From 45aff76b37e145adb447913d7cd5d1d509322359 Mon Sep 17 00:00:00 2001 From: Andrew Foote Date: Thu, 7 Aug 2025 11:27:49 -0400 Subject: [PATCH 1/5] Initial release of dev branch --- ChangeLog.md | 70 +- README.md | 251 +- config/custom-environment-variables.jsonc | 24 + config/default.jsonc | 22 + config/devel.jsonc | 47 + config/prod.jsonc | 17 + docs/BasicSearchManager.md | 12 +- index.ts | 69 +- jest.config.js | 5 +- package-lock.json | 635 +- package.json | 24 +- src/adapters/config/AppConfig.test.int.ts | 73 + src/adapters/config/AppConfig.ts | 79 + .../console/ConsoleInputReader.test.unit.ts | 45 + src/adapters/console/ConsoleInputReader.ts | 60 + .../cveservice/CveService.test.unit.ts | 115 + src/adapters/cveservice/CveService.ts | 116 + src/adapters/cveservice/CveServiceBaseUrl.ts | 32 + .../cveservice/CveServiceCommon.test.unit.ts | 121 + src/adapters/cveservice/CveServiceCreds.ts | 49 + .../cve/CveServiceCveReader.test.int.ts | 87 + .../cve/CveServiceCveReader.test.unit.ts | 156 + .../cveservice/cve/CveServiceCveReader.ts | 135 + .../CveServiceHealthReader.test.int.ts | 28 + .../CveServiceHealthReader.test.unit.ts | 67 + .../healthCheck/CveServiceHealthReader.ts | 33 + src/adapters/fs/CveFsReader.test.ts | 3 +- src/adapters/fs/CveFsReader.ts | 10 +- src/adapters/fs/DirectoryWalker.test.ts | 155 + src/adapters/fs/DirectoryWalker.ts | 89 + src/adapters/fs/FsReader.test.ts | 53 +- src/adapters/fs/FsReader.ts | 72 + src/adapters/fs/FsWriter.test.ts | 65 +- src/adapters/fs/FsWriter.ts | 72 +- .../search/SearchAdapter.test.unit.ts | 19 + src/adapters/search/SearchAdapter.ts | 42 +- src/adapters/search/SearchReader.test.int.ts | 35 +- src/adapters/search/SearchReader.test.unit.ts | 25 +- src/adapters/search/SearchReader.ts | 64 +- src/adapters/zip/Zip.test.e2e.ts | 32 + src/adapters/zip/Zip.ts | 37 + src/commands/DateCommand.ts | 2 +- src/commands/DeltaCommand.ts | 2 +- src/commands/GenericCommand.test.ts | 2 +- src/commands/GenericCommand.ts | 2 +- src/commands/UpdateCommand.test.ts | 46 - src/commands/UpdateCommand.ts | 141 - src/common/Json/Json.test.ts | 6 +- .../comparer}/CveComparer.test.ts | 41 +- src/{core => common/comparer}/CveComparer.ts | 6 +- src/common/comparer/ObjectComparer.test.ts | 2 - src/common/comparer/ObjectComparer.ts | 8 +- src/core/Activity.ts | 6 +- src/core/ActivityLog.test.ts | 2 +- src/core/ActivityLog.ts | 4 +- src/core/Delta.test.ts | 4 +- src/core/Delta.ts | 29 +- src/core/DeltaFs.test.ts | 4 +- src/core/DeltaFs.ts | 48 +- src/core/DeltaLog.test.ts | 4 +- src/core/DeltaLog.ts | 16 +- src/core/git.test.ts | 278 +- src/core/git.ts | 8 +- src/core/gitSync.test.ts | 72 - src/core/search/BasicSearchManager.ts | 104 - src/core/search/SearchRequest.test.unit.ts | 337 - src/{core => cve}/CveCore.test.ts | 4 + src/{core => cve}/CveCore.ts | 6 +- src/{core => cve}/CveCorePlus.test.ts | 19 +- src/{core => cve}/CveCorePlus.ts | 10 +- src/{core => cve}/CveRecord.test.ts | 42 +- src/{core => cve}/CveRecord.ts | 21 +- .../generated/CveRecordV5.test.unit.ts} | 36 +- .../record/generated}/CveRecordV5.ts | 10 +- src/{core => cveId}/CveId.test.ts | 172 +- src/{core => cveId}/CveId.ts | 118 +- src/{core => date}/CveDate.test.ts | 2 +- src/{core => date}/CveDate.ts | 2 +- src/{core => deprecated}/CveListDir.test.ts | 0 src/{core => deprecated}/CveListDir.ts | 6 +- src/{core => deprecated}/fsUtils.test.ts | 0 src/{core => deprecated}/fsUtils.ts | 20 +- src/jest.setup.ts | 19 + src/net/ApiBaseService.ts | 28 - src/net/CveService.test.ts | 107 - src/net/CveService.ts | 162 - src/net/CveUpdater.test.ts | 134 - src/net/CveUpdater.ts | 198 - src/{core => }/result/CveResult.test.int.ts | 6 +- src/{core => }/result/CveResult.test.unit.ts | 1 - src/{core => }/result/CveResult.ts | 2 +- .../search/BasicSearchManager.test.e2e.ts | 90 +- src/search/BasicSearchManager.ts | 71 + src/search/SearchQueryBuilder.test.unit.ts | 79 + src/search/SearchQueryBuilder.ts | 99 + src/search/SearchRequest.test.unit.ts | 437 + src/{core => }/search/SearchRequest.ts | 341 +- src/search/SearchResultData.ts | 24 + .../BasicSearchManager.test.e2e.ts.snap | 235 +- .../SearchQueryBuilder.test.unit.ts.snap} | 158 +- .../SearchRequest.test.unit.ts.snap | 47 + .../search_wildcards.test.e2e.ts.snap | 874 + src/search/test_cases/search_ipv4.test.e2e.ts | 116 + src/search/test_cases/search_urls.test.e2e.ts | 78 + .../test_cases/search_wildcards.test.e2e.ts | 173 + ...veIdsChangedInTimeFrameUnitTestDataP1.json | 7510 ++ ...veIdsChangedInTimeFrameUnitTestDataP2.json | 7510 ++ ...IdsChangedInTimeFrameUnitTestDataP555.json | 9 + ...lCvesChangedInTimeFrameUnitTestDataP1.json | 91602 ++++++++++++++++ ...lCvesChangedInTimeFrameUnitTestDataP2.json | 85215 ++++++++++++++ ...vesChangedInTimeFrameUnitTestDataP555.json | 9 + tsconfig.json | 1 + version.txt | 2 + 113 files changed, 197622 insertions(+), 2502 deletions(-) create mode 100644 config/custom-environment-variables.jsonc create mode 100644 config/default.jsonc create mode 100644 config/devel.jsonc create mode 100644 config/prod.jsonc create mode 100644 src/adapters/config/AppConfig.test.int.ts create mode 100644 src/adapters/config/AppConfig.ts create mode 100644 src/adapters/console/ConsoleInputReader.test.unit.ts create mode 100644 src/adapters/console/ConsoleInputReader.ts create mode 100644 src/adapters/cveservice/CveService.test.unit.ts create mode 100644 src/adapters/cveservice/CveService.ts create mode 100644 src/adapters/cveservice/CveServiceBaseUrl.ts create mode 100644 src/adapters/cveservice/CveServiceCommon.test.unit.ts create mode 100644 src/adapters/cveservice/CveServiceCreds.ts create mode 100644 src/adapters/cveservice/cve/CveServiceCveReader.test.int.ts create mode 100644 src/adapters/cveservice/cve/CveServiceCveReader.test.unit.ts create mode 100644 src/adapters/cveservice/cve/CveServiceCveReader.ts create mode 100644 src/adapters/cveservice/healthCheck/CveServiceHealthReader.test.int.ts create mode 100644 src/adapters/cveservice/healthCheck/CveServiceHealthReader.test.unit.ts create mode 100644 src/adapters/cveservice/healthCheck/CveServiceHealthReader.ts create mode 100644 src/adapters/fs/DirectoryWalker.test.ts create mode 100644 src/adapters/fs/DirectoryWalker.ts create mode 100644 src/adapters/search/SearchAdapter.test.unit.ts create mode 100644 src/adapters/zip/Zip.test.e2e.ts create mode 100644 src/adapters/zip/Zip.ts delete mode 100644 src/commands/UpdateCommand.test.ts delete mode 100644 src/commands/UpdateCommand.ts rename src/{core => common/comparer}/CveComparer.test.ts (85%) rename src/{core => common/comparer}/CveComparer.ts (94%) delete mode 100644 src/core/gitSync.test.ts delete mode 100644 src/core/search/BasicSearchManager.ts delete mode 100644 src/core/search/SearchRequest.test.unit.ts rename src/{core => cve}/CveCore.test.ts (97%) rename src/{core => cve}/CveCore.ts (94%) rename src/{core => cve}/CveCorePlus.test.ts (80%) rename src/{core => cve}/CveCorePlus.ts (93%) rename src/{core => cve}/CveRecord.test.ts (70%) rename src/{core => cve}/CveRecord.ts (88%) rename src/{generated/quicktools/CveRecordV5.test.ts => cve/record/generated/CveRecordV5.test.unit.ts} (75%) rename src/{generated/quicktools => cve/record/generated}/CveRecordV5.ts (89%) rename src/{core => cveId}/CveId.test.ts (59%) rename src/{core => cveId}/CveId.ts (55%) rename src/{core => date}/CveDate.test.ts (97%) rename src/{core => date}/CveDate.ts (98%) rename src/{core => deprecated}/CveListDir.test.ts (100%) rename src/{core => deprecated}/CveListDir.ts (90%) rename src/{core => deprecated}/fsUtils.test.ts (100%) rename src/{core => deprecated}/fsUtils.ts (88%) create mode 100644 src/jest.setup.ts delete mode 100644 src/net/ApiBaseService.ts delete mode 100644 src/net/CveService.test.ts delete mode 100644 src/net/CveService.ts delete mode 100644 src/net/CveUpdater.test.ts delete mode 100644 src/net/CveUpdater.ts rename src/{core => }/result/CveResult.test.int.ts (96%) rename src/{core => }/result/CveResult.test.unit.ts (98%) rename src/{core => }/result/CveResult.ts (98%) rename src/{core => }/search/BasicSearchManager.test.e2e.ts (64%) create mode 100644 src/search/BasicSearchManager.ts create mode 100644 src/search/SearchQueryBuilder.test.unit.ts create mode 100644 src/search/SearchQueryBuilder.ts create mode 100644 src/search/SearchRequest.test.unit.ts rename src/{core => }/search/SearchRequest.ts (65%) create mode 100644 src/search/SearchResultData.ts rename src/{core => }/search/__snapshots__/BasicSearchManager.test.e2e.ts.snap (70%) rename src/{core/search/__snapshots__/SearchRequest.test.unit.ts.snap => search/__snapshots__/SearchQueryBuilder.test.unit.ts.snap} (59%) create mode 100644 src/search/__snapshots__/SearchRequest.test.unit.ts.snap create mode 100644 src/search/test_cases/__snapshots__/search_wildcards.test.e2e.ts.snap create mode 100644 src/search/test_cases/search_ipv4.test.e2e.ts create mode 100644 src/search/test_cases/search_urls.test.e2e.ts create mode 100644 src/search/test_cases/search_wildcards.test.e2e.ts create mode 100644 test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP1.json create mode 100644 test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP2.json create mode 100644 test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP555.json create mode 100644 test/fixtures/adapters/cveservices/getAllCvesChangedInTimeFrameUnitTestDataP1.json create mode 100644 test/fixtures/adapters/cveservices/getAllCvesChangedInTimeFrameUnitTestDataP2.json create mode 100644 test/fixtures/adapters/cveservices/getAllCvesChangedInTimeFrameUnitTestDataP555.json create mode 100644 version.txt diff --git a/ChangeLog.md b/ChangeLog.md index ae36853..7e3899a 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,7 +1,12 @@ # Change Log -## 2.0.0-rc14 - - initial version of `cve-core` as a peer project to other `cve-projects`. Can be used as part of a monorepo +### 2.1.0-rc2 + - wildcard search + - AppConfig to manage hierarchical environment variables and all default values for environment variables (only environment variables for search completed in rc2) + - code refactoring: reorganizing code, general cleaning up for migration to github + +### 2.0.0-rc14 - deployed: 2025-06-05 + - initial version of `cve-core` as a peer project to other `cve-projects`. Can be used as part of a monorepo (e.g., https://github.com/CVEProject/CVE-Search-API/tree/dev) - search using `axios`, NodeJS-native `fetch` and `@opensearch-project/opensearch` libraries - CVE-, CWE-, and CAPAC- IDs - CVE YEAR @@ -12,7 +17,6 @@ - hyphenated words (e.g., "man-in-the-middle") - software names (e.g., "Node.JS", ".NET") - file extension (e.g., "matvar_struct.c") - - repeating non-language characters (e.g., "aaaaa" is ok, but "?????" is replaced by "") - can run as AWS Lambda Layer - new adapters - CVE Services reader @@ -26,18 +30,47 @@ ## Older Milestones from the older `cveUtils`/`cvelist-bulk-download` repositories -Note that the following milestones were in other repositories, which contained a superset of the source code in this npm library. The milestones below are meant only for historic reference, in case a full history of an implementation is needed. +Note that the following milestones were in multiple repositories, and together contained a superset of the source code in this npm library. The milestones below are meant only for historic reference, in case a full history of an implementation is needed. + +### 1.3.0 - deployed only on AWS in 2024-12 for initial search capability (tag `2024-12-06`) + - search using `axios` and `@opensearch-project/opensearch` libraries + - general search for tokenized strings in all fields + - CVE-ID + +### 2.0.0-rc14 + - initial version of `cve-core` as a peer project to other `cve-projects`. Can be used as part of a monorepo (e.g., https://github.com/CVEProject/CVE-Search-API/tree/dev) + - search using `axios`, NodeJS-native `fetch` and `@opensearch-project/opensearch` libraries + - CVE-, CWE-, and CAPAC- IDs + - CVE YEAR + - basic version strings (e.g., "v3.2.5", "v3.2.5-RC1") + - basic IPv4 and IPv6 + - URLs + - compound words (e.g., "docker-compose", "microsoft word") + - hyphenated words (e.g., "man-in-the-middle") + - software names (e.g., "Node.JS", ".NET") + - file extension (e.g., "matvar_struct.c") + - repeating non-language characters (e.g., "aaaaa" is ok, but "?????" is replaced by "") + - can run as AWS Lambda Layer + - new adapters + - CVE Services reader + - CVE Search reader + - CVE file reader + - file reader/writer + - console input for interacting with a user in a CLI + - CveResult class with standardized errors and messages (this version is aimed at the search service) + - object (JSON) comparer using `json-difference` library + - JSON replacer that alphabetizes keys when serializing using JSON.stringify() ### 1.2.0 - deployed 2024-07-18 (tag `2024-07-18_v1.2.0`) - baseline for the `cve-core` npm library - changes for cisa adp, reference ingest - - axios-retry for network retry - - optimized update.yml to use fetch-depth: 1 - - CVES_MAX_ALLOWABLE_CVE_YEAR environment variable set to 2025 - - GIT_MAX_FILESIZE_MB environment variable set to 100 + - `axios-retry` library for network retry + - optimized `update.yml` to use `fetch-depth: 1` + - `CVES_MAX_ALLOWABLE_CVE_YEAR` environment variable set to 2025 + - `GIT_MAX_FILESIZE_MB` environment variable set to 100 - initial refactoring of core classes to separate I/O functions from business logic classes (work in progress) - - minimized 3rd party dependency in IsoDateString class to minimize footprint for AWS Lambda - - import specific lodash functions instead of the full lodash to minimize footprint for AWS Lambda + - minimized 3rd party dependency in IsoDateString class to minimize AWS Lambda footprint + - import specific lodash functions instead of the full lodash to minimize AWS Lambda footprint - dependabot PRs defaults to develop branch - cveUtils/GitLab PR 32 @@ -46,31 +79,30 @@ Note that the following milestones were in other repositories, which contained a - tested but not used on cvelistV5 ### 1.1.0 - 2023-09-26 (tag `2023-09-26_v1.1.0`) - - Delta files in /cves (delta.json and deltaLog.json), replacing recent_activities.json + - Official support for delta files in /cves (delta.json and deltaLog.json), replacing recent_activities.json ### 1.0.0 - 2023-05-26 (tag `2023-04-25_v1.0.0`) - Official version using public domain code in https://github.com/CVEProject/cvelist-bulk-download - ### `Sprint-0` - 2023-04-20 (tag `2023-04-20_initial_cveUtils_on_github`) - - initial version selectively copied from internal MITRE gitlab to https://github.com/hkong-mitre/cvelist-bulk-download - - https://github.com/hkong-mitre/cvelist-bulk-download/commit/207b9f2b82908afbd8d9d2270969f6781f9d39e4 - - (note date is different): https://gitlab.mitre.org/hkong/cve_utils/-/tags/2023-04-25_to_github_hkong-mitre_cvelist_bulk_download + - initial version selectively copied from internal MITRE gitlab to https://github.com/CVEProject/cvelist-bulk-download + - https://github.com/CVEProject/cvelist-bulk-download/commit/207b9f2b82908afbd8d9d2270969f6781f9d39e4 + - note date is slightly different in GitLab tag in cve_utils, but the code is functionly the same: `2023-04-25_to_github_hkong-mitre_cvelist_bulk_download` ### 2023-03-29 - - official version used in GitHub actions that updated /cves when cvelistV5 was announced at CNA Summit 2023 - - https://gitlab.mitre.org/hkong/cve_utils/-/tags/2023-03-29-cveproject_cvelistV5_dist_(similar) + - official version used in GitHub actions that updated `/cves` when cvelistV5 was announced at CNA Summit 2023 + - GitLab tag in cve_utils: `2023-03-29-cveproject_cvelistV5_dist_(similar)` ### 2023-03-10 - code during team code walkthru - - https://gitlab.mitre.org/hkong/cve_utils/-/tags/2023_03_10_code_walkthrough_with_team + - GitLab tag in cve_utils: `2023_03_10_code_walkthrough_with_team` ### 2023-03-06 - first version deployed to cvelistV5 for testing (using `preview_cves` instead of `cves`) - - https://gitlab.mitre.org/hkong/cve_utils/-/tags/2023_03_06_deployed_to_cveproject_cvelistv5 + - GitLab tag in cve_utils: `2023_03_06_deployed_to_cveproject_cvelistv5` ## Additional Information diff --git a/README.md b/README.md index 6d02436..a70a7fe 100644 --- a/README.md +++ b/README.md @@ -2,26 +2,188 @@ ## Overview -This CVE project implements the `cve-core` common library containing the general purpose core classes for interacting with CVEs and CVE services. The intent is for this library to become a public npm package, where it can be used in any Typescript or Javascript (ESM) application to simplify and standardize working with CVEs and CVE services. +This CVE project implements the `cve-core` common library containing the general purpose core classes for interacting with CVEs and services related to CVEs. The intent is for this library to become a public npm package, where it can be used in any Typescript or Javascript (ESM) application to simplify and help standardize working with CVEs and CVE services. ## Versioning -The first version of this library is **version 2.0.0**. This is because the capabilities of this library have already been in use in [cvelistV5](xxxxx), and to preserve the versioning of capabilities, we decided to start this library at 2.0.0. See [the ChangeLog](./ChangeLog.md) for specific details. - -## Usage - -There are 2 ways to use this library: -1. as an npm package (note this is not yet publicly available in version 2.0.0) -2. as a "sibling project import" (this is the only way to use this library in version 2.0.0). This approach is useful when you need to both make changes to `cve-core` and your project, since it allows changing code in either repository without needing to publish a new version. - -### Pre-Requisites - -You only need the following to use or develop this library: -- a modern NodeJS (see `package.json`'s `engines.node` value for supported versions) to develop and/or run this project. The easiest way to do this is to use [nvm](https://github.com/nvm-sh/nvm). -- (optional) [`jq`](https://jqlang.github.io/jq/download/) for working with JSON files +The first version of this library is **version 2.0.0**. This is because the capabilities of this library have already been in use in [cvelistV5](https://github.com/CVEProject/cvelistV5), and to preserve the versioning of capabilities, we decided to start this library at 2.0.0. See [the ChangeLog](./ChangeLog.md) for specific details. + + +# Pre-requisites +#### All functionality is locked behind the following minimum requirements: +- `Node.js` (18+ required, 20+ reccomended.) + - You may want to use [`nvm`](https://github.com/nvm-sh/nvm) (or [nvm for windows](https://github.com/coreybutler/nvm-windows/releases)) to install Node.JS + +#### Some functionality may require additional requirements: +- `Git` + + +#### Optional reccomended requirements: +- `Docker`, for hosting local instaces of external dependencies. + - e.g. [Cve Services](#cve-services) as a local docker container. +- POSIX compliant shell, for cross compatability when running CLI scripts. + - e.g. `Bash`, (or `Git Bash` for Windows) +- [`jq`](https://jqlang.github.io/jq/download/), for working with JSON files. + + + +# Installation +Be sure to install the necessary [prequisites](#pre-requisites) before continuing here. + +There are multiple ways to install the packages. + +
+ +

Option 1: Install via npm

+ +
    +
  1. +
    + Install via npm. + 
    npm install git+https://github.com/CVEProject/[name].git
    +
    +
    2. +
  2. +
    + Setup your .env file. +
      +
    • If you already have an existing .env file:
        +
      • + 
        cat node_modules/[name]/.env-EXAMPLE >> .env
        +
        • + +
      +
    • Or you can start a new .env from scratch with:
        +
      • + 
        cp node_modules/[name]/.env-EXAMPLE .env
        +
        • + +
      +
    • +
      + Edit the variables needed. See the package's README and .env-EXAMPLE for additional comments and + details on each variable. +
      • +
        +
      • Note: You may need to come back to this step later as some variables rely on installing other CVE + Project packages.
        • +
      +
    +
+ +The CVE Project package is now installed! Double check your .env file! + + + +
+ +

Option 2: Build from source

+ +
    +
  1. +
    + Clone the source repository. + 
    git clone https://github.com/CVEProject/[name].git
    +
    +
    2. +
  2. +
    + Enter the newly cloned repository. + 
    cd [name]
    +
    +
    3. +
  3. +
    + Build the package dependencies. + 
    npm i
    +
    +
    4. +
  4. +
    + Setup your .env file. +
      +
    • If you already have an existing .env file: +
        +
      • + 
        cat node_modules/[name]/.env-EXAMPLE >> .env
        +
        • +
      • Or you can start a new .env from scratch with: +
          +
        • + 
          cp node_modules/[name]/.env-EXAMPLE .env
          +
          • +
        +
        • +
      +
      • +
    +
    +
    5. +
  5. +
    + Edit the variables needed. See the package's README and .env-EXAMPLE for additional comments and + details on each + variable. +
      +
    • Note: You may need to come back to this step later as some variables rely on installing other + CVE + Project packages.
      • +
    +
    +
    6. +
  6. +
    + [Optional] Run the tests. + Note that you may need to complete the installation process of other CVE Project packages before you can run + some of the tests. + 
    # For running asynchronously
    npm run test

    # For running synchronously
    npm run test:serial

    # Or run tests and view coverage
    npm run coverage
    # You can find the report file at /coverage/lcov-report/index.html.
    +
    +
    7. +
  7. +
    + Build the project. + 
    npm run build
    +
    +
    8. + The CVE Project package is now installed! Double check your .env file! +
+
+ + + +--- + +## Using the package in code +After installing the package: + +`const CveCore = require('cve-core');` + +or + +`import { * as CveCore } from 'cve-core';` + +then use it + +`CveCore.CveId.isValidCveId('CVE-1999-0001');` + + +## Using the package as a command line: + +Run the following in the command line after installing or building the cve-core package. +``` +npx cves --help +npx cves date +``` +or +``` +./cves.sh --help +./cves.sh date +``` +_To ensure compatability with DOS/Windows based operating systems, we have provided `./cves.bat` as an alternative for `./cves.sh`._ -### External dependencies +---- +# Additional dependencies #### [CVE Services](https://github.com/CVEProject/cve-services) To test or develop for cve-services, you will need to have an instance of CVE Services to point to. @@ -35,38 +197,16 @@ To test or develop for cve-services, you will need to have an instance of CVE Se To test against a local version of cve-services you will need to build the cve-services docker container. [See here for docker build instructions](https://github.com/CVEProject/cve-services/blob/dev/README.md#docker). Note: [If you are developing on windows you may want to check out this comment explaining why your build may not be working](https://github.com/CVEProject/cve-services/issues/1171#issuecomment-2688313720). -### As NPM Package - -This project is not yet set up to be used as an NPM package. - - -### As a "Sibling Project Import" +#### OpenSearch +TBD: Release opensearch info? +inside cve-search repo: +- `docker compose up` +- unzip 1000cves.zip +- `./prep.sh` +- ...? -This setup allows you to work on this library project and the application project simultaneously. It is currently the only way to use this library. -To use it this way, the directory location of this library and that of your application must be maintained in a strict hierarchical fashion as can be seen below. This is because when we run `npm install cve-core` later in the instructions, npm will make a soft link to the files in this repository from ``. - -```bash - -├── cve-core -└── -``` - -1. clone 2 (or more) repositories into a common parent directory (`cveProjects` as an example) - 1. `mkdir cveProjects` - 2. `cd cveProjects` - 3. `git clone git@gitlab.mitre.org:cve-projects/cve-core.git` - 4. `pushd cve-core && git checkout && npm i && popd` (sets cve-core to a modern, stable branch, but you can set to any branch in `cve-core`). Your project may contain a `cve-layers` section in the `package.json` to specify a specific branch needed. If not, use the `develop` branch for a stable version with the latest functionality - 5. `git clone ` - 6. `cd ` -2. set up tokens/secrets/environment variables by making a `.env` file in the root directory. - - Copy `.env-EXAMPLE` as a starting point - - You will need to replace the `` variables with your own credentials for this app to work -3. `npm i` to load dependencies. -4. For development, look at `package.json`'s `scripts` for available `npm` scripts - - of special interest is the `npm run build` command, which builds this project into a single `index.js` file that contains all the necessary code and libraries to run as a Github action or to be used with `cves.sh` as a CLI. This is a useful step to check that the code "compiles" -5. Run `./cves.sh --help`[^1] for help on using the commands. ### Fixtures @@ -78,32 +218,13 @@ There are several fixtures directories in this project: For `src/core/Delta.test.ts` to work properly, do not commit `pretend_github_repository/1970/0xxx/CVE-1970-0999.json`. It is intended to be copied from `fixtures` during testing to test that a new file shows up in the `new` list of an activity's delta. -### Testing - -There are 2 `npm` scripts for running tests. Most of the time, just running - -```bash -npm test -``` +There is also the cve-fixtures repo that is intended for int and e2e testing. You may add files, but you may not modify or remove files once they end up in the cve-fixtures main branch. Keep the size of the cve-fixtures repository small enough where a clone will not take a significant amount of time. -should do it. However, there are times, when tests in `git.test.ts` and `gitSync.test.ts` fail due to the way Jest runs everything in parallel, and some tests in those files will report errors because of race conditions. To mitigate this, run `npm run test` first, and if you get errors in any of the `git` test files, re-run Jest using `npm run test-serial` to run tests in "`runInBand`" (that is, one at a time in serial) mode. This approach is slower, but should solve any race conditions that may occur during testing. ## Environment Variables and Secrets There are 3 CVE-related "secret" environment variables: `CVE_API_KEY`, `CVE_API_ORG`, and `CVE_API_USER`. These need to be defined as specified in the Setup section above. -## Version Conventions - -The version for this library is specified in the `package.json`'s `version` field. The convention is: - - - follow semver for released software: Major.Minor.Patch, e.g., `2.0.4`. - - deviate from semver during development and testing, using the following syntax instead - - the version number that it branched from, appending to it `+feature_YYYY-MM-DD`, e.g., `2.0.0+search_2025-01-24`, where the date is the date that the `npm run build` command was built. For frequently updated code, you can also append `aHH` or `pHH` for AM and PM local timestamps. - - ### History -See [`ChangeLog.md](./ChangeLog.md) for a full history of this project. - -### Footnotes -[^1]: To ensure compatability with DOS/Windows based operating systems, we have provided `./cves.bat` as an alternative for `./cves.sh`. \ No newline at end of file +See [`ChangeLog.md`](./ChangeLog.md) for a full history of this project. diff --git a/config/custom-environment-variables.jsonc b/config/custom-environment-variables.jsonc new file mode 100644 index 0000000..5eb3e85 --- /dev/null +++ b/config/custom-environment-variables.jsonc @@ -0,0 +1,24 @@ +{ + // this file is used by node-config to map a node-config (AppConfig) + // hierarchy of constants to an environment variable + // Note that much of the environment variables mapped here existed for some time + // without AppConfig, this file bridges the historical uses of those with the new + // as we transition to AppConfig + "appConfig": { + // constants for search capability + "search": { + "providerEndpoint": "OpenSearchDomainEndpoint", + "index": "OpenSearchCveIndex", + // allows local development using containers that do not have SSL certs + "allowUnknownSslCerts": "OpenSearchAllowUnknownSslCerts" + }, + // constants for testing node-config + // these values are only used to test node-config in AppConfig.test.int.ts + // DO NOT USE THIS FOR ANYTHING ELSE + "test": { + "appConfigTest": { + "test": "JEST_env_config_test" + } + } + } +} \ No newline at end of file diff --git a/config/default.jsonc b/config/default.jsonc new file mode 100644 index 0000000..7ec5e20 --- /dev/null +++ b/config/default.jsonc @@ -0,0 +1,22 @@ +{ + // Default configuration + // These values are overridable using other *.jsonc (e.g., prod.jsonc) + // as well as using environment variables (e.g., in `.env`) + // - Each configuration is mapped using custom-environment-variables.jsonc to enable environment varialbe overrides. + // - For more information, see cve-core/src/adapters/config/AppConfig.ts + // NOTE for consistency, all values need to be strings for proper type when using .env overrides + "appConfig": { + // constants for search capability + "search": { + // minimum versions for servers that are compatible with current code + "minServer": [ + "elasticsearch:7.10.2", + "opensearch:2.10.0" + ], + // setting this to FALSE (recommended) requires an SSL cert to access the search server + // The only time this should be allowed to be true is when developing or testing + // using containers that do not have SSL certs + "allowUnknownSslCerts": "FALSE" + } + } +} \ No newline at end of file diff --git a/config/devel.jsonc b/config/devel.jsonc new file mode 100644 index 0000000..c2d14ba --- /dev/null +++ b/config/devel.jsonc @@ -0,0 +1,47 @@ +{ + // development configurations + // overrides values specified in default.jsonc, read additional comments there + // and in cve-core/src/adapters/config/AppConfig.ts + // NOTE for consistency, all values need to be strings for proper type when using .env overrides + "appConfig": { + // constants for search capability + "search": { + // minimum versions for servers that are compatible with current code + "minServer": [ + "opensearch:2.10.0" + ], + // URL to reach search server + "providerEndpoint": "https://admin:admin@localhost:9200", + // index on search server related to searching CVEs + "index": "e2e-cve-test-index-1109", + // setting this to FALSE (recommended) requires an SSL cert to access the search server + // The only time this should be allowed to be true is when developing or testing + // using containers that do not have SSL certs + // DO NOT USE THIS IN ANY PUBLIC OR PRODUCTION ENVIRONMENTS + "allowUnknownSslCerts": "TRUE" + }, + // constants for unit, int, e2e testing + "test": { + // constants for testing search capability + "searchTest": { + // many tests for search uses snapshots, which requires CVEs to remain unchanged + // since the live server is updated all the time, a fixture containing fixed CVEs + // is required to keep the test consistent. "fixtures" provides the link + // to the cve-fixtures repository + "fixtures": { + // @todo these constants needs to be in sync in cve-fixtures + // so that testing snapshots are consistent and valid + "name": "fixtures-search-baseline-1086", // release tag + "numCves": "1086" // possible identifier assuming we always add cves to a new release + } + }, + // constants for testing node-config + "appConfigTest": { + // these values are only used to test node-config in AppConfig.test.int.ts + // DO NOT USE THIS FOR ANYTHING ELSE + "two": "2", + "five": "5" + } + } + } +} \ No newline at end of file diff --git a/config/prod.jsonc b/config/prod.jsonc new file mode 100644 index 0000000..d2cab22 --- /dev/null +++ b/config/prod.jsonc @@ -0,0 +1,17 @@ +{ + // production (example) constants + // overrides values specified in default.jsonc, read additional comments there + // and in cve-core/src/adapters/config/AppConfig.ts + // NOTE for consistency, all values need to be strings for proper type when using .env overrides + "appConfig": { + "search": { + "minServer": [ + "elasticsearch:7.10.2", + "opensearch:2.10.0" + ], + "providerEndpoint": "", // preference is to specify this in a (secret) environment variable on production platforms + "index": "", // preference is to specify this in a (secret) environment variable on production platforms + "allowUnknownSslCerts": "FALSE" + } + } +} \ No newline at end of file diff --git a/docs/BasicSearchManager.md b/docs/BasicSearchManager.md index 424cd82..1c05a26 100644 --- a/docs/BasicSearchManager.md +++ b/docs/BasicSearchManager.md @@ -1,15 +1,14 @@ # BasicSearchManager `BasicSearchManager` provides basic facilities for working with an ElasticSearch/OpenSearch instance. It provides the following: -- `search` providing a standardized way to do a search. This method hides the details of how a search is done depending on the user's search text and other input parameters (e.g., when doing faceted search or when all matches are requested, requiring paging). When using this asynchronous method, the returned `CveResult` will contain results from the search, plus possibly notes and errors that were found during data validation and searching. -- `validateSearchText` is a synchronous method that will return a `CveResult` object potentially containing notes and errors. +- `search()` providing a standardized way to do a search. This method hides the details of the different ways a search is carried out in ElasticSearch/OpenSearch using the user's search text and other input parameters (e.g., when doing faceted search or when all matches are requested, requiring paging). When using this asynchronous method, the returned `CveResult` will contain results from the search, plus possibly notes and errors that were found during data validation and searching. In addition, the following associated classes and types are also defined: -- `SearchProviderInfo` --- an object to fully represent a specific index in an ElasticSearch/OpenSearch instance -- `SearchOptions` --- options when searching +- `SearchProviderSpec` --- an object to fully represent a specific index in an ElasticSearch/OpenSearch instance +- `SearchOptions` --- options when searching (e.g., `default_operator`) - `SearchResultData` --- a strongly typed type to facilitate working with search results -For an example of how to use the BasicSearchManager and its associated classes and types, see [BasicSearchManager Examples](#basicsearchmanager-examples). +For examples of how to use the BasicSearchManager see [Simple Search Example](#simple-search-example). ## BasicSearchManager Examples @@ -17,7 +16,8 @@ For an example of how to use the BasicSearchManager and its associated classes a ```typescript import { CveResult } from "cve-core/CveResult.js" -import { SearchResultData, BasicSearchManager } from "cve-core/BasicSearchManager.js"; +import { BasicSearchManager } from "cve-core/BasicSearchManager.js"; +import { SearchResultData } from "cve-core/SearchResultData.js"; const simpleSearch = async () => { const searchManager = new BasicSearchManager({ index: "cve-index-local", diff --git a/index.ts b/index.ts index 012858b..7965f2d 100644 --- a/index.ts +++ b/index.ts @@ -1,52 +1,61 @@ /** - * This is intended to be the main export file for cve-core. + * This is the main export file for cve-core when used as library + * Files that makes up this library should not use this, however, + * and should use relative paths */ // adapters -export * from "./src/adapters/fs/CveFsReader.js" -export * from "./src/adapters/fs/FsReader.js" -export * from "./src/adapters/fs/FsWriter.js" -export * from './src/adapters/search/SearchAdapter.js' -export * from './src/adapters/search/SearchReader.js' +export * from "./src/adapters/config/AppConfig.js"; +export * from './src/adapters/console/ConsoleInputReader.js'; +export * from './src/adapters/cveservice/CveService.js'; +export * from './src/adapters/cveservice/CveServiceBaseUrl.js'; +export * from './src/adapters/cveservice/CveServiceCreds.js'; +export * from './src/adapters/cveservice/cve/CveServiceCveReader.js'; +export * from './src/adapters/cveservice/healthCheck/CveServiceHealthReader.js'; +export * from "./src/adapters/fs/CveFsReader.js"; +export * from "./src/adapters/fs/DirectoryWalker.js"; +export * from "./src/adapters/fs/FsReader.js"; +export * from "./src/adapters/fs/FsWriter.js"; +export * from './src/adapters/search/SearchAdapter.js'; +export * from './src/adapters/search/SearchReader.js'; + // commands -export * from "./src/commands/DateCommand.js" -export * from "./src/commands/GenericCommand.js" -export * from "./src/commands/MainCommands.js" +export * from "./src/commands/DateCommand.js"; +export * from "./src/commands/GenericCommand.js"; +export * from "./src/commands/MainCommands.js"; // common -export * from "./src/common/IsoDate/IsoDateString.js" -export * from "./src/common/Json/Json.js" -export * from "./src/common/comparer/ObjectComparer.js" +export * from "./src/common/IsoDate/IsoDateString.js"; +export * from "./src/common/Json/Json.js"; +export * from "./src/common/comparer/ObjectComparer.js"; // core -export * from "./src/core/result/CveResult.js" -export * from "./src/core/CveId.js"; +export * from "./src/cveId/CveId.js"; export * from "./src/core/Activity.js"; export * from "./src/core/ActivityLog.js"; -export * from "./src/core/CveComparer.js"; -export * from "./src/core/CveCore.js"; -export * from "./src/core/CveCorePlus.js"; -export * from "./src/core/CveDate.js"; -export * from "./src/core/CveId.js"; -export * from "./src/core/CveListDir.js"; -export * from "./src/core/CveRecord.js"; +export * from "./src/common/comparer/CveComparer.js"; +export * from "./src/cve/CveCore.js"; +export * from "./src/cve/CveCorePlus.js"; +export * from "./src/date/CveDate.js"; +export * from "./src/deprecated/CveListDir.js"; +export * from "./src/cve/CveRecord.js"; export * from "./src/core/Delta.js"; export * from "./src/core/DeltaFs.js"; export * from "./src/core/DeltaLog.js"; -export * from "./src/core/fsUtils.js"; +export * from "./src/deprecated/fsUtils.js"; export * from "./src/core/git.js"; +export * from "./src/date/CveDate.js"; -//search -export * from './src/core/search/BasicSearchManager.js' +// cve result +export * from "./src/result/CveResult.js"; -// generated -export * from "./src/generated/quicktools/CveRecordV5.js"; +// search +export * from './src/search/BasicSearchManager.js'; +export * from './src/search/SearchRequest.js'; -// net -export * from "./src/net/ApiBaseService.js"; -export * from "./src/net/CveService.js"; -export * from "./src/net/CveUpdater.js"; +// generated +export * from "./src/cve/record/generated/CveRecordV5.js"; // package info import * as packageJSON from './package.json'; diff --git a/jest.config.js b/jest.config.js index 26e0a05..f22048d 100644 --- a/jest.config.js +++ b/jest.config.js @@ -1,6 +1,6 @@ export default { testEnvironment: 'node', - preset: 'ts-jest/presets/default-esm', + preset: 'ts-jest/presets/js-with-ts-esm', globals: { 'ts-jest': { useESM: true, @@ -22,4 +22,7 @@ export default { '!src/**/*.d.ts', '!src/**/*.d.mts', ], + setupFilesAfterEnv: [ + '/src/jest.setup.ts' + ] }; diff --git a/package-lock.json b/package-lock.json index 86d6671..3beab86 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,13 +1,13 @@ { "name": "cve-core", - "version": "2.0.0-rc14", + "version": "2.1.0-rc2", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "cve-core", - "version": "2.0.0-rc14", - "license": "(CC0)", + "version": "2.1.0-rc2", + "license": "Apache-2.0", "dependencies": { "@commander-js/extra-typings": "^10.0.2", "@opensearch-project/opensearch": "^2.3.1", @@ -15,9 +15,12 @@ "axios": "^1.6.0", "axios-retry": "^4.4.1", "commander": "^10.0.0", + "config": "^4.0.0", "date-fns": "^2.29.3", "date-fns-tz": "^2.0.0", "dotenv": "^16.0.1", + "fetch-retry": "^6.0.0", + "glob": "^11.0.1", "json-difference": "^1.16.1", "lodash.clonedeep": "^4.5.0", "lodash.isequal": "^4.5.0", @@ -27,9 +30,11 @@ "lodash.reduce": "^4.6.0", "lodash.truncate": "^4.4.2", "lodash.unset": "^4.5.2", + "semver": "^7.7.2", "simple-git": "^3.19.1", "ts-pattern": "^4.0.5", - "tslib": "~2.4" + "tslib": "~2.4", + "validator": "^13.15.15" }, "bin": { "cves": "dist/index.js" @@ -37,6 +42,7 @@ "devDependencies": { "@types/jest": "~27.5", "@types/node": "^18.16.0", + "@types/validator": "^13.15.2", "@typescript-eslint/eslint-plugin": "~5.26", "@typescript-eslint/parser": "~5.26", "@vercel/ncc": "^0.36.1", @@ -52,7 +58,7 @@ "typescript": "~4.7" }, "engines": { - "node": ">= 16.20.2 < 21" + "node": ">= 16.20.2 < 22" } }, "node_modules/@ampproject/remapping": { @@ -1084,11 +1090,31 @@ "dev": true, "license": "BSD-3-Clause" }, + "node_modules/@isaacs/balanced-match": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/@isaacs/balanced-match/-/balanced-match-4.0.1.tgz", + "integrity": "sha512-yzMTt9lEb8Gv7zRioUilSglI0c0smZ9k5D65677DLWLtWJaXIS3CqcGyUFByYKlnUj6TkjLVs54fBl6+TiGQDQ==", + "license": "MIT", + "engines": { + "node": "20 || >=22" + } + }, + "node_modules/@isaacs/brace-expansion": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.0.tgz", + "integrity": "sha512-ZT55BDLV0yv0RBm2czMiZ+SqCGO7AvmOM3G/w2xhVPH+te0aKgFjmBvGlL1dH+ql2tgGO3MVrbb3jCKyvpgnxA==", + "license": "MIT", + "dependencies": { + "@isaacs/balanced-match": "^4.0.1" + }, + "engines": { + "node": "20 || >=22" + } + }, "node_modules/@isaacs/cliui": { "version": "8.0.2", "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==", - "dev": true, "license": "ISC", "dependencies": { "string-width": "^5.1.2", @@ -1106,7 +1132,6 @@ "version": "6.1.0", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz", "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==", - "dev": true, "license": "MIT", "engines": { "node": ">=12" @@ -1115,49 +1140,10 @@ "url": "https://github.com/chalk/ansi-regex?sponsor=1" } }, - "node_modules/@isaacs/cliui/node_modules/ansi-styles": { - "version": "6.2.1", - "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", - "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=12" - }, - "funding": { - "url": "https://github.com/chalk/ansi-styles?sponsor=1" - } - }, - "node_modules/@isaacs/cliui/node_modules/emoji-regex": { - "version": "9.2.2", - "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", - "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", - "dev": true, - "license": "MIT" - }, - "node_modules/@isaacs/cliui/node_modules/string-width": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", - "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", - "dev": true, - "license": "MIT", - "dependencies": { - "eastasianwidth": "^0.2.0", - "emoji-regex": "^9.2.2", - "strip-ansi": "^7.0.1" - }, - "engines": { - "node": ">=12" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, "node_modules/@isaacs/cliui/node_modules/strip-ansi": { "version": "7.1.0", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", - "dev": true, "license": "MIT", "dependencies": { "ansi-regex": "^6.0.1" @@ -1169,24 +1155,6 @@ "url": "https://github.com/chalk/strip-ansi?sponsor=1" } }, - "node_modules/@isaacs/cliui/node_modules/wrap-ansi": { - "version": "8.1.0", - "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", - "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", - "dev": true, - "license": "MIT", - "dependencies": { - "ansi-styles": "^6.1.0", - "string-width": "^5.0.1", - "strip-ansi": "^7.0.1" - }, - "engines": { - "node": ">=12" - }, - "funding": { - "url": "https://github.com/chalk/wrap-ansi?sponsor=1" - } - }, "node_modules/@istanbuljs/load-nyc-config": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/@istanbuljs/load-nyc-config/-/load-nyc-config-1.1.0.tgz", @@ -1472,6 +1440,28 @@ } } }, + "node_modules/@jest/reporters/node_modules/glob": { + "version": "7.2.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", + "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", + "deprecated": "Glob versions prior to v9 are no longer supported", + "dev": true, + "license": "ISC", + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.1.1", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + }, + "engines": { + "node": "*" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/@jest/schemas": { "version": "28.1.3", "resolved": "https://registry.npmjs.org/@jest/schemas/-/schemas-28.1.3.tgz", @@ -2041,13 +2031,13 @@ } }, "node_modules/@types/babel__traverse": { - "version": "7.20.7", - "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.20.7.tgz", - "integrity": "sha512-dkO5fhS7+/oos4ciWxyEyjWe48zmG6wbCheo/G2ZnHx4fs3EU6YC6UM8rk56gAjNJ9P3MTH2jo5jb92/K6wbng==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.28.0.tgz", + "integrity": "sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q==", "dev": true, "license": "MIT", "dependencies": { - "@babel/types": "^7.20.7" + "@babel/types": "^7.28.2" } }, "node_modules/@types/estree": { @@ -2136,6 +2126,13 @@ "dev": true, "license": "MIT" }, + "node_modules/@types/validator": { + "version": "13.15.2", + "resolved": "https://registry.npmjs.org/@types/validator/-/validator-13.15.2.tgz", + "integrity": "sha512-y7pa/oEJJ4iGYBxOpfAKn5b9+xuihvzDVnC/OSvlVnGxVg0pOqmjiMafiJ1KVNQEaPZf9HsEp5icEwGg8uIe5Q==", + "dev": true, + "license": "MIT" + }, "node_modules/@types/yargs": { "version": "17.0.33", "resolved": "https://registry.npmjs.org/@types/yargs/-/yargs-17.0.33.tgz", @@ -2437,7 +2434,6 @@ "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", - "dev": true, "license": "MIT", "engines": { "node": ">=8" @@ -2447,7 +2443,6 @@ "version": "4.3.0", "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", - "dev": true, "license": "MIT", "dependencies": { "color-convert": "^2.0.1" @@ -2886,6 +2881,46 @@ "node": ">=12" } }, + "node_modules/cliui/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "dev": true, + "license": "MIT" + }, + "node_modules/cliui/node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dev": true, + "license": "MIT", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/cliui/node_modules/wrap-ansi": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "dev": true, + "license": "MIT", + "dependencies": { + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, "node_modules/co": { "version": "4.6.0", "resolved": "https://registry.npmjs.org/co/-/co-4.6.0.tgz", @@ -2908,7 +2943,6 @@ "version": "2.0.1", "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", - "dev": true, "license": "MIT", "dependencies": { "color-name": "~1.1.4" @@ -2921,7 +2955,6 @@ "version": "1.1.4", "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", - "dev": true, "license": "MIT" }, "node_modules/combined-stream": { @@ -2959,6 +2992,18 @@ "dev": true, "license": "MIT" }, + "node_modules/config": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/config/-/config-4.1.0.tgz", + "integrity": "sha512-uxu0WQTPXwwkR9ZVNQm3ID3f39lWa9HEmppVC6q2HL6sOZszTBL/HGwIHG1dhnWW8006TkhHwZjX6yvAfkXp6Q==", + "license": "MIT", + "dependencies": { + "json5": "^2.2.3" + }, + "engines": { + "node": ">= 20.0.0" + } + }, "node_modules/consola": { "version": "3.4.2", "resolved": "https://registry.npmjs.org/consola/-/consola-3.4.2.tgz", @@ -2980,7 +3025,6 @@ "version": "7.0.6", "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==", - "dev": true, "license": "MIT", "dependencies": { "path-key": "^3.1.0", @@ -3142,13 +3186,12 @@ "version": "0.2.0", "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz", "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==", - "dev": true, "license": "MIT" }, "node_modules/electron-to-chromium": { - "version": "1.5.192", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.192.tgz", - "integrity": "sha512-rP8Ez0w7UNw/9j5eSXCe10o1g/8B1P5SM90PCCMVkIRQn2R0LEHWz4Eh9RnxkniuDe1W0cTSOB3MLlkTGDcuCg==", + "version": "1.5.194", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.194.tgz", + "integrity": "sha512-SdnWJwSUot04UR51I2oPD8kuP2VI37/CADR1OHsFOUzZIvfWJBO6q11k5P/uKNyTT3cdOsnyjkrZ+DDShqYqJA==", "dev": true, "license": "ISC" }, @@ -3166,10 +3209,9 @@ } }, "node_modules/emoji-regex": { - "version": "8.0.0", - "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", - "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", - "dev": true, + "version": "9.2.2", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", + "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", "license": "MIT" }, "node_modules/error-ex": { @@ -3589,6 +3631,13 @@ "url": "https://github.com/sindresorhus/execa?sponsor=1" } }, + "node_modules/execa/node_modules/signal-exit": { + "version": "3.0.7", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz", + "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==", + "dev": true, + "license": "ISC" + }, "node_modules/exit": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/exit/-/exit-0.1.2.tgz", @@ -3764,6 +3813,12 @@ "bser": "2.1.1" } }, + "node_modules/fetch-retry": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/fetch-retry/-/fetch-retry-6.0.0.tgz", + "integrity": "sha512-BUFj1aMubgib37I3v4q78fYo63Po7t4HUPTpQ6/QE6yK6cIQrP+W43FYToeTEyg5m2Y7eFUtijUuAv/PDlWuag==", + "license": "MIT" + }, "node_modules/file-entry-cache": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/file-entry-cache/-/file-entry-cache-6.0.1.tgz", @@ -3839,9 +3894,9 @@ "license": "ISC" }, "node_modules/follow-redirects": { - "version": "1.15.9", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.9.tgz", - "integrity": "sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==", + "version": "1.15.11", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz", + "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==", "funding": [ { "type": "individual", @@ -3862,7 +3917,6 @@ "version": "3.3.1", "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.1.tgz", "integrity": "sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==", - "dev": true, "license": "ISC", "dependencies": { "cross-spawn": "^7.0.6", @@ -3875,19 +3929,6 @@ "url": "https://github.com/sponsors/isaacs" } }, - "node_modules/foreground-child/node_modules/signal-exit": { - "version": "4.1.0", - "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", - "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", - "dev": true, - "license": "ISC", - "engines": { - "node": ">=14" - }, - "funding": { - "url": "https://github.com/sponsors/isaacs" - } - }, "node_modules/form-data": { "version": "4.0.4", "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz", @@ -4023,22 +4064,23 @@ } }, "node_modules/glob": { - "version": "7.2.3", - "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", - "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", - "deprecated": "Glob versions prior to v9 are no longer supported", - "dev": true, + "version": "11.0.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-11.0.3.tgz", + "integrity": "sha512-2Nim7dha1KVkaiF4q6Dj+ngPPMdfvLJEOpZk/jKiUAkqKebpGAWQXAq9z1xu9HKu5lWfqw/FASuccEjyznjPaA==", "license": "ISC", "dependencies": { - "fs.realpath": "^1.0.0", - "inflight": "^1.0.4", - "inherits": "2", - "minimatch": "^3.1.1", - "once": "^1.3.0", - "path-is-absolute": "^1.0.0" + "foreground-child": "^3.3.1", + "jackspeak": "^4.1.1", + "minimatch": "^10.0.3", + "minipass": "^7.1.2", + "package-json-from-dist": "^1.0.0", + "path-scurry": "^2.0.0" + }, + "bin": { + "glob": "dist/esm/bin.mjs" }, "engines": { - "node": "*" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" @@ -4057,6 +4099,21 @@ "node": ">=10.13.0" } }, + "node_modules/glob/node_modules/minimatch": { + "version": "10.0.3", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.0.3.tgz", + "integrity": "sha512-IPZ167aShDZZUMdRk66cyQAW3qr0WzbHkPdMYa8bzZhlHhO3jALbKdxcaak7W9FfT2rZNpQuUu4Od7ILEpXSaw==", + "license": "ISC", + "dependencies": { + "@isaacs/brace-expansion": "^5.0.0" + }, + "engines": { + "node": "20 || >=22" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/globals": { "version": "13.24.0", "resolved": "https://registry.npmjs.org/globals/-/globals-13.24.0.tgz", @@ -4301,7 +4358,6 @@ "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", - "dev": true, "license": "MIT", "engines": { "node": ">=8" @@ -4369,7 +4425,6 @@ "version": "2.0.0", "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", - "dev": true, "license": "ISC" }, "node_modules/istanbul-lib-coverage": { @@ -4454,19 +4509,18 @@ } }, "node_modules/jackspeak": { - "version": "3.4.3", - "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", - "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", - "dev": true, + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-4.1.1.tgz", + "integrity": "sha512-zptv57P3GpL+O0I7VdMJNBZCu+BPHVQUk55Ft8/QCJjTVxrnJHuVuX/0Bl2A6/+2oyR/ZMEuFKwmzqqZ/U5nPQ==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/cliui": "^8.0.2" }, + "engines": { + "node": "20 || >=22" + }, "funding": { "url": "https://github.com/sponsors/isaacs" - }, - "optionalDependencies": { - "@pkgjs/parseargs": "^0.11.0" } }, "node_modules/jest": { @@ -4713,6 +4767,28 @@ "url": "https://github.com/chalk/ansi-styles?sponsor=1" } }, + "node_modules/jest-config/node_modules/glob": { + "version": "7.2.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", + "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", + "deprecated": "Glob versions prior to v9 are no longer supported", + "dev": true, + "license": "ISC", + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.1.1", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + }, + "engines": { + "node": "*" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/jest-config/node_modules/pretty-format": { "version": "28.1.3", "resolved": "https://registry.npmjs.org/pretty-format/-/pretty-format-28.1.3.tgz", @@ -5159,6 +5235,28 @@ "node": "^12.13.0 || ^14.15.0 || ^16.10.0 || >=17.0.0" } }, + "node_modules/jest-runtime/node_modules/glob": { + "version": "7.2.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", + "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", + "deprecated": "Glob versions prior to v9 are no longer supported", + "dev": true, + "license": "ISC", + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.1.1", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + }, + "engines": { + "node": "*" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/jest-snapshot": { "version": "28.1.3", "resolved": "https://registry.npmjs.org/jest-snapshot/-/jest-snapshot-28.1.3.tgz", @@ -5501,7 +5599,6 @@ "version": "2.2.3", "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz", "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==", - "dev": true, "license": "MIT", "bin": { "json5": "lib/cli.js" @@ -5809,7 +5906,6 @@ "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", - "dev": true, "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" @@ -6003,7 +6099,6 @@ "version": "1.0.1", "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", - "dev": true, "license": "BlueOak-1.0.0" }, "node_modules/parent-module": { @@ -6062,7 +6157,6 @@ "version": "3.1.1", "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz", "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==", - "dev": true, "license": "MIT", "engines": { "node": ">=8" @@ -6076,28 +6170,29 @@ "license": "MIT" }, "node_modules/path-scurry": { - "version": "1.11.1", - "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", - "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", - "dev": true, + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-2.0.0.tgz", + "integrity": "sha512-ypGJsmGtdXUOeM5u93TyeIEfEhM6s+ljAhrk5vAvSx8uyY/02OvrZnA0YNGUrPXfpJMgI1ODd3nwz8Npx4O4cg==", "license": "BlueOak-1.0.0", "dependencies": { - "lru-cache": "^10.2.0", - "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" + "lru-cache": "^11.0.0", + "minipass": "^7.1.2" }, "engines": { - "node": ">=16 || 14 >=14.18" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/path-scurry/node_modules/lru-cache": { - "version": "10.4.3", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", - "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", - "dev": true, - "license": "ISC" + "version": "11.1.0", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.1.0.tgz", + "integrity": "sha512-QIXZUBJUx+2zHUdQujWejBkcD9+cs94tLn0+YL8UrCh+D5sCXZ4c7LaEH48pNwRY3MLDgqUFyhlCyjJPf1WP0A==", + "license": "ISC", + "engines": { + "node": "20 || >=22" + } }, "node_modules/path-type": { "version": "4.0.0", @@ -6455,6 +6550,28 @@ "url": "https://github.com/sponsors/isaacs" } }, + "node_modules/rimraf/node_modules/glob": { + "version": "7.2.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", + "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", + "deprecated": "Glob versions prior to v9 are no longer supported", + "dev": true, + "license": "ISC", + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.1.1", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + }, + "engines": { + "node": "*" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/rollup": { "version": "4.46.2", "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.46.2.tgz", @@ -6529,7 +6646,6 @@ "version": "7.7.2", "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz", "integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==", - "dev": true, "license": "ISC", "bin": { "semver": "bin/semver.js" @@ -6542,7 +6658,6 @@ "version": "2.0.0", "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==", - "dev": true, "license": "MIT", "dependencies": { "shebang-regex": "^3.0.0" @@ -6555,18 +6670,22 @@ "version": "3.0.0", "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz", "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", - "dev": true, "license": "MIT", "engines": { "node": ">=8" } }, "node_modules/signal-exit": { - "version": "3.0.7", - "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz", - "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==", - "dev": true, - "license": "ISC" + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", + "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", + "license": "ISC", + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } }, "node_modules/simple-git": { "version": "3.28.0", @@ -6666,18 +6785,20 @@ } }, "node_modules/string-width": { - "version": "4.2.3", - "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", - "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", - "dev": true, + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", + "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", "license": "MIT", "dependencies": { - "emoji-regex": "^8.0.0", - "is-fullwidth-code-point": "^3.0.0", - "strip-ansi": "^6.0.1" + "eastasianwidth": "^0.2.0", + "emoji-regex": "^9.2.2", + "strip-ansi": "^7.0.1" }, "engines": { - "node": ">=8" + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" } }, "node_modules/string-width-cjs": { @@ -6685,7 +6806,6 @@ "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", - "dev": true, "license": "MIT", "dependencies": { "emoji-regex": "^8.0.0", @@ -6696,11 +6816,43 @@ "node": ">=8" } }, + "node_modules/string-width-cjs/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "license": "MIT" + }, + "node_modules/string-width/node_modules/ansi-regex": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz", + "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==", + "license": "MIT", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-regex?sponsor=1" + } + }, + "node_modules/string-width/node_modules/strip-ansi": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", + "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", + "license": "MIT", + "dependencies": { + "ansi-regex": "^6.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/strip-ansi?sponsor=1" + } + }, "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", - "dev": true, "license": "MIT", "dependencies": { "ansi-regex": "^5.0.1" @@ -6714,7 +6866,6 @@ "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", - "dev": true, "license": "MIT", "dependencies": { "ansi-regex": "^5.0.1" @@ -6820,6 +6971,29 @@ "url": "https://github.com/sponsors/isaacs" } }, + "node_modules/sucrase/node_modules/jackspeak": { + "version": "3.4.3", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", + "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", + "dev": true, + "license": "BlueOak-1.0.0", + "dependencies": { + "@isaacs/cliui": "^8.0.2" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + }, + "optionalDependencies": { + "@pkgjs/parseargs": "^0.11.0" + } + }, + "node_modules/sucrase/node_modules/lru-cache": { + "version": "10.4.3", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", + "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", + "dev": true, + "license": "ISC" + }, "node_modules/sucrase/node_modules/minimatch": { "version": "9.0.5", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", @@ -6836,6 +7010,23 @@ "url": "https://github.com/sponsors/isaacs" } }, + "node_modules/sucrase/node_modules/path-scurry": { + "version": "1.11.1", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", + "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", + "dev": true, + "license": "BlueOak-1.0.0", + "dependencies": { + "lru-cache": "^10.2.0", + "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" + }, + "engines": { + "node": ">=16 || 14 >=14.18" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/supports-color": { "version": "7.2.0", "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz", @@ -6908,6 +7099,28 @@ "node": ">=8" } }, + "node_modules/test-exclude/node_modules/glob": { + "version": "7.2.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", + "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", + "deprecated": "Glob versions prior to v9 are no longer supported", + "dev": true, + "license": "ISC", + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.1.1", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + }, + "engines": { + "node": "*" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/text-table": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/text-table/-/text-table-0.2.0.tgz", @@ -7327,6 +7540,15 @@ "dev": true, "license": "MIT" }, + "node_modules/validator": { + "version": "13.15.15", + "resolved": "https://registry.npmjs.org/validator/-/validator-13.15.15.tgz", + "integrity": "sha512-BgWVbCI72aIQy937xbawcs+hrVaN/CZ2UwutgaJ36hGqRrLNM+f5LUT/YPRbo8IV/ASeFzXszezV+y2+rq3l8A==", + "license": "MIT", + "engines": { + "node": ">= 0.10" + } + }, "node_modules/walker": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/walker/-/walker-1.0.8.tgz", @@ -7360,7 +7582,6 @@ "version": "2.0.2", "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", - "dev": true, "license": "ISC", "dependencies": { "isexe": "^2.0.0" @@ -7383,18 +7604,17 @@ } }, "node_modules/wrap-ansi": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", - "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", - "dev": true, + "version": "8.1.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", + "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", "license": "MIT", "dependencies": { - "ansi-styles": "^4.0.0", - "string-width": "^4.1.0", - "strip-ansi": "^6.0.0" + "ansi-styles": "^6.1.0", + "string-width": "^5.0.1", + "strip-ansi": "^7.0.1" }, "engines": { - "node": ">=10" + "node": ">=12" }, "funding": { "url": "https://github.com/chalk/wrap-ansi?sponsor=1" @@ -7405,7 +7625,6 @@ "version": "7.0.0", "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", - "dev": true, "license": "MIT", "dependencies": { "ansi-styles": "^4.0.0", @@ -7419,6 +7638,65 @@ "url": "https://github.com/chalk/wrap-ansi?sponsor=1" } }, + "node_modules/wrap-ansi-cjs/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "license": "MIT" + }, + "node_modules/wrap-ansi-cjs/node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "license": "MIT", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/wrap-ansi/node_modules/ansi-regex": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz", + "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==", + "license": "MIT", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-regex?sponsor=1" + } + }, + "node_modules/wrap-ansi/node_modules/ansi-styles": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", + "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", + "license": "MIT", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/wrap-ansi/node_modules/strip-ansi": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", + "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", + "license": "MIT", + "dependencies": { + "ansi-regex": "^6.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/strip-ansi?sponsor=1" + } + }, "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", @@ -7440,6 +7718,13 @@ "node": "^12.13.0 || ^14.15.0 || >=16.0.0" } }, + "node_modules/write-file-atomic/node_modules/signal-exit": { + "version": "3.0.7", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz", + "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==", + "dev": true, + "license": "ISC" + }, "node_modules/y18n": { "version": "5.0.8", "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", @@ -7486,6 +7771,28 @@ "node": ">=12" } }, + "node_modules/yargs/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "dev": true, + "license": "MIT" + }, + "node_modules/yargs/node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dev": true, + "license": "MIT", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, "node_modules/yocto-queue": { "version": "0.1.0", "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz", diff --git a/package.json b/package.json index 9f962f3..cf2c8bb 100644 --- a/package.json +++ b/package.json @@ -1,14 +1,15 @@ { "name": "cve-core", - "version": "2.0.0-rc14", + "version": "2.1.0-rc2", "description": "CVE npm package for working with CVEs", "type": "module", "engines": { - "node": ">= 16.20.2 < 21" + "node": ">= 16.20.2 < 22" }, "devDependencies": { "@types/jest": "~27.5", "@types/node": "^18.16.0", + "@types/validator": "^13.15.2", "@typescript-eslint/eslint-plugin": "~5.26", "@typescript-eslint/parser": "~5.26", "@vercel/ncc": "^0.36.1", @@ -36,14 +37,14 @@ "build:pkg:esm": "npx tsup ./index.ts --format esm --dts --clean --sourcemap --out-dir lib-esm", "build:awslayer": "npm i && npm run build:pkg && rimraf node_modules package-lock.json && npm i --omit=dev", "lint": "eslint . --ext .ts --ext .mts", - "test": "jest --watch", - "test:serial": "jest --runInBand --watch", - "test:downstream": "npm --prefix ../cve-pkg-tester run test", + "test": "NODE_CONFIG_ENV=devel jest --watch", + "test:serial": "NODE_CONFIG_ENV=devel jest --runInBand --watch", + "test:downstream": "NODE_CONFIG_ENV=devel npm --prefix ../cve-pkg-tester run test", "prettier": "prettier --config .prettierrc --write .", "prep:publish": "npm pack --dry-run", "coverage": "jest --coverage" }, - "license": "(CC0)", + "license": "Apache-2.0", "dependencies": { "@commander-js/extra-typings": "^10.0.2", "@opensearch-project/opensearch": "^2.3.1", @@ -51,9 +52,12 @@ "axios": "^1.6.0", "axios-retry": "^4.4.1", "commander": "^10.0.0", + "config": "^4.0.0", "date-fns": "^2.29.3", "date-fns-tz": "^2.0.0", "dotenv": "^16.0.1", + "fetch-retry": "^6.0.0", + "glob": "^11.0.1", "json-difference": "^1.16.1", "lodash.clonedeep": "^4.5.0", "lodash.isequal": "^4.5.0", @@ -63,9 +67,11 @@ "lodash.reduce": "^4.6.0", "lodash.truncate": "^4.4.2", "lodash.unset": "^4.5.2", + "semver": "^7.7.2", "simple-git": "^3.19.1", "ts-pattern": "^4.0.5", - "tslib": "~2.4" + "tslib": "~2.4", + "validator": "^13.15.15" }, "volta": { "node": "16.13.0" @@ -75,8 +81,8 @@ "Howard Kong ", "Noah Jaffe ", "Ann Tu Linh ", - "Andrew Foote ", - "Jeremy Daigneau " + "Jeremy T Daigneau ", + "Andrew Foote " ], "files": [ "lib-esm", diff --git a/src/adapters/config/AppConfig.test.int.ts b/src/adapters/config/AppConfig.test.int.ts new file mode 100644 index 0000000..63adc80 --- /dev/null +++ b/src/adapters/config/AppConfig.test.int.ts @@ -0,0 +1,73 @@ +/** + * tests for AppConfig and working with node-config library + */ + +import config from 'config'; +import { AppConfig } from './AppConfig.js'; +import { Json } from '../../common/Json/Json.js' + +describe(`AppConfig`, () => { + + + it(`config correctly returns proper config`, async () => { + // console.log(`config: ${JSON.stringify(config, null, 2)}`); + // this test relies on devel having appConfig.search.index + const hasIndex = config.has('appConfig.search.index'); + expect(hasIndex).toBeTruthy(); + const index = config.get('appConfig.search.index'); + // console.log(`info: ${JSON.stringify(info, null, 2)}`) + // expect(index).toBe('fixtures-search-baseline-1008'); + expect(config.get('appConfig.search.minServer').length).toBe(1); + }); + + + it(`has() correctly returns`, async () => { + // const appConfig = new AppConfig() + const hasIndex = AppConfig.has('search.index'); + expect(hasIndex).toBeTruthy(); + expect(hasIndex).toBe(config.has('appConfig.search.index')); + expect(AppConfig.has('abc')).toBeFalsy(); + }); + + + it(`get() correctly returns value when key path is defined`, async () => { + // const appConfig = new AppConfig() + const index = AppConfig.get('search.index'); + expect(index).toBe(config.get('appConfig.search.index')); + }); + + + it(`get() correctly throws when key path is not defined`, async () => { + // const appConfig = new AppConfig() + expect(() => AppConfig.get('abc')).toThrow('Configuration property "appConfig.abc" is not defined'); + }); + + + it(`get() correctly gets .env specified vars even when they are not defined anywhere else`, async () => { + // console.log(`config: ${JSON.stringify(config, Json.normalizingReplacer, 2)}`); + if (AppConfig.has('test.appConfigTest.test')) { + expect(AppConfig.has('test.appConfigTest.none')).toBeFalsy(); // purposely not defined anywhere + expect(AppConfig.has('test.appConfigTest.test')).toBeTruthy(); // should be mapped from env var if defined + expect(AppConfig.has('test.appConfigTest.JEST_env_config_test')).toBeFalsy(); // it is mapped to test + expect(AppConfig.get('test.appConfigTest.test')).toBe('111'); + expect(AppConfig.get('test.appConfigTest.two')).toBe('2'); + } + else { + console.log(`skipped 1 test because 'JEST_env_config_test' is not defined in .env`); + } + }); + + + it(`set() correctly sets a new variable`, async () => { + const concatenatedValue = `${AppConfig.get('test.appConfigTest.five')} | ${AppConfig.get('test.appConfigTest.two')}`; + AppConfig.set('abc_xyz', concatenatedValue); + AppConfig.set('abc-xyz', concatenatedValue); + // console.log(`config: ${JSON.stringify(config,null,2)}`) + // console.log(`config: ${JSON.stringify(config, Json.normalizingReplacer, 2)}`) + expect(AppConfig.has('abc_xyz')).toBeTruthy(); + expect(AppConfig.get('abc_xyz')).toBe(concatenatedValue); + expect(AppConfig.get('abc-xyz')).toBe("5 | 2"); + }); + +}) + diff --git a/src/adapters/config/AppConfig.ts b/src/adapters/config/AppConfig.ts new file mode 100644 index 0000000..e0fff52 --- /dev/null +++ b/src/adapters/config/AppConfig.ts @@ -0,0 +1,79 @@ +import 'dotenv/config'; +import config from 'config' + + +/** + * Class that handles appliation configurations in a consistent way across the devOps spectrum, + * including development, testing, and production. Default values are handled in "as low a level + * as possible" (see Order of overrides below), and the key(path) is unique across the app. + * + * Because environment variables are the "last resort" for constants, AppConfig is backwards- + * compatible with values set in older versions of cve-core (and cveUtil), which used environment + * variables exclusively. + * + * - uses the npm package node-confg + * which uses a system of file overrides + .env + * to specify constants for use in cve-core + * - adds ability to store additional key/value pairs + * so that configurations can be made up of + * manipulations of values in node-config, e.g., + * concatenate 2 values and adding a counter + * - getSecret() (not implemented) gets secrets using + * AWS SecretManager or .env. + * Order of overrides: + * 1. envionment variables (including .env and bash/AWS/GitHub environment variables) <-- mapped using `custom-environment-variables.json` + * 2. AWS SecretManager (not implemented) + * 3. .json <-- preferred over NODE_CONFIG + * 4. .json + * 5. `default.json` + * In general, set variables in as low a level as possible, moving + * up only where necessary. For example, for search + * - min server versions applies to all instances due to feature support, + * so `minVersion` is defined in `default.json` + * - `providerEndpoint` and `index` is different everywhere, so it is defined in each `.json` + */ +export class AppConfig { + + static _singleton = new AppConfig() + // static _sVariables = {} + + private constructor() { + process.env['ALLOW_CONFIG_MUTATIONS']="true"; + } + + static has(path:string): boolean { + return config.has(`appConfig.