Assign IDs

vulns/.id-allocator

@@ -1 +1 @@
-278115440d5b556b8b7f5fecd9a4bce9135edd23f8b332329bf1100a2b26d18b
+4307cb4f84d0150d15fb29543443cad9b87f1edc2a48c840f74d0e8775148fdd

vulns/cbor2/PYSEC-0000-CVE-2024-26134.yaml → vulns/cbor2/PYSEC-2024-155.yaml

@@ -1,48 +1,29 @@
-id: PYSEC-0000-CVE-2024-26134
-details: cbor2 provides encoding and decoding for the Concise Binary Object Representation
-  (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version
-  5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending
-  a long enough object. Version 5.6.2 contains a patch for this issue.
+id: PYSEC-2024-155
+modified: 2025-01-14T05:22:09.226388Z
+published: 2024-02-19T23:15:07Z
 aliases:
 - CVE-2024-26134
-modified: '2025-01-14T05:22:09.226388Z'
-published: '2024-02-19T23:15:07Z'
 related:
 - GHSA-375g-39jq-vq7m
 - GHSA-375g-39jq-vq7m
-references:
-- type: ADVISORY
-  url: https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m
-- type: ARTICLE
-  url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/
-- type: ARTICLE
-  url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/
-- type: ARTICLE
-  url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/
-- type: EVIDENCE
-  url: https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m
-- type: FIX
-  url: https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542
-- type: FIX
-  url: https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df
-- type: REPORT
-  url: https://github.com/agronholm/cbor2/pull/204
-- type: WEB
-  url: https://github.com/agronholm/cbor2/releases/tag/5.6.2
+details: cbor2 provides encoding and decoding for the Concise Binary Object Representation
+  (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version
+  5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending
+  a long enough object. Version 5.6.2 contains a patch for this issue.
 affected:
 - package:
-    name: cbor2
     ecosystem: PyPI
+    name: cbor2
     purl: pkg:pypi/cbor2
   ranges:
   - type: GIT
-    repo: https://github.com/agronholm/cbor2
     events:
-    - introduced: '0'
+    - introduced: "0"
     - fixed: 387755eacf0be35591a478d3c67fe10618a6d542
     - fixed: 4de6991ba29bf2290d7b9d83525eda7d021873df
     - fixed: 387755eacf0be35591a478d3c67fe10618a6d542
     - fixed: 4de6991ba29bf2290d7b9d83525eda7d021873df
+    repo: https://github.com/agronholm/cbor2
   - type: ECOSYSTEM
     events:
     - introduced: 5.5.1
@@ -54,3 +35,22 @@ affected:
 severity:
 - type: CVSS_V3
   score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+references:
+- type: ADVISORY
+  url: https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m
+- type: ARTICLE
+  url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/
+- type: ARTICLE
+  url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/
+- type: ARTICLE
+  url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/
+- type: EVIDENCE
+  url: https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m
+- type: FIX
+  url: https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542
+- type: FIX
+  url: https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df
+- type: REPORT
+  url: https://github.com/agronholm/cbor2/pull/204
+- type: WEB
+  url: https://github.com/agronholm/cbor2/releases/tag/5.6.2

