Withdraw all unbounded vulnerabilities introduced in the past 2 days. (…

…#209) Fixes: #205, #207
pypa · Nov 22, 2024 · c892811 · c892811
1 parent 7d27b8b
commit c892811
Show file tree

Hide file tree

Showing 279 changed files with 4,568 additions and 4,289 deletions.
diff --git a/vulns/aamiles/PYSEC-2022-43066.yaml b/vulns/aamiles/PYSEC-2022-43066.yaml
@@ -1,27 +1,24 @@
-id: PYSEC-2022-43066
-modified: 2024-11-21T14:22:40.256677Z
-published: 2022-06-24T21:15:00Z
-aliases:
-- CVE-2022-33001
-details: The AAmiles package in PyPI v0.1.0 was discovered to contain a code execution
-  backdoor via the request package. This vulnerability allows attackers to access
-  sensitive user information and digital currency keys, as well as escalate privileges.
 affected:
 - package:
     ecosystem: PyPI
     name: aamiles
     purl: pkg:pypi/aamiles
   ranges:
-  - type: ECOSYSTEM
-    events:
-    - introduced: "0"
+  - events:
+    - introduced: '0'
+    type: ECOSYSTEM
   versions:
   - 0.1.0
   - 0.1.1
   - 0.1.2
-severity:
-- type: CVSS_V3
-  score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+aliases:
+- CVE-2022-33001
+details: The AAmiles package in PyPI v0.1.0 was discovered to contain a code execution
+  backdoor via the request package. This vulnerability allows attackers to access
+  sensitive user information and digital currency keys, as well as escalate privileges.
+id: PYSEC-2022-43066
+modified: '2024-11-21T14:22:40.256677Z'
+published: '2022-06-24T21:15:00Z'
 references:
 - type: EVIDENCE
   url: https://github.com/bOrionis/AAmiles/issues/1
@@ -31,3 +28,7 @@ references:
   url: http://pypi.doubanio.com/simple/request
 - type: PACKAGE
   url: https://pypi.org/project/AAmiles/
+severity:
+- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+  type: CVSS_V3
+withdrawn: '2024-11-22T04:37:03Z'
diff --git a/vulns/admesh/PYSEC-2023-263.yaml b/vulns/admesh/PYSEC-2023-263.yaml
@@ -1,29 +1,20 @@
-id: PYSEC-2023-263
-modified: 2024-11-21T14:22:40.308634Z
-published: 2023-04-03T16:15:00Z
-aliases:
-- CVE-2022-38072
-details: An improper array index validation vulnerability exists in the stl_fix_normal_directions
-  functionality of ADMesh Master Commit 767a105 and v0.98.4. A specially-crafted stl
-  file can lead to a heap buffer overflow. An attacker can provide a malicious file
-  to trigger this vulnerability.
 affected:
 - package:
     ecosystem: PyPI
     name: admesh
     purl: pkg:pypi/admesh
   ranges:
-  - type: GIT
-    events:
-    - introduced: "0"
+  - events:
+    - introduced: '0'
     - fixed: 5fab257268a0ee6f832c18d72af89810a29fbd5f
     repo: https://github.com/admesh/admesh
-  - type: ECOSYSTEM
-    events:
-    - introduced: "0"
+    type: GIT
+  - events:
+    - introduced: '0'
+    type: ECOSYSTEM
   versions:
-  - "0.96"
-  - "0.98"
+  - '0.96'
+  - '0.98'
   - 0.98.1
   - 0.98.2
   - 0.98.3
@@ -34,13 +25,23 @@ affected:
   - 0.98.8
   - 0.98.9
   - 0.98a1
-severity:
-- type: CVSS_V3
-  score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+aliases:
+- CVE-2022-38072
+details: An improper array index validation vulnerability exists in the stl_fix_normal_directions
+  functionality of ADMesh Master Commit 767a105 and v0.98.4. A specially-crafted stl
+  file can lead to a heap buffer overflow. An attacker can provide a malicious file
+  to trigger this vulnerability.
+id: PYSEC-2023-263
+modified: '2024-11-21T14:22:40.308634Z'
+published: '2023-04-03T16:15:00Z'
 references:
 - type: EVIDENCE
   url: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1594
 - type: WEB
   url: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1594
 - type: FIX
   url: https://github.com/admesh/admesh/commit/5fab257268a0ee6f832c18d72af89810a29fbd5f
+severity:
+- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+  type: CVSS_V3
+withdrawn: '2024-11-22T04:37:03Z'
diff --git a/vulns/ansible-runner/PYSEC-2022-43067.yaml b/vulns/ansible-runner/PYSEC-2022-43067.yaml
@@ -1,22 +1,12 @@
-id: PYSEC-2022-43067
-modified: 2024-11-21T14:22:40.36338Z
-published: 2022-08-23T16:15:00Z
-aliases:
-- CVE-2021-3701
-details: A flaw was found in ansible-runner where the default temporary files configuration
-  in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker
-  to pre-create the directory, resulting in reading private information or forcing
-  ansible-runner to write files as the legitimate user in a place they did not expect.