${path}`) + } + + + /** returns the appConfig.$path as a string + * the reason this function returns only strings + * is because if an appConfig is overridden + * by an environment variable in a .env file, the + * response will always be a string, even though + * it is a number in the ./config files. + */ + static get(path:string): string { + return (config.get(`appConfig.${path}`)) as string + } + + /** @todo: gets a secret from AWS SecretManager or .env (in that order) + * - does not add to config + * - it is the responsibility of the caller to keep the secret string secret + */ + // static getSecret(secretKey:string): string {} + + + /** sets `"path": "value"` to config, specifically, to `appConfig.path` + * Note this does not actually change the values in the file, but only in + * the in-memory "cache" + * @param path the path to the key in appConfig. Do not use `{}:.;` in the key name, + * as it will confuse node_config. You should only use alphanumerics + * and `_` or `-` for the key name. All keys are at the same level under + * `appConfig` + */ + static set(path:string, value: string): void { + config.appConfig[path]=value + // AppConfig._sVariables[path] = variable + } +} \ No newline at end of file diff --git a/src/adapters/console/ConsoleInputReader.test.unit.ts b/src/adapters/console/ConsoleInputReader.test.unit.ts new file mode 100644 index 0000000..c4ebdbf --- /dev/null +++ b/src/adapters/console/ConsoleInputReader.test.unit.ts @@ -0,0 +1,45 @@ +import { ConsoleInputReader } from './ConsoleInputReader.js'; + +// mock readline so that we don't need to wait for user input and we don't spam console with output. +let sendLine: (line: string) => void; +let sendClose: () => void; + +jest.mock("readline", () => { + return { + createInterface: () => { + return { + on: (event: string, callback: (...args: any) => void) => { + switch (event) { + case "line": + sendLine = callback; + break; + case "close": + sendClose = callback; + break; + } + }, + }; + }, + }; +}); + +describe(`ConsoleInputReader`, () => { + afterEach(() => { + jest.restoreAllMocks(); + }); + + it("prompt returns values restricted to the validator function", async () => { + // Note that this does not test that readline works as it requires user input and that would be annoying to test. + const ci = new ConsoleInputReader(); + const mockedAsk = jest.fn(); + const validator = (str: string) => { return new Set(['y', 'n']).has(str.toString().trim().toLowerCase()); }; + mockedAsk.mockImplementationOnce(() => 'No'); // expect to ask again after this invalid input + mockedAsk.mockImplementationOnce(() => 'hello world'); // expect to ask again after this invalid input + mockedAsk.mockImplementationOnce(() => 'Y'); // expect to return this valid input + ci['ask'] = mockedAsk; + const actualResult = await ci.prompt('\n\r> are you human? [y/n]', validator); + expect(actualResult).toEqual('Y'); + expect(validator(actualResult.toString())).toBeTruthy(); + expect(ci['ask']).toHaveBeenCalledTimes(3); + }); +}); \ No newline at end of file diff --git a/src/adapters/console/ConsoleInputReader.ts b/src/adapters/console/ConsoleInputReader.ts new file mode 100644 index 0000000..adada53 --- /dev/null +++ b/src/adapters/console/ConsoleInputReader.ts @@ -0,0 +1,60 @@ +import { createInterface, Interface as ReadlineInterface, ReadLineOptions } from 'readline'; + +/** Reader adapter for interacting with the user in a CLI application */ +export class ConsoleInputReader { + protected interactive: ReadlineInterface; + private _opts: Partial; + /** + * Creates an object that allows for user interaction. + * @param options {@link https://nodejs.org/api/readline.html#readlinecreateinterfaceoptions readline.createInterface options} + * @param opts.input {@link NodeJS.ReadableStream} an input stream. defaults to process.stdin. + * @param opts.output {@link NodeJS.WritableStream} an output stream. defaults to process.stdout. + */ + constructor(options?: Partial) { + if (!options) { + options = {}; + } + if (!options.input) { + options.input = process.stdin; + } + if (!options.output) { + options.output = process.stdout; + } + this._opts = options; + this.interactive = createInterface(options as ReadLineOptions); + } + + async prompt(question, inputValidator: Function = (s: string) => true) { + const tmp = new Object(); + let result = tmp; + while (result == tmp) { + const resp = await this.ask(question); + try { + if (inputValidator(resp)) { + result = resp; + } + } catch { + // assume it is not a valid expected value + } + } + return result; + } + + /** Print a message to the output without expecting an input action. */ + print(val: undefined | null | string | Buffer, eol: string = '\n') { + this.interactive.write(val); + this.interactive.write(eol); + } + + close() { + this.interactive.close(); + } + + private async ask(question) { + return new Promise((resolve) => { + this.interactive.question(question, (answer) => { + resolve(answer); + }); + }); + } +} \ No newline at end of file diff --git a/src/adapters/cveservice/CveService.test.unit.ts b/src/adapters/cveservice/CveService.test.unit.ts new file mode 100644 index 0000000..72a4f6b --- /dev/null +++ b/src/adapters/cveservice/CveService.test.unit.ts @@ -0,0 +1,115 @@ +import { CveService } from './CveService.js'; +import { CveServiceCreds } from './CveServiceCreds.js'; +import { CveServiceBaseUrl } from './CveServiceBaseUrl.js'; + +class CveServiceTestInstance extends CveService { }; +describe(`CveService`, () => { + + const kTestCveServicesUrl = process.env.TEST_CVE_SERVICES_URL as string; + + const kTestCveApiOrg = process.env.TEST_CVE_API_ORG as string; + const kTestCveApiUser = process.env.TEST_CVE_API_USER as string; + const kTestCveApiKey = process.env.TEST_CVE_API_KEY as string; + + const kTestCreds1 = new CveServiceCreds(kTestCveApiOrg, kTestCveApiUser, kTestCveApiKey); + + // Responses + const createError = async (a: string) => new Error(a); + const createResponse = async (a: string) => ({ ok: true, status: 200, text: async () => { return a; } }) as Response; + + + it(`constructor`, async () => { + const testEndpoint = '/api-docs'; + let baseUrl = new CveServiceBaseUrl(kTestCveServicesUrl, testEndpoint); + let obj: CveServiceTestInstance | null = null; + expect(() => { obj = new CveServiceTestInstance(baseUrl, kTestCreds1); }).not.toThrowError(); + expect(obj?.['endpoint']).toMatchObject(baseUrl); + }); + + it(`fetch can be mocked properly`, async () => { + const fetchSpyGlobal = jest.spyOn(global, 'fetch'); + let result; + try { + result = await fetch('http://localhost:3000/api-docs'); + result = await result?.text(); + } catch (e) { + result = await e; + } + fetchSpyGlobal.mockRejectedValueOnce(createError('1')); + let respOkText = 'first ok'; + fetchSpyGlobal.mockResolvedValueOnce(createResponse(respOkText)); + result = null; + try { + result = await fetch('https://www.example.com/ok'); + result = await result.text(); + } catch (e) { + result = await e; + } + expect(result).toBeInstanceOf(Error); + result = null; + try { + result = await fetch('https://www.example.com/ok'); + result = await result.text(); + } catch (e) { + result = await e; + } + expect(result).toBe(respOkText); + + fetchSpyGlobal.mockRestore(); + }); + + it(`_fetchRetry can be mocked properly`, async () => { + // NOTE: we don't check the retry logic, we just check the fact that we can pretend what returns from it. + const reader = new CveServiceTestInstance(new CveServiceBaseUrl(kTestCveServicesUrl, '/api-docs'), kTestCreds1); + const fetchRetrySpy = jest.spyOn(reader, '_fetchRetry'); + const fetchSpyGlobal = jest.spyOn(global, 'fetch'); + const retryOnFunc1 = jest.fn((attempt, error, response: any): boolean => { + // retry one more time after the first attempt + return attempt == 0; + }); + let response1; + try { + response1 = await reader._fetchRetry( + 'http://localhost:3000/api-docs', + { + method: 'GET', + retryOn: retryOnFunc1, + retryDelay: () => 1, + }); + } catch (err) { + response1 = err; + } + // we expect the retry count to be two, first for the first attempt where `attempt == 0` is true, + // then a second after the second attempt where attempt == 1 + // test that we can spy on the retry fetch and retry on funcs and + expect(fetchRetrySpy).toBeCalledTimes(1); + expect(retryOnFunc1).toBeCalledTimes(2); + expect(fetchSpyGlobal).toBeCalledTimes(0); + const retryOnFunc2 = jest.fn((attempt, error, response: any): boolean => { + // retry one more time after the first attempt + return attempt == 0; + }); + // test that we can mock the retry returns + const passingValContentStr = `"sample text"`; + const cveGetFilteredPassing = jest.fn(async () => createResponse(passingValContentStr)); + + fetchRetrySpy.mockResolvedValueOnce(cveGetFilteredPassing()); + let response2; + try { + response2 = await (await reader._fetchRetry( + 'http://localhost:3000/api-docs', + { + method: 'GET', + retryOn: retryOnFunc2, + retryDelay: () => 1, + })).text(); + } catch (err) { + response2 = err; + } + expect(response2).toBe(passingValContentStr); + expect(fetchRetrySpy).toBeCalledTimes(2); + // the retry func does not get called any more times because mocking it does not pass through to the actual retry code. + expect(retryOnFunc2).toBeCalledTimes(0); + expect(fetchSpyGlobal).toBeCalledTimes(0); + }); +}); \ No newline at end of file diff --git a/src/adapters/cveservice/CveService.ts b/src/adapters/cveservice/CveService.ts new file mode 100644 index 0000000..6b3c104 --- /dev/null +++ b/src/adapters/cveservice/CveService.ts @@ -0,0 +1,116 @@ +/** + * abstract base class for all CVE REST Service endpoints. + * It provides + * - a holder for credentials and the endpoint for CveServices + * - factories that provide the default implementation for retry capability + * See CveServiceHealthReader for an example of this being used + * + * Notes: + * - the CVE Services API URL, username, password, tokens, etc. + * should only be stored in the project's .env file, which must be defined before running + * - Reference .env.EXAMPLE for the full required set of constants + */ +// dotenv.config() should always be called in main() or wherever the earliest possible opportunity is. +// Since this code is now part of an npm package, and there is no way for us to be sure the npm user has already called dotenv.config(), we're adding it here to prevent unexpected errors. +import * as dotenv from 'dotenv'; +dotenv.config(); + +import { CveServiceCreds } from './CveServiceCreds.js'; +import { CveServiceBaseUrl } from './CveServiceBaseUrl.js'; + +import fetchBuilder from 'fetch-retry'; +export const fetchRetry = fetchBuilder(global.fetch); + +/** + * Keeps track of creds to use for some arbitrary Cve Services endpoint. + */ +export abstract class CveService { + // make fetchRetry available for testing and mocking purposes + public _fetchRetry = fetchRetry; + + /** The Cve Service Base Url for this instance. */ + endpoint: CveServiceBaseUrl; + + /** The Cve Service Credential set to use for this instance. */ + protected creds: CveServiceCreds; + + /** Default max retry attempts (after the first) for HTTP Read requests. */ + MAX_READ_RETRY: number; + + /** + * Initialize Cve Services with a specific endpoint and credential set. + * @param url The Cve Service Base Url for this instance. + * @param creds The Cve Service Credential set to use for this instance. + * @note Creds are required to be explicitly set to help prevent accidental writes to CveServices. + * @todo Seperate creds into "CredSets" so that the user would not need to worry about accidentally leaving the wrong credentials in the .env file. + * - CVE_SERVICES_URL, TEST_CVE_SERVICES_URL + * - CVE_SERVICES_SECRETARIAT_ORG, CVE_SERVICES_SECRETARIAT_USER, CVE_SERVICES_SECRETARIAT_KEY + * - CVE_SERVICES_CNA_READ_ORG, CVE_SERVICES_CNA_READ_USER, CVE_SERVICES_CNA_READ_KEY + * - CVE_SERVICES_WRITE_ORG, CVE_SERVICES_WRITE_USER, CVE_SERVICES_WRITE_KEY + * - TEST_CVE_SERVICES_SECRETARIAT_ORG, TEST_CVE_SERVICES_SECRETARIAT_USER, TEST_CVE_SERVICES_SECRETARIAT_KEY + * - ...etc + */ + constructor(url: CveServiceBaseUrl, creds: CveServiceCreds) { + this.endpoint = url; + this.creds = creds; + + const maxRetry = Number(process.env.CVE_SERVICES_GET_MAX_RETRY); + this.MAX_READ_RETRY = isNaN(maxRetry) ? 0 : Math.max(Number(process.env.CVE_SERVICES_GET_MAX_RETRY), 0); + } + + /** Dynamically generates a fetch-retry `retryOn` function that retries on 429 or 5xx status codes, or other thrown errors and logs the activity to console. + * @note uses this.MAX_READ_RETRY for the maximum number of retry attempts. + * @param url the url we attempted to get. + * @param failFast set to true if you don't want to allow any retry, false if you do want to allow for retry. + * @returns a function you can use for fetch-retry's retryOn. (See CveServiceHealthReader for an example of this being used) + */ + generateRetryOnFunc(url: string, failFast: boolean): (attempt: number, error: Error, response: Response) => Promise { + const retryOn = async (attempt, error, response): Promise => { + // retry on 429 rate limited or 5xx status codes and not over the limit + if (attempt >= this.MAX_READ_RETRY || failFast) { + return false; + } + if (error !== null) { + console.log(`RETRY: (${url}) # ${attempt + 1}/${this.MAX_READ_RETRY} --> ${error.message}`); + return true; + } else if (response.status == 429 || response.status >= 500) { + let errMsg; + try { + errMsg = await response.text(); + errMsg = JSON.parse(errMsg); + } catch (err) { + if (!errMsg) { + errMsg = errMsg; + } + } + console.log(`RETRY: (${url}) # ${attempt + 1}/${this.MAX_READ_RETRY} --> ${errMsg?.['message'] ?? errMsg ?? response.status}`); + return true; + } + return false; + }; + return retryOn; + } + + /** + * Retry delay gives the milliseconds you should wait before attempting another retry. + * When rate limited, it will wait for the rate limit to reset. + * Otherwise it will do an exponential backoff based on the attempt number. + * @returns a function you can use for fetch-retry's retryDelay. (See CveServiceHealthReader for an example of this being used) + */ + generateRetryDelayFunc() { + const retryDelay = (attempt: number, error: Error, response: Response): number => { + if (response?.status == 429) { + // cve-services is rate limited, so wait for the start of the next minute. + let now = new Date(); + now.setMinutes(now.getMinutes() + 1, 0, 100); + const timeToWait = now.getTime() - new Date().getTime(); + return timeToWait; + } else { + // exponential backoff + return 2 ** attempt * 10 * 1000; + } + }; + return retryDelay; + } + +} \ No newline at end of file diff --git a/src/adapters/cveservice/CveServiceBaseUrl.ts b/src/adapters/cveservice/CveServiceBaseUrl.ts new file mode 100644 index 0000000..848a0d0 --- /dev/null +++ b/src/adapters/cveservice/CveServiceBaseUrl.ts @@ -0,0 +1,32 @@ +/** Class that holds the information for a Cve Services endpoint. */ +export class CveServiceBaseUrl { + private hostdomain: string; + private rootpath: string; + /** + * Initialize a base url for a cve service with the given host and endpoint. + * @param url The host domain url (e.g. 'http://localhost:3000' or 'https://cveawg.mitre.org') + * @param rootpath [Optional] the root path for this url (e.g. '/api/cve', '/api/health-check') + */ + constructor(url: string, rootpath?: string) { + // we do not clean url & rootpath. assume valid. + this.hostdomain = url; + this.rootpath = rootpath; + } + /** + * We don't want the host url to ever change after being initialized, so enforce encapsulation. + * @returns the host url (full domain) + */ + getUrl(): string { + return this.hostdomain + (this.rootpath ?? ''); + } + + /** + * this function does a soft check to ensure we don't use the prod server during development + * @returns if the host domain is the production url. + */ + isProd(): boolean { + // @note: subject to change. + const KNOWN_CVEAWG_PROD_DOMAIN_REGEX = /^(https?:\/\/)?\bcveawg\.mitre\.org\/?/gmi; + return !!this.getUrl().match(KNOWN_CVEAWG_PROD_DOMAIN_REGEX); + } +} \ No newline at end of file diff --git a/src/adapters/cveservice/CveServiceCommon.test.unit.ts b/src/adapters/cveservice/CveServiceCommon.test.unit.ts new file mode 100644 index 0000000..3cf2761 --- /dev/null +++ b/src/adapters/cveservice/CveServiceCommon.test.unit.ts @@ -0,0 +1,121 @@ +/** + * Tests for multiple classes: + * CveServiceBaseUrl.ts + * CveServiceCreds.ts + * CveService.ts + * + * These tests use a common set of variables for simplicity. + */ + +import { CveServiceBaseUrl } from './CveServiceBaseUrl.js'; +import { CveServiceCreds } from './CveServiceCreds.js'; +import { CveService } from './CveService.js'; + +describe(`CveService base classes`, () => { + const kTestCveServicesUrl = `https://example.mitre.org`; + const kTestCveServiceExampleRootPath = `/api-docs`; + + const kTestCveApiOrg = 'TestOrg'; + const kTestCveApiUser = 'TestUser'; + const kTestCveApiKey = 'TestKey'; + + describe(`CveServiceBaseUrl`, () => { + + it(`constructor`, async () => { + const url = kTestCveServicesUrl; + const path = kTestCveServiceExampleRootPath; + let obj; + expect(() => { + // should accept the values + obj = new CveServiceBaseUrl(url, path); + }).not.toThrowError(); + expect(obj.rootpath).toBe(path); + expect(obj.hostdomain).toBe(url); + }); + + it(`getUrl`, async () => { + const url = `${kTestCveServicesUrl}/`; + const rootpath = `/${kTestCveServiceExampleRootPath}`; + const objNoPath = new CveServiceBaseUrl(url); + const objWithPath = new CveServiceBaseUrl(url, rootpath); + const expectedNoPath = url; + // expect no cleaning of the data + const expectedWithPath = `${url}${rootpath}`; + + expect(objNoPath.getUrl()).toBe(expectedNoPath); + expect(objWithPath.getUrl()).toBe(expectedWithPath); + }); + + it(`isProd flags 'cveawg.mitre.org' as true.`, async () => { + const expectedPublicDomain = 'cveawg.mitre.org'; + const expectedPassUrl = `https://${expectedPublicDomain}`; + const rootpath = '/api-docs'; + const objNoPath = new CveServiceBaseUrl(expectedPassUrl); + const objWithPath = new CveServiceBaseUrl(expectedPassUrl, rootpath); + expect(objNoPath.isProd()).toBeTruthy(); + expect(objWithPath.isProd()).toBeTruthy(); + + // test is designed this way to test bulk domain values and have the failed tests show the values it failed on. + const fakePublicDomains = ['examplecveawg.mitre.org', 'example-cveawg.mitre.org', 'example.org', 'cveawg.example.org', 'localhost:3000'].flatMap(e => [e, `http://${e}`, `https://${e}`, `https://${e}/`]); + const objsFakeNoPath = fakePublicDomains.map(e => new CveServiceBaseUrl(e)); + // put the expected public domain value as the root path to check for potential false positives + const objsFakeWithPath = fakePublicDomains.map(e => new CveServiceBaseUrl(e, expectedPublicDomain)); + const failedFakeNoPath = objsFakeNoPath.filter(e => e.isProd()); + const failedFakeWithPath = objsFakeWithPath.filter(e => e.isProd()); + expect(failedFakeNoPath).toHaveLength(0); + expect(failedFakeWithPath).toHaveLength(0); + }); + }); + + + describe(`CveServiceCreds`, () => { + it(`constructor`, async () => { + // use fake 'any' pointer to bypass compile time errors. + const CveServiceCredsClass: any = CveServiceCreds; + expect(() => { new CveServiceCredsClass(); }).toThrowError(); + expect(() => { new CveServiceCredsClass(kTestCveApiOrg); }).toThrowError(); + expect(() => { new CveServiceCredsClass(kTestCveApiOrg, kTestCveApiUser); }).toThrowError(); + expect(() => { new CveServiceCredsClass(kTestCveApiOrg, kTestCveApiUser, kTestCveApiKey); }).not.toThrowError(); + + }); + + it(`getAsHeader`, async () => { + // headers require CVE-API-(ORG|USER|KEY) values + const requiredExpectedHeadersMapping = { + 'CVE-API-ORG': kTestCveApiOrg, + 'CVE-API-USER': kTestCveApiUser, + 'CVE-API-KEY': kTestCveApiKey + }; + const creds = new CveServiceCreds( + requiredExpectedHeadersMapping['CVE-API-ORG'], + requiredExpectedHeadersMapping['CVE-API-USER'], + requiredExpectedHeadersMapping['CVE-API-KEY']); + + const actual = creds.getAsHeader(); + // bare minimum it must require the expected key value pairs. + Object.entries(requiredExpectedHeadersMapping).forEach(([k, v]) => { + expect(actual).toHaveProperty(k); + expect(actual[k]).toBe(v); + }); + }); + }); + + + describe(`CveService`, () => { + class kTestAbstractCveService extends CveService { + getcreds() { + // for testing purposes, allow us to cleanly read the protected value + return this.creds; + } + } + + it(`constructor`, async () => { + // expects a url endpoint and a cred set + const csBaseUrl = new CveServiceBaseUrl(kTestCveServicesUrl, kTestCveServiceExampleRootPath); + const cscreds = new CveServiceCreds(kTestCveApiOrg, kTestCveApiUser, kTestCveApiKey); + const cs = new kTestAbstractCveService(csBaseUrl, cscreds); + expect(cs.endpoint).toEqual(csBaseUrl); + expect(cs.getcreds()).toEqual(cscreds); + }); + }); +}); \ No newline at end of file diff --git a/src/adapters/cveservice/CveServiceCreds.ts b/src/adapters/cveservice/CveServiceCreds.ts new file mode 100644 index 0000000..76671ba --- /dev/null +++ b/src/adapters/cveservice/CveServiceCreds.ts @@ -0,0 +1,49 @@ +/** + * Keeps track of a Cve Services credential set. + */ +export class CveServiceCreds { + + /** CVE-API-ORG */ + private org: string; + /** CVE-API-USER */ + private user: string; + /** CVE-API-KEY */ + private key: string; + + /** + * Constructor to initialize an instance with the given org, user, and key. + * @param org (CVE-API-ORG) User's Org shortname + * @param user (CVE-API-USER) User's username + * @param key (CVE-API-KEY) User's key + */ + constructor(org: string, user: string, key: string) { + if (!org || !user || !key) { + // if there is ever a valid case where not all of these are required, + // then you may change this function to reflect that. + // Requiring all values to exist will allow downstream code to catch missing values. + throw new Error('Org, User, and Key are all required at initialization time, not just compile time.'); + } + this.org = org; + this.user = user; + this.key = key; + } + + /* + * @returns Formatted object mapping of headers for an api request. + */ + getAsHeader(): { + "Content-Type": "application/json", + "CVE-API-ORG": string, + "CVE-API-USER": string, + "CVE-API-KEY": string, + "redirect": "follow" + } { + return { + "Content-Type": "application/json", + "CVE-API-ORG": this.org, + "CVE-API-USER": this.user, + "CVE-API-KEY": this.key, + "redirect": "follow" + }; + } +} \ No newline at end of file diff --git a/src/adapters/cveservice/cve/CveServiceCveReader.test.int.ts b/src/adapters/cveservice/cve/CveServiceCveReader.test.int.ts new file mode 100644 index 0000000..6c41eb0 --- /dev/null +++ b/src/adapters/cveservice/cve/CveServiceCveReader.test.int.ts @@ -0,0 +1,87 @@ +import { CveRecord } from '../../../cve/CveRecord.js'; +import { CveServiceCreds } from '../CveServiceCreds.js'; +import { CveServiceCveReader } from './CveServiceCveReader.js'; + +describe(`CveServiceReader - int (${process.env.TEST_CVE_SERVICES_URL ?? process.env.CVE_SERVICES_URL})`, () => { + // We can fall back to CVE_SERVICES_URL because these are read-only tests + const kTestCveServicesUrl = (process.env.TEST_CVE_SERVICES_URL ?? process.env.CVE_SERVICES_URL) as string; + + const kTestCveApiOrg = (process.env.TEST_CVE_API_ORG ?? process.env.CVE_API_ORG) as string; + const kTestCveApiUser = (process.env.TEST_CVE_API_USER ?? process.env.CVE_API_USER) as string; + const kTestCveApiKey = (process.env.TEST_CVE_API_KEY ?? process.env.CVE_API_KEY) as string; + + const kTestCreds1 = new CveServiceCreds(kTestCveApiOrg, kTestCveApiUser, kTestCveApiKey); + + const CVE_SERVICES_TEST_TIMEOUT = 1000 * 60 * 5; // 5 mins for slow networking or low compute power + + // this testing does actually try to fetch from server + afterEach(() => { jest.restoreAllMocks(); }); + afterAll(() => { jest.restoreAllMocks(); }); + + it(`Expect env vars to not be missing or undefined`, async () => { + const CVE_SERVICES_GET_MAX_RETRY = Number(process.env.CVE_SERVICES_GET_MAX_RETRY); + expect(CVE_SERVICES_GET_MAX_RETRY).not.toBeUndefined(); + expect(CVE_SERVICES_GET_MAX_RETRY).toBeGreaterThanOrEqual(0); + // used for validating test server contents. Set to the number of cves in the cves collection. + const TEST_CVE_SERVICES_URL = process.env.TEST_CVE_SERVICES_URL; + expect(TEST_CVE_SERVICES_URL).not.toBeUndefined(); + expect(() => { new URL(TEST_CVE_SERVICES_URL); }).not.toThrowError(); + // CVE_API_ORG or CVE_API_ORG; + expect(kTestCveApiOrg).not.toBeUndefined(); + // TEST_CVE_API_USER or CVE_API_USER; + expect(kTestCveApiUser).not.toBeUndefined(); + // TEST_CVE_API_KEY or CVE_API_KEY; + expect(kTestCveApiKey).not.toBeUndefined(); + + + const CVE_API_ORG = process.env.CVE_API_ORG; + const CVE_API_USER = process.env.CVE_API_USER; + const CVE_API_KEY = process.env.CVE_API_KEY; + if (!CVE_API_ORG || !CVE_API_USER || !CVE_API_KEY) { + console.warn(`Note that the 'CVE_API_ORG', 'CVE_API_USER', and 'CVE_API_KEY' environment variables need to be set for deployment!`); + } + }); + + // @todo: hk: additional test in cmc + + // @todo: hk: additional test in cmc + + it(`getCveUsingId`, async () => { + // @TODO: make independent of cve-services? need to find a way to know a CVE ID exists + const kTestCveId = `CVE-1999-0001`; + const reader = new CveServiceCveReader(kTestCveServicesUrl, kTestCreds1); + let actual = await reader.getCveUsingId(kTestCveId); + // the only data that can be guaranteed is that .cveId field is set properly. + expect(actual).toBeInstanceOf(CveRecord); + expect(actual.cveId).toBe(kTestCveId); + }, CVE_SERVICES_TEST_TIMEOUT); + + // @todo: hk: additional test in cmc + + it(`cveGetSingle can get a cve by id`, async () => { + const kTestCveId = `CVE-1999-0001`; + const reader = new CveServiceCveReader(kTestCveServicesUrl, kTestCreds1); + let actual = await reader.cveGetSingle(kTestCveId); + expect(actual.cveId).toBe(kTestCveId); + }, CVE_SERVICES_TEST_TIMEOUT); + + it(`cveGetSingle throws an error when it fails to get any results.`, async () => { + // mock console.log to prevent console spam + const consoleSpy = jest.spyOn(global.console, 'error'); + consoleSpy.mockImplementation((args) => { return args; }); + + const kTestCveId = `CVE-1998-0001`; + const reader = new CveServiceCveReader(kTestCveServicesUrl, kTestCreds1); + let actual; + try { + actual = await reader.cveGetSingle(kTestCveId); + } catch (err) { + actual = err; + } + expect(actual?.cveId).toBeUndefined(); + expect(actual).toBeInstanceOf(Error); + }, CVE_SERVICES_TEST_TIMEOUT); + + // @todo: hk: additional test in cmc + +}); \ No newline at end of file diff --git a/src/adapters/cveservice/cve/CveServiceCveReader.test.unit.ts b/src/adapters/cveservice/cve/CveServiceCveReader.test.unit.ts new file mode 100644 index 0000000..c7e2885 --- /dev/null +++ b/src/adapters/cveservice/cve/CveServiceCveReader.test.unit.ts @@ -0,0 +1,156 @@ +import { CveId } from '../../../cveId/CveId.js'; +import { CveRecord } from '../../../cve/CveRecord.js'; +import { FsReader } from '../../fs/FsReader.js'; +import { CveServiceCreds } from '../CveServiceCreds.js'; +import { CveServiceCveReader } from './CveServiceCveReader.js'; + +describe(`CveServiceReader - unit`, () => { + /** compile time supported access to private or protected properties and methods. */ + class CveServiceReaderAccessor extends CveServiceCveReader { + public getCve = super.getCve; + public getMaxReadRetry(): number { return this.MAX_READ_RETRY; } + } + + + // unit testing, all communications with the server is mocked, so no real creds are needed. + const kTestCveServicesUrl = 'http://localhost:3000'; + + const kTestCveApiOrg = 'N/A'; + const kTestCveApiUser = 'N/A'; + const kTestCveApiKey = 'N/A'; + + const kTestCredSet1 = new CveServiceCreds(kTestCveApiOrg, kTestCveApiUser, kTestCveApiKey); + + /** + * Only CveServiceReader.getCve needs to have unit tests for errors thrown while getting data. + * All other tests should just need to be testing logic of the function. + * - ensure each function handles expected valid data appropriately, + * - ensure each function handles when it receives an error appropriately? + * or should it actually throw an error and behavior determined by the caller. (outside CveServicesReader) + * or should we throw a simplifed error? + */ + + // true unit testing, do not actually fetch from server, mock the return values + afterEach(() => { jest.restoreAllMocks(); }); + afterAll(() => { jest.restoreAllMocks(); }); + + it(`Constructor`, async () => { + const hostUrl = kTestCveServicesUrl; + const unauthReader = new CveServiceCveReader(hostUrl); + expect(unauthReader.endpoint.getUrl()).toBe(`${hostUrl}/api/cve`); + + const credset = new CveServiceCreds('exampleOrg', 'exampleUser', 'exampleKey'); + const reader = new CveServiceCveReader(hostUrl, credset); + expect(reader.endpoint.getUrl()).toBe(`${hostUrl}/api/cve`); + }); + + it(`Constructor for test subclass and configured env vars`, async () => { + // ensure env vars are setup properly + const hostUrl = kTestCveServicesUrl; + const credset = new CveServiceCreds('exampleOrg', 'exampleUser', 'exampleKey'); + const readerWithAccess = new CveServiceReaderAccessor(hostUrl, credset); + expect(readerWithAccess.endpoint.getUrl()).toBe(`${hostUrl}/api/cve`); + expect(readerWithAccess.getMaxReadRetry()).not.toBeUndefined(); + // if the following line fails, check for the CVE_SERVICES_GET_MAX_RETRY env var + expect(readerWithAccess.getMaxReadRetry()).toBeGreaterThan(0); + }); + + it(`getCveUsingId returns the expected value including on errors`, async () => { + const mockedResponseFileName = 'test/fixtures/adapters/cveservices/getAllCvesChangedInTimeFrameUnitTestDataP1.json'; + const reader = new CveServiceCveReader(kTestCveServicesUrl, kTestCredSet1); + // spy on fetch + const fetchRetrySpy = jest.spyOn(reader, '_fetchRetry'); + // setup mocked return values + const failureVal = { + "error": "MOCKED_CVE_RECORD_DNE", + "message": "MOCKED: The cve record for the cve id does not exist." + }; + const sampleReturnableRecords = {}; + JSON.parse(new FsReader(mockedResponseFileName).readAll())?.cveRecords.forEach(r => sampleReturnableRecords[r.cveMetadata.cveId] = r); + // generated on successful return function + const getCveUsingIdPassing = async (expectedCveId): Promise => ({ ok: true, status: 200, text: async () => JSON.stringify(sampleReturnableRecords[expectedCveId]), json: async () => JSON.stringify(sampleReturnableRecords[expectedCveId]) }) as Response; + const getCveUsingIdFailure404 = async (): Promise => ({ ok: false, status: 404, text: async () => JSON.stringify(failureVal), json: async () => failureVal }) as Response; + + for (const expectedCveId of Object.keys(sampleReturnableRecords)) { + // make fetch return the mocked values + fetchRetrySpy.mockResolvedValueOnce(getCveUsingIdPassing(expectedCveId)); + + // call function to be tested + const actual = await reader.getCveUsingId(expectedCveId); + // verify the mocked cve services was called + expect(fetchRetrySpy).toHaveBeenCalledWith(`${kTestCveServicesUrl}/api/cve/${expectedCveId}`, expect.anything()); + + // CHECK LOGIC HERE: + // the only data that can be guaranteed is that .cveId field is set properly. + expect(actual).toBeInstanceOf(CveRecord); + expect(actual.cveId).toBe(expectedCveId); + } + // validate against invalid CVE ID (invalid as year is too early) + const expectedCveId1 = `CVE-${CveId.getAllYears()[0] - 50}-49922`; + await expect(async () => await reader.getCveUsingId(expectedCveId1)).rejects.toThrow(`Invalid CVE ID: ${expectedCveId1}`); + + const expectedCveId2 = `CVE-1999-100001`; + // validate for case of cve-services failure + fetchRetrySpy.mockRejectedValueOnce(getCveUsingIdFailure404()); + const mockConsoleErrLogger = jest.spyOn(console, "error").mockImplementation(() => { /* do nothing, dont spam console with expected error messages */ }); + // expect the function to throw an error. + await expect(async () => await reader.getCveUsingId(expectedCveId2)).rejects.toThrow(expect.anything()); + mockConsoleErrLogger.mockRestore(); + // verify the mocked cve services was called + expect(fetchRetrySpy).toHaveBeenCalledWith(`${kTestCveServicesUrl}/api/cve/${expectedCveId2}`, expect.anything()); + }); + + it(`cveGetSingle returns the expected value including on errors`, async () => { + const mockedResponseFileName = 'test/fixtures/adapters/cveservices/getAllCvesChangedInTimeFrameUnitTestDataP1.json'; + const reader = new CveServiceCveReader(kTestCveServicesUrl, kTestCredSet1); + // spy on fetch + const fetchRetrySpy = jest.spyOn(reader, '_fetchRetry'); + // setup mocked return values + const failureVal = { + "error": "MOCKED_CVE_RECORD_DNE", + "message": "MOCKED: The cve record for the cve id does not exist." + }; + const sampleReturnableRecords = {}; + JSON.parse(new FsReader(mockedResponseFileName).readAll())?.cveRecords.forEach(r => sampleReturnableRecords[r.cveMetadata.cveId] = r); + // generated on successful return function + const cveGetSinglePassing = async (expectedCveId: string): Promise => ({ ok: true, status: 200, text: async () => JSON.stringify(sampleReturnableRecords[expectedCveId]), json: async () => JSON.stringify(sampleReturnableRecords[expectedCveId]) }) as Response; + const cveGetSingleFailure404 = async (): Promise => ({ ok: false, status: 404, text: async () => JSON.stringify(failureVal), json: async () => failureVal }) as Response; + const mockConsoleErrLogger = jest.spyOn(console, "error").mockImplementation(() => { /* do nothing, dont spam console with expected error messages */ }); + + // eslint-disable-next-line @typescript-eslint/no-unused-vars + for (const expectedCveId of Object.keys(sampleReturnableRecords)) { + // make fetch return the mocked values + fetchRetrySpy.mockResolvedValueOnce(cveGetSinglePassing(expectedCveId)); + + // call function to be tested + const actual = await reader.cveGetSingle(expectedCveId); + // verify the mocked cve services was called + expect(fetchRetrySpy).toHaveBeenCalledWith(`${kTestCveServicesUrl}/api/cve/${expectedCveId}`, expect.anything()); + + // CHECK LOGIC HERE: + // the only data that can be guaranteed is that .cveId field is set properly. + expect(actual).toBeInstanceOf(CveRecord); + expect(actual.cveId).toBe(expectedCveId); + } + + const expectedCveId2 = `CVE-1999-100001`; + // validate for case of cve-services failure + fetchRetrySpy.mockRejectedValueOnce(cveGetSingleFailure404()); + + // expect the function to throw an error. + await expect(async () => await reader.getCveUsingId(expectedCveId2)).rejects.toThrow(`Failed to retrieve CVE ID!`); + mockConsoleErrLogger.mockRestore(); + // verify the mocked cve services was called + expect(fetchRetrySpy).toHaveBeenCalledWith(`${kTestCveServicesUrl}/api/cve/${expectedCveId2}`, expect.anything()); + }); + + it(`cveGetSingle with empty argument does not query for the max records.