vulns/django/PYSEC-0000-CVE-2024-53907.yaml → vulns/django/PYSEC-2024-156.yaml

@@ -1,37 +1,28 @@
-id: PYSEC-0000-CVE-2024-53907
+id: PYSEC-2024-156
+modified: 2025-01-14T05:22:11.736011Z
+published: 2024-12-06T12:15:17Z
+aliases:
+- CVE-2024-53907
 details: An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and
   4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject
   to a potential denial-of-service attack via certain inputs containing large sequences
   of nested incomplete HTML entities.
-aliases:
-- CVE-2024-53907
-modified: '2025-01-14T05:22:11.736011Z'
-published: '2024-12-06T12:15:17Z'
-references:
-- type: WEB
-  url: https://docs.djangoproject.com/en/dev/releases/security/
-- type: WEB
-  url: https://groups.google.com/g/django-announce
-- type: WEB
-  url: https://www.openwall.com/lists/oss-security/2024/12/04/3
-- type: WEB
-  url: https://lists.debian.org/debian-lts-announce/2024/12/msg00028.html
 affected:
 - package:
-    name: django
     ecosystem: PyPI
+    name: django
     purl: pkg:pypi/django
   ranges:
   - type: ECOSYSTEM
     events:
-    - introduced: '5.1'
+    - introduced: "5.1"
     - fixed: 5.1.4
-    - introduced: '5.0'
+    - introduced: "5.0"
     - fixed: 5.0.10
-    - introduced: '4.2'
+    - introduced: "4.2"
     - fixed: 4.2.17
   versions:
-  - '4.2'
+  - "4.2"
   - 4.2.1
   - 4.2.10
   - 4.2.11
@@ -48,7 +39,7 @@ affected:
   - 4.2.7
   - 4.2.8
   - 4.2.9
-  - '5.0'
+  - "5.0"
   - 5.0.1
   - 5.0.2
   - 5.0.3
@@ -58,7 +49,16 @@ affected:
   - 5.0.7
   - 5.0.8
   - 5.0.9
-  - '5.1'
+  - "5.1"
   - 5.1.1
   - 5.1.2
   - 5.1.3
+references:
+- type: WEB
+  url: https://docs.djangoproject.com/en/dev/releases/security/
+- type: WEB
+  url: https://groups.google.com/g/django-announce
+- type: WEB
+  url: https://www.openwall.com/lists/oss-security/2024/12/04/3
+- type: WEB
+  url: https://lists.debian.org/debian-lts-announce/2024/12/msg00028.html

vulns/django/PYSEC-0000-CVE-2024-53908.yaml → vulns/django/PYSEC-2024-157.yaml

@@ -1,36 +1,29 @@
-id: PYSEC-0000-CVE-2024-53908
+id: PYSEC-2024-157
+modified: 2025-01-14T05:22:11.817473Z
+published: 2024-12-06T12:15:18Z
+aliases:
+- CVE-2024-53908
 details: An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and
   4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup,
   when an Oracle database is used, is subject to SQL injection if untrusted data is
   used as an lhs value. (Applications that use the jsonfield.has_key lookup via __
   are unaffected.)
-aliases:
-- CVE-2024-53908
-modified: '2025-01-14T05:22:11.817473Z'
-published: '2024-12-06T12:15:18Z'
-references:
-- type: WEB
-  url: https://docs.djangoproject.com/en/dev/releases/security/
-- type: WEB
-  url: https://groups.google.com/g/django-announce
-- type: WEB
-  url: https://www.openwall.com/lists/oss-security/2024/12/04/3
 affected:
 - package:
-    name: django
     ecosystem: PyPI
+    name: django
     purl: pkg:pypi/django
   ranges:
   - type: ECOSYSTEM
     events:
-    - introduced: '5.1'
+    - introduced: "5.1"
     - fixed: 5.1.4
-    - introduced: '5.0'
+    - introduced: "5.0"
     - fixed: 5.0.10
-    - introduced: '4.2'
+    - introduced: "4.2"
     - fixed: 4.2.17
   versions:
-  - '4.2'
+  - "4.2"
   - 4.2.1
   - 4.2.10
   - 4.2.11
@@ -47,7 +40,7 @@ affected:
   - 4.2.7
   - 4.2.8
   - 4.2.9
-  - '5.0'
+  - "5.0"
   - 5.0.1
   - 5.0.2
   - 5.0.3
@@ -57,7 +50,14 @@ affected:
   - 5.0.7
   - 5.0.8
   - 5.0.9
-  - '5.1'
+  - "5.1"
   - 5.1.1
   - 5.1.2
   - 5.1.3
+references:
+- type: WEB
+  url: https://docs.djangoproject.com/en/dev/releases/security/
+- type: WEB
+  url: https://groups.google.com/g/django-announce
+- type: WEB
+  url: https://www.openwall.com/lists/oss-security/2024/12/04/3

