -published: 2023-03-06T23:15:00Z -aliases: -- CVE-2022-4134 -details: A flaw was found in openstack-glance. This issue could allow a remote, authenticated - attacker to tamper with images, compromising the integrity of virtual machines created - using these modified images. affected: - package: ecosystem: PyPI name: glance purl: pkg:pypi/glance ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.0.2 - 17.0.1 @@ -87,9 +79,14 @@ affected: - 29.0.0.0b2 - 29.0.0.0b3 - 29.0.0.0rc1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N +aliases: +- CVE-2022-4134 +details: A flaw was found in openstack-glance. This issue could allow a remote, authenticated + attacker to tamper with images, compromising the integrity of virtual machines created + using these modified images. +id: PYSEC-2023-270 +modified: '2024-11-21T14:22:51.507003Z' +published: '2023-03-06T23:15:00Z' references: - type: ADVISORY url: https://wiki.openstack.org/wiki/OSSN/OSSN-0090 @@ -97,3 +94,7 @@ references: url: https://bugzilla.redhat.com/show_bug.cgi?id=2147462 - type: REPORT url: https://bugs.launchpad.net/glance/+bug/1990157 +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/global-workqueue/PYSEC-2022-43136.yaml b/vulns/global-workqueue/PYSEC-2022-43136.yaml index 08cd0064..1e8a9878 100644 
--- a/vulns/global-workqueue/PYSEC-2022-43136.yaml +++ b/vulns/global-workqueue/PYSEC-2022-43136.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2022-43136 -modified: 2024-11-21T14:22:51.561103Z -published: 2022-07-28T23:15:00Z -aliases: -- CVE-2022-34558 -details: WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, - and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted - dbs-client package. affected: - package: ecosystem: PyPI name: global-workqueue purl: pkg:pypi/global-workqueue ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2.0.4 - 2.1.1 @@ -171,11 +163,20 @@ affected: - 2.3.6rc8 - 2.3.7 - 2.3.7.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-34558 +details: WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, + and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted + dbs-client package. +id: PYSEC-2022-43136 +modified: '2024-11-21T14:22:51.561103Z' +published: '2022-07-28T23:15:00Z' references: - type: EVIDENCE url: https://github.com/dmwm/WMCore/issues/11188 - type: REPORT url: https://github.com/dmwm/WMCore/issues/11188 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/golismero/PYSEC-2012-31.yaml b/vulns/golismero/PYSEC-2012-31.yaml index 49b4424b..50edbb1b 100644 --- a/vulns/golismero/PYSEC-2012-31.yaml +++ b/vulns/golismero/PYSEC-2012-31.yaml 
@@ -1,24 +1,24 @@ -id: PYSEC-2012-31 -modified: 2024-11-21T14:22:51.617446Z -published: 2012-03-19T19:55:00Z -aliases: -- CVE-2012-0054 -details: libs/updater.py in GoLismero 0.6.3, and other versions before Git revision - 2b3bb43d6867, as used in backtrack and possibly other products, allows local users - to overwrite arbitrary files via a symlink attack on GoLismero-controlled files, - as demonstrated using Admin/changes.dat. affected: - package: ecosystem: PyPI name: golismero purl: pkg:pypi/golismero ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2.0.3 - 2.0.3-1 +aliases: +- CVE-2012-0054 +details: libs/updater.py in GoLismero 0.6.3, and other versions before Git revision + 2b3bb43d6867, as used in backtrack and possibly other products, allows local users + to overwrite arbitrary files via a symlink attack on GoLismero-controlled files, + as demonstrated using Admin/changes.dat. +id: PYSEC-2012-31 +modified: '2024-11-21T14:22:51.617446Z' +published: '2012-03-19T19:55:00Z' references: - type: WEB url: http://www.openwall.com/lists/oss-security/2012/01/17/7 @@ -28,3 +28,4 @@ references: url: http://www.osvdb.org/78472 - type: WEB url: http://code.google.com/p/golismero/source/detail?r=2b3bb43d68676efd687361f7de29380189031ab8 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/horizon/PYSEC-2012-32.yaml b/vulns/horizon/PYSEC-2012-32.yaml index 4df2cbf3..7e93aa2e 100644 --- a/vulns/horizon/PYSEC-2012-32.yaml +++ b/vulns/horizon/PYSEC-2012-32.yaml 
@@ -1,26 +1,17 @@ -id: PYSEC-2012-32 -modified: 2024-11-21T14:22:51.729618Z -published: 2012-06-05T22:55:00Z -aliases: -- CVE-2012-2094 -details: Cross-site scripting (XSS) vulnerability in the refresh mechanism in the - log viewer in horizon/static/horizon/js/horizon.js in OpenStack Dashboard (Horizon) - folsom-1 and 2012.1 and earlier allows remote attackers to inject arbitrary web - script or HTML via the guest console. affected: - package: ecosystem: PyPI name: horizon purl: pkg:pypi/horizon ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 7f8c788aa70db98ac904f37fa4197fcabb802942 repo: https://github.com/openstack/horizon - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -110,6 +101,15 @@ affected: - 24.0.0 - 25.0.0 - 25.1.0 +aliases: +- CVE-2012-2094 +details: Cross-site scripting (XSS) vulnerability in the refresh mechanism in the + log viewer in horizon/static/horizon/js/horizon.js in OpenStack Dashboard (Horizon) + folsom-1 and 2012.1 and earlier allows remote attackers to inject arbitrary web + script or HTML via the guest console. +id: PYSEC-2012-32 +modified: '2024-11-21T14:22:51.729618Z' +published: '2012-06-05T22:55:00Z' references: - type: ADVISORY url: http://secunia.com/advisories/49024 @@ -129,3 +129,4 @@ references: url: http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079160.html - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/76136 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/horizon/PYSEC-2012-33.yaml b/vulns/horizon/PYSEC-2012-33.yaml index 23277559..846b13ff 100644 --- a/vulns/horizon/PYSEC-2012-33.yaml +++ b/vulns/horizon/PYSEC-2012-33.yaml 
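Review bot: vulns/horizon/PYSEC-2012-32.yaml is withdrawn in full even though its GIT range is bounded by `fixed: 7f8c788aa70db98ac904f37fa4197fcabb802942`, and nothing in the record says why. Only the ECOSYSTEM range (`introduced: '0'` with no `fixed`) is unbounded, so someone auditing the feed later cannot tell a data-quality withdrawal from a disputed CVE. A one-line comment above the new key would record it, for example `# withdrawn: unbounded ECOSYSTEM range, see #205 and #207`, if the tooling that re-serialises these files preserves comments. The same applies to the other withdrawn records that keep a fixed GIT range: horizon PYSEC-2012-33, ipa PYSEC-2013-38, jupyterhub PYSEC-2018-151, and keystone PYSEC-2012-34, PYSEC-2012-35 and PYSEC-2013-40.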
@@ -1,24 +1,17 @@ -id: PYSEC-2012-33 -modified: 2024-11-21T14:22:51.786908Z -published: 2012-06-05T22:55:00Z -aliases: -- CVE-2012-2144 -details: Session fixation vulnerability in OpenStack Dashboard (Horizon) folsom-1 - and 2012.1 allows remote attackers to hijack web sessions via the sessionid cookie. affected: - package: ecosystem: PyPI name: horizon purl: pkg:pypi/horizon ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 041b1c44c7d6cf5429505067c32f8f35166a8bab repo: https://github.com/openstack/horizon - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -108,6 +101,13 @@ affected: - 24.0.0 - 25.0.0 - 25.1.0 +aliases: +- CVE-2012-2144 +details: Session fixation vulnerability in OpenStack Dashboard (Horizon) folsom-1 + and 2012.1 allows remote attackers to hijack web sessions via the sessionid cookie. +id: PYSEC-2012-33 +modified: '2024-11-21T14:22:51.786908Z' +published: '2012-06-05T22:55:00Z' references: - type: WEB url: http://www.securityfocus.com/bid/53399 @@ -131,3 +131,4 @@ references: url: http://www.osvdb.org/81741 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/75423 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/horizon/PYSEC-2015-40.yaml b/vulns/horizon/PYSEC-2015-40.yaml index 0308adcc..4fea084b 100644 --- a/vulns/horizon/PYSEC-2015-40.yaml +++ b/vulns/horizon/PYSEC-2015-40.yaml 
@@ -1,22 +1,12 @@ -id: PYSEC-2015-40 -modified: 2024-11-21T14:22:51.843481Z -published: 2015-08-20T20:59:00Z -aliases: -- CVE-2015-3219 -details: Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section - in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 - allows remote attackers to inject arbitrary web script or HTML via the description - parameter in a heat template, which is not properly handled in the help_text attribute - in the Field class. affected: - package: ecosystem: PyPI name: horizon purl: pkg:pypi/horizon ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -106,6 +96,16 @@ affected: - 24.0.0 - 25.0.0 - 25.1.0 +aliases: +- CVE-2015-3219 +details: Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section + in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 + allows remote attackers to inject arbitrary web script or HTML via the description + parameter in a heat template, which is not properly handled in the help_text attribute + in the Field class. +id: PYSEC-2015-40 +modified: '2024-11-21T14:22:51.843481Z' +published: '2015-08-20T20:59:00Z' references: - type: FIX url: http://lists.openstack.org/pipermail/openstack-announce/2015-June/000361.html @@ -125,3 +125,4 @@ references: url: http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2015-1679.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/ipa/PYSEC-2013-38.yaml b/vulns/ipa/PYSEC-2013-38.yaml index b55e8d48..7d330285 100644 --- a/vulns/ipa/PYSEC-2013-38.yaml +++ b/vulns/ipa/PYSEC-2013-38.yaml 
@@ -1,29 +1,21 @@ -id: PYSEC-2013-38 -modified: 2024-11-21T14:22:51.898526Z -published: 2013-01-27T18:55:00Z -aliases: -- CVE-2012-5484 -details: The client in FreeIPA 2.x and 3.x before 3.1.2 does not properly obtain the - Certification Authority (CA) certificate from the server, which allows man-in-the-middle - attackers to spoof a join procedure via a crafted certificate. affected: - package: ecosystem: PyPI name: ipa purl: pkg:pypi/ipa ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 91f4af7e6af53e1c6bf17ed36cb2161863eddae4 - fixed: 18eea90ebb24a9c22248f0b7e18646cc6e3e3e0f - fixed: a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9 - fixed: 31e41eea6c2322689826e6065ceba82551c565aa - fixed: a40285c5a0288669b72f9d991508d4405885bffc repo: https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 4.10.2 - 4.12.2 @@ -51,6 +43,14 @@ affected: - 4.8.7 - 4.8.9 - 4.9.12 +aliases: +- CVE-2012-5484 +details: The client in FreeIPA 2.x and 3.x before 3.1.2 does not properly obtain the + Certification Authority (CA) certificate from the server, which allows man-in-the-middle + attackers to spoof a join procedure via a crafted certificate. +id: PYSEC-2013-38 +modified: '2024-11-21T14:22:51.898526Z' +published: '2013-01-27T18:55:00Z' references: - type: ADVISORY url: http://www.freeipa.org/page/CVE-2012-5484 @@ -70,3 +70,4 @@ references: url: http://rhn.redhat.com/errata/RHSA-2013-0188.html - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2013-0189.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/ipa/PYSEC-2014-103.yaml b/vulns/ipa/PYSEC-2014-103.yaml index a20bea00..74fde3c8 100644 --- a/vulns/ipa/PYSEC-2014-103.yaml +++ b/vulns/ipa/PYSEC-2014-103.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2014-103 -modified: 2024-11-21T14:22:51.957056Z -published: 2014-05-29T14:19:00Z -aliases: -- CVE-2013-0199 -details: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access - to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which - allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified - vectors. affected: - package: ecosystem: PyPI name: ipa purl: pkg:pypi/ipa ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 4.10.2 - 4.12.2 @@ -43,6 +34,15 @@ affected: - 4.8.7 - 4.8.9 - 4.9.12 +aliases: +- CVE-2013-0199 +details: The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access + to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which + allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified + vectors. +id: PYSEC-2014-103 +modified: '2024-11-21T14:22:51.957056Z' +published: '2014-05-29T14:19:00Z' references: - type: WEB url: http://www.securityfocus.com/bid/57542 @@ -56,3 +56,4 @@ references: url: http://www.freeipa.org/page/CVE-2013-0199 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/81486 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/ipa/PYSEC-2014-104.yaml b/vulns/ipa/PYSEC-2014-104.yaml index 0447cfa2..13214e28 100644 --- a/vulns/ipa/PYSEC-2014-104.yaml +++ b/vulns/ipa/PYSEC-2014-104.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2014-104 -modified: 2024-11-21T14:22:52.00819Z -published: 2014-11-19T18:59:00Z -aliases: -- CVE-2014-7828 -details: FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled, allows - remote attackers to bypass the password requirement of the two-factor authentication - leveraging an enabled OTP token, which triggers an anonymous bind. affected: - package: ecosystem: PyPI name: ipa purl: pkg:pypi/ipa ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 4.10.2 - 4.12.2 @@ -42,6 +34,14 @@ affected: - 4.8.7 - 4.8.9 - 4.9.12 +aliases: +- CVE-2014-7828 +details: FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled, allows + remote attackers to bypass the password requirement of the two-factor authentication + leveraging an enabled OTP token, which triggers an anonymous bind. +id: PYSEC-2014-104 +modified: '2024-11-21T14:22:52.00819Z' +published: '2014-11-19T18:59:00Z' references: - type: WEB url: https://www.redhat.com/archives/freeipa-users/2014-November/msg00077.html @@ -59,3 +59,4 @@ references: url: http://www.freeipa.org/page/Releases/4.1.1 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/98500 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/ipsilon/PYSEC-2015-41.yaml b/vulns/ipsilon/PYSEC-2015-41.yaml index 664df633..a593a948 100644 --- a/vulns/ipsilon/PYSEC-2015-41.yaml +++ b/vulns/ipsilon/PYSEC-2015-41.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2015-41 -modified: 2024-11-21T14:22:52.059518Z -published: 2015-11-17T15:59:00Z -aliases: -- CVE-2015-5217 -details: providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsilon - 0.1.0 before 1.0.1 does not properly check permissions to update the SAML2 Service - Provider (SP) owner, which allows remote authenticated users to cause a denial of - service via a duplicate SP name. affected: - package: ecosystem: PyPI name: ipsilon purl: pkg:pypi/ipsilon ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.2.0 - 3.0.0 @@ -23,6 +14,15 @@ affected: - 3.0.2 - 3.0.3 - 3.0.4 +aliases: +- CVE-2015-5217 +details: providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsilon + 0.1.0 before 1.0.1 does not properly check permissions to update the SAML2 Service + Provider (SP) owner, which allows remote authenticated users to cause a denial of + service via a duplicate SP name. +id: PYSEC-2015-41 +modified: '2024-11-21T14:22:52.059518Z' +published: '2015-11-17T15:59:00Z' references: - type: WEB url: https://fedorahosted.org/ipsilon/wiki/Releases/v1.0.1 @@ -32,3 +32,4 @@ references: url: https://pagure.io/ipsilon/826e6339441546f596320f3d73304ab5f7c10de6 - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=1255172 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/ipsilon/PYSEC-2015-42.yaml b/vulns/ipsilon/PYSEC-2015-42.yaml index fa567da3..d2402eeb 100644 --- a/vulns/ipsilon/PYSEC-2015-42.yaml +++ b/vulns/ipsilon/PYSEC-2015-42.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2015-42 -modified: 2024-11-21T14:22:52.110596Z -published: 2015-11-17T15:59:00Z -aliases: -- CVE-2015-5301 -details: providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsilon - 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which - allows remote authenticated users to cause a denial of service by deleting a SAML2 - Service Provider (SP). affected: - package: ecosystem: PyPI name: ipsilon purl: pkg:pypi/ipsilon ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.2.0 - 3.0.0 @@ -23,6 +14,15 @@ affected: - 3.0.2 - 3.0.3 - 3.0.4 +aliases: +- CVE-2015-5301 +details: providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsilon + 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which + allows remote authenticated users to cause a denial of service by deleting a SAML2 + Service Provider (SP). +id: PYSEC-2015-42 +modified: '2024-11-21T14:22:52.110596Z' +published: '2015-11-17T15:59:00Z' references: - type: WEB url: http://www.openwall.com/lists/oss-security/2015/10/27/8 @@ -40,3 +40,4 @@ references: url: http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171067.html - type: WEB url: http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171052.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/iroha/PYSEC-2018-150.yaml b/vulns/iroha/PYSEC-2018-150.yaml index 33c6b2bf..411cf41c 100644 --- a/vulns/iroha/PYSEC-2018-150.yaml +++ b/vulns/iroha/PYSEC-2018-150.yaml 
@@ -1,22 +1,12 @@ -id: PYSEC-2018-150 -modified: 2024-11-21T14:22:52.162008Z -published: 2018-06-01T19:29:00Z -aliases: -- CVE-2018-3756 -details: Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to - transaction and block signature verification bypass in the transaction and block - validator allowing a single node to sign a transaction and/or block multiple times, - each with a random nonce, and have other validating nodes accept them as separate - valid signatures. affected: - package: ecosystem: PyPI name: iroha purl: pkg:pypi/iroha ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 @@ -31,9 +21,20 @@ affected: - 1.4.1.1 - 1.6.0.1 - 1.6.0.2 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N +aliases: +- CVE-2018-3756 +details: Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to + transaction and block signature verification bypass in the transaction and block + validator allowing a single node to sign a transaction and/or block multiple times, + each with a random nonce, and have other validating nodes accept them as separate + valid signatures. +id: PYSEC-2018-150 +modified: '2024-11-21T14:22:52.162008Z' +published: '2018-06-01T19:29:00Z' references: - type: WEB url: https://github.com/hyperledger/iroha/releases/tag/v1.0.0_beta-2 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/jupyterhub/PYSEC-2018-151.yaml b/vulns/jupyterhub/PYSEC-2018-151.yaml index 4156d6e3..9dac6da9 100644 --- a/vulns/jupyterhub/PYSEC-2018-151.yaml +++ b/vulns/jupyterhub/PYSEC-2018-151.yaml 
@@ -1,29 +1,17 @@ -id: PYSEC-2018-151 -modified: 2024-11-21T14:22:52.286953Z -published: 2018-02-18T03:29:00Z -aliases: -- CVE-2018-7206 -details: An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x - before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting - for access control, group membership was not checked correctly, allowing members - not in the whitelisted groups to create accounts on the Hub. (Users were not allowed - to access other users' accounts, but could create their own accounts on the Hub - linked to their GitLab account. GitLab authentication not using gitlab_group_whitelist - is unaffected. No other Authenticators are affected.) affected: - package: ecosystem: PyPI name: jupyterhub purl: pkg:pypi/jupyterhub ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 1845c0e4b1bff3462c91c3108c85205acd3c75a2 repo: https://github.com/jupyterhub/oauthenticator - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.2.0 
@@ -112,9 +100,18 @@ affected: - 5.1.0 - 5.2.0 - 5.2.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2018-7206 +details: An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x + before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting + for access control, group membership was not checked correctly, allowing members + not in the whitelisted groups to create accounts on the Hub. (Users were not allowed + to access other users' accounts, but could create their own accounts on the Hub + linked to their GitLab account. GitLab authentication not using gitlab_group_whitelist + is unaffected. No other Authenticators are affected.) +id: PYSEC-2018-151 +modified: '2024-11-21T14:22:52.286953Z' +published: '2018-02-18T03:29:00Z' references: - type: ARTICLE url: https://blog.jupyter.org/security-fix-for-jupyterhub-gitlab-oauthenticator-7b14571d1f76 @@ -124,3 +121,7 @@ references: url: https://github.com/jupyterhub/oauthenticator/blob/8499dc2/CHANGELOG.md#073---2018-02-16 - type: ADVISORY url: https://github.com/jupyterhub/oauthenticator/blob/8499dc2/CHANGELOG.md#073---2018-02-16 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2012-34.yaml b/vulns/keystone/PYSEC-2012-34.yaml index 0a2f949c..a1ae80dd 100644 --- a/vulns/keystone/PYSEC-2012-34.yaml +++ b/vulns/keystone/PYSEC-2012-34.yaml 
@@ -1,23 +1,11 @@ -id: PYSEC-2012-34 -modified: 2024-11-21T14:22:52.344123Z -published: 2012-07-31T10:45:00Z -aliases: -- CVE-2012-3426 -details: OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 - and OpenStack Essex, does not properly implement token expiration, which allows - remote authenticated users to bypass intended authorization restrictions by (1) - creating new tokens through token chaining, (2) leveraging possession of a token - for a disabled user account, or (3) leveraging possession of a token for an account - with a changed password. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: ea03d05ed5de0c015042876100d37a6a14bf56de - fixed: 628149b3dc6b58b91fd08e6ca8d91c728ccb8626 - fixed: 375838cfceb88cacc312ff6564e64eb18ee6a355 @@ -25,9 +13,10 @@ affected: - fixed: 29e74e73a6e51cffc0371b32354558391826a4aa - fixed: a67b24878a6156eab17b9098fa649f0279256f5d repo: https://github.com/openstack/keystone - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -78,6 +67,17 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 +aliases: +- CVE-2012-3426 +details: OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 + and OpenStack Essex, does not properly implement token expiration, which allows + remote authenticated users to bypass intended authorization restrictions by (1) + creating new tokens through token chaining, (2) leveraging possession of a token + for a disabled user account, or (3) leveraging possession of a token for an account + with a changed password. +id: PYSEC-2012-34 +modified: '2024-11-21T14:22:52.344123Z' +published: '2012-07-31T10:45:00Z' references: - type: FIX url: http://www.openwall.com/lists/oss-security/2012/07/27/4 
@@ -111,3 +111,4 @@ references: url: http://secunia.com/advisories/50045 - type: ADVISORY url: http://secunia.com/advisories/50494 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2012-35.yaml b/vulns/keystone/PYSEC-2012-35.yaml index e9a792b3..e76b20ea 100644 --- a/vulns/keystone/PYSEC-2012-35.yaml +++ b/vulns/keystone/PYSEC-2012-35.yaml @@ -1,28 +1,19 @@ -id: PYSEC-2012-35 -modified: 2024-11-21T14:22:52.404569Z -published: 2012-12-18T01:55:00Z -aliases: -- CVE-2012-5571 -details: OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle - EC2 tokens when the user role has been removed from a tenant, which allows remote - authenticated users to bypass intended authorization restrictions by leveraging - a token for the removed user role. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 37308dd4f3e33f7bd0f71d83fd51734d1870713b - fixed: 8735009dc5b895db265a1cd573f39f4acfca2a19 - fixed: 9d68b40cb9ea818c48152e6c712ff41586ad9653 repo: https://github.com/openstack/keystone - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -73,6 +64,15 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 +aliases: +- CVE-2012-5571 +details: OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle + EC2 tokens when the user role has been removed from a tenant, which allows remote + authenticated users to bypass intended authorization restrictions by leveraging + a token for the removed user role. +id: PYSEC-2012-35 +modified: '2024-11-21T14:22:52.404569Z' +published: '2012-12-18T01:55:00Z' references: - type: FIX url: http://www.openwall.com/lists/oss-security/2012/11/28/5 
@@ -102,3 +102,4 @@ references: url: http://www.securityfocus.com/bid/56726 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/80333 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2013-39.yaml b/vulns/keystone/PYSEC-2013-39.yaml index f93bc5d0..67c0f9f6 100644 --- a/vulns/keystone/PYSEC-2013-39.yaml +++ b/vulns/keystone/PYSEC-2013-39.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2013-39 -modified: 2024-11-21T14:22:52.4602Z -published: 2013-03-22T21:55:00Z -aliases: -- CVE-2013-1865 -details: OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks - for Keystone PKI tokens when done through a server, which allows remote attackers - to bypass intended access restrictions via a revoked PKI token. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -65,6 +57,14 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 +aliases: +- CVE-2013-1865 +details: OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks + for Keystone PKI tokens when done through a server, which allows remote attackers + to bypass intended access restrictions via a revoked PKI token. +id: PYSEC-2013-39 +modified: '2024-11-21T14:22:52.4602Z' +published: '2013-03-22T21:55:00Z' references: - type: WEB url: https://review.openstack.org/#/c/24906/ @@ -86,3 +86,4 @@ references: url: http://rhn.redhat.com/errata/RHSA-2013-0708.html - type: WEB url: http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101719.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2013-40.yaml b/vulns/keystone/PYSEC-2013-40.yaml index 3a9487bf..12883098 100644 --- a/vulns/keystone/PYSEC-2013-40.yaml +++ b/vulns/keystone/PYSEC-2013-40.yaml 
@@ -1,25 +1,17 @@ -id: PYSEC-2013-40 -modified: 2024-11-21T14:22:52.515884Z -published: 2013-05-21T18:55:00Z -aliases: -- CVE-2013-2006 -details: OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is - enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows - local users to obtain sensitive by reading the log file. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: c5037dd6b82909efaaa8720e8cfa8bdb8b4a0edd repo: https://github.com/openstack/keystone - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -70,6 +62,14 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 +aliases: +- CVE-2013-2006 +details: OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is + enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows + local users to obtain sensitive by reading the log file. +id: PYSEC-2013-40 +modified: '2024-11-21T14:22:52.515884Z' +published: '2013-05-21T18:55:00Z' references: - type: WEB url: https://bugs.launchpad.net/ossn/+bug/1168252 @@ -89,3 +89,4 @@ references: url: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106220.html - type: WEB url: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105916.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2013-41.yaml b/vulns/keystone/PYSEC-2013-41.yaml index 727ef380..3c16efcb 100644 --- a/vulns/keystone/PYSEC-2013-41.yaml +++ b/vulns/keystone/PYSEC-2013-41.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2013-41 -modified: 2024-11-21T14:22:52.573879Z -published: 2013-05-21T18:55:00Z -aliases: -- CVE-2013-2059 -details: OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before - 2013.1.1, and Havana does not immediately revoke the authentication token when deleting - a user through the Keystone v2 API, which allows remote authenticated users to retain - access via the token. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -66,6 +57,15 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 +aliases: +- CVE-2013-2059 +details: OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before + 2013.1.1, and Havana does not immediately revoke the authentication token when deleting + a user through the Keystone v2 API, which allows remote authenticated users to retain + access via the token. +id: PYSEC-2013-41 +modified: '2024-11-21T14:22:52.573879Z' +published: '2013-05-21T18:55:00Z' references: - type: EVIDENCE url: https://bugs.launchpad.net/keystone/+bug/1166670 @@ -89,3 +89,4 @@ references: url: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105916.html - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/84135 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2013-42.yaml b/vulns/keystone/PYSEC-2013-42.yaml index 635f8f5e..bb42f463 100644 --- a/vulns/keystone/PYSEC-2013-42.yaml +++ b/vulns/keystone/PYSEC-2013-42.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2013-42 -modified: 2024-11-21T14:22:52.629772Z -published: 2013-09-23T20:55:00Z -aliases: -- CVE-2013-4294 -details: The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) - Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token - revocation list with PKI tokens, which allow remote attackers to bypass intended - access restrictions via a revoked PKI token. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -66,6 +57,15 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 +aliases: +- CVE-2013-4294 +details: The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) + Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token + revocation list with PKI tokens, which allow remote attackers to bypass intended + access restrictions via a revoked PKI token. +id: PYSEC-2013-42 +modified: '2024-11-21T14:22:52.629772Z' +published: '2013-09-23T20:55:00Z' references: - type: ADVISORY url: https://bugs.launchpad.net/keystone/+bug/1202952 @@ -79,3 +79,4 @@ references: url: http://secunia.com/advisories/54706 - type: ADVISORY url: http://www.ubuntu.com/usn/USN-2002-1 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2014-105.yaml b/vulns/keystone/PYSEC-2014-105.yaml index 9c547ba7..db35e189 100644 --- a/vulns/keystone/PYSEC-2014-105.yaml +++ b/vulns/keystone/PYSEC-2014-105.yaml 
@@ -1,22 +1,12 @@ -id: PYSEC-2014-105 -modified: 2024-11-21T14:22:52.681779Z -published: 2014-04-01T06:35:00Z -aliases: -- CVE-2014-2237 -details: The memcache token backend in OpenStack Identity (Keystone) 2013.1 through - 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing - a trust token with impersonation enabled, does not include this token in the trustee's - token-index-list, which prevents the token from being invalidated by bulk token - revocation and allows the trustee to bypass intended access restrictions. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -67,6 +57,16 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 +aliases: +- CVE-2014-2237 +details: The memcache token backend in OpenStack Identity (Keystone) 2013.1 through + 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing + a trust token with impersonation enabled, does not include this token in the trustee's + token-index-list, which prevents the token from being invalidated by bulk token + revocation and allows the trustee to bypass intended access restrictions. +id: PYSEC-2014-105 +modified: '2024-11-21T14:22:52.681779Z' +published: '2014-04-01T06:35:00Z' references: - type: WEB url: http://www.openwall.com/lists/oss-security/2014/03/04/16 @@ -76,3 +76,4 @@ references: url: http://rhn.redhat.com/errata/RHSA-2014-0580.html - type: WEB url: http://www.securityfocus.com/bid/65895 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2014-106.yaml b/vulns/keystone/PYSEC-2014-106.yaml index f1504400..1ae56fd2 100644 --- a/vulns/keystone/PYSEC-2014-106.yaml +++ b/vulns/keystone/PYSEC-2014-106.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2014-106 -modified: 2024-11-21T14:22:52.734949Z -published: 2014-04-15T14:55:00Z -aliases: -- CVE-2014-2828 -details: The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse - before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) - via a large number of the same authentication method in a request, aka "authentication - chaining." affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -66,6 +57,15 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 +aliases: +- CVE-2014-2828 +details: The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse + before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) + via a large number of the same authentication method in a request, aka "authentication + chaining." +id: PYSEC-2014-106 +modified: '2024-11-21T14:22:52.734949Z' +published: '2014-04-15T14:55:00Z' references: - type: WEB url: http://www.openwall.com/lists/oss-security/2014/04/10/20 @@ -73,3 +73,4 @@ references: url: https://bugs.launchpad.net/keystone/+bug/1300274 - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-1688.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2014-107.yaml b/vulns/keystone/PYSEC-2014-107.yaml index cc2c39d7..bf983e35 100644 --- a/vulns/keystone/PYSEC-2014-107.yaml +++ b/vulns/keystone/PYSEC-2014-107.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2014-107 -modified: 2024-11-21T14:22:52.786892Z -published: 2014-08-25T14:55:00Z -aliases: -- CVE-2014-5251 -details: The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 - and Juno before Juno-3 stores timestamps with the incorrect precision, which causes - the expiration comparison for tokens to fail and allows remote authenticated users - to retain access via an expired token. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -66,6 +57,15 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 +aliases: +- CVE-2014-5251 +details: The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 + and Juno before Juno-3 stores timestamps with the incorrect precision, which causes + the expiration comparison for tokens to fail and allows remote authenticated users + to retain access via an expired token. +id: PYSEC-2014-107 +modified: '2024-11-21T14:22:52.786892Z' +published: '2014-08-25T14:55:00Z' references: - type: WEB url: https://bugs.launchpad.net/keystone/+bug/1347961 @@ -77,3 +77,4 @@ references: url: http://rhn.redhat.com/errata/RHSA-2014-1121.html - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-1122.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2014-108.yaml b/vulns/keystone/PYSEC-2014-108.yaml index fc7e25a2..8db3e4ab 100644 --- a/vulns/keystone/PYSEC-2014-108.yaml +++ b/vulns/keystone/PYSEC-2014-108.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2014-108 -modified: 2024-11-21T14:22:52.84065Z -published: 2014-08-25T14:55:00Z -aliases: -- CVE-2014-5252 -details: The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and - Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows - remote authenticated users to bypass the token expiration and retain access via - a verification (1) GET or (2) HEAD request to v3/auth/tokens/. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -66,6 +57,15 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 +aliases: +- CVE-2014-5252 +details: The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and + Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows + remote authenticated users to bypass the token expiration and retain access via + a verification (1) GET or (2) HEAD request to v3/auth/tokens/. +id: PYSEC-2014-108 +modified: '2024-11-21T14:22:52.84065Z' +published: '2014-08-25T14:55:00Z' references: - type: WEB url: http://www.openwall.com/lists/oss-security/2014/08/15/6 @@ -77,3 +77,4 @@ references: url: http://rhn.redhat.com/errata/RHSA-2014-1121.html - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-1122.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2014-109.yaml b/vulns/keystone/PYSEC-2014-109.yaml index 7d179236..c4c8f9f9 100644 --- a/vulns/keystone/PYSEC-2014-109.yaml +++ b/vulns/keystone/PYSEC-2014-109.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2014-109 -modified: 2024-11-21T14:22:52.89692Z -published: 2014-08-25T14:55:00Z -aliases: -- CVE-2014-5253 -details: OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before - Juno-3 does not properly revoke tokens when a domain is invalidated, which allows - remote authenticated users to retain access via a domain-scoped token for that domain. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -65,6 +57,14 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 +aliases: +- CVE-2014-5253 +details: OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before + Juno-3 does not properly revoke tokens when a domain is invalidated, which allows + remote authenticated users to retain access via a domain-scoped token for that domain. +id: PYSEC-2014-109 +modified: '2024-11-21T14:22:52.89692Z' +published: '2014-08-25T14:55:00Z' references: - type: WEB url: http://www.openwall.com/lists/oss-security/2014/08/15/6 @@ -76,3 +76,4 @@ references: url: http://rhn.redhat.com/errata/RHSA-2014-1121.html - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-1122.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2016-38.yaml b/vulns/keystone/PYSEC-2016-38.yaml index 3985151d..c01ab884 100644 --- a/vulns/keystone/PYSEC-2016-38.yaml +++ b/vulns/keystone/PYSEC-2016-38.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2016-38 -modified: 2024-11-21T14:22:52.950772Z -published: 2016-06-13T14:59:00Z -aliases: -- CVE-2016-4911 -details: The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 - (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens - and bypass intended access restrictions by rescoping a token. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -65,9 +57,14 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N +aliases: +- CVE-2016-4911 +details: The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 + (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens + and bypass intended access restrictions by rescoping a token. +id: PYSEC-2016-38 +modified: '2024-11-21T14:22:52.950772Z' +published: '2016-06-13T14:59:00Z' references: - type: ARTICLE url: http://www.openwall.com/lists/oss-security/2016/05/17/10 @@ -85,3 +82,7 @@ references: url: http://www.securityfocus.com/bid/90728 - type: ADVISORY url: http://www.securityfocus.com/bid/90728 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2018-152.yaml b/vulns/keystone/PYSEC-2018-152.yaml index 07da7808..d9124f58 100644 --- a/vulns/keystone/PYSEC-2018-152.yaml +++ b/vulns/keystone/PYSEC-2018-152.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2018-152 -modified: 2024-11-21T14:22:53.005774Z -published: 2018-07-19T13:29:00Z -aliases: -- CVE-2017-2673 -details: An authorization-check flaw was discovered in federation configurations of - the OpenStack Identity service (keystone). An authenticated federated user could - request permissions to a project and unintentionally be granted all related roles - including administrative roles. affected: - package: ecosystem: PyPI name: keystone purl: pkg:pypi/keystone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 12.0.2 - 12.0.3 @@ -66,9 +57,15 @@ affected: - 25.0.0.0rc1 - 26.0.0 - 26.0.0.0rc1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2017-2673 +details: An authorization-check flaw was discovered in federation configurations of + the OpenStack Identity service (keystone). An authenticated federated user could + request permissions to a project and unintentionally be granted all related roles + including administrative roles. +id: PYSEC-2018-152 +modified: '2024-11-21T14:22:53.005774Z' +published: '2018-07-19T13:29:00Z' references: - type: REPORT url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2673 @@ -96,3 +93,7 @@ references: url: http://www.securityfocus.com/bid/98032 - type: ADVISORY url: http://www.securityfocus.com/bid/98032 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/koji/PYSEC-2017-144.yaml b/vulns/koji/PYSEC-2017-144.yaml index ea42d3cd..f9d51b67 100644 --- a/vulns/koji/PYSEC-2017-144.yaml +++ b/vulns/koji/PYSEC-2017-144.yaml 
@@ -1,19 +1,12 @@ -id: PYSEC-2017-144 -modified: 2024-11-21T14:22:53.117821Z -published: 2017-10-06T17:29:00Z -aliases: -- CVE-2017-1002153 -details: Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to - work around blacklisted paths for build submission. affected: - package: ecosystem: PyPI name: koji purl: pkg:pypi/koji ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.15.0 - 1.16.0 @@ -57,11 +50,19 @@ affected: - 1.34.3 - 1.35.0 - 1.35.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N +aliases: +- CVE-2017-1002153 +details: Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to + work around blacklisted paths for build submission. +id: PYSEC-2017-144 +modified: '2024-11-21T14:22:53.117821Z' +published: '2017-10-06T17:29:00Z' references: - type: REPORT url: https://pagure.io/koji/issue/563 - type: FIX url: https://pagure.io/koji/issue/563 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/lief/PYSEC-2022-43138.yaml b/vulns/lief/PYSEC-2022-43138.yaml index bbb95808..7a24dd67 100644 --- a/vulns/lief/PYSEC-2022-43138.yaml +++ b/vulns/lief/PYSEC-2022-43138.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2022-43138 -modified: 2024-11-21T14:22:53.903108Z -published: 2022-10-03T13:15:00Z -aliases: -- CVE-2022-40922 -details: A vulnerability in the LIEF::MachO::BinaryParser::init_and_parse function - of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation - fault via a crafted MachO file. affected: - package: ecosystem: PyPI name: lief purl: pkg:pypi/lief ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.10.0 - 0.10.1 
@@ -40,11 +32,20 @@ affected: - 0.8.2 - 0.8.3 - 0.9.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2022-40922 +details: A vulnerability in the LIEF::MachO::BinaryParser::init_and_parse function + of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation + fault via a crafted MachO file. +id: PYSEC-2022-43138 +modified: '2024-11-21T14:22:53.903108Z' +published: '2022-10-03T13:15:00Z' references: - type: EVIDENCE url: https://github.com/lief-project/LIEF/issues/781 - type: REPORT url: https://github.com/lief-project/LIEF/issues/781 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/lief/PYSEC-2022-43139.yaml b/vulns/lief/PYSEC-2022-43139.yaml index 3e6fe10a..2b80d88b 100644 --- a/vulns/lief/PYSEC-2022-43139.yaml +++ b/vulns/lief/PYSEC-2022-43139.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2022-43139 -modified: 2024-11-21T14:22:53.968694Z -published: 2022-09-30T19:15:00Z -aliases: -- CVE-2022-40923 -details: A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function - of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation - fault via a crafted MachO file. affected: - package: ecosystem: PyPI name: lief purl: pkg:pypi/lief ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.10.0 - 0.10.1 
@@ -40,9 +32,14 @@ affected: - 0.8.2 - 0.8.3 - 0.9.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2022-40923 +details: A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function + of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation + fault via a crafted MachO file. +id: PYSEC-2022-43139 +modified: '2024-11-21T14:22:53.968694Z' +published: '2022-09-30T19:15:00Z' references: - type: EVIDENCE url: https://github.com/lief-project/LIEF/issues/784 @@ -50,3 +47,7 @@ references: url: https://github.com/lief-project/LIEF/issues/784 - type: FIX url: https://github.com/lief-project/LIEF/issues/784 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/lief/PYSEC-2022-43140.yaml b/vulns/lief/PYSEC-2022-43140.yaml index 0e458f54..14ffab0e 100644 --- a/vulns/lief/PYSEC-2022-43140.yaml +++ b/vulns/lief/PYSEC-2022-43140.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2022-43140 -modified: 2024-11-21T14:22:54.027776Z -published: 2022-11-17T23:15:00Z -aliases: -- CVE-2022-43171 -details: A heap buffer overflow in the LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind - function of LIEF v0.12.1 allows attackers to cause a Denial of Service (DoS) via - a crafted MachO file. affected: - package: ecosystem: PyPI name: lief purl: pkg:pypi/lief ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.10.0 - 0.10.1 
@@ -40,9 +32,14 @@ affected: - 0.8.2 - 0.8.3 - 0.9.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2022-43171 +details: A heap buffer overflow in the LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind + function of LIEF v0.12.1 allows attackers to cause a Denial of Service (DoS) via + a crafted MachO file. +id: PYSEC-2022-43140 +modified: '2024-11-21T14:22:54.027776Z' +published: '2022-11-17T23:15:00Z' references: - type: EVIDENCE url: https://github.com/lief-project/LIEF/issues/782 @@ -50,3 +47,7 @@ references: url: https://github.com/lief-project/LIEF/issues/782 - type: REPORT url: https://github.com/lief-project/LIEF/issues/782 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/mayan-edms/PYSEC-2014-110.yaml b/vulns/mayan-edms/PYSEC-2014-110.yaml index 06e83934..58af130e 100644 --- a/vulns/mayan-edms/PYSEC-2014-110.yaml +++ b/vulns/mayan-edms/PYSEC-2014-110.yaml @@ -1,26 +1,17 @@ -id: PYSEC-2014-110 -modified: 2024-11-21T14:22:54.240407Z -published: 2014-05-27T13:55:00Z -aliases: -- CVE-2014-3840 -details: Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html - in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script - or HTML via a (1) tag or the (2) title of a source in a Staging folder, (3) Name - field in a bootstrap setup, or Title field in a (4) smart link or (5) web form. affected: - package: ecosystem: PyPI name: mayan-edms purl: pkg:pypi/mayan-edms ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 398c480c10416d76e7c1dcb607e726e8fc988e72 repo: https://github.com/mayan-edms/mayan-edms - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.0.0 - 1.0.rc1 
@@ -34,7 +25,7 @@ affected: - 2.0.0rc1 - 2.0.1 - 2.0.2 - - "2.1" + - '2.1' - 2.1.1 - 2.1.10 - 2.1.11 @@ -45,30 +36,30 @@ affected: - 2.1.6 - 2.1rc1 - 2.1rc2 - - "2.2" + - '2.2' - 2.2b1 - 2.2b2 - 2.2b3 - 2.2rc1 - - "2.3" - - "2.4" - - "2.5" + - '2.3' + - '2.4' + - '2.5' - 2.5.1 - 2.5.2 - - "2.6" + - '2.6' - 2.6.1 - 2.6.2 - 2.6.3 - 2.6.4 - - "2.7" + - '2.7' - 2.7.1 - 2.7.2 - 2.7.3 - - "3.0" + - '3.0' - 3.0.1 - 3.0.2 - 3.0.3 - - "3.1" + - '3.1' - 3.1.1 - 3.1.10 - 3.1.2 @@ -79,7 +70,7 @@ affected: - 3.1.7 - 3.1.8 - 3.1.9 - - "3.2" + - '3.2' - 3.2.1 - 3.2.10 - 3.2.11 @@ -93,7 +84,7 @@ affected: - 3.2.9 - 3.2b1 - 3.2rc1 - - "3.3" + - '3.3' - 3.3.1 - 3.3.10 - 3.3.11 @@ -112,7 +103,7 @@ affected: - 3.3.7 - 3.3.8 - 3.3.9 - - "3.4" + - '3.4' - 3.4.1 - 3.4.10 - 3.4.11 @@ -135,7 +126,7 @@ affected: - 3.4.7 - 3.4.8 - 3.4.9 - - "3.5" + - '3.5' - 3.5.1 - 3.5.10 - 3.5.11 @@ -148,7 +139,7 @@ affected: - 3.5.7 - 3.5.8 - 3.5.9 - - "4.0" + - '4.0' - 4.0.1 - 4.0.10 - 4.0.11 @@ -180,7 +171,7 @@ affected: - 4.0rc1 - 4.0rc2 - 4.0rc3 - - "4.1" + - '4.1' - 4.1.1 - 4.1.10 - 4.1.11 @@ -197,7 +188,7 @@ affected: - 4.1b2 - 4.1rc1 - 4.1rc2 - - "4.2" + - '4.2' - 4.2.1 - 4.2.10 - 4.2.11 @@ -219,7 +210,7 @@ affected: - 4.2a1 - 4.2b1 - 4.2rc1 - - "4.3" + - '4.3' - 4.3.1 - 4.3.10 - 4.3.11 @@ -234,7 +225,7 @@ affected: - 4.3.9 - 4.3a1 - 4.3rc1 - - "4.4" + - '4.4' - 4.4.1 - 4.4.10 - 4.4.11 @@ -251,7 +242,7 @@ affected: - 4.4.7 - 4.4.8 - 4.4.9 - - "4.5" + - '4.5' - 4.5.1 - 4.5.10 - 4.5.11 
@@ -265,18 +256,27 @@ affected: - 4.5.7 - 4.5.8 - 4.5.9 - - "4.6" + - '4.6' - 4.6.1 - 4.6.2 - 4.6.3 - 4.6.4 - 4.6.5 - - "4.7" + - '4.7' - 4.7.1 - - "4.8" + - '4.8' - 4.8.1 - 4.8.2 - 4.8.3 +aliases: +- CVE-2014-3840 +details: Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html + in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script + or HTML via a (1) tag or the (2) title of a source in a Staging folder, (3) Name + field in a bootstrap setup, or Title field in a (4) smart link or (5) web form. +id: PYSEC-2014-110 +modified: '2024-11-21T14:22:54.240407Z' +published: '2014-05-27T13:55:00Z' references: - type: WEB url: http://www.securityfocus.com/bid/67552 @@ -296,3 +296,4 @@ references: url: https://github.com/mayan-edms/mayan-edms/commit/398c480c10416d76e7c1dcb607e726e8fc988e72 - type: WEB url: http://www.exploit-db.com/exploits/33493 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/mayan-edms/PYSEC-2023-276.yaml b/vulns/mayan-edms/PYSEC-2023-276.yaml index 19d9c1b4..ea9cf09a 100644 --- a/vulns/mayan-edms/PYSEC-2023-276.yaml +++ b/vulns/mayan-edms/PYSEC-2023-276.yaml @@ -1,19 +1,12 @@ -id: PYSEC-2023-276 -modified: 2024-11-21T14:22:54.315889Z -published: 2023-02-07T22:15:00Z -aliases: -- CVE-2022-47419 -details: An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful XSS - exploitation was observed in the in-product tagging system. affected: - package: ecosystem: PyPI name: mayan-edms purl: pkg:pypi/mayan-edms ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.0.0 - 1.0.rc1 @@ -27,7 +20,7 @@ affected: - 2.0.0rc1 - 2.0.1 - 2.0.2 - - "2.1" + - '2.1' - 2.1.1 - 2.1.10 - 2.1.11 
@@ -38,30 +31,30 @@ affected: - 2.1.6 - 2.1rc1 - 2.1rc2 - - "2.2" + - '2.2' - 2.2b1 - 2.2b2 - 2.2b3 - 2.2rc1 - - "2.3" - - "2.4" - - "2.5" + - '2.3' + - '2.4' + - '2.5' - 2.5.1 - 2.5.2 - - "2.6" + - '2.6' - 2.6.1 - 2.6.2 - 2.6.3 - 2.6.4 - - "2.7" + - '2.7' - 2.7.1 - 2.7.2 - 2.7.3 - - "3.0" + - '3.0' - 3.0.1 - 3.0.2 - 3.0.3 - - "3.1" + - '3.1' - 3.1.1 - 3.1.10 - 3.1.2 @@ -72,7 +65,7 @@ affected: - 3.1.7 - 3.1.8 - 3.1.9 - - "3.2" + - '3.2' - 3.2.1 - 3.2.10 - 3.2.11 @@ -86,7 +79,7 @@ affected: - 3.2.9 - 3.2b1 - 3.2rc1 - - "3.3" + - '3.3' - 3.3.1 - 3.3.10 - 3.3.11 @@ -105,7 +98,7 @@ affected: - 3.3.7 - 3.3.8 - 3.3.9 - - "3.4" + - '3.4' - 3.4.1 - 3.4.10 - 3.4.11 @@ -128,7 +121,7 @@ affected: - 3.4.7 - 3.4.8 - 3.4.9 - - "3.5" + - '3.5' - 3.5.1 - 3.5.10 - 3.5.11 @@ -141,7 +134,7 @@ affected: - 3.5.7 - 3.5.8 - 3.5.9 - - "4.0" + - '4.0' - 4.0.1 - 4.0.10 - 4.0.11 @@ -173,7 +166,7 @@ affected: - 4.0rc1 - 4.0rc2 - 4.0rc3 - - "4.1" + - '4.1' - 4.1.1 - 4.1.10 - 4.1.11 @@ -190,7 +183,7 @@ affected: - 4.1b2 - 4.1rc1 - 4.1rc2 - - "4.2" + - '4.2' - 4.2.1 - 4.2.10 - 4.2.11 @@ -212,7 +205,7 @@ affected: - 4.2a1 - 4.2b1 - 4.2rc1 - - "4.3" + - '4.3' - 4.3.1 - 4.3.10 - 4.3.11 @@ -227,7 +220,7 @@ affected: - 4.3.9 - 4.3a1 - 4.3rc1 - - "4.4" + - '4.4' - 4.4.1 - 4.4.10 - 4.4.11 @@ -244,7 +237,7 @@ affected: - 4.4.7 - 4.4.8 - 4.4.9 - - "4.5" + - '4.5' - 4.5.1 - 4.5.10 - 4.5.11 
@@ -258,21 +251,25 @@ affected: - 4.5.7 - 4.5.8 - 4.5.9 - - "4.6" + - '4.6' - 4.6.1 - 4.6.2 - 4.6.3 - 4.6.4 - 4.6.5 - - "4.7" + - '4.7' - 4.7.1 - - "4.8" + - '4.8' - 4.8.1 - 4.8.2 - 4.8.3 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N +aliases: +- CVE-2022-47419 +details: An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful XSS + exploitation was observed in the in-product tagging system. +id: PYSEC-2023-276 +modified: '2024-11-21T14:22:54.315889Z' +published: '2023-02-07T22:15:00Z' references: - type: EVIDENCE url: https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412-through-cve-20222-47419/ @@ -280,3 +277,7 @@ references: url: https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412-through-cve-20222-47419/ - type: WEB url: https://www.mayan-edms.com/news/2023/02/version-4.3.6/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/mindsdb/PYSEC-2023-278.yaml b/vulns/mindsdb/PYSEC-2023-278.yaml index be28454c..16a68627 100644 --- a/vulns/mindsdb/PYSEC-2023-278.yaml +++ b/vulns/mindsdb/PYSEC-2023-278.yaml 
@@ -1,27 +1,17 @@ -id: PYSEC-2023-278 -modified: 2024-11-21T14:22:54.470006Z -published: 2023-12-11T21:15:00Z -aliases: -- CVE-2023-49796 -- GHSA-crhp-7c74-cg4c -details: MindsDB connects artificial intelligence models to real time data. Versions - prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users - should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the - issue. affected: - package: ecosystem: PyPI name: mindsdb purl: pkg:pypi/mindsdb ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 8d13c9c28ebcf3b36509eb679378004d4648d8fe repo: https://github.com/mindsdb/mindsdb - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.6.5 - 0.6.6 @@ -60,7 +50,7 @@ affected: - 0.9.0.1 - 0.9.1.0 - 0.9.2.0 - - "1.0" + - '1.0' - 1.0.1 - 1.0.2 - 1.0.3 @@ -523,11 +513,22 @@ affected: - 24.9.3.2 - 24.9.4.0 - 24.9.4.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N +aliases: +- CVE-2023-49796 +- GHSA-crhp-7c74-cg4c +details: MindsDB connects artificial intelligence models to real time data. Versions + prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users + should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the + issue. +id: PYSEC-2023-278 +modified: '2024-11-21T14:22:54.470006Z' +published: '2023-12-11T21:15:00Z' references: - type: ADVISORY url: https://github.com/mindsdb/mindsdb/security/advisories/GHSA-crhp-7c74-cg4c - type: FIX url: https://github.com/mindsdb/mindsdb/commit/8d13c9c28ebcf3b36509eb679378004d4648d8fe +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/modoboa/PYSEC-2019-251.yaml b/vulns/modoboa/PYSEC-2019-251.yaml index a5c061af..1b12a595 100644 --- a/vulns/modoboa/PYSEC-2019-251.yaml +++ b/vulns/modoboa/PYSEC-2019-251.yaml 
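Review bot: Withdrawing PYSEC-2023-278 outright removes coverage for releases the record itself says are vulnerable. `details` states that versions prior to 23.11.4.1 contain the file write issue, and the GIT range already carries `fixed: 8d13c9c28ebcf3b36509eb679378004d4648d8fe`. The defect being corrected is only the open-ended ECOSYSTEM range in the first hunk, so bounding it would keep scanners flagging old installs without false positives on current ones, e.g. adding `- fixed: 23.11.4.1` under `- introduced: '0'` (assuming that release exists on PyPI). PYSEC-2023-276 for mayan-edms, withdrawn just above, may deserve the same treatment if the 4.3.6 release named in its references is the fix. If withdrawal is a temporary stop-gap, a follow-up to restore these records with bounded ranges should be tracked.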
@@ -1,22 +1,12 @@ -id: PYSEC-2019-251 -modified: 2024-11-21T14:22:54.995455Z -published: 2019-12-10T20:15:00Z -aliases: -- CVE-2019-19702 -details: The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External - Entity Injection (XXE) attack when processing XML data. A remote attacker could - exploit this to perform a denial of service against the DMARC reporting functionality, - such as by referencing the /dev/random file within XML documents that are emailed - to the address in the rua field of the DMARC records of a domain. affected: - package: ecosystem: PyPI name: modoboa purl: pkg:pypi/modoboa ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.7.0 - 1.10.0 @@ -99,11 +89,22 @@ affected: - 2.3.0b4 - 2.3.1 - 2.3.2 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2019-19702 +details: The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External + Entity Injection (XXE) attack when processing XML data. A remote attacker could + exploit this to perform a denial of service against the DMARC reporting functionality, + such as by referencing the /dev/random file within XML documents that are emailed + to the address in the rua field of the DMARC records of a domain. +id: PYSEC-2019-251 +modified: '2024-11-21T14:22:54.995455Z' +published: '2019-12-10T20:15:00Z' references: - type: EVIDENCE url: https://github.com/modoboa/modoboa-dmarc/issues/38 - type: REPORT url: https://github.com/modoboa/modoboa-dmarc/issues/38 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/moin/PYSEC-2008-12.yaml b/vulns/moin/PYSEC-2008-12.yaml index e69e10a3..3b379a37 100644 --- a/vulns/moin/PYSEC-2008-12.yaml +++ b/vulns/moin/PYSEC-2008-12.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2008-12 -modified: 2024-11-21T14:22:55.213739Z -published: 2008-04-25T06:05:00Z -aliases: -- CVE-2008-1937 -details: The user form processing (userform.py) in MoinMoin before 1.6.3, when using - ACLs or a non-empty superusers list, does not properly manage users, which allows - remote attackers to gain privileges. affected: - package: ecosystem: PyPI name: moin purl: pkg:pypi/moin ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.8.4 - 1.8.5 @@ -34,6 +26,14 @@ affected: - 1.9.9 - 2.0.0a1 - 2.0.0b1 +aliases: +- CVE-2008-1937 +details: The user form processing (userform.py) in MoinMoin before 1.6.3, when using + ACLs or a non-empty superusers list, does not properly manage users, which allows + remote attackers to gain privileges. +id: PYSEC-2008-12 +modified: '2024-11-21T14:22:55.213739Z' +published: '2008-04-25T06:05:00Z' references: - type: EVIDENCE url: http://hg.moinmo.in/moin/1.6/rev/f405012e67af @@ -51,3 +51,4 @@ references: url: http://www.vupen.com/english/advisories/2008/1307/references - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/41909 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/moin/PYSEC-2008-13.yaml b/vulns/moin/PYSEC-2008-13.yaml index a4bd8bfe..bc35f8eb 100644 --- a/vulns/moin/PYSEC-2008-13.yaml +++ b/vulns/moin/PYSEC-2008-13.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2008-13 -modified: 2024-11-21T14:22:55.267769Z -published: 2008-07-30T18:41:00Z -aliases: -- CVE-2008-3381 -details: Multiple cross-site scripting (XSS) vulnerabilities in macro/AdvancedSearch.py - in moin (and MoinMoin) 1.6.3 and 1.7.0 allow remote attackers to inject arbitrary - web script or HTML via unspecified vectors. affected: - package: ecosystem: PyPI name: moin purl: pkg:pypi/moin ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.8.4 - 1.8.5 
@@ -34,6 +26,14 @@ affected: - 1.9.9 - 2.0.0a1 - 2.0.0b1 +aliases: +- CVE-2008-3381 +details: Multiple cross-site scripting (XSS) vulnerabilities in macro/AdvancedSearch.py + in moin (and MoinMoin) 1.6.3 and 1.7.0 allow remote attackers to inject arbitrary + web script or HTML via unspecified vectors. +id: PYSEC-2008-13 +modified: '2024-11-21T14:22:55.267769Z' +published: '2008-07-30T18:41:00Z' references: - type: EVIDENCE url: http://hg.moinmo.in/moin/1.6/rev/8686a10f1f58 @@ -49,3 +49,4 @@ references: url: http://www.vupen.com/english/advisories/2008/2147/references - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/43899 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/moin/PYSEC-2009-12.yaml b/vulns/moin/PYSEC-2009-12.yaml index 6f0ec470..a25bc646 100644 --- a/vulns/moin/PYSEC-2009-12.yaml +++ b/vulns/moin/PYSEC-2009-12.yaml @@ -1,21 +1,12 @@ -id: PYSEC-2009-12 -modified: 2024-11-21T14:22:55.31913Z -published: 2009-03-30T01:30:00Z -aliases: -- CVE-2008-6549 -details: The password_checker function in config/multiconfig.py in MoinMoin 1.6.1 - uses the cracklib and python-crack features even though they are not thread-safe, - which allows remote attackers to cause a denial of service (segmentation fault and - crash) via unknown vectors. affected: - package: ecosystem: PyPI name: moin purl: pkg:pypi/moin ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.8.4 - 1.8.5 
@@ -35,6 +26,15 @@ affected: - 1.9.9 - 2.0.0a1 - 2.0.0b1 +aliases: +- CVE-2008-6549 +details: The password_checker function in config/multiconfig.py in MoinMoin 1.6.1 + uses the cracklib and python-crack features even though they are not thread-safe, + which allows remote attackers to cause a denial of service (segmentation fault and + crash) via unknown vectors. +id: PYSEC-2009-12 +modified: '2024-11-21T14:22:55.31913Z' +published: '2009-03-30T01:30:00Z' references: - type: EVIDENCE url: http://hg.moinmo.in/moin/1.6/rev/35ff7a9b1546 @@ -42,3 +42,4 @@ references: url: http://moinmo.in/SecurityFixes - type: WEB url: http://osvdb.org/48876 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/moin/PYSEC-2009-13.yaml b/vulns/moin/PYSEC-2009-13.yaml index 6cfa9a43..1f84e280 100644 --- a/vulns/moin/PYSEC-2009-13.yaml +++ b/vulns/moin/PYSEC-2009-13.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2009-13 -modified: 2024-11-21T14:22:55.369914Z -published: 2009-04-03T18:30:00Z -aliases: -- CVE-2008-6603 -details: MoinMoin 1.6.2 and 1.7 does not properly enforce ACL checks when acl_hierarchic - is set to True, which might allow remote attackers to bypass intended access restrictions, - a different vulnerability than CVE-2008-1937. affected: - package: ecosystem: PyPI name: moin purl: pkg:pypi/moin ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.8.4 - 1.8.5 @@ -34,6 +26,14 @@ affected: - 1.9.9 - 2.0.0a1 - 2.0.0b1 +aliases: +- CVE-2008-6603 +details: MoinMoin 1.6.2 and 1.7 does not properly enforce ACL checks when acl_hierarchic + is set to True, which might allow remote attackers to bypass intended access restrictions, + a different vulnerability than CVE-2008-1937. +id: PYSEC-2009-13 +modified: '2024-11-21T14:22:55.369914Z' +published: '2009-04-03T18:30:00Z' references: - type: WEB url: http://osvdb.org/48875 
@@ -51,3 +51,4 @@ references: url: http://www.securityfocus.com/bid/34655 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/41911 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2012-36.yaml b/vulns/nova/PYSEC-2012-36.yaml index 8b3e7a7c..cd589095 100644 --- a/vulns/nova/PYSEC-2012-36.yaml +++ b/vulns/nova/PYSEC-2012-36.yaml @@ -1,28 +1,19 @@ -id: PYSEC-2012-36 -modified: 2024-11-21T14:22:55.825436Z -published: 2012-06-07T19:55:00Z -aliases: -- CVE-2012-2101 -details: Openstack Compute (Nova) Folsom, 2012.1, and 2011.3 does not limit the number - of security group rules, which allows remote authenticated users with certain permissions - to cause a denial of service (CPU and hard drive consumption) via a network request - that triggers a large number of iptables rules. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 8c8735a73afb16d5856f0aa6088e9ae406c52beb - fixed: a67db4586f70ed881d65e80035b2a25be195ce64 - fixed: 1f644d210557b1254f7c7b39424b09a45329ade7 repo: https://github.com/openstack/nova - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -142,6 +133,15 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2012-2101 +details: Openstack Compute (Nova) Folsom, 2012.1, and 2011.3 does not limit the number + of security group rules, which allows remote authenticated users with certain permissions + to cause a denial of service (CPU and hard drive consumption) via a network request + that triggers a large number of iptables rules. +id: PYSEC-2012-36 +modified: '2024-11-21T14:22:55.825436Z' +published: '2012-06-07T19:55:00Z' references: - type: WEB url: https://lists.launchpad.net/openstack/msg10268.html 
@@ -167,3 +167,4 @@ references: url: http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079434.html - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/75243 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2012-37.yaml b/vulns/nova/PYSEC-2012-37.yaml index 67e877f3..33657664 100644 --- a/vulns/nova/PYSEC-2012-37.yaml +++ b/vulns/nova/PYSEC-2012-37.yaml @@ -1,27 +1,18 @@ -id: PYSEC-2012-37 -modified: 2024-11-21T14:22:55.891133Z -published: 2012-06-21T15:55:00Z -aliases: -- CVE-2012-2654 -details: The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), - Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security - groups are created and the network protocol is not specified entirely in lowercase, - which allows remote attackers to bypass intended access restrictions. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 9f9e9da777161426a6f8cb4314b78e09beac2978 - fixed: ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654 repo: https://github.com/openstack/nova - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -141,6 +132,15 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2012-2654 +details: The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), + Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security + groups are created and the network protocol is not specified entirely in lowercase, + which allows remote attackers to bypass intended access restrictions. +id: PYSEC-2012-37 +modified: '2024-11-21T14:22:55.891133Z' +published: '2012-06-21T15:55:00Z' references: - type: WEB url: https://review.openstack.org/#/c/8239/ 
@@ -164,3 +164,4 @@ references: url: http://secunia.com/advisories/46808 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/76110 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2012-38.yaml b/vulns/nova/PYSEC-2012-38.yaml index 285f4c41..ef60f384 100644 --- a/vulns/nova/PYSEC-2012-38.yaml +++ b/vulns/nova/PYSEC-2012-38.yaml @@ -1,27 +1,18 @@ -id: PYSEC-2012-38 -modified: 2024-11-21T14:22:56.434839Z -published: 2012-07-22T16:55:00Z -aliases: -- CVE-2012-3360 -details: Directory traversal vulnerability in virt/disk/api.py in OpenStack Compute - (Nova) Folsom (2012.2) and Essex (2012.1), when used over libvirt-based hypervisors, - allows remote authenticated users to write arbitrary files to the disk image via - a .. (dot dot) in the path attribute of a file element. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: b0feaffdb2b1c51182b8dce41b367f3449af5dd9 - fixed: 2427d4a99bed35baefd8f17ba422cb7aae8dcca7 repo: https://github.com/openstack/nova - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -141,6 +132,15 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2012-3360 +details: Directory traversal vulnerability in virt/disk/api.py in OpenStack Compute + (Nova) Folsom (2012.2) and Essex (2012.1), when used over libvirt-based hypervisors, + allows remote authenticated users to write arbitrary files to the disk image via + a .. (dot dot) in the path attribute of a file element. +id: PYSEC-2012-38 +modified: '2024-11-21T14:22:56.434839Z' +published: '2012-07-22T16:55:00Z' references: - type: WEB url: https://bugs.launchpad.net/nova/+bug/1015531 
@@ -162,3 +162,4 @@ references: url: http://www.ubuntu.com/usn/USN-1497-1 - type: WEB url: http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2012-39.yaml b/vulns/nova/PYSEC-2012-39.yaml index 8d2b3575..ebd9b512 100644 --- a/vulns/nova/PYSEC-2012-39.yaml +++ b/vulns/nova/PYSEC-2012-39.yaml @@ -1,26 +1,18 @@ -id: PYSEC-2012-39 -modified: 2024-11-21T14:22:56.493974Z -published: 2012-07-22T16:55:00Z -aliases: -- CVE-2012-3361 -details: virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), - and Diablo (2011.3) allows remote authenticated users to overwrite arbitrary files - via a symlink attack on a file in an image. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: b0feaffdb2b1c51182b8dce41b367f3449af5dd9 - fixed: 2427d4a99bed35baefd8f17ba422cb7aae8dcca7 repo: https://github.com/openstack/nova - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -140,6 +132,14 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2012-3361 +details: virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), + and Diablo (2011.3) allows remote authenticated users to overwrite arbitrary files + via a symlink attack on a file in an image. +id: PYSEC-2012-39 +modified: '2024-11-21T14:22:56.493974Z' +published: '2012-07-22T16:55:00Z' references: - type: ADVISORY url: http://secunia.com/advisories/49802 @@ -167,3 +167,4 @@ references: url: http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html - type: WEB url: http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083969.html +withdrawn: '2024-11-22T04:37:04Z' 
diff --git a/vulns/nova/PYSEC-2012-40.yaml b/vulns/nova/PYSEC-2012-40.yaml index 8f16a2c2..e98aa6a3 100644 --- a/vulns/nova/PYSEC-2012-40.yaml +++ b/vulns/nova/PYSEC-2012-40.yaml @@ -1,26 +1,17 @@ -id: PYSEC-2012-40 -modified: 2024-11-21T14:22:56.558714Z -published: 2012-07-17T21:55:00Z -aliases: -- CVE-2012-3371 -details: The Nova scheduler in OpenStack Compute (Nova) Folsom (2012.2) and Essex - (2012.1), when DifferentHostFilter or SameHostFilter is enabled, allows remote authenticated - users to cause a denial of service (excessive database lookup calls and server hang) - via a request with many repeated IDs in the os:scheduler_hints section. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 034762e8060dcf0a11cb039b9d426b0d0bb1801d repo: https://github.com/openstack/nova - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -140,6 +131,15 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2012-3371 +details: The Nova scheduler in OpenStack Compute (Nova) Folsom (2012.2) and Essex + (2012.1), when DifferentHostFilter or SameHostFilter is enabled, allows remote authenticated + users to cause a denial of service (excessive database lookup calls and server hang) + via a request with many repeated IDs in the os:scheduler_hints section. +id: PYSEC-2012-40 +modified: '2024-11-21T14:22:56.558714Z' +published: '2012-07-17T21:55:00Z' references: - type: WEB url: http://www.openwall.com/lists/oss-security/2012/07/11/13 @@ -155,3 +155,4 @@ references: url: https://lists.launchpad.net/openstack/msg14452.html - type: WEB url: http://www.securityfocus.com/bid/54388 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2012-41.yaml b/vulns/nova/PYSEC-2012-41.yaml index 0f81fbdb..bcda41c6 100644 --- a/vulns/nova/PYSEC-2012-41.yaml 
+++ b/vulns/nova/PYSEC-2012-41.yaml @@ -1,27 +1,18 @@ -id: PYSEC-2012-41 -modified: 2024-11-21T14:22:56.616552Z -published: 2012-12-26T22:55:00Z -aliases: -- CVE-2012-5625 -details: OpenStack Compute (Nova) Folsom before 2012.2.2 and Grizzly, when using libvirt - and LVM backed instances, does not properly clear physical volume (PV) content when - reallocating for instances, which allows attackers to obtain sensitive information - by reading the memory of the previous logical volume (LV). affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: a99a802e008eed18e39fc1d98170edc495cbd354 - fixed: 9d2ea970422591f8cdc394001be9a2deca499a5f repo: https://github.com/openstack/nova - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -141,6 +132,15 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2012-5625 +details: OpenStack Compute (Nova) Folsom before 2012.2.2 and Grizzly, when using libvirt + and LVM backed instances, does not properly clear physical volume (PV) content when + reallocating for instances, which allows attackers to obtain sensitive information + by reading the memory of the previous logical volume (LV). +id: PYSEC-2012-41 +modified: '2024-11-21T14:22:56.616552Z' +published: '2012-12-26T22:55:00Z' references: - type: FIX url: https://github.com/openstack/nova/commit/a99a802e008eed18e39fc1d98170edc495cbd354 @@ -162,3 +162,4 @@ references: url: https://bugzilla.redhat.com/show_bug.cgi?id=884293 - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2013-0208.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2013-43.yaml b/vulns/nova/PYSEC-2013-43.yaml index a23525ed..23176562 100644 --- a/vulns/nova/PYSEC-2013-43.yaml +++ b/vulns/nova/PYSEC-2013-43.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2013-43 -modified: 2024-11-21T14:22:56.678255Z -published: 2013-03-22T21:55:00Z -aliases: -- CVE-2013-0335 -details: OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) allows - remote authenticated users to gain access to a VM in opportunistic circumstances - by using the VNC token for a deleted VM that was bound to the same VNC port. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -134,6 +126,14 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2013-0335 +details: OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) allows + remote authenticated users to gain access to a VM in opportunistic circumstances + by using the VNC token for a deleted VM that was bound to the same VNC port. +id: PYSEC-2013-43 +modified: '2024-11-21T14:22:56.678255Z' +published: '2013-03-22T21:55:00Z' references: - type: WEB url: http://www.openwall.com/lists/oss-security/2013/02/26/7 @@ -155,3 +155,4 @@ references: url: http://www.osvdb.org/90657 - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2013-0709.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2013-44.yaml b/vulns/nova/PYSEC-2013-44.yaml index c68565a2..eb1b207d 100644 --- a/vulns/nova/PYSEC-2013-44.yaml +++ b/vulns/nova/PYSEC-2013-44.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2013-44 -modified: 2024-11-21T14:22:56.735821Z -published: 2013-03-22T21:55:00Z -aliases: -- CVE-2013-1838 -details: OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) does - not properly implement a quota for fixed IPs, which allows remote authenticated - users to cause a denial of service (resource exhaustion and failure to spawn new - instances) via a large number of calls to the addFixedIp function. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -135,6 +126,15 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2013-1838 +details: OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) does + not properly implement a quota for fixed IPs, which allows remote authenticated + users to cause a denial of service (resource exhaustion and failure to spawn new + instances) via a large number of calls to the addFixedIp function. +id: PYSEC-2013-44 +modified: '2024-11-21T14:22:56.735821Z' +published: '2013-03-22T21:55:00Z' references: - type: WEB url: https://review.openstack.org/#/c/24453/ @@ -164,3 +164,4 @@ references: url: http://rhn.redhat.com/errata/RHSA-2013-0709.html - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/82877 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2013-45.yaml b/vulns/nova/PYSEC-2013-45.yaml index d60694ac..40cf613f 100644 --- a/vulns/nova/PYSEC-2013-45.yaml +++ b/vulns/nova/PYSEC-2013-45.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2013-45 -modified: 2024-11-21T14:22:56.793365Z -published: 2013-12-27T01:55:00Z -aliases: -- CVE-2013-2030 -details: keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and - Havana uses an insecure temporary directory for storing signing certificates, which - allows local users to spoof servers by pre-creating this directory, which is reused - by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -135,6 +126,15 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2013-2030 +details: keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and + Havana uses an insecure temporary directory for storing signing certificates, which + allows local users to spoof servers by pre-creating this directory, which is reused + by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora. +id: PYSEC-2013-45 +modified: '2024-11-21T14:22:56.793365Z' +published: '2013-12-27T01:55:00Z' references: - type: WEB url: http://www.openwall.com/lists/oss-security/2013/05/09/2 @@ -148,3 +148,4 @@ references: url: https://bugs.launchpad.net/nova/+bug/1174608 - type: WEB url: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105916.html +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2014-111.yaml b/vulns/nova/PYSEC-2014-111.yaml index 968f801c..69050683 100644 --- a/vulns/nova/PYSEC-2014-111.yaml +++ b/vulns/nova/PYSEC-2014-111.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2014-111 -modified: 2024-11-21T14:22:56.854091Z -published: 2014-02-06T17:00:00Z -aliases: -- CVE-2013-7130 -details: The i_create_images_and_backing (aka create_images_and_backing) method in - libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using - KVM live block migration, does not properly create all expected files, which allows - attackers to obtain snapshot root disk contents of other users via ephemeral storage. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -135,6 +126,15 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2013-7130 +details: The i_create_images_and_backing (aka create_images_and_backing) method in + libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using + KVM live block migration, does not properly create all expected files, which allows + attackers to obtain snapshot root disk contents of other users via ephemeral storage. +id: PYSEC-2014-111 +modified: '2024-11-21T14:22:56.854091Z' +published: '2014-02-06T17:00:00Z' references: - type: WEB url: http://osvdb.org/102416 @@ -162,3 +162,4 @@ references: url: http://www.ubuntu.com/usn/USN-2247-1 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/90652 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2014-112.yaml b/vulns/nova/PYSEC-2014-112.yaml index 73072aaa..54f83217 100644 --- a/vulns/nova/PYSEC-2014-112.yaml +++ b/vulns/nova/PYSEC-2014-112.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2014-112 -modified: 2024-11-21T14:22:56.917584Z -published: 2014-05-08T14:29:00Z -aliases: -- CVE-2014-0134 -details: The instance rescue mode in OpenStack Compute (Nova) 2013.2 before 2013.2.3 - and Icehouse before 2014.1, when using libvirt to spawn images and use_cow_images - is set to false, allows remote authenticated users to read certain compute host - files by overwriting an instance disk with a crafted image. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -135,6 +126,15 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2014-0134 +details: The instance rescue mode in OpenStack Compute (Nova) 2013.2 before 2013.2.3 + and Icehouse before 2014.1, when using libvirt to spawn images and use_cow_images + is set to false, allows remote authenticated users to read certain compute host + files by overwriting an instance disk with a crafted image. +id: PYSEC-2014-112 +modified: '2024-11-21T14:22:56.917584Z' +published: '2014-05-08T14:29:00Z' references: - type: WEB url: http://www.openwall.com/lists/oss-security/2014/03/27/6 @@ -142,3 +142,4 @@ references: url: https://bugs.launchpad.net/nova/+bug/1221190 - type: ADVISORY url: http://www.ubuntu.com/usn/USN-2247-1 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2014-113.yaml b/vulns/nova/PYSEC-2014-113.yaml index 9628d00d..16bc7751 100644 --- a/vulns/nova/PYSEC-2014-113.yaml +++ b/vulns/nova/PYSEC-2014-113.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2014-113 -modified: 2024-11-21T14:22:56.977165Z -published: 2014-03-25T16:55:00Z -aliases: -- CVE-2014-2573 -details: The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does - not properly put VMs into RESCUE status, which allows remote authenticated users - to bypass the quota limit and cause a denial of service (resource consumption) by - requesting the VM be put into rescue and then deleting the image. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -135,6 +126,15 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 +aliases: +- CVE-2014-2573 +details: The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does + not properly put VMs into RESCUE status, which allows remote authenticated users + to bypass the quota limit and cause a denial of service (resource consumption) by + requesting the VM be put into rescue and then deleting the image. +id: PYSEC-2014-113 +modified: '2024-11-21T14:22:56.977165Z' +published: '2014-03-25T16:55:00Z' references: - type: WEB url: http://www.openwall.com/lists/oss-security/2014/03/21/1 @@ -144,3 +144,4 @@ references: url: https://bugs.launchpad.net/nova/+bug/1269418 - type: ADVISORY url: http://secunia.com/advisories/57498 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2017-145.yaml b/vulns/nova/PYSEC-2017-145.yaml index d8fbf156..0fbb613e 100644 --- a/vulns/nova/PYSEC-2017-145.yaml +++ b/vulns/nova/PYSEC-2017-145.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2017-145 -modified: 2024-11-21T14:22:57.038308Z -published: 2017-08-09T18:29:00Z -aliases: -- CVE-2015-2687 -details: OpenStack Compute (nova) Icehouse, Juno and Havana when live migration fails - allows local users to access VM volumes that they would normally not have permissions - for. affected: - package: ecosystem: PyPI name: nova purl: pkg:pypi/nova ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 15.1.5 - 16.1.6 @@ -134,9 +126,14 @@ affected: - 29.2.0 - 30.0.0 - 30.0.0.0rc1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N +aliases: +- CVE-2015-2687 +details: OpenStack Compute (nova) Icehouse, Juno and Havana when live migration fails + allows local users to access VM volumes that they would normally not have permissions + for. +id: PYSEC-2017-145 +modified: '2024-11-21T14:22:57.038308Z' +published: '2017-08-09T18:29:00Z' references: - type: WEB url: https://review.openstack.org/#/c/338929/ @@ -162,3 +159,7 @@ references: url: http://www.openwall.com/lists/oss-security/2015/03/24/10 - type: WEB url: http://www.openwall.com/lists/oss-security/2015/03/24/10 +severity: +- score: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/ntopng/PYSEC-2014-114.yaml b/vulns/ntopng/PYSEC-2014-114.yaml index c1b9d94c..69c76dda 100644 --- a/vulns/ntopng/PYSEC-2014-114.yaml +++ b/vulns/ntopng/PYSEC-2014-114.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2014-114 -modified: 2024-11-21T14:22:57.09034Z -published: 2014-06-19T10:50:00Z -aliases: -- CVE-2014-4329 -details: Cross-site scripting (XSS) vulnerability in lua/host_details.lua in ntopng - 1.1 allows remote attackers to inject arbitrary web script or HTML via the host - parameter. affected: - package: ecosystem: PyPI name: ntopng purl: pkg:pypi/ntopng ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 5.5.221205 - 5.5.221212 @@ -30,6 +22,14 @@ affected: - 5.7.230203 - 5.7.230213 - 6.1.240321 +aliases: +- CVE-2014-4329 +details: Cross-site scripting (XSS) vulnerability in lua/host_details.lua in ntopng + 1.1 allows remote attackers to inject arbitrary web script or HTML via the host + parameter. +id: PYSEC-2014-114 +modified: '2024-11-21T14:22:57.09034Z' +published: '2014-06-19T10:50:00Z' references: - type: REPORT url: https://svn.ntop.org/bugzilla/show_bug.cgi?id=379 @@ -41,3 +41,4 @@ references: url: http://packetstormsecurity.com/files/127329/Ntop-NG-1.1-Cross-Site-Scripting.html - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/92135 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/opencc-py/PYSEC-2018-153.yaml b/vulns/opencc-py/PYSEC-2018-153.yaml index 88c17e33..5d7e47d2 100644 --- a/vulns/opencc-py/PYSEC-2018-153.yaml +++ b/vulns/opencc-py/PYSEC-2018-153.yaml 
@@ -1,28 +1,29 @@ -id: PYSEC-2018-153 -modified: 2024-11-21T14:22:57.249534Z -published: 2018-09-13T02:29:00Z -aliases: -- CVE-2018-16982 -details: Open Chinese Convert (OpenCC) 1.0.5 allows attackers to cause a denial of - service (segmentation fault) because BinaryDict::NewFromFile in BinaryDict.cpp may - have out-of-bounds keyOffset and valueOffset values via a crafted .ocd file. affected: - package: ecosystem: PyPI name: opencc-py purl: pkg:pypi/opencc-py ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.0.6 - 1.1.0 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2018-16982 +details: Open Chinese Convert (OpenCC) 1.0.5 allows attackers to cause a denial of + service (segmentation fault) because BinaryDict::NewFromFile in BinaryDict.cpp may + have out-of-bounds keyOffset and valueOffset values via a crafted .ocd file. +id: PYSEC-2018-153 +modified: '2024-11-21T14:22:57.249534Z' +published: '2018-09-13T02:29:00Z' references: - type: EVIDENCE url: https://github.com/BYVoid/OpenCC/issues/303 - type: ADVISORY url: https://github.com/BYVoid/OpenCC/issues/303 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/openzeppelin-cairo-contracts-test/PYSEC-2022-43143.yaml b/vulns/openzeppelin-cairo-contracts-test/PYSEC-2022-43143.yaml index 63ace5b5..de09e0e7 100644 --- a/vulns/openzeppelin-cairo-contracts-test/PYSEC-2022-43143.yaml +++ b/vulns/openzeppelin-cairo-contracts-test/PYSEC-2022-43143.yaml 
@@ -1,35 +1,32 @@ -id: PYSEC-2022-43143 -modified: 2024-11-21T14:22:57.304802Z -published: 2022-07-15T18:15:00Z -aliases: -- CVE-2022-31153 -- GHSA-8mjr-jr5h-q2xr -details: OpenZeppelin Contracts for Cairo is a library for contract development written - in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to - an error that renders account contracts unusable on live networks. This issue affects - all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin - Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli - deployments of v0.2.0 accounts are affected. This faulty behavior is not observed - in StarkNet's testing framework. This bug has been patched in v0.2.1. affected: - package: ecosystem: PyPI name: openzeppelin-cairo-contracts-test purl: pkg:pypi/openzeppelin-cairo-contracts-test ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 2cd60279c3332285d47edf9ee3888b71257acdc9 repo: https://github.com/OpenZeppelin/cairo-contracts - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2022-31153 +- GHSA-8mjr-jr5h-q2xr +details: OpenZeppelin Contracts for Cairo is a library for contract development written + in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to + an error that renders account contracts unusable on live networks. This issue affects + all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin + Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli + deployments of v0.2.0 accounts are affected. This faulty behavior is not observed + in StarkNet's testing framework. This bug has been patched in v0.2.1. 
+id: PYSEC-2022-43143 +modified: '2024-11-21T14:22:57.304802Z' +published: '2022-07-15T18:15:00Z' references: - type: EVIDENCE url: https://github.com/OpenZeppelin/cairo-contracts/issues/386 @@ -49,3 +46,7 @@ references: url: https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203 - type: WEB url: https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/patchelf/PYSEC-2022-43144.yaml b/vulns/patchelf/PYSEC-2022-43144.yaml index 73afcc23..b4b8d30e 100644 --- a/vulns/patchelf/PYSEC-2022-43144.yaml +++ b/vulns/patchelf/PYSEC-2022-43144.yaml @@ -1,19 +1,12 @@ -id: PYSEC-2022-43144 -modified: 2024-11-21T14:22:58.452456Z -published: 2022-12-19T22:15:00Z -aliases: -- CVE-2022-44940 -details: Patchelf v0.9 was discovered to contain an out-of-bounds read via the function - modifyRPath at src/patchelf.cc. affected: - package: ecosystem: PyPI name: patchelf purl: pkg:pypi/patchelf ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.11.0.0 - 0.12.0.0 @@ -30,9 +23,13 @@ affected: - 0.17.2.0 - 0.17.2.1 - 0.18.0.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H +aliases: +- CVE-2022-44940 +details: Patchelf v0.9 was discovered to contain an out-of-bounds read via the function + modifyRPath at src/patchelf.cc. +id: PYSEC-2022-43144 +modified: '2024-11-21T14:22:58.452456Z' +published: '2022-12-19T22:15:00Z' references: - type: EVIDENCE url: https://github.com/NixOS/patchelf/pull/419 @@ -40,3 +37,7 @@ references: url: https://github.com/NixOS/patchelf/pull/419 - type: WEB url: https://github.com/NixOS/patchelf/pull/419 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' 
diff --git a/vulns/pg-query/PYSEC-2018-154.yaml b/vulns/pg-query/PYSEC-2018-154.yaml index e3bb7d80..e7a7e468 100644 --- a/vulns/pg-query/PYSEC-2018-154.yaml +++ b/vulns/pg-query/PYSEC-2018-154.yaml @@ -1,54 +1,55 @@ -id: PYSEC-2018-154 -modified: 2024-11-21T14:22:58.504401Z -published: 2018-10-18T18:29:00Z -aliases: -- CVE-2018-18482 -details: An issue was discovered in libpg_query 10-1.0.2. There is a memory leak in - pg_query_raw_parse in pg_query_parse.c, which might lead to a denial of service. affected: - package: ecosystem: PyPI name: pg-query purl: pkg:pypi/pg-query ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" - - "0.10" - - "0.11" - - "0.12" - - "0.13" - - "0.14" - - "0.15" - - "0.16" - - "0.17" - - "0.18" - - "0.19" - - "0.2" - - "0.20" - - "0.21" - - "0.22" - - "0.23" - - "0.24" - - "0.25" - - "0.26" - - "0.27" - - "0.28" - - "0.29" - - "0.3" - - "0.4" - - "0.5" - - "0.6" - - "0.7" - - "0.8" - - "0.9" -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + - '0.1' + - '0.10' + - '0.11' + - '0.12' + - '0.13' + - '0.14' + - '0.15' + - '0.16' + - '0.17' + - '0.18' + - '0.19' + - '0.2' + - '0.20' + - '0.21' + - '0.22' + - '0.23' + - '0.24' + - '0.25' + - '0.26' + - '0.27' + - '0.28' + - '0.29' + - '0.3' + - '0.4' + - '0.5' + - '0.6' + - '0.7' + - '0.8' + - '0.9' +aliases: +- CVE-2018-18482 +details: An issue was discovered in libpg_query 10-1.0.2. There is a memory leak in + pg_query_raw_parse in pg_query_parse.c, which might lead to a denial of service. +id: PYSEC-2018-154 +modified: '2024-11-21T14:22:58.504401Z' +published: '2018-10-18T18:29:00Z' references: - type: EVIDENCE url: https://github.com/lfittl/libpg_query/issues/49 - type: REPORT url: https://github.com/lfittl/libpg_query/issues/49 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:04Z' 
diff --git a/vulns/pillow/PYSEC-2022-43145.yaml b/vulns/pillow/PYSEC-2022-43145.yaml index 83af5853..9ff50e57 100644 --- a/vulns/pillow/PYSEC-2022-43145.yaml +++ b/vulns/pillow/PYSEC-2022-43145.yaml @@ -1,27 +1,20 @@ -id: PYSEC-2022-43145 -modified: 2024-11-21T14:22:58.587524Z -published: 2022-05-25T12:15:00Z -aliases: -- CVE-2022-30595 -details: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the - processing of invalid TGA image files. affected: - package: ecosystem: PyPI name: pillow purl: pkg:pypi/pillow ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "1.0" - - "1.1" - - "1.2" - - "1.3" - - "1.4" - - "1.5" - - "1.6" + - '1.0' + - '1.1' + - '1.2' + - '1.3' + - '1.4' + - '1.5' + - '1.6' - 1.7.0 - 1.7.1 - 1.7.2 @@ -114,9 +107,13 @@ affected: - 9.3.0 - 9.4.0 - 9.5.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-30595 +details: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the + processing of invalid TGA image files. +id: PYSEC-2022-43145 +modified: '2024-11-21T14:22:58.587524Z' +published: '2022-05-25T12:15:00Z' references: - type: WEB url: https://pillow.readthedocs.io/en/stable/releasenotes/9.1.1.html @@ -124,3 +121,7 @@ references: url: https://github.com/python-pillow/Pillow/blob/main/src/libImaging/TgaRleDecode.c - type: WEB url: https://github.com/python-pillow/Pillow/blob/main/src/libImaging/TgaRleDecode.c +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2006-5.yaml b/vulns/plone/PYSEC-2006-5.yaml index 55ae42a0..6eab9b32 100644 --- a/vulns/plone/PYSEC-2006-5.yaml +++ b/vulns/plone/PYSEC-2006-5.yaml 
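Review bot: Withdrawing vulns/pillow/PYSEC-2022-43145.yaml outright (last hunk, `withdrawn: '2024-11-22T04:37:05Z'`) also drops the alert for the release its `details` text names as vulnerable, Pillow 9.1.0. The unbounded `introduced: '0'` ECOSYSTEM range appears to be what over-matched, so a follow-up that republishes the record with a bounded range would restore coverage; the referenced 9.1.1 release notes suggest an added `- fixed: 9.1.1` event, to be confirmed against upstream. Until then, tooling that relies only on this ID may pass 9.1.0 silently, unless another advisory for CVE-2022-30595 covers it. The same consideration applies to the other withdrawn records whose `details` name specific affected versions.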
@@ -1,28 +1,20 @@ -id: PYSEC-2006-5 -modified: 2024-11-21T14:22:58.650753Z -published: 2006-09-29T19:07:00Z -aliases: -- CVE-2006-4247 -details: Unspecified vulnerability in the Password Reset Tool before 0.4.1 on Plone - 2.5 and 2.5.1 Release Candidate allows attackers to reset the passwords of other - users, related to "an erroneous security declaration." affected: - package: ecosystem: PyPI name: plone purl: pkg:pypi/plone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "3.2" + - '3.2' - 3.2.1 - 3.2.2 - 3.2.3 - 3.2a1 - 3.2rc1 - - "3.3" + - '3.3' - 3.3.1 - 3.3.2 - 3.3.3 @@ -35,7 +27,7 @@ affected: - 3.3rc3 - 3.3rc4 - 3.3rc5 - - "4.0" + - '4.0' - 4.0.1 - 4.0.10 - 4.0.2 @@ -57,7 +49,7 @@ affected: - 4.0b4 - 4.0b5 - 4.0rc1 - - "4.1" + - '4.1' - 4.1.1 - 4.1.2 - 4.1.3 @@ -71,7 +63,7 @@ affected: - 4.1b2 - 4.1rc2 - 4.1rc3 - - "4.2" + - '4.2' - 4.2.1 - 4.2.2 - 4.2.3 @@ -85,7 +77,7 @@ affected: - 4.2b2 - 4.2rc1 - 4.2rc2 - - "4.3" + - '4.3' - 4.3.1 - 4.3.10 - 4.3.11 @@ -111,7 +103,7 @@ affected: - 4.3b1 - 4.3b2 - 4.3rc1 - - "5.0" + - '5.0' - 5.0.1 - 5.0.10 - 5.0.2 @@ -203,6 +195,15 @@ affected: - 6.1.0a4 - 6.1.0a5 - 6.1.0b1 +aliases: +- CVE-2006-4247 +details: Unspecified vulnerability in the Password Reset Tool before 0.4.1 on Plone + 2.5 and 2.5.1 Release Candidate allows attackers to reset the passwords of other + users, related to "an erroneous security declaration." +id: PYSEC-2006-5 +modified: '2024-11-21T14:22:58.650753Z' +published: '2006-09-29T19:07:00Z' references: - type: FIX url: http://plone.org/about/security/advisories/cve-2006-4247 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2006-6.yaml b/vulns/plone/PYSEC-2006-6.yaml index 624791ad..78d96d01 100644 --- a/vulns/plone/PYSEC-2006-6.yaml +++ b/vulns/plone/PYSEC-2006-6.yaml 
@@ -1,27 +1,20 @@ -id: PYSEC-2006-6 -modified: 2024-11-21T14:22:58.714411Z -published: 2006-12-07T23:28:00Z -aliases: -- CVE-2006-4249 -details: Unspecified vulnerability in PlonePAS in Plone 2.5 and 2.5.1, when anonymous - member registration is enabled, allows an attacker to "masquerade as a group." affected: - package: ecosystem: PyPI name: plone purl: pkg:pypi/plone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "3.2" + - '3.2' - 3.2.1 - 3.2.2 - 3.2.3 - 3.2a1 - 3.2rc1 - - "3.3" + - '3.3' - 3.3.1 - 3.3.2 - 3.3.3 @@ -34,7 +27,7 @@ affected: - 3.3rc3 - 3.3rc4 - 3.3rc5 - - "4.0" + - '4.0' - 4.0.1 - 4.0.10 - 4.0.2 @@ -56,7 +49,7 @@ affected: - 4.0b4 - 4.0b5 - 4.0rc1 - - "4.1" + - '4.1' - 4.1.1 - 4.1.2 - 4.1.3 @@ -70,7 +63,7 @@ affected: - 4.1b2 - 4.1rc2 - 4.1rc3 - - "4.2" + - '4.2' - 4.2.1 - 4.2.2 - 4.2.3 @@ -84,7 +77,7 @@ affected: - 4.2b2 - 4.2rc1 - 4.2rc2 - - "4.3" + - '4.3' - 4.3.1 - 4.3.10 - 4.3.11 @@ -110,7 +103,7 @@ affected: - 4.3b1 - 4.3b2 - 4.3rc1 - - "5.0" + - '5.0' - 5.0.1 - 5.0.10 - 5.0.2 @@ -202,6 +195,13 @@ affected: - 6.1.0a4 - 6.1.0a5 - 6.1.0b1 +aliases: +- CVE-2006-4249 +details: Unspecified vulnerability in PlonePAS in Plone 2.5 and 2.5.1, when anonymous + member registration is enabled, allows an attacker to "masquerade as a group." +id: PYSEC-2006-6 +modified: '2024-11-21T14:22:58.714411Z' +published: '2006-12-07T23:28:00Z' references: - type: FIX url: http://plone.org/about/security/advisories/cve-2006-4249/ @@ -217,3 +217,4 @@ references: url: http://www.vupen.com/english/advisories/2006/4878 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/30762 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2007-4.yaml b/vulns/plone/PYSEC-2007-4.yaml index 991e3224..af96477b 100644 --- a/vulns/plone/PYSEC-2007-4.yaml +++ b/vulns/plone/PYSEC-2007-4.yaml 
@@ -1,28 +1,20 @@ -id: PYSEC-2007-4 -modified: 2024-11-21T14:22:58.776616Z -published: 2007-11-07T21:46:00Z -aliases: -- CVE-2007-5741 -details: Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to - execute arbitrary Python code via network data containing pickled objects for the - (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes. affected: - package: ecosystem: PyPI name: plone purl: pkg:pypi/plone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "3.2" + - '3.2' - 3.2.1 - 3.2.2 - 3.2.3 - 3.2a1 - 3.2rc1 - - "3.3" + - '3.3' - 3.3.1 - 3.3.2 - 3.3.3 @@ -35,7 +27,7 @@ affected: - 3.3rc3 - 3.3rc4 - 3.3rc5 - - "4.0" + - '4.0' - 4.0.1 - 4.0.10 - 4.0.2 @@ -57,7 +49,7 @@ affected: - 4.0b4 - 4.0b5 - 4.0rc1 - - "4.1" + - '4.1' - 4.1.1 - 4.1.2 - 4.1.3 @@ -71,7 +63,7 @@ affected: - 4.1b2 - 4.1rc2 - 4.1rc3 - - "4.2" + - '4.2' - 4.2.1 - 4.2.2 - 4.2.3 @@ -85,7 +77,7 @@ affected: - 4.2b2 - 4.2rc1 - 4.2rc2 - - "4.3" + - '4.3' - 4.3.1 - 4.3.10 - 4.3.11 @@ -111,7 +103,7 @@ affected: - 4.3b1 - 4.3b2 - 4.3rc1 - - "5.0" + - '5.0' - 5.0.1 - 5.0.10 - 5.0.2 @@ -203,6 +195,14 @@ affected: - 6.1.0a4 - 6.1.0a5 - 6.1.0b1 +aliases: +- CVE-2007-5741 +details: Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to + execute arbitrary Python code via network data containing pickled objects for the + (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes. +id: PYSEC-2007-4 +modified: '2024-11-21T14:22:58.776616Z' +published: '2007-11-07T21:46:00Z' references: - type: ADVISORY url: http://plone.org/about/security/advisories/cve-2007-5741 @@ -226,3 +226,4 @@ references: url: https://exchange.xforce.ibmcloud.com/vulnerabilities/38288 - type: WEB url: http://www.securityfocus.com/archive/1/483343/100/0/threaded +withdrawn: '2024-11-22T04:37:05Z' 
diff --git a/vulns/plone/PYSEC-2008-14.yaml b/vulns/plone/PYSEC-2008-14.yaml index 179b2e96..4737e8b3 100644 --- a/vulns/plone/PYSEC-2008-14.yaml +++ b/vulns/plone/PYSEC-2008-14.yaml @@ -1,29 +1,20 @@ -id: PYSEC-2008-14 -modified: 2024-11-21T14:22:58.841714Z -published: 2008-03-20T00:44:00Z -aliases: -- CVE-2008-0164 -details: Multiple cross-site request forgery (CSRF) vulnerabilities in Plone CMS 3.0.5 - and 3.0.6 allow remote attackers to (1) add arbitrary accounts via the join_form - page and (2) change the privileges of arbitrary groups via the prefs_groups_overview - page. affected: - package: ecosystem: PyPI name: plone purl: pkg:pypi/plone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "3.2" + - '3.2' - 3.2.1 - 3.2.2 - 3.2.3 - 3.2a1 - 3.2rc1 - - "3.3" + - '3.3' - 3.3.1 - 3.3.2 - 3.3.3 @@ -36,7 +27,7 @@ affected: - 3.3rc3 - 3.3rc4 - 3.3rc5 - - "4.0" + - '4.0' - 4.0.1 - 4.0.10 - 4.0.2 @@ -58,7 +49,7 @@ affected: - 4.0b4 - 4.0b5 - 4.0rc1 - - "4.1" + - '4.1' - 4.1.1 - 4.1.2 - 4.1.3 @@ -72,7 +63,7 @@ affected: - 4.1b2 - 4.1rc2 - 4.1rc3 - - "4.2" + - '4.2' - 4.2.1 - 4.2.2 - 4.2.3 @@ -86,7 +77,7 @@ affected: - 4.2b2 - 4.2rc1 - 4.2rc2 - - "4.3" + - '4.3' - 4.3.1 - 4.3.10 - 4.3.11 @@ -112,7 +103,7 @@ affected: - 4.3b1 - 4.3b2 - 4.3rc1 - - "5.0" + - '5.0' - 5.0.1 - 5.0.10 - 5.0.2 @@ -204,6 +195,15 @@ affected: - 6.1.0a4 - 6.1.0a5 - 6.1.0b1 +aliases: +- CVE-2008-0164 +details: Multiple cross-site request forgery (CSRF) vulnerabilities in Plone CMS 3.0.5 + and 3.0.6 allow remote attackers to (1) add arbitrary accounts via the join_form + page and (2) change the privileges of arbitrary groups via the prefs_groups_overview + page. +id: PYSEC-2008-14 +modified: '2024-11-21T14:22:58.841714Z' +published: '2008-03-20T00:44:00Z' references: - type: ADVISORY url: http://plone.org/about/security/advisories/cve-2008-0164 
@@ -217,3 +217,4 @@ references: url: https://exchange.xforce.ibmcloud.com/vulnerabilities/41263 - type: WEB url: http://www.securityfocus.com/archive/1/489544/100/0/threaded +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2011-25.yaml b/vulns/plone/PYSEC-2011-25.yaml index 72f4d22a..847e742d 100644 --- a/vulns/plone/PYSEC-2011-25.yaml +++ b/vulns/plone/PYSEC-2011-25.yaml @@ -1,30 +1,20 @@ -id: PYSEC-2011-25 -modified: 2024-11-21T14:22:58.906196Z -published: 2011-07-19T20:55:00Z -aliases: -- CVE-2011-2528 -details: 'Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before - 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for - Plone 3.x allows attackers to gain privileges via unspecified vectors, related to - a "highly serious vulnerability." NOTE: this vulnerability exists because of an - incorrect fix for CVE-2011-0720.' affected: - package: ecosystem: PyPI name: plone purl: pkg:pypi/plone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "3.2" + - '3.2' - 3.2.1 - 3.2.2 - 3.2.3 - 3.2a1 - 3.2rc1 - - "3.3" + - '3.3' - 3.3.1 - 3.3.2 - 3.3.3 @@ -37,7 +27,7 @@ affected: - 3.3rc3 - 3.3rc4 - 3.3rc5 - - "4.0" + - '4.0' - 4.0.1 - 4.0.10 - 4.0.2 @@ -59,7 +49,7 @@ affected: - 4.0b4 - 4.0b5 - 4.0rc1 - - "4.1" + - '4.1' - 4.1.1 - 4.1.2 - 4.1.3 @@ -73,7 +63,7 @@ affected: - 4.1b2 - 4.1rc2 - 4.1rc3 - - "4.2" + - '4.2' - 4.2.1 - 4.2.2 - 4.2.3 @@ -87,7 +77,7 @@ affected: - 4.2b2 - 4.2rc1 - 4.2rc2 - - "4.3" + - '4.3' - 4.3.1 - 4.3.10 - 4.3.11 @@ -113,7 +103,7 @@ affected: - 4.3b1 - 4.3b2 - 4.3rc1 - - "5.0" + - '5.0' - 5.0.1 - 5.0.10 - 5.0.2 
@@ -205,6 +195,16 @@ affected: - 6.1.0a4 - 6.1.0a5 - 6.1.0b1 +aliases: +- CVE-2011-2528 +details: 'Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before + 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for + Plone 3.x allows attackers to gain privileges via unspecified vectors, related to + a "highly serious vulnerability." NOTE: this vulnerability exists because of an + incorrect fix for CVE-2011-0720.' +id: PYSEC-2011-25 +modified: '2024-11-21T14:22:58.906196Z' +published: '2011-07-19T20:55:00Z' references: - type: FIX url: http://plone.org/products/plone-hotfix/releases/20110622 @@ -226,3 +226,4 @@ references: url: http://secunia.com/advisories/45111 - type: FIX url: http://www.openwall.com/lists/oss-security/2011/07/04/6 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2021-889.yaml b/vulns/plone/PYSEC-2021-889.yaml index 94c34810..ae713a8f 100644 --- a/vulns/plone/PYSEC-2021-889.yaml +++ b/vulns/plone/PYSEC-2021-889.yaml @@ -1,27 +1,20 @@ -id: PYSEC-2021-889 -modified: 2024-11-21T14:22:58.969592Z -published: 2021-03-24T15:15:00Z -aliases: -- CVE-2021-29002 -details: A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists - in site-controlpanel via the "form.widgets.site_title" parameter. affected: - package: ecosystem: PyPI name: plone purl: pkg:pypi/plone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "3.2" + - '3.2' - 3.2.1 - 3.2.2 - 3.2.3 - 3.2a1 - 3.2rc1 - - "3.3" + - '3.3' - 3.3.1 - 3.3.2 - 3.3.3 @@ -34,7 +27,7 @@ affected: - 3.3rc3 - 3.3rc4 - 3.3rc5 - - "4.0" + - '4.0' - 4.0.1 - 4.0.10 - 4.0.2 @@ -56,7 +49,7 @@ affected: - 4.0b4 - 4.0b5 - 4.0rc1 - - "4.1" + - '4.1' - 4.1.1 - 4.1.2 - 4.1.3 @@ -70,7 +63,7 @@ affected: - 4.1b2 - 4.1rc2 - 4.1rc3 - - "4.2" + - '4.2' - 4.2.1 - 4.2.2 - 4.2.3 @@ -84,7 +77,7 @@ affected: - 4.2b2 - 4.2rc1 - 4.2rc2 - - "4.3" + - '4.3' - 4.3.1 - 4.3.10 - 4.3.11 
@@ -110,7 +103,7 @@ affected: - 4.3b1 - 4.3b2 - 4.3rc1 - - "5.0" + - '5.0' - 5.0.1 - 5.0.10 - 5.0.2 @@ -202,9 +195,13 @@ affected: - 6.1.0a4 - 6.1.0a5 - 6.1.0b1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N +aliases: +- CVE-2021-29002 +details: A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists + in site-controlpanel via the "form.widgets.site_title" parameter. +id: PYSEC-2021-889 +modified: '2024-11-21T14:22:58.969592Z' +published: '2021-03-24T15:15:00Z' references: - type: EVIDENCE url: https://www.exploit-db.com/exploits/49668 @@ -216,3 +213,7 @@ references: url: https://github.com/plone/Products.CMFPlone/issues/3255 - type: REPORT url: https://github.com/plone/Products.CMFPlone/issues/3255 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2023-289.yaml b/vulns/plone/PYSEC-2023-289.yaml index eb940f01..b779c98f 100644 --- a/vulns/plone/PYSEC-2023-289.yaml +++ b/vulns/plone/PYSEC-2023-289.yaml @@ -1,30 +1,20 @@ -id: PYSEC-2023-289 -modified: 2024-11-21T14:22:59.034188Z -published: 2023-02-17T18:15:00Z -aliases: -- CVE-2021-33926 -details: An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, - 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, - 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, - 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows - attacker to access sensitive information via the RSS feed protlet. affected: - package: ecosystem: PyPI name: plone purl: pkg:pypi/plone ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "3.2" + - '3.2' - 3.2.1 - 3.2.2 - 3.2.3 - 3.2a1 - 3.2rc1 - - "3.3" + - '3.3' - 3.3.1 - 3.3.2 - 3.3.3 
@@ -37,7 +27,7 @@ affected: - 3.3rc3 - 3.3rc4 - 3.3rc5 - - "4.0" + - '4.0' - 4.0.1 - 4.0.10 - 4.0.2 @@ -59,7 +49,7 @@ affected: - 4.0b4 - 4.0b5 - 4.0rc1 - - "4.1" + - '4.1' - 4.1.1 - 4.1.2 - 4.1.3 @@ -73,7 +63,7 @@ affected: - 4.1b2 - 4.1rc2 - 4.1rc3 - - "4.2" + - '4.2' - 4.2.1 - 4.2.2 - 4.2.3 @@ -87,7 +77,7 @@ affected: - 4.2b2 - 4.2rc1 - 4.2rc2 - - "4.3" + - '4.3' - 4.3.1 - 4.3.10 - 4.3.11 @@ -113,7 +103,7 @@ affected: - 4.3b1 - 4.3b2 - 4.3rc1 - - "5.0" + - '5.0' - 5.0.1 - 5.0.10 - 5.0.2 @@ -205,9 +195,16 @@ affected: - 6.1.0a4 - 6.1.0a5 - 6.1.0b1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2021-33926 +details: An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, + 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, + 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, + 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows + attacker to access sensitive information via the RSS feed protlet. +id: PYSEC-2023-289 +modified: '2024-11-21T14:22:59.034188Z' +published: '2023-02-17T18:15:00Z' references: - type: EVIDENCE url: https://github.com/s-kustm/Subodh/blob/master/Plone%205.2.4%20Vulnerable%20to%20bilend%20SSRF.pdf @@ -217,3 +214,7 @@ references: url: https://plone.org/security/hotfix/20210518/blind-ssrf-via-feedparser-accessing-an-internal-url - type: WEB url: https://plone.org/security/hotfix/20210518 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/portage/PYSEC-2014-115.yaml b/vulns/portage/PYSEC-2014-115.yaml index fa92b743..91b9b286 100644 --- a/vulns/portage/PYSEC-2014-115.yaml +++ b/vulns/portage/PYSEC-2014-115.yaml 
@@ -1,21 +1,12 @@ -id: PYSEC-2014-115 -modified: 2024-11-21T14:22:59.10272Z -published: 2014-09-29T22:55:00Z -aliases: -- CVE-2013-2100 -details: The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, - when using HTTPS, does not verify X.509 certificates from SSL servers, which allows - man-in-the-middle attackers to spoof servers and modify binary package lists via - a crafted certificate. affected: - package: ecosystem: PyPI name: portage purl: pkg:pypi/portage ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 3.0.18 - 3.0.19 @@ -71,6 +62,15 @@ affected: - 3.0.65 - 3.0.66 - 3.0.66.1 +aliases: +- CVE-2013-2100 +details: The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, + when using HTTPS, does not verify X.509 certificates from SSL servers, which allows + man-in-the-middle attackers to spoof servers and modify binary package lists via + a crafted certificate. +id: PYSEC-2014-115 +modified: '2024-11-21T14:22:59.10272Z' +published: '2014-09-29T22:55:00Z' references: - type: EVIDENCE url: http://openwall.com/lists/oss-security/2013/05/15/5 @@ -84,3 +84,4 @@ references: url: https://security.gentoo.org/glsa/201507-16 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/84315 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/products-plonehotfix20110928/PYSEC-2011-26.yaml b/vulns/products-plonehotfix20110928/PYSEC-2011-26.yaml index c9225dbb..c106c76f 100644 --- a/vulns/products-plonehotfix20110928/PYSEC-2011-26.yaml +++ b/vulns/products-plonehotfix20110928/PYSEC-2011-26.yaml 
@@ -1,24 +1,24 @@ -id: PYSEC-2011-26 -modified: 2024-11-21T14:22:59.154748Z -published: 2011-10-10T10:55:00Z -aliases: -- CVE-2011-3587 -details: Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x - through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary - commands via vectors related to the p_ class in OFS/misc_.py and the use of Python - modules. affected: - package: ecosystem: PyPI name: products-plonehotfix20110928 purl: pkg:pypi/products-plonehotfix20110928 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "1.0" - - "1.1" + - '1.0' + - '1.1' +aliases: +- CVE-2011-3587 +details: Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x + through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary + commands via vectors related to the p_ class in OFS/misc_.py and the use of Python + modules. +id: PYSEC-2011-26 +modified: '2024-11-21T14:22:59.154748Z' +published: '2011-10-10T10:55:00Z' references: - type: FIX url: https://bugzilla.redhat.com/show_bug.cgi?id=742297 @@ -38,3 +38,4 @@ references: url: http://plone.org/products/plone-hotfix/releases/20110928 - type: ADVISORY url: http://secunia.com/advisories/46323 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/products-plonehotfix20110928/PYSEC-2011-27.yaml b/vulns/products-plonehotfix20110928/PYSEC-2011-27.yaml index 514f2e9e..5edaf9db 100644 --- a/vulns/products-plonehotfix20110928/PYSEC-2011-27.yaml +++ b/vulns/products-plonehotfix20110928/PYSEC-2011-27.yaml 
@@ -1,24 +1,24 @@ -id: PYSEC-2011-27 -modified: 2024-11-21T14:22:59.206417Z -published: 2011-10-10T10:55:00Z -aliases: -- CVE-2011-4030 -details: The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 - through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, - which allows remote attackers to access sub-objects via unspecified vectors, a different - vulnerability than CVE-2011-3587. affected: - package: ecosystem: PyPI name: products-plonehotfix20110928 purl: pkg:pypi/products-plonehotfix20110928 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "1.0" - - "1.1" + - '1.0' + - '1.1' +aliases: +- CVE-2011-4030 +details: The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 + through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, + which allows remote attackers to access sub-objects via unspecified vectors, a different + vulnerability than CVE-2011-3587. +id: PYSEC-2011-27 +modified: '2024-11-21T14:22:59.206417Z' +published: '2011-10-10T10:55:00Z' references: - type: FIX url: http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0 @@ -30,3 +30,4 @@ references: url: http://secunia.com/advisories/46323 - type: WEB url: http://www.securityfocus.com/bid/50287 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/py-cord/PYSEC-2022-43146.yaml b/vulns/py-cord/PYSEC-2022-43146.yaml index 923d8523..43f1f11a 100644 --- a/vulns/py-cord/PYSEC-2022-43146.yaml +++ b/vulns/py-cord/PYSEC-2022-43146.yaml 
@@ -1,24 +1,12 @@ -id: PYSEC-2022-43146 -modified: 2024-11-21T14:22:59.25812Z -published: 2022-08-18T15:15:00Z -aliases: -- CVE-2022-36024 -- GHSA-qmhj-m29v-gvmr -details: py-cord is a an API wrapper for Discord written in Python. Bots creating - using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added - to the server with the `application.commands` scope without the `bot` scope. Currently, - it appears that all public bots that use slash commands are affected. This issue - has been patched in version 2.0.1. There are currently no recommended workarounds - - please upgrade to a patched version. affected: - package: ecosystem: PyPI name: py-cord purl: pkg:pypi/py-cord ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.7.3 - 2.0.0 @@ -47,9 +35,18 @@ affected: - 2.5.0 - 2.6.0 - 2.6.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2022-36024 +- GHSA-qmhj-m29v-gvmr +details: py-cord is a an API wrapper for Discord written in Python. Bots creating + using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added + to the server with the `application.commands` scope without the `bot` scope. Currently, + it appears that all public bots that use slash commands are affected. This issue + has been patched in version 2.0.1. There are currently no recommended workarounds + - please upgrade to a patched version. +id: PYSEC-2022-43146 +modified: '2024-11-21T14:22:59.25812Z' +published: '2022-08-18T15:15:00Z' references: - type: ADVISORY url: https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr @@ -57,3 +54,7 @@ references: url: https://github.com/Pycord-Development/pycord/pull/1568 - type: WEB url: https://github.com/Pycord-Development/pycord/pull/1568 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' 
diff --git a/vulns/pyanxdns/PYSEC-2022-43147.yaml b/vulns/pyanxdns/PYSEC-2022-43147.yaml index 01c15303..74f46ddf 100644 --- a/vulns/pyanxdns/PYSEC-2022-43147.yaml +++ b/vulns/pyanxdns/PYSEC-2022-43147.yaml @@ -1,25 +1,22 @@ -id: PYSEC-2022-43147 -modified: 2024-11-21T14:22:59.309018Z -published: 2022-06-08T20:15:00Z -aliases: -- CVE-2022-30882 -details: 'pyanxdns package in PyPI version 0.2 is vulnerable to code execution backdoor. - The impact is: execute arbitrary code (remote). When installing the pyanxdns package - of version 0.2, the request package will be installed.' affected: - package: ecosystem: PyPI name: pyanxdns purl: pkg:pypi/pyanxdns ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.2.5 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-30882 +details: 'pyanxdns package in PyPI version 0.2 is vulnerable to code execution backdoor. + The impact is: execute arbitrary code (remote). When installing the pyanxdns package + of version 0.2, the request package will be installed.' +id: PYSEC-2022-43147 +modified: '2024-11-21T14:22:59.309018Z' +published: '2022-06-08T20:15:00Z' references: - type: EVIDENCE url: https://github.com/egeback/pyanxdns/issues/1 @@ -29,3 +26,7 @@ references: url: https://pypi.org/project/pyanxdns/ - type: WEB url: http://pypi.doubanio.com/simple/request +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pyassimp/PYSEC-2022-43148.yaml b/vulns/pyassimp/PYSEC-2022-43148.yaml index 448fafae..9e669eb2 100644 --- a/vulns/pyassimp/PYSEC-2022-43148.yaml +++ b/vulns/pyassimp/PYSEC-2022-43148.yaml 
@@ -1,30 +1,27 @@ -id: PYSEC-2022-43148 -modified: 2024-11-21T14:22:59.35793Z -published: 2022-01-01T00:15:00Z -aliases: -- CVE-2021-45948 -details: Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer - overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper). affected: - package: ecosystem: PyPI name: pyassimp purl: pkg:pypi/pyassimp ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" - - "3.3" + - '0.1' + - '3.3' - 4.1.1 - 4.1.2 - 4.1.3 - 4.1.4 - 5.2.5 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2021-45948 +details: Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer + overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper). +id: PYSEC-2022-43148 +modified: '2024-11-21T14:22:59.35793Z' +published: '2022-01-01T00:15:00Z' references: - type: EVIDENCE url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416 @@ -36,3 +33,7 @@ references: url: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/assimp/OSV-2021-775.yaml - type: ADVISORY url: https://security.gentoo.org/glsa/202210-01 +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pyassimp/PYSEC-2022-43149.yaml b/vulns/pyassimp/PYSEC-2022-43149.yaml index 20fc2a0d..71be80b1 100644 --- a/vulns/pyassimp/PYSEC-2022-43149.yaml +++ b/vulns/pyassimp/PYSEC-2022-43149.yaml 
@@ -1,32 +1,33 @@ -id: PYSEC-2022-43149 -modified: 2024-11-21T14:22:59.412324Z -published: 2022-09-06T23:15:00Z -aliases: -- CVE-2022-38528 -details: Open Asset Import Library (assimp) commit 3c253ca was discovered to contain - a segmentation violation via the component Assimp::XFileImporter::CreateMeshes. affected: - package: ecosystem: PyPI name: pyassimp purl: pkg:pypi/pyassimp ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" - - "3.3" + - '0.1' + - '3.3' - 4.1.1 - 4.1.2 - 4.1.3 - 4.1.4 - 5.2.5 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2022-38528 +details: Open Asset Import Library (assimp) commit 3c253ca was discovered to contain + a segmentation violation via the component Assimp::XFileImporter::CreateMeshes. +id: PYSEC-2022-43149 +modified: '2024-11-21T14:22:59.412324Z' +published: '2022-09-06T23:15:00Z' references: - type: EVIDENCE url: https://github.com/assimp/assimp/issues/4662 - type: REPORT url: https://github.com/assimp/assimp/issues/4662 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pyassimp/PYSEC-2023-290.yaml b/vulns/pyassimp/PYSEC-2023-290.yaml index 964dd503..83ad7618 100644 --- a/vulns/pyassimp/PYSEC-2023-290.yaml +++ b/vulns/pyassimp/PYSEC-2023-290.yaml 
@@ -1,32 +1,33 @@ -id: PYSEC-2023-290 -modified: 2024-11-21T14:22:59.461917Z -published: 2023-01-20T19:15:00Z -aliases: -- CVE-2022-45748 -details: An issue was discovered with assimp 5.1.4, a use after free occurred in function - ColladaParser::ExtractDataObjectFromChannel in file /code/AssetLib/Collada/ColladaParser.cpp. affected: - package: ecosystem: PyPI name: pyassimp purl: pkg:pypi/pyassimp ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.1" - - "3.3" + - '0.1' + - '3.3' - 4.1.1 - 4.1.2 - 4.1.3 - 4.1.4 - 5.2.5 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-45748 +details: An issue was discovered with assimp 5.1.4, a use after free occurred in function + ColladaParser::ExtractDataObjectFromChannel in file /code/AssetLib/Collada/ColladaParser.cpp. +id: PYSEC-2023-290 +modified: '2024-11-21T14:22:59.461917Z' +published: '2023-01-20T19:15:00Z' references: - type: EVIDENCE url: https://github.com/assimp/assimp/issues/4286 - type: REPORT url: https://github.com/assimp/assimp/issues/4286 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pyboolector/PYSEC-2019-252.yaml b/vulns/pyboolector/PYSEC-2019-252.yaml index dac5817d..cbea0326 100644 --- a/vulns/pyboolector/PYSEC-2019-252.yaml +++ b/vulns/pyboolector/PYSEC-2019-252.yaml @@ -1,19 +1,12 @@ -id: PYSEC-2019-252 -modified: 2024-11-21T14:22:59.57901Z -published: 2019-02-07T07:29:00Z -aliases: -- CVE-2019-7560 -details: In parser/btorsmt2.c in Boolector 3.0.0, opening a specially crafted input - file leads to a use after free in get_failed_assumptions or btor_delete. affected: - package: ecosystem: PyPI name: pyboolector purl: pkg:pypi/pyboolector ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 3.0.0.1 - 3.0.0.20191102.28 
@@ -125,9 +118,13 @@ affected: - 3.2.3.20240822.1 - 3.2.3.20240822.20 - 3.2.4.20240823.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2019-7560 +details: In parser/btorsmt2.c in Boolector 3.0.0, opening a specially crafted input + file leads to a use after free in get_failed_assumptions or btor_delete. +id: PYSEC-2019-252 +modified: '2024-11-21T14:22:59.57901Z' +published: '2019-02-07T07:29:00Z' references: - type: EVIDENCE url: https://github.com/Boolector/boolector/issues/29 @@ -141,3 +138,7 @@ references: url: https://github.com/Boolector/boolector/issues/28 - type: REPORT url: https://github.com/Boolector/boolector/issues/28 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pyignite/PYSEC-2017-146.yaml b/vulns/pyignite/PYSEC-2017-146.yaml index 588cb2d4..2ad6e5b0 100644 --- a/vulns/pyignite/PYSEC-2017-146.yaml +++ b/vulns/pyignite/PYSEC-2017-146.yaml @@ -1,23 +1,12 @@ -id: PYSEC-2017-146 -modified: 2024-11-21T14:22:59.736776Z -published: 2017-06-28T13:29:00Z -aliases: -- CVE-2017-7686 -details: Apache Ignite 1.0.0-RC3 to 2.0 uses an update notifier component to update - the users about new project releases that include additional functionality, bug - fixes and performance improvements. To do that the component communicates to an - external PHP server (http://ignite.run) where it needs to send some system properties - like Apache Ignite or Java version. Some of the properties might contain user sensitive - information. affected: - package: ecosystem: PyPI name: pyignite purl: pkg:pypi/pyignite ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.1.3 
@@ -36,9 +25,17 @@ affected: - 0.5.2 - 0.6.0 - 0.6.1 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N +aliases: +- CVE-2017-7686 +details: Apache Ignite 1.0.0-RC3 to 2.0 uses an update notifier component to update + the users about new project releases that include additional functionality, bug + fixes and performance improvements. To do that the component communicates to an + external PHP server (http://ignite.run) where it needs to send some system properties + like Apache Ignite or Java version. Some of the properties might contain user sensitive + information. +id: PYSEC-2017-146 +modified: '2024-11-21T14:22:59.736776Z' +published: '2017-06-28T13:29:00Z' references: - type: WEB url: http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2017-7686-Apache-Ignite-Information-Disclosure-td19168.html @@ -46,3 +43,7 @@ references: url: http://www.securityfocus.com/bid/99292 - type: ADVISORY url: http://www.securityfocus.com/bid/99292 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pyo/PYSEC-2021-890.yaml b/vulns/pyo/PYSEC-2021-890.yaml index 43f199da..1d82a3f4 100644 --- a/vulns/pyo/PYSEC-2021-890.yaml +++ b/vulns/pyo/PYSEC-2021-890.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2021-890 -modified: 2024-11-21T14:22:59.907617Z -published: 2021-12-17T21:15:00Z -aliases: -- CVE-2021-41498 -details: Buffer overflow in ajaxsoundstudio.com Pyo < and 1.03 in the Server_jack_init - function. which allows attackers to conduct Denial of Service attacks by arbitrary - constructing a overlong server name. affected: - package: ecosystem: PyPI name: pyo purl: pkg:pypi/pyo ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.0.0 - 1.0.1 
@@ -22,11 +14,20 @@ affected: - 1.0.3 - 1.0.4 - 1.0.5 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2021-41498 +details: Buffer overflow in ajaxsoundstudio.com Pyo < and 1.03 in the Server_jack_init + function. which allows attackers to conduct Denial of Service attacks by arbitrary + constructing a overlong server name. +id: PYSEC-2021-890 +modified: '2024-11-21T14:22:59.907617Z' +published: '2021-12-17T21:15:00Z' references: - type: EVIDENCE url: https://github.com/belangeo/pyo/issues/221 - type: REPORT url: https://github.com/belangeo/pyo/issues/221 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pypatchelf/PYSEC-2022-43151.yaml b/vulns/pypatchelf/PYSEC-2022-43151.yaml index 9fde2da0..eb681baa 100644 --- a/vulns/pypatchelf/PYSEC-2022-43151.yaml +++ b/vulns/pypatchelf/PYSEC-2022-43151.yaml @@ -1,25 +1,22 @@ -id: PYSEC-2022-43151 -modified: 2024-11-21T14:22:59.956918Z -published: 2022-12-19T22:15:00Z -aliases: -- CVE-2022-44940 -details: Patchelf v0.9 was discovered to contain an out-of-bounds read via the function - modifyRPath at src/patchelf.cc. affected: - package: ecosystem: PyPI name: pypatchelf purl: pkg:pypi/pypatchelf ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0.8" - - "0.9" -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H + - '0.8' + - '0.9' +aliases: +- CVE-2022-44940 +details: Patchelf v0.9 was discovered to contain an out-of-bounds read via the function + modifyRPath at src/patchelf.cc. +id: PYSEC-2022-43151 +modified: '2024-11-21T14:22:59.956918Z' +published: '2022-12-19T22:15:00Z' references: - type: EVIDENCE url: https://github.com/NixOS/patchelf/pull/419 
@@ -27,3 +24,7 @@ references: url: https://github.com/NixOS/patchelf/pull/419 - type: WEB url: https://github.com/NixOS/patchelf/pull/419 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pyspark/PYSEC-2017-147.yaml b/vulns/pyspark/PYSEC-2017-147.yaml index 4889dc94..c8417d67 100644 --- a/vulns/pyspark/PYSEC-2017-147.yaml +++ b/vulns/pyspark/PYSEC-2017-147.yaml @@ -1,24 +1,12 @@ -id: PYSEC-2017-147 -modified: 2024-11-21T14:23:00.007173Z -published: 2017-09-13T16:29:00Z -aliases: -- CVE-2017-12612 -details: In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization - of data received by its socket. This makes applications launched programmatically - using the launcher API potentially vulnerable to arbitrary code execution by an - attacker with access to any user account on the local machine. It does not affect - apps run by spark-submit or spark-shell. The attacker would be able to execute code - as the user that ran the Spark application. Users are encouraged to update to version - 2.2.0 or later. affected: - package: ecosystem: PyPI name: pyspark purl: pkg:pypi/pyspark ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2.1.1 - 2.1.2 
@@ -69,9 +57,18 @@ affected: - 3.5.3 - 4.0.0.dev1 - 4.0.0.dev2 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2017-12612 +details: In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization + of data received by its socket. This makes applications launched programmatically + using the launcher API potentially vulnerable to arbitrary code execution by an + attacker with access to any user account on the local machine. It does not affect + apps run by spark-submit or spark-shell. The attacker would be able to execute code + as the user that ran the Spark application. Users are encouraged to update to version + 2.2.0 or later. +id: PYSEC-2017-147 +modified: '2024-11-21T14:23:00.007173Z' +published: '2017-09-13T16:29:00Z' references: - type: ARTICLE url: https://mail-archives.apache.org/mod_mbox/spark-dev/201709.mbox/%3CCAEccTyy-1yYuhdNgkBUg0sr9NeaZSrBKkBePdTNZbxXZNTAR-g%40mail.gmail.com%3E @@ -81,3 +78,7 @@ references: url: http://www.securityfocus.com/bid/100823 - type: ADVISORY url: http://www.securityfocus.com/bid/100823 +severity: +- score: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/python-scciclient/PYSEC-2022-43152.yaml b/vulns/python-scciclient/PYSEC-2022-43152.yaml index 2494a915..29eb9dc8 100644 --- a/vulns/python-scciclient/PYSEC-2022-43152.yaml +++ b/vulns/python-scciclient/PYSEC-2022-43152.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2022-43152 -modified: 2024-11-21T14:23:00.061403Z -published: 2022-09-01T18:15:00Z -aliases: -- CVE-2022-2996 -details: A flaw was found in the python-scciclient when making an HTTPS connection - to a server where the server's certificate would not be verified. This issue opens - up the connection to possible Man-in-the-middle (MITM) attacks. affected: - package: ecosystem: PyPI name: python-scciclient purl: pkg:pypi/python-scciclient ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.1.0 @@ -61,9 +53,14 @@ affected: - 0.9.3 - 0.9.4 - 0.9.5 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N +aliases: +- CVE-2022-2996 +details: A flaw was found in the python-scciclient when making an HTTPS connection + to a server where the server's certificate would not be verified. This issue opens + up the connection to possible Man-in-the-middle (MITM) attacks. +id: PYSEC-2022-43152 +modified: '2024-11-21T14:23:00.061403Z' +published: '2022-09-01T18:15:00Z' references: - type: FIX url: https://opendev.org/x/python-scciclient/commit/274dca0344b65b4ac113d3271d21c17e970a636c @@ -73,3 +70,7 @@ references: url: https://lists.debian.org/debian-lts-announce/2022/11/msg00006.html - type: WEB url: https://lists.debian.org/debian-lts-announce/2022/11/msg00006.html +severity: +- score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pywasm3/PYSEC-2022-43153.yaml b/vulns/pywasm3/PYSEC-2022-43153.yaml index 65ea1940..a877e7fd 100644 --- a/vulns/pywasm3/PYSEC-2022-43153.yaml +++ b/vulns/pywasm3/PYSEC-2022-43153.yaml 
@@ -1,30 +1,31 @@ -id: PYSEC-2022-43153 -modified: 2024-11-21T14:23:00.113164Z -published: 2022-04-16T16:15:00Z -aliases: -- CVE-2022-28966 -details: Wasm3 0.5.0 has a heap-based buffer overflow in NewCodePage in m3_code.c - (called indirectly from Compile_BranchTable in m3_compile.c). affected: - package: ecosystem: PyPI name: pywasm3 purl: pkg:pypi/pywasm3 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 - 0.4.8 - 0.4.9 - 0.5.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2022-28966 +details: Wasm3 0.5.0 has a heap-based buffer overflow in NewCodePage in m3_code.c + (called indirectly from Compile_BranchTable in m3_compile.c). +id: PYSEC-2022-43153 +modified: '2024-11-21T14:23:00.113164Z' +published: '2022-04-16T16:15:00Z' references: - type: EVIDENCE url: https://github.com/wasm3/wasm3/issues/320 - type: REPORT url: https://github.com/wasm3/wasm3/issues/320 +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pywasm3/PYSEC-2022-43154.yaml b/vulns/pywasm3/PYSEC-2022-43154.yaml index b40b57ad..a95f19ab 100644 --- a/vulns/pywasm3/PYSEC-2022-43154.yaml +++ b/vulns/pywasm3/PYSEC-2022-43154.yaml 
@@ -1,28 +1,25 @@ -id: PYSEC-2022-43154 -modified: 2024-11-21T14:23:00.161107Z -published: 2022-05-20T19:15:00Z -aliases: -- CVE-2022-28990 -details: WASM3 v0.5.0 was discovered to contain a heap overflow via the component - /wabt/bin/poc.wasm. affected: - package: ecosystem: PyPI name: pywasm3 purl: pkg:pypi/pywasm3 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 - 0.4.8 - 0.4.9 - 0.5.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-28990 +details: WASM3 v0.5.0 was discovered to contain a heap overflow via the component + /wabt/bin/poc.wasm. +id: PYSEC-2022-43154 +modified: '2024-11-21T14:23:00.161107Z' +published: '2022-05-20T19:15:00Z' references: - type: EVIDENCE url: https://github.com/wasm3/wasm3/issues/323 @@ -32,3 +29,7 @@ references: url: https://github.com/wasm3/wasm3/pull/324 - type: WEB url: https://github.com/wasm3/wasm3/pull/324 +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pywasm3/PYSEC-2022-43155.yaml b/vulns/pywasm3/PYSEC-2022-43155.yaml index b3707503..e2daf624 100644 --- a/vulns/pywasm3/PYSEC-2022-43155.yaml +++ b/vulns/pywasm3/PYSEC-2022-43155.yaml 
@@ -1,30 +1,31 @@ -id: PYSEC-2022-43155 -modified: 2024-11-21T14:23:00.213494Z -published: 2022-12-13T23:15:00Z -aliases: -- CVE-2022-44874 -details: wasm3 commit 7890a2097569fde845881e0b352d813573e371f9 was discovered to contain - a segmentation fault via the component op_CallIndirect at /m3_exec.h. affected: - package: ecosystem: PyPI name: pywasm3 purl: pkg:pypi/pywasm3 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 - 0.4.8 - 0.4.9 - 0.5.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2022-44874 +details: wasm3 commit 7890a2097569fde845881e0b352d813573e371f9 was discovered to contain + a segmentation fault via the component op_CallIndirect at /m3_exec.h. +id: PYSEC-2022-43155 +modified: '2024-11-21T14:23:00.213494Z' +published: '2022-12-13T23:15:00Z' references: - type: EVIDENCE url: https://github.com/wasm3/wasm3/issues/380 - type: REPORT url: https://github.com/wasm3/wasm3/issues/380 +severity: +- score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/redis/PYSEC-2022-43162.yaml b/vulns/redis/PYSEC-2022-43162.yaml index 89d84dc7..f9587f46 100644 --- a/vulns/redis/PYSEC-2022-43162.yaml +++ b/vulns/redis/PYSEC-2022-43162.yaml 
@@ -1,27 +1,21 @@ -id: PYSEC-2022-43162 -modified: 2024-11-21T14:23:00.635277Z -published: 2022-06-23T17:15:00Z -aliases: -- CVE-2022-33105 -details: Redis v7.0 was discovered to contain a memory leak via the component streamGetEdgeID. affected: - package: ecosystem: PyPI name: redis purl: pkg:pypi/redis ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 4a7a4e42db8ff757cdf3f4a824f66426036034ef repo: https://github.com/redis/redis - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.6.0 - 0.6.1 - - "1.34" + - '1.34' - 1.34.1 - 2.0.0 - 2.10.0 @@ -154,9 +148,12 @@ affected: - 5.1.0b7 - 5.1.1 - 5.2.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2022-33105 +details: Redis v7.0 was discovered to contain a memory leak via the component streamGetEdgeID. +id: PYSEC-2022-43162 +modified: '2024-11-21T14:23:00.635277Z' +published: '2022-06-23T17:15:00Z' references: - type: EVIDENCE url: https://github.com/redis/redis/pull/10829 @@ -180,3 +177,7 @@ references: url: https://security.netapp.com/advisory/ntap-20220729-0005/ - type: ADVISORY url: https://security.gentoo.org/glsa/202209-17 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/repox/PYSEC-2023-293.yaml b/vulns/repox/PYSEC-2023-293.yaml index 4d325aca..942ef225 100644 --- a/vulns/repox/PYSEC-2023-293.yaml +++ b/vulns/repox/PYSEC-2023-293.yaml 
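Review bot: The withdrawn record for the PyPI package `redis` still carries a `GIT` range with `repo: https://github.com/redis/redis`, and its `details` describe "Redis v7.0". The listed `versions` (0.6.0 through 5.2.0) look like the Python client's, so the CVE appears to have been matched to the package by name only. `withdrawn` hides the entry but records no reason, and nothing visible in this patch would stop the same match from being re-imported later. A one-line comment above `withdrawn:` would help, for example `# withdrawn: CVE-2022-33105 describes the Redis server, not the PyPI "redis" client package`. If the writer drops comments, record the same reason wherever the import pipeline keeps its exclusions.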
@@ -1,27 +1,28 @@ -id: PYSEC-2023-293 -modified: 2024-11-21T14:23:00.689595Z -published: 2023-12-13T09:15:00Z -aliases: -- CVE-2023-6718 -details: An authentication bypass vulnerability has been found in Repox, which allows - a remote user to send a specially crafted POST request, due to the lack of any authentication - method, resulting in the alteration or creation of users. affected: - package: ecosystem: PyPI name: repox purl: pkg:pypi/repox ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 - 0.0.3 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N +aliases: +- CVE-2023-6718 +details: An authentication bypass vulnerability has been found in Repox, which allows + a remote user to send a specially crafted POST request, due to the lack of any authentication + method, resulting in the alteration or creation of users. +id: PYSEC-2023-293 +modified: '2024-11-21T14:23:00.689595Z' +published: '2023-12-13T09:15:00Z' references: - type: WEB url: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/repox/PYSEC-2023-294.yaml b/vulns/repox/PYSEC-2023-294.yaml index 287e02d5..179909a3 100644 --- a/vulns/repox/PYSEC-2023-294.yaml +++ b/vulns/repox/PYSEC-2023-294.yaml 
@@ -1,28 +1,29 @@ -id: PYSEC-2023-294 -modified: 2024-11-21T14:23:00.74018Z -published: 2023-12-13T10:15:00Z -aliases: -- CVE-2023-6719 -details: An XSS vulnerability has been detected in Repox, which allows an attacker - to compromise interactions between a user and the vulnerable application, and can - be exploited by a third party by sending a specially crafted JavaScript payload - to a user, and thus gain full control of their session. affected: - package: ecosystem: PyPI name: repox purl: pkg:pypi/repox ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 - 0.0.3 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N +aliases: +- CVE-2023-6719 +details: An XSS vulnerability has been detected in Repox, which allows an attacker + to compromise interactions between a user and the vulnerable application, and can + be exploited by a third party by sending a specially crafted JavaScript payload + to a user, and thus gain full control of their session. +id: PYSEC-2023-294 +modified: '2024-11-21T14:23:00.74018Z' +published: '2023-12-13T10:15:00Z' references: - type: WEB url: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/repox/PYSEC-2023-295.yaml b/vulns/repox/PYSEC-2023-295.yaml index 5f2560c4..114735df 100644 --- a/vulns/repox/PYSEC-2023-295.yaml +++ b/vulns/repox/PYSEC-2023-295.yaml 
@@ -1,28 +1,29 @@ -id: PYSEC-2023-295 -modified: 2024-11-21T14:23:00.792103Z -published: 2023-12-13T10:15:00Z -aliases: -- CVE-2023-6720 -details: An XSS vulnerability stored in Repox has been identified, which allows a - local attacker to store a specially crafted JavaScript payload on the server, due - to the lack of proper sanitisation of field elements, allowing the attacker to trigger - the malicious payload when the application loads. affected: - package: ecosystem: PyPI name: repox purl: pkg:pypi/repox ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 - 0.0.3 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N +aliases: +- CVE-2023-6720 +details: An XSS vulnerability stored in Repox has been identified, which allows a + local attacker to store a specially crafted JavaScript payload on the server, due + to the lack of proper sanitisation of field elements, allowing the attacker to trigger + the malicious payload when the application loads. +id: PYSEC-2023-295 +modified: '2024-11-21T14:23:00.792103Z' +published: '2023-12-13T10:15:00Z' references: - type: WEB url: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/repox/PYSEC-2023-296.yaml b/vulns/repox/PYSEC-2023-296.yaml index 16de322d..62145686 100644 --- a/vulns/repox/PYSEC-2023-296.yaml +++ b/vulns/repox/PYSEC-2023-296.yaml 
@@ -1,27 +1,28 @@ -id: PYSEC-2023-296 -modified: 2024-11-21T14:23:00.841929Z -published: 2023-12-13T10:15:00Z -aliases: -- CVE-2023-6721 -details: An XEE vulnerability has been found in Repox, which allows a remote attacker - to interfere with the application's XML data processing in the fileupload function, - resulting in interaction between the attacker and the server's file system. affected: - package: ecosystem: PyPI name: repox purl: pkg:pypi/repox ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 - 0.0.3 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N +aliases: +- CVE-2023-6721 +details: An XEE vulnerability has been found in Repox, which allows a remote attacker + to interfere with the application's XML data processing in the fileupload function, + resulting in interaction between the attacker and the server's file system. +id: PYSEC-2023-296 +modified: '2024-11-21T14:23:00.841929Z' +published: '2023-12-13T10:15:00Z' references: - type: WEB url: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/repox/PYSEC-2023-297.yaml b/vulns/repox/PYSEC-2023-297.yaml index 35d7d016..cc9fced4 100644 --- a/vulns/repox/PYSEC-2023-297.yaml +++ b/vulns/repox/PYSEC-2023-297.yaml 
@@ -1,28 +1,29 @@ -id: PYSEC-2023-297 -modified: 2024-11-21T14:23:00.892241Z -published: 2023-12-13T10:15:00Z -aliases: -- CVE-2023-6722 -details: A path traversal vulnerability has been detected in Repox, which allows an - attacker to read arbitrary files on the running server, resulting in a disclosure - of sensitive information. An attacker could access files such as application code - or data, backend credentials, operating system files... affected: - package: ecosystem: PyPI name: repox purl: pkg:pypi/repox ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 - 0.0.3 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N +aliases: +- CVE-2023-6722 +details: A path traversal vulnerability has been detected in Repox, which allows an + attacker to read arbitrary files on the running server, resulting in a disclosure + of sensitive information. An attacker could access files such as application code + or data, backend credentials, operating system files... +id: PYSEC-2023-297 +modified: '2024-11-21T14:23:00.892241Z' +published: '2023-12-13T10:15:00Z' references: - type: WEB url: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/reqmon/PYSEC-2022-43163.yaml b/vulns/reqmon/PYSEC-2022-43163.yaml index 066de310..046cc69a 100644 --- a/vulns/reqmon/PYSEC-2022-43163.yaml +++ b/vulns/reqmon/PYSEC-2022-43163.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2022-43163 -modified: 2024-11-21T14:23:00.945269Z -published: 2022-07-28T23:15:00Z -aliases: -- CVE-2022-34558 -details: WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, - and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted - dbs-client package. affected: - package: ecosystem: PyPI name: reqmon purl: pkg:pypi/reqmon ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2.0.4 - 2.1.1 @@ -172,11 +164,20 @@ affected: - 2.3.6rc8 - 2.3.7 - 2.3.7.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-34558 +details: WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, + and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted + dbs-client package. +id: PYSEC-2022-43163 +modified: '2024-11-21T14:23:00.945269Z' +published: '2022-07-28T23:15:00Z' references: - type: EVIDENCE url: https://github.com/dmwm/WMCore/issues/11188 - type: REPORT url: https://github.com/dmwm/WMCore/issues/11188 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/rondolu-yt-concate/PYSEC-2022-43164.yaml b/vulns/rondolu-yt-concate/PYSEC-2022-43164.yaml index 6ca929b7..2b0e0f55 100644 --- a/vulns/rondolu-yt-concate/PYSEC-2022-43164.yaml +++ b/vulns/rondolu-yt-concate/PYSEC-2022-43164.yaml 
@@ -1,25 +1,22 @@ -id: PYSEC-2022-43164 -modified: 2024-11-21T14:23:00.996865Z -published: 2022-06-24T21:15:00Z -aliases: -- CVE-2022-34065 -details: The Rondolu-YT-Concate package in PyPI v0.1.0 was discovered to contain a - code execution backdoor. This vulnerability allows attackers to access sensitive - user information and digital currency keys, as well as escalate privileges. affected: - package: ecosystem: PyPI name: rondolu-yt-concate purl: pkg:pypi/rondolu-yt-concate ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-34065 +details: The Rondolu-YT-Concate package in PyPI v0.1.0 was discovered to contain a + code execution backdoor. This vulnerability allows attackers to access sensitive + user information and digital currency keys, as well as escalate privileges. +id: PYSEC-2022-43164 +modified: '2024-11-21T14:23:00.996865Z' +published: '2022-06-24T21:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/rondolu-yt-concate/ @@ -29,3 +26,7 @@ references: url: https://github.com/rondolu/project-yt-concate/issues/1 - type: WEB url: http://pypi.doubanio.com/simple/request +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/safeurl-python/PYSEC-2023-298.yaml b/vulns/safeurl-python/PYSEC-2023-298.yaml index 42691d0e..ea859b58 100644 --- a/vulns/safeurl-python/PYSEC-2023-298.yaml +++ b/vulns/safeurl-python/PYSEC-2023-298.yaml 
@@ -1,29 +1,30 @@ -id: PYSEC-2023-298 -modified: 2024-11-21T14:23:01.045324Z -published: 2023-01-30T05:15:00Z -aliases: -- CVE-2023-24622 -- GHSA-jgh8-vchw-q3g7 -details: isInList in the safeurl-python package before 1.2 for Python has an insufficiently - restrictive regular expression for external domains, leading to SSRF. affected: - package: ecosystem: PyPI name: safeurl-python purl: pkg:pypi/safeurl-python ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "1.0" - - "1.2" - - "1.3" -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + - '1.0' + - '1.2' + - '1.3' +aliases: +- CVE-2023-24622 +- GHSA-jgh8-vchw-q3g7 +details: isInList in the safeurl-python package before 1.2 for Python has an insufficiently + restrictive regular expression for external domains, leading to SSRF. +id: PYSEC-2023-298 +modified: '2024-11-21T14:23:01.045324Z' +published: '2023-01-30T05:15:00Z' references: - type: EVIDENCE url: https://github.com/IncludeSecurity/safeurl-python/security/advisories/GHSA-jgh8-vchw-q3g7 - type: ADVISORY url: https://github.com/IncludeSecurity/safeurl-python/security/advisories/GHSA-jgh8-vchw-q3g7 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/scoptrial/PYSEC-2022-43165.yaml b/vulns/scoptrial/PYSEC-2022-43165.yaml index 73cdac30..426cd3c2 100644 --- a/vulns/scoptrial/PYSEC-2022-43165.yaml +++ b/vulns/scoptrial/PYSEC-2022-43165.yaml 
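Review bot: Withdrawing PYSEC-2023-298 outright drops coverage that the record's own `details` can bound. The text places the flaw in safeurl-python "before 1.2", and the `versions` list includes `'1.0'`. Once `withdrawn` is set, scanners that key on this id stop reporting 1.0, although the `GHSA-jgh8-vchw-q3g7` alias may still cover it in other feeds. A narrower fix is to add `- fixed: '1.2'` after `- introduced: '0'` in the ECOSYSTEM range and trim `versions` to `- '1.0'`. Other records in this patch name a fixed version too, such as vulns/pyspark/PYSEC-2017-147.yaml ("update to version 2.2.0 or later"), and could be bounded the same way.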
@@ -1,21 +1,12 @@ -id: PYSEC-2022-43165 -modified: 2024-11-21T14:23:01.181819Z -published: 2022-06-24T21:15:00Z -aliases: -- CVE-2022-34057 -details: The Scoptrial package in PyPI version v0.0.5 was discovered to contain a - code execution backdoor via the request package. This vulnerability allows attackers - to access sensitive user information and digital currency keys, as well as escalate - privileges. affected: - package: ecosystem: PyPI name: scoptrial purl: pkg:pypi/scoptrial ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 @@ -25,11 +16,21 @@ affected: - 0.0.6 - 0.1.0 - 0.1.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-34057 +details: The Scoptrial package in PyPI version v0.0.5 was discovered to contain a + code execution backdoor via the request package. This vulnerability allows attackers + to access sensitive user information and digital currency keys, as well as escalate + privileges. +id: PYSEC-2022-43165 +modified: '2024-11-21T14:23:01.181819Z' +published: '2022-06-24T21:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/scoptrial/ - type: WEB url: http://pypi.doubanio.com/simple/request +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/sixfab-tool/PYSEC-2022-43168.yaml b/vulns/sixfab-tool/PYSEC-2022-43168.yaml index 026172f9..37c81b5d 100644 --- a/vulns/sixfab-tool/PYSEC-2022-43168.yaml +++ b/vulns/sixfab-tool/PYSEC-2022-43168.yaml 
@@ -1,24 +1,21 @@ -id: PYSEC-2022-43168 -modified: 2022-07-06T19:30:00Z -published: 2022-06-24T21:15:00Z -aliases: -- CVE-2022-34059 -details: The Sixfab-Tool in PyPI v0.0.2 to v0.0.3 was discovered to contain a code - execution backdoor via the request package. This vulnerability allows attackers - to access sensitive user information and digital currency keys, as well as escalate - privileges. affected: - package: ecosystem: PyPI name: sixfab-tool purl: pkg:pypi/sixfab-tool ranges: - - type: ECOSYSTEM - events: - - introduced: "0" -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + - events: + - introduced: '0' + type: ECOSYSTEM +aliases: +- CVE-2022-34059 +details: The Sixfab-Tool in PyPI v0.0.2 to v0.0.3 was discovered to contain a code + execution backdoor via the request package. This vulnerability allows attackers + to access sensitive user information and digital currency keys, as well as escalate + privileges. +id: PYSEC-2022-43168 +modified: '2022-07-06T19:30:00Z' +published: '2022-06-24T21:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/sixfab-tool/ @@ -28,3 +25,7 @@ references: url: https://github.com/sixfab/setup-and-diagnostic-tool/issues/7 - type: WEB url: http://pypi.doubanio.com/simple/request +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/swift/PYSEC-2014-116.yaml b/vulns/swift/PYSEC-2014-116.yaml index 4125efd2..a3008354 100644 --- a/vulns/swift/PYSEC-2014-116.yaml +++ b/vulns/swift/PYSEC-2014-116.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2014-116 -modified: 2024-11-21T14:23:01.425354Z -published: 2014-01-23T01:55:00Z -aliases: -- CVE-2014-0006 -details: The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through - 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret - URLs by leveraging an object name and a timing side-channel attack. affected: - package: ecosystem: PyPI name: swift purl: pkg:pypi/swift ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.0.2 - 2.15.2 @@ -47,6 +39,14 @@ affected: - 2.32.0 - 2.33.0 - 2.34.0 +aliases: +- CVE-2014-0006 +details: The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through + 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret + URLs by leveraging an object name and a timing side-channel attack. +id: PYSEC-2014-116 +modified: '2024-11-21T14:23:01.425354Z' +published: '2014-01-23T01:55:00Z' references: - type: ADVISORY url: https://bugs.launchpad.net/swift/+bug/1265665 @@ -54,3 +54,4 @@ references: url: http://www.openwall.com/lists/oss-security/2014/01/17/5 - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-0232.html +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/tahoe-lafs/PYSEC-2019-253.yaml b/vulns/tahoe-lafs/PYSEC-2019-253.yaml index 2dac6cec..c740fc17 100644 --- a/vulns/tahoe-lafs/PYSEC-2019-253.yaml +++ b/vulns/tahoe-lafs/PYSEC-2019-253.yaml @@ -1,21 +1,14 @@ -id: PYSEC-2019-253 -modified: 2024-11-21T14:23:01.477737Z -published: 2019-11-07T18:15:00Z -aliases: -- CVE-2012-0051 -details: Tahoe-LAFS 1.9.0 fails to ensure integrity which allows remote attackers - to corrupt mutable files or directories upon retrieval. affected: - package: ecosystem: PyPI name: tahoe-lafs purl: pkg:pypi/tahoe-lafs ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "0" + - '0' - 1.11.0 - 1.12.0 - 1.12.1 
@@ -27,9 +20,13 @@ affected: - 1.17.1 - 1.18.0 - 1.19.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N +aliases: +- CVE-2012-0051 +details: Tahoe-LAFS 1.9.0 fails to ensure integrity which allows remote attackers + to corrupt mutable files or directories upon retrieval. +id: PYSEC-2019-253 +modified: '2024-11-21T14:23:01.477737Z' +published: '2019-11-07T18:15:00Z' references: - type: EVIDENCE url: http://www.openwall.com/lists/oss-security/2012/01/15/11 @@ -57,3 +54,7 @@ references: url: http://www.openwall.com/lists/oss-security/2012/01/26/9 - type: WEB url: http://www.openwall.com/lists/oss-security/2012/01/26/9 +severity: +- score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/tarantool/PYSEC-2016-39.yaml b/vulns/tarantool/PYSEC-2016-39.yaml index 8a3bc2e5..eeb176d1 100644 --- a/vulns/tarantool/PYSEC-2016-39.yaml +++ b/vulns/tarantool/PYSEC-2016-39.yaml @@ -1,23 +1,12 @@ -id: PYSEC-2016-39 -modified: 2024-11-21T14:23:01.531112Z -published: 2016-12-23T22:59:00Z -aliases: -- CVE-2016-9037 -details: An exploitable out-of-bounds array access vulnerability exists in the xrow_header_decode - function of Tarantool 1.7.2.0-g8e92715. A specially crafted packet can cause the - function to access an element outside the bounds of a global array that is used - to determine the type of the specified key's value. This can lead to an out of bounds - read within the context of the server. An attacker who exploits this vulnerability - can cause a denial of service vulnerability on the server. affected: - package: ecosystem: PyPI name: tarantool purl: pkg:pypi/tarantool ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.10.0 - 0.11.0 
@@ -50,9 +39,17 @@ affected: - 1.1.1 - 1.1.2 - 1.2.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +aliases: +- CVE-2016-9037 +details: An exploitable out-of-bounds array access vulnerability exists in the xrow_header_decode + function of Tarantool 1.7.2.0-g8e92715. A specially crafted packet can cause the + function to access an element outside the bounds of a global array that is used + to determine the type of the specified key's value. This can lead to an out of bounds + read within the context of the server. An attacker who exploits this vulnerability + can cause a denial of service vulnerability on the server. +id: PYSEC-2016-39 +modified: '2024-11-21T14:23:01.531112Z' +published: '2016-12-23T22:59:00Z' references: - type: EVIDENCE url: http://www.talosintelligence.com/reports/TALOS-2016-0255/ @@ -62,3 +59,7 @@ references: url: http://www.securityfocus.com/bid/95063 - type: ADVISORY url: http://www.securityfocus.com/bid/95063 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/tautulli/PYSEC-2019-254.yaml b/vulns/tautulli/PYSEC-2019-254.yaml index 2187954e..775233f5 100644 --- a/vulns/tautulli/PYSEC-2019-254.yaml +++ b/vulns/tautulli/PYSEC-2019-254.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2019-254 -modified: 2024-11-21T14:23:01.583905Z -published: 2019-12-18T18:15:00Z -aliases: -- CVE-2019-19833 -details: In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down - the remote media server. (Also, anonymous access can be achieved in applications - that do not have a user login area). affected: - package: ecosystem: PyPI name: tautulli purl: pkg:pypi/tautulli ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.0.0 - 1.1.0 
@@ -58,9 +50,14 @@ affected: - 4.3.2.2140 - 4.3.3.2140 - 4.3.4.2140 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H +aliases: +- CVE-2019-19833 +details: In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down + the remote media server. (Also, anonymous access can be achieved in applications + that do not have a user login area). +id: PYSEC-2019-254 +modified: '2024-11-21T14:23:01.583905Z' +published: '2019-12-18T18:15:00Z' references: - type: WEB url: https://github.com/Tautulli/Tautulli/compare/v2.1.9...v2.1.10-beta @@ -76,3 +73,7 @@ references: url: http://packetstormsecurity.com/files/155974/Tautulli-2.1.9-Denial-Of-Service.html - type: ADVISORY url: http://packetstormsecurity.com/files/155974/Tautulli-2.1.9-Denial-Of-Service.html +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/tautulli/PYSEC-2019-255.yaml b/vulns/tautulli/PYSEC-2019-255.yaml index 5113596f..2631a873 100644 --- a/vulns/tautulli/PYSEC-2019-255.yaml +++ b/vulns/tautulli/PYSEC-2019-255.yaml @@ -1,19 +1,12 @@ -id: PYSEC-2019-255 -modified: 2024-11-21T14:23:01.636914Z -published: 2019-02-19T16:29:00Z -aliases: -- CVE-2019-8939 -details: data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted - Plex username that is mishandled when constructing the History page. affected: - package: ecosystem: PyPI name: tautulli purl: pkg:pypi/tautulli ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.0.0 - 1.1.0 
@@ -57,9 +50,13 @@ affected: - 4.3.2.2140 - 4.3.3.2140 - 4.3.4.2140 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N +aliases: +- CVE-2019-8939 +details: data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted + Plex username that is mishandled when constructing the History page. +id: PYSEC-2019-255 +modified: '2024-11-21T14:23:01.636914Z' +published: '2019-02-19T16:29:00Z' references: - type: EVIDENCE url: https://github.com/Tautulli/Tautulli-Issues/issues/161 @@ -71,3 +68,7 @@ references: url: http://www.securityfocus.com/bid/107171 - type: ADVISORY url: http://www.securityfocus.com/bid/107171 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/togglee/PYSEC-2022-43169.yaml b/vulns/togglee/PYSEC-2022-43169.yaml index e2d9b389..d121b620 100644 --- a/vulns/togglee/PYSEC-2022-43169.yaml +++ b/vulns/togglee/PYSEC-2022-43169.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2022-43169 -modified: 2024-11-21T14:23:01.740031Z -published: 2022-06-24T21:15:00Z -aliases: -- CVE-2022-34060 -details: The Togglee package in PyPI version v0.0.8 was discovered to contain a code - execution backdoor. This vulnerability allows attackers to access sensitive user - information and digital currency keys, as well as escalate privileges. affected: - package: ecosystem: PyPI name: togglee purl: pkg:pypi/togglee ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.25 
@@ -30,9 +22,14 @@ affected: - 0.0.47 - 0.0.8 - 1.0.48 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-34060 +details: The Togglee package in PyPI version v0.0.8 was discovered to contain a code + execution backdoor. This vulnerability allows attackers to access sensitive user + information and digital currency keys, as well as escalate privileges. +id: PYSEC-2022-43169 +modified: '2024-11-21T14:23:01.740031Z' +published: '2022-06-24T21:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/togglee/ @@ -42,3 +39,7 @@ references: url: https://github.com/togglee/togglee-python/issues/2 - type: REPORT url: https://github.com/togglee/togglee-python/issues/2 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/upydev/PYSEC-2023-302.yaml b/vulns/upydev/PYSEC-2023-302.yaml index 5ca99a4f..9f81dfca 100644 --- a/vulns/upydev/PYSEC-2023-302.yaml +++ b/vulns/upydev/PYSEC-2023-302.yaml @@ -1,19 +1,12 @@ -id: PYSEC-2023-302 -modified: 2024-11-21T14:23:02.508814Z -published: 2023-11-20T23:15:00Z -aliases: -- CVE-2023-48051 -details: An issue in /upydev/keygen.py in upydev v0.4.3 allows attackers to decrypt - sensitive information via weak encryption padding. affected: - package: ecosystem: PyPI name: upydev purl: pkg:pypi/upydev ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.2 
@@ -58,11 +51,19 @@ affected: - 0.4.1 - 0.4.2 - 0.4.3 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N +aliases: +- CVE-2023-48051 +details: An issue in /upydev/keygen.py in upydev v0.4.3 allows attackers to decrypt + sensitive information via weak encryption padding. +id: PYSEC-2023-302 +modified: '2024-11-21T14:23:02.508814Z' +published: '2023-11-20T23:15:00Z' references: - type: EVIDENCE url: https://github.com/Carglglz/upydev/issues/38 - type: REPORT url: https://github.com/Carglglz/upydev/issues/38 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/watertools/PYSEC-2022-43172.yaml b/vulns/watertools/PYSEC-2022-43172.yaml index 8325a143..21cc0ca7 100644 --- a/vulns/watertools/PYSEC-2022-43172.yaml +++ b/vulns/watertools/PYSEC-2022-43172.yaml @@ -1,20 +1,12 @@ -id: PYSEC-2022-43172 -modified: 2024-11-21T14:23:03.143453Z -published: 2022-06-24T21:15:00Z -aliases: -- CVE-2022-34056 -details: The Watertools package in PyPI v0.0.0 was discovered to contain a code execution - backdoor via the request package. This vulnerability allows attackers to access - sensitive user information and digital currency keys, as well as escalate privileges. affected: - package: ecosystem: PyPI name: watertools purl: pkg:pypi/watertools ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.0.1 - 0.0.10 
@@ -53,9 +45,14 @@ affected: - 0.0.7 - 0.0.8 - 0.0.9 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-34056 +details: The Watertools package in PyPI v0.0.0 was discovered to contain a code execution + backdoor via the request package. This vulnerability allows attackers to access + sensitive user information and digital currency keys, as well as escalate privileges. +id: PYSEC-2022-43172 +modified: '2024-11-21T14:23:03.143453Z' +published: '2022-06-24T21:15:00Z' references: - type: EVIDENCE url: https://github.com/TimHessels/watertools/issues/1 @@ -65,3 +62,7 @@ references: url: http://pypi.doubanio.com/simple/request - type: PACKAGE url: https://pypi.org/project/watertools/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/webp/PYSEC-2019-256.yaml b/vulns/webp/PYSEC-2019-256.yaml index c428b162..b3815197 100644 --- a/vulns/webp/PYSEC-2019-256.yaml +++ b/vulns/webp/PYSEC-2019-256.yaml @@ -1,18 +1,12 @@ -id: PYSEC-2019-256 -modified: 2024-11-21T14:23:03.194401Z -published: 2019-05-23T18:29:00Z -aliases: -- CVE-2016-9969 -details: In libwebp 0.5.1, there is a double free bug in libwebpmux. affected: - package: ecosystem: PyPI name: webp purl: pkg:pypi/webp ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 0.1.0 - 0.1.0a10 @@ -38,9 +32,12 @@ affected: - 0.2.0 - 0.3.0 - 0.4.0 -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H +aliases: +- CVE-2016-9969 +details: In libwebp 0.5.1, there is a double free bug in libwebpmux. +id: PYSEC-2019-256 +modified: '2024-11-21T14:23:03.194401Z' +published: '2019-05-23T18:29:00Z' references: - type: REPORT url: https://bugs.chromium.org/p/webp/issues/detail?id=322 
@@ -48,3 +45,7 @@ references: url: https://bugs.chromium.org/p/webp/issues/detail?id=322 - type: WEB url: https://bugs.chromium.org/p/webp/issues/detail?id=322 +severity: +- score: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/wikifaces/PYSEC-2022-43173.yaml b/vulns/wikifaces/PYSEC-2022-43173.yaml index d02a46da..896e2d21 100644 --- a/vulns/wikifaces/PYSEC-2022-43173.yaml +++ b/vulns/wikifaces/PYSEC-2022-43173.yaml @@ -1,19 +1,12 @@ -id: PYSEC-2022-43173 -modified: 2024-11-21T14:23:03.244154Z -published: 2022-07-22T15:15:00Z -aliases: -- CVE-2022-34509 -details: The wikifaces package in PyPI v1.0 included a code execution backdoor inserted - by a third party. affected: - package: ecosystem: PyPI name: wikifaces purl: pkg:pypi/wikifaces ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.0.1 - 1.0.2 @@ -22,9 +15,13 @@ affected: - 1.0.6 - 1.0.7 - 1.0.8 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-34509 +details: The wikifaces package in PyPI v1.0 included a code execution backdoor inserted + by a third party. +id: PYSEC-2022-43173 +modified: '2024-11-21T14:23:03.244154Z' +published: '2022-07-22T15:15:00Z' references: - type: REPORT url: https://github.com/tford9/Wiki-Faces-Downloader/issues/1 @@ -32,3 +29,7 @@ references: url: http://pypi.doubanio.com/simple/request - type: PACKAGE url: https://pypi.org/project/wikifaces/ +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/wmagent/PYSEC-2022-43174.yaml b/vulns/wmagent/PYSEC-2022-43174.yaml index 2090accf..7defcd2e 100644 --- a/vulns/wmagent/PYSEC-2022-43174.yaml +++ b/vulns/wmagent/PYSEC-2022-43174.yaml 
@@ -1,20 +1,12 @@ -id: PYSEC-2022-43174 -modified: 2024-11-21T14:23:03.299162Z -published: 2022-07-28T23:15:00Z -aliases: -- CVE-2022-34558 -details: WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, - and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted - dbs-client package. affected: - package: ecosystem: PyPI name: wmagent purl: pkg:pypi/wmagent ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2.0.4 - 2.1.1 @@ -171,11 +163,20 @@ affected: - 2.3.6rc8 - 2.3.7 - 2.3.7.1 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-34558 +details: WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, + and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted + dbs-client package. +id: PYSEC-2022-43174 +modified: '2024-11-21T14:23:03.299162Z' +published: '2022-07-28T23:15:00Z' references: - type: EVIDENCE url: https://github.com/dmwm/WMCore/issues/11188 - type: REPORT url: https://github.com/dmwm/WMCore/issues/11188 +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/zibal/PYSEC-2022-43176.yaml b/vulns/zibal/PYSEC-2022-43176.yaml index 19acad9f..ee8eee17 100644 --- a/vulns/zibal/PYSEC-2022-43176.yaml +++ b/vulns/zibal/PYSEC-2022-43176.yaml 
@@ -1,28 +1,29 @@ -id: PYSEC-2022-43176 -modified: 2024-11-21T14:23:03.404044Z -published: 2022-06-24T21:15:00Z -aliases: -- CVE-2022-34064 -details: The Zibal package in PyPI v1.0.0 was discovered to contain a code execution - backdoor. This vulnerability allows attackers to access sensitive user information - and digital currency keys, as well as escalate privileges. affected: - package: ecosystem: PyPI name: zibal purl: pkg:pypi/zibal ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 1.0.0 - 1.1.0 -severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +aliases: +- CVE-2022-34064 +details: The Zibal package in PyPI v1.0.0 was discovered to contain a code execution + backdoor. This vulnerability allows attackers to access sensitive user information + and digital currency keys, as well as escalate privileges. +id: PYSEC-2022-43176 +modified: '2024-11-21T14:23:03.404044Z' +published: '2022-06-24T21:15:00Z' references: - type: PACKAGE url: https://pypi.org/project/zibal/ - type: WEB url: http://pypi.doubanio.com/simple/request +severity: +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/zope/PYSEC-2010-32.yaml b/vulns/zope/PYSEC-2010-32.yaml index e61935ab..1474b2a5 100644 --- a/vulns/zope/PYSEC-2010-32.yaml +++ b/vulns/zope/PYSEC-2010-32.yaml 
@@ -1,22 +1,14 @@ -id: PYSEC-2010-32 -modified: 2024-11-21T14:23:03.519027Z -published: 2010-09-08T20:00:00Z -aliases: -- CVE-2010-3198 -details: ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote - attackers to cause a denial of service (crash of worker threads) via vectors that - trigger uncaught exceptions. affected: - package: ecosystem: PyPI name: zope purl: pkg:pypi/zope ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "4.0" + - '4.0' - 4.0b1 - 4.0b10 - 4.0b2 @@ -27,30 +19,30 @@ affected: - 4.0b7 - 4.0b8 - 4.0b9 - - "4.1" + - '4.1' - 4.1.1 - 4.1.2 - 4.1.3 - - "4.2" + - '4.2' - 4.2.1 - - "4.3" - - "4.4" + - '4.3' + - '4.4' - 4.4.1 - 4.4.2 - 4.4.3 - 4.4.4 - - "4.5" + - '4.5' - 4.5.1 - 4.5.2 - 4.5.3 - 4.5.4 - 4.5.5 - - "4.6" + - '4.6' - 4.6.1 - 4.6.2 - 4.6.3 - - "4.7" - - "4.8" + - '4.7' + - '4.8' - 4.8.1 - 4.8.10 - 4.8.11 @@ -62,35 +54,43 @@ affected: - 4.8.7 - 4.8.8 - 4.8.9 - - "5.0" + - '5.0' - 5.0a1 - 5.0a2 - - "5.1" + - '5.1' - 5.1.1 - 5.1.2 - - "5.10" - - "5.11" + - '5.10' + - '5.11' - 5.11.1 - - "5.2" + - '5.2' - 5.2.1 - - "5.3" - - "5.4" - - "5.5" + - '5.3' + - '5.4' + - '5.5' - 5.5.1 - 5.5.2 - - "5.6" - - "5.7" + - '5.6' + - '5.7' - 5.7.1 - 5.7.2 - 5.7.3 - - "5.8" + - '5.8' - 5.8.1 - 5.8.2 - 5.8.3 - 5.8.4 - 5.8.5 - 5.8.6 - - "5.9" + - '5.9' +aliases: +- CVE-2010-3198 +details: ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote + attackers to cause a denial of service (crash of worker threads) via vectors that + trigger uncaught exceptions. +id: PYSEC-2010-32 +modified: '2024-11-21T14:23:03.519027Z' +published: '2010-09-08T20:00:00Z' references: - type: FIX url: https://mail.zope.org/pipermail/zope-announce/2010-September/002247.html @@ -110,3 +110,4 @@ references: url: https://bugs.launchpad.net/zope2/+bug/627988 - type: ADVISORY url: https://bugs.launchpad.net/zope2/+bug/627988 +withdrawn: '2024-11-22T04:37:05Z' 
diff --git a/vulns/zope/PYSEC-2017-148.yaml b/vulns/zope/PYSEC-2017-148.yaml index 941be755..addaf521 100644 --- a/vulns/zope/PYSEC-2017-148.yaml +++ b/vulns/zope/PYSEC-2017-148.yaml @@ -1,27 +1,19 @@ -id: PYSEC-2017-148 -modified: 2024-11-21T14:23:03.459792Z -published: 2017-08-07T17:29:00Z -aliases: -- CVE-2009-5145 -details: Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message - in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, - 2.12. affected: - package: ecosystem: PyPI name: zope purl: pkg:pypi/zope ranges: - - type: GIT - events: - - introduced: "0" + - events: + - introduced: '0' - fixed: 2abdf14620f146857dc8e3ffd2b6a754884c331d repo: https://github.com/zopefoundation/Zope - - type: ECOSYSTEM - events: - - introduced: "0" + type: GIT + - events: + - introduced: '0' + type: ECOSYSTEM versions: - - "4.0" + - '4.0' - 4.0b1 - 4.0b10 - 4.0b2 @@ -32,30 +24,30 @@ affected: - 4.0b7 - 4.0b8 - 4.0b9 - - "4.1" + - '4.1' - 4.1.1 - 4.1.2 - 4.1.3 - - "4.2" + - '4.2' - 4.2.1 - - "4.3" - - "4.4" + - '4.3' + - '4.4' - 4.4.1 - 4.4.2 - 4.4.3 - 4.4.4 - - "4.5" + - '4.5' - 4.5.1 - 4.5.2 - 4.5.3 - 4.5.4 - 4.5.5 - - "4.6" + - '4.6' - 4.6.1 - 4.6.2 - 4.6.3 - - "4.7" - - "4.8" + - '4.7' + - '4.8' - 4.8.1 - 4.8.10 - 4.8.11 
@@ -67,38 +59,43 @@ affected: - 4.8.7 - 4.8.8 - 4.8.9 - - "5.0" + - '5.0' - 5.0a1 - 5.0a2 - - "5.1" + - '5.1' - 5.1.1 - 5.1.2 - - "5.10" - - "5.11" + - '5.10' + - '5.11' - 5.11.1 - - "5.2" + - '5.2' - 5.2.1 - - "5.3" - - "5.4" - - "5.5" + - '5.3' + - '5.4' + - '5.5' - 5.5.1 - 5.5.2 - - "5.6" - - "5.7" + - '5.6' + - '5.7' - 5.7.1 - 5.7.2 - 5.7.3 - - "5.8" + - '5.8' - 5.8.1 - 5.8.2 - 5.8.3 - 5.8.4 - 5.8.5 - 5.8.6 - - "5.9" -severity: -- type: CVSS_V3 - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + - '5.9' +aliases: +- CVE-2009-5145 +details: Cross-site scripting (XSS) vulnerability in ZMI pages that use the manage_tabs_message + in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, + 2.12. +id: PYSEC-2017-148 +modified: '2024-11-21T14:23:03.459792Z' +published: '2017-08-07T17:29:00Z' references: - type: WEB url: https://security-tracker.debian.org/tracker/CVE-2009-5145/ @@ -118,3 +115,7 @@ references: url: http://www.openwall.com/lists/oss-security/2015/03/02/7 - type: WEB url: http://cve.killedkenny.io/cve/CVE-2009-5145 +severity: +- score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + type: CVSS_V3 +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/zope2/PYSEC-2006-7.yaml b/vulns/zope2/PYSEC-2006-7.yaml index 3b5a899d..0bdde50d 100644 --- a/vulns/zope2/PYSEC-2006-7.yaml +++ b/vulns/zope2/PYSEC-2006-7.yaml @@ -1,21 +1,12 @@ -id: PYSEC-2006-7 -modified: 2024-11-21T14:23:03.576588Z -published: 2006-07-07T23:05:00Z -aliases: -- CVE-2006-3458 -details: Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not - disable the "raw" command when providing untrusted users with restructured text - (reStructuredText) functionality from docutils, which allows local users to read - arbitrary files. affected: - package: ecosystem: PyPI name: zope2 purl: pkg:pypi/zope2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2.12.0 - 2.12.0.a1 
@@ -92,7 +83,7 @@ affected: - 2.13.7 - 2.13.8 - 2.13.9 - - "4.0" + - '4.0' - 4.0a1 - 4.0a2 - 4.0a3 @@ -100,6 +91,15 @@ affected: - 4.0a5 - 4.0a6 - 4.0b1 +aliases: +- CVE-2006-3458 +details: Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not + disable the "raw" command when providing untrusted users with restructured text + (reStructuredText) functionality from docutils, which allows local users to read + arbitrary files. +id: PYSEC-2006-7 +modified: '2024-11-21T14:23:03.576588Z' +published: '2006-07-07T23:05:00Z' references: - type: WEB url: http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-20060705/README.txt @@ -125,3 +125,4 @@ references: url: https://exchange.xforce.ibmcloud.com/vulnerabilities/27636 - type: WEB url: https://usn.ubuntu.com/317-1/ +withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/zope2/PYSEC-2006-8.yaml b/vulns/zope2/PYSEC-2006-8.yaml index 2f769bca..b2660949 100644 --- a/vulns/zope2/PYSEC-2006-8.yaml +++ b/vulns/zope2/PYSEC-2006-8.yaml @@ -1,21 +1,12 @@ -id: PYSEC-2006-8 -modified: 2024-11-21T14:23:03.63347Z -published: 2006-09-19T18:07:00Z -aliases: -- CVE-2006-4684 -details: The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 through - 2.8.8 does not properly handle web pages with reStructuredText (reST) markup, which - allows remote attackers to read arbitrary files via a csv_table directive, a different - vulnerability than CVE-2006-3458. affected: - package: ecosystem: PyPI name: zope2 purl: pkg:pypi/zope2 ranges: - - type: ECOSYSTEM - events: - - introduced: "0" + - events: + - introduced: '0' + type: ECOSYSTEM versions: - 2.12.0 - 2.12.0.a1 @@ -92,7 +83,7 @@ affected: - 2.13.7 - 2.13.8 - 2.13.9 - - "4.0" + - '4.0' - 4.0a1 - 4.0a2 - 4.0a3 
@@ -100,6 +91,15 @@ affected: - 4.0a5 - 4.0a6 - 4.0b1 +aliases: +- CVE-2006-4684 +details: The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 through + 2.8.8 does not properly handle web pages with reStructuredText (reST) markup, which + allows remote attackers to read arbitrary files via a csv_table directive, a different + vulnerability than CVE-2006-3458. +id: PYSEC-2006-8 +modified: '2024-11-21T14:23:03.63347Z' +published: '2006-09-19T18:07:00Z' references: - type: WEB url: http://mail.zope.org/pipermail/zope-announce/2006-August/002005.html @@ -121,3 +121,4 @@ references: url: http://www.securityfocus.com/bid/20022 - type: ADVISORY url: http://www.vupen.com/english/advisories/2006/3653 +withdrawn: '2024-11-22T04:37:05Z' From f3567b5cb28a835acc9737b93d6f0af032ea4dad Mon Sep 17 00:00:00 2001 From: Oliver Chang Date: Fri, 22 Nov 2024 15:50:42 +1100 Subject: [PATCH 2/2] Stop importing unbounded advisories automatically. (#210) They're frequently false positives. This updates the vulnfeeds tool to the latest, which recently had `-exclude_unbounded` added. Ref: #205, #207. --- .github/workflows/auto_import.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/auto_import.yaml b/.github/workflows/auto_import.yaml index 011a462a..a7b0449a 100644 --- a/.github/workflows/auto_import.yaml +++ b/.github/workflows/auto_import.yaml 
@@ -17,16 +17,16 @@ jobs: wget http://pypa-advisory-db.storage.googleapis.com/triage/pypi_links.json wget http://pypa-advisory-db.storage.googleapis.com/triage/pypi_versions.json - run: | - wget https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.zip - unzip nvdcve-1.1-modified.json.zip + wget https://storage.googleapis.com/cve-osv-conversion/nvd/nvdcve-2.0-2024.json - run: | - go install github.com/google/osv/vulnfeeds/cmd/pypi@v0.0.0-20231127000918-ec867e7fd72b + go install github.com/google/osv/vulnfeeds/cmd/pypi@master pypi -false_positives triage/false_positives.yaml \ - -nvd_json nvdcve-1.1-modified.json \ + -nvd_json nvdcve-2.0-2024.json \ -pypi_links pypi_links.json \ -pypi_versions pypi_versions.json \ -out_dir vulns \ - -without_notes + -without_notes \ + -exclude_unbounded git config user.name github-actions git config user.email github-actions@github.com git add vulns
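Review bot: The new `go install github.com/google/osv/vulnfeeds/cmd/pypi@master` line replaces a pinned pseudo-version with a moving branch, so every scheduled run builds and executes whatever is at the tip of that repository. The same job then stages its output with `git add vulns`, which means an upstream regression or compromise would flow straight into the advisory data. I would pin to the commit that introduced `-exclude_unbounded`, e.g. `go install github.com/google/osv/vulnfeeds/cmd/pypi@<PINNED_PSEUDO_VERSION>`, and bump it deliberately. Separately, `nvdcve-2.0-2024.json` hard-codes the year, so CVEs published under later years would presumably not be picked up once the calendar rolls over. The file name should be derived from the current year, or a short comment should record why it is fixed. The rest of the job lies outside this hunk.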