`, async () => { + const reader = new CveServiceCveReader(kTestCveServicesUrl, kTestCredSet1); + const fetchRetrySpy = jest.spyOn(reader, '_fetchRetry'); + try { + await reader.cveGetSingle(''); + } catch (err) { } + expect(fetchRetrySpy.mock.calls.filter(e => e[1].method.toString().toLowerCase() == 'get').map(e => e[0])).not.toContain(reader.endpoint.getUrl()); + }); + +}); \ No newline at end of file diff --git a/src/adapters/cveservice/cve/CveServiceCveReader.ts b/src/adapters/cveservice/cve/CveServiceCveReader.ts new file mode 100644 index 0000000..484cf76 --- /dev/null +++ b/src/adapters/cveservice/cve/CveServiceCveReader.ts @@ -0,0 +1,135 @@ +import { CveService } from '../CveService.js'; +import { CveServiceCreds } from '../CveServiceCreds.js'; +import { CveServiceBaseUrl } from '../CveServiceBaseUrl.js'; +import { CveRecord } from '../../../cve/CveRecord.js'; +import { CveId, CveIdError } from '../../../cveId/CveId.js'; +import { CveRecordV5 } from '../../../cve/record/generated/CveRecordV5.js'; + +/** TS object mirroring the return schema from Cve Services GET /api/cve */ +export type CveServiceGETCveRawEndpointReturnSchema = { + totalCount: number, + itemsPerPage: number, + pageCount: number, + currentPage: number; + prevPage: number; + nextPage: number; + cveRecords: CveRecord[] | CveRecordV5[] | any; +}; + +/** TS object mirroring the return schema from Cve Services GET /api/cve/{cve-id}. */ +export type CveServicesGETCveWithIdArgEndpointReturnSchema = CveRecordV5; + +/** TS object mirroring the return schema from Cve Services GET /api/cve or /api/cve/{cve-id} but an error occurred. */ +export type CveServicesGETErrorEndpointReturnSchema = { message: string, error: string; }; + + +/** + * Main class that provides functional READ access to the /cve CVE Services API + * Note that the url of the CVE Services API, username, password, tokens, etc., all need to be + * set in the project's .env file. + * + * @DEV: This class requires that ALL outbound read requests be routed through the protected `getCve` function! + */ +export class CveServiceCveReader extends CveService { + /** Initialize a CVE Service Reader for the /api/cve endpoint using the given host and cred set. + * @param host The host url to use for CVE Services (Example: 'http://localhost:3000', 'https://cveawg.mitre.org') + * @param creds The credential set to use when reading from this endpoint. + */ + constructor(host: string, creds?: CveServiceCreds) { + if (!creds) { + // as we are a read only class, the creds don't need to be required. + creds = new CveServiceCreds(process.env.CVE_API_ORG ?? 'CveServiceCveReader', process.env.CVE_API_USER ?? 'CveServiceCveReader', 'N/A'); + } + const endpoint = new CveServiceBaseUrl(host, '/api/cve'); + super(endpoint, creds); + } + + + /** async method that returns the CVE Record associated with a given CVE id + * @param id the CVE id string to retrieve + * @return a CveRecord representing the record associated with a given CVE id + * @throws an error if the CVE ID is invalid as per CveId::isValidCveId. + * @deprecated use `cveGetSingle` instead. + */ + async getCveUsingId(id: string): Promise { + if (CveId.isValidCveId(id)) { + return await this.cveGetSingle(id); + } + else { + throw new CveIdError(`Invalid CVE ID: ${id}`); + } + } + + + /** + * Wrapper for `/cve/{id}` + * @param id the CVE ID to retrieve + * @returns the resulting CveRecord + * @throws Error if failure to retrieve record for any reason! + */ + async cveGetSingle(id?: string): Promise { + // we don't validate cve id here, we assume it is correct. + // we expect upstream to validate CVE ID. + // we expect if CVE ID DNE in cve services to return as an error message + if (!id) { + throw new Error(`Invalid argument.`); + } + let response = await this.getCve({ id }); + let record = new CveRecord(response); + if (record.cveId != id) { + console.error(`Error while attempting to get content from single cve record!`, response); + throw new Error(`Failed to retrieve CVE ID!`); + } + return record; + } + + /** + * The root function to send a request to the `/cve` endpoint. + * + * Note, this is where the fetch retry comes in to play. + * + * @param id optional ID if we are getting single cve record + * @param queryString query string corresponding to any of the query parameters allowed by the /cve endpoint (e.g., page=5) + * @param failFast true if it should not use retry. + * @returns parsed json of result, or the error if any occurred + */ + protected async getCve(opts: { id?: string, queryString?: string; failFast?: boolean; }): Promise { + let url = this.endpoint.getUrl(); + if (opts.id) { + url += `/${opts.id}`; + } + if (opts.queryString) { + // remove initial ? if present + url += `?${opts.queryString.match(/\??(.*)/)[1]}`; + } + let data = null; + // console.trace(`GET: ${url}`); + + const retryOn = this.generateRetryOnFunc(url, opts?.failFast); + const retryDelay = this.generateRetryDelayFunc(); + + let response; + try { + response = await this._fetchRetry( + url, + { + method: 'GET', + headers: this.creds.getAsHeader(), + retryOn: retryOn, + retryDelay: retryDelay, + }); + } catch (err) { + console.trace(`GET FAILED: ${url}`); + console.error(err); + return err; + } + try { + data = await response?.text(); + data = JSON.parse(data); + } catch (e) { + console.error(`Error parsing fetch data!`, e, data); + return e; + } + return data; + } +} \ No newline at end of file diff --git a/src/adapters/cveservice/healthCheck/CveServiceHealthReader.test.int.ts b/src/adapters/cveservice/healthCheck/CveServiceHealthReader.test.int.ts new file mode 100644 index 0000000..ef22f86 --- /dev/null +++ b/src/adapters/cveservice/healthCheck/CveServiceHealthReader.test.int.ts @@ -0,0 +1,28 @@ +import { CveServiceBaseUrl } from '../CveServiceBaseUrl.js'; +import { CveServiceHealthReader } from './CveServiceHealthReader.js'; + + +describe(`CveServiceHealthReader - int (${process.env.CVE_SERVICES_URL})`, () => { + const kTestCveServicesUrl = process.env.CVE_SERVICES_URL as string; + const CVE_SERVICES_TEST_TIMEOUT = 1000 * 60 * 5; // 5 mins for slow networking or low compute power + + afterEach(() => { jest.restoreAllMocks(); }); + afterAll(() => { jest.restoreAllMocks(); }); + + it(`isHealthy() successfully returns: ${kTestCveServicesUrl}`, async () => { + const reader = new CveServiceHealthReader(kTestCveServicesUrl); + const actual1 = await reader.isHealthy(); + expect(actual1).toBeTruthy(); + }, CVE_SERVICES_TEST_TIMEOUT); + + + it(`fetchRetry works with this reader`, async () => { + const reader = new CveServiceHealthReader(kTestCveServicesUrl); + const fetchRetrySpy = jest.spyOn(reader, '_fetchRetry'); + + const actual1 = await reader.isHealthy(); + expect(fetchRetrySpy).toHaveBeenCalledWith(`${kTestCveServicesUrl}/api/health-check`, expect.any(Object)); + fetchRetrySpy.mockRestore(); + }, CVE_SERVICES_TEST_TIMEOUT); + +}); \ No newline at end of file diff --git a/src/adapters/cveservice/healthCheck/CveServiceHealthReader.test.unit.ts b/src/adapters/cveservice/healthCheck/CveServiceHealthReader.test.unit.ts new file mode 100644 index 0000000..b3e1f31 --- /dev/null +++ b/src/adapters/cveservice/healthCheck/CveServiceHealthReader.test.unit.ts @@ -0,0 +1,67 @@ +import { CveServiceBaseUrl } from '../CveServiceBaseUrl.js'; +import { CveServiceHealthReader } from './CveServiceHealthReader.js'; + + +describe(`CveServiceHealthReader - unit`, () => { + const kTestCveServicesUrl = process.env.TEST_CVE_SERVICES_URL as string; + const CVE_SERVICES_TEST_TIMEOUT = 1000 * 60 * 5; // 5 mins for slow networking or low compute power + + /** + * Mocked fetch responses for the api/health-check calls. + * There was an attempt to make these errors and statuses relatively accurate to real situations seen in the wild. + */ + const mockFetchSuccess = jest.fn(() => Promise.resolve({ status: 200 })) as jest.Mock; + const mockFetchFailure = jest.fn(async () => { + try { + throw { + name: 'ECONNREFUSED', + message: 'connect ECONNREFUSED 127.0.0.1:3000', + stack: 'Error: connect ECONNREFUSED 127.0.0.1:3000 (mocked stack btw)\n at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1555:16)\n at TCPConnectWrap.callbackTrampoline (node:internal/async_hooks:128:17)', + address: '127.0.0.1', + code: 'ECONNREFUSED', + errno: -4078, + port: 3000, + syscall: 'connect', + } as Error; + } catch (err) { + let newErr = new TypeError('fetch failed'); + newErr.stack = `${(newErr.stack ?? '')}\nCaused by: ${err.stack}`; + throw newErr; + } + }) as jest.Mock; + // unit testing, do not actually fetch from server, mock the return values + + afterEach(() => { jest.restoreAllMocks(); }); + afterAll(() => { jest.restoreAllMocks(); }); + + it(`Constructor`, async () => { + expect(() => { new CveServiceHealthReader(kTestCveServicesUrl); }).not.toThrowError(); + }); + + it(`Health check function returns true on success http request`, async () => { + // validate it returns boolean based on different potential return scenarios. + const reader = new CveServiceHealthReader(kTestCveServicesUrl); + const fetchRetrySpy = jest.spyOn(reader, '_fetchRetry'); + fetchRetrySpy.mockImplementationOnce(mockFetchSuccess); + expect(async () => { + const actual = await reader.isHealthy(); + expect(actual).toBeTruthy(); + }).not.toThrowError(); + expect(fetchRetrySpy).toHaveBeenCalledWith(`${kTestCveServicesUrl}/api/health-check`, expect.any(Object)); + + fetchRetrySpy.mockReset(); + }, CVE_SERVICES_TEST_TIMEOUT); + + it(`Health check function returns false on standard http request failure`, async () => { + // validate it returns boolean based on different potential return scenarios. + const reader = new CveServiceHealthReader(kTestCveServicesUrl); + const fetchRetrySpy = jest.spyOn(reader, '_fetchRetry'); + fetchRetrySpy.mockImplementationOnce(mockFetchFailure); + + expect(async () => { + const actual = await reader.isHealthy(false); + expect(actual).toBeFalsy(); + }).not.toThrowError(); + expect(fetchRetrySpy).toHaveBeenCalledWith(`${kTestCveServicesUrl}/api/health-check`, expect.any(Object)); + }, CVE_SERVICES_TEST_TIMEOUT); +}); \ No newline at end of file diff --git a/src/adapters/cveservice/healthCheck/CveServiceHealthReader.ts b/src/adapters/cveservice/healthCheck/CveServiceHealthReader.ts new file mode 100644 index 0000000..c26d144 --- /dev/null +++ b/src/adapters/cveservice/healthCheck/CveServiceHealthReader.ts @@ -0,0 +1,33 @@ +import { CveService } from '../CveService.js'; +import { CveServiceBaseUrl } from '../CveServiceBaseUrl.js'; +import { CveServiceCreds } from '../CveServiceCreds.js'; + +export class CveServiceHealthReader extends CveService { + constructor(host: string, creds?: CveServiceCreds) { + const endpoint = new CveServiceBaseUrl(host, '/api/health-check'); + super(endpoint, creds ?? new CveServiceCreds('N/A', 'N/A', 'N/A')); + } + /** + * @param [logError=true] optional to disable logging errors to console (when logError is false). + * @returns boolean, true if health check returned with status 200, otherwise false. + */ + async isHealthy(logError: boolean = true) { + const url = this.endpoint.getUrl(); + try { + const response = await this._fetchRetry( + url, + { + method: 'GET', + headers: this.creds.getAsHeader(), + retryOn: this.generateRetryOnFunc(url, false), + retryDelay: this.generateRetryDelayFunc() + }); + return response.status == 200; + } catch (e) { + if (logError) { + console.error(e); + } + } + return false; + } +} diff --git a/src/adapters/fs/CveFsReader.test.ts b/src/adapters/fs/CveFsReader.test.ts index e807ee4..b362e55 100644 --- a/src/adapters/fs/CveFsReader.test.ts +++ b/src/adapters/fs/CveFsReader.test.ts @@ -1,6 +1,5 @@ import { CveFsReader } from './CveFsReader.js'; -// test/fixtures/adapters/fs/cves/2024/2xxx/CVE-2024-2000.json describe(`CveFsReader`, () => { @@ -9,7 +8,7 @@ describe(`CveFsReader`, () => { // in default /cves const k0005 = `CVE-1999-0005`; - // in fixtures + // in test/fixtures/adapters/fs/cves/2024/2xxx/CVE-2024-2000.json const k2000 = `CVE-2024-2000`; // non-existent CVE diff --git a/src/adapters/fs/CveFsReader.ts b/src/adapters/fs/CveFsReader.ts index b452f01..b6e8a65 100644 --- a/src/adapters/fs/CveFsReader.ts +++ b/src/adapters/fs/CveFsReader.ts @@ -1,12 +1,12 @@ /** - * reader for CveRecords + * reader for JSON CveRecords. * */ import path from 'path'; -import { CveId } from '../../core/CveId.js'; -import { CveRecord } from '../../core/CveRecord.js'; +import { CveId } from '../../cveId/CveId.js'; +import { CveRecord } from '../../cve/CveRecord.js'; import { FsReader } from './FsReader.js'; export class CveFsReader { @@ -15,7 +15,7 @@ export class CveFsReader { // ----- static functions ----- ----- ----- ----- ----- ----- ----- ----- ----- - /** constructs a CveRecord by reading in the associateed JSON file at relpath + /** constructs a CveRecord by reading in the associated JSON file at relpath * @param relpath relative to file * @returns the hydrated CVE Record, or undefined if it does not exist in relpath */ @@ -43,7 +43,7 @@ export class CveFsReader { } - /** constructs a CveRecord by reading in the associateed JSON file for the CVE ID + /** constructs a CveRecord by reading in the associated JSON file for the CVE ID * optionally reading from a different location than the default /cves * @param cveId the CVE ID to read in * @param cvesPath optional path /cves, default is specified in environment variable diff --git a/src/adapters/fs/DirectoryWalker.test.ts b/src/adapters/fs/DirectoryWalker.test.ts new file mode 100644 index 0000000..df0105e --- /dev/null +++ b/src/adapters/fs/DirectoryWalker.test.ts @@ -0,0 +1,155 @@ +import { DirectoryWalker } from './DirectoryWalker.js'; +import { Dirent } from 'fs'; + +describe(`DirectoryWalker`, () => { + + // constants that may change as database changes + // const kFixtureFilepath1 = `./cves`; + const kFixtureFilepath2 = `./test/fixtures/cvelistdir/cves`; + const kFixtureInvalidFilepath = `./asd > " invalid file/directory chars`; + afterEach(() => { + jest.restoreAllMocks(); + }); + + it(`correctly lists all files and directories in a directory using defaults`, async () => { + const files: string[] = []; + const invisibleFiles: string[] = []; + const dirs: string[] = []; + const invisibleDirs: string[] = []; + let allFiles: Dirent[] = []; + DirectoryWalker.walkDir(kFixtureFilepath2, (file, all) => { + const fullpath = `${file.path}/${file.name}`; + allFiles = all; + if (file.isFile()) { + if (file.name.startsWith('.')) { + invisibleFiles.push(fullpath); + } + else { + files.push(fullpath); + } + } + else { + if (file.name.startsWith('.')) { + invisibleDirs.push(fullpath); + } + else { + dirs.push(fullpath); + } + } + }); + expect(files.length).toBe(27); + expect(dirs.length).toBe(9); + expect(invisibleFiles.length).toBe(0); + expect(invisibleDirs.length).toBe(0); + expect(allFiles.length).toBe(36); + }); + + + it(`correctly lists all files and directories in a directory non-recursively`, async () => { + const files: string[] = []; + const invisibleFiles: string[] = []; + const dirs: string[] = []; + const invisibleDirs: string[] = []; + DirectoryWalker.walkDir(kFixtureFilepath2, (file) => { + const fullpath = `${file.path}/${file.name}`; + if (file.isFile()) { + if (file.name.startsWith('.')) { + invisibleFiles.push(fullpath); + } + else { + files.push(fullpath); + } + } + else { + if (file.name.startsWith('.')) { + invisibleDirs.push(fullpath); + } + else { + dirs.push(fullpath); + } + } + }, { recursive: false }); + expect(files.length).toBe(1); + expect(dirs.length).toBe(4); + expect(invisibleFiles.length).toBe(0); + expect(invisibleDirs.length).toBe(0); + }); + + + it(`correctly lists all files and directories in a directory including invisibles`, async () => { + const files: string[] = []; + const invisibleFiles: string[] = []; + const dirs: string[] = []; + const invisibleDirs: string[] = []; + DirectoryWalker.walkDir(kFixtureFilepath2, (file) => { + const fullpath = `${file.path}/${file.name}`; + if (file.isFile()) { + if (file.name.startsWith('.')) { + invisibleFiles.push(fullpath); + } + else { + files.push(fullpath); + } + } + else { + if (file.name.startsWith('.')) { + invisibleDirs.push(fullpath); + } + else { + dirs.push(fullpath); + } + } + }, { recursive: true, ignoreLinuxInvisible: false }); + expect(files.length).toBe(27); + expect(dirs.length).toBe(9); + expect(invisibleFiles.length).toBeLessThanOrEqual(5); + expect(invisibleDirs.length).toBe(1); + }); + + + it(`correctly lists all files and directories in a directory non-recursively but include invisibles`, async () => { + const files: string[] = []; + const invisibleFiles: string[] = []; + const dirs: string[] = []; + const invisibleDirs: string[] = []; + DirectoryWalker.walkDir(kFixtureFilepath2, (file) => { + const fullpath = `${file.path}/${file.name}`; + if (file.isFile()) { + if (file.name.startsWith('.')) { + invisibleFiles.push(fullpath); + } + else { + files.push(fullpath); + } + } + else { + if (file.name.startsWith('.')) { + invisibleDirs.push(fullpath); + } + else { + dirs.push(fullpath); + } + } + }, { recursive: false, ignoreLinuxInvisible: false }); + expect(files.length).toBe(1); + expect(dirs.length).toBe(4); + expect(invisibleFiles.length).toBeLessThanOrEqual(2); + expect(invisibleDirs.length).toBe(1); + }); + + it(`correctly throws an error when it occurs`, async () => { + const preventConsoleSpam = jest.spyOn(global.console, 'error'); + preventConsoleSpam.mockImplementation(jest.fn()); + const callback = jest.fn(); + expect(() => { + DirectoryWalker.walkDir(kFixtureInvalidFilepath, callback, { recursive: true }); + }).toThrowError(); + + expect(() => { + for (const file of DirectoryWalker.walkDirIter(kFixtureInvalidFilepath, { recursive: true })) { + callback(file); + } + }).toThrowError(); + }) + +}); diff --git a/src/adapters/fs/DirectoryWalker.ts b/src/adapters/fs/DirectoryWalker.ts new file mode 100644 index 0000000..fb1cde2 --- /dev/null +++ b/src/adapters/fs/DirectoryWalker.ts @@ -0,0 +1,89 @@ +import fs from 'fs'; +import { FsReader } from './FsReader.js'; + +/** options for DirectoryWalker.walkDir() + * - `recursive` recursively walks down a full hierarchy, default: true + * - `ignoreLinuxInvisible` ignores Linux/MacOSX invisible files + * - default: true + * - note: DOES NOT work on Windows +*/ +export type DirectoryWalkerOptions = { + recursive?: boolean, + ignoreLinuxInvisible?: boolean; +}; + +/** + * Class for working with a directory of CVE listings + */ +export class DirectoryWalker { + + /** walks a directory hierarchy to perform operations in callback + * Note that one odd behavior right now is that if there is an invisible directory with visible files, + * it will list the visible files even though it will ignore the invisible directory + * Note on Windows: Currently, the ignoreInvisible flag is only for Linux/MacOSX, + * so all Windows files and directories will be included regardless of the ignoreLinuxInvisible setting + * @param path the path to walk + * @param callback function of the WalkDirCallback type to call for each file/dir in a directory + * @param options optional options see {@link DirectoryWalkerOptions WalkDirOptions} + * @example + * const myAcvitiy = (e: Dirent) => { console.log(path.join(dent.path, dent.name)); }; + * DirectoryWalker.walkDir('directory/path', myActivity, {recursive: true})); + */ + static walkDir = ( + path: string, + callback: (file: fs.Dirent, files: fs.Dirent[]) => void, + options: DirectoryWalkerOptions = undefined + ): void => { + try { + const recursive = (options?.recursive) ?? true; + const ignoreInvisible = (options?.ignoreLinuxInvisible) ?? true; + let files = FsReader.readdirSync(path, { + recursive, + withFileTypes: true, + }); + if (ignoreInvisible) { + files = files.filter(item => !(/(^|\/)\.[^/.]/g).test(item.name)); + } + for (const file of files) { + callback(file, files); + } + } catch (err) { + console.error(err); + throw err; + } + }; + + + /** Walks a directory hierarchy to perform operations in the form of yeilds + * Note that one odd behavior right now is that if there is an invisible directory with visible files, + * it will list the visible files even though it will ignore the invisible directory + * Note on Windows: Currently, the ignoreInvisible flag is only for Linux/MacOSX, + * so all Windows files and directories will be included regardless of the ignoreLinuxInvisible setting + * @param path the path to walk + * @param options optional options see {@link DirectoryWalkerOptions WalkDirOptions} + * @yields Dirent for each file/dir in a directory + * @example + * for (const dent of DirectoryWalker.walkDirIter('directory/path', {recursive: true})) { + * console.log(path.join(dent.path, dent.name)); + * } + */ + static * walkDirIter(path: string, options: DirectoryWalkerOptions = undefined): Generator { + try { + const recursive = (options?.recursive) ?? true; + const ignoreInvisible = (options?.ignoreLinuxInvisible) ?? true; + let files = FsReader.readdirSync(path, { + recursive, + withFileTypes: true, + }); + if (ignoreInvisible) { + files = files.filter(item => !(/(^|\/)\.[^/.]/g).test(item.name)); + } + for (const file of files) { + yield file; + } + } catch (err) { + console.error(err); + throw err; + } + }; +} \ No newline at end of file diff --git a/src/adapters/fs/FsReader.test.ts b/src/adapters/fs/FsReader.test.ts index a69f28e..11e125e 100644 --- a/src/adapters/fs/FsReader.test.ts +++ b/src/adapters/fs/FsReader.test.ts @@ -1,6 +1,10 @@ +import path from 'path'; import { FsReader } from './FsReader.js'; const kTestFixtureCve5Dir = 'test/fixtures/cve/5'; +const kTestFixtureCve0001 = './test/fixtures/cve/5/CVE-1970-0001.json'; +const kTestFixtureCve0001u = './test/fixtures/cve/5/CVE-1970-0001u.json'; +const kTestFixtureCve0002 = './test/fixtures/cve/5/CVE-1970-0002.json'; describe(`FsReader`, () => { const kSimpleLoremIpsum = `test/fixtures/adapters/fs/basicLoremIpsum.txt`; @@ -18,7 +22,7 @@ describe(`FsReader`, () => { }); - it(`read() properly reads from a file as a simple string`, async () => { + it(`read() properly reads a simple string from a file`, async () => { const fs = new FsReader(kSimpleLoremIpsum); const str = fs.readAll(); // console.log(`str=${str}`); @@ -26,4 +30,51 @@ describe(`FsReader`, () => { }); + it(`findMatchingGlobbedPaths() correctly gets from globs`, async () => { + // mock console.log to prevent console spam + const consoleSpy = jest.spyOn(global.console, 'log'); + consoleSpy.mockImplementation((args) => { return args; }); + + const globTestDirPath = "test/fixtures/cvelistdir/cves"; + const tests = { + // note this will break if someone ever changes the globTestDirPath files + "CVE-1970-0001": ["CVE-1970-0001"], + "CVE-197*-*": ['CVE-1970-0001'], + "CVE-2003-003?": ["CVE-2003-0030", "CVE-2003-0031",], // test by single digit wildcards + "CVE-2014-1???": ["CVE-2014-1201", "CVE-2014-1490"], // test for false positives (expecting it to not give "CVE-2014-10001" nor "CVE-2014-10401") + "CVE-2014-1*1": ["CVE-2014-1201", "CVE-2014-10001", "CVE-2014-10401"], // test by wacky wildcards + "1970/**/*": ["CVE-1970-0001"], // test by subdirectory + "FAKEDIR/**/CVE-1970-0001": [], // test expecting zero + }; + + for (const [pattern, expectedIds] of Object.entries(tests)) { + const actual = FsReader.findMatchingGlobbedPaths(`${pattern}{.json,}`, globTestDirPath); + const actualIds = actual.map(fp => path.parse(fp).name).sort(); + expect({ pattern: pattern, result: actualIds }).toMatchObject({ pattern: pattern, result: expectedIds.sort() }); + } + }); + + it(`isSameContent() properly compares JSON objects using optional ignore property paths`, async () => { + expect(FsReader.isSameContent( + kTestFixtureCve0001, + kTestFixtureCve0001u) + ).toBeFalsy(); + expect(FsReader.isSameContent( + kTestFixtureCve0001, + kTestFixtureCve0001u, + ["cveMetadata.state", "cveMetadata.datePublished", "cveMetadata.dateUpdated", "cveMetadata.dateReserved"]) + ).toBeTruthy(); + }); + + it(`isSameContent() returns true if 2 files are identical`, async () => { + expect(FsReader.isSameContent(kTestFixtureCve0001, kTestFixtureCve0001)).toBeTruthy(); + }); + + it(`isSameContent() returns false if 2 files are different`, async () => { + expect(FsReader.isSameContent(kTestFixtureCve0001, kTestFixtureCve0002)).toBeFalsy(); + }); + + it(`isSameContent() returns false if a file is missing`, async () => { + expect(FsReader.isSameContent('', kTestFixtureCve0002)).toBeFalsy(); + }); }); diff --git a/src/adapters/fs/FsReader.ts b/src/adapters/fs/FsReader.ts index 50f4f1d..b588f98 100644 --- a/src/adapters/fs/FsReader.ts +++ b/src/adapters/fs/FsReader.ts @@ -4,11 +4,23 @@ import fs from 'fs'; import path from 'path'; +import { Glob } from 'glob'; +import unset from 'lodash.unset'; +/** @deprecated */ export type FsAdapterType = "RO" | "Mutating"; export class FsReader { + // pointers in place of implementations + public static readdirSync = fs.readdirSync; + public static readFileSync = fs.readFileSync; + public static pathJoin = path.join; + public static isFile = (filepath: string) => { try { return fs.lstatSync(filepath).isFile(); } catch { return false; } }; + public static isDirectory = (filepath: string) => { try { return fs.lstatSync(filepath).isDirectory(); } catch { return false; } }; + public static statSync = fs.statSync; + public static dirname = path.dirname; + private _relfilepath: string; public get relFilepath(): string { return this._relfilepath; @@ -71,4 +83,64 @@ export class FsReader { return fs.existsSync(path); } + + /** + * @param pattern glob pattern or cve id to match + * @param localDir the local directory to start from + * @returns list of file paths that match the given glob. + */ + static findMatchingGlobbedPaths(pattern: string, localDir: string, getAbsolute: boolean = true): string[] { + try { + const glob = new Glob(pattern, { + cwd: localDir, // start in the location of the source + absolute: getAbsolute, // true to retrieve as absolute paths for simplicity + dot: true, // true if we wish to allow matching of hidden files + follow: false, // false to not follow symlinks for simplicity + mark: true, // mark directory values by leaving a trailing / + matchBase: true, // true if we wish to allow the pattern to match against the base name instead of the full path + nocase: true, // true to ignore case + nobrace: false, // false to allow for brace expansion (CVE-1999-{0101..0103} will be expanded into 'CVE-1999-0101', 'CVE-1999-0102', and 'CVE-1999-0103') + noext: false, // false to allow for extended glob + posix: true, // step to attempt to normalize resulting paths (windows will return as `//?/DRIVE:/path/to/file`) + realpath: true, // true to prevent passing file paths that don't actually exist + ignore: { + ignored: p => !p.isFile() // ignore non file objects + }, + }); + const matchingFilePaths = glob.walkSync(); + return matchingFilePaths; + } catch (err) { + console.error(`An error occurred while attempting to get glob for ${pattern} in ${localDir}`, err); + return []; + } + } + + + /** returns true iff the content of file at path 1 and the file at path 2 are exactly the same + * @param path1 the relative or fullpath to a file + * @param path2 the relative or fullpath to another file + * @param ignoreJsonProps optional array of json paths to ignore, e.g., ["cveMetadata.datePublished", "cveMetadata.dateUpdated", "cveMetadata.dateReserved"] + */ + static isSameContent(path1: string, path2: string, ignoreJsonProps?: string[]): boolean { + if (!FsReader.exists(path1) || !FsReader.exists(path2)) { + return false; + } + const buf1 = fs.readFileSync(path1); + const buf2 = fs.readFileSync(path2); + if (!ignoreJsonProps) { + return buf1.equals(buf2); + } + else { + let json1 = JSON.parse(buf1.toString()); + let json2 = JSON.parse(buf2.toString()); + ignoreJsonProps.forEach(item => { + unset(json1, item); + unset(json2, item); + }); + // console.log(`json1 : ${JSON.stringify(json1, null, 2)}`); + // console.log(`json2 : ${JSON.stringify(json2, null, 2)}`); + return JSON.stringify(json1) == JSON.stringify(json2); + } + } + } \ No newline at end of file diff --git a/src/adapters/fs/FsWriter.test.ts b/src/adapters/fs/FsWriter.test.ts index c50df24..94bb5a5 100644 --- a/src/adapters/fs/FsWriter.test.ts +++ b/src/adapters/fs/FsWriter.test.ts @@ -1,16 +1,20 @@ import path from 'path'; +import fs from 'fs'; import { FsReader } from './FsReader.js'; import { FsWriter } from './FsWriter.js'; describe(`FsWriter`, () => { const kSimpleLoremIpsum = `test/fixtures/adapters/fs/basicLoremIpsum.txt`; - const kOutputDir = `test/temp`; + const kOutputDir = `test/temp/fs`; const kOutputFilepath = path.join(kOutputDir, `test/temp/FsWriterTest.txt`); const kOutputFilepath2 = path.join(kOutputDir, `FsWriterTest2.txt`); + const kCondenserOutputTestPath = `test/temp/fswriter_condenser.json`; + afterAll(() => { - FsWriter.rm(kOutputFilepath); - FsWriter.rm(kOutputFilepath2); + if (fs.existsSync(kOutputFilepath)) { fs.rmSync(kOutputFilepath); } + if (fs.existsSync(kOutputFilepath2)) { fs.rmSync(kOutputFilepath2); } + if (fs.existsSync(kCondenserOutputTestPath)) { fs.rmSync(kCondenserOutputTestPath); } }); it(`canMutate() properly returns whether this adapter can mutate the file system`, async () => { @@ -42,15 +46,32 @@ describe(`FsWriter`, () => { }); - it.todo(`cp() should properly copy a directory`); + it(`cp() should properly copy a directory`, async () => { + const toDir = path.join(kOutputDir, 'testCpCopyDir'); + const fromDir = `test/pretend_github_repository`; + // If you fail here, manually remove the directory and rerun the test! + // have the check equate to the directory path so that we print the expected directory name that should not exist + if (FsReader.exists(toDir)) { + FsWriter.rmdirSync(toDir); + } + const nFilesToCopy = FsReader.readdirSync(fromDir).length; + expect(nFilesToCopy).toBeGreaterThan(0); // should not be empty + FsWriter.cp(fromDir, toDir); + expect(FsWriter.exists(toDir)).toBeTruthy(); + const nFilesCopied = FsReader.readdirSync(toDir).length; + expect(nFilesCopied).toBe(nFilesToCopy); + fs.rmdirSync(toDir, { recursive: true }); + }); + it.todo(`need more tests for working with a fsAdapter that is a directory instead of a file since it was designed to be used with a file`); it(`cp() properly copies a file`, async () => { - const str = 'Lorem ipsum'; - const fs = new FsWriter(kOutputDir); - fs.cp(kSimpleLoremIpsum, kOutputFilepath2); - expect(FsWriter.exists(kOutputFilepath2)).toBeTruthy(); - FsWriter.rm(kOutputFilepath2); + // If you fail here, manually remove the file and rerun the test! + expect(FsReader.exists(kOutputFilepath2)).toBeFalsy(); + expect(FsReader.exists(kSimpleLoremIpsum)).toBeTruthy(); + FsWriter.cp(kSimpleLoremIpsum, kOutputFilepath2); + expect(FsReader.exists(kOutputFilepath2)).toBeTruthy(); + fs.rmSync(kOutputFilepath2); }); @@ -63,5 +84,29 @@ describe(`FsWriter`, () => { expect(fs.exists()).toBeFalsy(); }); - + it(`condenseJsonDataFile condenses file without losing data`, async () => { + let data = { + "test": [ + { "f1": 1, "f2": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." }, + { "f1": 203933, "f2": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." } + ], + "hello": "world" + }; + let largestBlob = JSON.stringify(data, null, 10); + let maxCondenseLevel = 3; + const out1 = new FsWriter(kCondenserOutputTestPath); + out1.writeString(largestBlob); + let largestFileSize = FsReader.statSync(kCondenserOutputTestPath).size; + let prevSize = largestFileSize; + let cl = 0; + while (cl <= maxCondenseLevel) { + let currSize = FsWriter.condenseJsonDataFile(cl, kCondenserOutputTestPath); + let newData = JSON.parse(new FsReader(kCondenserOutputTestPath).readAll()); + expect(newData).toMatchObject(data); + // expect the resulting data to be of less than or equal size to the previous condense level + expect(currSize).toBeLessThanOrEqual(prevSize); + prevSize = currSize; + ++cl; + } + }); }); diff --git a/src/adapters/fs/FsWriter.ts b/src/adapters/fs/FsWriter.ts index 207f1f8..a5560cd 100644 --- a/src/adapters/fs/FsWriter.ts +++ b/src/adapters/fs/FsWriter.ts @@ -8,10 +8,12 @@ import path from 'path'; import { FsReader, FsAdapterType } from './FsReader.js'; // so any file importing only this file would also get FsAdapterType from FsReader -export { FsAdapterType }; +// export { FsAdapterType }; export class FsWriter { - + public static copyFileSync = fs.copyFileSync; + public static mkdirSync = fs.mkdirSync; + public static rmdirSync = fs.rmdirSync; private _relfilepath: string; public get relFilepath(): string { @@ -36,13 +38,13 @@ export class FsWriter { return true; } - /** synchronousllly writes a string to an output file, overwriting it + /** synchronously writes a string to an output file, overwriting it * @param data the data preformatted as a string (this means any formatting must be done before the call) */ writeString(data: string): FsWriter { const dirname = path.dirname(this.relFilepath); fs.mkdirSync(dirname, { recursive: true }); - fs.writeFileSync(this.relFilepath, data); + fs.writeFileSync(this.relFilepath, data, { encoding: 'utf-8' }); console.log(`data written to ${this.relFilepath}`); return this; } @@ -57,15 +59,19 @@ export class FsWriter { } - /** synchronousllly copies a file or directory to a destination + /** synchronously copies a file or directory to a destination * @param srcPath the path where the source file or directory is * @param destPath the path to copy srcPath to */ - cp(srcPath: string, destPath: string/*=null*/) { - // destPath = destPath ?? this.relFilepath - // const dirname = path.dirname(this.relFilepath); - fs.cpSync(srcPath, destPath); - console.log(`copied ${srcPath} to ${this.relFilepath}`); + static cp(srcPath: string, destPath: string/*=null*/) { + if (FsReader.exists(srcPath)) { + if (FsReader.isFile(srcPath)) { + // note this will throw an error if the destPath already exists + FsWriter.copyFileSync(srcPath, destPath); + } else if (FsReader.isDirectory(srcPath)) { + fs.cpSync(srcPath, destPath, { recursive: true }); + } + } } /** @@ -103,4 +109,50 @@ export class FsWriter { } } + + + /** + * Condense json data file. + * NOTE: Will overwrite the given file! + * condenseLevels: + * 0: pretty indent with 2 space + * 1: pretty indent with 1 space + * 2: strip leading whitespace from pretty file + * 3: minified / no whitespace + * + * @param condenseLevel level to condense to. + * @param filePath file with json data to be changed. + * @returns the new file size in bytes. + * @throws Error if invalid condenseLevel or invalid filePath argument. + */ + static condenseJsonDataFile(condenseLevel: number, filePath: string): number { + let condenserLevels = [ + { + tag: 'pretty indent with 2 space', + func: (data) => { return JSON.stringify(data, null, 2); }, + }, + { + tag: 'pretty indent with 1 space', + func: (data) => { return JSON.stringify(data, null, 1); }, + }, + { + tag: 'no whitespace indent', + func: (data) => { return JSON.stringify(data, null, 1).replaceAll(/^\s+/gm, ''); }, + }, + { + tag: 'minified', + func: (data) => { return JSON.stringify(data, null, 0); }, + } + ]; + if (condenseLevel > condenserLevels.length) { + throw new Error(`Invalid condense level: ${condenseLevel}, must be between 0 and ${condenserLevels.length}`); + } + if (!FsReader.exists(filePath)) { + throw new Error(`File not found!`); + } + let data = JSON.parse(fs.readFileSync(filePath, { encoding: 'utf8' }).toString()); + let dataToWrite = condenserLevels[condenseLevel].func(data); + fs.writeFileSync(filePath, dataToWrite); + return fs.statSync(filePath).size; + } } \ No newline at end of file diff --git a/src/adapters/search/SearchAdapter.test.unit.ts b/src/adapters/search/SearchAdapter.test.unit.ts new file mode 100644 index 0000000..28b923b --- /dev/null +++ b/src/adapters/search/SearchAdapter.test.unit.ts @@ -0,0 +1,19 @@ +import { AppConfig } from '../config/AppConfig.js'; +import { SearchProviderSpec } from './SearchAdapter.js'; + +const fixtureCve1970_0001_cveid = 'CVE-1970-0001'; + +describe(`SearchAdapter`, () => { + + const searchProviderSpec = SearchProviderSpec.getDefaultSearchProviderSpec() + const _testPipeline = `cve_ingest_pipeline`; + + it(`minimum relevant ENV vars are set`, async () => { + expect(AppConfig.get('search')).toBeDefined() + expect(AppConfig.get('search.minServer').length).toBeGreaterThanOrEqual(1) + expect(AppConfig.get('search.providerEndpoint')).toBeDefined() + expect(AppConfig.get('search.index')).toBeDefined() + expect(AppConfig.get('test.searchTest.fixtures')).toBeDefined() + }) + +}); diff --git a/src/adapters/search/SearchAdapter.ts b/src/adapters/search/SearchAdapter.ts index 54cf51f..85ddfab 100644 --- a/src/adapters/search/SearchAdapter.ts +++ b/src/adapters/search/SearchAdapter.ts @@ -1,5 +1,43 @@ -import * as dotenv from 'dotenv'; -dotenv.config(); +import { AppConfig } from '../config/AppConfig.js'; + + +/** search provider specs + * - specified in package.json's cveCore.search + * and can be overridden using environment variables + * + */ +export class SearchProviderSpec { + // cacheEndpoint: string + providerEndpoint: string; + index: string; + allowUnknownSslCerts: boolean + + /** pretty output of spec */ + toJSON() { + return `${this.providerEndpoint}/${this.index}`; + } + + // ----- static functions ----- ----- ----- ----- ----- + + /** lazily initialized static default SearchProviderSpec + */ + private static _sDefaultSearchProviderSpec = undefined; + + /** returns the default SearchProviderSpec or throws an error if no specifications were set */ + static getDefaultSearchProviderSpec(): SearchProviderSpec { + if (!SearchProviderSpec._sDefaultSearchProviderSpec) { + const spec = new SearchProviderSpec(); + spec.providerEndpoint = AppConfig.get('search.providerEndpoint'); + spec.index = AppConfig.get('search.index'); + spec.allowUnknownSslCerts = !!AppConfig.get('search.allowUnknownSslCerts') + if (!spec.providerEndpoint || !spec.index) { + throw new Error(`No search provider is specified, expecting an OpenSearch or ElasticSearch specification but none were specified.