Backfill fix versions where possible from GitHub Security Advisories #211

Merged (3 commits) on Nov 25, 2024
55 changes: 4 additions & 51 deletions vulns/ansible-runner/PYSEC-2022-43067.yaml
@@ -5,74 +5,28 @@ affected:
purl: pkg:pypi/ansible-runner
ranges:
- events:
- introduced: '0'
- introduced: 2.0.0
- fixed: 2.1.0
type: ECOSYSTEM
versions:
- 1.0.1
- 1.0.2
- 1.0.3
- 1.0.4
- 1.0.5
- 1.1.0
- 1.1.1
- 1.1.2
- 1.2.0
- 1.3.0
- 1.3.1
- 1.3.2
- 1.3.3
- 1.3.4
- 1.4.0
- 1.4.1
- 1.4.2
- 1.4.4
- 1.4.5
- 1.4.6
- 1.4.7
- 1.4.8
- 1.4.9
- 2.0.0
- 2.0.0.0a5
- 2.0.0.0b1
- 2.0.0.0rc1
- 2.0.0.0rc2
- 2.0.0.0rc3
- 2.0.0a1
- 2.0.0a2
- 2.0.0a3
- 2.0.0a4
- 2.0.1
- 2.0.2
- 2.0.3
- 2.0.4
- 2.1.0
- 2.1.0.0a1
- 2.1.0.0a2
- 2.1.0.0b1
- 2.1.1
- 2.1.2
- 2.1.3
- 2.1.4
- 2.2.0
- 2.2.1
- 2.2.2
- 2.3.0
- 2.3.1
- 2.3.2
- 2.3.3
- 2.3.4
- 2.3.5
- 2.3.6
- 2.4.0
aliases:
- CVE-2021-3701
- GHSA-wwch-cmqr-hhrm
details: A flaw was found in ansible-runner where the default temporary files configuration
in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker
to pre-create the directory, resulting in reading private information or forcing
ansible-runner to write files as the legitimate user in a place they did not expect.
The highest threat from this vulnerability is to confidentiality and integrity.
id: PYSEC-2022-43067
modified: '2024-11-21T14:22:40.36338Z'
modified: '2024-11-25T18:33:04.123836Z'
published: '2022-08-23T16:15:00Z'
references:
- type: ADVISORY
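Review bot: the new `introduced: 2.0.0` / `fixed: 2.1.0` boundaries interact with PEP 440 pre-release ordering in a way that should be checked against the pruned `versions` list: 2.0.0a1 through 2.0.0a4 and 2.0.0.0a5 through 2.0.0.0rc3 sort before 2.0.0 and so drop out of the range, while 2.1.0.0a1, 2.1.0.0a2 and 2.1.0.0b1 sort before 2.1.0 and stay in. If the GHSA range is meant to cover the 2.0.0 pre-releases (the details text only says the 2.0.0 temp-file defaults are the problem), `introduced: 2.0.0a1` would include them; otherwise a sentence in the PR description stating that pre-releases of the introducing version are intentionally out of range would keep the question from resurfacing.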
@@ -92,4 +46,3 @@ references:
severity:
- score: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
type: CVSS_V3
withdrawn: '2024-11-22T04:37:03Z'
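Review bot: dropping `withdrawn: '2024-11-22T04:37:03Z'` reinstates an advisory that was withdrawn only three days earlier, and the same deletion is made in every file of this PR, yet the title only mentions backfilling fix versions. The PR description should say why these records are being un-withdrawn (presumably the withdrawal followed from the missing fix version that this PR now supplies), because OSV consumers filter on `withdrawn` and will start reporting these IDs again once this merges.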
55 changes: 4 additions & 51 deletions vulns/ansible-runner/PYSEC-2022-43068.yaml
@@ -5,74 +5,28 @@ affected:
purl: pkg:pypi/ansible-runner
ranges:
- events:
- introduced: '0'
- introduced: 2.0.0
- fixed: 2.1.0
type: ECOSYSTEM
versions:
- 1.0.1
- 1.0.2
- 1.0.3
- 1.0.4
- 1.0.5
- 1.1.0
- 1.1.1
- 1.1.2
- 1.2.0
- 1.3.0
- 1.3.1
- 1.3.2
- 1.3.3
- 1.3.4
- 1.4.0
- 1.4.1
- 1.4.2
- 1.4.4
- 1.4.5
- 1.4.6
- 1.4.7
- 1.4.8
- 1.4.9
- 2.0.0
- 2.0.0.0a5
- 2.0.0.0b1
- 2.0.0.0rc1
- 2.0.0.0rc2
- 2.0.0.0rc3
- 2.0.0a1
- 2.0.0a2
- 2.0.0a3
- 2.0.0a4
- 2.0.1
- 2.0.2
- 2.0.3
- 2.0.4
- 2.1.0
- 2.1.0.0a1
- 2.1.0.0a2
- 2.1.0.0b1
- 2.1.1
- 2.1.2
- 2.1.3
- 2.1.4
- 2.2.0
- 2.2.1
- 2.2.2
- 2.3.0
- 2.3.1
- 2.3.2
- 2.3.3
- 2.3.4
- 2.3.5
- 2.3.6
- 2.4.0
aliases:
- CVE-2021-3702
- GHSA-772j-xvf9-qpf5
details: A race condition flaw was found in ansible-runner, where an attacker could
watch for rapid creation and deletion of a temporary directory, substitute their
directory at that name, and then have access to ansible-runner's private_data_dir
the next time ansible-runner made use of the private_data_dir. The highest Threat
out of this flaw is to integrity and confidentiality.
id: PYSEC-2022-43068
modified: '2024-11-21T14:22:40.419413Z'
modified: '2024-11-25T18:33:04.123836Z'
published: '2022-08-23T16:15:00Z'
references:
- type: REPORT
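Review bot: this record receives the same `introduced: 2.0.0` / `fixed: 2.1.0` narrowing as PYSEC-2022-43067, and whichever side of the 2.0.0 boundary the 2.0.0 pre-releases (2.0.0a1 to 2.0.0a4, 2.0.0.0a5 to 2.0.0.0rc3) end up on, the two ansible-runner records should agree, since they share the same affected range and were withdrawn together.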
@@ -90,4 +44,3 @@ references:
severity:
- score: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
type: CVSS_V3
withdrawn: '2024-11-22T04:37:03Z'
41 changes: 2 additions & 39 deletions vulns/apache-iotdb/PYSEC-2022-43069.yaml
@@ -2,53 +2,17 @@ affected:
- package:
ecosystem: PyPI
name: apache-iotdb
purl: pkg:pypi/apache-iotdb
ranges:
- events:
- introduced: '0'
- fixed: 0.13.1
type: ECOSYSTEM
versions:
- 0.10.0
- 0.10.1
- 0.11.0
- 0.11.1
- 0.11.2
- 0.11.3
- 0.11.4
- 0.12.0
- 0.12.1
- 0.12.2
- 0.12.3
- 0.12.4
- 0.12.5
- 0.12.6
- 0.13.0
- 0.13.0.post1
- 0.13.1
- 0.13.2
- 0.13.3
- 0.13.5
- 0.13.5.1
- 0.14.0rc1
- 0.9.0
- 0.9.2
- 0.9.3
- 1.0.0
- 1.0.1
- 1.1.0
- 1.1.2
- 1.2.0
- 1.2.1
- 1.3.0
- 1.3.2
- 1.3.2.post0
- 1.3.3
aliases:
- CVE-2022-38369
details: Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should
upgrade to version 0.13.1 which addresses this issue.
id: PYSEC-2022-43069
modified: '2024-11-21T14:22:40.851901Z'
modified: '2024-11-25T18:33:04.123836Z'
published: '2022-09-05T10:15:00Z'
references:
- type: ARTICLE
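Review bot: `fixed: 0.13.1` agrees with the details text, but the lower bound stays at `introduced: '0'`, so 0.9.0 through 0.12.6 remain in the affected range even though the description names only 0.13.0 as vulnerable. Check whether the GHSA actually states an introduced version: if it gives 0.13.0, narrow the range to match; if it is open-ended, keep the wider range deliberately rather than by default, and say so in the PR description.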
@@ -62,4 +26,3 @@ references:
severity:
- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
type: CVSS_V3
withdrawn: '2024-11-22T04:37:03Z'
7 changes: 2 additions & 5 deletions vulns/api-res-py/PYSEC-2022-43071.yaml
@@ -2,19 +2,17 @@ affected:
- package:
ecosystem: PyPI
name: api-res-py
purl: pkg:pypi/api-res-py
ranges:
- events:
- introduced: '0'
- last_affected: '0.1'
type: ECOSYSTEM
versions:
- '0.1'
aliases:
- CVE-2022-31313
details: api-res-py package in PyPI 0.1 is vulnerable to a code execution backdoor
in the request package.
id: PYSEC-2022-43071
modified: '2024-11-21T14:22:40.957734Z'
modified: '2024-11-25T18:33:04.123836Z'
published: '2022-06-08T20:15:00Z'
references:
- type: REPORT
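Review bot: `last_affected: '0.1'` is the right event type when no fixed release exists, and the quoting matters: an unquoted `0.1` would be loaded by YAML as a float, so the generator must quote every version that parses as a number (as `introduced: '0'` already is). One semantic caveat: `last_affected` tells consumers that anything newer than 0.1 is clean, which for a package whose described problem is a backdoor in its dependency is probably not what is intended; if the GHSA lists no fix, leaving the range open-ended (an `introduced` event only) is the safer encoding.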
@@ -26,4 +24,3 @@ references:
severity:
- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
type: CVSS_V3
withdrawn: '2024-11-22T04:37:03Z'
6 changes: 3 additions & 3 deletions vulns/chia-blockchain/PYSEC-2022-43072.yaml
@@ -6,6 +6,7 @@ affected:
ranges:
- events:
- introduced: '0'
- last_affected: 2.4.4rc3
type: ECOSYSTEM
versions:
- '0.1'
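Review bot: `last_affected: 2.4.4rc3` uses a release candidate as the upper bound, yet the `versions` block in the next hunk lists the final 2.4.4, which sorts after 2.4.4rc3 under PEP 440 and therefore falls outside the affected range. If 2.4.4 is affected (no fix is recorded for this CAT1 issue), the bound should be the latest final release or the range should be left open; if the upstream advisory really ends at the rc, the `- 2.4.4` entry should not be in the affected versions list. Either way, the range and the enumerated list must agree.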
@@ -190,12 +191,12 @@ affected:
- 2.4.3rc1
- 2.4.3rc2
- 2.4.3rc3
- 2.4.4
- 2.4.4rc1
- 2.4.4rc2
- 2.4.4rc3
aliases:
- CVE-2022-36447
- GHSA-pvjg-jwp3-mrj5
details: An inflation issue was discovered in Chia Network CAT1 Standard 1.0.0. Previously
minted tokens minted on the Chia blockchain using the CAT1 standard can be inflated
to an arbitrary extent by any holder of any amount of the token. The total amount
@@ -204,7 +205,7 @@ details: An inflation issue was discovered in Chia Network CAT1 Standard 1.0.0.
is auditable on chain, so maliciously altered coins can potentially be marked by
off-chain observers as malicious.
id: PYSEC-2022-43072
modified: '2024-11-21T14:22:41.861085Z'
modified: '2024-11-25T18:33:04.123836Z'
published: '2022-07-29T21:15:00Z'
references:
- type: ADVISORY
@@ -214,4 +215,3 @@ references:
severity:
- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
type: CVSS_V3
withdrawn: '2024-11-22T04:37:03Z'