From a3305faa7c62fc8c4489191ac87bde85986c4d5b Mon Sep 17 00:00:00 2001 
From: Seth Michael Larson Date: Mon, 25 Nov 2024 13:30:12 -0600 Subject: [PATCH 1/3] Back-fill and add 'modified' date --- .pre-commit-config.yaml | 2 +- vulns/ansible-runner/PYSEC-2022-43067.yaml | 55 +---- vulns/ansible-runner/PYSEC-2022-43068.yaml | 55 +---- vulns/apache-iotdb/PYSEC-2022-43069.yaml | 41 +--- vulns/api-res-py/PYSEC-2022-43071.yaml | 7 +- vulns/chia-blockchain/PYSEC-2022-43072.yaml | 6 +- vulns/cinder/PYSEC-2013-35.yaml | 122 +---------- vulns/designate/PYSEC-2017-114.yaml | 57 +---- vulns/designate/PYSEC-2019-243.yaml | 57 +---- vulns/exotel/PYSEC-2022-43134.yaml | 14 +- vulns/extractor/PYSEC-2006-4.yaml | 8 +- vulns/freetakserver/PYSEC-2022-43135.yaml | 28 +-- vulns/galaxy-app/PYSEC-2018-149.yaml | 38 ++-- vulns/glance/PYSEC-2014-102.yaml | 77 +------ vulns/glance/PYSEC-2015-37.yaml | 85 +------- vulns/glance/PYSEC-2015-38.yaml | 85 +------- vulns/glance/PYSEC-2015-39.yaml | 79 +------ vulns/glance/PYSEC-2017-143.yaml | 77 +------ vulns/glance/PYSEC-2023-270.yaml | 77 +------ vulns/global-workqueue/PYSEC-2022-43136.yaml | 190 ++-------------- vulns/horizon/PYSEC-2015-40.yaml | 94 +------- vulns/keystone/PYSEC-2013-39.yaml | 57 +---- vulns/keystone/PYSEC-2013-41.yaml | 55 +---- vulns/keystone/PYSEC-2013-42.yaml | 57 +---- vulns/keystone/PYSEC-2014-105.yaml | 55 +---- vulns/keystone/PYSEC-2014-106.yaml | 55 +---- vulns/keystone/PYSEC-2014-107.yaml | 55 +---- vulns/keystone/PYSEC-2014-108.yaml | 55 +---- vulns/keystone/PYSEC-2014-109.yaml | 55 +---- vulns/keystone/PYSEC-2016-38.yaml | 57 +---- vulns/keystone/PYSEC-2018-152.yaml | 75 ++----- vulns/lief/PYSEC-2022-43138.yaml | 14 +- vulns/lief/PYSEC-2022-43139.yaml | 14 +- vulns/lief/PYSEC-2022-43140.yaml | 13 +- vulns/mayan-edms/PYSEC-2023-276.yaml | 55 +---- vulns/moin/PYSEC-2008-12.yaml | 40 ++-- vulns/moin/PYSEC-2008-13.yaml | 33 ++- vulns/moin/PYSEC-2009-12.yaml | 24 +-- vulns/moin/PYSEC-2009-13.yaml | 33 ++- vulns/nova/PYSEC-2013-43.yaml | 124 +---------- vulns/nova/PYSEC-2013-44.yaml | 124 
+---------- vulns/nova/PYSEC-2014-111.yaml | 124 +---------- vulns/nova/PYSEC-2014-112.yaml | 124 +---------- vulns/nova/PYSEC-2014-113.yaml | 124 +---------- vulns/nova/PYSEC-2017-145.yaml | 124 +---------- vulns/patchelf/PYSEC-2022-43144.yaml | 10 +- vulns/pg-query/PYSEC-2018-154.yaml | 7 +- vulns/pillow/PYSEC-2022-43145.yaml | 105 +-------- vulns/plone/PYSEC-2006-5.yaml | 197 +---------------- vulns/plone/PYSEC-2006-6.yaml | 197 +---------------- vulns/plone/PYSEC-2007-4.yaml | 203 +----------------- vulns/plone/PYSEC-2008-14.yaml | 195 +---------------- vulns/plone/PYSEC-2011-25.yaml | 197 +---------------- vulns/plone/PYSEC-2021-889.yaml | 48 +---- vulns/plone/PYSEC-2023-289.yaml | 123 +---------- vulns/py-cord/PYSEC-2022-43146.yaml | 32 +-- vulns/pyboolector/PYSEC-2019-252.yaml | 111 +--------- vulns/pyo/PYSEC-2021-890.yaml | 7 +- vulns/pypatchelf/PYSEC-2022-43151.yaml | 4 +- vulns/pyspark/PYSEC-2017-147.yaml | 53 +---- vulns/python-scciclient/PYSEC-2022-43152.yaml | 13 +- vulns/pywasm3/PYSEC-2022-43154.yaml | 5 +- vulns/reqmon/PYSEC-2022-43163.yaml | 191 ++-------------- vulns/safeurl-python/PYSEC-2023-298.yaml | 22 +- vulns/swift/PYSEC-2014-116.yaml | 57 ++--- vulns/tmp/PYSEC-2024-1.yaml | 1 + vulns/upydev/PYSEC-2023-302.yaml | 5 +- vulns/wmagent/PYSEC-2022-43174.yaml | 188 ++-------------- vulns/zope/PYSEC-2010-32.yaml | 93 ++------ 69 files changed, 377 insertions(+), 4487 deletions(-) create mode 100644 vulns/tmp/PYSEC-2024-1.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5368cde0..04b7eff2 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -4,7 +4,7 @@ repos:
 hooks:
 - id: check-jsonschema
 files: "^vulns/[a-z0-9_-]+/.+\\.yaml"
- args: [--schemafile, "https://raw.githubusercontent.com/ossf/osv-schema/refs/tags/v1.6.7/validation/schema.json", --no-cache]
+ args: [--schemafile, "https://raw.githubusercontent.com/ossf/osv-schema/refs/tags/v1.6.7/validation/schema.json"]
 - repo: https://github.com/jackdewinter/pymarkdown
 rev: v0.9.25
 hooks:
diff --git a/vulns/ansible-runner/PYSEC-2022-43067.yaml b/vulns/ansible-runner/PYSEC-2022-43067.yaml
index 0849e721..571acbc2 100644
--- a/vulns/ansible-runner/PYSEC-2022-43067.yaml
+++ b/vulns/ansible-runner/PYSEC-2022-43067.yaml
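Review bot: The schema URL is pinned by the tag `v1.6.7`, which git allows to be moved, and now that `--no-cache` is dropped from the `args:` line a cached copy and a moved tag can silently disagree about which schema the vulns/ files were validated against. Pinning to the commit the tag resolves to, `https://raw.githubusercontent.com/ossf/osv-schema/<commit-sha>/validation/schema.json`, keeps the check reproducible whether or not the cache is used. If the flag was removed for a speed or rate-limit reason, a one-line comment above `args:` saying so would stop the next reader from re-adding it.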
@@ -5,74 +5,28 @@ affected: purl: pkg:pypi/ansible-runner ranges: - events: - - introduced: '0' + - introduced: 2.0.0 + - fixed: 2.1.0 type: ECOSYSTEM versions: - - 1.0.1 - - 1.0.2 - - 1.0.3 - - 1.0.4 - - 1.0.5 - - 1.1.0 - - 1.1.1 - - 1.1.2 - - 1.2.0 - - 1.3.0 - - 1.3.1 - - 1.3.2 - - 1.3.3 - - 1.3.4 - - 1.4.0 - - 1.4.1 - - 1.4.2 - - 1.4.4 - - 1.4.5 - - 1.4.6 - - 1.4.7 - - 1.4.8 - - 1.4.9 - 2.0.0 - - 2.0.0.0a5 - - 2.0.0.0b1 - - 2.0.0.0rc1 - - 2.0.0.0rc2 - - 2.0.0.0rc3 - - 2.0.0a1 - - 2.0.0a2 - - 2.0.0a3 - - 2.0.0a4 - 2.0.1 - 2.0.2 - 2.0.3 - 2.0.4 - - 2.1.0 - 2.1.0.0a1 - 2.1.0.0a2 - 2.1.0.0b1 - - 2.1.1 - - 2.1.2 - - 2.1.3 - - 2.1.4 - - 2.2.0 - - 2.2.1 - - 2.2.2 - - 2.3.0 - - 2.3.1 - - 2.3.2 - - 2.3.3 - - 2.3.4 - - 2.3.5 - - 2.3.6 - - 2.4.0 aliases: - CVE-2021-3701 +- GHSA-wwch-cmqr-hhrm details: A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity. id: PYSEC-2022-43067 -modified: '2024-11-21T14:22:40.36338Z' +modified: '2024-11-25T18:33:04.123836Z' published: '2022-08-23T16:15:00Z' references: - type: ADVISORY @@ -92,4 +46,3 @@ references: severity: - score: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/ansible-runner/PYSEC-2022-43068.yaml b/vulns/ansible-runner/PYSEC-2022-43068.yaml index d267825c..6eadbc95 100644 --- a/vulns/ansible-runner/PYSEC-2022-43068.yaml +++ b/vulns/ansible-runner/PYSEC-2022-43068.yaml 
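Review bot: The `withdrawn: '2024-11-22T04:37:03Z'` line deleted in the second hunk reverses a withdrawal, which is a larger statement than the `modified` back-fill the subject describes, and every vulns/ hunk in this patch does the same while also rewriting ranges, trimming `versions` and adding GHSA aliases. Restoring a withdrawn advisory asserts that it is valid again, so the commit message should say why these records were withdrawn on 2024-11-22 and why they are being reinstated now. The PYSEC-2022-43068 hunk that follows is identical in shape and is covered by this note.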
@@ -5,74 +5,28 @@ affected: purl: pkg:pypi/ansible-runner ranges: - events: - - introduced: '0' + - introduced: 2.0.0 + - fixed: 2.1.0 type: ECOSYSTEM versions: - - 1.0.1 - - 1.0.2 - - 1.0.3 - - 1.0.4 - - 1.0.5 - - 1.1.0 - - 1.1.1 - - 1.1.2 - - 1.2.0 - - 1.3.0 - - 1.3.1 - - 1.3.2 - - 1.3.3 - - 1.3.4 - - 1.4.0 - - 1.4.1 - - 1.4.2 - - 1.4.4 - - 1.4.5 - - 1.4.6 - - 1.4.7 - - 1.4.8 - - 1.4.9 - 2.0.0 - - 2.0.0.0a5 - - 2.0.0.0b1 - - 2.0.0.0rc1 - - 2.0.0.0rc2 - - 2.0.0.0rc3 - - 2.0.0a1 - - 2.0.0a2 - - 2.0.0a3 - - 2.0.0a4 - 2.0.1 - 2.0.2 - 2.0.3 - 2.0.4 - - 2.1.0 - 2.1.0.0a1 - 2.1.0.0a2 - 2.1.0.0b1 - - 2.1.1 - - 2.1.2 - - 2.1.3 - - 2.1.4 - - 2.2.0 - - 2.2.1 - - 2.2.2 - - 2.3.0 - - 2.3.1 - - 2.3.2 - - 2.3.3 - - 2.3.4 - - 2.3.5 - - 2.3.6 - - 2.4.0 aliases: - CVE-2021-3702 +- GHSA-772j-xvf9-qpf5 details: A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the private_data_dir. The highest Threat out of this flaw is to integrity and confidentiality. id: PYSEC-2022-43068 -modified: '2024-11-21T14:22:40.419413Z' +modified: '2024-11-25T18:33:04.123836Z' published: '2022-08-23T16:15:00Z' references: - type: REPORT @@ -90,4 +44,3 @@ references: severity: - score: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/apache-iotdb/PYSEC-2022-43069.yaml b/vulns/apache-iotdb/PYSEC-2022-43069.yaml index a450a710..7f555e15 100644 --- a/vulns/apache-iotdb/PYSEC-2022-43069.yaml +++ b/vulns/apache-iotdb/PYSEC-2022-43069.yaml 
@@ -2,53 +2,17 @@ affected: - package: ecosystem: PyPI name: apache-iotdb - purl: pkg:pypi/apache-iotdb ranges: - events: - introduced: '0' + - fixed: 0.13.1 type: ECOSYSTEM - versions: - - 0.10.0 - - 0.10.1 - - 0.11.0 - - 0.11.1 - - 0.11.2 - - 0.11.3 - - 0.11.4 - - 0.12.0 - - 0.12.1 - - 0.12.2 - - 0.12.3 - - 0.12.4 - - 0.12.5 - - 0.12.6 - - 0.13.0 - - 0.13.0.post1 - - 0.13.1 - - 0.13.2 - - 0.13.3 - - 0.13.5 - - 0.13.5.1 - - 0.14.0rc1 - - 0.9.0 - - 0.9.2 - - 0.9.3 - - 1.0.0 - - 1.0.1 - - 1.1.0 - - 1.1.2 - - 1.2.0 - - 1.2.1 - - 1.3.0 - - 1.3.2 - - 1.3.2.post0 - - 1.3.3 aliases: - CVE-2022-38369 details: Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue. id: PYSEC-2022-43069 -modified: '2024-11-21T14:22:40.851901Z' +modified: '2024-11-25T18:33:04.123836Z' published: '2022-09-05T10:15:00Z' references: - type: ARTICLE @@ -62,4 +26,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/api-res-py/PYSEC-2022-43071.yaml b/vulns/api-res-py/PYSEC-2022-43071.yaml index fc5dc080..07f43c84 100644 --- a/vulns/api-res-py/PYSEC-2022-43071.yaml +++ b/vulns/api-res-py/PYSEC-2022-43071.yaml @@ -2,19 +2,17 @@ affected: - package: ecosystem: PyPI name: api-res-py - purl: pkg:pypi/api-res-py ranges: - events: - introduced: '0' + - last_affected: '0.1' type: ECOSYSTEM - versions: - - '0.1' aliases: - CVE-2022-31313 details: api-res-py package in PyPI 0.1 is vulnerable to a code execution backdoor in the request package. id: PYSEC-2022-43071 -modified: '2024-11-21T14:22:40.957734Z' +modified: '2024-11-25T18:33:04.123836Z' published: '2022-06-08T20:15:00Z' references: - type: REPORT @@ -26,4 +24,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:03Z' 
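Review bot: The `purl: pkg:pypi/apache-iotdb` line is removed here, and the api-res-py hunk below and three of the glance records later in the patch lose their `purl` too, while the neighbouring ansible-runner, designate, exotel and extractor records keep theirs. Nothing is lost since the purl is derivable from `ecosystem` and `name`, but a consumer that keys on `package.purl` will now behave differently across records touched by the same commit. Dropping it everywhere in one pass, or leaving it in place here, would be easier to reason about; if the removal was forced by the validator, that reason belongs in the commit message.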
diff --git a/vulns/chia-blockchain/PYSEC-2022-43072.yaml b/vulns/chia-blockchain/PYSEC-2022-43072.yaml index e7aca244..ee7267cf 100644 --- a/vulns/chia-blockchain/PYSEC-2022-43072.yaml +++ b/vulns/chia-blockchain/PYSEC-2022-43072.yaml @@ -6,6 +6,7 @@ affected: ranges: - events: - introduced: '0' + - last_affected: 2.4.4rc3 type: ECOSYSTEM versions: - '0.1' @@ -190,12 +191,12 @@ affected: - 2.4.3rc1 - 2.4.3rc2 - 2.4.3rc3 - - 2.4.4 - 2.4.4rc1 - 2.4.4rc2 - 2.4.4rc3 aliases: - CVE-2022-36447 +- GHSA-pvjg-jwp3-mrj5 details: An inflation issue was discovered in Chia Network CAT1 Standard 1.0.0. Previously minted tokens minted on the Chia blockchain using the CAT1 standard can be inflated to an arbitrary extent by any holder of any amount of the token. The total amount @@ -204,7 +205,7 @@ details: An inflation issue was discovered in Chia Network CAT1 Standard 1.0.0. is auditable on chain, so maliciously altered coins can potentially be marked by off-chain observers as malicious. id: PYSEC-2022-43072 -modified: '2024-11-21T14:22:41.861085Z' +modified: '2024-11-25T18:33:04.123836Z' published: '2022-07-29T21:15:00Z' references: - type: ADVISORY @@ -214,4 +215,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/cinder/PYSEC-2013-35.yaml b/vulns/cinder/PYSEC-2013-35.yaml index eceb3187..4a0d4c11 100644 --- a/vulns/cinder/PYSEC-2013-35.yaml +++ b/vulns/cinder/PYSEC-2013-35.yaml 
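Review bot: `last_affected: 2.4.4rc3` together with the removal of `2.4.4` from `versions` implies that 2.4.4 is the first unaffected release; if so, `fixed: 2.4.4` states that directly instead of making each consumer decide how a release candidate orders against its final release. If instead no fix is known and 2.4.4 simply has not been checked, `last_affected` should name the last release actually known to be affected rather than a prerelease. The enclosing `affected[0]` entry starts outside the first hunk.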
@@ -6,131 +6,16 @@ affected: ranges: - events: - introduced: '0' + - fixed: 7.0.0a0 type: ECOSYSTEM - versions: - - 10.0.8 - - 11.2.0 - - 11.2.1 - - 11.2.2 - - 12.0.10 - - 12.0.4 - - 12.0.5 - - 12.0.6 - - 12.0.7 - - 12.0.8 - - 12.0.9 - - 13.0.1 - - 13.0.2 - - 13.0.3 - - 13.0.4 - - 13.0.5 - - 13.0.6 - - 13.0.7 - - 13.0.8 - - 13.0.9 - - 14.0.0 - - 14.0.0.0rc1 - - 14.0.0.0rc2 - - 14.0.1 - - 14.0.2 - - 14.0.3 - - 14.0.4 - - 14.1.0 - - 14.2.0 - - 14.2.1 - - 14.3.0 - - 14.3.1 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 15.1.0 - - 15.2.0 - - 15.3.0 - - 15.4.0 - - 15.4.1 - - 15.5.0 - - 15.6.0 - - 16.0.0 - - 16.0.0.0b1 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.0.0.0rc3 - - 16.1.0 - - 16.2.0 - - 16.2.1 - - 16.3.0 - - 16.4.0 - - 16.4.1 - - 16.4.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 17.1.0 - - 17.2.0 - - 17.3.0 - - 17.4.0 - - 18.0.0 - - 18.0.0.0b1 - - 18.0.0.0rc1 - - 18.0.0.0rc2 - - 18.1.0 - - 18.2.0 - - 18.2.1 - - 19.0.0 - - 19.0.0.0b1 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.1.0 - - 19.1.1 - - 19.2.0 - - 19.3.0 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.2.0 - - 20.3.0 - - 20.3.1 - - 20.3.2 - - 21.0.0 - - 21.0.0.0rc2 - - 21.1.0 - - 21.2.0 - - 21.3.0 - - 21.3.1 - - 21.3.2 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.0.0rc2 - - 22.1.0 - - 22.1.1 - - 22.1.2 - - 22.2.0 - - 22.3.0 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.1.0 - - 23.2.0 - - 23.3.0 - - 24.0.0 - - 24.0.0.0rc1 - - 24.0.0.0rc2 - - 24.1.0 - - 24.2.0 - - 25.0.0 - - 25.0.0.0rc1 - - 25.0.0.0rc2 aliases: - CVE-2013-4183 +- GHSA-q3rw-wcj6-8cjf details: The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors. id: PYSEC-2013-35 -modified: '2024-11-21T14:22:42.067708Z' +modified: '2024-11-25T18:33:04.123836Z' published: '2013-09-16T19:14:00Z' references: - type: FIX 
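Review bot: `fixed: 7.0.0a0` names a version that does not appear in the removed `versions` list (the earliest PyPI release shown is 10.0.8), so the `introduced: '0'` / `fixed: 7.0.0a0` range matches no published release; it reads as a deliberate way of saying the 2013.1.x advisory does not apply to anything on PyPI. A consumer cannot distinguish that intent from a typo, so it is worth a sentence in the commit message. The glance records PYSEC-2014-102, PYSEC-2015-37 and PYSEC-2015-38 later in the patch use `fixed: 11.0.0a0` the same way.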
@@ -141,4 +26,3 @@ references: url: https://bugs.launchpad.net/cinder/+bug/1198185 - type: ADVISORY url: http://www.ubuntu.com/usn/USN-2005-1 -withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/designate/PYSEC-2017-114.yaml b/vulns/designate/PYSEC-2017-114.yaml index 9102cafb..53425d1c 100644 --- a/vulns/designate/PYSEC-2017-114.yaml +++ b/vulns/designate/PYSEC-2017-114.yaml @@ -3,69 +3,17 @@ affected: ecosystem: PyPI name: designate purl: pkg:pypi/designate - ranges: - - events: - - introduced: '0' - type: ECOSYSTEM versions: - - 10.0.0 - - 10.0.0.0rc1 - - 10.0.0.0rc2 - - 10.0.1 - - 10.0.2 - - 11.0.0 - - 11.0.0.0rc1 - - 11.0.1 - - 11.0.2 - - 12.0.0 - - 12.0.0.0rc1 - - 12.0.1 - - 12.1.0 - - 13.0.0 - - 13.0.0.0rc1 - - 13.0.1 - - 13.0.2 - - 14.0.0 - - 14.0.0.0rc1 - - 14.0.1 - - 14.0.2 - - 14.0.3 - - 14.0.4 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 15.0.2 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 19.0.0 - - 19.0.0.0rc1 - 2015.1.0b2 - - 5.0.3 - - 7.0.1 - - 8.0.0 - - 8.0.0.0rc1 - - 8.0.1 - - 9.0.0 - - 9.0.0.0rc1 - - 9.0.1 - - 9.0.2 aliases: - CVE-2015-5695 +- GHSA-m6h2-634h-jcpj details: Designate 2015.1.0 through 1.0.0.0b1 as packaged in OpenStack Kilo does not enforce RecordSets per domain, and Records per RecordSet quotas when processing an internal zone file transfer, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted resource record set. id: PYSEC-2017-114 -modified: '2024-11-21T14:22:45.305089Z' +modified: '2024-11-25T22:09:33.909779Z' published: '2017-08-31T22:29:00Z' references: - type: ARTICLE @@ -97,4 +45,3 @@ references: severity: - score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/designate/PYSEC-2019-243.yaml b/vulns/designate/PYSEC-2019-243.yaml index f5576740..703774de 100644 --- a/vulns/designate/PYSEC-2019-243.yaml 
+++ b/vulns/designate/PYSEC-2019-243.yaml @@ -3,66 +3,14 @@ affected: ecosystem: PyPI name: designate purl: pkg:pypi/designate - ranges: - - events: - - introduced: '0' - type: ECOSYSTEM versions: - - 10.0.0 - - 10.0.0.0rc1 - - 10.0.0.0rc2 - - 10.0.1 - - 10.0.2 - - 11.0.0 - - 11.0.0.0rc1 - - 11.0.1 - - 11.0.2 - - 12.0.0 - - 12.0.0.0rc1 - - 12.0.1 - - 12.1.0 - - 13.0.0 - - 13.0.0.0rc1 - - 13.0.1 - - 13.0.2 - - 14.0.0 - - 14.0.0.0rc1 - - 14.0.1 - - 14.0.2 - - 14.0.3 - - 14.0.4 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 15.0.2 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 19.0.0 - - 19.0.0.0rc1 - 2015.1.0b2 - - 5.0.3 - - 7.0.1 - - 8.0.0 - - 8.0.0.0rc1 - - 8.0.1 - - 9.0.0 - - 9.0.0.0rc1 - - 9.0.1 - - 9.0.2 aliases: - CVE-2015-5694 +- GHSA-c33m-22cr-j9x4 details: Designate does not enforce the DNS protocol limit concerning record set sizes id: PYSEC-2019-243 -modified: '2024-11-21T14:22:45.251201Z' +modified: '2024-11-25T22:09:33.909779Z' published: '2019-11-22T15:15:00Z' references: - type: REPORT @@ -80,4 +28,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:03Z' diff --git a/vulns/exotel/PYSEC-2022-43134.yaml b/vulns/exotel/PYSEC-2022-43134.yaml index 122f779a..89dd0e7c 100644 --- a/vulns/exotel/PYSEC-2022-43134.yaml +++ b/vulns/exotel/PYSEC-2022-43134.yaml 
@@ -3,22 +3,15 @@ affected: ecosystem: PyPI name: exotel purl: pkg:pypi/exotel - ranges: - - events: - - introduced: '0' - type: ECOSYSTEM versions: - - 0.1.0 - - 0.1.1 - - 0.1.3 - - 0.1.4 - - 0.1.5 + - 0.1.6 aliases: - CVE-2022-38792 +- GHSA-cv6j-9835-p7fh details: The exotel (aka exotel-py) package in PyPI as of 0.1.6 includes a code execution backdoor inserted by a third party. id: PYSEC-2022-43134 -modified: '2024-11-21T14:22:50.316894Z' +modified: '2024-11-25T22:09:33.909779Z' published: '2022-08-27T20:15:00Z' references: - type: REPORT @@ -36,4 +29,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/extractor/PYSEC-2006-4.yaml b/vulns/extractor/PYSEC-2006-4.yaml index a6ef9145..68524f36 100644 --- a/vulns/extractor/PYSEC-2006-4.yaml +++ b/vulns/extractor/PYSEC-2006-4.yaml @@ -3,20 +3,17 @@ affected: ecosystem: PyPI name: extractor purl: pkg:pypi/extractor - ranges: - - events: - - introduced: '0' - type: ECOSYSTEM versions: - '0.5' aliases: - CVE-2006-2458 +- GHSA-f836-7jqw-3684 details: Multiple heap-based buffer overflows in Libextractor 0.5.13 and earlier allow remote attackers to execute arbitrary code via (1) the asf_read_header function in the ASF plugin (plugins/asfextractor.c), and (2) the parse_trak_atom function in the QT plugin (plugins/qtextractor.c). id: PYSEC-2006-4 -modified: '2024-11-21T14:22:50.369284Z' +modified: '2024-11-25T22:09:33.909779Z' published: '2006-05-18T23:02:00Z' references: - type: EVIDENCE @@ -55,4 +52,3 @@ references: url: https://exchange.xforce.ibmcloud.com/vulnerabilities/26531 - type: WEB url: http://www.securityfocus.com/archive/1/434288/100/0/threaded -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/freetakserver/PYSEC-2022-43135.yaml b/vulns/freetakserver/PYSEC-2022-43135.yaml index c0a09244..da8a4072 100644 --- a/vulns/freetakserver/PYSEC-2022-43135.yaml +++ b/vulns/freetakserver/PYSEC-2022-43135.yaml 
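Review bot: The details say the backdoor is present "as of 0.1.6", i.e. in 0.1.6 and anything published after it, but after this hunk the record matches only the literal version `0.1.6` and the `ranges` block is gone, so a later upload of the package would not be flagged. If 0.1.6 is the last release on PyPI this is harmless today, but a `ranges` entry with `- introduced: 0.1.6`, `type: ECOSYSTEM` and no `fixed` event is what the text actually claims. The extractor hunk below drops its `ranges` in the same way, though there the single `'0.5'` entry matches the advisory.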
@@ -6,6 +6,7 @@ affected: ranges: - events: - introduced: '0' + - fixed: 1.9.8.5 type: ECOSYSTEM versions: - 0.0.1.5 @@ -99,35 +100,13 @@ affected: - 1.9.6.1 - 1.9.7 - 1.9.8 - - 1.9.8.5 - - 1.9.8.6 - - 1.9.8.7 - - 1.9.8.8 - - 1.9.9 - - 1.9.9.1 - - 1.9.9.1.0.1 - - 1.9.9.2 - - 1.9.9.3 - - 1.9.9.4 - - 1.9.9.5 - - 1.9.9.6 - - 2.0.21 - - 2.0.66 - - 2.0.69 - - '2.1' - - 2.1.1 - - 2.1.2 - - 2.1.3 - - 2.1.4.5 - - '2.2' - - 2.2.0.1 - - 2.2.1 aliases: - CVE-2022-25510 +- GHSA-f897-875p-23x7 details: FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges. id: PYSEC-2022-43135 -modified: '2024-11-21T14:22:50.654358Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2022-03-11T00:15:00Z' references: - type: EVIDENCE @@ -137,4 +116,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/galaxy-app/PYSEC-2018-149.yaml b/vulns/galaxy-app/PYSEC-2018-149.yaml index 1f5b85b4..9130fafa 100644 --- a/vulns/galaxy-app/PYSEC-2018-149.yaml +++ b/vulns/galaxy-app/PYSEC-2018-149.yaml 
@@ -6,33 +6,20 @@ affected: ranges: - events: - introduced: '0' + - fixed: 14.10.1 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: galaxy-app + purl: pkg:pypi/galaxy-app + ranges: + - events: + - introduced: '15.0' + - fixed: '15.01' type: ECOSYSTEM - versions: - - 20.5.0 - - 20.9.0 - - 21.9.0 - - 22.1.1 - - 23.0.1 - - 23.0.2 - - 23.0.3 - - 23.0.4 - - 23.0.5 - - 23.0.6 - - 23.1.1 - - 23.1.2 - - 23.1.3 - - 23.1.4 - - 23.1.dev0 - - 23.2.1 - - 24.0.0 - - 24.0.1 - - 24.0.2 - - 24.0.3 - - 24.1.1 - - 24.1.2 - - 24.1.3 aliases: - CVE-2018-1000516 +- GHSA-qqr6-vm23-m488 details: 'The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability in Many templates used in the Galaxy server did not properly sanitize user''s input, which would allow for cross-site @@ -43,7 +30,7 @@ details: 'The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper N component on page witch contains injected JavaScript code.. This vulnerability appears to have been fixed in v14.10.1, v15.01.' id: PYSEC-2018-149 -modified: '2024-11-21T14:22:50.762055Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2018-06-26T16:29:00Z' references: - type: ADVISORY @@ -51,4 +38,3 @@ references: severity: - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2014-102.yaml b/vulns/glance/PYSEC-2014-102.yaml index 54528b67..98d5fd97 100644 --- a/vulns/glance/PYSEC-2014-102.yaml +++ b/vulns/glance/PYSEC-2014-102.yaml 
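Review bot: `fixed: '15.01'` in the second range is not a normalized PEP 440 version (it normalizes to `15.1`), so a consumer that normalizes and one that compares the raw string can disagree on where the range ends. The details quote the fix as "v14.10.1, v15.01"; if that release is published under the normalized number, `fixed: '15.1'` removes the ambiguity, and if it shipped under a different number the bound should use that spelling. The `- package:` header of the first `affected` entry is outside the hunk, so the split into two entries is only partly visible here.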
@@ -6,87 +6,17 @@ affected: ranges: - events: - introduced: '0' + - fixed: 11.0.0a0 type: ECOSYSTEM - versions: - - 15.0.2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0b1 - - 18.0.0.0rc1 - - 18.0.1 - - 19.0.0 - - 19.0.0.0b1 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.0.4 - - 20.0.0 - - 20.0.0.0b1 - - 20.0.0.0b2 - - 20.0.0.0b3 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.2.0 - - 21.0.0 - - 21.0.0.0b1 - - 21.0.0.0b2 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 22.0.0 - - 22.0.0.0b2 - - 22.0.0.0b3 - - 22.0.0.0rc1 - - 22.1.0 - - 22.1.1 - - 23.0.0 - - 23.0.0.0b2 - - 23.0.0.0b3 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.1.0 - - 24.0.0 - - 24.0.0.0rc1 - - 24.1.0 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0b2 - - 25.0.0.0b3 - - 25.0.0.0rc1 - - 25.1.0 - - 26.0.0 - - 26.0.0.0b2 - - 26.0.0.0b3 - - 26.0.0.0rc1 - - 26.1.0 - - 27.0.0 - - 27.0.0.0b1 - - 27.0.0.0b2 - - 27.0.0.0rc1 - - 27.1.0 - - 28.0.0 - - 28.0.0.0b2 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 29.0.0 - - 29.0.0.0b1 - - 29.0.0.0b2 - - 29.0.0.0b3 - - 29.0.0.0rc1 aliases: - CVE-2014-1948 +- GHSA-4xw6-hj5p-4j79 details: OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log. id: PYSEC-2014-102 -modified: '2024-11-21T14:22:51.234051Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2014-02-14T15:55:00Z' references: - type: WEB @@ -99,4 +29,3 @@ references: url: http://secunia.com/advisories/56419 - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-0229.html -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2015-37.yaml b/vulns/glance/PYSEC-2015-37.yaml index df30828c..22275017 100644 --- a/vulns/glance/PYSEC-2015-37.yaml +++ b/vulns/glance/PYSEC-2015-37.yaml 
@@ -2,83 +2,19 @@ affected: - package: ecosystem: PyPI name: glance - purl: pkg:pypi/glance ranges: - events: - introduced: '0' + - fixed: 11.0.0a0 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: glance + ranges: + - events: + - introduced: '0' + - fixed: 11.0.0a0 type: ECOSYSTEM - versions: - - 15.0.2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0b1 - - 18.0.0.0rc1 - - 18.0.1 - - 19.0.0 - - 19.0.0.0b1 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.0.4 - - 20.0.0 - - 20.0.0.0b1 - - 20.0.0.0b2 - - 20.0.0.0b3 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.2.0 - - 21.0.0 - - 21.0.0.0b1 - - 21.0.0.0b2 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 22.0.0 - - 22.0.0.0b2 - - 22.0.0.0b3 - - 22.0.0.0rc1 - - 22.1.0 - - 22.1.1 - - 23.0.0 - - 23.0.0.0b2 - - 23.0.0.0b3 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.1.0 - - 24.0.0 - - 24.0.0.0rc1 - - 24.1.0 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0b2 - - 25.0.0.0b3 - - 25.0.0.0rc1 - - 25.1.0 - - 26.0.0 - - 26.0.0.0b2 - - 26.0.0.0b3 - - 26.0.0.0rc1 - - 26.1.0 - - 27.0.0 - - 27.0.0.0b1 - - 27.0.0.0b2 - - 27.0.0.0rc1 - - 27.1.0 - - 28.0.0 - - 28.0.0.0b2 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 29.0.0 - - 29.0.0.0b1 - - 29.0.0.0b2 - - 29.0.0.0b3 - - 29.0.0.0rc1 aliases: - CVE-2014-9684 details: OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 @@ -87,7 +23,7 @@ details: OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2 the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881. id: PYSEC-2015-37 -modified: '2024-11-21T14:22:51.289332Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2015-02-24T15:59:00Z' references: - type: ADVISORY @@ -98,4 +34,3 @@ references: url: http://rhn.redhat.com/errata/RHSA-2015-0938.html - type: WEB url: http://www.securityfocus.com/bid/72692 -withdrawn: '2024-11-22T04:37:04Z' 
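Review bot: The added `- package:` entry is identical to the one above it (ecosystem PyPI, name glance, `introduced: '0'`, `fixed: 11.0.0a0`), so after this hunk `affected` lists the same package and range twice. The second entry should be dropped, or, if it was meant to carry a different range or the `purl` that the first one loses, it needs to actually differ. PYSEC-2015-38 in the next file has the same duplicate and is covered by this note.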
diff --git a/vulns/glance/PYSEC-2015-38.yaml b/vulns/glance/PYSEC-2015-38.yaml index c8645ab9..37597e62 100644 --- a/vulns/glance/PYSEC-2015-38.yaml +++ b/vulns/glance/PYSEC-2015-38.yaml @@ -2,83 +2,19 @@ affected: - package: ecosystem: PyPI name: glance - purl: pkg:pypi/glance ranges: - events: - introduced: '0' + - fixed: 11.0.0a0 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: glance + ranges: + - events: + - introduced: '0' + - fixed: 11.0.0a0 type: ECOSYSTEM - versions: - - 15.0.2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0b1 - - 18.0.0.0rc1 - - 18.0.1 - - 19.0.0 - - 19.0.0.0b1 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.0.4 - - 20.0.0 - - 20.0.0.0b1 - - 20.0.0.0b2 - - 20.0.0.0b3 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.2.0 - - 21.0.0 - - 21.0.0.0b1 - - 21.0.0.0b2 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 22.0.0 - - 22.0.0.0b2 - - 22.0.0.0b3 - - 22.0.0.0rc1 - - 22.1.0 - - 22.1.1 - - 23.0.0 - - 23.0.0.0b2 - - 23.0.0.0b3 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.1.0 - - 24.0.0 - - 24.0.0.0rc1 - - 24.1.0 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0b2 - - 25.0.0.0b3 - - 25.0.0.0rc1 - - 25.1.0 - - 26.0.0 - - 26.0.0.0b2 - - 26.0.0.0b3 - - 26.0.0.0rc1 - - 26.1.0 - - 27.0.0 - - 27.0.0.0b1 - - 27.0.0.0b2 - - 27.0.0.0rc1 - - 27.1.0 - - 28.0.0 - - 28.0.0.0b2 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 29.0.0 - - 29.0.0.0b1 - - 29.0.0.0b2 - - 29.0.0.0b3 - - 29.0.0.0rc1 aliases: - CVE-2015-1881 details: OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 @@ -86,7 +22,7 @@ details: OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2 a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684. id: PYSEC-2015-38 -modified: '2024-11-21T14:22:51.342319Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2015-02-24T15:59:00Z' references: - type: EVIDENCE 
@@ -97,4 +33,3 @@ references: url: http://rhn.redhat.com/errata/RHSA-2015-0938.html - type: WEB url: http://www.securityfocus.com/bid/72694 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2015-39.yaml b/vulns/glance/PYSEC-2015-39.yaml index 64562108..50c26d82 100644 --- a/vulns/glance/PYSEC-2015-39.yaml +++ b/vulns/glance/PYSEC-2015-39.yaml @@ -5,87 +5,17 @@ affected: purl: pkg:pypi/glance ranges: - events: - - introduced: '0' + - introduced: 2015.1.0 + - fixed: 2015.1.2 type: ECOSYSTEM - versions: - - 15.0.2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0b1 - - 18.0.0.0rc1 - - 18.0.1 - - 19.0.0 - - 19.0.0.0b1 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.0.4 - - 20.0.0 - - 20.0.0.0b1 - - 20.0.0.0b2 - - 20.0.0.0b3 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.2.0 - - 21.0.0 - - 21.0.0.0b1 - - 21.0.0.0b2 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 22.0.0 - - 22.0.0.0b2 - - 22.0.0.0b3 - - 22.0.0.0rc1 - - 22.1.0 - - 22.1.1 - - 23.0.0 - - 23.0.0.0b2 - - 23.0.0.0b3 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.1.0 - - 24.0.0 - - 24.0.0.0rc1 - - 24.1.0 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0b2 - - 25.0.0.0b3 - - 25.0.0.0rc1 - - 25.1.0 - - 26.0.0 - - 26.0.0.0b2 - - 26.0.0.0b3 - - 26.0.0.0rc1 - - 26.1.0 - - 27.0.0 - - 27.0.0.0b1 - - 27.0.0.0b2 - - 27.0.0.0rc1 - - 27.1.0 - - 28.0.0 - - 28.0.0.0b2 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 29.0.0 - - 29.0.0.0b1 - - 29.0.0.0b2 - - 29.0.0.0b3 - - 29.0.0.0rc1 aliases: - CVE-2015-5163 +- GHSA-q73f-vjc2-3gqf details: The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image. id: PYSEC-2015-39 -modified: '2024-11-21T14:22:51.397712Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2015-08-19T15:59:00Z' references: - type: WEB 
@@ -96,4 +26,3 @@ references: url: https://bugs.launchpad.net/glance/+bug/1471912 - type: WEB url: http://www.securityfocus.com/bid/76346 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/glance/PYSEC-2017-143.yaml b/vulns/glance/PYSEC-2017-143.yaml index 3869ddf5..8a822ae3 100644 --- a/vulns/glance/PYSEC-2017-143.yaml +++ b/vulns/glance/PYSEC-2017-143.yaml @@ -6,86 +6,16 @@ affected: ranges: - events: - introduced: '0' + - last_affected: 11.0.0 type: ECOSYSTEM - versions: - - 15.0.2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0b1 - - 18.0.0.0rc1 - - 18.0.1 - - 19.0.0 - - 19.0.0.0b1 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.0.4 - - 20.0.0 - - 20.0.0.0b1 - - 20.0.0.0b2 - - 20.0.0.0b3 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.2.0 - - 21.0.0 - - 21.0.0.0b1 - - 21.0.0.0b2 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 22.0.0 - - 22.0.0.0b2 - - 22.0.0.0b3 - - 22.0.0.0rc1 - - 22.1.0 - - 22.1.1 - - 23.0.0 - - 23.0.0.0b2 - - 23.0.0.0b3 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.1.0 - - 24.0.0 - - 24.0.0.0rc1 - - 24.1.0 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0b2 - - 25.0.0.0b3 - - 25.0.0.0rc1 - - 25.1.0 - - 26.0.0 - - 26.0.0.0b2 - - 26.0.0.0b3 - - 26.0.0.0rc1 - - 26.1.0 - - 27.0.0 - - 27.0.0.0b1 - - 27.0.0.0b2 - - 27.0.0.0rc1 - - 27.1.0 - - 28.0.0 - - 28.0.0.0b2 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 29.0.0 - - 29.0.0.0b1 - - 29.0.0.0b2 - - 29.0.0.0b3 - - 29.0.0.0rc1 aliases: - CVE-2015-8234 +- GHSA-wmhw-fvg9-87fc details: The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision. id: PYSEC-2017-143 -modified: '2024-11-21T14:22:51.45285Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2017-03-29T14:59:00Z' references: - type: WEB @@ -103,4 +33,3 @@ references: severity: - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' 
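Review bot: The details describe the MD5-collision signature bypass as affecting Glance 11.0.0, but the range keeps `introduced: '0'` and only adds `last_affected: 11.0.0`, which marks every earlier release as affected as well. If the image signature verification being bypassed did not exist before 11.0.0 (the page does not say), `introduced: 11.0.0` matches the advisory text; if earlier releases are genuinely affected, the details should say so.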
diff --git a/vulns/glance/PYSEC-2023-270.yaml b/vulns/glance/PYSEC-2023-270.yaml index b1018b2d..626cd949 100644 --- a/vulns/glance/PYSEC-2023-270.yaml +++ b/vulns/glance/PYSEC-2023-270.yaml @@ -2,90 +2,18 @@ affected: - package: ecosystem: PyPI name: glance - purl: pkg:pypi/glance ranges: - events: - introduced: '0' + - last_affected: 25.1.0 type: ECOSYSTEM - versions: - - 15.0.2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0b1 - - 18.0.0.0rc1 - - 18.0.1 - - 19.0.0 - - 19.0.0.0b1 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.0.4 - - 20.0.0 - - 20.0.0.0b1 - - 20.0.0.0b2 - - 20.0.0.0b3 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.2.0 - - 21.0.0 - - 21.0.0.0b1 - - 21.0.0.0b2 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 22.0.0 - - 22.0.0.0b2 - - 22.0.0.0b3 - - 22.0.0.0rc1 - - 22.1.0 - - 22.1.1 - - 23.0.0 - - 23.0.0.0b2 - - 23.0.0.0b3 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.1.0 - - 24.0.0 - - 24.0.0.0rc1 - - 24.1.0 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0b2 - - 25.0.0.0b3 - - 25.0.0.0rc1 - - 25.1.0 - - 26.0.0 - - 26.0.0.0b2 - - 26.0.0.0b3 - - 26.0.0.0rc1 - - 26.1.0 - - 27.0.0 - - 27.0.0.0b1 - - 27.0.0.0b2 - - 27.0.0.0rc1 - - 27.1.0 - - 28.0.0 - - 28.0.0.0b2 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 29.0.0 - - 29.0.0.0b1 - - 29.0.0.0b2 - - 29.0.0.0b3 - - 29.0.0.0rc1 aliases: - CVE-2022-4134 details: A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images. id: PYSEC-2023-270 -modified: '2024-11-21T14:22:51.507003Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2023-03-06T23:15:00Z' references: - type: ADVISORY @@ -97,4 +25,3 @@ references: severity: - score: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/global-workqueue/PYSEC-2022-43136.yaml b/vulns/global-workqueue/PYSEC-2022-43136.yaml index 756deaf8..b825a658 100644 
--- a/vulns/global-workqueue/PYSEC-2022-43136.yaml
+++ b/vulns/global-workqueue/PYSEC-2022-43136.yaml
@@ -1,183 +1,27 @@ -id: PYSEC-2022-43136 +affected: +- package: + ecosystem: PyPI + name: global-workqueue + ranges: + - events: + - introduced: 1.4.1rc5 + - fixed: 2.0.4 + type: ECOSYSTEM + versions: + - 1.4.1rc5 +aliases: +- CVE-2022-34558 details: WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted dbs-client package. -aliases: -- CVE-2022-34558 -modified: '2024-11-25T20:23:29.143219Z' +id: PYSEC-2022-43136 +modified: '2024-11-25T22:09:33.909779Z' published: '2022-07-28T23:15:00Z' -withdrawn: '2024-11-22T04:37:04Z' references: - type: EVIDENCE url: https://github.com/dmwm/WMCore/issues/11188 - type: REPORT url: https://github.com/dmwm/WMCore/issues/11188 -affected: -- package: - name: global-workqueue - ecosystem: PyPI - purl: pkg:pypi/global-workqueue - ranges: - - type: ECOSYSTEM - events: - - introduced: '0' - versions: - - 2.0.4 - - 2.1.1 - - 2.1.2rc4 - - 2.1.4 - - 2.1.4rc1 - - 2.1.4rc2 - - 2.1.4rc3 - - 2.1.4rc4 - - 2.1.4rc5 - - 2.1.4rc6 - - 2.1.4rc7 - - 2.1.5 - - 2.1.5.1 - - 2.1.5rc1 - - 2.1.5rc2 - - 2.1.5rc4 - - 2.1.5rc5 - - 2.1.5rc6 - - 2.1.5rc7 - - 2.1.6 - - 2.1.6.1 - - 2.1.6.2 - - 2.1.6.3 - - 2.1.6rc1 - - 2.1.6rc2 - - 2.1.6rc3 - - 2.1.6rc4 - - 2.1.6rc5 - - 2.1.6rc6 - - 2.1.7 - - 2.1.7rc1 - - 2.1.7rc2 - - 2.1.7rc3 - - 2.1.7rc4 - - 2.1.7rc5 - - 2.1.7rc6 - - 2.1.7rc7 - - 2.1.8 - - 2.1.8rc1 - - 2.1.8rc2 - - 2.2.0 - - 2.2.0.1 - - 2.2.0.2 - - 2.2.0.3 - - 2.2.0.4 - - 2.2.0.5 - - 2.2.0.7 - - 2.2.0rc1 - - 2.2.0rc2 - - 2.2.0rc3 - - 2.2.0rc4 - - 2.2.0rc5 - - 2.2.0rc6 - - 2.2.0rc7 - - 2.2.0rc8 - - 2.2.0rc9 - - 2.2.1 - - 2.2.1rc1 - - 2.2.1rc2 - - 2.2.1rc3 - - 2.2.1rc4 - - 2.2.1rc5 - - 2.2.2 - - 2.2.2.1 - - 2.2.2rc1 - - 2.2.2rc10 - - 2.2.2rc11 - - 2.2.2rc12 - - 2.2.2rc2 - - 2.2.2rc3 - - 2.2.2rc4 - - 2.2.2rc5 - - 2.2.2rc6 - - 2.2.2rc7 - - 2.2.2rc8 - - 2.2.2rc9 - - 2.2.3.1 - - 2.2.3.2 - - 2.2.4 - - 2.2.4.1 - - 2.2.4.2 - - 2.2.4.3 - - 2.2.4.4 - - 2.2.4.6 - 
- 2.2.4.7 - - 2.2.4rc1 - - 2.2.4rc10 - - 2.2.4rc2 - - 2.2.4rc3 - - 2.2.4rc4 - - 2.2.4rc5 - - 2.2.4rc6 - - 2.2.4rc7 - - 2.2.4rc8 - - 2.2.4rc9 - - 2.2.5 - - 2.2.6 - - 2.2.6rc1 - - 2.2.6rc2 - - 2.2.6rc3 - - 2.2.6rc4 - - 2.2.6rc5 - - 2.2.6rc6 - - 2.2.6rc7 - - 2.2.6rc8 - - 2.3.0 - - 2.3.0.1 - - 2.3.0.2 - - 2.3.1 - - 2.3.1rc1 - - 2.3.1rc2 - - 2.3.1rc3 - - 2.3.1rc4 - - 2.3.2 - - 2.3.2rc1 - - 2.3.2rc2 - - 2.3.2rc3 - - 2.3.2rc4 - - 2.3.2rc5 - - 2.3.2rc6 - - 2.3.2rc8 - - 2.3.2rc9 - - 2.3.3 - - 2.3.4 - - 2.3.4.1 - - 2.3.4.2 - - 2.3.4.3 - - 2.3.4.4 - - 2.3.4rc1 - - 2.3.4rc10 - - 2.3.4rc11 - - 2.3.4rc12 - - 2.3.4rc2 - - 2.3.4rc3 - - 2.3.4rc4 - - 2.3.4rc5 - - 2.3.4rc6 - - 2.3.4rc7 - - 2.3.4rc8 - - 2.3.4rc9 - - 2.3.5 - - 2.3.5.1 - - 2.3.5rc1 - - 2.3.5rc3 - - 2.3.6 - - 2.3.6rc1 - - 2.3.6rc2 - - 2.3.6rc3 - - 2.3.6rc4 - - 2.3.6rc5 - - 2.3.6rc6 - - 2.3.6rc7 - - 2.3.6rc8 - - 2.3.7 - - 2.3.7.1 - - 2.3.8rc5 severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 diff --git a/vulns/horizon/PYSEC-2015-40.yaml b/vulns/horizon/PYSEC-2015-40.yaml index 4fea084b..14d0504f 100644 --- a/vulns/horizon/PYSEC-2015-40.yaml +++ b/vulns/horizon/PYSEC-2015-40.yaml 
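Review bot: `versions` now lists only `1.4.1rc5`, yet that release is absent from the enumeration this hunk removes, which begins at 2.0.4 and — given the old range was `introduced: '0'` with no fix — presumably listed every global-workqueue release on PyPI; either 1.4.1rc5 is not a PyPI release and should not sit under `versions`, or the old enumeration was incomplete, and which one it is should be confirmed before merging. The same question applies to the `- 11.0.0` added to keystone PYSEC-2018-152 and the `- '1.7'` / `- 1.7.0` entries added to moin PYSEC-2008-12, PYSEC-2008-13 and PYSEC-2009-13, none of which appear in the lists those hunks delete (which start at 12.0.2 and 1.8.4 respectively). Separately, the `modified` value here, `'2024-11-25T22:09:33.909779Z'`, differs from the `'2024-11-25T18:35:18.357593Z'` every other file in this patch receives, which suggests this file came from a different generator run; if the batch stamp is meant to be uniform, this one is out of step.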
@@ -6,105 +6,18 @@ affected: ranges: - events: - introduced: '0' + - fixed: 8.0.0a0 type: ECOSYSTEM - versions: - - 12.0.2 - - 12.0.3 - - 12.0.4 - - 13.0.0 - - 13.0.0.0b3 - - 13.0.0.0rc1 - - 13.0.0.0rc2 - - 13.0.1 - - 13.0.2 - - 13.0.3 - - 14.0.0 - - 14.0.0.0b1 - - 14.0.0.0b2 - - 14.0.0.0b3 - - 14.0.0.0rc1 - - 14.0.0.0rc2 - - 14.0.1 - - 14.0.2 - - 14.0.3 - - 14.0.4 - - 14.1.0 - - 15.0.0 - - 15.0.0.0b1 - - 15.0.0.0b2 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.1.0 - - 15.1.1 - - 15.2.0 - - 15.3.0 - - 15.3.1 - - 15.3.2 - - 16.0.0 - - 16.0.0.0b1 - - 16.0.0.0b2 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.1.0 - - 16.2.0 - - 16.2.1 - - 16.2.2 - - 17.0.0 - - 17.1.0 - - 18.0.0 - - 18.1.0 - - 18.2.0 - - 18.3.0 - - 18.3.1 - - 18.3.2 - - 18.3.3 - - 18.3.4 - - 18.3.5 - - 18.4.0 - - 18.4.1 - - 18.5.0 - - 18.6.0 - - 18.6.1 - - 18.6.2 - - 18.6.3 - - 18.6.4 - - 19.0.0 - - 19.1.0 - - 19.2.0 - - 19.3.0 - - 19.4.0 - - 20.0.0 - - 20.1.0 - - 20.1.1 - - 20.1.2 - - 20.1.3 - - 20.1.4 - - 20.2.0 - - 21.0.0 - - 22.0.0 - - 22.1.0 - - 22.1.1 - - 22.2.0 - - 23.0.0 - - 23.0.1 - - 23.0.2 - - 23.1.0 - - 23.1.1 - - 23.2.0 - - 23.3.0 - - 23.4.0 - - 24.0.0 - - 25.0.0 - - 25.1.0 aliases: - CVE-2015-3219 +- GHSA-rhjj-f6gq-6gx2 details: Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class. id: PYSEC-2015-40 -modified: '2024-11-21T14:22:51.843481Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2015-08-20T20:59:00Z' references: - type: FIX @@ -125,4 +38,3 @@ references: url: http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2015-1679.html -withdrawn: '2024-11-22T04:37:04Z' 
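Review bot: The added `- fixed: 8.0.0a0` is a boundary the advisory text never mentions — the description names 2014.2.4 and 2015.1.1 as the fixed releases — and nothing in the file explains why a version that is neither of those closes the range. Presumably 8.0.0a0 marks the point where horizon's versioning switched from date-based to semver, so every date-based release sorts below it and no semver release on PyPI is matched; if so, that convention should be stated, either as a comment on the event such as `# 8.0.0a0: first semver-numbered release; every date-based (2014.x/2015.x) version sorts below it` or, since regenerated YAML may not preserve comments, in the contributor documentation for these records. The same unexplained placeholder appears in keystone PYSEC-2013-41, PYSEC-2014-105, PYSEC-2014-106, PYSEC-2014-107, PYSEC-2014-108 and PYSEC-2014-109, and as `12.0.0a0` in nova PYSEC-2013-43.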
diff --git a/vulns/keystone/PYSEC-2013-39.yaml b/vulns/keystone/PYSEC-2013-39.yaml index 67c0f9f6..0476e525 100644 --- a/vulns/keystone/PYSEC-2013-39.yaml +++ b/vulns/keystone/PYSEC-2013-39.yaml @@ -2,68 +2,18 @@ affected: - package: ecosystem: PyPI name: keystone - purl: pkg:pypi/keystone ranges: - events: - - introduced: '0' + - introduced: '2012.2' + - fixed: 2012.2.4 type: ECOSYSTEM - versions: - - 12.0.2 - - 12.0.3 - - 13.0.2 - - 13.0.3 - - 13.0.4 - - 14.0.0 - - 14.0.1 - - 14.1.0 - - 14.2.0 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 18.1.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.1 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.0.2 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.1 - - 23.0.2 - - 24.0.0 - - 24.0.0.0rc1 - - 25.0.0 - - 25.0.0.0rc1 - - 26.0.0 - - 26.0.0.0rc1 aliases: - CVE-2013-1865 details: OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token. id: PYSEC-2013-39 -modified: '2024-11-21T14:22:52.4602Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2013-03-22T21:55:00Z' references: - type: WEB @@ -86,4 +36,3 @@ references: url: http://rhn.redhat.com/errata/RHSA-2013-0708.html - type: WEB url: http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101719.html -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2013-41.yaml b/vulns/keystone/PYSEC-2013-41.yaml index 3c16efcb..bf1aecb0 100644 --- a/vulns/keystone/PYSEC-2013-41.yaml +++ b/vulns/keystone/PYSEC-2013-41.yaml 
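Review bot: The added `- introduced: '2012.2'` spells the Folsom baseline differently from the `- introduced: 2012.2.0` added to keystone PYSEC-2013-42 later in this patch; both normalise to the same PEP 440 version, but the quoting differs because bare `2012.2` would parse as a float, and a database that humans grep and diff benefits from one spelling per boundary. `2012.2.0` needs no quotes and cannot be misread by a YAML 1.1 loader, so it is the safer form to use in both files. The moin entries have the same split: PYSEC-2008-13 adds `- introduced: 1.7.0` while PYSEC-2008-12 and PYSEC-2009-13 add `- introduced: '1.7'` (and `- '1.7'` under `versions`).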
@@ -6,65 +6,17 @@ affected: ranges: - events: - introduced: '0' + - fixed: 8.0.0a0 type: ECOSYSTEM - versions: - - 12.0.2 - - 12.0.3 - - 13.0.2 - - 13.0.3 - - 13.0.4 - - 14.0.0 - - 14.0.1 - - 14.1.0 - - 14.2.0 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 18.1.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.1 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.0.2 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.1 - - 23.0.2 - - 24.0.0 - - 24.0.0.0rc1 - - 25.0.0 - - 25.0.0.0rc1 - - 26.0.0 - - 26.0.0.0rc1 aliases: - CVE-2013-2059 +- GHSA-hj89-qmx9-8qmh details: OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token. id: PYSEC-2013-41 -modified: '2024-11-21T14:22:52.573879Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2013-05-21T18:55:00Z' references: - type: EVIDENCE @@ -89,4 +41,3 @@ references: url: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105916.html - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/84135 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2013-42.yaml b/vulns/keystone/PYSEC-2013-42.yaml index bb42f463..9cd12d6e 100644 --- a/vulns/keystone/PYSEC-2013-42.yaml +++ b/vulns/keystone/PYSEC-2013-42.yaml 
@@ -5,66 +5,18 @@ affected: purl: pkg:pypi/keystone ranges: - events: - - introduced: '0' + - introduced: 2012.2.0 + - fixed: 2013.1.4 type: ECOSYSTEM - versions: - - 12.0.2 - - 12.0.3 - - 13.0.2 - - 13.0.3 - - 13.0.4 - - 14.0.0 - - 14.0.1 - - 14.1.0 - - 14.2.0 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 18.1.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.1 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.0.2 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.1 - - 23.0.2 - - 24.0.0 - - 24.0.0.0rc1 - - 25.0.0 - - 25.0.0.0rc1 - - 26.0.0 - - 26.0.0.0rc1 aliases: - CVE-2013-4294 +- GHSA-5qpp-v56f-mqfm details: The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token. id: PYSEC-2013-42 -modified: '2024-11-21T14:22:52.629772Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2013-09-23T20:55:00Z' references: - type: ADVISORY @@ -79,4 +31,3 @@ references: url: http://secunia.com/advisories/54706 - type: ADVISORY url: http://www.ubuntu.com/usn/USN-2002-1 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2014-105.yaml b/vulns/keystone/PYSEC-2014-105.yaml index db35e189..19bba351 100644 --- a/vulns/keystone/PYSEC-2014-105.yaml +++ b/vulns/keystone/PYSEC-2014-105.yaml 
@@ -6,66 +6,18 @@ affected: ranges: - events: - introduced: '0' + - fixed: 8.0.0a0 type: ECOSYSTEM - versions: - - 12.0.2 - - 12.0.3 - - 13.0.2 - - 13.0.3 - - 13.0.4 - - 14.0.0 - - 14.0.1 - - 14.1.0 - - 14.2.0 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 18.1.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.1 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.0.2 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.1 - - 23.0.2 - - 24.0.0 - - 24.0.0.0rc1 - - 25.0.0 - - 25.0.0.0rc1 - - 26.0.0 - - 26.0.0.0rc1 aliases: - CVE-2014-2237 +- GHSA-23x9-8hxr-978c details: The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions. id: PYSEC-2014-105 -modified: '2024-11-21T14:22:52.681779Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2014-04-01T06:35:00Z' references: - type: WEB @@ -76,4 +28,3 @@ references: url: http://rhn.redhat.com/errata/RHSA-2014-0580.html - type: WEB url: http://www.securityfocus.com/bid/65895 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2014-106.yaml b/vulns/keystone/PYSEC-2014-106.yaml index 1ae56fd2..4a17a302 100644 --- a/vulns/keystone/PYSEC-2014-106.yaml +++ b/vulns/keystone/PYSEC-2014-106.yaml 
@@ -6,65 +6,17 @@ affected: ranges: - events: - introduced: '0' + - fixed: 8.0.0a0 type: ECOSYSTEM - versions: - - 12.0.2 - - 12.0.3 - - 13.0.2 - - 13.0.3 - - 13.0.4 - - 14.0.0 - - 14.0.1 - - 14.1.0 - - 14.2.0 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 18.1.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.1 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.0.2 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.1 - - 23.0.2 - - 24.0.0 - - 24.0.0.0rc1 - - 25.0.0 - - 25.0.0.0rc1 - - 26.0.0 - - 26.0.0.0rc1 aliases: - CVE-2014-2828 +- GHSA-6mv3-p2gr-wgqf details: The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining." id: PYSEC-2014-106 -modified: '2024-11-21T14:22:52.734949Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2014-04-15T14:55:00Z' references: - type: WEB @@ -73,4 +25,3 @@ references: url: https://bugs.launchpad.net/keystone/+bug/1300274 - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-1688.html -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2014-107.yaml b/vulns/keystone/PYSEC-2014-107.yaml index bf983e35..e5f8d69b 100644 --- a/vulns/keystone/PYSEC-2014-107.yaml +++ b/vulns/keystone/PYSEC-2014-107.yaml 
@@ -6,65 +6,17 @@ affected: ranges: - events: - introduced: '0' + - fixed: 8.0.0a0 type: ECOSYSTEM - versions: - - 12.0.2 - - 12.0.3 - - 13.0.2 - - 13.0.3 - - 13.0.4 - - 14.0.0 - - 14.0.1 - - 14.1.0 - - 14.2.0 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 18.1.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.1 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.0.2 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.1 - - 23.0.2 - - 24.0.0 - - 24.0.0.0rc1 - - 25.0.0 - - 25.0.0.0rc1 - - 26.0.0 - - 26.0.0.0rc1 aliases: - CVE-2014-5251 +- GHSA-gmvp-5rf9-mxcm details: The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token. id: PYSEC-2014-107 -modified: '2024-11-21T14:22:52.786892Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2014-08-25T14:55:00Z' references: - type: WEB @@ -77,4 +29,3 @@ references: url: http://rhn.redhat.com/errata/RHSA-2014-1121.html - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-1122.html -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2014-108.yaml b/vulns/keystone/PYSEC-2014-108.yaml index 8db3e4ab..de330df7 100644 --- a/vulns/keystone/PYSEC-2014-108.yaml +++ b/vulns/keystone/PYSEC-2014-108.yaml 
@@ -6,65 +6,17 @@ affected: ranges: - events: - introduced: '0' + - fixed: 8.0.0a0 type: ECOSYSTEM - versions: - - 12.0.2 - - 12.0.3 - - 13.0.2 - - 13.0.3 - - 13.0.4 - - 14.0.0 - - 14.0.1 - - 14.1.0 - - 14.2.0 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 18.1.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.1 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.0.2 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.1 - - 23.0.2 - - 24.0.0 - - 24.0.0.0rc1 - - 25.0.0 - - 25.0.0.0rc1 - - 26.0.0 - - 26.0.0.0rc1 aliases: - CVE-2014-5252 +- GHSA-v8fq-gq9j-3v7h details: The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/. id: PYSEC-2014-108 -modified: '2024-11-21T14:22:52.84065Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2014-08-25T14:55:00Z' references: - type: WEB @@ -77,4 +29,3 @@ references: url: http://rhn.redhat.com/errata/RHSA-2014-1121.html - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-1122.html -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2014-109.yaml b/vulns/keystone/PYSEC-2014-109.yaml index c4c8f9f9..aafc1682 100644 --- a/vulns/keystone/PYSEC-2014-109.yaml +++ b/vulns/keystone/PYSEC-2014-109.yaml 
@@ -6,64 +6,16 @@ affected: ranges: - events: - introduced: '0' + - fixed: 8.0.0a0 type: ECOSYSTEM - versions: - - 12.0.2 - - 12.0.3 - - 13.0.2 - - 13.0.3 - - 13.0.4 - - 14.0.0 - - 14.0.1 - - 14.1.0 - - 14.2.0 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 18.1.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.1 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.0.2 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.1 - - 23.0.2 - - 24.0.0 - - 24.0.0.0rc1 - - 25.0.0 - - 25.0.0.0rc1 - - 26.0.0 - - 26.0.0.0rc1 aliases: - CVE-2014-5253 +- GHSA-77w8-qv8m-386h details: OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain. id: PYSEC-2014-109 -modified: '2024-11-21T14:22:52.89692Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2014-08-25T14:55:00Z' references: - type: WEB @@ -76,4 +28,3 @@ references: url: http://rhn.redhat.com/errata/RHSA-2014-1121.html - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-1122.html -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2016-38.yaml b/vulns/keystone/PYSEC-2016-38.yaml index c01ab884..90ffdc31 100644 --- a/vulns/keystone/PYSEC-2016-38.yaml +++ b/vulns/keystone/PYSEC-2016-38.yaml 
@@ -5,65 +5,17 @@ affected: purl: pkg:pypi/keystone ranges: - events: - - introduced: '0' + - introduced: 9.0.0 + - fixed: 9.0.1 type: ECOSYSTEM - versions: - - 12.0.2 - - 12.0.3 - - 13.0.2 - - 13.0.3 - - 13.0.4 - - 14.0.0 - - 14.0.1 - - 14.1.0 - - 14.2.0 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 18.1.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.1 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.0.2 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.1 - - 23.0.2 - - 24.0.0 - - 24.0.0.0rc1 - - 25.0.0 - - 25.0.0.0rc1 - - 26.0.0 - - 26.0.0.0rc1 aliases: - CVE-2016-4911 +- GHSA-f82m-w3p3-cgp3 details: The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token. id: PYSEC-2016-38 -modified: '2024-11-21T14:22:52.950772Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2016-06-13T14:59:00Z' references: - type: ARTICLE @@ -85,4 +37,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/keystone/PYSEC-2018-152.yaml b/vulns/keystone/PYSEC-2018-152.yaml index d9124f58..cedae5d7 100644 --- a/vulns/keystone/PYSEC-2018-152.yaml +++ b/vulns/keystone/PYSEC-2018-152.yaml 
@@ -5,66 +5,38 @@ affected: purl: pkg:pypi/keystone ranges: - events: - - introduced: '0' + - introduced: 9.0.0 + - last_affected: 9.3.0 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: keystone + purl: pkg:pypi/keystone + ranges: + - events: + - introduced: 10.0.0 + - fixed: 10.0.2 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: keystone + purl: pkg:pypi/keystone + ranges: + - events: + - introduced: 11.0.0 + - fixed: 11.0.1 type: ECOSYSTEM versions: - - 12.0.2 - - 12.0.3 - - 13.0.2 - - 13.0.3 - - 13.0.4 - - 14.0.0 - - 14.0.1 - - 14.1.0 - - 14.2.0 - - 15.0.0 - - 15.0.0.0rc1 - - 15.0.0.0rc2 - - 15.0.1 - - 16.0.0 - - 16.0.0.0rc1 - - 16.0.0.0rc2 - - 16.0.1 - - 16.0.2 - - 17.0.0 - - 17.0.0.0rc1 - - 17.0.0.0rc2 - - 17.0.1 - - 18.0.0 - - 18.0.0.0rc1 - - 18.1.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.1 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.0.2 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.1 - - 23.0.2 - - 24.0.0 - - 24.0.0.0rc1 - - 25.0.0 - - 25.0.0.0rc1 - - 26.0.0 - - 26.0.0.0rc1 + - 11.0.0 aliases: - CVE-2017-2673 +- GHSA-j36m-hv43-7w7m details: An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles. id: PYSEC-2018-152 -modified: '2024-11-21T14:22:53.005774Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2018-07-19T13:29:00Z' references: - type: REPORT @@ -96,4 +68,3 @@ references: severity: - score: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/lief/PYSEC-2022-43138.yaml b/vulns/lief/PYSEC-2022-43138.yaml index 7a24dd67..f5c3939e 100644 --- a/vulns/lief/PYSEC-2022-43138.yaml +++ b/vulns/lief/PYSEC-2022-43138.yaml 
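Review bot: The hunk turns one keystone package entry into three, each repeating `ecosystem`, `name` and `purl`, when an OSV `affected` entry may carry several `ranges`; the split also leaves the `versions` list (the context `versions:` key with the added `- 11.0.0`) attached only to the third entry, so a consumer reading the 9.x or 10.x entry sees no concrete versions at all. One entry with three ECOSYSTEM ranges expresses the same data without the repetition, as sketched below; the entry continues past the hunk at `aliases:`. Whether the 9.x branch should end with `last_affected: 9.3.0` rather than a `fixed` event depends on whether a 9.x release shipped the fix, which the description does not say, so that choice should be confirmed against the referenced report.
```yaml
# … unchanged: affected: / - package: header (ecosystem, name, purl) …
  ranges:
  - events:
    - introduced: 9.0.0
    - last_affected: 9.3.0
    type: ECOSYSTEM
  - events:
    - introduced: 10.0.0
    - fixed: 10.0.2
    type: ECOSYSTEM
  - events:
    - introduced: 11.0.0
    - fixed: 11.0.1
    type: ECOSYSTEM
  versions:
  - 11.0.0
# … unchanged: aliases onward …
```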
@@ -6,6 +6,7 @@ affected: ranges: - events: - introduced: '0' + - fixed: 0.12.2 type: ECOSYSTEM versions: - 0.10.0 @@ -18,15 +19,6 @@ affected: - 0.11.5 - 0.12.0 - 0.12.1 - - 0.12.2 - - 0.12.3 - - 0.13.0 - - 0.13.1 - - 0.13.2 - - 0.14.0 - - 0.14.1 - - 0.15.0 - - 0.15.1 - 0.8.0 - 0.8.1 - 0.8.2 @@ -34,11 +26,12 @@ affected: - 0.9.0 aliases: - CVE-2022-40922 +- GHSA-38hf-c37x-32hv details: A vulnerability in the LIEF::MachO::BinaryParser::init_and_parse function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file. id: PYSEC-2022-43138 -modified: '2024-11-21T14:22:53.903108Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2022-10-03T13:15:00Z' references: - type: EVIDENCE @@ -48,4 +41,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/lief/PYSEC-2022-43139.yaml b/vulns/lief/PYSEC-2022-43139.yaml index 2b80d88b..a88e1f77 100644 --- a/vulns/lief/PYSEC-2022-43139.yaml +++ b/vulns/lief/PYSEC-2022-43139.yaml @@ -6,6 +6,7 @@ affected: ranges: - events: - introduced: '0' + - last_affected: 0.12.1 type: ECOSYSTEM versions: - 0.10.0 @@ -18,15 +19,6 @@ affected: - 0.11.5 - 0.12.0 - 0.12.1 - - 0.12.2 - - 0.12.3 - - 0.13.0 - - 0.13.1 - - 0.13.2 - - 0.14.0 - - 0.14.1 - - 0.15.0 - - 0.15.1 - 0.8.0 - 0.8.1 - 0.8.2 @@ -34,11 +26,12 @@ affected: - 0.9.0 aliases: - CVE-2022-40923 +- GHSA-rm2x-hgr8-w343 details: A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file. id: PYSEC-2022-43139 -modified: '2024-11-21T14:22:53.968694Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2022-09-30T19:15:00Z' references: - type: EVIDENCE @@ -50,4 +43,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' 
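Review bot: PYSEC-2022-43139 closes its range with `- last_affected: 0.12.1` while its sibling PYSEC-2022-43138 in this same patch uses `- fixed: 0.12.2` for the same LIEF v0.12.1 MachO-parser family (and PYSEC-2022-43140 uses `- fixed: 0.12.3`). OSV intends `last_affected` for advisories where no fixing release is known, yet this hunk also deletes 0.12.2 and later from 43139's `versions`, so the record already asserts that 0.12.2 is clean; unless the fix for CVE-2022-40923 genuinely cannot be pinned to a release, `- fixed: 0.12.2` is the consistent encoding. Consumers evaluate the two event types differently, so the three sibling advisories should agree on which one they use.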
diff --git a/vulns/lief/PYSEC-2022-43140.yaml b/vulns/lief/PYSEC-2022-43140.yaml index 14ffab0e..0dfa9898 100644 --- a/vulns/lief/PYSEC-2022-43140.yaml +++ b/vulns/lief/PYSEC-2022-43140.yaml @@ -6,6 +6,7 @@ affected: ranges: - events: - introduced: '0' + - fixed: 0.12.3 type: ECOSYSTEM versions: - 0.10.0 @@ -19,14 +20,6 @@ affected: - 0.12.0 - 0.12.1 - 0.12.2 - - 0.12.3 - - 0.13.0 - - 0.13.1 - - 0.13.2 - - 0.14.0 - - 0.14.1 - - 0.15.0 - - 0.15.1 - 0.8.0 - 0.8.1 - 0.8.2 @@ -34,11 +27,12 @@ affected: - 0.9.0 aliases: - CVE-2022-43171 +- GHSA-jvp9-phwp-p738 details: A heap buffer overflow in the LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind function of LIEF v0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted MachO file. id: PYSEC-2022-43140 -modified: '2024-11-21T14:22:54.027776Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2022-11-17T23:15:00Z' references: - type: EVIDENCE @@ -50,4 +44,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/mayan-edms/PYSEC-2023-276.yaml b/vulns/mayan-edms/PYSEC-2023-276.yaml index ea9cf09a..f1c93c16 100644 --- a/vulns/mayan-edms/PYSEC-2023-276.yaml +++ b/vulns/mayan-edms/PYSEC-2023-276.yaml @@ -6,6 +6,7 @@ affected: ranges: - events: - introduced: '0' + - fixed: 4.3.6 type: ECOSYSTEM versions: - 1.0.0 
@@ -207,68 +208,19 @@ affected: - 4.2rc1 - '4.3' - 4.3.1 - - 4.3.10 - - 4.3.11 - - 4.3.12 - 4.3.2 - 4.3.3 - 4.3.4 - 4.3.5 - - 4.3.6 - - 4.3.7 - - 4.3.8 - - 4.3.9 - 4.3a1 - 4.3rc1 - - '4.4' - - 4.4.1 - - 4.4.10 - - 4.4.11 - - 4.4.12 - - 4.4.13 - - 4.4.14 - - 4.4.15 - - 4.4.16 - - 4.4.2 - - 4.4.3 - - 4.4.4 - - 4.4.5 - - 4.4.6 - - 4.4.7 - - 4.4.8 - - 4.4.9 - - '4.5' - - 4.5.1 - - 4.5.10 - - 4.5.11 - - 4.5.12 - - 4.5.13 - - 4.5.2 - - 4.5.3 - - 4.5.4 - - 4.5.5 - - 4.5.6 - - 4.5.7 - - 4.5.8 - - 4.5.9 - - '4.6' - - 4.6.1 - - 4.6.2 - - 4.6.3 - - 4.6.4 - - 4.6.5 - - '4.7' - - 4.7.1 - - '4.8' - - 4.8.1 - - 4.8.2 - - 4.8.3 aliases: - CVE-2022-47419 +- GHSA-5m6v-2xgf-qhrw details: An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful XSS exploitation was observed in the in-product tagging system. id: PYSEC-2023-276 -modified: '2024-11-21T14:22:54.315889Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2023-02-07T22:15:00Z' references: - type: EVIDENCE @@ -280,4 +232,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/moin/PYSEC-2008-12.yaml b/vulns/moin/PYSEC-2008-12.yaml index 3b379a37..db03545a 100644 --- a/vulns/moin/PYSEC-2008-12.yaml +++ b/vulns/moin/PYSEC-2008-12.yaml 
@@ -2,37 +2,36 @@ affected: - package: ecosystem: PyPI name: moin - purl: pkg:pypi/moin ranges: - events: - introduced: '0' + - fixed: 1.6.3 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: moin + ranges: + - events: + - introduced: '0' + - fixed: 1.6.3 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: moin + ranges: + - events: + - introduced: '1.7' + - fixed: 1.7.1 type: ECOSYSTEM versions: - - 1.8.4 - - 1.8.5 - - 1.8.6 - - 1.8.7 - - 1.9.0 - - 1.9.1 - - 1.9.10 - - 1.9.11 - - 1.9.2 - - 1.9.3 - - 1.9.4 - - 1.9.5 - - 1.9.6 - - 1.9.7 - - 1.9.8 - - 1.9.9 - - 2.0.0a1 - - 2.0.0b1 + - '1.7' aliases: - CVE-2008-1937 details: The user form processing (userform.py) in MoinMoin before 1.6.3, when using ACLs or a non-empty superusers list, does not properly manage users, which allows remote attackers to gain privileges. id: PYSEC-2008-12 -modified: '2024-11-21T14:22:55.213739Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2008-04-25T06:05:00Z' references: - type: EVIDENCE @@ -51,4 +50,3 @@ references: url: http://www.vupen.com/english/advisories/2008/1307/references - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/41909 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/moin/PYSEC-2008-13.yaml b/vulns/moin/PYSEC-2008-13.yaml index bc35f8eb..9f4ffaf2 100644 --- a/vulns/moin/PYSEC-2008-13.yaml +++ b/vulns/moin/PYSEC-2008-13.yaml 
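Review bot: The first two `affected` entries this hunk produces for moin are identical — the existing entry (context `- introduced: '0'` plus the added `- fixed: 1.6.3`) and the newly added `- package:` block immediately after it both encode the range `0 → 1.6.3` — so the second block (the eight added lines from `+- package:` through its `+ type: ECOSYSTEM`) duplicates the first and should be dropped, leaving one entry for versions before 1.6.3 and one for `'1.7'` before 1.7.1. If a distinct range was intended for that block, that range is what should replace it. The PYSEC-2009-13 hunk later in this patch shows the two-entry shape that was presumably meant here.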
@@ -6,33 +6,27 @@ affected: ranges: - events: - introduced: '0' + - fixed: 1.6.4 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: moin + purl: pkg:pypi/moin + ranges: + - events: + - introduced: 1.7.0 + - fixed: 1.7.1 type: ECOSYSTEM versions: - - 1.8.4 - - 1.8.5 - - 1.8.6 - - 1.8.7 - - 1.9.0 - - 1.9.1 - - 1.9.10 - - 1.9.11 - - 1.9.2 - - 1.9.3 - - 1.9.4 - - 1.9.5 - - 1.9.6 - - 1.9.7 - - 1.9.8 - - 1.9.9 - - 2.0.0a1 - - 2.0.0b1 + - 1.7.0 aliases: - CVE-2008-3381 +- GHSA-q7q4-5g8p-33fq details: Multiple cross-site scripting (XSS) vulnerabilities in macro/AdvancedSearch.py in moin (and MoinMoin) 1.6.3 and 1.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. id: PYSEC-2008-13 -modified: '2024-11-21T14:22:55.267769Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2008-07-30T18:41:00Z' references: - type: EVIDENCE @@ -49,4 +43,3 @@ references: url: http://www.vupen.com/english/advisories/2008/2147/references - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/43899 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/moin/PYSEC-2009-12.yaml b/vulns/moin/PYSEC-2009-12.yaml index a25bc646..71f3a0d5 100644 --- a/vulns/moin/PYSEC-2009-12.yaml +++ b/vulns/moin/PYSEC-2009-12.yaml 
@@ -6,34 +6,17 @@ affected: ranges: - events: - introduced: '0' + - fixed: 1.6.1 type: ECOSYSTEM - versions: - - 1.8.4 - - 1.8.5 - - 1.8.6 - - 1.8.7 - - 1.9.0 - - 1.9.1 - - 1.9.10 - - 1.9.11 - - 1.9.2 - - 1.9.3 - - 1.9.4 - - 1.9.5 - - 1.9.6 - - 1.9.7 - - 1.9.8 - - 1.9.9 - - 2.0.0a1 - - 2.0.0b1 aliases: - CVE-2008-6549 +- GHSA-wjjc-m3fc-fcm8 details: The password_checker function in config/multiconfig.py in MoinMoin 1.6.1 uses the cracklib and python-crack features even though they are not thread-safe, which allows remote attackers to cause a denial of service (segmentation fault and crash) via unknown vectors. id: PYSEC-2009-12 -modified: '2024-11-21T14:22:55.31913Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2009-03-30T01:30:00Z' references: - type: EVIDENCE @@ -42,4 +25,3 @@ references: url: http://moinmo.in/SecurityFixes - type: WEB url: http://osvdb.org/48876 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/moin/PYSEC-2009-13.yaml b/vulns/moin/PYSEC-2009-13.yaml index 1f84e280..916bae51 100644 --- a/vulns/moin/PYSEC-2009-13.yaml +++ b/vulns/moin/PYSEC-2009-13.yaml @@ -6,33 +6,27 @@ affected: ranges: - events: - introduced: '0' + - fixed: 1.6.3 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: moin + purl: pkg:pypi/moin + ranges: + - events: + - introduced: '1.7' + - fixed: 1.7.1 type: ECOSYSTEM versions: - - 1.8.4 - - 1.8.5 - - 1.8.6 - - 1.8.7 - - 1.9.0 - - 1.9.1 - - 1.9.10 - - 1.9.11 - - 1.9.2 - - 1.9.3 - - 1.9.4 - - 1.9.5 - - 1.9.6 - - 1.9.7 - - 1.9.8 - - 1.9.9 - - 2.0.0a1 - - 2.0.0b1 + - '1.7' aliases: - CVE-2008-6603 +- GHSA-wc8w-gh5m-62fv details: MoinMoin 1.6.2 and 1.7 does not properly enforce ACL checks when acl_hierarchic is set to True, which might allow remote attackers to bypass intended access restrictions, a different vulnerability than CVE-2008-1937. id: PYSEC-2009-13 -modified: '2024-11-21T14:22:55.369914Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2009-04-03T18:30:00Z' references: - type: WEB 
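Review bot: In PYSEC-2009-12 the added `- fixed: 1.6.1` ends the range before 1.6.1, but 1.6.1 is the only release the description names as affected ("in MoinMoin 1.6.1 uses the cracklib and python-crack features"), so the new range excludes the vulnerable release and matches only versions the advisory never mentions. The affected release has to lie inside the range: keep `- introduced: '0'` only if earlier releases are known to be affected, otherwise use `- introduced: 1.6.1`, and close the range with the fixing release given by the referenced moinmo.in SecurityFixes page, or with `- last_affected: 1.6.1` if none is recorded there. Since this hunk also deletes the whole `versions` enumeration, after the change nothing in the file names a concrete affected release at all.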
@@ -51,4 +45,3 @@ references: url: http://www.securityfocus.com/bid/34655 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/41911 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2013-43.yaml b/vulns/nova/PYSEC-2013-43.yaml index 23176562..f8f980b4 100644 --- a/vulns/nova/PYSEC-2013-43.yaml +++ b/vulns/nova/PYSEC-2013-43.yaml 
@@ -6,133 +6,16 @@ affected: ranges: - events: - introduced: '0' + - fixed: 12.0.0a0 type: ECOSYSTEM - versions: - - 15.1.5 - - 16.1.6 - - 16.1.7 - - 16.1.8 - - 17.0.10 - - 17.0.11 - - 17.0.12 - - 17.0.13 - - 17.0.7 - - 17.0.8 - - 17.0.9 - - 18.0.2 - - 18.0.3 - - 18.1.0 - - 18.2.0 - - 18.2.1 - - 18.2.2 - - 18.2.3 - - 18.3.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.1.0 - - 19.2.0 - - 19.3.0 - - 19.3.1 - - 19.3.2 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.1.1 - - 20.2.0 - - 20.3.0 - - 20.4.0 - - 20.4.1 - - 20.5.0 - - 20.6.0 - - 20.6.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 21.1.1 - - 21.1.2 - - 21.2.0 - - 21.2.1 - - 21.2.2 - - 21.2.3 - - 21.2.4 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.1.0 - - 22.2.0 - - 22.2.1 - - 22.2.2 - - 22.3.0 - - 22.4.0 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.0.1 - - 23.0.2 - - 23.1.0 - - 23.2.0 - - 23.2.1 - - 23.2.2 - - 24.0.0 - - 24.0.0.0rc1 - - 24.0.0.0rc2 - - 24.1.0 - - 24.1.1 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0rc1 - - 25.0.1 - - 25.1.0 - - 25.1.1 - - 25.2.0 - - 25.2.1 - - 25.3.0 - - 26.0.0 - - 26.0.0.0rc1 - - 26.0.0.0rc2 - - 26.1.0 - - 26.1.1 - - 26.2.0 - - 26.2.1 - - 26.2.2 - - 26.3.0 - - 27.0.0 - - 27.0.0.0rc1 - - 27.1.0 - - 27.2.0 - - 27.3.0 - - 27.4.0 - - 27.5.0 - - 27.5.1 - - 28.0.0 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 28.2.0 - - 28.3.0 - - 29.0.0 - - 29.0.0.0rc1 - - 29.0.1 - - 29.0.2 - - 29.1.0 - - 29.2.0 - - 30.0.0 - - 30.0.0.0rc1 aliases: - CVE-2013-0335 +- GHSA-qfp8-hfqx-c79c details: OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to gain access to a VM in opportunistic circumstances by using the VNC token for a deleted VM that was bound to the same VNC port. id: PYSEC-2013-43 -modified: '2024-11-21T14:22:56.678255Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2013-03-22T21:55:00Z' references: - type: WEB 
@@ -155,4 +38,3 @@ references: url: http://www.osvdb.org/90657 - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2013-0709.html -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/nova/PYSEC-2013-44.yaml b/vulns/nova/PYSEC-2013-44.yaml index eb1b207d..43394379 100644 --- a/vulns/nova/PYSEC-2013-44.yaml +++ b/vulns/nova/PYSEC-2013-44.yaml 
@@ -6,134 +6,17 @@ affected: ranges: - events: - introduced: '0' + - fixed: 12.0.0a0 type: ECOSYSTEM - versions: - - 15.1.5 - - 16.1.6 - - 16.1.7 - - 16.1.8 - - 17.0.10 - - 17.0.11 - - 17.0.12 - - 17.0.13 - - 17.0.7 - - 17.0.8 - - 17.0.9 - - 18.0.2 - - 18.0.3 - - 18.1.0 - - 18.2.0 - - 18.2.1 - - 18.2.2 - - 18.2.3 - - 18.3.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.1.0 - - 19.2.0 - - 19.3.0 - - 19.3.1 - - 19.3.2 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.1.1 - - 20.2.0 - - 20.3.0 - - 20.4.0 - - 20.4.1 - - 20.5.0 - - 20.6.0 - - 20.6.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 21.1.1 - - 21.1.2 - - 21.2.0 - - 21.2.1 - - 21.2.2 - - 21.2.3 - - 21.2.4 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.1.0 - - 22.2.0 - - 22.2.1 - - 22.2.2 - - 22.3.0 - - 22.4.0 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.0.1 - - 23.0.2 - - 23.1.0 - - 23.2.0 - - 23.2.1 - - 23.2.2 - - 24.0.0 - - 24.0.0.0rc1 - - 24.0.0.0rc2 - - 24.1.0 - - 24.1.1 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0rc1 - - 25.0.1 - - 25.1.0 - - 25.1.1 - - 25.2.0 - - 25.2.1 - - 25.3.0 - - 26.0.0 - - 26.0.0.0rc1 - - 26.0.0.0rc2 - - 26.1.0 - - 26.1.1 - - 26.2.0 - - 26.2.1 - - 26.2.2 - - 26.3.0 - - 27.0.0 - - 27.0.0.0rc1 - - 27.1.0 - - 27.2.0 - - 27.3.0 - - 27.4.0 - - 27.5.0 - - 27.5.1 - - 28.0.0 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 28.2.0 - - 28.3.0 - - 29.0.0 - - 29.0.0.0rc1 - - 29.0.1 - - 29.0.2 - - 29.1.0 - - 29.2.0 - - 30.0.0 - - 30.0.0.0rc1 aliases: - CVE-2013-1838 +- GHSA-63fq-8fp9-vhwq details: OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) does not properly implement a quota for fixed IPs, which allows remote authenticated users to cause a denial of service (resource exhaustion and failure to spawn new instances) via a large number of calls to the addFixedIp function. 
id: PYSEC-2013-44
-modified: '2024-11-21T14:22:56.735821Z'
+modified: '2024-11-25T18:35:18.357593Z'
published: '2013-03-22T21:55:00Z'
references:
- type: WEB
@@ -164,4 +47,3 @@ references:
url: http://rhn.redhat.com/errata/RHSA-2013-0709.html
- type: WEB
url: https://exchange.xforce.ibmcloud.com/vulnerabilities/82877
-withdrawn: '2024-11-22T04:37:04Z'
diff --git a/vulns/nova/PYSEC-2014-111.yaml b/vulns/nova/PYSEC-2014-111.yaml
index 69050683..0d4f73e6 100644
--- a/vulns/nova/PYSEC-2014-111.yaml
+++ b/vulns/nova/PYSEC-2014-111.yaml
@@ -6,134 +6,17 @@ affected: ranges: - events: - introduced: '0' + - fixed: 12.0.0a0 type: ECOSYSTEM - versions: - - 15.1.5 - - 16.1.6 - - 16.1.7 - - 16.1.8 - - 17.0.10 - - 17.0.11 - - 17.0.12 - - 17.0.13 - - 17.0.7 - - 17.0.8 - - 17.0.9 - - 18.0.2 - - 18.0.3 - - 18.1.0 - - 18.2.0 - - 18.2.1 - - 18.2.2 - - 18.2.3 - - 18.3.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.1.0 - - 19.2.0 - - 19.3.0 - - 19.3.1 - - 19.3.2 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.1.1 - - 20.2.0 - - 20.3.0 - - 20.4.0 - - 20.4.1 - - 20.5.0 - - 20.6.0 - - 20.6.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 21.1.1 - - 21.1.2 - - 21.2.0 - - 21.2.1 - - 21.2.2 - - 21.2.3 - - 21.2.4 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.1.0 - - 22.2.0 - - 22.2.1 - - 22.2.2 - - 22.3.0 - - 22.4.0 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.0.1 - - 23.0.2 - - 23.1.0 - - 23.2.0 - - 23.2.1 - - 23.2.2 - - 24.0.0 - - 24.0.0.0rc1 - - 24.0.0.0rc2 - - 24.1.0 - - 24.1.1 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0rc1 - - 25.0.1 - - 25.1.0 - - 25.1.1 - - 25.2.0 - - 25.2.1 - - 25.3.0 - - 26.0.0 - - 26.0.0.0rc1 - - 26.0.0.0rc2 - - 26.1.0 - - 26.1.1 - - 26.2.0 - - 26.2.1 - - 26.2.2 - - 26.3.0 - - 27.0.0 - - 27.0.0.0rc1 - - 27.1.0 - - 27.2.0 - - 27.3.0 - - 27.4.0 - - 27.5.0 - - 27.5.1 - - 28.0.0 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 28.2.0 - - 28.3.0 - - 29.0.0 - - 29.0.0.0rc1 - - 29.0.1 - - 29.0.2 - - 29.1.0 - - 29.2.0 - - 30.0.0 - - 30.0.0.0rc1 aliases: - CVE-2013-7130 +- GHSA-99rx-9x8v-9j8p details: The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users via ephemeral storage. 
id: PYSEC-2014-111
-modified: '2024-11-21T14:22:56.854091Z'
+modified: '2024-11-25T18:35:18.357593Z'
published: '2014-02-06T17:00:00Z'
references:
- type: WEB
@@ -162,4 +45,3 @@ references:
url: http://www.ubuntu.com/usn/USN-2247-1
- type: WEB
url: https://exchange.xforce.ibmcloud.com/vulnerabilities/90652
-withdrawn: '2024-11-22T04:37:04Z'
diff --git a/vulns/nova/PYSEC-2014-112.yaml b/vulns/nova/PYSEC-2014-112.yaml
index 54f83217..bd7e427f 100644
--- a/vulns/nova/PYSEC-2014-112.yaml
+++ b/vulns/nova/PYSEC-2014-112.yaml
@@ -6,134 +6,17 @@ affected: ranges: - events: - introduced: '0' + - fixed: 12.0.0a0 type: ECOSYSTEM - versions: - - 15.1.5 - - 16.1.6 - - 16.1.7 - - 16.1.8 - - 17.0.10 - - 17.0.11 - - 17.0.12 - - 17.0.13 - - 17.0.7 - - 17.0.8 - - 17.0.9 - - 18.0.2 - - 18.0.3 - - 18.1.0 - - 18.2.0 - - 18.2.1 - - 18.2.2 - - 18.2.3 - - 18.3.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.1.0 - - 19.2.0 - - 19.3.0 - - 19.3.1 - - 19.3.2 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.1.1 - - 20.2.0 - - 20.3.0 - - 20.4.0 - - 20.4.1 - - 20.5.0 - - 20.6.0 - - 20.6.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 21.1.1 - - 21.1.2 - - 21.2.0 - - 21.2.1 - - 21.2.2 - - 21.2.3 - - 21.2.4 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.1.0 - - 22.2.0 - - 22.2.1 - - 22.2.2 - - 22.3.0 - - 22.4.0 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.0.1 - - 23.0.2 - - 23.1.0 - - 23.2.0 - - 23.2.1 - - 23.2.2 - - 24.0.0 - - 24.0.0.0rc1 - - 24.0.0.0rc2 - - 24.1.0 - - 24.1.1 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0rc1 - - 25.0.1 - - 25.1.0 - - 25.1.1 - - 25.2.0 - - 25.2.1 - - 25.3.0 - - 26.0.0 - - 26.0.0.0rc1 - - 26.0.0.0rc2 - - 26.1.0 - - 26.1.1 - - 26.2.0 - - 26.2.1 - - 26.2.2 - - 26.3.0 - - 27.0.0 - - 27.0.0.0rc1 - - 27.1.0 - - 27.2.0 - - 27.3.0 - - 27.4.0 - - 27.5.0 - - 27.5.1 - - 28.0.0 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 28.2.0 - - 28.3.0 - - 29.0.0 - - 29.0.0.0rc1 - - 29.0.1 - - 29.0.2 - - 29.1.0 - - 29.2.0 - - 30.0.0 - - 30.0.0.0rc1 aliases: - CVE-2014-0134 +- GHSA-w429-xc55-hc48 details: The instance rescue mode in OpenStack Compute (Nova) 2013.2 before 2013.2.3 and Icehouse before 2014.1, when using libvirt to spawn images and use_cow_images is set to false, allows remote authenticated users to read certain compute host files by overwriting an instance disk with a crafted image. 
id: PYSEC-2014-112
-modified: '2024-11-21T14:22:56.917584Z'
+modified: '2024-11-25T18:35:18.357593Z'
published: '2014-05-08T14:29:00Z'
references:
- type: WEB
@@ -142,4 +25,3 @@ references:
url: https://bugs.launchpad.net/nova/+bug/1221190
- type: ADVISORY
url: http://www.ubuntu.com/usn/USN-2247-1
-withdrawn: '2024-11-22T04:37:04Z'
diff --git a/vulns/nova/PYSEC-2014-113.yaml b/vulns/nova/PYSEC-2014-113.yaml
index 16bc7751..e337ef16 100644
--- a/vulns/nova/PYSEC-2014-113.yaml
+++ b/vulns/nova/PYSEC-2014-113.yaml
@@ -6,134 +6,17 @@ affected: ranges: - events: - introduced: '0' + - fixed: 12.0.0a0 type: ECOSYSTEM - versions: - - 15.1.5 - - 16.1.6 - - 16.1.7 - - 16.1.8 - - 17.0.10 - - 17.0.11 - - 17.0.12 - - 17.0.13 - - 17.0.7 - - 17.0.8 - - 17.0.9 - - 18.0.2 - - 18.0.3 - - 18.1.0 - - 18.2.0 - - 18.2.1 - - 18.2.2 - - 18.2.3 - - 18.3.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.1.0 - - 19.2.0 - - 19.3.0 - - 19.3.1 - - 19.3.2 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.1.1 - - 20.2.0 - - 20.3.0 - - 20.4.0 - - 20.4.1 - - 20.5.0 - - 20.6.0 - - 20.6.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 21.1.1 - - 21.1.2 - - 21.2.0 - - 21.2.1 - - 21.2.2 - - 21.2.3 - - 21.2.4 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.1.0 - - 22.2.0 - - 22.2.1 - - 22.2.2 - - 22.3.0 - - 22.4.0 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.0.1 - - 23.0.2 - - 23.1.0 - - 23.2.0 - - 23.2.1 - - 23.2.2 - - 24.0.0 - - 24.0.0.0rc1 - - 24.0.0.0rc2 - - 24.1.0 - - 24.1.1 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0rc1 - - 25.0.1 - - 25.1.0 - - 25.1.1 - - 25.2.0 - - 25.2.1 - - 25.3.0 - - 26.0.0 - - 26.0.0.0rc1 - - 26.0.0.0rc2 - - 26.1.0 - - 26.1.1 - - 26.2.0 - - 26.2.1 - - 26.2.2 - - 26.3.0 - - 27.0.0 - - 27.0.0.0rc1 - - 27.1.0 - - 27.2.0 - - 27.3.0 - - 27.4.0 - - 27.5.0 - - 27.5.1 - - 28.0.0 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 28.2.0 - - 28.3.0 - - 29.0.0 - - 29.0.0.0rc1 - - 29.0.1 - - 29.0.2 - - 29.1.0 - - 29.2.0 - - 30.0.0 - - 30.0.0.0rc1 aliases: - CVE-2014-2573 +- GHSA-jv34-xvjq-ppch details: The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image. 
id: PYSEC-2014-113
-modified: '2024-11-21T14:22:56.977165Z'
+modified: '2024-11-25T18:35:18.357593Z'
published: '2014-03-25T16:55:00Z'
references:
- type: WEB
@@ -144,4 +27,3 @@ references:
url: https://bugs.launchpad.net/nova/+bug/1269418
- type: ADVISORY
url: http://secunia.com/advisories/57498
-withdrawn: '2024-11-22T04:37:04Z'
diff --git a/vulns/nova/PYSEC-2017-145.yaml b/vulns/nova/PYSEC-2017-145.yaml
index 0fbb613e..cbcd5f15 100644
--- a/vulns/nova/PYSEC-2017-145.yaml
+++ b/vulns/nova/PYSEC-2017-145.yaml
@@ -6,133 +6,16 @@ affected: ranges: - events: - introduced: '0' + - fixed: 15.0.0.0b1 type: ECOSYSTEM - versions: - - 15.1.5 - - 16.1.6 - - 16.1.7 - - 16.1.8 - - 17.0.10 - - 17.0.11 - - 17.0.12 - - 17.0.13 - - 17.0.7 - - 17.0.8 - - 17.0.9 - - 18.0.2 - - 18.0.3 - - 18.1.0 - - 18.2.0 - - 18.2.1 - - 18.2.2 - - 18.2.3 - - 18.3.0 - - 19.0.0 - - 19.0.0.0rc1 - - 19.0.0.0rc2 - - 19.0.1 - - 19.0.2 - - 19.0.3 - - 19.1.0 - - 19.2.0 - - 19.3.0 - - 19.3.1 - - 19.3.2 - - 20.0.0 - - 20.0.0.0rc1 - - 20.0.0.0rc2 - - 20.0.1 - - 20.1.0 - - 20.1.1 - - 20.2.0 - - 20.3.0 - - 20.4.0 - - 20.4.1 - - 20.5.0 - - 20.6.0 - - 20.6.1 - - 21.0.0 - - 21.0.0.0rc1 - - 21.0.0.0rc2 - - 21.1.0 - - 21.1.1 - - 21.1.2 - - 21.2.0 - - 21.2.1 - - 21.2.2 - - 21.2.3 - - 21.2.4 - - 22.0.0 - - 22.0.0.0rc1 - - 22.0.1 - - 22.1.0 - - 22.2.0 - - 22.2.1 - - 22.2.2 - - 22.3.0 - - 22.4.0 - - 23.0.0 - - 23.0.0.0rc1 - - 23.0.0.0rc2 - - 23.0.1 - - 23.0.2 - - 23.1.0 - - 23.2.0 - - 23.2.1 - - 23.2.2 - - 24.0.0 - - 24.0.0.0rc1 - - 24.0.0.0rc2 - - 24.1.0 - - 24.1.1 - - 24.2.0 - - 24.2.1 - - 25.0.0 - - 25.0.0.0rc1 - - 25.0.1 - - 25.1.0 - - 25.1.1 - - 25.2.0 - - 25.2.1 - - 25.3.0 - - 26.0.0 - - 26.0.0.0rc1 - - 26.0.0.0rc2 - - 26.1.0 - - 26.1.1 - - 26.2.0 - - 26.2.1 - - 26.2.2 - - 26.3.0 - - 27.0.0 - - 27.0.0.0rc1 - - 27.1.0 - - 27.2.0 - - 27.3.0 - - 27.4.0 - - 27.5.0 - - 27.5.1 - - 28.0.0 - - 28.0.0.0rc1 - - 28.0.1 - - 28.1.0 - - 28.2.0 - - 28.3.0 - - 29.0.0 - - 29.0.0.0rc1 - - 29.0.1 - - 29.0.2 - - 29.1.0 - - 29.2.0 - - 30.0.0 - - 30.0.0.0rc1 aliases: - CVE-2015-2687 +- GHSA-97fv-22hc-mrgj details: OpenStack Compute (nova) Icehouse, Juno and Havana when live migration fails allows local users to access VM volumes that they would normally not have permissions for. id: PYSEC-2017-145 -modified: '2024-11-21T14:22:57.038308Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2017-08-09T18:29:00Z' references: - type: WEB 
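Review bot: `- fixed: 15.0.0.0b1` is a different bound from the `12.0.0a0` used for the other nova entries in this commit, and nothing in the hunk explains the difference: the details text names Icehouse, Juno and Havana without a fix release, and the only visible reference is of type WEB. If the fix genuinely landed in the 15.0.0.0b1 pre-release, a reference of type FIX pointing at the fixing change would document that and justify the wider affected window; if the value was meant to be the same "first PyPI release" proxy as the sibling entries, it should match them. As written, a consumer comparing this entry with PYSEC-2013-43 through PYSEC-2014-113 cannot tell which of the two bounds is deliberate.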
@@ -162,4 +45,3 @@ references:
severity:
- score: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
type: CVSS_V3
-withdrawn: '2024-11-22T04:37:04Z'
diff --git a/vulns/patchelf/PYSEC-2022-43144.yaml b/vulns/patchelf/PYSEC-2022-43144.yaml
index b4b8d30e..78719a56 100644
--- a/vulns/patchelf/PYSEC-2022-43144.yaml
+++ b/vulns/patchelf/PYSEC-2022-43144.yaml
@@ -6,6 +6,7 @@ affected:
ranges:
- events:
- introduced: '0'
+ - fixed: 0.16.1.0
type: ECOSYSTEM
versions:
- 0.11.0.0
@@ -18,17 +19,13 @@ affected:
- 0.14.3.0
- 0.14.5.0
- 0.15.0.0
- - 0.16.1.0
- - 0.17.0.0
- - 0.17.2.0
- - 0.17.2.1
- - 0.18.0.0
aliases:
- CVE-2022-44940
+- GHSA-5pcj-3m26-w633
details: Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/patchelf.cc.
id: PYSEC-2022-43144
-modified: '2024-11-21T14:22:58.452456Z'
+modified: '2024-11-25T18:35:18.357593Z'
published: '2022-12-19T22:15:00Z'
references:
- type: EVIDENCE
@@ -40,4 +37,3 @@ references:
severity:
- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
type: CVSS_V3
-withdrawn: '2024-11-22T04:37:04Z'
diff --git a/vulns/pg-query/PYSEC-2018-154.yaml b/vulns/pg-query/PYSEC-2018-154.yaml
index e7a7e468..972d9f05 100644
--- a/vulns/pg-query/PYSEC-2018-154.yaml
+++ b/vulns/pg-query/PYSEC-2018-154.yaml
@@ -6,6 +6,7 @@ affected:
ranges:
- events:
- introduced: '0'
+ - fixed: '0.28'
type: ECOSYSTEM
versions:
- '0.1'
@@ -28,8 +29,6 @@ affected:
- '0.25'
- '0.26'
- '0.27'
- - '0.28'
- - '0.29'
- '0.3'
- '0.4'
- '0.5'
@@ -39,10 +38,11 @@ affected:
- '0.9'
aliases:
- CVE-2018-18482
+- GHSA-vm3q-58wm-2r2x
details: An issue was discovered in libpg_query 10-1.0.2. There is a memory leak in pg_query_raw_parse in pg_query_parse.c, which might lead to a denial of service.
id: PYSEC-2018-154
-modified: '2024-11-21T14:22:58.504401Z'
+modified: '2024-11-25T18:35:18.357593Z'
published: '2018-10-18T18:29:00Z'
references:
- type: EVIDENCE
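Review bot: `- fixed: '0.28'` (pg-query) and `- fixed: 0.16.1.0` (patchelf) each set a fixed bound whose source is not visible: both details texts describe the upstream C library (libpg_query 10-1.0.2, Patchelf v0.9) rather than the PyPI wrapper release that picked up the fix, and the visible references are of type EVIDENCE only. A reference of type FIX pointing at the wrapper release or the upstream commit would let a reader confirm that 0.28 and 0.16.1.0 are the first wrapper versions shipping the corrected library. The quoting is right and should be kept as is: `'0.28'` must stay quoted because an unquoted 0.28 loads as a float and is re-serialized as a number, whereas `0.16.1.0` cannot be misread. Both hunks trim the explicit `versions` lists to stop below the new bound, which is consistent with the events.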
@@ -52,4 +52,3 @@ references: severity: - score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:04Z' diff --git a/vulns/pillow/PYSEC-2022-43145.yaml b/vulns/pillow/PYSEC-2022-43145.yaml index 9ff50e57..b5e04f11 100644 --- a/vulns/pillow/PYSEC-2022-43145.yaml +++ b/vulns/pillow/PYSEC-2022-43145.yaml @@ -5,114 +5,18 @@ affected: purl: pkg:pypi/pillow ranges: - events: - - introduced: '0' + - introduced: 9.1.0 + - fixed: 9.1.1 type: ECOSYSTEM versions: - - '1.0' - - '1.1' - - '1.2' - - '1.3' - - '1.4' - - '1.5' - - '1.6' - - 1.7.0 - - 1.7.1 - - 1.7.2 - - 1.7.3 - - 1.7.4 - - 1.7.5 - - 1.7.6 - - 1.7.7 - - 1.7.8 - - 10.0.0 - - 10.0.1 - - 10.1.0 - - 10.2.0 - - 10.3.0 - - 10.4.0 - - 11.0.0 - - 2.0.0 - - 2.1.0 - - 2.2.0 - - 2.2.1 - - 2.2.2 - - 2.3.0 - - 2.3.1 - - 2.3.2 - - 2.4.0 - - 2.5.0 - - 2.5.1 - - 2.5.2 - - 2.5.3 - - 2.6.0 - - 2.6.1 - - 2.6.2 - - 2.7.0 - - 2.8.0 - - 2.8.1 - - 2.8.2 - - 2.9.0 - - 3.0.0 - - 3.1.0 - - 3.1.0.rc1 - - 3.1.0rc1 - - 3.1.1 - - 3.1.2 - - 3.2.0 - - 3.3.0 - - 3.3.1 - - 3.3.2 - - 3.3.3 - - 3.4.0 - - 3.4.1 - - 3.4.2 - - 4.0.0 - - 4.1.0 - - 4.1.1 - - 4.2.0 - - 4.2.1 - - 4.3.0 - - 5.0.0 - - 5.1.0 - - 5.2.0 - - 5.3.0 - - 5.4.0 - - 5.4.0.dev0 - - 5.4.1 - - 6.0.0 - - 6.1.0 - - 6.2.0 - - 6.2.1 - - 6.2.2 - - 7.0.0 - - 7.1.0 - - 7.1.1 - - 7.1.2 - - 7.2.0 - - 8.0.0 - - 8.0.1 - - 8.1.0 - - 8.1.1 - - 8.1.2 - - 8.2.0 - - 8.3.0 - - 8.3.1 - - 8.3.2 - - 8.4.0 - - 9.0.0 - - 9.0.1 - 9.1.0 - - 9.1.1 - - 9.2.0 - - 9.3.0 - - 9.4.0 - - 9.5.0 aliases: - CVE-2022-30595 +- GHSA-hr8g-f6r6-mr22 details: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. id: PYSEC-2022-43145 -modified: '2024-11-21T14:22:58.587524Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2022-05-25T12:15:00Z' references: - type: WEB @@ -124,4 +28,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' 
diff --git a/vulns/plone/PYSEC-2006-5.yaml b/vulns/plone/PYSEC-2006-5.yaml
index 6eab9b32..cdf950d1 100644
--- a/vulns/plone/PYSEC-2006-5.yaml
+++ b/vulns/plone/PYSEC-2006-5.yaml
@@ -1,209 +1,20 @@ affected: - package: ecosystem: PyPI - name: plone - purl: pkg:pypi/plone + name: Plone ranges: - events: - - introduced: '0' + - introduced: '2.5' + - fixed: 2.5.1 type: ECOSYSTEM - versions: - - '3.2' - - 3.2.1 - - 3.2.2 - - 3.2.3 - - 3.2a1 - - 3.2rc1 - - '3.3' - - 3.3.1 - - 3.3.2 - - 3.3.3 - - 3.3.4 - - 3.3.5 - - 3.3.6 - - 3.3b1 - - 3.3rc1 - - 3.3rc2 - - 3.3rc3 - - 3.3rc4 - - 3.3rc5 - - '4.0' - - 4.0.1 - - 4.0.10 - - 4.0.2 - - 4.0.3 - - 4.0.4 - - 4.0.5 - - 4.0.6 - - 4.0.7 - - 4.0.8 - - 4.0.9 - - 4.0a1 - - 4.0a2 - - 4.0a3 - - 4.0a4 - - 4.0a5 - - 4.0b1 - - 4.0b2 - - 4.0b3 - - 4.0b4 - - 4.0b5 - - 4.0rc1 - - '4.1' - - 4.1.1 - - 4.1.2 - - 4.1.3 - - 4.1.4 - - 4.1.5 - - 4.1.6 - - 4.1a1 - - 4.1a2 - - 4.1a3 - - 4.1b1 - - 4.1b2 - - 4.1rc2 - - 4.1rc3 - - '4.2' - - 4.2.1 - - 4.2.2 - - 4.2.3 - - 4.2.4 - - 4.2.5 - - 4.2.6 - - 4.2.7 - - 4.2a1 - - 4.2a2 - - 4.2b1 - - 4.2b2 - - 4.2rc1 - - 4.2rc2 - - '4.3' - - 4.3.1 - - 4.3.10 - - 4.3.11 - - 4.3.12 - - 4.3.13 - - 4.3.14 - - 4.3.15 - - 4.3.16 - - 4.3.17 - - 4.3.18 - - 4.3.19 - - 4.3.2 - - 4.3.20 - - 4.3.3 - - 4.3.4 - - 4.3.5 - - 4.3.6 - - 4.3.7 - - 4.3.8 - - 4.3.9 - - 4.3a1 - - 4.3a2 - - 4.3b1 - - 4.3b2 - - 4.3rc1 - - '5.0' - - 5.0.1 - - 5.0.10 - - 5.0.2 - - 5.0.3 - - 5.0.4 - - 5.0.5 - - 5.0.6 - - 5.0.7 - - 5.0.8 - - 5.0.9 - - 5.0a1 - - 5.0a2 - - 5.0a3 - - 5.0b1 - - 5.0b2 - - 5.0b3 - - 5.0b4 - - 5.0rc1 - - 5.0rc2 - - 5.0rc3 - - 5.1.0 - - 5.1.1 - - 5.1.2 - - 5.1.3 - - 5.1.4 - - 5.1.5 - - 5.1.6 - - 5.1.7 - - 5.1a1 - - 5.1a2 - - 5.1b1 - - 5.1b2 - - 5.1b3 - - 5.1b4 - - 5.1rc1 - - 5.1rc2 - - 5.2.0 - - 5.2.1 - - 5.2.10 - - 5.2.11 - - 5.2.12 - - 5.2.13 - - 5.2.14 - - 5.2.15 - - 5.2.2 - - 5.2.3 - - 5.2.4 - - 5.2.5 - - 5.2.6 - - 5.2.7 - - 5.2.8 - - 5.2.9 - - 5.2a1 - - 5.2a2 - - 5.2b1 - - 5.2rc1 - - 5.2rc2 - - 5.2rc3 - - 5.2rc4 - - 5.2rc5 - - 6.0.0 - - 6.0.0a1 - - 6.0.0a2 - - 6.0.0a3 - - 6.0.0a4 - - 6.0.0a5 - - 6.0.0a6 - - 6.0.0b1 - - 6.0.0b2 - - 6.0.0b3 - - 6.0.0rc1 - - 6.0.0rc2 - - 6.0.1 - - 6.0.10 - - 6.0.11 - - 6.0.12 
- - 6.0.13 - - 6.0.2 - - 6.0.3 - - 6.0.4 - - 6.0.5 - - 6.0.6 - - 6.0.7 - - 6.0.8 - - 6.0.9 - - 6.1.0a1 - - 6.1.0a2 - - 6.1.0a3 - - 6.1.0a4 - - 6.1.0a5 - - 6.1.0b1 aliases: - CVE-2006-4247 details: Unspecified vulnerability in the Password Reset Tool before 0.4.1 on Plone 2.5 and 2.5.1 Release Candidate allows attackers to reset the passwords of other users, related to "an erroneous security declaration." id: PYSEC-2006-5 -modified: '2024-11-21T14:22:58.650753Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2006-09-29T19:07:00Z' references: - type: FIX url: http://plone.org/about/security/advisories/cve-2006-4247 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2006-6.yaml b/vulns/plone/PYSEC-2006-6.yaml index 78d96d01..5e70662e 100644 --- a/vulns/plone/PYSEC-2006-6.yaml +++ b/vulns/plone/PYSEC-2006-6.yaml 
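Review bot: Changing `name: plone` to `name: Plone` and dropping `purl: pkg:pypi/plone` makes this entry spell the package differently from PYSEC-2007-4 in the same commit, which keeps `name: plone`, and from PYSEC-2021-889 and PYSEC-2023-289, which keep the purl; PYSEC-2006-6, PYSEC-2008-14 and PYSEC-2011-25 receive the same `Plone` rename. PyPI names compare case-insensitively after normalization, but any consumer that matches the `name` field literally, or that keys on `purl`, will now see two distinct packages for one project, so one spelling should be used across all plone entries and the purl either kept or dropped everywhere. If `Plone` is the intended display form, the purl can stay `pkg:pypi/plone` unchanged, since the purl spec lowercases pypi names. The `introduced: '2.5'` / `fixed: 2.5.1` pair is consistent with the details text (2.5 and the 2.5.1 release candidate affected, 2.5.1 final not), and keeping `'2.5'` quoted is correct because the unquoted form loads as a float. This hunk begins on the previous line.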
@@ -1,206 +1,18 @@ affected: - package: ecosystem: PyPI - name: plone - purl: pkg:pypi/plone + name: Plone ranges: - events: - - introduced: '0' + - introduced: '2.5' + - fixed: 2.5.2 type: ECOSYSTEM - versions: - - '3.2' - - 3.2.1 - - 3.2.2 - - 3.2.3 - - 3.2a1 - - 3.2rc1 - - '3.3' - - 3.3.1 - - 3.3.2 - - 3.3.3 - - 3.3.4 - - 3.3.5 - - 3.3.6 - - 3.3b1 - - 3.3rc1 - - 3.3rc2 - - 3.3rc3 - - 3.3rc4 - - 3.3rc5 - - '4.0' - - 4.0.1 - - 4.0.10 - - 4.0.2 - - 4.0.3 - - 4.0.4 - - 4.0.5 - - 4.0.6 - - 4.0.7 - - 4.0.8 - - 4.0.9 - - 4.0a1 - - 4.0a2 - - 4.0a3 - - 4.0a4 - - 4.0a5 - - 4.0b1 - - 4.0b2 - - 4.0b3 - - 4.0b4 - - 4.0b5 - - 4.0rc1 - - '4.1' - - 4.1.1 - - 4.1.2 - - 4.1.3 - - 4.1.4 - - 4.1.5 - - 4.1.6 - - 4.1a1 - - 4.1a2 - - 4.1a3 - - 4.1b1 - - 4.1b2 - - 4.1rc2 - - 4.1rc3 - - '4.2' - - 4.2.1 - - 4.2.2 - - 4.2.3 - - 4.2.4 - - 4.2.5 - - 4.2.6 - - 4.2.7 - - 4.2a1 - - 4.2a2 - - 4.2b1 - - 4.2b2 - - 4.2rc1 - - 4.2rc2 - - '4.3' - - 4.3.1 - - 4.3.10 - - 4.3.11 - - 4.3.12 - - 4.3.13 - - 4.3.14 - - 4.3.15 - - 4.3.16 - - 4.3.17 - - 4.3.18 - - 4.3.19 - - 4.3.2 - - 4.3.20 - - 4.3.3 - - 4.3.4 - - 4.3.5 - - 4.3.6 - - 4.3.7 - - 4.3.8 - - 4.3.9 - - 4.3a1 - - 4.3a2 - - 4.3b1 - - 4.3b2 - - 4.3rc1 - - '5.0' - - 5.0.1 - - 5.0.10 - - 5.0.2 - - 5.0.3 - - 5.0.4 - - 5.0.5 - - 5.0.6 - - 5.0.7 - - 5.0.8 - - 5.0.9 - - 5.0a1 - - 5.0a2 - - 5.0a3 - - 5.0b1 - - 5.0b2 - - 5.0b3 - - 5.0b4 - - 5.0rc1 - - 5.0rc2 - - 5.0rc3 - - 5.1.0 - - 5.1.1 - - 5.1.2 - - 5.1.3 - - 5.1.4 - - 5.1.5 - - 5.1.6 - - 5.1.7 - - 5.1a1 - - 5.1a2 - - 5.1b1 - - 5.1b2 - - 5.1b3 - - 5.1b4 - - 5.1rc1 - - 5.1rc2 - - 5.2.0 - - 5.2.1 - - 5.2.10 - - 5.2.11 - - 5.2.12 - - 5.2.13 - - 5.2.14 - - 5.2.15 - - 5.2.2 - - 5.2.3 - - 5.2.4 - - 5.2.5 - - 5.2.6 - - 5.2.7 - - 5.2.8 - - 5.2.9 - - 5.2a1 - - 5.2a2 - - 5.2b1 - - 5.2rc1 - - 5.2rc2 - - 5.2rc3 - - 5.2rc4 - - 5.2rc5 - - 6.0.0 - - 6.0.0a1 - - 6.0.0a2 - - 6.0.0a3 - - 6.0.0a4 - - 6.0.0a5 - - 6.0.0a6 - - 6.0.0b1 - - 6.0.0b2 - - 6.0.0b3 - - 6.0.0rc1 - - 6.0.0rc2 - - 6.0.1 - - 6.0.10 - - 6.0.11 - - 6.0.12 
- - 6.0.13 - - 6.0.2 - - 6.0.3 - - 6.0.4 - - 6.0.5 - - 6.0.6 - - 6.0.7 - - 6.0.8 - - 6.0.9 - - 6.1.0a1 - - 6.1.0a2 - - 6.1.0a3 - - 6.1.0a4 - - 6.1.0a5 - - 6.1.0b1 aliases: - CVE-2006-4249 details: Unspecified vulnerability in PlonePAS in Plone 2.5 and 2.5.1, when anonymous member registration is enabled, allows an attacker to "masquerade as a group." id: PYSEC-2006-6 -modified: '2024-11-21T14:22:58.714411Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2006-12-07T23:28:00Z' references: - type: FIX @@ -217,4 +29,3 @@ references: url: http://www.vupen.com/english/advisories/2006/4878 - type: WEB url: https://exchange.xforce.ibmcloud.com/vulnerabilities/30762 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2007-4.yaml b/vulns/plone/PYSEC-2007-4.yaml index af96477b..7c3b9797 100644 --- a/vulns/plone/PYSEC-2007-4.yaml +++ b/vulns/plone/PYSEC-2007-4.yaml 
@@ -2,206 +2,26 @@ affected: - package: ecosystem: PyPI name: plone - purl: pkg:pypi/plone ranges: - events: - - introduced: '0' + - introduced: '2.5' + - fixed: 2.5.5 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: plone + ranges: + - events: + - introduced: '3.0' + - fixed: 3.0.3 type: ECOSYSTEM - versions: - - '3.2' - - 3.2.1 - - 3.2.2 - - 3.2.3 - - 3.2a1 - - 3.2rc1 - - '3.3' - - 3.3.1 - - 3.3.2 - - 3.3.3 - - 3.3.4 - - 3.3.5 - - 3.3.6 - - 3.3b1 - - 3.3rc1 - - 3.3rc2 - - 3.3rc3 - - 3.3rc4 - - 3.3rc5 - - '4.0' - - 4.0.1 - - 4.0.10 - - 4.0.2 - - 4.0.3 - - 4.0.4 - - 4.0.5 - - 4.0.6 - - 4.0.7 - - 4.0.8 - - 4.0.9 - - 4.0a1 - - 4.0a2 - - 4.0a3 - - 4.0a4 - - 4.0a5 - - 4.0b1 - - 4.0b2 - - 4.0b3 - - 4.0b4 - - 4.0b5 - - 4.0rc1 - - '4.1' - - 4.1.1 - - 4.1.2 - - 4.1.3 - - 4.1.4 - - 4.1.5 - - 4.1.6 - - 4.1a1 - - 4.1a2 - - 4.1a3 - - 4.1b1 - - 4.1b2 - - 4.1rc2 - - 4.1rc3 - - '4.2' - - 4.2.1 - - 4.2.2 - - 4.2.3 - - 4.2.4 - - 4.2.5 - - 4.2.6 - - 4.2.7 - - 4.2a1 - - 4.2a2 - - 4.2b1 - - 4.2b2 - - 4.2rc1 - - 4.2rc2 - - '4.3' - - 4.3.1 - - 4.3.10 - - 4.3.11 - - 4.3.12 - - 4.3.13 - - 4.3.14 - - 4.3.15 - - 4.3.16 - - 4.3.17 - - 4.3.18 - - 4.3.19 - - 4.3.2 - - 4.3.20 - - 4.3.3 - - 4.3.4 - - 4.3.5 - - 4.3.6 - - 4.3.7 - - 4.3.8 - - 4.3.9 - - 4.3a1 - - 4.3a2 - - 4.3b1 - - 4.3b2 - - 4.3rc1 - - '5.0' - - 5.0.1 - - 5.0.10 - - 5.0.2 - - 5.0.3 - - 5.0.4 - - 5.0.5 - - 5.0.6 - - 5.0.7 - - 5.0.8 - - 5.0.9 - - 5.0a1 - - 5.0a2 - - 5.0a3 - - 5.0b1 - - 5.0b2 - - 5.0b3 - - 5.0b4 - - 5.0rc1 - - 5.0rc2 - - 5.0rc3 - - 5.1.0 - - 5.1.1 - - 5.1.2 - - 5.1.3 - - 5.1.4 - - 5.1.5 - - 5.1.6 - - 5.1.7 - - 5.1a1 - - 5.1a2 - - 5.1b1 - - 5.1b2 - - 5.1b3 - - 5.1b4 - - 5.1rc1 - - 5.1rc2 - - 5.2.0 - - 5.2.1 - - 5.2.10 - - 5.2.11 - - 5.2.12 - - 5.2.13 - - 5.2.14 - - 5.2.15 - - 5.2.2 - - 5.2.3 - - 5.2.4 - - 5.2.5 - - 5.2.6 - - 5.2.7 - - 5.2.8 - - 5.2.9 - - 5.2a1 - - 5.2a2 - - 5.2b1 - - 5.2rc1 - - 5.2rc2 - - 5.2rc3 - - 5.2rc4 - - 5.2rc5 - - 6.0.0 - - 6.0.0a1 - - 6.0.0a2 - - 6.0.0a3 - - 6.0.0a4 - - 6.0.0a5 - - 
6.0.0a6 - - 6.0.0b1 - - 6.0.0b2 - - 6.0.0b3 - - 6.0.0rc1 - - 6.0.0rc2 - - 6.0.1 - - 6.0.10 - - 6.0.11 - - 6.0.12 - - 6.0.13 - - 6.0.2 - - 6.0.3 - - 6.0.4 - - 6.0.5 - - 6.0.6 - - 6.0.7 - - 6.0.8 - - 6.0.9 - - 6.1.0a1 - - 6.1.0a2 - - 6.1.0a3 - - 6.1.0a4 - - 6.1.0a5 - - 6.1.0b1 aliases: - CVE-2007-5741 details: Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes. id: PYSEC-2007-4 -modified: '2024-11-21T14:22:58.776616Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2007-11-07T21:46:00Z' references: - type: ADVISORY @@ -226,4 +46,3 @@ references: url: https://exchange.xforce.ibmcloud.com/vulnerabilities/38288 - type: WEB url: http://www.securityfocus.com/archive/1/483343/100/0/threaded -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2008-14.yaml b/vulns/plone/PYSEC-2008-14.yaml index 4737e8b3..32da1b8f 100644 --- a/vulns/plone/PYSEC-2008-14.yaml +++ b/vulns/plone/PYSEC-2008-14.yaml 
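Review bot: The rewritten `affected` section lists the same package twice, `- package: ecosystem: PyPI name: plone` with range `'2.5'`→`2.5.5` followed by a second identical `- package:` block with range `'3.0'`→`3.0.3`; the OSV schema allows one affected entry to carry several `ranges`, so a single entry with two `- events:` groups under one `ranges:` key expresses the same thing without duplicating the package block and without leaving two entries that consumers may merge or de-duplicate differently. The bounds themselves agree with the details text (2.5 through 2.5.4 and 3.0 through 3.0.2 affected). Keeping `'2.5'` and `'3.0'` quoted is correct, as the unquoted forms would load as floats. This hunk begins on the previous line.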
@@ -1,200 +1,12 @@ affected: - package: ecosystem: PyPI - name: plone - purl: pkg:pypi/plone + name: Plone ranges: - events: - introduced: '0' + - fixed: '3.1' type: ECOSYSTEM - versions: - - '3.2' - - 3.2.1 - - 3.2.2 - - 3.2.3 - - 3.2a1 - - 3.2rc1 - - '3.3' - - 3.3.1 - - 3.3.2 - - 3.3.3 - - 3.3.4 - - 3.3.5 - - 3.3.6 - - 3.3b1 - - 3.3rc1 - - 3.3rc2 - - 3.3rc3 - - 3.3rc4 - - 3.3rc5 - - '4.0' - - 4.0.1 - - 4.0.10 - - 4.0.2 - - 4.0.3 - - 4.0.4 - - 4.0.5 - - 4.0.6 - - 4.0.7 - - 4.0.8 - - 4.0.9 - - 4.0a1 - - 4.0a2 - - 4.0a3 - - 4.0a4 - - 4.0a5 - - 4.0b1 - - 4.0b2 - - 4.0b3 - - 4.0b4 - - 4.0b5 - - 4.0rc1 - - '4.1' - - 4.1.1 - - 4.1.2 - - 4.1.3 - - 4.1.4 - - 4.1.5 - - 4.1.6 - - 4.1a1 - - 4.1a2 - - 4.1a3 - - 4.1b1 - - 4.1b2 - - 4.1rc2 - - 4.1rc3 - - '4.2' - - 4.2.1 - - 4.2.2 - - 4.2.3 - - 4.2.4 - - 4.2.5 - - 4.2.6 - - 4.2.7 - - 4.2a1 - - 4.2a2 - - 4.2b1 - - 4.2b2 - - 4.2rc1 - - 4.2rc2 - - '4.3' - - 4.3.1 - - 4.3.10 - - 4.3.11 - - 4.3.12 - - 4.3.13 - - 4.3.14 - - 4.3.15 - - 4.3.16 - - 4.3.17 - - 4.3.18 - - 4.3.19 - - 4.3.2 - - 4.3.20 - - 4.3.3 - - 4.3.4 - - 4.3.5 - - 4.3.6 - - 4.3.7 - - 4.3.8 - - 4.3.9 - - 4.3a1 - - 4.3a2 - - 4.3b1 - - 4.3b2 - - 4.3rc1 - - '5.0' - - 5.0.1 - - 5.0.10 - - 5.0.2 - - 5.0.3 - - 5.0.4 - - 5.0.5 - - 5.0.6 - - 5.0.7 - - 5.0.8 - - 5.0.9 - - 5.0a1 - - 5.0a2 - - 5.0a3 - - 5.0b1 - - 5.0b2 - - 5.0b3 - - 5.0b4 - - 5.0rc1 - - 5.0rc2 - - 5.0rc3 - - 5.1.0 - - 5.1.1 - - 5.1.2 - - 5.1.3 - - 5.1.4 - - 5.1.5 - - 5.1.6 - - 5.1.7 - - 5.1a1 - - 5.1a2 - - 5.1b1 - - 5.1b2 - - 5.1b3 - - 5.1b4 - - 5.1rc1 - - 5.1rc2 - - 5.2.0 - - 5.2.1 - - 5.2.10 - - 5.2.11 - - 5.2.12 - - 5.2.13 - - 5.2.14 - - 5.2.15 - - 5.2.2 - - 5.2.3 - - 5.2.4 - - 5.2.5 - - 5.2.6 - - 5.2.7 - - 5.2.8 - - 5.2.9 - - 5.2a1 - - 5.2a2 - - 5.2b1 - - 5.2rc1 - - 5.2rc2 - - 5.2rc3 - - 5.2rc4 - - 5.2rc5 - - 6.0.0 - - 6.0.0a1 - - 6.0.0a2 - - 6.0.0a3 - - 6.0.0a4 - - 6.0.0a5 - - 6.0.0a6 - - 6.0.0b1 - - 6.0.0b2 - - 6.0.0b3 - - 6.0.0rc1 - - 6.0.0rc2 - - 6.0.1 - - 6.0.10 - - 6.0.11 - - 6.0.12 - - 6.0.13 - - 6.0.2 - 
- 6.0.3 - - 6.0.4 - - 6.0.5 - - 6.0.6 - - 6.0.7 - - 6.0.8 - - 6.0.9 - - 6.1.0a1 - - 6.1.0a2 - - 6.1.0a3 - - 6.1.0a4 - - 6.1.0a5 - - 6.1.0b1 aliases: - CVE-2008-0164 details: Multiple cross-site request forgery (CSRF) vulnerabilities in Plone CMS 3.0.5 @@ -202,7 +14,7 @@ details: Multiple cross-site request forgery (CSRF) vulnerabilities in Plone CMS page and (2) change the privileges of arbitrary groups via the prefs_groups_overview page. id: PYSEC-2008-14 -modified: '2024-11-21T14:22:58.841714Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2008-03-20T00:44:00Z' references: - type: ADVISORY @@ -217,4 +29,3 @@ references: url: https://exchange.xforce.ibmcloud.com/vulnerabilities/41263 - type: WEB url: http://www.securityfocus.com/archive/1/489544/100/0/threaded -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2011-25.yaml b/vulns/plone/PYSEC-2011-25.yaml index 847e742d..c57c7ed3 100644 --- a/vulns/plone/PYSEC-2011-25.yaml +++ b/vulns/plone/PYSEC-2011-25.yaml 
@@ -1,200 +1,12 @@ affected: - package: ecosystem: PyPI - name: plone - purl: pkg:pypi/plone + name: Plone ranges: - events: - - introduced: '0' + - introduced: 3.3.2 + - fixed: 3.3.6 type: ECOSYSTEM - versions: - - '3.2' - - 3.2.1 - - 3.2.2 - - 3.2.3 - - 3.2a1 - - 3.2rc1 - - '3.3' - - 3.3.1 - - 3.3.2 - - 3.3.3 - - 3.3.4 - - 3.3.5 - - 3.3.6 - - 3.3b1 - - 3.3rc1 - - 3.3rc2 - - 3.3rc3 - - 3.3rc4 - - 3.3rc5 - - '4.0' - - 4.0.1 - - 4.0.10 - - 4.0.2 - - 4.0.3 - - 4.0.4 - - 4.0.5 - - 4.0.6 - - 4.0.7 - - 4.0.8 - - 4.0.9 - - 4.0a1 - - 4.0a2 - - 4.0a3 - - 4.0a4 - - 4.0a5 - - 4.0b1 - - 4.0b2 - - 4.0b3 - - 4.0b4 - - 4.0b5 - - 4.0rc1 - - '4.1' - - 4.1.1 - - 4.1.2 - - 4.1.3 - - 4.1.4 - - 4.1.5 - - 4.1.6 - - 4.1a1 - - 4.1a2 - - 4.1a3 - - 4.1b1 - - 4.1b2 - - 4.1rc2 - - 4.1rc3 - - '4.2' - - 4.2.1 - - 4.2.2 - - 4.2.3 - - 4.2.4 - - 4.2.5 - - 4.2.6 - - 4.2.7 - - 4.2a1 - - 4.2a2 - - 4.2b1 - - 4.2b2 - - 4.2rc1 - - 4.2rc2 - - '4.3' - - 4.3.1 - - 4.3.10 - - 4.3.11 - - 4.3.12 - - 4.3.13 - - 4.3.14 - - 4.3.15 - - 4.3.16 - - 4.3.17 - - 4.3.18 - - 4.3.19 - - 4.3.2 - - 4.3.20 - - 4.3.3 - - 4.3.4 - - 4.3.5 - - 4.3.6 - - 4.3.7 - - 4.3.8 - - 4.3.9 - - 4.3a1 - - 4.3a2 - - 4.3b1 - - 4.3b2 - - 4.3rc1 - - '5.0' - - 5.0.1 - - 5.0.10 - - 5.0.2 - - 5.0.3 - - 5.0.4 - - 5.0.5 - - 5.0.6 - - 5.0.7 - - 5.0.8 - - 5.0.9 - - 5.0a1 - - 5.0a2 - - 5.0a3 - - 5.0b1 - - 5.0b2 - - 5.0b3 - - 5.0b4 - - 5.0rc1 - - 5.0rc2 - - 5.0rc3 - - 5.1.0 - - 5.1.1 - - 5.1.2 - - 5.1.3 - - 5.1.4 - - 5.1.5 - - 5.1.6 - - 5.1.7 - - 5.1a1 - - 5.1a2 - - 5.1b1 - - 5.1b2 - - 5.1b3 - - 5.1b4 - - 5.1rc1 - - 5.1rc2 - - 5.2.0 - - 5.2.1 - - 5.2.10 - - 5.2.11 - - 5.2.12 - - 5.2.13 - - 5.2.14 - - 5.2.15 - - 5.2.2 - - 5.2.3 - - 5.2.4 - - 5.2.5 - - 5.2.6 - - 5.2.7 - - 5.2.8 - - 5.2.9 - - 5.2a1 - - 5.2a2 - - 5.2b1 - - 5.2rc1 - - 5.2rc2 - - 5.2rc3 - - 5.2rc4 - - 5.2rc5 - - 6.0.0 - - 6.0.0a1 - - 6.0.0a2 - - 6.0.0a3 - - 6.0.0a4 - - 6.0.0a5 - - 6.0.0a6 - - 6.0.0b1 - - 6.0.0b2 - - 6.0.0b3 - - 6.0.0rc1 - - 6.0.0rc2 - - 6.0.1 - - 6.0.10 - - 6.0.11 - - 6.0.12 
- - 6.0.13 - - 6.0.2 - - 6.0.3 - - 6.0.4 - - 6.0.5 - - 6.0.6 - - 6.0.7 - - 6.0.8 - - 6.0.9 - - 6.1.0a1 - - 6.1.0a2 - - 6.1.0a3 - - 6.1.0a4 - - 6.1.0a5 - - 6.1.0b1 aliases: - CVE-2011-2528 details: 'Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before @@ -203,7 +15,7 @@ details: 'Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x a "highly serious vulnerability." NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.' id: PYSEC-2011-25 -modified: '2024-11-21T14:22:58.906196Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2011-07-19T20:55:00Z' references: - type: FIX @@ -226,4 +38,3 @@ references: url: http://secunia.com/advisories/45111 - type: FIX url: http://www.openwall.com/lists/oss-security/2011/07/04/6 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2021-889.yaml b/vulns/plone/PYSEC-2021-889.yaml index ae713a8f..eb3e94e0 100644 --- a/vulns/plone/PYSEC-2021-889.yaml +++ b/vulns/plone/PYSEC-2021-889.yaml @@ -6,6 +6,7 @@ affected: ranges: - events: - introduced: '0' + - last_affected: 5.2.3 type: ECOSYSTEM versions: - '3.2' @@ -142,20 +143,8 @@ affected: - 5.1rc2 - 5.2.0 - 5.2.1 - - 5.2.10 - - 5.2.11 - - 5.2.12 - - 5.2.13 - - 5.2.14 - - 5.2.15 - 5.2.2 - 5.2.3 - - 5.2.4 - - 5.2.5 - - 5.2.6 - - 5.2.7 - - 5.2.8 - - 5.2.9 - 5.2a1 - 5.2a2 - 5.2b1 
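Review bot: `- last_affected: 5.2.3` in the PYSEC-2021-889 hunk records that no fixing release is known, so consumers will treat every Plone release up to 5.2.3 as vulnerable and make no statement about later ones; the `versions` list in the next hunk is trimmed to stop at 5.2.3, which is consistent with that, but the details text names only 5.2.3 as affected and the visible references are of type EVIDENCE, so it is unclear whether the fix release was looked up and not found or simply not recorded. If it is known, a `fixed:` event is the stronger statement and is what the other plone hunks in this commit use; if it is not, a reference or note stating that the fix version is unconfirmed would keep the next editor from promoting this to `fixed` by assumption.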
@@ -164,43 +153,13 @@ affected: - 5.2rc3 - 5.2rc4 - 5.2rc5 - - 6.0.0 - - 6.0.0a1 - - 6.0.0a2 - - 6.0.0a3 - - 6.0.0a4 - - 6.0.0a5 - - 6.0.0a6 - - 6.0.0b1 - - 6.0.0b2 - - 6.0.0b3 - - 6.0.0rc1 - - 6.0.0rc2 - - 6.0.1 - - 6.0.10 - - 6.0.11 - - 6.0.12 - - 6.0.13 - - 6.0.2 - - 6.0.3 - - 6.0.4 - - 6.0.5 - - 6.0.6 - - 6.0.7 - - 6.0.8 - - 6.0.9 - - 6.1.0a1 - - 6.1.0a2 - - 6.1.0a3 - - 6.1.0a4 - - 6.1.0a5 - - 6.1.0b1 aliases: - CVE-2021-29002 +- GHSA-38g6-x6jv-jwff details: A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter. id: PYSEC-2021-889 -modified: '2024-11-21T14:22:58.969592Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2021-03-24T15:15:00Z' references: - type: EVIDENCE @@ -216,4 +175,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/plone/PYSEC-2023-289.yaml b/vulns/plone/PYSEC-2023-289.yaml index b779c98f..8485897e 100644 --- a/vulns/plone/PYSEC-2023-289.yaml +++ b/vulns/plone/PYSEC-2023-289.yaml @@ -5,78 +5,10 @@ affected: purl: pkg:pypi/plone ranges: - events: - - introduced: '0' + - introduced: '4.3' + - fixed: 5.2.5 type: ECOSYSTEM versions: - - '3.2' - - 3.2.1 - - 3.2.2 - - 3.2.3 - - 3.2a1 - - 3.2rc1 - - '3.3' - - 3.3.1 - - 3.3.2 - - 3.3.3 - - 3.3.4 - - 3.3.5 - - 3.3.6 - - 3.3b1 - - 3.3rc1 - - 3.3rc2 - - 3.3rc3 - - 3.3rc4 - - 3.3rc5 - - '4.0' - - 4.0.1 - - 4.0.10 - - 4.0.2 - - 4.0.3 - - 4.0.4 - - 4.0.5 - - 4.0.6 - - 4.0.7 - - 4.0.8 - - 4.0.9 - - 4.0a1 - - 4.0a2 - - 4.0a3 - - 4.0a4 - - 4.0a5 - - 4.0b1 - - 4.0b2 - - 4.0b3 - - 4.0b4 - - 4.0b5 - - 4.0rc1 - - '4.1' - - 4.1.1 - - 4.1.2 - - 4.1.3 - - 4.1.4 - - 4.1.5 - - 4.1.6 - - 4.1a1 - - 4.1a2 - - 4.1a3 - - 4.1b1 - - 4.1b2 - - 4.1rc2 - - 4.1rc3 - - '4.2' - - 4.2.1 - - 4.2.2 - - 4.2.3 - - 4.2.4 - - 4.2.5 - - 4.2.6 - - 4.2.7 - - 4.2a1 - - 4.2a2 - - 4.2b1 - - 4.2b2 - - 4.2rc1 - - 4.2rc2 - '4.3' - 4.3.1 - 4.3.10 
@@ -98,11 +30,6 @@ affected: - 4.3.7 - 4.3.8 - 4.3.9 - - 4.3a1 - - 4.3a2 - - 4.3b1 - - 4.3b2 - - 4.3rc1 - '5.0' - 5.0.1 - 5.0.10 @@ -142,20 +69,9 @@ affected: - 5.1rc2 - 5.2.0 - 5.2.1 - - 5.2.10 - - 5.2.11 - - 5.2.12 - - 5.2.13 - - 5.2.14 - - 5.2.15 - 5.2.2 - 5.2.3 - 5.2.4 - - 5.2.5 - - 5.2.6 - - 5.2.7 - - 5.2.8 - - 5.2.9 - 5.2a1 - 5.2a2 - 5.2b1 @@ -164,46 +80,16 @@ affected: - 5.2rc3 - 5.2rc4 - 5.2rc5 - - 6.0.0 - - 6.0.0a1 - - 6.0.0a2 - - 6.0.0a3 - - 6.0.0a4 - - 6.0.0a5 - - 6.0.0a6 - - 6.0.0b1 - - 6.0.0b2 - - 6.0.0b3 - - 6.0.0rc1 - - 6.0.0rc2 - - 6.0.1 - - 6.0.10 - - 6.0.11 - - 6.0.12 - - 6.0.13 - - 6.0.2 - - 6.0.3 - - 6.0.4 - - 6.0.5 - - 6.0.6 - - 6.0.7 - - 6.0.8 - - 6.0.9 - - 6.1.0a1 - - 6.1.0a2 - - 6.1.0a3 - - 6.1.0a4 - - 6.1.0a5 - - 6.1.0b1 aliases: - CVE-2021-33926 +- GHSA-47p5-p3jw-w78w details: An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows attacker to access sensitive information via the RSS feed protlet. id: PYSEC-2023-289 -modified: '2024-11-21T14:22:59.034188Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2023-02-17T18:15:00Z' references: - type: EVIDENCE @@ -217,4 +103,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/py-cord/PYSEC-2022-43146.yaml b/vulns/py-cord/PYSEC-2022-43146.yaml index 43f1f11a..fc5c625c 100644 --- a/vulns/py-cord/PYSEC-2022-43146.yaml +++ b/vulns/py-cord/PYSEC-2022-43146.yaml 
@@ -5,36 +5,11 @@ affected: purl: pkg:pypi/py-cord ranges: - events: - - introduced: '0' + - introduced: 2.0.0 + - fixed: 2.0.1 type: ECOSYSTEM versions: - - 1.7.3 - 2.0.0 - - 2.0.0b1 - - 2.0.0b2 - - 2.0.0b3 - - 2.0.0b4 - - 2.0.0b5 - - 2.0.0b6 - - 2.0.0b7 - - 2.0.0rc1 - - 2.0.1 - - 2.1.0 - - 2.1.1 - - 2.1.2 - - 2.1.3 - - 2.2.0 - - 2.2.1 - - 2.2.2 - - 2.3.0 - - 2.3.1 - - 2.3.2 - - 2.3.3 - - 2.4.0 - - 2.4.1 - - 2.5.0 - - 2.6.0 - - 2.6.1 aliases: - CVE-2022-36024 - GHSA-qmhj-m29v-gvmr @@ -45,7 +20,7 @@ details: py-cord is a an API wrapper for Discord written in Python. Bots creatin has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version. id: PYSEC-2022-43146 -modified: '2024-11-21T14:22:59.25812Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2022-08-18T15:15:00Z' references: - type: ADVISORY @@ -57,4 +32,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pyboolector/PYSEC-2019-252.yaml b/vulns/pyboolector/PYSEC-2019-252.yaml index cbea0326..df4b8a18 100644 --- a/vulns/pyboolector/PYSEC-2019-252.yaml +++ b/vulns/pyboolector/PYSEC-2019-252.yaml 
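Review bot: The new `- introduced: 2.0.0` event places the `2.0.0b1` through `2.0.0rc1` pre-releases that this hunk also drops from `versions` outside the affected range, yet the retained details text only states that the issue "has been patched in version 2.0.1" and gives no lower bound. Under ECOSYSTEM ordering those pre-releases sort before 2.0.0, so a scanner will now report them as clean; if the defect was present in the betas the event should read `- introduced: 2.0.0b1` and the pre-release entries should stay in `versions`. If the 2.0.0 bound was taken from the GHSA named in `aliases`, adding it under `references` would make that traceable.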
@@ -6,124 +6,20 @@ affected: ranges: - events: - introduced: '0' + - fixed: 3.1.0 type: ECOSYSTEM versions: - 3.0.0.1 - 3.0.0.20191102.28 - 3.0.0.20191119.1 - 3.0.0.20191119.2 - - 3.2.0.20200301.4 - - 3.2.1 - - 3.2.1.20200410.3 - - 3.2.1.20200413.1 - - 3.2.1.20200414.1 - - 3.2.1.20200415.1 - - 3.2.1.20200421.2 - - 3.2.1.20200423.1 - - 3.2.1.20200429.1 - - 3.2.1.20200429.2 - - 3.2.1.20200520.1 - - 3.2.1.20200521.1 - - 3.2.1.20200615.1 - - 3.2.1.20200616.1 - - 3.2.1.20200711.1 - - 3.2.1.20200711.3 - - 3.2.1.20200714.1 - - 3.2.1.20200720.2 - - 3.2.1.20200731.1 - - 3.2.1.20200804.1 - - 3.2.1.20200811.1 - - 3.2.1.20200826.2 - - 3.2.1.20200906.1 - - 3.2.1.20200906.10 - - 3.2.1.20200906.11 - - 3.2.1.20200906.12 - - 3.2.1.20200906.13 - - 3.2.1.20200906.14 - - 3.2.1.20200906.15 - - 3.2.1.20200906.16 - - 3.2.1.20200906.17 - - 3.2.1.20200906.18 - - 3.2.1.20200906.2 - - 3.2.1.20200906.3 - - 3.2.1.20200906.4 - - 3.2.1.20200906.5 - - 3.2.1.20200906.6 - - 3.2.1.20200906.7 - - 3.2.1.20200906.8 - - 3.2.1.20200906.9 - - 3.2.1.20200907.10 - - 3.2.1.20200907.11 - - 3.2.1.20200907.3 - - 3.2.1.20200907.4 - - 3.2.1.20200907.5 - - 3.2.1.20200907.6 - - 3.2.1.20200907.7 - - 3.2.1.20200907.8 - - 3.2.1.20200907.9 - - 3.2.1.20200914.2 - - 3.2.1.20200925.1 - - 3.2.1.20200926.1 - - 3.2.1.20201020.2 - - 3.2.1.20201030.2 - - 3.2.1.20201201.2 - - 3.2.1.20210109.1 - - 3.2.1.20210314.1 - - 3.2.1.20210314.2 - - 3.2.1.20210414.7 - - 3.2.1.20210414.8 - - 3.2.1.20210513.1 - - 3.2.1.20210513.2 - - 3.2.1.20210513.3 - - 3.2.1.20210519.1 - - 3.2.1.20210519.2 - - 3.2.1.20210519.3 - - 3.2.1.20210519.4 - - 3.2.1.20210519.5 - - 3.2.1.20210520.1 - - 3.2.1.20210520.2 - - 3.2.1.20210520.3 - - 3.2.1.20210527.1 - - 3.2.2.20210528.1 - - 3.2.2.20210602.1 - - 3.2.2.20210616.1 - - 3.2.2.20210617.2 - - 3.2.2.20211015.1 - - 3.2.2.20211110.1 - - 3.2.2.20211110.2 - - 3.2.2.20211216.1 - - 3.2.2.20220114.1 - - 3.2.2.20220115.1 - - 3.2.2.20220115.2 - - 3.2.2.20220119.1 - - 3.2.2.20220125.14 - - 3.2.2.20220802.4 - - 
3.2.2.20221010.1 - - 3.2.2.20230104.1 - - 3.2.2.20230105.2 - - 3.2.2.20230105.4 - - 3.2.2.20230105.5 - - 3.2.2.20230110.1 - - 3.2.2.20230110.2 - - 3.2.2.20230110.4 - - 3.2.2.20230911.3 - - 3.2.2.350174618 - - 3.2.2.350174922 - - 3.2.3.20230911.5 - - 3.2.3.20230913.1 - - 3.2.3.20231101.1 - - 3.2.3.20231106.1 - - 3.2.3.20240215.1 - - 3.2.3.20240305.1 - - 3.2.3.20240822.1 - - 3.2.3.20240822.20 - - 3.2.4.20240823.1 aliases: - CVE-2019-7560 +- GHSA-g58x-799h-v9h6 details: In parser/btorsmt2.c in Boolector 3.0.0, opening a specially crafted input file leads to a use after free in get_failed_assumptions or btor_delete. id: PYSEC-2019-252 -modified: '2024-11-21T14:22:59.57901Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2019-02-07T07:29:00Z' references: - type: EVIDENCE @@ -141,4 +37,3 @@ references: severity: - score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pyo/PYSEC-2021-890.yaml b/vulns/pyo/PYSEC-2021-890.yaml index 1d82a3f4..ad5de9ed 100644 --- a/vulns/pyo/PYSEC-2021-890.yaml +++ b/vulns/pyo/PYSEC-2021-890.yaml @@ -6,21 +6,21 @@ affected: ranges: - events: - introduced: '0' + - fixed: 1.0.4 type: ECOSYSTEM versions: - 1.0.0 - 1.0.1 - 1.0.2 - 1.0.3 - - 1.0.4 - - 1.0.5 aliases: - CVE-2021-41498 +- GHSA-qj27-32wp-ghrg details: Buffer overflow in ajaxsoundstudio.com Pyo < and 1.03 in the Server_jack_init function. which allows attackers to conduct Denial of Service attacks by arbitrary constructing a overlong server name. id: PYSEC-2021-890 -modified: '2024-11-21T14:22:59.907617Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2021-12-17T21:15:00Z' references: - type: EVIDENCE @@ -30,4 +30,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pypatchelf/PYSEC-2022-43151.yaml b/vulns/pypatchelf/PYSEC-2022-43151.yaml index eb681baa..26334a78 100644 --- a/vulns/pypatchelf/PYSEC-2022-43151.yaml 
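Review bot: `- fixed: 3.1.0` in the pyboolector hunk is not supported by anything visible in the record: the details describe the use-after-free in Boolector 3.0.0, the four `versions` kept are all 3.0.0.* builds, and the references in view are EVIDENCE entries rather than a FIX. If 3.1.0 was chosen because it is simply the next release line rather than because a fixing change was identified, `- last_affected: 3.0.0.20191119.2` states what is actually known; otherwise a `type: FIX` reference to the upstream commit or release would make the bound auditable. The same question applies, with less force, to `- fixed: 1.0.4` in the pyo hunk on this line, where the details only say "Pyo < and 1.03".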
+++ b/vulns/pypatchelf/PYSEC-2022-43151.yaml @@ -12,10 +12,11 @@ affected: - '0.9' aliases: - CVE-2022-44940 +- GHSA-5pcj-3m26-w633 details: Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/patchelf.cc. id: PYSEC-2022-43151 -modified: '2024-11-21T14:22:59.956918Z' +modified: '2024-11-25T22:09:33.909779Z' published: '2022-12-19T22:15:00Z' references: - type: EVIDENCE @@ -27,4 +28,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pyspark/PYSEC-2017-147.yaml b/vulns/pyspark/PYSEC-2017-147.yaml index c8417d67..7d942aed 100644 --- a/vulns/pyspark/PYSEC-2017-147.yaml +++ b/vulns/pyspark/PYSEC-2017-147.yaml @@ -6,59 +6,13 @@ affected: ranges: - events: - introduced: '0' + - fixed: 2.1.2 type: ECOSYSTEM versions: - 2.1.1 - - 2.1.2 - - 2.1.3 - - 2.2.0 - - 2.2.1 - - 2.2.2 - - 2.2.3 - - 2.3.0 - - 2.3.1 - - 2.3.2 - - 2.3.3 - - 2.3.4 - - 2.4.0 - - 2.4.1 - - 2.4.2 - - 2.4.3 - - 2.4.4 - - 2.4.5 - - 2.4.6 - - 2.4.7 - - 2.4.8 - - 3.0.0 - - 3.0.1 - - 3.0.2 - - 3.0.3 - - 3.1.1 - - 3.1.2 - - 3.1.3 - - 3.2.0 - - 3.2.1 - - 3.2.2 - - 3.2.3 - - 3.2.4 - - 3.3.0 - - 3.3.1 - - 3.3.2 - - 3.3.3 - - 3.3.4 - - 3.4.0 - - 3.4.1 - - 3.4.2 - - 3.4.3 - - 3.4.4 - - 3.5.0 - - 3.5.1 - - 3.5.2 - - 3.5.3 - - 4.0.0.dev1 - - 4.0.0.dev2 aliases: - CVE-2017-12612 +- GHSA-8rhc-48pp-52gr details: In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an 
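Review bot: `- fixed: 2.1.2` in the pyspark hunk sits uneasily with the record's own details text, which continues in the following hunk with "Users are encouraged to update to version 2.2.0 or later" while naming "1.6.0 until 2.1.1" as the affected span. If 2.1.2 is a genuine backport of the fix, the details sentence should say so, otherwise a reader will assume 2.1.2 and 2.1.3 are still vulnerable; if it is not, the event should be `- fixed: 2.2.0`. Either way the bound should be traceable to the ARTICLE reference rather than inferred from the PyPI release list that the hunk deletes.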
@@ -67,7 +21,7 @@ details: In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe des as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later. id: PYSEC-2017-147 -modified: '2024-11-21T14:23:00.007173Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2017-09-13T16:29:00Z' references: - type: ARTICLE @@ -81,4 +35,3 @@ references: severity: - score: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/python-scciclient/PYSEC-2022-43152.yaml b/vulns/python-scciclient/PYSEC-2022-43152.yaml index 29eb9dc8..5521dfe1 100644 --- a/vulns/python-scciclient/PYSEC-2022-43152.yaml +++ b/vulns/python-scciclient/PYSEC-2022-43152.yaml @@ -6,6 +6,7 @@ affected: ranges: - events: - introduced: '0' + - fixed: 0.12.0 type: ECOSYSTEM versions: - 0.0.1 @@ -18,14 +19,6 @@ affected: - 0.11.2 - 0.11.3 - 0.11.4 - - 0.12.0 - - 0.12.1 - - 0.12.2 - - 0.12.3 - - 0.13.0 - - 0.14.0 - - 0.15.0 - - 0.16.0 - 0.2.0 - 0.3.0 - 0.3.1 @@ -55,11 +48,12 @@ affected: - 0.9.5 aliases: - CVE-2022-2996 +- GHSA-rf3f-3p37-2qh4 details: A flaw was found in the python-scciclient when making an HTTPS connection to a server where the server's certificate would not be verified. This issue opens up the connection to possible Man-in-the-middle (MITM) attacks. id: PYSEC-2022-43152 -modified: '2024-11-21T14:23:00.061403Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2022-09-01T18:15:00Z' references: - type: FIX @@ -73,4 +67,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/pywasm3/PYSEC-2022-43154.yaml b/vulns/pywasm3/PYSEC-2022-43154.yaml index a95f19ab..6729a59f 100644 --- a/vulns/pywasm3/PYSEC-2022-43154.yaml +++ b/vulns/pywasm3/PYSEC-2022-43154.yaml @@ -6,6 +6,7 @@ affected: ranges: - events: - introduced: '0' + - last_affected: 0.5.0 type: ECOSYSTEM versions: - 0.0.1 
@@ -15,10 +16,11 @@ affected: - 0.5.0 aliases: - CVE-2022-28990 +- GHSA-77fq-4xf5-hph4 details: WASM3 v0.5.0 was discovered to contain a heap overflow via the component /wabt/bin/poc.wasm. id: PYSEC-2022-43154 -modified: '2024-11-21T14:23:00.161107Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2022-05-20T19:15:00Z' references: - type: EVIDENCE @@ -32,4 +34,3 @@ references: severity: - score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/reqmon/PYSEC-2022-43163.yaml b/vulns/reqmon/PYSEC-2022-43163.yaml index a3673d45..2c5c57a8 100644 --- a/vulns/reqmon/PYSEC-2022-43163.yaml +++ b/vulns/reqmon/PYSEC-2022-43163.yaml 
@@ -1,184 +1,27 @@ -id: PYSEC-2022-43163 +affected: +- package: + ecosystem: PyPI + name: reqmon + ranges: + - events: + - introduced: 1.4.1rc5 + - fixed: 2.0.4 + type: ECOSYSTEM + versions: + - 1.4.1rc5 +aliases: +- CVE-2022-34558 details: WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted dbs-client package. -aliases: -- CVE-2022-34558 -modified: '2024-11-25T20:23:38.449800Z' +id: PYSEC-2022-43163 +modified: '2024-11-25T22:09:33.909779Z' published: '2022-07-28T23:15:00Z' -withdrawn: '2024-11-22T04:37:05Z' references: - type: EVIDENCE url: https://github.com/dmwm/WMCore/issues/11188 - type: REPORT url: https://github.com/dmwm/WMCore/issues/11188 -affected: -- package: - name: reqmon - ecosystem: PyPI - purl: pkg:pypi/reqmon - ranges: - - type: ECOSYSTEM - events: - - introduced: '0' - versions: - - 2.0.4 - - 2.1.1 - - 2.1.2rc4 - - 2.1.4 - - 2.1.4rc1 - - 2.1.4rc2 - - 2.1.4rc3 - - 2.1.4rc4 - - 2.1.4rc5 - - 2.1.4rc6 - - 2.1.4rc7 - - 2.1.5 - - 2.1.5.1 - - 2.1.5rc1 - - 2.1.5rc2 - - 2.1.5rc4 - - 2.1.5rc5 - - 2.1.5rc6 - - 2.1.5rc7 - - 2.1.6 - - 2.1.6.1 - - 2.1.6.2 - - 2.1.6.3 - - 2.1.6rc1 - - 2.1.6rc2 - - 2.1.6rc3 - - 2.1.6rc4 - - 2.1.6rc5 - - 2.1.6rc6 - - 2.1.7 - - 2.1.7rc1 - - 2.1.7rc2 - - 2.1.7rc3 - - 2.1.7rc4 - - 2.1.7rc5 - - 2.1.7rc6 - - 2.1.7rc7 - - 2.1.8 - - 2.1.8rc1 - - 2.1.8rc2 - - 2.2.0 - - 2.2.0.1 - - 2.2.0.2 - - 2.2.0.3 - - 2.2.0.4 - - 2.2.0.5 - - 2.2.0.6 - - 2.2.0.7 - - 2.2.0rc1 - - 2.2.0rc2 - - 2.2.0rc3 - - 2.2.0rc4 - - 2.2.0rc5 - - 2.2.0rc6 - - 2.2.0rc7 - - 2.2.0rc8 - - 2.2.0rc9 - - 2.2.1 - - 2.2.1rc1 - - 2.2.1rc2 - - 2.2.1rc3 - - 2.2.1rc4 - - 2.2.1rc5 - - 2.2.2 - - 2.2.2.1 - - 2.2.2rc1 - - 2.2.2rc10 - - 2.2.2rc11 - - 2.2.2rc12 - - 2.2.2rc2 - - 2.2.2rc3 - - 2.2.2rc4 - - 2.2.2rc5 - - 2.2.2rc6 - - 2.2.2rc7 - - 2.2.2rc8 - - 2.2.2rc9 - - 2.2.3.1 - - 2.2.3.2 - - 2.2.4 - - 2.2.4.1 - - 2.2.4.2 - - 2.2.4.3 - - 2.2.4.4 - - 2.2.4.6 - - 2.2.4.7 - - 
2.2.4rc1 - - 2.2.4rc10 - - 2.2.4rc2 - - 2.2.4rc3 - - 2.2.4rc4 - - 2.2.4rc5 - - 2.2.4rc6 - - 2.2.4rc7 - - 2.2.4rc8 - - 2.2.4rc9 - - 2.2.5 - - 2.2.6 - - 2.2.6rc1 - - 2.2.6rc2 - - 2.2.6rc3 - - 2.2.6rc4 - - 2.2.6rc5 - - 2.2.6rc6 - - 2.2.6rc7 - - 2.2.6rc8 - - 2.3.0 - - 2.3.0.1 - - 2.3.0.2 - - 2.3.1 - - 2.3.1rc1 - - 2.3.1rc2 - - 2.3.1rc3 - - 2.3.1rc4 - - 2.3.2 - - 2.3.2rc1 - - 2.3.2rc2 - - 2.3.2rc3 - - 2.3.2rc4 - - 2.3.2rc5 - - 2.3.2rc6 - - 2.3.2rc8 - - 2.3.2rc9 - - 2.3.3 - - 2.3.4 - - 2.3.4.1 - - 2.3.4.2 - - 2.3.4.3 - - 2.3.4.4 - - 2.3.4rc1 - - 2.3.4rc10 - - 2.3.4rc11 - - 2.3.4rc12 - - 2.3.4rc2 - - 2.3.4rc3 - - 2.3.4rc4 - - 2.3.4rc5 - - 2.3.4rc6 - - 2.3.4rc7 - - 2.3.4rc8 - - 2.3.4rc9 - - 2.3.5 - - 2.3.5.1 - - 2.3.5rc1 - - 2.3.5rc3 - - 2.3.6 - - 2.3.6rc1 - - 2.3.6rc2 - - 2.3.6rc3 - - 2.3.6rc4 - - 2.3.6rc5 - - 2.3.6rc6 - - 2.3.6rc7 - - 2.3.6rc8 - - 2.3.7 - - 2.3.7.1 - - 2.3.8rc5 severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 diff --git a/vulns/safeurl-python/PYSEC-2023-298.yaml b/vulns/safeurl-python/PYSEC-2023-298.yaml index ea859b58..c889a669 100644 --- a/vulns/safeurl-python/PYSEC-2023-298.yaml +++ b/vulns/safeurl-python/PYSEC-2023-298.yaml 
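Review bot: The rebuilt reqmon record's range `introduced: 1.4.1rc5` / `fixed: 2.0.4` is not backed by its references, which are the same GitHub issue listed twice (as EVIDENCE and as REPORT), and 2.0.4 was the first entry of the affected list this hunk deletes, so the "fixed" bound looks like an assumption that the old enumeration was merely inverted. If the issue or a release note confirms 2.0.4 as the fixing release, a `- type: FIX` reference would make that auditable; if not, `- last_affected: 1.4.1rc5` states only what the details assert. The same construction is used in the wmagent hunk further down, and both rebuilt records drop the `purl:` line the old records carried while the swift and plone records in this series keep theirs.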
@@ -6,18 +6,33 @@ affected: ranges: - events: - introduced: '0' + - fixed: '1.2' type: ECOSYSTEM versions: - '1.0' - - '1.2' - - '1.3' +- package: + ecosystem: PyPI + name: safeurl-python + ranges: + - events: + - introduced: '0' + - fixed: '1.2' + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: safeurl-python + ranges: + - events: + - introduced: '0' + - fixed: '1.2' + type: ECOSYSTEM aliases: - CVE-2023-24622 - GHSA-jgh8-vchw-q3g7 details: isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF. id: PYSEC-2023-298 -modified: '2024-11-21T14:23:01.045324Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2023-01-30T05:15:00Z' references: - type: EVIDENCE @@ -27,4 +42,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/swift/PYSEC-2014-116.yaml b/vulns/swift/PYSEC-2014-116.yaml index a3008354..9d2a09e9 100644 --- a/vulns/swift/PYSEC-2014-116.yaml +++ b/vulns/swift/PYSEC-2014-116.yaml 
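Review bot: The two `- package:` entries added after the first are exact duplicates of it (same `name: safeurl-python`, same `introduced: '0'` / `fixed: '1.2'` range), so they add no information and make every consumer emit this finding three times; delete both added blocks. If a second range was intended, it belongs as another item under the existing `ranges:` list of the first entry, not as a new package block.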
@@ -5,47 +5,37 @@ affected: purl: pkg:pypi/swift ranges: - events: - - introduced: '0' + - introduced: 1.4.6 + - last_affected: 1.8.0 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: swift + purl: pkg:pypi/swift + ranges: + - events: + - introduced: 1.9.0 + - last_affected: 1.10.0 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: swift + purl: pkg:pypi/swift + ranges: + - events: + - introduced: 1.11.0 + - fixed: 1.12.0 type: ECOSYSTEM versions: - - 1.0.2 - - 2.15.2 - - 2.17.1 - - 2.19.1 - - 2.19.2 - - 2.20.0 - - 2.21.0 - - 2.21.1 - - 2.22.0 - - 2.23.0 - - 2.23.1 - - 2.23.2 - - 2.23.3 - - 2.24.0 - - 2.25.0 - - 2.25.1 - - 2.25.2 - - 2.26.0 - - 2.27.0 - - 2.28.0 - - 2.28.1 - - 2.29.0 - - 2.29.1 - - 2.29.2 - - 2.30.0 - - 2.30.1 - - 2.31.0 - - 2.31.1 - - 2.32.0 - - 2.33.0 - - 2.34.0 + - 1.11.0 aliases: - CVE-2014-0006 +- GHSA-cf9m-q836-vf26 details: The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack. id: PYSEC-2014-116 -modified: '2024-11-21T14:23:01.425354Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2014-01-23T01:55:00Z' references: - type: ADVISORY @@ -54,4 +44,3 @@ references: url: http://www.openwall.com/lists/oss-security/2014/01/17/5 - type: ADVISORY url: http://rhn.redhat.com/errata/RHSA-2014-0232.html -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/tmp/PYSEC-2024-1.yaml b/vulns/tmp/PYSEC-2024-1.yaml new file mode 100644 index 00000000..9ce7649d --- /dev/null +++ b/vulns/tmp/PYSEC-2024-1.yaml @@ -0,0 +1 @@ +garbage diff --git a/vulns/upydev/PYSEC-2023-302.yaml b/vulns/upydev/PYSEC-2023-302.yaml index 9f81dfca..69be9eb6 100644 --- a/vulns/upydev/PYSEC-2023-302.yaml +++ b/vulns/upydev/PYSEC-2023-302.yaml @@ -6,6 +6,7 @@ affected: ranges: - events: - introduced: '0' + - last_affected: 0.4.3 type: ECOSYSTEM versions: - 0.0.1 
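Review bot: The three `- package:` blocks in the swift hunk differ only in their single range; since `ranges:` is itself a list, one affected entry with three `- events:` items would express the same spans without repeating `name` and `purl` three times. As written, the only `versions` entry (`- 1.11.0`) is attached to the third block alone, so the 1.4.6–1.8.0 and 1.9.0–1.10.0 spans carry no enumerated versions at all — collapsing the blocks fixes that as a side effect.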
@@ -53,10 +54,11 @@ affected: - 0.4.3 aliases: - CVE-2023-48051 +- GHSA-qc4j-hrj6-cppf details: An issue in /upydev/keygen.py in upydev v0.4.3 allows attackers to decrypt sensitive information via weak encryption padding. id: PYSEC-2023-302 -modified: '2024-11-21T14:23:02.508814Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2023-11-20T23:15:00Z' references: - type: EVIDENCE @@ -66,4 +68,3 @@ references: severity: - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N type: CVSS_V3 -withdrawn: '2024-11-22T04:37:05Z' diff --git a/vulns/wmagent/PYSEC-2022-43174.yaml b/vulns/wmagent/PYSEC-2022-43174.yaml index 2d71a802..7c55f9a3 100644 --- a/vulns/wmagent/PYSEC-2022-43174.yaml +++ b/vulns/wmagent/PYSEC-2022-43174.yaml 
@@ -1,183 +1,25 @@ -id: PYSEC-2022-43174 +affected: +- package: + ecosystem: PyPI + name: wmagent + ranges: + - events: + - introduced: 1.3.3rc1 + - fixed: 2.0.4 + type: ECOSYSTEM +aliases: +- CVE-2022-34558 details: WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted dbs-client package. -aliases: -- CVE-2022-34558 -modified: '2024-11-25T20:23:40.734434Z' +id: PYSEC-2022-43174 +modified: '2024-11-25T22:09:33.909779Z' published: '2022-07-28T23:15:00Z' -withdrawn: '2024-11-22T04:37:05Z' references: - type: EVIDENCE url: https://github.com/dmwm/WMCore/issues/11188 - type: REPORT url: https://github.com/dmwm/WMCore/issues/11188 -affected: -- package: - name: wmagent - ecosystem: PyPI - purl: pkg:pypi/wmagent - ranges: - - type: ECOSYSTEM - events: - - introduced: '0' - versions: - - 2.0.4 - - 2.1.1 - - 2.1.2rc4 - - 2.1.4 - - 2.1.4rc1 - - 2.1.4rc2 - - 2.1.4rc3 - - 2.1.4rc4 - - 2.1.4rc5 - - 2.1.4rc6 - - 2.1.4rc7 - - 2.1.5 - - 2.1.5.1 - - 2.1.5rc1 - - 2.1.5rc2 - - 2.1.5rc4 - - 2.1.5rc5 - - 2.1.5rc6 - - 2.1.5rc7 - - 2.1.6 - - 2.1.6.1 - - 2.1.6.2 - - 2.1.6.3 - - 2.1.6rc1 - - 2.1.6rc2 - - 2.1.6rc3 - - 2.1.6rc4 - - 2.1.6rc5 - - 2.1.6rc6 - - 2.1.7 - - 2.1.7rc1 - - 2.1.7rc2 - - 2.1.7rc3 - - 2.1.7rc4 - - 2.1.7rc5 - - 2.1.7rc6 - - 2.1.7rc7 - - 2.1.8 - - 2.1.8rc1 - - 2.1.8rc2 - - 2.2.0 - - 2.2.0.1 - - 2.2.0.2 - - 2.2.0.3 - - 2.2.0.4 - - 2.2.0.5 - - 2.2.0.7 - - 2.2.0rc1 - - 2.2.0rc2 - - 2.2.0rc3 - - 2.2.0rc4 - - 2.2.0rc5 - - 2.2.0rc6 - - 2.2.0rc7 - - 2.2.0rc8 - - 2.2.0rc9 - - 2.2.1 - - 2.2.1rc1 - - 2.2.1rc2 - - 2.2.1rc3 - - 2.2.1rc4 - - 2.2.1rc5 - - 2.2.2 - - 2.2.2.1 - - 2.2.2rc1 - - 2.2.2rc10 - - 2.2.2rc11 - - 2.2.2rc12 - - 2.2.2rc2 - - 2.2.2rc3 - - 2.2.2rc4 - - 2.2.2rc5 - - 2.2.2rc6 - - 2.2.2rc7 - - 2.2.2rc8 - - 2.2.2rc9 - - 2.2.3.1 - - 2.2.3.2 - - 2.2.4 - - 2.2.4.1 - - 2.2.4.2 - - 2.2.4.3 - - 2.2.4.4 - - 2.2.4.6 - - 2.2.4.7 - - 2.2.4rc1 - - 2.2.4rc10 - - 2.2.4rc2 - 
- 2.2.4rc3 - - 2.2.4rc4 - - 2.2.4rc5 - - 2.2.4rc6 - - 2.2.4rc7 - - 2.2.4rc8 - - 2.2.4rc9 - - 2.2.5 - - 2.2.6 - - 2.2.6rc1 - - 2.2.6rc2 - - 2.2.6rc3 - - 2.2.6rc4 - - 2.2.6rc5 - - 2.2.6rc6 - - 2.2.6rc7 - - 2.2.6rc8 - - 2.3.0 - - 2.3.0.1 - - 2.3.0.2 - - 2.3.1 - - 2.3.1rc1 - - 2.3.1rc2 - - 2.3.1rc3 - - 2.3.1rc4 - - 2.3.2 - - 2.3.2rc1 - - 2.3.2rc2 - - 2.3.2rc3 - - 2.3.2rc4 - - 2.3.2rc5 - - 2.3.2rc6 - - 2.3.2rc8 - - 2.3.2rc9 - - 2.3.3 - - 2.3.4 - - 2.3.4.1 - - 2.3.4.2 - - 2.3.4.3 - - 2.3.4.4 - - 2.3.4rc1 - - 2.3.4rc10 - - 2.3.4rc11 - - 2.3.4rc12 - - 2.3.4rc2 - - 2.3.4rc3 - - 2.3.4rc4 - - 2.3.4rc5 - - 2.3.4rc6 - - 2.3.4rc7 - - 2.3.4rc8 - - 2.3.4rc9 - - 2.3.5 - - 2.3.5.1 - - 2.3.5rc1 - - 2.3.5rc3 - - 2.3.6 - - 2.3.6rc1 - - 2.3.6rc2 - - 2.3.6rc3 - - 2.3.6rc4 - - 2.3.6rc5 - - 2.3.6rc6 - - 2.3.6rc7 - - 2.3.6rc8 - - 2.3.7 - - 2.3.7.1 - - 2.3.8rc5 severity: -- type: CVSS_V3 - score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + type: CVSS_V3 diff --git a/vulns/zope/PYSEC-2010-32.yaml b/vulns/zope/PYSEC-2010-32.yaml index 1474b2a5..5a47cd9f 100644 --- a/vulns/zope/PYSEC-2010-32.yaml +++ b/vulns/zope/PYSEC-2010-32.yaml 
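Review bot: Unlike the reqmon record rebuilt in the same shape earlier in this series, the wmagent record carries no `versions` list even though the details name exactly the releases affected (1.3.3rc1 and 1.3.3rc2), so consumers that match on enumerated versions rather than the ECOSYSTEM range get nothing. Add `versions:` with `- 1.3.3rc1` and `- 1.3.3rc2` under the package entry, and restore the `purl: pkg:pypi/wmagent` line the hunk drops so the record stays consistent with the swift and plone records that keep theirs.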
@@ -1,95 +1,27 @@ affected: - package: ecosystem: PyPI - name: zope - purl: pkg:pypi/zope + name: Zope ranges: - events: - - introduced: '0' + - introduced: 2.10.0 + - fixed: 2.10.12 + type: ECOSYSTEM +- package: + ecosystem: PyPI + name: Zope + ranges: + - events: + - introduced: 2.11.0 + - fixed: 2.11.7 type: ECOSYSTEM - versions: - - '4.0' - - 4.0b1 - - 4.0b10 - - 4.0b2 - - 4.0b3 - - 4.0b4 - - 4.0b5 - - 4.0b6 - - 4.0b7 - - 4.0b8 - - 4.0b9 - - '4.1' - - 4.1.1 - - 4.1.2 - - 4.1.3 - - '4.2' - - 4.2.1 - - '4.3' - - '4.4' - - 4.4.1 - - 4.4.2 - - 4.4.3 - - 4.4.4 - - '4.5' - - 4.5.1 - - 4.5.2 - - 4.5.3 - - 4.5.4 - - 4.5.5 - - '4.6' - - 4.6.1 - - 4.6.2 - - 4.6.3 - - '4.7' - - '4.8' - - 4.8.1 - - 4.8.10 - - 4.8.11 - - 4.8.2 - - 4.8.3 - - 4.8.4 - - 4.8.5 - - 4.8.6 - - 4.8.7 - - 4.8.8 - - 4.8.9 - - '5.0' - - 5.0a1 - - 5.0a2 - - '5.1' - - 5.1.1 - - 5.1.2 - - '5.10' - - '5.11' - - 5.11.1 - - '5.2' - - 5.2.1 - - '5.3' - - '5.4' - - '5.5' - - 5.5.1 - - 5.5.2 - - '5.6' - - '5.7' - - 5.7.1 - - 5.7.2 - - 5.7.3 - - '5.8' - - 5.8.1 - - 5.8.2 - - 5.8.3 - - 5.8.4 - - 5.8.5 - - 5.8.6 - - '5.9' aliases: - CVE-2010-3198 details: ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions. id: PYSEC-2010-32 -modified: '2024-11-21T14:23:03.519027Z' +modified: '2024-11-25T18:35:18.357593Z' published: '2010-09-08T20:00:00Z' references: - type: FIX @@ -110,4 +42,3 @@ references: url: https://bugs.launchpad.net/zope2/+bug/627988 - type: ADVISORY url: https://bugs.launchpad.net/zope2/+bug/627988 -withdrawn: '2024-11-22T04:37:05Z' From 7639251b79e6251bd840bc80d216966e9834995d Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 25 Nov 2024 13:49:53 -0600 Subject: [PATCH 2/3] fix pre-commit-config merge issues --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
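Review bot: `name: Zope` breaks the convention every other record in this series follows — the lowercase normalized PyPI name, which also matches the directory `vulns/zope/` — and the same hunk removes `purl: pkg:pypi/zope`, so the package is now identified only by a mixed-case string. PyPI itself compares names case-insensitively, but an OSV consumer may compare `package.name` literally, so restore `name: zope` and `purl: pkg:pypi/zope` in both package blocks. As in the swift hunk, the two blocks differ only in their single range and could be one entry whose `ranges:` list holds both `- events:` items.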
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 04b7eff2..5368cde0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -4,7 +4,7 @@ repos:
 hooks:
 - id: check-jsonschema
 files: "^vulns/[a-z0-9_-]+/.+\\.yaml"
- args: [--schemafile, "https://raw.githubusercontent.com/ossf/osv-schema/refs/tags/v1.6.7/validation/schema.json"]
+ args: [--schemafile, "https://raw.githubusercontent.com/ossf/osv-schema/refs/tags/v1.6.7/validation/schema.json", --no-cache]
 - repo: https://github.com/jackdewinter/pymarkdown
 rev: v0.9.25
 hooks:
From ea487102942bffa9268adf1cec37164d9317ff79 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson
Date: Mon, 25 Nov 2024 13:58:24 -0600
Subject: [PATCH 3/3] Remove test vuln record for testing schema validation
---
 vulns/tmp/PYSEC-2024-1.yaml | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 vulns/tmp/PYSEC-2024-1.yaml
diff --git a/vulns/tmp/PYSEC-2024-1.yaml b/vulns/tmp/PYSEC-2024-1.yaml
deleted file mode 100644
index 9ce7649d..00000000
--- a/vulns/tmp/PYSEC-2024-1.yaml
+++ /dev/null
@@ -1 +0,0 @@
-garbage
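Review bot: Adding `--no-cache` makes every pre-commit run re-download the schema from raw.githubusercontent.com, so the hook now fails offline and re-fetches a resource that is pinned only by the git tag `v1.6.7`, which is mutable; whatever that tag points to at run time is what validates the records. Prefer pinning the URL to the commit SHA the tag currently resolves to, or vendor `schema.json` into the repository and point `--schemafile` at the local copy, which removes both the network dependency and the need for `--no-cache`. If the cache was disabled because a cached copy was not refreshed when the pinned ref changed, a vendored copy sidesteps that as well.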