`); + } + SearchProviderSpec._sDefaultSearchProviderSpec = spec; + } + return SearchProviderSpec._sDefaultSearchProviderSpec; + } +} export type SearchEngineInfo = { diff --git a/src/adapters/search/SearchReader.test.int.ts b/src/adapters/search/SearchReader.test.int.ts index 3a4bd35..5b0bff5 100644 --- a/src/adapters/search/SearchReader.test.int.ts +++ b/src/adapters/search/SearchReader.test.int.ts @@ -1,42 +1,45 @@ import { SearchReader } from './SearchReader.js'; +import { SearchProviderSpec } from '../../adapters/search/SearchAdapter.js'; const fixtureCve1970_0001_cveid = 'CVE-1970-0001'; describe(`SearchReader`, () => { - const _testIndex = "e2e-cve-test-index-01"; - const _domain = "https://admin:admin@localhost:9200"; + // because e2e testing is very specific to a dataset, we need to make sure we use the same opensearch dataset in cve-fixtures + // as was designed for this test. + const searchProviderSpec = SearchProviderSpec.getDefaultSearchProviderSpec() const _testPipeline = `cve_ingest_pipeline` - it.skip(`info correctly returns information about the OpenSearch instance`, async () => { - const searchAdapter = new SearchReader(_domain, _testIndex); - const info = await searchAdapter.info(); + + it(`info() correctly returns information about the OpenSearch instance`, async () => { + const searchReader = new SearchReader(searchProviderSpec.providerEndpoint, searchProviderSpec.index); + const info = await searchReader.info(); // console.log(`info: ${JSON.stringify(info, null, 2)}`) expect(info.version.distribution).toBe('opensearch'); }); - it.skip(`info() correctly throws exception information with bad URL`, async () => { - const searchAdapter = new SearchReader("https://admin:admin@localhost:9201", "abcd"); + it(`info() correctly throws exception information with bad URL`, async () => { + console.log(`next error is expected`) + const searchReader = new SearchReader("https://admin:admin@localhost:9201", "abcd"); expect(async () => { - await searchAdapter.info(); + await searchReader.info(); }).rejects.toThrow(/**@todo 'Connection Error'*/); }); - it.skip(`get() correctly gets data from an endpoint`, async () => { - const searchAdapter = new SearchReader(_domain, _testIndex, { ignore_ssl_cert_check_errors: true }); - const resp = await searchAdapter.get(); + it(`get() correctly gets data from an endpoint`, async () => { + const searchReader = new SearchReader(searchProviderSpec.providerEndpoint, searchProviderSpec.index, { ignore_ssl_cert_check_errors: true }); + const resp = await searchReader.get(); const data = resp.data; // console.log(`data=${JSON.stringify(data, null, 2)}`); - expect(data[_testIndex].mappings).toBeDefined(); - expect(data[_testIndex].settings.index.default_pipeline).toBe(_testPipeline); + expect(data[searchProviderSpec.index].mappings).toBeDefined(); }); - it.skip(`get() correctly checks SSL certs by default`, async () => { - const searchAdapter = new SearchReader(_domain, _testIndex); + it(`get() correctly checks SSL certs by default`, async () => { + const searchReader = new SearchReader(searchProviderSpec.providerEndpoint, searchProviderSpec.index) let resp; try { - resp = await searchAdapter.get(); + resp = await searchReader.get(); } catch (err) { // console.log(`error: ${JSON.stringify(err, null, 2)}`); diff --git a/src/adapters/search/SearchReader.test.unit.ts b/src/adapters/search/SearchReader.test.unit.ts index e0c7f01..50ca710 100644 --- a/src/adapters/search/SearchReader.test.unit.ts +++ b/src/adapters/search/SearchReader.test.unit.ts @@ -1,4 +1,7 @@ +import { SearchProviderSpec } from '../../adapters/search/SearchAdapter.js'; +import { AppConfig } from '../config/AppConfig.js'; import { SearchReader } from './SearchReader.js'; + import * as dotenv from 'dotenv'; dotenv.config(); @@ -6,25 +9,19 @@ const fixtureCve1970_0001_cveid = 'CVE-1970-0001'; describe(`SearchReader`, () => { - const _testIndex = "test-index-for-jest-testing-1"; - const _domain = "https://admin:admin@localhost:9200"; - const _testPipeline = `jest_test_ingest_pipeline` - - it(`minimum relatvant ENV vars are set`, async () => { - expect(process.env.OpenSearchCveIndex).not.toBeUndefined(); - expect(process.env.OpenSearchDomainEndpoint).not.toBeUndefined(); - }) + const searchProviderSpec = SearchProviderSpec.getDefaultSearchProviderSpec() + const _testPipeline = `cve_ingest_pipeline`; it(`constructor correctly sets up the default index name`, async () => { - const searchAdapter = new SearchReader(); - expect(searchAdapter._openSearchDomainEndpoint).toBe(process.env.OpenSearchDomainEndpoint); - expect(searchAdapter._cveIndex).toBe(process.env.OpenSearchCveIndex); + const searchReader = new SearchReader(); + expect(searchReader._openSearchDomainEndpoint).toBe(SearchProviderSpec.getDefaultSearchProviderSpec().providerEndpoint); + expect(searchReader._cveIndex).toBe(SearchProviderSpec.getDefaultSearchProviderSpec().index); }); it(`constructor correctly sets up the index name when specified`, async () => { - const searchAdapter = new SearchReader(_domain, _testIndex); - expect(searchAdapter._openSearchDomainEndpoint).toBe(_domain); - expect(searchAdapter._cveIndex).toBe(_testIndex); + const searchReader = new SearchReader(searchProviderSpec.providerEndpoint, searchProviderSpec.index); + expect(searchReader._openSearchDomainEndpoint).toBe(AppConfig.get('search.providerEndpoint')); + expect(searchReader._cveIndex).toBe(AppConfig.get('search.index')); }); }); diff --git a/src/adapters/search/SearchReader.ts b/src/adapters/search/SearchReader.ts index b156555..1feba93 100644 --- a/src/adapters/search/SearchReader.ts +++ b/src/adapters/search/SearchReader.ts @@ -7,7 +7,8 @@ dotenv.config(); import { ApiResponse, Client } from '@opensearch-project/opensearch'; import { ResponseError } from '@opensearch-project/opensearch/lib/errors.js'; -import { SearchAdapterOptions, SearchEngineInfo } from './SearchAdapter.js' +import { SearchAdapterOptions, SearchEngineInfo, SearchProviderSpec } from './SearchAdapter.js'; +import { AppConfig } from '../config/AppConfig.js'; /** Reader purpose adapter for OpenSearch @@ -18,10 +19,10 @@ import { SearchAdapterOptions, SearchEngineInfo } from './SearchAdapter.js' */ export class SearchReader { - /** the domain/endpoint for this adapter */ + /** the search domain/endpoint this adapter wraps */ _openSearchDomainEndpoint: string; - /** the index (catalog) for this adapter */ + /** the index (catalog) this adapter wraps */ _cveIndex: string; /** options for SearchAdapter */ @@ -34,19 +35,20 @@ export class SearchReader { _httpsAgent: https.Agent = null /** constructor that returns a SearchAdapter object for a specific openSearch index - * @param cveIndex optional openSearch index name (defaults to environment variable `OpenSearchCveIndex`) + * @param searchEndpoint optional openSearch endpoint (defaults to AppConfig.get(search.providerEndpoint)) + * @param cveIndex optional openSearch index name (defaults to AppConfig.get(search.index)) */ - constructor(searchNode?: string, cveIndex?: string, options?: SearchAdapterOptions) { + constructor(searchEndpoint?: string, cveIndex?: string, options?: SearchAdapterOptions) { // setup options if (options) { this._options = options } if (!options?.ignore_ssl_cert_check_errors) { - this._options.ignore_ssl_cert_check_errors = process.env.OpenSearchAllowUnknownSslCerts === 'true'; + this._options.ignore_ssl_cert_check_errors = SearchProviderSpec.getDefaultSearchProviderSpec().allowUnknownSslCerts; } - this._openSearchDomainEndpoint = searchNode ?? process.env.OpenSearchDomainEndpoint; - this._cveIndex = cveIndex ?? process.env.OpenSearchCveIndex; + this._openSearchDomainEndpoint = searchEndpoint ?? AppConfig.get('search.providerEndpoint'); + this._cveIndex = cveIndex ?? AppConfig.get('search.index') this._client = new Client({ node: this._openSearchDomainEndpoint, //this._protocol + '://' + this._auth + '@' + this._host + ':' + this._port, @@ -75,27 +77,43 @@ export class SearchReader { async info(): Promise { try { const result = await this._client.info(); - // console.log(result.body); - return result.body as SearchEngineInfo; + console.log(result.body); + const info: SearchEngineInfo = { + name: result.body.name, + cluster_name: result.body.cluster_name, + cluster_uuid: result.body.cluster_uuid, + version: { + distribution: result.body.version.distribution ?? "unknown", + number: result.body.version.number, + build_type: result.body.version.build_type, + build_hash: result.body.version.build_hash, + build_date: result.body.version.build_date, + build_snapshot: result.body.version.build_snapshot, + lucene_version: result.body.version.lucene_version, + minimum_wire_compatibility_version: result.body.version.minimum_wire_compatibility_version, + minimum_index_compatibility_version: result.body.version.minimum_index_compatibility_version + }, + tagline: result.body.tagline + }; + return info } catch (err) { - console.log(`An error occurred in SearchAdapter.info(): ${err.message}`); + console.log(`An error occurred in SearchReader.info(): ${err.message}`); throw err; } } - /** using axios, GET from a rest endpoint + /** using axios, GET from a REST endpoint * useful for inspecting properties + * @param resource the optional resource for the REST endpoint * @todo this probably should be in a RestAdapter class * @deprecated use @opensearch-project/opensearch's client utilities where possible */ - async get( - endpoint: string = undefined - ) { - if (!endpoint) { - endpoint = ''; + async get(resource: string = undefined) { + if (!resource) { + resource = ''; } - const url = `${this._openSearchDomainEndpoint}/${this._cveIndex}/${endpoint}`; + const url = `${this._openSearchDomainEndpoint}/${this._cveIndex}/${resource}`; // const agent = new https.Agent({ // rejectUnauthorized: false // }); @@ -108,7 +126,7 @@ export class SearchReader { // return response.data; // } // else { - // console.log("error in SearchAdapter.put()"); + // console.log("error in SearchReader.put()"); // // throw new SearchManagerException(`Unable to get CVE delta log: ${response.status}`); // }; } @@ -119,21 +137,23 @@ export class SearchReader { console.log(`Error details: ${JSON.stringify(err, null, 2)}`); break; default: - console.log(`An error occurred in SearchAdapter.get(): ${err}`); + console.log(`An error occurred in SearchReader.get(): ${err}`); break; } throw err; } } + + /** performs a search using the javascript client */ async search(body /*@todo*/) { - let response = await this._client + const response = await this._client .search({ index: this._cveIndex, body }) .catch(err => { - console.error(`An error occurred in SearchAdapter.search(): ${JSON.stringify(err)}`); + console.error(`An error occurred in SearchReader.search(): ${JSON.stringify(err, null, 2)}`); }); // console.log(` response=${JSON.stringify(response, null, 2)}`) return response; diff --git a/src/adapters/zip/Zip.test.e2e.ts b/src/adapters/zip/Zip.test.e2e.ts new file mode 100644 index 0000000..c376eb1 --- /dev/null +++ b/src/adapters/zip/Zip.test.e2e.ts @@ -0,0 +1,32 @@ +import { FsReader } from '../fs/FsReader.js'; +import { FsWriter } from '../fs/FsWriter.js'; +import { Zip } from './Zip.js'; + +const testDir = `test/tests/filesystem`; +const testZip = `${testDir}/test.zip`; +const kTestFixtureCve0001 = './test/fixtures/cve/5/CVE-1970-0001.json'; + +describe(`Zip`, () => { + + afterAll(() => { + if (FsReader.exists(testZip)) { + FsWriter.rm(testZip); + } + }); + + it(`generateZipfile() zips a single text file to default virtual zip dir`, async () => { + const filespath = [kTestFixtureCve0001]; + Zip.generateZipfile(filespath, testZip); + expect(FsReader.exists(testZip)).toBeTruthy(); + FsWriter.rm(testZip); + }); + + + it(`generateZipfile() zips a single text file to a specified virtual zip dir`, async () => { + const filespath = [kTestFixtureCve0001]; + Zip.generateZipfile(filespath, testZip, 'deltaCves'); + expect(FsReader.exists(testZip)).toBeTruthy(); + // @todo currently only testing manually to see that when unzipped, the resulting directory is called deltaCves + FsWriter.rm(testZip); + }); +}); \ No newline at end of file diff --git a/src/adapters/zip/Zip.ts b/src/adapters/zip/Zip.ts new file mode 100644 index 0000000..cfbb361 --- /dev/null +++ b/src/adapters/zip/Zip.ts @@ -0,0 +1,37 @@ +import AdmZip from 'adm-zip'; +import { FsReader } from '../fs/FsReader.js'; +import { FsWriter } from '../fs/FsWriter.js'; + +export class Zip { + /** + * Synchronously generate a zip file from an array of files (no directories) + * @param filepaths array of filenames to be zipped + * @param resultFilepath filepath for resulting zip file + * @param zipVirtualDir dir name in zip, defaults to `files` + * (for example, if you want to add all the files + * into a zip folder called abc, + * you would pass 'abc' here) + * @param dir path to directory where files are located + */ + static generateZipfile( + filepaths: string | string[], + resultFilepath: string, + zipVirtualDir = `files`, + dir = '' + ): void { + console.log(`generating zip file from ${filepaths} to ${resultFilepath}`); + // if path to resultFilepath does not exist, recursively make them + const dirname = FsReader.dirname(resultFilepath); + FsWriter.mkdirSync(dirname, { recursive: true }); + const zip = new AdmZip(); + if (!Array.isArray(filepaths)) { + filepaths = [filepaths]; + } + filepaths.forEach(filepath => { + const path = (dir.length > 0) ? `${dir}/${filepath}` : filepath; + zip.addLocalFile(path, zipVirtualDir); + }); + zip.writeZip(resultFilepath); + // console.log(`zip file generated at ${resultFilepath}`); + } +} \ No newline at end of file diff --git a/src/commands/DateCommand.ts b/src/commands/DateCommand.ts index ce36d96..4156515 100644 --- a/src/commands/DateCommand.ts +++ b/src/commands/DateCommand.ts @@ -1,7 +1,7 @@ import { Command } from 'commander'; import { GenericCommand } from './GenericCommand.js'; -import { CveDate } from '../core/CveDate.js'; +import { CveDate } from '../date/CveDate.js'; /** Command to print out current date in various formats */ export class DateCommand extends GenericCommand { diff --git a/src/commands/DeltaCommand.ts b/src/commands/DeltaCommand.ts index 0e8af17..3bacee8 100644 --- a/src/commands/DeltaCommand.ts +++ b/src/commands/DeltaCommand.ts @@ -3,7 +3,7 @@ import format from 'date-fns/format'; import endOfYesterday from 'date-fns/endOfYesterday'; import startOfYesterday from 'date-fns/startOfYesterday'; -import { CveDate } from '../core/CveDate.js'; +import { CveDate } from '../date/CveDate.js'; import { Delta } from '../core/Delta.js'; import { GenericCommand } from './GenericCommand.js'; import { Git } from '../core/git.js'; diff --git a/src/commands/GenericCommand.test.ts b/src/commands/GenericCommand.test.ts index 5f25675..9563b29 100644 --- a/src/commands/GenericCommand.test.ts +++ b/src/commands/GenericCommand.test.ts @@ -16,7 +16,7 @@ describe(`GenericCommand`, () => { const cmd = new SimpleTestCommand(program); expect(cmd._name).toMatch('test'); expect(cmd._program).toBe(program); - // time based issues cant garuntee deterministic runs, + // time based issues cant guarantee deterministic runs, // for now check in a more deterministic way. const before = Date.now(); const during = cmd.timerReset(); diff --git a/src/commands/GenericCommand.ts b/src/commands/GenericCommand.ts index a3206ea..e40efed 100644 --- a/src/commands/GenericCommand.ts +++ b/src/commands/GenericCommand.ts @@ -1,5 +1,5 @@ import { Command } from 'commander'; -import { CveDate } from '../core/CveDate.js'; +import { CveDate } from '../date/CveDate.js'; // read in package.json import * as packageJsonImport from '../../package.json'; diff --git a/src/commands/UpdateCommand.test.ts b/src/commands/UpdateCommand.test.ts deleted file mode 100644 index a0b8958..0000000 --- a/src/commands/UpdateCommand.test.ts +++ /dev/null @@ -1,46 +0,0 @@ -import { sub } from 'date-fns'; - -import { CveDate } from '../core/CveDate.js'; -import { UpdateCommand } from './UpdateCommand.js'; - -describe(`UpdateCommand`, () => { - - it(`properly determines start window when only minutesAgo is specified`, async () => { - const options = { - minutesAgo: '55', - stop: '2023-02-16T17:55:00.376Z', - }; - const minutesAgo = parseInt(options[`minutesAgo`]); - const now = CveDate.toISOString(); - const newOptions = UpdateCommand.determineQueryTimeOptions(options, now); - expect(newOptions.start).toEqual(sub(new Date(now), { minutes: minutesAgo }).toISOString()); - }); - - - it(`properly ignores minutesAgo when start is specified`, async () => { - const start = '2023-02-16T10:55:00.376Z'; - const options = { - // minutesAgo: '122', - start, - stop: '2023-02-16T17:55:00.376Z', - }; - const now = CveDate.toISOString(); - const newOptions = UpdateCommand.determineQueryTimeOptions(options, now); - expect(newOptions.start).toEqual(start); - }); - - - - it(`properly ignores minutesAgo when startand minutesAgo are specified`, async () => { - const start = '2023-02-16T10:55:00.376Z'; - const options = { - minutesAgo: '240', - start, - stop: '2023-02-16T17:55:00.376Z', - }; - const now = CveDate.toISOString(); - const newOptions = UpdateCommand.determineQueryTimeOptions(options, now); - expect(newOptions.start).toEqual(start); - }); - -}); diff --git a/src/commands/UpdateCommand.ts b/src/commands/UpdateCommand.ts deleted file mode 100644 index bc0ef6c..0000000 --- a/src/commands/UpdateCommand.ts +++ /dev/null @@ -1,141 +0,0 @@ -import sub from 'date-fns/sub'; // date and time subtraction -import { Command } from 'commander'; - -import { ActivityLog } from '../core/ActivityLog.js'; -import { CveDate } from '../core/CveDate.js'; -import { CveService } from '../net/CveService.js'; -import { CveUpdater } from '../net/CveUpdater.js'; -import { Delta } from '../core/Delta.js'; -import { GenericCommand } from './GenericCommand.js'; -import { Git } from '../core/git.js'; -import { DeltaLog } from '../core/DeltaLog.js'; -import { DeltaFs } from '../core/DeltaFs.js'; -import fs from 'fs'; -/** Command to update local repository using CVE REST API */ -export class UpdateCommand extends GenericCommand { - - /** default number of minutes to look back when a start date is not specified */ - static defaultMins = parseInt(process.env.CVES_DEFAULT_UPDATE_LOOKBACK_IN_MINS || "180"); - - /** Max file size is used to prevent git commit errors. Currently restricted to 100MB. **/ - static readonly MAX_FILE_SIZE = (parseInt(process.env.GIT_MAX_FILESIZE_MB) ?? 100) * 1024 * 1024; - - constructor(program: Command) { - const name = 'update'; - super(name, program); - const now = new Date(); - this._program - .command(name) - .description('update CVEs using CVE Services') - // .option('--logfile ', 'activies log filename', `${process.env.CVES_RECENT_ACTIVITIES_FILENAME}`) - .option( - '--minutes-ago ', - `start window at of minutes ago (default behavior is past ${UpdateCommand.defaultMins} mins)`, - `${UpdateCommand.defaultMins}`, - ) - .option( - '--start ', - `specific start window, overrides any specifications from --minutes-ago`, - ) - .option( - '--stop ', - 'stop window, defaults to now', - now.toISOString(), - ) - .action(this.run); - this.timerReset(); - } - - /** determines the time options (start, stop, minutesAgo) behavior */ - static determineQueryTimeOptions(options, now: string) { - const newOptions = { ...options }; - const minutesAgo = parseInt(newOptions[`minutesAgo`]); - if (options.start) { - console.log(`ignoring minutes-ago (${newOptions.minutesAgo}), starting window is set to ${newOptions.start}`); - } - else { - newOptions.start = sub(new Date(now), { minutes: minutesAgo }).toISOString(); - console.log(`starting window calculated from default --minutes-ago (${minutesAgo}): ${newOptions.start}`); - } - return newOptions; - } - - /** runs the command using user set or default/calculated options */ - async run(options) { - super.prerun(options); - super.timerReset(); - - const cveService = new CveService(); - const updater = new CveUpdater(`update command`, { - path: options.output, - filename: options.logfile, - logAlways: options.logAlways, - logKeepPrevious: true - }); - - // determine setup window from params - const newOptions = UpdateCommand.determineQueryTimeOptions(options, CveDate.toISOString()); - const activityLog = new ActivityLog({ - path: options.output, - filename: options.logfile, - logAlways: options.logAlways, - logKeepPrevious: true - }); - - // update by window - const args = process.argv; - // const countResp = await cveService.cve({ queryString: `count_only=1` }); - const countResp = await cveService.cve({ queryString: `count_only=1&time_modified.gt=${newOptions.start}&time_modified.lt=${newOptions.stop}` }); - console.log(`count=${countResp.totalCount}`); - if (countResp.totalCount > 0) { - const activity = await updater.getCvesInWindow(newOptions.start, newOptions.stop); - console.log(`activity=`, JSON.stringify(activity, null, 2)); - - // log deltas and commit to git, if there are changes - if (activity?.delta?.numberOfChanges > 0) { - - // write delta - let currentDelta = new DeltaFs(activity.delta); - currentDelta.hydrate() - currentDelta.fetchTime = activity.startTime; - // currentDelta.durationInMsecs = parseInt(activity.duration.split(' ')[0]); - currentDelta.writeFile(); - - // copy CVEs to delta directory - currentDelta.writeCves(); - - // write deltaLog - const deltaLog = DeltaLog.fromLogFile(); - // console.log(`deltaLog.length=${deltaLog.length}`) - deltaLog.prepend(currentDelta); - // console.log(`deltaLog.length=${deltaLog.length}`) - deltaLog.writeFile(); - - // validate no file size issues - // for practical reasons we only validate the DeltaLog file for now. - // 100MB default, if no git env variable or zero it will not condense at all. - if (UpdateCommand.MAX_FILE_SIZE) { - DeltaLog.fitDeltaLogToFileSize(DeltaLog.kDeltaLogFile, UpdateCommand.MAX_FILE_SIZE); - } - - - // git add/commit - const localDir = `${process.cwd()}/${process.env.CVES_BASE_DIRECTORY}`; - const git = new Git({ localDir: `${process.cwd()}` }); - let ret;//: Response - ret = await git.add(`${localDir}`); - console.log(`git add repository files completed`); - ret = await git.commit(`${activity.delta.toText()}`); - console.log(`git commit returned ${JSON.stringify(ret, null, 2)}`); - } - else { - console.log(`no new or updated CVEs`); - } - } - else { - console.log(`no new or updated CVEs`); - } - console.log(`operation completed in ${super.timerSinceStart() / 1000} seconds at ${CveDate.toISOString()}`); - super.postrun(newOptions); - } -} \ No newline at end of file diff --git a/src/common/Json/Json.test.ts b/src/common/Json/Json.test.ts index 4a6229e..2a08f1d 100644 --- a/src/common/Json/Json.test.ts +++ b/src/common/Json/Json.test.ts @@ -29,21 +29,18 @@ describe(`Json`, () => { // console.log(str); expect(str).toBe('{"1":1,"10":10,"101":101,"1000":1000,"a":[{"11":11,"100":100,"e":{"0":0,"A":4}}]}'); }); - it(`normalizingReplacer does not break on arbitrary numbers`, () => { const json = 1; const str = JSON.stringify(json, Json.normalizingReplacer); // console.log(str); expect(str).toBe('1'); }); - it(`normalizingReplacer does not break on arbitrary strings`, () => { const json = "hello world {}"; const str = JSON.stringify(json, Json.normalizingReplacer); // console.log(str); expect(str).toBe('"hello world {}"'); }); - it(`normalizingReplacer does not break on date objects`, () => { const dts = '1970-01-02T03:04:05.678Z'; const dt = new Date(dts); @@ -52,7 +49,6 @@ describe(`Json`, () => { // console.log(str); expect(str).toBe(`{"myKey":"${dts}"}`); }); - it(`normalizingReplacer does not break on ISOString objects`, () => { const dts = '1970-01-02T03:04:05.678Z'; const dt = new IsoDateString(dts); @@ -62,4 +58,6 @@ describe(`Json`, () => { expect(str).toBe(`{"myKey":"${dts}"}`); }); + + }); diff --git a/src/core/CveComparer.test.ts b/src/common/comparer/CveComparer.test.ts similarity index 85% rename from src/core/CveComparer.test.ts rename to src/common/comparer/CveComparer.test.ts index fd419c5..cab9ab4 100644 --- a/src/core/CveComparer.test.ts +++ b/src/common/comparer/CveComparer.test.ts @@ -1,15 +1,15 @@ import path from 'path'; import { CveComparer } from './CveComparer.js'; -import { CveRecord } from './CveRecord.js'; -import { CveFsReader } from '../adapters/fs/CveFsReader.js'; +import { CveRecord } from '../../cve/CveRecord.js'; +import { CveFsReader } from '../../adapters/fs/CveFsReader.js'; describe(`CveComparer for CVEs`, () => { // Note that while most of these tests are CVE specific, the fixtures - // are in adatpers/comparer since most of the tests of object comparsion + // are in adapters/comparer since most of the tests of object comparison // are in this object, but applies equally well to the generic object comparer - // minaimal, old (5.0) CVEs + // minimal, old (5.0) CVEs const kFixturesDir = `test/fixtures/adapters/comparer`; const k0100 = path.join(kFixturesDir, `CVE-1970-0100.json`); const k0100s = path.join(kFixturesDir, `CVE-1970-0100s.json`); @@ -213,38 +213,5 @@ describe(`CveComparer for CVEs`, () => { }); it.todo('more adp change tests') - // it(`compare() correctly finds a ADP change 2`, () => { - // const one = CveFsReader.readFromFile(k0007u_secretariat); - // const two = CveFsReader.readFromFile(k0007u_secretariat2); - // const diff = CveComparer.compare(one, two); - // console.log(`diff adp change 2: ${JSON.stringify(diff, null, 2)}`); - // expect(diff.edited.length).toBe(0); - // expect(diff.added[0]).toMatchObject([ - // "containers", - // "adp", - // 1, - // "references", - // 1 - // ]); - // expect(diff.added[0][1]).toBe("adp"); - // expect(diff.removed.length).toBe(0); - // }); - - // // @todo, this does not currently respond as expected: - // // if 2 ADPs are added, the current algorithm does not differentiate them - // it.skip(`compare() correctly finds multiple ADP changes`, () => { - // const one = CveFsReader.readFromFile(k0007); - // const two = CveFsReader.readFromFile(k0007u_secretariat); - // const diff = CveComparer.compare(one, two); - // console.log(`diff 1: ${JSON.stringify(diff, null, 2)}`); - // expect(diff.edited[0]).toMatchObject(["cveMetadata", "dateUpdated"]); - // expect(diff.added.length).toBe(4); - // expect(diff.added[0]).toMatchObject([ - // "containers", - // "adp" - // ]); - // expect(diff.added[0][1]).toBe("adp"); - // expect(diff.removed.length).toBe(0); - // }); }); diff --git a/src/core/CveComparer.ts b/src/common/comparer/CveComparer.ts similarity index 94% rename from src/core/CveComparer.ts rename to src/common/comparer/CveComparer.ts index b639137..a8c80a6 100644 --- a/src/core/CveComparer.ts +++ b/src/common/comparer/CveComparer.ts @@ -2,12 +2,12 @@ * for sorting and diffing CVEs */ -import { CveRecord } from './CveRecord.js'; +import { CveRecord } from '../../cve/CveRecord.js'; import { ObjectComparer, ObjectComparison, compareOptions -} from '../common/comparer/ObjectComparer.js'; +} from './ObjectComparer.js'; export class CveComparer { @@ -37,7 +37,7 @@ export class CveComparer { * Note that this is really only needed when there are adp changes, * so even though it is required, it can be undefined if you know the change * is in metadata or cna - * @param comparison the ObjectCompaison from a CveComparer.compare + * @param comparison the ObjectComparison from a CveComparer.compare * @returns a list of categories */ static findCategories(cve: CveRecord, comparison: ObjectComparison): string[] { diff --git a/src/common/comparer/ObjectComparer.test.ts b/src/common/comparer/ObjectComparer.test.ts index 11467a0..0709e04 100644 --- a/src/common/comparer/ObjectComparer.test.ts +++ b/src/common/comparer/ObjectComparer.test.ts @@ -1,6 +1,4 @@ -import { CveRecord } from '../../core/CveRecord.js'; import { ObjectComparer } from './ObjectComparer.js'; -// import { CveService } from '../net/CveService.js'; // import { FsUtils } from './fsUtils.js'; // import fs from 'fs'; // import clonedeep from 'lodash.clonedeep'; diff --git a/src/common/comparer/ObjectComparer.ts b/src/common/comparer/ObjectComparer.ts index 316eeab..04a9c1e 100644 --- a/src/common/comparer/ObjectComparer.ts +++ b/src/common/comparer/ObjectComparer.ts @@ -16,12 +16,12 @@ export type ObjectComparison = { export type compareOptions = { /** true: returns paths similar to Javascript * false: returns paths delimited by '/', which is - * ofthen easier to separate a path into separate components + * often easier to separate a path into separate components */ jsPath?: boolean; /** the current json diff library we use often will show - * a `sourcObj/...` path in addition to the normal path + * a `sourceObj/...` path in addition to the normal path * this option removes that */ filterPathRootAsDuplicates?: string; @@ -38,7 +38,7 @@ export type compareOptions = { export class ObjectComparer { - /** compares any arbitary objects + /** compares any arbitrary objects * @param lhs object to compare * @param rhs object to compare * @param options options for when @@ -69,7 +69,7 @@ export class ObjectComparer { /** the current json diff library we use often will show - * a `sourcObj/...` path in addition to the normal path + * a `sourceObj/...` path in addition to the normal path * this option removes that */ static filterDuplicatesInPlace(comparison: ObjectComparison, options: compareOptions): void { diff --git a/src/core/Activity.ts b/src/core/Activity.ts index 386a146..662f9d6 100644 --- a/src/core/Activity.ts +++ b/src/core/Activity.ts @@ -1,12 +1,11 @@ /** - * DEPRECATED: Activity object + * Activity object * This is the activity object in an ActivityLog file - * @deprecated */ import cloneDeep from 'lodash.clonedeep'; import isEqual from 'lodash.isequal'; -import { CveDate } from './CveDate.js'; +import { CveDate } from '../date/CveDate.js'; import { Delta } from '../core/Delta.js'; @@ -60,7 +59,6 @@ export interface ActivityStep { }; } -// DEPRECATED export class Activity implements ActivityProps { startTime: string = CveDate.toISOString(); diff --git a/src/core/ActivityLog.test.ts b/src/core/ActivityLog.test.ts index 556329f..daa2c2e 100644 --- a/src/core/ActivityLog.test.ts +++ b/src/core/ActivityLog.test.ts @@ -1,6 +1,6 @@ import { ActivityLog } from './ActivityLog.js'; import { activity0, activity1, activity2, activityNone } from './Activity.test.js'; -import { FsUtils } from './fsUtils.js'; +import { FsUtils } from '../deprecated/fsUtils.js'; describe(`ActivityLog`, () => { diff --git a/src/core/ActivityLog.ts b/src/core/ActivityLog.ts index 7848ef0..6bf0efd 100644 --- a/src/core/ActivityLog.ts +++ b/src/core/ActivityLog.ts @@ -1,8 +1,7 @@ /** - * DEPRECATED: ActivityLog - log of activities + * ActivityLog - log of activities * Intent is to log everything that makes changes to the repository, so key information is stored from * GitHub action to GitHub action (e.g., stopdate of last activity for re-running a command) - * @deprecated */ import fs from 'fs'; @@ -19,7 +18,6 @@ export interface ActivityLogOptions { logKeepPrevious?: boolean; } -// DEPRECATED export class ActivityLog { _options: ActivityLogOptions; diff --git a/src/core/Delta.test.ts b/src/core/Delta.test.ts index 8454431..a8d7d56 100644 --- a/src/core/Delta.test.ts +++ b/src/core/Delta.test.ts @@ -1,6 +1,6 @@ import fs from 'fs'; -import { CveCorePlus } from './CveCorePlus.js'; +import { CveCorePlus } from '../cve/CveCorePlus.js'; import { Git } from './git.js'; import { Delta, DeltaQueue } from './Delta.js'; @@ -24,7 +24,7 @@ const _kTestCve0002u2 = _kTestCve0002u2Import['default'] ?? _kTestCve0002u2Impor import * as _kTestCve9999Import from '../../test/fixtures/cve/5/CVE-1970-9999.json'; const _kTestCve9999 = _kTestCve9999Import['default'] ?? _kTestCve9999Import; -import { FsUtils } from './fsUtils.js'; +import { FsUtils } from '../deprecated/fsUtils.js'; const kFixturesDir = `test/fixtures/cve/5`; const kTestDir = `test/pretend_github_repository/1970/0xxx`; diff --git a/src/core/Delta.ts b/src/core/Delta.ts index dbe8951..f4e29e2 100644 --- a/src/core/Delta.ts +++ b/src/core/Delta.ts @@ -2,13 +2,16 @@ * This is the Delta class. A delta is a list of files in a directory whose content changed from time T1 to T2. * Changes can be a new added file, updated file, or deleted file (though currently, we do not work with deleted * files since no CVEs should ever be deleted once it is published). + * + * When making zip files, this class copies CVE JSON files from /cves to a directory, and zip that, so the /cves directory + * needs to be in the current directory */ import fs from 'fs'; import cloneDeep from 'lodash.clonedeep'; import truncate from 'lodash.truncate'; -import { CveId, CveCorePlus } from './CveCorePlus.js'; +import { CveId, CveCorePlus } from '../cve/CveCorePlus.js'; // export type IsoDate = string; // @todo make a better class // export type CveId = string; // @todo make a better class @@ -30,7 +33,7 @@ export enum DeltaQueue { * see https://github.com/CVEProject/cvelistV5/issues/23 for some additional discussions * before and after the AWG meeting on 8/22 */ -export class DeltaOutpuItem { +export class DeltaOutputItem { static _cveOrgPrefix = `https://www.cve.org/CVERecord?id=`; static _githubRawJsonPrefix = `https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/` @@ -40,12 +43,12 @@ export class DeltaOutpuItem { githubLink?: string; // url to Github raw json dateUpdated?: string; // ISO string - static fromCveCorePlus(cvep: CveCorePlus): DeltaOutpuItem { - let deltaItem = new DeltaOutpuItem(); + static fromCveCorePlus(cvep: CveCorePlus): DeltaOutputItem { + let deltaItem = new DeltaOutputItem(); const cveid = cvep.cveId.toString(); deltaItem.cveId = cveid; - deltaItem.cveOrgLink = `${DeltaOutpuItem._cveOrgPrefix}${cveid}`; - deltaItem.githubLink = `${DeltaOutpuItem._githubRawJsonPrefix}${CveId.getCveDir(cveid)}/${cveid}.json`; + deltaItem.cveOrgLink = `${DeltaOutputItem._cveOrgPrefix}${cveid}`; + deltaItem.githubLink = `${DeltaOutputItem._githubRawJsonPrefix}${CveId.getCveDir(cveid)}/${cveid}.json`; deltaItem.dateUpdated = cvep.dateUpdated; return deltaItem; } @@ -62,8 +65,8 @@ export class DeltaOutpuItem { if (cveid) { items.push({ cveId: cveid, - cveOrgLink: `${DeltaOutpuItem._cveOrgPrefix}${cveid}`, - githubLink: `${DeltaOutpuItem._githubRawJsonPrefix}${CveId.getCveDir(cveid)}/${cveid}.json`, + cveOrgLink: `${DeltaOutputItem._cveOrgPrefix}${cveid}`, + githubLink: `${DeltaOutputItem._githubRawJsonPrefix}${CveId.getCveDir(cveid)}/${cveid}.json`, dateUpdated: item.dateUpdated }); } @@ -104,8 +107,8 @@ export class Delta { // ----- constructor and factory functions ----- ----- /** constructor - * @param prevDelta a previous delta to intialize this object, essentially prepending new - * deltas to the privous ones (default is none) + * @param prevDelta a previous delta to initialize this object, essentially prepending new + * deltas to the previous ones (default is none) */ constructor(prevDelta: Partial = null) { @@ -256,8 +259,8 @@ export class Delta { this.new.forEach(item => newCves.push(item.cveId.id)); const updatedCves: string[] = []; this.updated.forEach(item => updatedCves.push(item.cveId.id)); - const unkownFiles: string[] = []; - this.error.forEach(item => unkownFiles.push(item.cveId.id)); + const unknownFiles: string[] = []; + this.error.forEach(item => unknownFiles.push(item.cveId.id)); let s = `${this.new.length} new | ${this.updated.length} updated`; if (this.error.length > 0) { s += ` | ${this.error.length} other files`; @@ -266,7 +269,7 @@ export class Delta { `${this.numberOfChanges} changes (${s}): - ${this.new.length} new CVEs: ${newCves.join(', ')} - ${this.updated.length} updated CVEs: ${updatedCves.join(', ')} - ${this.error.length > 0 ? `- ${this.error.length} other files: ${unkownFiles.join(', ')}` : ``} + ${this.error.length > 0 ? `- ${this.error.length} other files: ${unknownFiles.join(', ')}` : ``} `; if (retstr.length > Delta.kMaxGithubCommitMessageLength) { // the '- 4' in the length is to accommodate the ',...' that lodash.truncate diff --git a/src/core/DeltaFs.test.ts b/src/core/DeltaFs.test.ts index b347ab1..014c2e6 100644 --- a/src/core/DeltaFs.test.ts +++ b/src/core/DeltaFs.test.ts @@ -1,6 +1,6 @@ import fs from 'fs'; -import { CveCorePlus } from './CveCorePlus.js'; +import { CveCorePlus } from '../cve/CveCorePlus.js'; import { Git } from './git.js'; import { Delta, DeltaQueue } from './Delta.js'; @@ -30,7 +30,7 @@ const kTestFixtureCve0001 = './test/fixtures/cve/5/CVE-1970-0001.json'; const testDir = `test/tests/filesystem`; const testZip = `${testDir}/test.zip`; -import { FsUtils } from './fsUtils.js'; +import { FsUtils } from '../deprecated/fsUtils.js'; import { DeltaFs } from './DeltaFs.js'; const kFixturesDir = `test/fixtures/cve/5`; diff --git a/src/core/DeltaFs.ts b/src/core/DeltaFs.ts index 2d62e0c..e12f9fd 100644 --- a/src/core/DeltaFs.ts +++ b/src/core/DeltaFs.ts @@ -9,11 +9,10 @@ import fs from 'fs'; import path from 'path'; import process from 'process'; -import AdmZip from 'adm-zip'; - -import { CveId } from './CveCorePlus.js'; -import { DeltaOutpuItem, Delta } from './Delta.js'; -import { FsUtils } from './fsUtils.js'; +import { Zip } from '../adapters/zip/Zip.js'; +import { CveId } from '../cve/CveCorePlus.js'; +import { DeltaOutputItem, Delta } from './Delta.js'; +import { FsReader } from '../adapters/fs/FsReader.js'; export type IsoDate = string; // @todo make a better class // export type CveId = string; // @todo make a better class @@ -39,7 +38,7 @@ export class DeltaFs extends Delta { const outputJson = fs.writeFileSync(`${relFilepath}`, JSON.stringify( this, - DeltaOutpuItem.replacer, + DeltaOutputItem.replacer, 2)); console.log(`delta file written to ${relFilepath}`); } @@ -70,8 +69,8 @@ export class DeltaFs extends Delta { console.log(`${this.numberOfChanges} CVEs copied to ${relDir}`); if (zipFile) { - const listing = FsUtils.ls(relDir); - DeltaFs.generateZipfile(listing, zipFile, "deltaCves", relDir); + const listing = FsReader.readdirSync(relDir); + Zip.generateZipfile(listing, zipFile, "deltaCves", relDir); console.log(`zip file generated as ${relDir}/${zipFile}`); } } @@ -85,37 +84,10 @@ export class DeltaFs extends Delta { fs.writeFileSync(relFilepath, text); } - /** - * Synchronously generate a zip file from an array of files (no directories) - * @param filepaths array of filenames to be zipped - * @param resultFilepath filepath for resulting zip file - * @param zipVirtualDir dir name in zip, defaults to `files` - * (for example, if you want to add all the files - * into a zip folder called abc, - * you would pass 'abc' here) - * @param dir path to directory where files are located + * @todo remove pointer to replacement function and dont support backwards compatibility for simplicity. + * @deprecated use {@link Zip.generateZipfile} */ - static generateZipfile( - filepaths: string | string[], - resultFilepath: string, - zipVirtualDir = `files`, - dir = '' - ) { - console.log(`generating zip file from ${filepaths} to ${resultFilepath}`); - // if path to resultFilepath does not exist, recursively make them - const dirname = path.dirname(resultFilepath); - fs.mkdirSync(dirname, { recursive: true }); - const zip = new AdmZip; - if (!Array.isArray(filepaths)) { - filepaths = [filepaths]; - } - filepaths.forEach(filepath => { - const path = (dir.length > 0) ? `${dir}/${filepath}` : filepath; - zip.addLocalFile(path, zipVirtualDir); - }); - zip.writeZip(resultFilepath); - // console.log(`zip file generated at ${resultFilepath}`); - } + static generateZipfile = Zip.generateZipfile; } \ No newline at end of file diff --git a/src/core/DeltaLog.test.ts b/src/core/DeltaLog.test.ts index f6dd7a1..8865a7c 100644 --- a/src/core/DeltaLog.test.ts +++ b/src/core/DeltaLog.test.ts @@ -1,10 +1,10 @@ import fs from 'fs'; -import { CveId, CveCorePlus } from './CveCorePlus.js'; +import { CveId, CveCorePlus } from '../cve/CveCorePlus.js'; import { Delta, DeltaQueue } from './Delta.js'; import { DeltaLog } from './DeltaLog.js'; // import { activity0, activity1, activity2, activityNone } from './Activity.test.js'; -import { FsUtils } from './fsUtils.js'; +import { FsUtils } from '../deprecated/fsUtils.js'; import * as _kTestCve0001Import from '../../test/fixtures/cve/5/CVE-1970-0001.json'; const _kTestCve0001 = _kTestCve0001Import['default'] ?? _kTestCve0001Import; diff --git a/src/core/DeltaLog.ts b/src/core/DeltaLog.ts index 9a901f4..f170129 100644 --- a/src/core/DeltaLog.ts +++ b/src/core/DeltaLog.ts @@ -17,10 +17,10 @@ import fs from 'fs'; import path from 'path'; -import { Delta, DeltaOutpuItem } from './Delta.js'; +import { Delta, DeltaOutputItem } from './Delta.js'; import { IsoDateString } from '../common/IsoDate/IsoDateString.js'; -import { CveCorePlus } from './CveCorePlus.js'; -import { FsUtils } from './fsUtils.js'; +import { CveCorePlus } from '../cve/CveCorePlus.js'; +import { FsUtils } from '../deprecated/fsUtils.js'; export class DeltaLog extends Array{ @@ -145,7 +145,7 @@ export class DeltaLog extends Array{ } const sorted = this.sortByFetchTme(); const windowed: Delta[] = sorted.filter(delta => (delta.fetchTime > startWindow.toString() && (delta.fetchTime < stopWindow.toString()))); - // using object insteads of Set because set won't differientiate objects + // using object instead of Set because set won't differentiate objects let newList: Record = {}; let updatedList: Record = {}; windowed.forEach(delta => { @@ -182,14 +182,14 @@ export class DeltaLog extends Array{ } const dirname = path.dirname(relFilepath); fs.mkdirSync(dirname, { recursive: true }); - fs.writeFileSync(`${relFilepath}`, JSON.stringify(this, DeltaOutpuItem.replacer, 2)); + fs.writeFileSync(`${relFilepath}`, JSON.stringify(this, DeltaOutputItem.replacer, 2)); return true; } } static fitDeltaLogToFileSize(relFilePath: string, fileSizeLimitBytes: number) { - let initalFileSize = fs.statSync(relFilePath).size; - if (initalFileSize < fileSizeLimitBytes) { + let initialFileSize = fs.statSync(relFilePath).size; + if (initialFileSize < fileSizeLimitBytes) { return false; } let delta = DeltaLog.fromLogFile(relFilePath); @@ -203,7 +203,7 @@ export class DeltaLog extends Array{ while (condenseLevel <= maxCondenseLevel) { let currSize = FsUtils.condenseJsonDataFile(condenseLevel, relFilePath); if (currSize <= fileSizeLimitBytes) { - console.log(`DeltaLog file was previously ${initalFileSize} bytes, and is now ${currSize} bytes (${initalFileSize - currSize} byte diff ${Math.floor(100 * (currSize / initalFileSize))}%). DeltaLog file was condensed by cutting off the last ${numDeltas - delta.length} delta blocks, and condensing to level ${condenseLevel}.`); + console.log(`DeltaLog file was previously ${initialFileSize} bytes, and is now ${currSize} bytes (${initialFileSize - currSize} byte diff ${Math.floor(100 * (currSize / initialFileSize))}%). DeltaLog file was condensed by cutting off the last ${numDeltas - delta.length} delta blocks, and condensing to level ${condenseLevel}.`); console.log("Removed:", JSON.stringify(cutDeltas, null, 2)); return true; } diff --git a/src/core/git.test.ts b/src/core/git.test.ts index fb99fa6..3114928 100644 --- a/src/core/git.test.ts +++ b/src/core/git.test.ts @@ -1,27 +1,43 @@ +/** + * This is a special test file. + * Due to git acting as a singleton, testing multiple instances of code that utilizes git asynchronously are practically guaranteed to cause race condition issues. + * This file handles the execution of these problematic tests by running them in a synchronous sequence via describe blocks. + * + * For testing direct or indirect usage of the git "singleton": + * 1. Export said tests into an executable function. + * 1a. Include additional supporting functions, constants, [before|After][All|Each], etc. + * 1b. Exporting multiple tests to be run independently is allowed. + * 1_Example: + * See git.test.ts -> `export const GitTestsUsingGit = function () { ... }` + * 2. Import said tests into the git.test.ts file. + * 2_Example: + * import { GitTestsUsingGit } from './git.test.js'; + * 3. Run the imported executable function for said tests in its own describe block in the git.test.ts. + * 3a. Add a descriptive name for the describe block. + * 3_Example: + * describe(`Git.ts::Git class`, GitTestsUsingGit); + */ + import fs from 'fs'; import { Git } from './git.js'; -import { StatusResult } from 'simple-git'; -import { CveCore } from './CveCore.js'; -import { setup_TestGitRepository, cleanup_TestGitRepository } from './Delta.test.js'; - +import { CveCore } from '../cve/CveCore.js'; import * as _kTestCve0003Import from '../../test/pretend_github_repository/1970/0xxx/CVE-1970-0002.json'; const _kTestCve0003 = _kTestCve0003Import['default'] ?? _kTestCve0003Import; -import { FsUtils } from './fsUtils.js'; - -describe(`Git`, () => { - - const localDir: string = `test/pretend_github_repository`; +import { FsUtils } from '../deprecated/fsUtils.js'; - const kTestCve0001 = CveCore.fromCveMetadata(_kTestCve0003['cveMetadata']); +import { setup_TestGitRepository, cleanup_TestGitRepository } from './Delta.test.js'; - const srcDir = `test/fixtures/cve/5`; - const destDir = `test/pretend_github_repository/1970/0xxx`; - const destDir9 = `test/pretend_github_repository/1970/9xxx`; +describe(`Git`, () => { + describe(`main tests`, () => { + const localDir: string = `test/pretend_github_repository`; + const kTestCve0001 = CveCore.fromCveMetadata(_kTestCve0003['cveMetadata']); - describe(`main tests`, () => { + const srcDir = `test/fixtures/cve/5`; + const destDir = `test/pretend_github_repository/1970/0xxx`; + const destDir9 = `test/pretend_github_repository/1970/9xxx`; beforeAll(() => { console.log('running main tests'); fs.copyFileSync(`${srcDir}/CVE-1970-0999.json`, `${destDir}/CVE-1970-0996.json`); @@ -42,7 +58,7 @@ describe(`Git`, () => { }); afterAll(() => { console.log("done main test"); - // Teardown (cleanup) after assertions + // Teardown (cleanup) after assertions fs.copyFile(`${srcDir}/CVE-1970-0002.json`, `${destDir}/CVE-1970-0002.json`, Git.genericCallback); FsUtils.rm(`${destDir}/CVE-1970-0996.json`); FsUtils.rm(`${destDir}/CVE-1970-0997.json`); @@ -55,7 +71,7 @@ describe(`Git`, () => { }); - it(`properly builds a Git object with specified initailizers`, () => { + it(`properly builds a Git object with specified initializers`, () => { const git = new Git({ localDir }); // console.log(`git.localDir=${git.localDir}`); expect(git.localDir).toMatch(localDir); @@ -121,109 +137,135 @@ describe(`Git`, () => { expect(retval.numberOfChanges).toBe(0); }); }); - - -}); - -// Git functions that use the git class in a problematic manner to be tested synchronously: add, rm -export const GitTestsUsingGit = function () { - const localDir: string = `test/pretend_github_repository`; - const srcDir = `test/fixtures/cve/5`; - const destDir = `test/pretend_github_repository/1970/0xxx`; - const cvesToAdd = { - 'CVE-1970-0995': `CVE-1970-0999`, - 'CVE-1970-0996': `CVE-1970-0999`, - 'CVE-1970-0997': `CVE-1970-0999`, - }; - const cvesToUpdate = { - 'CVE-1970-0002': 'CVE-1970-0002u' - }; - beforeEach(async () => { - // add new cves - for (let [toFN, fromFN] of Object.entries(cvesToAdd)) { - - fs.copyFileSync(`${srcDir}/${fromFN}.json`, `${destDir}/${toFN}.json`); - } - // update existing CVE - for (let [toFN, fromFN] of Object.entries(cvesToUpdate)) { - fs.copyFileSync(`${srcDir}/${fromFN}.json`, `${destDir}/${toFN}.json`); - } - }); - afterEach(async () => { - // this should not be necessary, but it seems to clean - // up the git.lock file so that we don't get errors - // about 2 git clients trying to access the same repository - // at the same time - const git = new Git({ localDir }); - await git.status(); - }); - afterAll(() => { - // remove new cves - for (let fn of Object.keys(cvesToAdd)) { - FsUtils.rm(`${destDir}/${fn}.json`); - } - // revert existing CVE - for (let fn of Object.keys(cvesToUpdate)) { - fs.copyFileSync(`${srcDir}/${fn}.json`, `${destDir}/${fn}.json`); - } + // Delta functions that use the git class in a problematic manner to be tested synchronously: calculateDelta, toText + describe(`Delta tests using git`, () => { + it(`calculateDelta() properly calculates a Delta`, async () => { + await setup_TestGitRepository(); + const delta = await Git.calculateDelta({}, `test/pretend_github_repository`); + console.log(`delta=${JSON.stringify(delta, null, 2)}`); + console.log(`delta.toText() -> ${delta.toText()}`); + + expect(delta.numberOfChanges).toBe(2); + expect(delta.new.length).toBe(1); + expect(delta.updated.length).toBe(1); + + await cleanup_TestGitRepository(); + }); }); - it(`properly adds and rms files`, async () => { - const git = new Git({ localDir }); - // await git.initForTest(); - // test for single add - const respAdd = await git.add(`1970/0xxx/CVE-1970-0995.json`); - const status = await git.status(); - expect(status.staged).toContain(`${localDir}/1970/0xxx/CVE-1970-0995.json`); - - // cleanup single add - const resp2 = await git.rm(`${process.cwd()}/${destDir}/CVE-1970-0995.json`); - const status2 = await git.status(); - expect(status2.staged).not.toContain(`${localDir}/1970/0xxx/CVE-1970-0995.json`); - - // test for multi add - const respAddMult = await git.add([ - `${process.cwd()}/${destDir}/CVE-1970-0996.json`, - `${process.cwd()}/${destDir}/CVE-1970-0997.json` - ]); - const statusMult = await git.status(); - expect(statusMult.staged).toContain(`${destDir}/CVE-1970-0996.json`); - expect(statusMult.staged).toContain(`${destDir}/CVE-1970-0997.json`); - - // cleanup for multi add - const respMult2 = await git.rm([ - `${process.cwd()}/${destDir}/CVE-1970-0996.json`, - `${process.cwd()}/${destDir}/CVE-1970-0997.json` - ]); - const statusMult2 = await git.status(); - expect(statusMult2.staged).not.toContain(`${destDir}/CVE-1970-0996.json`); - expect(statusMult2.staged).not.toContain(`${destDir}/CVE-1970-0997.json`); + describe(`Delta test using git`, () => { + it(`toText() properly displays human readable text about this Delta`, async () => { + await setup_TestGitRepository(); + const delta = await Git.calculateDelta({}, `test/pretend_github_repository`); + // console.log(`delta=${JSON.stringify(delta, null, 2)}`); + console.log(`delta.toText() -> ${delta.toText()}`); + + expect(delta.toText()).toContain(`${delta.numberOfChanges} changes`); + expect(delta.toText()).toContain(`${delta.new.length} new`); + expect(delta.toText()).toContain(`${delta.updated.length} updated`); + + await cleanup_TestGitRepository(); + }); }); + // Git functions that use the git class in a problematic manner to be tested synchronously: add, rm + describe(`Git tests using git`, () => { + const localDir: string = `test/pretend_github_repository`; + const srcDir = `test/fixtures/cve/5`; + const destDir = `test/pretend_github_repository/1970/0xxx`; + const cvesToAdd = { + 'CVE-1970-0995': `CVE-1970-0999`, + 'CVE-1970-0996': `CVE-1970-0999`, + 'CVE-1970-0997': `CVE-1970-0999`, + }; + const cvesToUpdate = { + 'CVE-1970-0002': 'CVE-1970-0002u' + }; + beforeEach(async () => { + // add new cves + for (let [toFN, fromFN] of Object.entries(cvesToAdd)) { + + fs.copyFileSync(`${srcDir}/${fromFN}.json`, `${destDir}/${toFN}.json`); + } + // update existing CVE + for (let [toFN, fromFN] of Object.entries(cvesToUpdate)) { + fs.copyFileSync(`${srcDir}/${fromFN}.json`, `${destDir}/${toFN}.json`); + } + }); + afterEach(async () => { + // this should not be necessary, but it seems to clean + // up the git.lock file so that we don't get errors + // about 2 git clients trying to access the same repository + // at the same time + const git = new Git({ localDir }); + await git.status(); + }); + afterAll(() => { + // remove new cves + for (let fn of Object.keys(cvesToAdd)) { + FsUtils.rm(`${destDir}/${fn}.json`); + } + // revert existing CVE + for (let fn of Object.keys(cvesToUpdate)) { + fs.copyFileSync(`${srcDir}/${fn}.json`, `${destDir}/${fn}.json`); + } + }); + it(`properly adds and rms files`, async () => { + const git = new Git({ localDir }); + // await git.initForTest(); + // test for single add + const respAdd = await git.add(`1970/0xxx/CVE-1970-0995.json`); + const status = await git.status(); + expect(status.staged).toContain(`${localDir}/1970/0xxx/CVE-1970-0995.json`); + + // cleanup single add + const resp2 = await git.rm(`${process.cwd()}/${destDir}/CVE-1970-0995.json`); + const status2 = await git.status(); + expect(status2.staged).not.toContain(`${localDir}/1970/0xxx/CVE-1970-0995.json`); + + // test for multi add + const respAddMult = await git.add([ + `${process.cwd()}/${destDir}/CVE-1970-0996.json`, + `${process.cwd()}/${destDir}/CVE-1970-0997.json` + ]); + const statusMult = await git.status(); + expect(statusMult.staged).toContain(`${destDir}/CVE-1970-0996.json`); + expect(statusMult.staged).toContain(`${destDir}/CVE-1970-0997.json`); + + // cleanup for multi add + const respMult2 = await git.rm([ + `${process.cwd()}/${destDir}/CVE-1970-0996.json`, + `${process.cwd()}/${destDir}/CVE-1970-0997.json` + ]); + const statusMult2 = await git.status(); + expect(statusMult2.staged).not.toContain(`${destDir}/CVE-1970-0996.json`); + expect(statusMult2.staged).not.toContain(`${destDir}/CVE-1970-0997.json`); + }); - // @todo this currently works, but all files are "new" - // @todo needs to set up git history for this repository's pretend_github_repository - it(`newDeltaFromGitHistory() properly builds a full Delta object from the file system`, async () => { - const delta = await Git.newDeltaFromGitHistory( - '2022-01-01T00:00:00.000Z', - '2023-04-28T00:00:00.000Z', - process.env.CVES_TEST_BASE_DIRECTORY - ); - // console.log(`delta = ${JSON.stringify(delta, null, 2)}`); - expect(delta.numberOfChanges).toBe(5); - expect(delta.new.length).toBe(5); - expect(delta.updated.length).toBe(0); - expect(delta?.error?.length).toBe(0); - expect(delta.new[0].cveId.toString()).toBe(`CVE-1970-0001`); - }); - - - it(`newDeltaFromGitHistory() properly defaults to now`, async () => { - await setup_TestGitRepository(); - const startDate = "2023-08-16T00:00:00.000Z"; - const delta = await Git.newDeltaFromGitHistory(startDate, undefined, process.env.CVES_TEST_BASE_DIRECTORY); - const deltaNow = await Git.newDeltaFromGitHistory(startDate, new Date().toISOString(), process.env.CVES_TEST_BASE_DIRECTORY); - expect(delta.numberOfChanges).toBe(deltaNow.numberOfChanges); - expect(delta.error).toEqual(deltaNow.error); - await cleanup_TestGitRepository(); - }); -}; \ No newline at end of file + // @todo this currently works, but all files are "new" + // @todo needs to set up git history for this repository's pretend_github_repository + it(`newDeltaFromGitHistory() properly builds a full Delta object from the file system`, async () => { + const delta = await Git.newDeltaFromGitHistory( + '2022-01-01T00:00:00.000Z', + '2023-04-28T00:00:00.000Z', + process.env.CVES_TEST_BASE_DIRECTORY + ); + // console.log(`delta = ${JSON.stringify(delta, null, 2)}`); + expect(delta.numberOfChanges).toBe(5); + expect(delta.new.length).toBe(5); + expect(delta.updated.length).toBe(0); + expect(delta?.error?.length).toBe(0); + expect(delta.new[0].cveId.toString()).toBe(`CVE-1970-0001`); + }); + + + it(`newDeltaFromGitHistory() properly defaults to now`, async () => { + await setup_TestGitRepository(); + const startDate = "2023-08-16T00:00:00.000Z"; + const delta = await Git.newDeltaFromGitHistory(startDate, undefined, process.env.CVES_TEST_BASE_DIRECTORY); + const deltaNow = await Git.newDeltaFromGitHistory(startDate, new Date().toISOString(), process.env.CVES_TEST_BASE_DIRECTORY); + expect(delta.numberOfChanges).toBe(deltaNow.numberOfChanges); + expect(delta.error).toEqual(deltaNow.error); + await cleanup_TestGitRepository(); + }); + }); +}); \ No newline at end of file diff --git a/src/core/git.ts b/src/core/git.ts index 1ec421d..c85a68a 100644 --- a/src/core/git.ts +++ b/src/core/git.ts @@ -1,10 +1,10 @@ -/** a wrapper/fascade class to make it easier to use git libraries from within cve utils +/** a wrapper/facade class to make it easier to use git libraries from within cve utils * Note that because the git utility (and thus this class and the SimpleGit library this class * depends on) is meant to be used by one process at a time in each "clone" (i.e., each directory * that contains a `.git` subdirectory), there are operations that is not easily used or tested * in an asynchronous environment (e.g., cveUtils and jest tests). * - * Specifically, the methods `status()`, `add()`, and "rm()" can have non-deterministric behavior + * Specifically, the methods `status()`, `add()`, and "rm()" can have non-deterministic behavior * when used asynchronously in multiple places. * * To successfully test these methods, follow the style/pattern of testing described in cveUtil's @@ -18,7 +18,7 @@ import { StatusResult, } from 'simple-git'; -import { CveCore, CveCorePlus, CveId } from './CveCorePlus.js'; +import { CveCore, CveCorePlus, CveId } from '../cve/CveCorePlus.js'; import { Delta, DeltaQueue } from './Delta.js'; export class Git { @@ -67,7 +67,7 @@ export class Git { * @param dir directory to filter (note that this cannot have `./` or `../` since this is only doing a simple string match) */ static async calculateDelta(prevDelta: Partial, dir: string): Promise { - // console.log(`calcuating delta in dir=${dir}`); + // console.log(`calculating delta in dir=${dir}`); const delta = new Delta(prevDelta); const git: SimpleGit = simpleGit('./', { binary: 'git' }); diff --git a/src/core/gitSync.test.ts b/src/core/gitSync.test.ts deleted file mode 100644 index 01306c5..0000000 --- a/src/core/gitSync.test.ts +++ /dev/null @@ -1,72 +0,0 @@ -/** - * This is a special test file. - * Due to git acting as a singleton, testing multiple instances of code that utilizes git asynchronously are practically garunteed to cause race condition issues. - * This file handles the execution of these problematic tests by running them in a syncronus sequence via describe blocks. - * - * For testing direct or indirect usage of the git "singleton": - * 1. Export said tests into an executable function. - * 1a. Include additional supporting functions, constants, [before|After][All|Each], etc. - * 1b. Exporting multiple tests to be run independantly is allowed. - * 1_Example: - * See git.test.ts -> `export const GitTestsUsingGit = function () { ... }` - * 2. Import said tests into the git.test.ts file. - * 2_Example: - * import { GitTestsUsingGit } from './git.test.js'; - * 3. Run the imported executable function for said tests in its own describe block in the git.test.ts. - * 3a. Add a descriptive name for the describe block. - * 3_Example: - * describe(`Git.ts::Git class`, GitTestsUsingGit); - */ - -import { Git } from './git.js'; -import { StatusResult } from 'simple-git'; - -/** - * IMPORT EXTERNALLY DEFINED TEST FUNCTIONS HERE: - */ -import { GitTestsUsingGit } from './git.test.js'; -import { setup_TestGitRepository, cleanup_TestGitRepository } from './Delta.test.js'; - - -// Delta functions that use the git class in a problematic manner to be tested synchronously: calculateDelta, toText -export const DeltaTestsUsingGit1 = function () { - it(`calculateDelta() properly calculates a Delta`, async () => { - await setup_TestGitRepository(); - const delta = await Git.calculateDelta({}, `test/pretend_github_repository`); - console.log(`delta=${JSON.stringify(delta, null, 2)}`); - console.log(`delta.toText() -> ${delta.toText()}`); - - expect(delta.numberOfChanges).toBe(2); - expect(delta.new.length).toBe(1); - expect(delta.updated.length).toBe(1); - - await cleanup_TestGitRepository(); - }); -}; - -export const DeltaTestsUsingGit2 = function () { - it(`toText() properly displays human readable text about this Delta`, async () => { - await setup_TestGitRepository(); - const delta = await Git.calculateDelta({}, `test/pretend_github_repository`); - // console.log(`delta=${JSON.stringify(delta, null, 2)}`); - console.log(`delta.toText() -> ${delta.toText()}`); - - expect(delta.toText()).toContain(`${delta.numberOfChanges} changes`); - expect(delta.toText()).toContain(`${delta.new.length} new`); - expect(delta.toText()).toContain(`${delta.updated.length} updated`); - - await cleanup_TestGitRepository(); - }); -}; - -describe(`Syncronus Git tests`, () => { - - // @DEV: Execute the imported tests as unique describe blocks here: - - describe(`Git.ts::Git class`, GitTestsUsingGit); - - describe(`Delta.ts::Delta class`, DeltaTestsUsingGit1); - - describe(`Delta.ts::Delta class`, DeltaTestsUsingGit2); - -}); \ No newline at end of file diff --git a/src/core/search/BasicSearchManager.ts b/src/core/search/BasicSearchManager.ts deleted file mode 100644 index f97c7cb..0000000 --- a/src/core/search/BasicSearchManager.ts +++ /dev/null @@ -1,104 +0,0 @@ -// set up environment -import * as dotenv from 'dotenv'; -dotenv.config(); - -import { CveErrorCodes, CveResult } from '../result/CveResult.js'; -import { SearchReader } from '../../adapters/search/SearchReader.js'; -import { SearchRequest } from './SearchRequest.js'; - -/** specifications for the search provider - * with reasonable defaults when specified in the constructor */ -export class SearchProviderInfo { - // cacheEndpoint: string - providerEndpoint: string; - index: string; -} - -/** options when using search() - * for defaults see SearchRequest constructor where it is explicitly set -*/ -export class SearchOptions { - useCache: boolean; - track_total_hits: boolean; - default_operator: "AND" | "OR" - metadataOnly: boolean; - fields: string[]; - sort: {}[]; - from: number; - size: number; -} - -/** generic result from any search query using ElasticSearch or OpenSearch - * - same output as curl and dashboard console, but typed - * - specified here in this way to make VSCode intelliSense - * work better -*/ -export type SearchResultData = { - took: number; // e.g., 23 - timed_out: boolean; - _shards?: { - total: number; // e.g., 1 - successful: number; // e.g., 1, - skipped: number; // e.g., 0, - failed: number; // e.g., 0; - }, - hits: { - total: { - value: number, // e.g., 5 - relation: 'eq' | 'gte'; - }, - max_score: number; // e.g., 3.9779425 - hits: {}[]; // @todo - }, - aggregations?: unknown; // @todo -}; - - -/** A manager class that provides basic search capabilities - * including a flexible search() that provides consistent - * search behavior among apps (e.g., WebSearch and SearchAPI) -*/ -export class BasicSearchManager { - - _searchReader: SearchReader; - - /** constructor that sets up provider information - * @param searchProviderInfo optional specifications providing provider information - * default is to read it from environment variables - */ - constructor(searchProviderInfo: SearchProviderInfo = undefined) { - if (!searchProviderInfo) { - searchProviderInfo = { - providerEndpoint: process.env.OpenSearchDomainEndpoint, - index: process.env.OpenSearchCveIndex - }; - } - this._searchReader = new SearchReader( - searchProviderInfo.providerEndpoint, - searchProviderInfo.index); - } - - - /** search for text at provider - * @param text the text string to search for - * @param options options to specify how to search, with well-defined defaults - */ - async search(text: string, options: Partial = undefined): Promise { - let response = undefined; - const builder = new SearchRequest(text, options) - const result: CveResult = builder.buildRequest() - // console.log(`result=${JSON.stringify(result, null, 2)}`) - if (result.isOk()) { - // console.log(`q: ${JSON.stringify(result.data['q'], null, 2)}`) - response = await this._searchReader._client.search({ - index: this._searchReader._cveIndex, - body: result.data['q'] - }); - // console.log(`response: ${JSON.stringify(response, null, 2)}`); - result.data = response.body; - // return CveResult.ok(response.body as SearchResultData); - } - return result - } - -} \ No newline at end of file diff --git a/src/core/search/SearchRequest.test.unit.ts b/src/core/search/SearchRequest.test.unit.ts deleted file mode 100644 index e1f130e..0000000 --- a/src/core/search/SearchRequest.test.unit.ts +++ /dev/null @@ -1,337 +0,0 @@ -import { SearchOptions } from "./BasicSearchManager.js" -import { SearchRequestType, SearchRequest, SearchRequestTypeId } from "./SearchRequest.js"; - -describe(`SearchRequest`, () => { - - const kSimpleSearchString = 'office' - const kSimpleUnsupportedSearchString = '127.0.0.*' - - // ----- constructor - - it(`constructor(simpleString) correctly sets all fields with proper defaults for options`, async () => { - const req = new SearchRequest(kSimpleSearchString) - expect(req._searchText).toBe(kSimpleSearchString) - expect(req._searchOptions.track_total_hits).toBeTruthy() - }); - - - it(`constructor(simpleString,{track_total_hits:value}) correctly sets all fields with specified options`, async () => { - const req = new SearchRequest(kSimpleSearchString, { track_total_hits: true }) - expect(req._searchText).toBe(kSimpleSearchString) - expect(req._searchOptions.track_total_hits).toBeTruthy() - - const req2 = new SearchRequest(kSimpleSearchString, { track_total_hits: false }) - expect(req2._searchText).toBe(kSimpleSearchString) - expect(req2._searchOptions.track_total_hits).toBeFalsy() - }); - - - - it(`constructor with options for paging correctly returns the number requested`, async () => { - const req = new SearchRequest(kSimpleSearchString, - { - track_total_hits: true, - from: 200, - size: 50 - }); - const result = req.processSearchText(); - // console.log(`result: ${JSON.stringify(result, null, 2)}`); - expect(result.data['searchTextType']).toBe("SEARCH_GENERAL_TEXT"); - expect(result.data['processedSearchText']).toBe(kSimpleSearchString); - expect(result).toMatchSnapshot(); - expect(req._searchText).toBe(result.data['processedSearchText']); - expect(req).toMatchSnapshot(); - }); - - - it(`toJSON() correctly prints out an "ok" result`, async () => { - const req = new SearchRequest(kSimpleSearchString, { track_total_hits: true }); - const result = req.processSearchText(); - // console.log(`result: ${JSON.stringify(result, null, 2)}`); - expect(result.isOk()).toBeTruthy(); - expect(result.data['searchTextType']).toBe("SEARCH_GENERAL_TEXT"); - expect(result.data['processedSearchText']).toBe(kSimpleSearchString); - expect(result).toMatchSnapshot(); - expect(req._searchText).toBe(result.data['processedSearchText']); - expect(req).toMatchSnapshot(); - }); - - - it(`toJSON() correctly prints out an "errors" result`, async () => { - const req = new SearchRequest(kSimpleUnsupportedSearchString, { track_total_hits: false }); - const result = req.processSearchText(); - // console.log(`result: ${JSON.stringify(result, null, 2)}`); - expect(result.hasErrors()).toBeTruthy(); - expect(result.hasNotes()).toBeTruthy(); - expect(result.data['searchTextType']).toBe("WILDCARD_ASTERISK_SEARCH_NOT_SUPPORTED"); - expect(result.data['processedSearchText']).toBe(kSimpleUnsupportedSearchString); - expect(result).toMatchSnapshot(); - expect(req._searchText).toBe(result.data['processedSearchText']); - expect(req).toMatchSnapshot(); - }); - - - // ----- spock+snapshot testing constructor+findSearchRequestType+processSearchText() - - - [ - // ----- reserved characters in strings ----- - ["{getTotal()}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', "{getTotal()}"], - ["{=getTotal()}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', "{=getTotal()}"], - ["{inField('description')}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', "{inField('description')}"], - // ["CVE-2020-0001 {inField('description')}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', `\"CVE-2020-0001\\\" {inField('description')}"`], - // ----- disallowed strings ----- - ["CVE–1999–0001", 'SEARCH_GENERAL_TEXT', "CVE–1999–0001"], - ["127.0.0.*", 'WILDCARD_ASTERISK_SEARCH_NOT_SUPPORTED', "127.0.0.*"], - [".127.0.0.*", 'WILDCARD_ASTERISK_SEARCH_NOT_SUPPORTED', ".127.0.0.*"], - // [".127.0.0.???", 'WILDCARD_QUESTION_SEARCH_NOT_SUPPORTED', ".127.0.0.???"], - [".127.0.0.*", 'WILDCARD_ASTERISK_SEARCH_NOT_SUPPORTED', ".127.0.0.