-  The highest threat from this vulnerability is to confidentiality and integrity.
 affected:
 - package:
     ecosystem: PyPI
     name: ansible-runner
     purl: pkg:pypi/ansible-runner
   ranges:
-  - type: ECOSYSTEM
-    events:
-    - introduced: "0"
+  - events:
+    - introduced: '0'
+    type: ECOSYSTEM
   versions:
   - 1.0.1
   - 1.0.2
@@ -74,9 +64,16 @@ affected:
   - 2.3.5
   - 2.3.6
   - 2.4.0
-severity:
-- type: CVSS_V3
-  score: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
+aliases:
+- CVE-2021-3701
+details: A flaw was found in ansible-runner where the default temporary files configuration
+  in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker
+  to pre-create the directory, resulting in reading private information or forcing
+  ansible-runner to write files as the legitimate user in a place they did not expect.
+  The highest threat from this vulnerability is to confidentiality and integrity.
+id: PYSEC-2022-43067
+modified: '2024-11-21T14:22:40.36338Z'
+published: '2022-08-23T16:15:00Z'
 references:
 - type: ADVISORY
   url: https://access.redhat.com/security/cve/CVE-2021-3701
@@ -92,3 +89,7 @@ references:
   url: https://github.com/ansible/ansible-runner/pull/742/commits
 - type: REPORT
   url: https://github.com/ansible/ansible-runner/issues/738
+severity:
+- score: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
+  type: CVSS_V3
+withdrawn: '2024-11-22T04:37:03Z'
diff --git a/vulns/ansible-runner/PYSEC-2022-43068.yaml b/vulns/ansible-runner/PYSEC-2022-43068.yaml
@@ -1,22 +1,12 @@
-id: PYSEC-2022-43068
-modified: 2024-11-21T14:22:40.419413Z
-published: 2022-08-23T16:15:00Z
-aliases:
-- CVE-2021-3702
-details: A race condition flaw was found in ansible-runner, where an attacker could
-  watch for rapid creation and deletion of a temporary directory, substitute their
-  directory at that name, and then have access to ansible-runner's private_data_dir
-  the next time ansible-runner made use of the private_data_dir. The highest Threat
-  out of this flaw is to integrity and confidentiality.
 affected:
 - package:
     ecosystem: PyPI
     name: ansible-runner
     purl: pkg:pypi/ansible-runner
   ranges:
-  - type: ECOSYSTEM
-    events:
-    - introduced: "0"
+  - events:
+    - introduced: '0'
+    type: ECOSYSTEM
   versions:
   - 1.0.1
   - 1.0.2
@@ -74,9 +64,16 @@ affected:
   - 2.3.5
   - 2.3.6
   - 2.4.0
-severity:
-- type: CVSS_V3
-  score: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
+aliases:
+- CVE-2021-3702
+details: A race condition flaw was found in ansible-runner, where an attacker could
+  watch for rapid creation and deletion of a temporary directory, substitute their
+  directory at that name, and then have access to ansible-runner's private_data_dir
+  the next time ansible-runner made use of the private_data_dir. The highest Threat
+  out of this flaw is to integrity and confidentiality.
+id: PYSEC-2022-43068
+modified: '2024-11-21T14:22:40.419413Z'
+published: '2022-08-23T16:15:00Z'
 references:
 - type: REPORT
   url: https://bugzilla.redhat.com/show_bug.cgi?id=1977965
@@ -90,3 +87,7 @@ references:
   url: https://github.com/ansible/ansible-runner/pull/742/commits
 - type: WEB
   url: https://github.com/ansible/ansible-runner/pull/742/commits
+severity:
+- score: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
+  type: CVSS_V3
+withdrawn: '2024-11-22T04:37:03Z'
diff --git a/vulns/apache-iotdb/PYSEC-2022-43069.yaml b/vulns/apache-iotdb/PYSEC-2022-43069.yaml
@@ -1,19 +1,12 @@
-id: PYSEC-2022-43069
-modified: 2024-11-21T14:22:40.851901Z
-published: 2022-09-05T10:15:00Z
-aliases:
-- CVE-2022-38369
-details: Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should
-  upgrade to version 0.13.1 which addresses this issue.
 affected:
 - package:
     ecosystem: PyPI
     name: apache-iotdb
     purl: pkg:pypi/apache-iotdb
   ranges:
-  - type: ECOSYSTEM
-    events:
-    - introduced: "0"
+  - events:
+    - introduced: '0'
+    type: ECOSYSTEM
   versions:
   - 0.10.0
   - 0.10.1
@@ -50,9 +43,13 @@ affected:
   - 1.3.2
   - 1.3.2.post0
   - 1.3.3
-severity:
-- type: CVSS_V3
-  score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+aliases:
+- CVE-2022-38369
+details: Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should
+  upgrade to version 0.13.1 which addresses this issue.