vulns/djoser/PYSEC-0000-CVE-2024-21543.yaml → vulns/djoser/PYSEC-2024-158.yaml

@@ -1,38 +1,27 @@
-id: PYSEC-0000-CVE-2024-21543
+id: PYSEC-2024-158
+modified: 2025-01-14T05:22:11.856636Z
+published: 2024-12-13T05:15:07Z
+aliases:
+- CVE-2024-21543
 details: Versions of the package djoser before 2.3.0 are vulnerable to Authentication
   Bypass when the authenticate() function fails. This is because the system falls
   back to querying the database directly, granting access to users with valid credentials,
   and eventually bypassing custom authentication checks such as two-factor authentication,
   LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.
-aliases:
-- CVE-2024-21543
-modified: '2025-01-14T05:22:11.856636Z'
-published: '2024-12-13T05:15:07Z'
-references:
-- type: FIX
-  url: https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d
-- type: REPORT
-  url: https://github.com/sunscrapers/djoser/issues/795
-- type: WEB
-  url: https://github.com/sunscrapers/djoser/pull/819
-- type: WEB
-  url: https://github.com/sunscrapers/djoser/releases/tag/2.3.0
-- type: WEB
-  url: https://security.snyk.io/vuln/SNYK-PYTHON-DJOSER-8366540
 affected:
 - package:
-    name: djoser
     ecosystem: PyPI
+    name: djoser
     purl: pkg:pypi/djoser
   ranges:
   - type: GIT
-    repo: https://github.com/sunscrapers/djoser
     events:
-    - introduced: '0'
+    - introduced: "0"
     - fixed: d33c3993c0c735f23cbedc60fa59fce69354f19d
+    repo: https://github.com/sunscrapers/djoser
   - type: ECOSYSTEM
     events:
-    - introduced: '0'
+    - introduced: "0"
     - fixed: 2.3.0
   versions:
   - 0.0.1
@@ -81,3 +70,14 @@ affected:
   - 2.2.1
   - 2.2.2
   - 2.2.3
+references:
+- type: FIX
+  url: https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d
+- type: REPORT
+  url: https://github.com/sunscrapers/djoser/issues/795
+- type: WEB
+  url: https://github.com/sunscrapers/djoser/pull/819
+- type: WEB
+  url: https://github.com/sunscrapers/djoser/releases/tag/2.3.0
+- type: WEB
+  url: https://security.snyk.io/vuln/SNYK-PYTHON-DJOSER-8366540

vulns/luigi/PYSEC-0000-CVE-2024-21542.yaml → vulns/luigi/PYSEC-2024-159.yaml

@@ -1,37 +1,28 @@
-id: PYSEC-0000-CVE-2024-21542
+id: PYSEC-2024-159
+modified: 2025-01-14T05:22:17.204098Z
+published: 2024-12-10T05:15:07Z
+aliases:
+- CVE-2024-21542
 details: Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File
   Write via Archive Extraction (Zip Slip) due to improper destination file path validation
   in the _extract_packages_archive function.
-aliases:
-- CVE-2024-21542
-modified: '2025-01-14T05:22:17.204098Z'
-published: '2024-12-10T05:15:07Z'
-references:
-- type: FIX
-  url: https://github.com/spotify/luigi/commit/b5d1b965ead7d9f777a3216369b5baf23ec08999
-- type: REPORT
-  url: https://github.com/spotify/luigi/issues/3301
-- type: WEB
-  url: https://github.com/spotify/luigi/releases/tag/v3.6.0
-- type: WEB
-  url: https://security.snyk.io/vuln/SNYK-PYTHON-LUIGI-7830489
 affected:
 - package:
-    name: luigi
     ecosystem: PyPI
+    name: luigi
     purl: pkg:pypi/luigi
   ranges:
   - type: GIT
-    repo: https://github.com/spotify/luigi
     events:
-    - introduced: '0'
+    - introduced: "0"
     - fixed: b5d1b965ead7d9f777a3216369b5baf23ec08999
+    repo: https://github.com/spotify/luigi
   - type: ECOSYSTEM
     events:
-    - introduced: '0'
+    - introduced: "0"
     - fixed: 3.6.0
   versions:
-  - '1.0'
+  - "1.0"
   - 1.0.1
   - 1.0.10
   - 1.0.11
@@ -114,3 +105,12 @@ affected:
   - 3.5.0
   - 3.5.1
   - 3.5.2
+references:
+- type: FIX
+  url: https://github.com/spotify/luigi/commit/b5d1b965ead7d9f777a3216369b5baf23ec08999
+- type: REPORT
+  url: https://github.com/spotify/luigi/issues/3301
+- type: WEB
+  url: https://github.com/spotify/luigi/releases/tag/v3.6.0
+- type: WEB
+  url: https://security.snyk.io/vuln/SNYK-PYTHON-LUIGI-7830489