*"], - // ----- simple search strings ----- - ["2020", 'SEARCH_GENERAL_TEXT', "2020"], - ["office", 'SEARCH_GENERAL_TEXT', "office"], - [`"office"`, 'SEARCH_GENERAL_TEXT', "office"], - [`"office`, 'SEARCH_GENERAL_TEXT', "office"], - [`office"`, 'SEARCH_GENERAL_TEXT', "office"], - ["microsoft office", 'SEARCH_GENERAL_TEXT', "microsoft office"], - [`"man-in-the-middle Attack"`, 'SEARCH_PHRASE', `\"man-in-the-middle Attack\"`], - ["docker compose", 'SEARCH_GENERAL_TEXT', "docker compose"], - // ----- double quoted strings ----- - // [`"microsoft office"`, 'SEARCH_PHRASE', `\"microsoft office\"`], // @todo - // ----- hyphenated search strings ----- - ["CVE-2020-5422", 'SEARCH_AS_CVE_ID', `\"CVE-2020-5422\"`], - ["CVE-1998-5422", 'SEARCH_AS_CVE_ID', `\"CVE-1998-5422\"`], // @todo invalid CVE ID should detected as such - // ["CVE-3998-5422", 'SEARCH_ERROR_INVALID_CVE_ID', `\"CVE-1998-5422\"`], // @todo invalid CVE ID should detected as such - ["CVE-2020-5422 CVE-2020-5423", 'SEARCH_AS_CVE_ID', `\"CVE-2020-5422\" \"CVE-2020-5423\"`], - ["CVE-2020-5422 CVE-2020-5423 CVE-2020-5424 CVE-2020-5425", 'SEARCH_AS_CVE_ID', `\"CVE-2020-5422\" \"CVE-2020-5423\" \"CVE-2020-5424\" \"CVE-2020-5425\"`], - ["CVE 2020 5422", 'SEARCH_GENERAL_TEXT', "CVE 2020 5422"], - ["CVE-2000", 'SEARCH_AS_CVE_YEAR', `\"CVE-2000\"`], - ["CWE-123", 'SEARCH_AS_CWE_ID', `\"CWE-123\"`], - ["CAPEC-63", 'SEARCH_AS_CAPEC_ID', `\"CAPEC-63\"`], - ["PAN-OS", 'SEARCH_PHRASE', `\"PAN-OS\"`], - ["-PAN-OS", 'SEARCH_STRING_NOT_SUPPORTED', "-PAN-OS"], - ["docker-compose", 'SEARCH_PHRASE', `\"docker-compose\"`], - ["-x", 'SEARCH_STRING_NOT_SUPPORTED', "-x"], - ["--x", 'SEARCH_STRING_NOT_SUPPORTED', "--x"], - ["x--", 'SEARCH_PHRASE', `\"x--\"`], - ["PAN-OS-", 'SEARCH_PHRASE', `\"PAN-OS-\"`], - ["man-in-the-middle-attack", 'SEARCH_PHRASE', `\"man-in-the-middle-attack\"`], - [`"man-in-the-middle Attack"`, 'SEARCH_PHRASE', `\"man-in-the-middle Attack\"`], - ["1-2-3-4", 'SEARCH_PHRASE', `\"1-2-3-4\"`], - // ----- periods ----- - // [`\"f8cd397...fabac6c\"`, 'SEARCH_AS_FILENAME', `\"f8cd397...fabac6c\"`],// @todo needs CVE-2019-13107 - // ["f8cd397...fabac6c", 'SEARCH_AS_FILENAME', "f8cd397...fabac6c"],// @todo needs CVE-2019-13107 - // ["Node.JS", 'SEARCH_AS_FILENAME', `\"Node.JS\"`], // @todo - // ["serial_core.c", 'SEARCH_AS_FILENAME', `\"serial_core.c\"`], // @todo - // ----- urls ----- - ["wikipedia.org", 'SEARCH_AS_URL', "\"wikipedia.org\""], - ["en.wikipedia.org", 'SEARCH_AS_URL', "\"en.wikipedia.org\""], - ["http://en.wikipedia.org", 'SEARCH_AS_URL', "\"http://en.wikipedia.org\""], - ["https://en.wikipedia.org", 'SEARCH_AS_URL', "\"https://en.wikipedia.org\""], - ["https://marketplace.microfocus.com/itom/content/operations-bridge-manager-obm-2022-05-hotfixes", 'SEARCH_AS_URL', "\"https://marketplace.microfocus.com/itom/content/operations-bridge-manager-obm-2022-05-hotfixes\""], - ["https://portal.microfocus.com/s/article/KM000012517?language=en_US", 'SEARCH_AS_URL', "\"https://portal.microfocus.com/s/article/KM000012517?language=en_US\""], - ["https://en.wikipedia.org/abc/def?x=123&y=234", 'SEARCH_AS_URL', "\"https://en.wikipedia.org/abc/def?x=123&y=234\""], - ["https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty=true", 'SEARCH_AS_URL', "\"https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty=true\""], - ["https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty", 'SEARCH_AS_URL', "\"https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty\""], - ["http://user:pass@google.com/?a=b&abc=1%22#25", 'SEARCH_AS_URL', "\"http://user:pass@google.com/?a=b&abc=1%22#25\""], - ["https://user:pass@google.com/?a=b&abc=1%22#25", 'SEARCH_AS_URL', "\"https://user:pass@google.com/?a=b&abc=1%22#25\""], - ["https://user:pass@one-two-three.xyz.com/?a=b&abc=1%22#25", 'SEARCH_AS_URL', "\"https://user:pass@one-two-three.xyz.com/?a=b&abc=1%22#25\""], - ["http://user:pass@127.0.0.1/?a=b&abc=1%22#25", 'SEARCH_AS_URL', "\"http://user:pass@127.0.0.1/?a=b&abc=1%22#25\""], - ["https://user:pass@127.0.0.1/?a=b&abc=1%22#25", 'SEARCH_AS_URL', "\"https://user:pass@127.0.0.1/?a=b&abc=1%22#25\""], - ["https://pastebin.com/kpzHKKJu", 'SEARCH_AS_URL', "\"https://pastebin.com/kpzHKKJu\""], - ["ftp://en.wikipedia.org", 'SEARCH_AS_URL', "\"ftp://en.wikipedia.org\""], - ["file://example.md", 'SEARCH_AS_URL', "\"file://example.md\""], - ["file://../example.md", 'SEARCH_AS_URL', "\"file://../example.md\""], - ["file://../../example.md", 'SEARCH_AS_URL', "\"file://../../example.md\""], - ["ws://127.0.0.1/scoreboard", 'SEARCH_AS_URL', "\"ws://127.0.0.1/scoreboard\""], - ["wss://game.example.com/scoreboard", 'SEARCH_AS_URL', "\"wss://game.example.com/scoreboard\""], - ["app://com.foo.bar/index.html", 'SEARCH_AS_URL', "\"app://com.foo.bar/index.html\""], - // ["admin:/etc/default/grub", 'SEARCH_AS_URL', "\"admin:/etc/default/grub\""], // @todo used by gnome desktops - // jdbc:sqlserver://serverName\instanceName:portNumber;params... - // msteams:/l/... @todo used by microsoft teams - // ms-excel:ofv|u| - // ... other office products, see https://en.wikipedia.org/wiki/List_of_URI_schemes - ["psns://browse?product=1234", 'SEARCH_AS_URL', "\"psns://browse?product=1234\""], - ["rdar://10198949", 'SEARCH_AS_URL', "\"rdar://10198949\""], - ["https://mybucket-example-com.s3.amazonaws.com/userid/images/test.jpg", 'SEARCH_AS_URL', "\"https://mybucket-example-com.s3.amazonaws.com/userid/images/test.jpg\""], - ["https://mybucket-example-com.s3.amazonaws.com", 'SEARCH_AS_URL', "\"https://mybucket-example-com.s3.amazonaws.com\""],//@todo - // ----- IPv4 search strings (some from https://jsfiddle.net/opd1v7au/2/) ----- - ["127.0.0.1", 'SEARCH_AS_IPv4', `\"127.0.0.1\"`], - [" 127.0.0.1 ", 'SEARCH_AS_IPv4', `\"127.0.0.1\"`], - // ["127.0.0.1:1234", 'SEARCH_AS_IPv4', "127.0.0.1:1234"],// @todo - // ----- IPv6 search strings(some from https://jsfiddle.net/opd1v7au/2/) ----- - ["::", 'SEARCH_AS_IPv6', `\"::\"`], - ["0000:0000:0000:0000:0000:0000:0000:0000", 'SEARCH_AS_IPv6', `\"0000:0000:0000:0000:0000:0000:0000:0000\"`], - ["2001:db8:3333:4444:5555:6666:1.2.3.4", 'SEARCH_AS_IPv6', `\"2001:db8:3333:4444:5555:6666:1.2.3.4\"`], - ["::11.22.33.44", 'SEARCH_AS_IPv6', `\"::11.22.33.44\"`], - ["2001:0000:1234:0000:0000:C1C0:ABCD:0876", 'SEARCH_AS_IPv6', `\"2001:0000:1234:0000:0000:C1C0:ABCD:0876\"`], - ["FF02:0000:0000:0000:0000:0000:0000:0000:0001", 'SEARCH_STRING_NOT_SUPPORTED', "FF02:0000:0000:0000:0000:0000:0000:0000:0001"], - ["3ffe:b00::1::a", 'SEARCH_STRING_NOT_SUPPORTED', "3ffe:b00::1::a"], - [":", 'SEARCH_STRING_NOT_SUPPORTED', ":"], - // ----- version search strings ----- - ["1.0", 'SEARCH_AS_VERSION', `\"1.0\"`], - ["1.0.1", 'SEARCH_AS_VERSION', `\"1.0.1\"`], - ["v1.0", 'SEARCH_AS_VERSION', `\"v1.0\"`], - ["v1.0.1", 'SEARCH_AS_VERSION', `\"v1.0.1\"`], - ["V1.2.0", 'SEARCH_AS_VERSION', `\"V1.2.0\"`], - ["1.2.4.6.2345.1.1.1.0.1.1.0", 'SEARCH_AS_VERSION', `\"1.2.4.6.2345.1.1.1.0.1.1.0\"`], - ["1.2.3-RC5", 'SEARCH_AS_VERSION', `\"1.2.3-RC5\"`], - ["1.2-RC5", 'SEARCH_AS_VERSION', `\"1.2-RC5\"`], - ["1.2-RC55", 'SEARCH_AS_VERSION', `\"1.2-RC55\"`], - ["1.2.3-alpha", 'SEARCH_AS_VERSION', `\"1.2.3-alpha\"`], - ["v1.2.3-alpha", 'SEARCH_AS_VERSION', `\"v1.2.3-alpha\"`], - ["1.2 GB", 'SEARCH_STRING_MULTIPLE_TYPES', `\"1.2\" GB`], - [".2.1", 'SEARCH_STRING_NOT_SUPPORTED', ".2.1"], - // ----- multiple simple strings ----- - ["CAPEC 63", 'SEARCH_GENERAL_TEXT', "CAPEC 63"], - // ----- multiple search type strings ----- - ["CVE-2020 5422", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020\" 5422`], - ["5422 CVE-2020", 'SEARCH_STRING_MULTIPLE_TYPES', `5422 \"CVE-2020\"`], - ["CVE-2020 office", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020\" office`], // not working - ["CWE 123", 'SEARCH_GENERAL_TEXT', "CWE 123"], - ["CWE-123 office", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CWE-123\" office`], // not working - ["CVE-2020-5422 CAPEC-63", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020-5422\" \"CAPEC-63\"`], - ["A&P office", 'SEARCH_STRING_MULTIPLE_TYPES', `\"A&P\" office`], - ["ATT&CK 123", 'SEARCH_STRING_MULTIPLE_TYPES', `\"ATT&CK\" 123`], - // ["CVE-2020-0001 {inField('description')}", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020-0001\" {inField('description')}`], - // ----- & ----- - ["ATT&CK", 'SEARCH_PHRASE', `\"ATT&CK\"`], - ["A&P", 'SEARCH_PHRASE', `\"A&P\"`], - // ----- "fall through matches" that may be confusing ----- - ["01.102.103.104", 'SEARCH_AS_VERSION', `\"01.102.103.104\"`], // looks like ipv4, but not because of first 0 - ["127.0.0.1.1.1.1", 'SEARCH_AS_VERSION', `\"127.0.0.1.1.1.1\"`], - [".127.0.0", 'SEARCH_STRING_NOT_SUPPORTED', ".127.0.0"], - // ----- repeating characters ----- - // ["?????????", 'SEARCH_GENERAL_TEXT', ""], // @todo - ["aaaaa", 'SEARCH_GENERAL_TEXT', "aaaaa"], - ["aaaaa !!!!!!!!!!!! !!!!!!!!!", 'SEARCH_GENERAL_TEXT', "aaaaa"], - ["ééééééé èèèèèè ÄÄÄÄÄ, ööööö, üüüüü, ßßßßß", 'SEARCH_GENERAL_TEXT', "ééééééé èèèèèè ÄÄÄÄÄ, ööööö, üüüüü, ßßßßß"], - ["¿¿¿¿¿ ééééééé ????? èèèèèè ÄÄÄÄÄ, ööööö, üüüüü, ßßßßß ~~~~~ üüüüüüü !!!!!!!!!!!! !!!!!!!!!", 'SEARCH_GENERAL_TEXT', "ééééééé èèèèèè ÄÄÄÄÄ, ööööö, üüüüü, ßßßßß üüüüüüü"], - ["microsoft ???? office ?????????", 'SEARCH_GENERAL_TEXT', "microsoft office"], - ["microsoft ##### office #####", 'SEARCH_GENERAL_TEXT', "microsoft office"], - ] - .forEach((test: [string, string, string]) => { - it(`processSearchText("${test[0]}") correctly returns the SearchRequestTypeId ${test[1]}`, async () => { - const req = new SearchRequest(test[0]) - const result = req.processSearchText() - // expect(result.isOk()).toBeTruthy() - expect(result.data['searchTextType']).toBe(test[1] as SearchRequestTypeId); - expect(result.data['processedSearchText']).toBe(test[2]) - expect(req._searchText).toBe(test[2]) - }); - }); - - // ----- spock+snapshot testing constructor+buildRequest() - - - const testCases: [string, Partial][] = [ - [`office`, { track_total_hits: true }], - [`"office"`, { track_total_hits: true }], - [`microsoft office`, { track_total_hits: false }], - [`"microsoft office"`, { track_total_hits: false }], - [`CVE-2020-5422`, { useCache: false }], - [`CVE-2000`, { metadataOnly: false }], - [`CWE-123`, { - track_total_hits: false, - default_operator: 'OR', - metadataOnly: true - }], - [`CAPEC-64`, { default_operator: 'OR' }], - ] - testCases.forEach((test: [string, Partial]) => { - it(`(${test[0]},${JSON.stringify(test[1])})..buildRequest() correctly returns the expected request`, async () => { - const builder = new SearchRequest(test[0], test[1]) - expect(builder.buildRequest()).toMatchSnapshot(); - }); - }); - - - // ----- spock+snapshot testing constructor+findSearchRequestType+processSearchText() - - [ - ["office", ["office"]], - [`"office"`, ["office"]], - [`"office`, [`"office`]], - [`office"`, [`office"`]], - ["microsoft office", ["microsoft", "office"]], - [`"microsoft office"`, ["microsoft office"]], - ["CVE-2020-5422", ["CVE-2020-5422"]], - ["CVE-2020-5422 CVE-2020-5423", ["CVE-2020-5422", "CVE-2020-5423"]], - ["CVE 2020 5422", ["CVE", "2020", "5422"]], - ["CVE-2020 5422", ["CVE-2020", "5422"]], - ["CVE-2020 office", ["CVE-2020", "office"]], - ["CVE-2020-5422 CAPEC-63", ["CVE-2020-5422", "CAPEC-63"]], - ["http://en.wikipedia.org/a/b?abc=1&xyz=2", ["http://en.wikipedia.org/a/b?abc=1&xyz=2"]], - ["1 2 3 4", ["1", "2", "3", "4"]], - [`man-in-the-middle`, ["man-in-the-middle"]], - [`"man-in-the-middle"`, [`man-in-the-middle`]], - [`"man in the middle"`, [`man in the middle`]], - [`man in the middle`, ["man", "in", "the", "middle"]], - ] - .forEach((test: [string, string[]]) => { - it(`tokenizeSearchText("${test[0]}") correctly returns a tokenized list`, async () => { - const res = SearchRequest.tokenizeSearchText(test[0]) - expect(res).toEqual(test[1]) - }); - }); - - - // ----- spock testing static functions - - [ - ["?", false], - ["??", false], - ["???", true], - ["#", false], - ["##", false], - ["###", true], - [" ", false], - [" ", false], - [" ", true], - ["\t", false], - ["\t\t", false], - ["\t\t\t", true], - ["*", false], - ["**", false], - ["***", true], - ["-", false], - ["---", true], - - ["1", false], - ["11", false], - ["1111", false], - ["11111111111111111111111", false], - ["https://abc.com", false], - - ["The quick brown fox jumps over the lazy dog ???", true], - // ["素早い茶色のキツネが怠け者の犬を飛び越える #####", true], // bug? for # in Japanese, always returns false - // ["¿¿¿ El rápido zorro marrón salta sobre el perro perezoso ?", true], // bug? for ¿¿¿ in Spanish, always returns false - ["Le renard brun rapide saute par-dessus le chien paresseux ", true], - ["敏捷的棕色狐狸跳过了懒狗", false], - ["השועל החום המהיר קופץ מעל הכלב העצלן", false], - ["الثعلب البني السريع يقفز فوق الكلب الكسول", false], - ["Быстрая коричневая лиса перепрыгивает через ленивую собаку", false], - ["Η γρήγορη καφετιά αλεπού πηδά πάνω από το τεμπέλικο σκυλί", false], - ] - .forEach((test: [string, boolean]) => { - it(`hasRepeatingSymbols("${test[0]}") correctly returns`, async () => { - const val = SearchRequest.hasRepeatingSymbols(test[0]); - expect(val).toEqual(test[1]); - }); - }); - - [ - ["The quick brown fox jumps over the lazy dog ???", "The quick brown fox jumps over the lazy dog "], - ["素早い茶色のキツネが怠け者の犬を飛び越える ###", "素早い茶色のキツネが怠け者の犬を飛び越える "], - ["Le renard !!!brun rapide saute par-dessus le chien paresseux ", "Le renard brun rapide saute par-dessus le chien paresseux"], - ["¿¿¿El rápido zorro marrón salta sobre el perro perezoso???", "El rápido zorro marrón salta sobre el perro perezoso"], - ] - .forEach((test: [string, string]) => { - it(`replaceRepeatingSymbols("${test[0]}") correctly removes repeating symbols`, async () => { - const val = SearchRequest.replaceRepeatingSymbols(test[0]); - expect(val).toEqual(test[1]); - }); - }); -}); - - - diff --git a/src/core/CveCore.test.ts b/src/cve/CveCore.test.ts similarity index 97% rename from src/core/CveCore.test.ts rename to src/cve/CveCore.test.ts index b27f43d..c58c41c 100644 --- a/src/core/CveCore.test.ts +++ b/src/cve/CveCore.test.ts @@ -43,7 +43,9 @@ describe(`CveCore`, () => { }) it(`getCveIdfromRepositoryFilePath() properly returns an empty string if path does not point to a valid CVE object`, async () => { + // @ts-ignore expect(CveCore.getCveIdfromRepositoryFilePath(undefined)).toMatch(``); + // @ts-ignore expect(CveCore.getCveIdfromRepositoryFilePath(null)).toMatch(``); expect(CveCore.getCveIdfromRepositoryFilePath('file.json')).toMatch(``); }); @@ -66,9 +68,11 @@ describe(`CveCore`, () => { it(`fromRepositoryFilePath() throws errors if improper CVE ID`, async () => { expect(() => { + // @ts-ignore CveCore.fromRepositoryFilePath(undefined); }).toThrow(CveIdError); expect(() => { + // @ts-ignore CveCore.fromRepositoryFilePath(null); }).toThrow(CveIdError); expect(() => { diff --git a/src/core/CveCore.ts b/src/cve/CveCore.ts similarity index 94% rename from src/core/CveCore.ts rename to src/cve/CveCore.ts index 26ab5e2..d2cb39f 100644 --- a/src/core/CveCore.ts +++ b/src/cve/CveCore.ts @@ -4,13 +4,13 @@ * and for that, the CveCorePlus object should be used */ -import { CveId, CveIdError } from './CveId.js'; -import { CveMetadata } from '../generated/quicktools/CveRecordV5.js'; +import { CveId, CveIdError } from '../cveId/CveId.js'; +import { CveMetadata } from './record/generated/CveRecordV5.js'; import { CveRecord } from './CveRecord.js'; // import { IsoDateString } from '../common/IsoDate/IsoDateString.js'; import fs from 'fs'; -export { CveId, CveIdError } from './CveId.js'; +export { CveId, CveIdError } from '../cveId/CveId.js'; // @todo should change IsoDate to IsoDateString type IsoDate = string; // note, not exported, not an IsoDateString yet diff --git a/src/core/CveCorePlus.test.ts b/src/cve/CveCorePlus.test.ts similarity index 80% rename from src/core/CveCorePlus.test.ts rename to src/cve/CveCorePlus.test.ts index 8e14ce1..c521404 100644 --- a/src/core/CveCorePlus.test.ts +++ b/src/cve/CveCorePlus.test.ts @@ -1,5 +1,4 @@ import { CveId, CveCore, CveCorePlus } from './CveCorePlus.js'; -import { CveRecord } from './CveRecord.js'; const kDescription = `ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.`; @@ -25,15 +24,15 @@ describe(`CveCorePlus`, () => { const cveId = new CveId(kCve1999_0001.cveId); const cp = CveCorePlus.fromJsonFile(`cves/${cveId.getCvePath()}.json`); // console.log(`cp=${JSON.stringify(cp, null, 2)}`); - expect(cp.cveId.toString()).toEqual(kCve1999_0001.cveId); - expect(cp.state).toEqual(kCve1999_0001.state); - expect(cp.assignerOrgId).toEqual(kCve1999_0001.assignerOrgId); - expect(cp.assignerShortName).toEqual(kCve1999_0001.assignerShortName); - expect(cp.dateReserved).toEqual(kCve1999_0001.dateReserved); - expect(cp.datePublished).toEqual(kCve1999_0001.datePublished); - expect(cp.dateUpdated).toEqual(kCve1999_0001.dateUpdated); - expect(cp.description).toEqual(kCve1999_0001.description); - expect(cp.githubUrl).toMatch('https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/1999/0xxx/CVE-1999-0001.json'); + expect(cp?.cveId.toString()).toEqual(kCve1999_0001.cveId); + expect(cp?.state).toEqual(kCve1999_0001.state); + expect(cp?.assignerOrgId).toEqual(kCve1999_0001.assignerOrgId); + expect(cp?.assignerShortName).toEqual(kCve1999_0001.assignerShortName); + expect(cp?.dateReserved).toEqual(kCve1999_0001.dateReserved); + expect(cp?.datePublished).toEqual(kCve1999_0001.datePublished); + expect(cp?.dateUpdated).toEqual(kCve1999_0001.dateUpdated); + expect(cp?.description).toEqual(kCve1999_0001.description); + expect(cp?.githubUrl).toMatch('https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/1999/0xxx/CVE-1999-0001.json'); }); diff --git a/src/core/CveCorePlus.ts b/src/cve/CveCorePlus.ts similarity index 93% rename from src/core/CveCorePlus.ts rename to src/cve/CveCorePlus.ts index a8d216c..4f4f041 100644 --- a/src/core/CveCorePlus.ts +++ b/src/cve/CveCorePlus.ts @@ -8,13 +8,13 @@ import fs from 'fs'; -import { CveId } from './CveId.js'; +import { CveId } from '../cveId/CveId.js'; import { CveCore } from './CveCore.js'; -import { CveMetadata } from '../generated/quicktools/CveRecordV5.js'; +import { CveMetadata } from './record/generated/CveRecordV5.js'; import { CveRecord } from './CveRecord.js'; -import { FsUtils } from './fsUtils.js'; +import { FsReader } from '../adapters/fs/FsReader.js'; -export { CveId } from './CveId.js'; +export { CveId } from '../cveId/CveId.js'; export { CveCore } from './CveCore.js'; export class CveCorePlus extends CveCore { @@ -41,7 +41,7 @@ export class CveCorePlus extends CveCore { * @returns a CveCorePlus object or undefined if the JSON file cannot be read */ static fromJsonFile(relFilepath: string): CveCorePlus | undefined { - if (FsUtils.exists(relFilepath)) { + if (FsReader.exists(relFilepath)) { const cveStr = fs.readFileSync(relFilepath, { encoding: 'utf8', flag: 'r', diff --git a/src/core/CveRecord.test.ts b/src/cve/CveRecord.test.ts similarity index 70% rename from src/core/CveRecord.test.ts rename to src/cve/CveRecord.test.ts index d85eafd..da28cf3 100644 --- a/src/core/CveRecord.test.ts +++ b/src/cve/CveRecord.test.ts @@ -1,10 +1,24 @@ import { CveRecord } from './CveRecord.js'; -import { CveService } from '../net/CveService.js'; -import { FsUtils } from './fsUtils.js'; -import { CveFsReader } from '../adapters/fs/CveFsReader.js' +import { CveFsReader } from '../adapters/fs/CveFsReader.js'; +import { CveServiceCreds } from '../adapters/cveservice/CveServiceCreds.js'; +import { CveServiceCveReader } from '../adapters/cveservice/cve/CveServiceCveReader.js'; +import { CveServiceHealthReader } from '../adapters/cveservice/healthCheck/CveServiceHealthReader.js'; +import { FsWriter } from '../adapters/fs/FsWriter.js'; +import { FsReader } from '../adapters/fs/FsReader.js'; describe(`CveRecord object`, () => { + const kTestCveServicesUrl = (process.env.TEST_CVE_SERVICES_URL ?? process.env.CVE_SERVICES_URL) as string; + const kTestCveApiOrg = (process.env.TEST_CVE_API_ORG ?? process.env.CVE_API_ORG) as string; + const kTestCveApiUser = (process.env.TEST_CVE_API_USER ?? process.env.CVE_API_USER) as string; + const kTestCveApiKey = (process.env.TEST_CVE_API_KEY ?? process.env.CVE_API_KEY) as string; + const kTestCredSet1 = new CveServiceCreds(kTestCveApiOrg, kTestCveApiUser, kTestCveApiKey); + const cveServiceReader = new CveServiceCveReader(kTestCveServicesUrl, kTestCredSet1); + const isCveServicesValid = async () => { + const isOk = await new CveServiceHealthReader(kTestCveServicesUrl, kTestCredSet1).isHealthy(); + return expect(isOk).toBeTruthy(); + }; + // common constants throughout tests const kCveId = `CVE-1999-0001`; const kFixtureCve_1999_0001 = `./cves/1999/0xxx/${kCveId}.json`; @@ -20,8 +34,8 @@ describe(`CveRecord object`, () => { const kCveDescription2c = 'French version: fichier de test'; it(`correctly represents a simple CVE in JSON 5 format`, async () => { - const cveService = new CveService(); - const cve = await cveService.getCveUsingId(kCveId); + const cveService = cveServiceReader; + const cve = await cveService.cveGetSingle(kCveId); expect(cve?.cveId).toEqual(kCveId); expect(cve?.cveMetadata?.cveId).toEqual(kCveId); expect(cve?.dataType).toEqual(kCveRecord); @@ -29,7 +43,7 @@ describe(`CveRecord object`, () => { }); it(`fromCveId() correctly builds a CVE Record from a CVE ID using fixtures in the test directory`, async () => { - const cveRecord = CveFsReader.read(kCveId) + const cveRecord = CveFsReader.read(kCveId); // console.log(`cveRecord=${cveRecord}`) expect(cveRecord?.cveId).toEqual(kCveId); expect(cveRecord?.cveMetadata?.cveId).toEqual(kCveId); @@ -39,7 +53,7 @@ describe(`CveRecord object`, () => { }); it(`fromCveId() correctly builds a CVE Record from a CVE ID using the partial /cves directory`, async () => { - const cveRecord = CveFsReader.read(kCveId) + const cveRecord = CveFsReader.read(kCveId); expect(cveRecord?.cveId).toEqual(kCveId); expect(cveRecord?.cveMetadata?.cveId).toEqual(kCveId); expect(cveRecord?.dataType).toEqual(kCveRecord); @@ -56,24 +70,24 @@ describe(`CveRecord object`, () => { }); it(`fromJsonFile() correctly reads in a simple CVE JSON 5 file and outputs it`, async () => { - const cveService = new CveService(); - const cve = await cveService.getCveUsingId(kCveId); + const cveService = cveServiceReader; + const cve = await cveService.cveGetSingle(kCveId); const filepath = './test/temp/outputFromCveRecordV5.json'; cve.writeJsonFile(filepath); const cve2 = CveFsReader.readFromFile(filepath); // console.log(`cve.toJsonString:`, cve.toJsonString()); expect(cve.toJsonString(false)).toEqual(cve2?.toJsonString(false)); expect(cve.cveId).toEqual(kCveId); - FsUtils.rm(filepath) + FsWriter.rm(filepath); }); it(`fromJsonFile() correctly reads in a simple CVE JSON 5 file and outputs it to the cve path`, async () => { - const cveService = new CveService(); - const cve = await cveService.getCveUsingId(kCveId); + const cveService = cveServiceReader; + const cve = await cveService.cveGetSingle(kCveId); const repositoryRoot = `./test/temp`; const fullPath = cve.writeToCvePath(repositoryRoot); - expect(FsUtils.exists(fullPath)).toBeTruthy(); - FsUtils.rm(fullPath) + expect(FsReader.exists(fullPath)).toBeTruthy(); + FsWriter.rm(fullPath); }); it(`fromJsonFile() correctly reads in the description when using a simple 2 letter country code `, async () => { diff --git a/src/core/CveRecord.ts b/src/cve/CveRecord.ts similarity index 88% rename from src/core/CveRecord.ts rename to src/cve/CveRecord.ts index 3f24847..8e0f121 100644 --- a/src/core/CveRecord.ts +++ b/src/cve/CveRecord.ts @@ -1,23 +1,16 @@ /** - * Object that wraps various CVE operations into a single object, including - * - read in a CVE Record JSON v5 format file - * - auto-convert CVE Record JSON v5 format string to Cve5 object - * - output as optionally prettyprinted JSON 5 string - * - write to a file or to proper repository location - * - generate a CveSignature from the repository path - * + * Object that wraps various CVE operations for a (generated) CveRecordV5 object * @todo refactoring CVE IDs from string to CveId. Currently, only using CveId class methods, but * the data member cveId is still just a string */ import fs from 'fs'; import path from 'path'; -import { CveId } from './CveId.js'; -import { CveRecordV5, CveMetadata, Containers } from '../generated/quicktools/CveRecordV5.js'; +import { CveId } from '../cveId/CveId.js'; +import { CveRecordV5, CveMetadata, Containers } from './record/generated/CveRecordV5.js'; +import { FsReader } from '../adapters/fs/FsReader.js'; -import { FsUtils } from './fsUtils.js'; - -export { CveId, CveIdError } from './CveId.js'; +export { CveId, CveIdError } from '../cveId/CveId.js'; export interface WriteFileOptions { prettyprint?: boolean; @@ -79,7 +72,7 @@ export class CveRecord implements CveRecordV5 { * @returns a CveRecord */ static fromJsonFile(relFilepath: string): CveRecord | undefined { - if (FsUtils.exists(relFilepath)) { + if (FsReader.exists(relFilepath)) { const cveStr = fs.readFileSync(relFilepath, { encoding: 'utf8', flag: 'r', @@ -94,7 +87,7 @@ export class CveRecord implements CveRecordV5 { } /** returns the description from containers.cna.descriptions that has the language specified - * @param lang the ISO 639-1 lanugage code (defaults to 'en', which will also match 'en', 'En-US', 'en-uk', etc.) + * @param lang the ISO 639-1 language code (defaults to 'en', which will also match 'en', 'En-US', 'en-uk', etc.) * @returns the description, or undefined if it can't find the description in the specified language */ getDescription(lang: string = 'en'): string | undefined { diff --git a/src/generated/quicktools/CveRecordV5.test.ts b/src/cve/record/generated/CveRecordV5.test.unit.ts similarity index 75% rename from src/generated/quicktools/CveRecordV5.test.ts rename to src/cve/record/generated/CveRecordV5.test.unit.ts index 294f909..03bac90 100644 --- a/src/generated/quicktools/CveRecordV5.test.ts +++ b/src/cve/record/generated/CveRecordV5.test.unit.ts @@ -1,11 +1,10 @@ import { Convert, CveRecordV5 } from "./CveRecordV5.js"; - // constants that may change as database changes const kCveId = `CVE-1999-0001`; const kProviderOrgId = `f972b356-145d-4b2e-9a5c-b114d0982a3b`; // const kLastCveModifiedTime = `2022-08-25T15:56:15`; - +const kCveDataVersion = `5.0`; const _jsonstr = ` { "containers": { @@ -37,47 +36,26 @@ const _jsonstr = ` "assignerOrgId": "de9616c5-7d01-43a8-bc53-ef8af45fa2f5" }, "dataType": "CVE_RECORD", - "dataVersion": "5.0" + "dataVersion": "${kCveDataVersion}" } `; describe(`CveRecordV5 class`, () => { - // // Act before assertions - // beforeAll(async () => { - // }); - - // // Teardown (cleanup) after assertions - // afterAll(() => { - // }); - it(`converts CVE5 json into CveRecordV5 class`, async () => { - const obj: CveRecordV5 = Convert.toCve5(_jsonstr); - expect( - obj.containers.cna.providerMetadata.orgId - ).toEqual( - kProviderOrgId - ); - expect( - obj.dataVersion - ).toEqual( - "5.0" - ); + expect(obj?.containers?.cna.providerMetadata.orgId).toEqual(kProviderOrgId); + expect(obj.dataVersion).toEqual("5.0"); }); - it(`converts CveRecordV5 class into CVE5 json`, async () => { const obj: CveRecordV5 = Convert.toCve5(_jsonstr); const json: string = Convert.cve5ToJson(obj); // console.log(`Convert.toCve5 -> `, json); - expect( - json - ).toEqual( - // need to do this to remove whitespace for comparison - JSON.stringify(JSON.parse(_jsonstr)) - ); + // need to do this to remove whitespace for comparison + const expectedJSON = JSON.stringify(JSON.parse(_jsonstr)); + expect(json).toEqual(expectedJSON); }); }); diff --git a/src/generated/quicktools/CveRecordV5.ts b/src/cve/record/generated/CveRecordV5.ts similarity index 89% rename from src/generated/quicktools/CveRecordV5.ts rename to src/cve/record/generated/CveRecordV5.ts index e0a932b..4cc2fbc 100644 --- a/src/generated/quicktools/CveRecordV5.ts +++ b/src/cve/record/generated/CveRecordV5.ts @@ -1,3 +1,4 @@ +/* eslint-disable @typescript-eslint/no-explicit-any, @typescript-eslint/member-ordering */ /** * This file was automatically generated https://app.quicktype.io/?l=ts. * DO NOT MODIFY IT BY HAND. Instead, modify the source JSONSchema file, @@ -18,11 +19,12 @@ export interface CveRecordV5 { } export interface Containers { - cna: Cna; + cna: CnaContainer; + adp?: AdpContainer[]; [property: string]: any; } -export interface Cna { +export interface CnaContainer { affected: Affected[]; configurations?: any[]; credits?: any[]; @@ -45,6 +47,10 @@ export interface Cna { [property: string]: any; } +export interface AdpContainer extends Partial { + providerMetadata: ProviderMetadata; +} + export interface Affected { product?: string; vendor?: string; diff --git a/src/core/CveId.test.ts b/src/cveId/CveId.test.ts similarity index 59% rename from src/core/CveId.test.ts rename to src/cveId/CveId.test.ts index 656b282..2f4bdb4 100644 --- a/src/core/CveId.test.ts +++ b/src/cveId/CveId.test.ts @@ -7,16 +7,98 @@ import isEqual from 'lodash.isequal'; describe(`CveId`, () => { + const CveIdValidities = { + /** Syntatically invalid or logically impossible CVE IDs @example `CVE-1234-01` */ + INVALID: [ + "2021-1234", // invalid syntax, CVE- prefix missing + "CCVE-2021-1234", // invalid syntax, CVE prefix malformed + "CCVE-2021-1234C", // invalid syntax, CVE prefix malformed, chars in number part + "CE-2021-1234", // invalid syntax, CVE prefix malformed + "CV-2021-1234", // invalid syntax, CVE prefix malformed + "CVE-20-1234", // invalid syntax, invalid year + "CVE-202-1234", // invalid syntax, invalid year + "CVE-2021-000", // invalid syntax, not enough digits in number part + "CVE-2021-12", // invalid syntax, not enough digits in number part + "CVE-2021-123", // invalid syntax, not enough digits in number part + "CVE-2021-", // invalid syntax, not enough digits in number part + "CVE-2021-12 34", // invalid syntax, symbols in number part + "CVE-2021-12_34", // invalid syntax, symbols in number part + "CVE-2021-1234!", // invalid syntax, symbols in number part + "CVE-2021-1234#", // invalid syntax, symbols in number part + "CVE-2021-1234%", // invalid syntax, symbols in number part + "CVE-2021-1234$", // invalid syntax, symbols in number part + "CVE-2021-!@#$", // invalid syntax, symbols in number part + "CVE-2021-@1234", // invalid syntax, symbols in number part + "CVE-2021-1234A", // invalid syntax, chars in number part + "CVE-2021-ABCDE", // invalid syntax, chars in number part + "CVE-2021-12A34", // invalid syntax, chars in number part + "CVE-2021-1234CVE-2021-1234", // invalid syntax, chars and symbols in number part + "CVE-2021-1234.json", // invalid syntax, chars and symbols in number part + "CVE-2021-1234CVE-2021-1234", // invalid syntax, chars and symbols in number part + "CVE-20223-1234", // invalid syntax, year not currently accepted + "CVE-2021", // invalid syntax, missing number part + "CVE2021-1234", // invalid syntax, missing - + "CVE_1999_0001", // invalid syntax, missing - + "CVE-1999-12345678901234567890", // invalid syntax, number part too long + ], + + /** Syntatically valid and logically possible CVE IDs @example `CVE-1999-0001` */ + VALID: [ + "CVE-1999-0001", + "CVE-1999-9999", + "CVE-2000-0002", + "CVE-2002-1234", + "CVE-2010-4567", + "CVE-2015-0010", + "CVE-2018-76543", + "CVE-2019-87654", + "CVE-2020-22222", + "CVE-2021-34567", + "CVE-2021-99999", + "CVE-2022-98765", + "CVE-2023-0001", + "CVE-2023-11111", + "CVE-2023-12345", + "CVE-2023-54321", + "CVE-2021-12345678", + "CVE-2021-123456789", + "CVE-2021-999999999", + "CVE-1999-1234567890123456789", // max number part length is 19 as per the cve-schema regex + ], + + /** Syntatically valid, but only possible in development environments @example `CVE-1970-0001` */ + DEV: [ + "CVE-1970-0001", + "CVE-1970-12345", + "CVE-1970-9999999" + ], + + /** "Looks plausible" and would pass the {@link CveId.BasicRegexMatcher cve-schema} check, but may not neccessarily be valid. @example `CVE-1999-0000`, `CVE-1234-1234` */ + SCHEMA: [ + "CVE-1234-5678", // impossible year + "CVE-1998-1234", // impossible year + "CVE-2021-0000", // invalid number part, must be greater than zero + "CVE-2020-0000001", // too many leading zeroes + "CVE-2021-000000001", // too many leading zeroes + "CVE-2022-00001", // too many leading zeroes + "CVE-2023-0000002", // too many leading zeroes + ], + + /** Edge case where it will pass the regex checks but not the actual validity check. + * aka these are the cases that would only be correctly caught by CveId.isValidCveId() instead of a regex check. */ + EDGE_CASE_1: [ + "CVE-1999-0001000", // too many leading zeroes, but technically might count as CVE-1999-1000 + "CVE-1999-01000", // too many leading zeroes for the intended number + ] + // these should pass the regex matcher checks but should not be valid + }; // constants that may change as database changes const kCveId = `CVE-1999-0001`; - const kFixtureFilepath = `./test/fixtures/cve/5`; - // const kFixtureCve_1999_0001 = `${kFixtureFilepath}/CVE-1999-0001.json`; - // const kCveRecord = `CVE_RECORD`; - // const kCveDataVersion = "5.0"; it(`Acceptable CVES_MAX_ALLOWABLE_CVE_YEAR in .env file`, async () => { // make sure the env value exists and is valid. expect(process.env.CVES_MAX_ALLOWABLE_CVE_YEAR).not.toBeUndefined(); // CVES_MAX_ALLOWABLE_CVE_YEAR missing? + // @ts-ignore: ts(2345) ignore error to allow us to check against improper types const expectedMaxValidYear = parseInt(process.env.CVES_MAX_ALLOWABLE_CVE_YEAR); expect(expectedMaxValidYear).not.toBeNaN(); // CVES_MAX_ALLOWABLE_CVE_YEAR valid data type? let currYear = new Date().getFullYear(); @@ -47,7 +129,6 @@ describe(`CveId`, () => { expect(CveId.toCvePath(cveId)).toEqual(`1999/0xxx/${cveId}`); }); - it(`constructor correctly throws an error if an invalid ID is passed`, async () => { expect(() => { new CveId('cve'); }).toThrow(CveIdError); expect(() => { new CveId('CVE-3000-0001'); }).toThrow(CveIdError); @@ -91,8 +172,56 @@ describe(`CveId`, () => { expect(jsonStr).toEqual(`"${cveId.id}"`); }); + it(`BasicRegexMatcher matches cve ids correctly`, async () => { + CveIdValidities.VALID.forEach(cveid => { + // regex should match full string + expect(cveid.match(new RegExp(CveId.BasicRegexMatcher, 'gmi'))?.[0]).toMatch(cveid); + }); + CveIdValidities.SCHEMA.forEach(cveid => { + // regex should match full string + expect(cveid.match(new RegExp(CveId.BasicRegexMatcher, 'gmi'))?.[0]).toMatch(cveid); + }); + CveIdValidities.DEV.forEach(cveid => { + // regex should match full string + expect(cveid.match(new RegExp(CveId.BasicRegexMatcher, 'gmi'))?.[0]).toMatch(cveid); + }); - // ----- static functinos ----- ----- ----- ----- ----- + CveIdValidities.INVALID.forEach(cveid => { + // regex may match partial string, but should NOT match full string + expect(cveid?.toString().match(new RegExp(CveId.BasicRegexMatcher, 'gmi'))?.[0]).not.toEqual(cveid); + }); + }); + + it(`StrictRegexMatcher matches cve ids correctly`, async () => { + CveIdValidities.VALID.forEach(cveid => { + // regex should match full string + expect(cveid.match(new RegExp(CveId.StrictRegexMatcher, 'gmi'))?.[0]).toMatch(cveid); + }); + CveIdValidities.DEV.forEach(cveid => { + // regex should match full string + expect(cveid.match(new RegExp(CveId.StrictRegexMatcher, 'gmi'))?.[0]).toMatch(cveid); + }); + + CveIdValidities.SCHEMA.forEach(cveid => { + // regex may match partial string, but should NOT match full string + expect(cveid.match(new RegExp(CveId.StrictRegexMatcher, 'gmi'))?.[0]).not.toEqual(cveid); + }); + CveIdValidities.INVALID.forEach(cveid => { + // regex may match partial string, but should NOT match full string + expect(cveid?.toString().match(new RegExp(CveId.StrictRegexMatcher, 'gmi'))?.[0]).not.toEqual(cveid); + }); + }); + + it(`isValidCveId catches things that the regexes don't`, async () => { + // note that name of this test might be misleading, this should just test edge cases that cant be caught by simple regex + CveIdValidities.EDGE_CASE_1.forEach(cveid => { + // regex may match string, but its an edge case that cant be caught from the regexes + expect(cveid?.toString().match(new RegExp(CveId.BasicRegexMatcher, 'gmi'))?.[0]).toEqual(cveid); + expect(cveid?.toString().match(new RegExp(CveId.StrictRegexMatcher, 'gmi'))?.