+id: PYSEC-2022-43069
+modified: '2024-11-21T14:22:40.851901Z'
+published: '2022-09-05T10:15:00Z'
 references:
 - type: ARTICLE
   url: https://lists.apache.org/thread/7nk03ywvx3t3yjbcxzt7zy4nyc89y9b0
@@ -62,3 +59,7 @@ references:
   url: http://www.openwall.com/lists/oss-security/2022/09/05/1
 - type: WEB
   url: http://www.openwall.com/lists/oss-security/2022/09/05/1
+severity:
+- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+  type: CVSS_V3
+withdrawn: '2024-11-22T04:37:03Z'
diff --git a/vulns/apache-iotdb/PYSEC-2022-43070.yaml b/vulns/apache-iotdb/PYSEC-2022-43070.yaml
@@ -1,20 +1,12 @@
-id: PYSEC-2022-43070
-modified: 2024-11-21T14:22:40.90699Z
-published: 2022-09-05T10:15:00Z
-aliases:
-- CVE-2022-38370
-details: Apache IoTDB grafana-connector version 0.13.0 contains an interface without
-  authorization, which may expose the internal structure of database. Users should
-  upgrade to version 0.13.1 which addresses this issue.
 affected:
 - package:
     ecosystem: PyPI
     name: apache-iotdb
     purl: pkg:pypi/apache-iotdb
   ranges:
-  - type: ECOSYSTEM
-    events:
-    - introduced: "0"
+  - events:
+    - introduced: '0'
+    type: ECOSYSTEM
   versions:
   - 0.10.0
   - 0.10.1
@@ -51,9 +43,14 @@ affected:
   - 1.3.2
   - 1.3.2.post0
   - 1.3.3
-severity:
-- type: CVSS_V3
-  score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+aliases:
+- CVE-2022-38370
+details: Apache IoTDB grafana-connector version 0.13.0 contains an interface without
+  authorization, which may expose the internal structure of database. Users should
+  upgrade to version 0.13.1 which addresses this issue.
+id: PYSEC-2022-43070
+modified: '2024-11-21T14:22:40.90699Z'
+published: '2022-09-05T10:15:00Z'
 references:
 - type: ARTICLE
   url: https://lists.apache.org/thread/kcpqgstvgf8sxy9ktxm1836nlwc8xy3j
@@ -63,3 +60,7 @@ references:
   url: http://www.openwall.com/lists/oss-security/2022/09/05/2
 - type: WEB
   url: http://www.openwall.com/lists/oss-security/2022/09/05/2
+severity:
+- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+  type: CVSS_V3
+withdrawn: '2024-11-22T04:37:03Z'
diff --git a/vulns/api-res-py/PYSEC-2022-43071.yaml b/vulns/api-res-py/PYSEC-2022-43071.yaml
@@ -1,28 +1,29 @@
-id: PYSEC-2022-43071
-modified: 2024-11-21T14:22:40.957734Z
-published: 2022-06-08T20:15:00Z
-aliases:
-- CVE-2022-31313
-details: api-res-py package in PyPI 0.1 is vulnerable to a code execution backdoor
-  in the request package.
 affected:
 - package:
     ecosystem: PyPI
     name: api-res-py
     purl: pkg:pypi/api-res-py
   ranges:
-  - type: ECOSYSTEM
-    events:
-    - introduced: "0"
+  - events:
+    - introduced: '0'
+    type: ECOSYSTEM
   versions:
-  - "0.1"
-severity:
-- type: CVSS_V3
-  score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+  - '0.1'
+aliases:
+- CVE-2022-31313
+details: api-res-py package in PyPI 0.1 is vulnerable to a code execution backdoor
+  in the request package.
+id: PYSEC-2022-43071
+modified: '2024-11-21T14:22:40.957734Z'
+published: '2022-06-08T20:15:00Z'
 references:
 - type: REPORT
   url: https://github.com/rakeshrkz7/as_api_res/issues/1
 - type: WEB
   url: http://pypi.doubanio.com/simple/request
 - type: PACKAGE
   url: https://pypi.org/project/api-res-py/
+severity:
+- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+  type: CVSS_V3
+withdrawn: '2024-11-22T04:37:03Z'