[0]).toEqual(cveid); + expect(CveId.isValidCveId(cveid?.toString())).toBeFalsy(); + }); + }) + // ----- static functions ----- ----- ----- ----- ----- it(`toComponents() should return proper CveIdComponents`, async () => { @@ -115,7 +244,9 @@ describe(`CveId`, () => { expect(CveId.isValidCveId('')).toBeFalsy(); expect(CveId.isValidCveId('abc')).toBeFalsy(); expect(CveId.isValidCveId('bad id')).toBeFalsy(); + // @ts-ignore: Invalid data type (2345), we test anyways expect(CveId.isValidCveId(undefined)).toBeFalsy(); + // @ts-ignore: Invalid data type (2345), we test anyways expect(CveId.isValidCveId(null)).toBeFalsy(); expect(CveId.isValidCveId('1999-0001')).toBeFalsy(); expect(CveId.isValidCveId('cve-1999-0001')).toBeFalsy(); @@ -123,19 +254,35 @@ describe(`CveId`, () => { expect(CveId.isValidCveId('CVE-1998-0001')).toBeFalsy(); expect(CveId.isValidCveId('CVE-3000-0001')).toBeFalsy(); expect(CveId.isValidCveId('CVE_1999_0001')).toBeFalsy(); + + CveIdValidities.VALID.forEach(cveid => { + expect(CveId.isValidCveId(cveid) ? cveid : `should be valid`).toEqual(cveid); + }); + CveIdValidities.DEV.forEach(cveid => { + // isValidCveId allows for dev years to be true + expect(CveId.isValidCveId(cveid) ? cveid : `should be valid`).toEqual(cveid); + }); + + CveIdValidities.SCHEMA.forEach(cveid => { + // should validate against invalid year and number part values + expect(CveId.isValidCveId(cveid) ? `should not be valid` : cveid).toEqual(cveid); + }); + CveIdValidities.INVALID.forEach(cveid => { + expect(CveId.isValidCveId(cveid) ? `should not be valid` : cveid).toEqual(cveid); + }); }); /** * @NOTE: This test is intentionally hardcoded to become out of date. * If this test starts failing because the CVES_MAX_ALLOWABLE_CVE_YEAR has changed - * (due to CVE IDs of that new year being reserved, or some other offical means), + * (due to CVE IDs of that new year being reserved, or some other official means), * then that new year may be added to the list of expected years. */ it(`getAllYears() correctly returns the list of years CVEs can been registered (plus 1970 test CVEs)`, async () => { - // const expectedMaxValidYear = parseInt(process.env.CVES_MAX_ALLOWABLE_CVE_YEAR); - // // make sure the env value is valid. - // expect(expectedMaxValidYear).not.toBeNaN(); + // const expectedMaxValidYear = parseInt(process.env.CVES_MAX_ALLOWABLE_CVE_YEAR); + // // make sure the env value is valid. + // expect(expectedMaxValidYear).not.toBeNaN(); const years = CveId.getAllYears(); // const expectingYears = [CveId.kTestYear].concat(Array(expectedMaxValidYear - CveId.kFirstYear + 1).fill(0).map((element, index) => CveId.kFirstYear + index)); // expect(years).toEqual(expectingYears); @@ -151,7 +298,7 @@ describe(`CveId`, () => { 2024, 2025, 2026 ]; if (!isEqual(years, expectedYears)) { - // this is a short hand form of the `Acceptable CVES_MAX_ALLOWABLE_CVE_YEAR in .env file` test. + // this is a short hand form of the `Acceptable CVES_MAX_ALLOWABLE_CVE_YEAR in .env file` test. console.error(`CveId.getAllYears() is expecting the environment variable, 'CVES_MAX_ALLOWABLE_CVE_YEAR', but it cannot be found`); } expect(years).toMatchObject(expectedYears); @@ -285,6 +432,5 @@ describe(`CveId`, () => { "CVE-2023-0001": { "a": "a" }, "CVE-2024-0001": true }); - }) - + }); }); diff --git a/src/core/CveId.ts b/src/cveId/CveId.ts similarity index 55% rename from src/core/CveId.ts rename to src/cveId/CveId.ts index 4199f34..72db24b 100644 --- a/src/core/CveId.ts +++ b/src/cveId/CveId.ts @@ -12,6 +12,14 @@ dotenv.config(); export class CveIdError extends Error { } +/** + * A tuple with the following values: + * - `[0]` boolean for validity of the CveId + * - `[1]` CveId prefix `CVE` + * - `[2]` year + * - `[3]` thousands group (#xxx) + * - `[4]` number id + */ export type CveIdComponents = [ boolean, string | undefined, @@ -28,9 +36,25 @@ export class CveId { /** kTestYear: An arbitrary year, that does not overlap with a valid CVE ID year, used for development and testing. */ static readonly kTestYear: number = 1970; + // @todo: dynamically parse the cve-schema for these values? + /** Max digits for the number part as defined by the {@link https://github.com/CVEProject/cve-schema/blob/main/schema/CVE_Record_Format.json cve-schema} */ + public static readonly ID_NUMBER_MAX_DIGITS = 19; + /** Min digits for the number part as defined by the {@link https://github.com/CVEProject/cve-schema/blob/main/schema/CVE_Record_Format.json cve-schema} */ + public static readonly ID_NUMBER_MIN_DIGITS = 4; + + private static readonly MaxNumberPartPadding = Math.floor(Math.log10(Math.pow(10, CveId.ID_NUMBER_MIN_DIGITS - 1))); + // lazily initialized in getAllYears() private static _years: number[] = []; + /** Basic regex matcher for a CVE ID syntax, does not validate against year or number. + * @note this follows the same regex logic as the CVE ID field from the {@link https://github.com/CVEProject/cve-schema/blob/main/schema/CVE_Record_Format.json cve-schema} + */ + static readonly BasicRegexMatcher: string = `\\bCVE-[0-9]{4}-[0-9]{${CveId.ID_NUMBER_MIN_DIGITS},${CveId.ID_NUMBER_MAX_DIGITS}}\\b`; + + /** Regex matcher for CVE ID syntax, also validates against year and number. */ + static readonly StrictRegexMatcher: string = `\\bCVE-(?:${CveId.getAllYears().join("|")})-(?!0{${CveId.ID_NUMBER_MIN_DIGITS}})[0-9]{${CveId.ID_NUMBER_MIN_DIGITS},${CveId.ID_NUMBER_MAX_DIGITS}}\\b`; + /** internal representation of the CVE ID */ id: string; @@ -87,42 +111,66 @@ export class CveId { /** * checks if a string is a valid CveID * @param id a string to test for CveID validity - * @returns a tuple: - * [0]: (boolean) true iff valid CveID - * [1]: (string) "CVE" - * [2]: (string) year - * [3]: (string) id/thousands - * [4]: (string) id - * For example, CVE-1999-12345 would return - * [true,"CVE","1999","12xxx", "12345"] + * @returns a {@link CveIdComponents} tuple. */ static toComponents(cveId: string | CveId): CveIdComponents { const id: string = (cveId instanceof CveId) ? cveId.id : cveId; // assume a tup representing an invalid CVE ID const tup: CveIdComponents = [false, undefined, undefined, undefined, undefined]; - if (id === null || id === undefined || id?.length === 0) { + // validation checks + // must at least be a non-empty string + if (typeof id != 'string' || id?.length === 0) { return tup; } + + // must split into 3 parts by '-' and prefixed with "CVE-" const parts = id.split('-'); - if (parts.length < 2) { + if (parts.length != 3) { return tup; } + tup[1] = parts[0]; // prefix part + tup[2] = parts[1]; // year part + tup[4] = parts[2]; // number part + const year = Number(parts[1]); + let num: bigint; + try { + // need to use BigInt because max number of '9' repeating 19 times can't be properly parsed with parseInt or Number + // needs to be in try catch because it throws an error instead of returning NaN on edge cases + num = BigInt(parts[2]); + tup[3] = `${(num / BigInt(1000))}xxx`; // thousands group. note that bigint operations result in integers + } catch { } - const year = parseInt(parts[1]); - const num = parseInt(parts[2]); - if (parts[0] === 'CVE' - && CveId.getAllYears().includes(year) - && num >= 1) { - parts.shift(); // removes the 'CVE' - const thousands = Math.floor(num / 1000).toFixed(0); - return [true, "CVE", parts[0], `${thousands}xxx`, parts[1]]; - } - else { - return tup; - } + // check for validity of cve id + tup[0] = ( + // must start with CVE- prefix + tup[1] == "CVE" + // year must be valid number, 'NaN' might have pass some checks + && !isNaN(year) + // year must be explicit, no 213e2 or decimal points + && year.toFixed(0) == parts[1] + // year number must be from an approved number + && CveId.getAllYears().includes(year) + // id number must be explicit, no 213e2 or decimal points and must have parsed to an integer + && parts[2].includes(num?.toString()) + // id number must be greater than zero + && num > 0 + // id number min length must be padded to CveId.ID_NUMBER_MIN_DIGITS digits + && parts[2].length >= CveId.ID_NUMBER_MIN_DIGITS + // id number max digits cap out at CveId.ID_NUMBER_MAX_DIGITS + && parts[2].length <= CveId.ID_NUMBER_MAX_DIGITS + // id number may not have leading whitespaces + && parts[2].trimStart().length == parts[2].length + // id number must have the appropriate amount of leading zeroes for the parsed value with respect to the minimum number of digits allowed + && num.toString().substring(0, CveId.ID_NUMBER_MIN_DIGITS).padStart(CveId.ID_NUMBER_MIN_DIGITS, '0') == parts[2].substring(0, CveId.ID_NUMBER_MIN_DIGITS) + ); + return tup; } + static isValidCveIdFast(id: string) { + return RegExp(CveId.StrictRegexMatcher).test(id ?? ''); + } + /** * checks if a string is a valid CveID * @param id a string to test for CveID validity @@ -145,7 +193,7 @@ export class CveId { // if the environment variable is not present, use current date + 2 const endYear = env ? parseInt(env) : new Date().getFullYear() + 2; CveId._years = [ - CveId.kTestYear // CveId.kTestYear used for testing, valiating. CVE REST services has a different method of validating the year. For this package, this is sufficent so including 1970 should not have any negative affects. + CveId.kTestYear // CveId.kTestYear used for testing, validating. CVE REST services has a different method of validating the year. For this package, this is sufficient so including 1970 should not have any negative affects. ]; for (let yr = CveId.kFirstYear; yr <= endYear; ++yr) { CveId._years.push(yr); @@ -190,7 +238,7 @@ export class CveId { static comparator(a: string, b: string): number { const [_a, aYear, aNumber] = a.split('-'); const [_b, bYear, bNumber] = b.split('-'); - const yCompare = Number(aYear) - Number(bYear); // using Number() because it is faster and more correct than parsetInt + const yCompare = Number(aYear) - Number(bYear); // using Number() because it is faster and more correct than parseInt if (yCompare === 0) { return Number(aNumber) - Number(bNumber); } @@ -199,4 +247,26 @@ export class CveId { } } + /** + * @param str the string to match against + * @returns list of all cve ids found in the string. + */ + static extractedFromString(str: string): string[] { + const ret = []; + let m; + const regex = new RegExp(CveId.StrictRegexMatcher, 'gmi'); + + while ((m = regex.exec(str)) !== null) { + // This is necessary to avoid infinite loops with zero-width matches + if (m.index === regex.lastIndex) { + regex.lastIndex++; + } + + // The result can be accessed through the `m`-variable. + m.forEach((match) => { + ret.push(match); + }); + } + return ret; + } } \ No newline at end of file diff --git a/src/core/CveDate.test.ts b/src/date/CveDate.test.ts similarity index 97% rename from src/core/CveDate.test.ts rename to src/date/CveDate.test.ts index 53b266f..7ec5e1c 100644 --- a/src/core/CveDate.test.ts +++ b/src/date/CveDate.test.ts @@ -34,7 +34,7 @@ describe(`CveDate`, () => { }); - it(`getDateComponents() should outut a tuple of the components of a date`, async () => { + it(`getDateComponents() should output a tuple of the components of a date`, async () => { const timestamp = new Date(); let iso = CveDate.toISOString(timestamp); let tuple = CveDate.getDateComponents(timestamp); diff --git a/src/core/CveDate.ts b/src/date/CveDate.ts similarity index 98% rename from src/core/CveDate.ts rename to src/date/CveDate.ts index 95a5e26..8d658a0 100644 --- a/src/core/CveDate.ts +++ b/src/date/CveDate.ts @@ -36,7 +36,7 @@ export class CveDate { private _jsDate: Date; /** the constructor only creates a new CveDate based on an ISO date string - * @param isoDateStr a string represenation of a date in ISO/UTC/Z format + * @param isoDateStr a string representation of a date in ISO/UTC/Z format * defaults to "now" */ constructor(isoDateStr?: IsoDateString | string) { diff --git a/src/core/CveListDir.test.ts b/src/deprecated/CveListDir.test.ts similarity index 100% rename from src/core/CveListDir.test.ts rename to src/deprecated/CveListDir.test.ts diff --git a/src/core/CveListDir.ts b/src/deprecated/CveListDir.ts similarity index 90% rename from src/core/CveListDir.ts rename to src/deprecated/CveListDir.ts index ac5382c..a37537f 100644 --- a/src/core/CveListDir.ts +++ b/src/deprecated/CveListDir.ts @@ -1,4 +1,5 @@ import fs from 'fs'; +import { DirectoryWalker } from '../adapters/fs/DirectoryWalker.js'; /** * Callback signature for CveListDir.walkDir() @@ -18,6 +19,7 @@ export type CveListDirWalkDirOptions = { /** * Class for working with a directory of CVE listings + * @deprecated use {@link DirectoryWalker} */ export class CveListDir { @@ -27,9 +29,9 @@ export class CveListDir { * Note on Windows: Currently, the ignoreInvisible flag is only for Linux/MacOSX, * so all Windows files and directories will be included regardless of the ignoreLinuxInvisible setting * @param path the path to walk - * @param callback function of the WalkDirCallback type to call after walking the path + * @param callback function of the WalkDirCallback type to call for each file/dir in a directory * @param options optional options (see WalkDirOptions) - * @deprecated + * @deprecated use {@link DirectoryWalker.walkDir} */ static walkDir = ( path: string, diff --git a/src/core/fsUtils.test.ts b/src/deprecated/fsUtils.test.ts similarity index 100% rename from src/core/fsUtils.test.ts rename to src/deprecated/fsUtils.test.ts diff --git a/src/core/fsUtils.ts b/src/deprecated/fsUtils.ts similarity index 88% rename from src/core/fsUtils.ts rename to src/deprecated/fsUtils.ts index eb0efb2..1822e2a 100644 --- a/src/core/fsUtils.ts +++ b/src/deprecated/fsUtils.ts @@ -1,13 +1,14 @@ -/** DEPRECATED: a wrapper/fascade class to make it easier to work with the file system SYNCRHONOUSLY - * @deprecated -*/ +/** a wrapper/facade class to make it easier to work with the file system SYNCHRONOUSLY */ import fs from 'fs'; import path from 'path'; import unset from 'lodash.unset'; - -// DEPRECATED +import { FsReader } from '../adapters/fs/FsReader.js'; +import { ObjectComparer } from '../common/comparer/ObjectComparer.js'; +/** + * @deprecated use {@link FsReader} + */ export class FsUtils { path: string; @@ -24,6 +25,7 @@ export class FsUtils { * (very thin wrapper for fs.existsSync which is NOT deprecated, unlike fs.exists) * @param path the full or partial path to test * @returns true iff the specified path exists + * @deprecated use {@link FsReader.exists} */ static exists(path: string): boolean { return fs.existsSync(path); @@ -33,6 +35,7 @@ export class FsUtils { * synchronously removes the specified file iff it exists * @param path * @returns true if the file was removed, false if it did not exist in the first place + * @deprecated use {@link FsReader.rm} */ static rm(path: string): boolean { if (FsUtils.exists(path)) { @@ -44,6 +47,9 @@ export class FsUtils { } } + /** + * @deprecated use {@link FsReader.readdirSync} or {@link DirectoryWalker} + */ static ls(path: string): string[] { const retval = []; fs.readdirSync(path).forEach(file => { @@ -53,6 +59,9 @@ export class FsUtils { return retval; } + /** + * @deprecated use {@link lodash.unset} + */ static deleteProperties(obj: unknown, propPath: string): unknown { // console.log(`deleteProperties: ${propPath}`); const propPathComponents = propPath.split('.'); @@ -70,6 +79,7 @@ export class FsUtils { * @param path1 the relative or fullpath to a file * @param path2 the relative or fullpath to another file * @param ignoreJsonProps optional array of json paths to ignore, e.g., ["cveMetadata.datePublished", "cveMetadata.dateUpdated", "cveMetadata.dateReserved"] + * @deprecated use {@link FsReader.isSameContent} */ static isSameContent(path1: string, path2: string, ignoreJsonProps?: string[]): boolean { if (!FsUtils.exists(path1) || !FsUtils.exists(path2)) { diff --git a/src/jest.setup.ts b/src/jest.setup.ts new file mode 100644 index 0000000..a22e949 --- /dev/null +++ b/src/jest.setup.ts @@ -0,0 +1,19 @@ +// this is needed because when running jest on a single file, the environment variables may not have been read in +import 'dotenv/config'; +import { AppConfig } from './adapters/config/AppConfig.js'; + +// this is run before any jest tests and is a useful "global" beforeAll +// this works even when running jest on a single file +beforeAll(() => { + // global jest notifications + console.log(`Jest testing on search provider: ${AppConfig.get('search.providerEndpoint')}/${AppConfig.get('search.index')}`); + console.log(`Jest testing search provider fixtures: ${JSON.stringify(AppConfig.get('test.searchTest.fixtures'), null, 2)}`); + + // global jest setups +}); + +// You can also include other global hooks like afterAll, beforeEach, afterEach here +afterAll(() => { + // global clean up resources + // global jest notifications +}); \ No newline at end of file diff --git a/src/net/ApiBaseService.ts b/src/net/ApiBaseService.ts deleted file mode 100644 index 96e1ae8..0000000 --- a/src/net/ApiBaseService.ts +++ /dev/null @@ -1,28 +0,0 @@ -/** - * Abstract base class providing common functions for the CveXXXServices classes - * Note that the location of the CVE Services API, username, password, tokens, etc. - * are all set in the project's .env file, which must be defined before using - */ - -export abstract class ApiBaseService { - - /** full url to CVE Service */ - _url = `${process.env.CVE_SERVICES_URL}`; // initialize to root - - /** default header when sending requests to CVE Services */ - _headers = { - "Content-Type": "application/json", - "CVE-API-ORG": `${process.env.CVE_API_ORG}`, - "CVE-API-USER": `${process.env.CVE_API_USER}`, - "CVE-API-KEY": `${process.env.CVE_API_KEY}`, - "redirect": "follow" - }; - - - /** customize ApiService for specific web service (e.g., '/api/cve') - * @param rootpath path starting with '/', (e.g., '/api/cve') - */ - constructor(rootpath: string) { - this._url = `${this._url}${rootpath}`; - } -} \ No newline at end of file diff --git a/src/net/CveService.test.ts b/src/net/CveService.test.ts deleted file mode 100644 index 03b63d8..0000000 --- a/src/net/CveService.test.ts +++ /dev/null @@ -1,107 +0,0 @@ -import { CveService } from './CveService.js'; - -describe(`CveService`, () => { - - // constants that may change as database changes - const kCveId = `CVE-1999-0001`; - const kTotalCves = 114; - const kLastCveModifiedTime = `2023-01-15T15:56:15`; - - it(`correctly sets up the CVE service required environment variables from .env`, async () => { - const cveService = new CveService(); - expect(cveService._headers) - .toEqual( - { - "Content-Type": "application/json", - "CVE-API-ORG": `${process.env.CVE_API_ORG}`, - "CVE-API-USER": `${process.env.CVE_API_USER}`, - "CVE-API-KEY": `${process.env.CVE_API_KEY}`, - "redirect": "follow" - }); - }); - - //@todo temporarily skipping until a local cve rest services instance is published - it.skip(`getCveSummary() gets summary of CVEs`, async () => { - const cveService = new CveService(); - const info = await cveService.getCveSummary(); - expect(info['totalCves']).toBeGreaterThan(200000); - }, (40 * 1000)); - - - //@todo temporarily skipping until a local cve rest services instance is published - it.skip(`getCveUsingId() gets correct CVE using a valid CVE id`, async () => { - const cveService = new CveService(); - const cve = await cveService.getCveUsingId(kCveId); - expect( - cve?.cveMetadata?.cveId - ).toEqual( - kCveId - ); - }); - - - //@todo temporarily skipping until a local cve rest services instance is published - it.skip(`getCveUsingId() correctly throws an exception for invalid CVE id`, async () => { - const cveService = new CveService(); - await expect(cveService.getCveUsingId(`bad cve id`)) - .rejects - .toThrow(`Invalid CVE ID`); - }); - - - /** Note that this test may need to be updated from time to time, because - * CVE REST Services does not store history, and if one or more of the CVEs below are updated - * subsequent to when this test was built, the results will be different. - * - */ - //@todo temporarily skipping until a local cve rest services instance is published - it.skip(`getAllCvesChangedInTimeFrame() gets correct set of CVEs`, async () => { - const cveService = new CveService(); - const cves = await cveService.getAllCvesChangedInTimeFrame('2024-08-26T20:00:00.000Z', '2024-08-26T20:16:00.000Z'); - expect(cves.length).toBe(7); - }, (20 * 1000)); - - - // ----- API wrapper - - it.skip(`cve() gets correct CVE using a CVE id`, async () => { - const cveService = new CveService(); - const response = await cveService.cve({ id: kCveId }); - expect( - response - ).toMatchObject( - { - "cveMetadata": { - "cveId": expect.stringMatching(`${kCveId}`), - }, - "dataVersion": "5.1" - } - ); - expect(response.cveMetadata).toHaveProperty("assignerOrgId"); - }); - - - it.skip(`cve() gets total number of CVEs`, async () => { - const cveService = new CveService(); - const response = await cveService.cve({ queryString: 'count_only=1' }); - expect(response.totalCount).toBeGreaterThan(100); - // console.log(`~~total number of CVEs=${response.totalCount}`); - }); - - - it.skip(`cve() correctly handles '?' in query parameter`, async () => { - const cveService = new CveService(); - const response = await cveService.cve({ queryString: '?count_only=1' }); - expect(response.totalCount).toBeGreaterThan(100); - // console.log(`~~total number of CVEs=${response.totalCount}`); - }); - - - it.skip(`cve() gets CVEs changed since ${kLastCveModifiedTime}`, async () => { - const cveService = new CveService(); - const response = await cveService.cve({ queryString: `count_only=1&time_modified.gt=${kLastCveModifiedTime}` }); - expect(response['totalCount']).toBeGreaterThanOrEqual(1); - // console.log(`~~CVEs changed since ${kLastCveModifiedTime}=${response['totalCount']}`); - }, 30 * 1000); - -}); diff --git a/src/net/CveService.ts b/src/net/CveService.ts deleted file mode 100644 index 8bade34..0000000 --- a/src/net/CveService.ts +++ /dev/null @@ -1,162 +0,0 @@ -import axios from 'axios'; -import axiosRetry, { AxiosRetry } from 'axios-retry'; - -import { ApiBaseService } from './ApiBaseService.js'; -import { CveRecord } from '../core/CveRecord.js'; -import { CveId, CveIdError } from '../core/CveRecord.js'; - -let _retryFlag = 0; -// axiosRetry has weird behavior where compiler cant resolve the proper location of the callable axiosRetry symbol. -// cjs wants 'axiosRetry.default', but ESM just wants 'axiosRetry', we implement a hacky compromise instead -const axiosRetryInitalizer: AxiosRetry = (axiosRetry['default'] as AxiosRetry ?? axiosRetry as unknown as AxiosRetry); -axiosRetryInitalizer(axios, { - /** max number of retries per a single request */ - retries: 3, - /** - * Calculate how many miliseconds to wait before the next retry. - * @param retryCount retry count - * @returns number of ms to wait before the next retry - */ - retryDelay: (retryCount: number): number => { - // uncertain how to determine the type of error, so assume all are arbitrary rate limits. - // retry based off of the cve-services rate limit behavior - let now = new Date(); - now.setMinutes(now.getMinutes() + 1, 0, 100); - const timeToWait = now.getTime() - new Date().getTime(); - if (_retryFlag < now.getTime()) { - // no need to spam console for all retries. only per minute interval that we will be waiting on. - console.debug(`Pending retries set to retry @ ${now.toISOString()}...`); - _retryFlag = now.getTime(); - } - return timeToWait; - }, - /** - * Check if we should retry based on the error received. - * @param error - * @returns boolean to retry or not - */ - retryCondition: (error): boolean => { - // if retry condition is not specified, by default idempotent requests are retried - const errCode = error.response.status || error.status; - // 429 is rate limited by cve services - // 500 is other unknown errors or cve-services - return errCode === 429 || errCode >= 500; - } -}); - -/** - * options that can be used with the generic cve() method - * Note that special CVE Services privileges on special CVE Services accounts may be needed - * to fully use all functionality - */ -export interface CveApiOptions { - /** set id to access specific CVE by CVE ID */ - id?: string, - /** a query string corresponding to any of the query parameters allowed by the /cve endpoint - * (e.g., page=5) - */ - queryString?: string; -} - -/** - * Main class that provides functional access to the /cve Services API - * Note that the url of the CVE Services API, username, password, tokens, etc., all need to be - * set in the project's .env file. - * - CVE Service endpoint specified in .env file (main.ts must call config() to set this up before this class can be used) - */ -export class CveService extends ApiBaseService { - - constructor() { - super(`/api/cve`); - } - - - /** async method that returns some information about the the CVE Services API - * Note: Avoid using this since it is expensive and can run as long as 15 seconds - * @return an object with information about the CVE Services API - */ - async getCveSummary(): Promise<{ - totalCves: number, - totalCvePages: number, - cvesPerPage: number - }> { - const response = await this.cve({ queryString: `page=1000` }); - return { - totalCves: response.totalCount, - totalCvePages: response.pageCount, - cvesPerPage: response.itemsPerPage - }; - } - - - /** async method that returns the CVE Record associated with a given CVE id - * @param id the CVE id string to retrieve - * @return a CveRecord representing the record associated with a given CVE id - */ - async getCveUsingId(id: string): Promise { - if (CveId.isValidCveId(id)) { - const response = await this.cve({ id }); - const cve = new CveRecord(response); - return cve; - } - else { - throw new CveIdError(`Invalid CVE ID: ${id}`); - } - } - - - /** returns array of CVE that has been added/modified/deleted since timestamp window */ - async getAllCvesChangedInTimeFrame(start: string, stop: string): Promise { - const cveService = new CveService(); - const queryString = `time_modified.gt=${start}&time_modified.lt=${stop}`; - const response = await cveService.cve({ queryString }); - let cves: CveRecord[] = []; - response.cveRecords.forEach(obj => { - const cve = new CveRecord(obj); - cves.push(cve); - }); - // console.log(`response number of items=`, response.cveRecords.length); - - return cves; - }; - - // ----- API wrapper - - /** wrapper for /cve - * Note: avoid using this directly if one of the methods above can provide the functionality - */ - async cve(option: CveApiOptions): Promise { - try { - let url = `${this._url}`; - if (option.id) { - url += `/${option.id}`; - } - if (option.queryString) { - // remove initial ? if present - url += `?${option.queryString.split('?')[0]}`; - } - // console.log(`cve-rest-service GET `, url); - const { data, status } = await axios.get( - url, - { - headers: this._headers - } - ); - - switch (status) { - case 200: - // console.log(`[cve]: status: `, status); - // console.log(`[cve]: data: `, JSON.stringify(data, null, 2)); - return data; - default: - console.log(`[cve]: error: `, data); - return data; - } - } - catch (e) { - console.log(`[cve]: caught error: `, e); - return e; - } - }; - -} \ No newline at end of file diff --git a/src/net/CveUpdater.test.ts b/src/net/CveUpdater.test.ts deleted file mode 100644 index efb372b..0000000 --- a/src/net/CveUpdater.test.ts +++ /dev/null @@ -1,134 +0,0 @@ -import { CveService } from './CveService.js'; -// import { CveId } from '../core/CveId.js'; -import * as dotenv from 'dotenv'; -import fs from 'fs'; -import { CveUpdater } from './CveUpdater.js'; -// import { ActivityStep } from '../core/Activity.js'; -// import { FsUtils } from '../core/fsUtils.js'; -dotenv.config(); - -describe(`CveUpdater`, () => { - - // the following tests uses the same start/end window - // note that some of the following tests may fail if any of the CVEs in kCves gets updated - const kStartWindow = "2024-08-26T20:00:00Z"; - const kEndWindow = "2024-08-26T20:16:00Z"; - const kCves = [ - "CVE-2023-32366", - "CVE-2023-41075", - "CVE-2023-51774", - "CVE-2024-25228", - "CVE-2024-31850", - "CVE-2024-3348", - "CVE-2024-3354", - ].sort(); - const kTotalRecords = kCves.length; // = 14 - const kMaxRecords = 10; - - afterAll(() => { - // cleanup test/pretend_github_repository directory - - try { - fs.rmSync(`cves/2023`, { recursive: true }); - fs.rmSync(`cves/2024`, { recursive: true }); - } - catch (err) { - console.log(`error when cleaning up: ${err}`) - } - }); - - // ----- ----- getFirstCvesFrame() - - it.skip(`getFirstCvesFrame() returns the correct set of CVEs after fetching within a time window`, async () => { - const updater = new CveUpdater(`Update CVEs`, {}); - const startWindow = kStartWindow; - const endWindow = kEndWindow; - const step = await updater.getFirstCvesFrame(startWindow, endWindow); - console.log(`step.summary.cveIds: ${step?.summary?.cveIds?.sort()}`) - expect(step?.summary.startWindow).toEqual(startWindow); - expect(step?.summary.endWindow).toEqual(endWindow); - expect(step?.summary.count).toEqual(kTotalRecords); - expect(step?.summary?.cveIds?.sort()).toEqual(kCves); - }, (60 * 1000)); - - - it.skip(`getFirstCvesFrame() returns subset of CVEs if requested time window returns too many records (>max) in requested window`, async () => { - const max = 3; - const updater = new CveUpdater(`Update CVEs`, {}); - const startWindow = kStartWindow; - const endWindow = kEndWindow; - let newStartWindow = startWindow; - let cves = []; - const step = await updater.getFirstCvesFrame(newStartWindow, endWindow, max); - console.log(`step=${JSON.stringify(step, null, 2)}`); - expect(step?.summary?.startWindow).toEqual(newStartWindow); - expect(step?.summary?.count).toBe(0); - //@todo this needs to use a better time window. it used to span multiple pages, but now the first page has 0 items - // expect(step?.summary?.cveIds?.sort()).toEqual([ - // "CVE-2023-42136" - // ]); - - }, (50 * 1000)); - - - it.skip(`by calling getFirstCvesFrame() with small max and new frames, it can properly retrieve all CVEs within window of interest`, async () => { - const max = 5; - const updater = new CveUpdater(`Update CVEs`, {}); - const startWindow = kStartWindow; - const endWindow = kEndWindow; - let newStartWindow: string | undefined = startWindow; - let total = 0; - let cves: string[] = []; - do { - const step = await updater.getFirstCvesFrame(newStartWindow, endWindow, max); - if (step) { - expect(step?.summary?.startWindow).toEqual(newStartWindow); - const count = step?.summary?.count; - expect(step?.summary?.count).toBeLessThanOrEqual(max); - total += count; - step?.summary?.cveIds?.forEach(cve => cves.push(cve)); - newStartWindow = step?.summary?.endWindow; - } - } while (newStartWindow && newStartWindow < endWindow); - expect(total).toEqual(kTotalRecords); - expect(cves.sort()).toEqual(kCves); - }, (100 * 1000)); - - - it.skip(`getFirstCvesFrame() does not narrow window if requested time window returns less than max records`, async () => { - const updater = new CveUpdater(`Update CVEs`, {}); - const startWindow = kStartWindow; - const endWindow = kEndWindow; - let newStartWindow: string | undefined = startWindow; - const max = 15; - const step = await updater.getFirstCvesFrame(newStartWindow, endWindow, max); - expect(step?.summary?.startWindow).toEqual(newStartWindow); - expect(step?.summary?.count).toBeLessThanOrEqual(max); - newStartWindow = step?.summary?.endWindow; - }, (35 * 1000)); - - - it.skip(`properly subframes a window of CVEs`, async () => { - const cveService = new CveService(); - const updater = new CveUpdater(`Update CVEs`, {}); - const startWindow = kStartWindow; - let endWindow = kEndWindow; - const max = 5; - let newStartWindow = startWindow; - const queryString = `time_modified.gt=${startWindow}&time_modified.lt=${endWindow}`; - const resp = await cveService.cve({ queryString: `count_only=1&${queryString}` }); - const totalA = parseInt(resp.totalCount); - expect(totalA).toBe(kTotalRecords); - let totalB = 0; - const activity = await updater.getCvesInWindow(startWindow, endWindow, max); - activity.steps.forEach(step => { - totalB += step?.summary?.count; - }); - // console.log(`activity=${JSON.stringify(activity, null, 2)}`); - // const filepath = `${process.env.CVES_TEST_BASE_DIRECTORY}/${CveId.toCvePath(activity.steps[0].summary.cveIds[0])}.json`; - // console.log(`persisted file at ${filepath}`); - // expect(fs.existsSync(`${filepath}`)).toBeTruthy(); - expect(totalB).toBe(totalA); - }, (120 * 1000)); - -}); diff --git a/src/net/CveUpdater.ts b/src/net/CveUpdater.ts deleted file mode 100644 index 523da87..0000000 --- a/src/net/CveUpdater.ts +++ /dev/null @@ -1,198 +0,0 @@ -/** - * Updates /cves by dates using CveService - */ - -import { - add, - differenceInSeconds, - parseISO -} from 'date-fns'; - -import { Activity, ActivityStatus, ActivityStep } from '../core/Activity.js'; -import { ActivityLogOptions, ActivityLog } from '../core/ActivityLog.js'; -import { CveRecord } from '../core/CveRecord.js'; -import { CveService } from './CveService.js'; -// import { Delta } from '../core/Delta.js'; -import { Git } from '../core/git.js' - -export const kActivity_UpdateByModificationDateWindow = 'UPDATE_BY_MODIFICATION_DATE_WINDOW'; -export const kActivity_UpdateByPage = 'UPDATE_BY_PAGE'; -export class CveUpdater { - - static _recsPerPage: number = process.env.CVE_SERVICES_RECORDS_PER_PAGE ? parseInt(process.env.CVE_SERVICES_RECORDS_PER_PAGE) : 500; - - /** repository base path */ - _repository_base = `${process.env.CVES_BASE_DIRECTORY}`; - _release_note_path = `${this._repository_base}/release_notes.md`; - _recent_activities_path = `${this._repository_base}/${process.env.CVES_RECENT_ACTIVITIES_FILENAME}`; - - _activityLog: ActivityLog; - - constructor(activity: string, logOptions: ActivityLogOptions) { - // console.log(`CveUpdater(options=${JSON.stringify(logOptions)})`) - this._activityLog = new ActivityLog(logOptions); - } - - // ----- CVE updates ----- - - /** retrieves CVEs added or updated in a window of time - * NOTE that if the number of records is > max, then the window is narrowed - * until the number of records is <= max, and only this narrowed window (called a frame) of CVEs - * is returned. It is the responsibility of the caller to repeat - * the call (with new startWindow set to previous endWindow) until - * new startWindow is >= the original endWindow. See tests for example. - * - * @param startWindow requested start window, MUST BE ISO - * @param endWindow requested end window, MUST BE ISO - * @param max max records requested (default is 500) - * if the number of records in [startWindow,endWindow] > max, then endWindow is shortened until - * number of records < max - * @param writeDir a path to write CVE JSON objects to (defaults to undefined, which will not persist any CVEs, useful when trying to query statistics about CVEs) - * @returns an Activity with data and properties OR - * null if params are detected to be a no-op - * - * @todo NOTE that there is a known bug at present, where if there were > max records that were changed in less than 1 second - * this will go into an endless loop. - * Note that this has not happened in the last few weeks (hk on 4/5/23). In the review, Thu suggested to add a sleep function, which I think may be - * a good starting point to fix this problem - */ - async getFirstCvesFrame( - startWindow: string, - endWindow: string, - max: number = CveUpdater._recsPerPage, - writeDir: string | undefined = undefined - ): Promise { - if (startWindow == endWindow) { - // no need to run - return undefined; - } - const timestampStart = Date.now(); - const actualStartWindow = startWindow; - let actualEndWindow = endWindow; - const service = new CveService(); - let queryString = ''; - let totalCount = 0; - let tries = 0; - let diff = 0; - const actualStartWindowIso = parseISO(actualStartWindow); - do { - queryString = `time_modified.gt=${actualStartWindow}&time_modified.lt=${actualEndWindow}`; - const resp = await service.cve({ queryString: `count_only=1&${queryString}` }); - totalCount = parseInt(resp.totalCount); - diff = differenceInSeconds(parseISO(actualEndWindow), actualStartWindowIso); - console.log(`try=${tries}: currentCount=${totalCount} / ${max} (diff=${diff}: [${actualStartWindow},${actualEndWindow}])`); - if (totalCount > max) { - actualEndWindow = add(actualStartWindowIso, { seconds: diff / 2 }).toISOString(); - } - tries++; - } while (totalCount > max && diff > 0 && tries < 20); - const cves = await service.cve({ queryString }); - const cveIds: string[] = []; - cves.cveRecords.forEach(record => { - cveIds.push(record.cveMetadata.cveId); - }); - - const startTime = new Date(timestampStart).toISOString(); - const timestampEnd = Date.now(); - const step = { - startTime, - stopTime: new Date(timestampEnd).toISOString(), - duration: `${timestampEnd - timestampStart} msecs`, - stepDescription: kActivity_UpdateByModificationDateWindow, - summary: { - startWindow: actualStartWindow, - endWindow: actualEndWindow, - count: cves.cveRecords.length, - cveIds, - } - }; - - // write file to repository - if (writeDir) { - cves.cveRecords.forEach(json => { - const cve = new CveRecord(json); - cve.writeToCvePath(writeDir); - }); - } - return step; - } - - - /** retrieves the CVEs in a window of time - * @param startWindow requested start window, MUST BE ISO - * @param endWindow requested end window, MUST BE ISO - * @param max max records requested - * if the number of records in [startWindow,endWindow] > max, then endWindow is shortened until - * number of records < max - * @returns an Activity with data and properties OR - * null if params are detected to be a no-op - */ - async getCvesInWindow( - startWindow: string, - endWindow: string, - max: number = CveUpdater._recsPerPage, - writeDir: string | undefined = undefined - ): Promise { - const timestampStart = Date.now(); - - // start an ActivityLog for the steps to be prepended into - const startTime = new Date(timestampStart).toISOString(); - const activity: Activity = new Activity({ - startTime, - stopTime: '', - duration: '', - name: `cves in window`, - // url: `tbd`, - status: ActivityStatus.Completed, - // errors: [{ "tbd": "tbd" }], - // notes: { - // // "function": "getCvesInWindow()", - // // "params": JSON.stringify({ startWindow, endWindow, max, writeDir }, null, 2) - // }, - delta: undefined, - steps: [] - }); - - // do window - let newStartWindow: string = startWindow; - const newEndWindow = endWindow; - let step: ActivityStep | undefined; - do { - step = await this.getFirstCvesFrame(newStartWindow, newEndWindow, max, `${process.env.CVES_BASE_DIRECTORY}`); - if (step) { - // count = activity.summary.count; - const stepEndWindow = step?.summary?.endWindow; - if (stepEndWindow) { - newStartWindow = stepEndWindow; - } - activity.prependStep(step); - // console.log(`getCvesInWindow.step.summary.count=${step.summary.count}`); - } - } while (step && newStartWindow < newEndWindow); - - - // add remainder of Activity properties - activity.delta = await Git.calculateDelta({}, `${this._repository_base}`); - // console.log(`activity after checking for delta: ${JSON.stringify(activity, null, 2)}`); - const timestampEnd = Date.now(); - activity.stopTime = new Date(timestampEnd).toISOString(); - activity.duration = `${timestampEnd - timestampStart} msecs`; - return activity; - } - - - // ----- Recent Activities log ----- - - - /** reads recent activities data */ - readRecentActivities(): Activity[] { - return this._activityLog._activities; - } - - - /** write recent activities to file */ - writeRecentActivities(): boolean { - return this._activityLog.writeRecentFile(); - } - -} \ No newline at end of file diff --git a/src/core/result/CveResult.test.int.ts b/src/result/CveResult.test.int.ts similarity index 96% rename from src/core/result/CveResult.test.int.ts rename to src/result/CveResult.test.int.ts index 73fa5e9..8e4f96c 100644 --- a/src/core/result/CveResult.test.int.ts +++ b/src/result/CveResult.test.int.ts @@ -1,6 +1,5 @@ import { isMatching, match, P } from 'ts-pattern'; import { CveErrorCodes, CveError, CveResult } from './CveResult.js'; -// import { SearchResultData } from '../search/BasicSearchManager.js'; describe(`CveResult`, () => { @@ -14,6 +13,7 @@ describe(`CveResult`, () => { ) + it(`CveResult.ok works well with switch() statements`, async () => { switch (kCveResult_OkWithString.status) { case 'ok': @@ -63,5 +63,9 @@ describe(`CveResult`, () => { .exhaustive() }); + + + + }); diff --git a/src/core/result/CveResult.test.unit.ts b/src/result/CveResult.test.unit.ts similarity index 98% rename from src/core/result/CveResult.test.unit.ts rename to src/result/CveResult.test.unit.ts index 720f1e4..c50f792 100644 --- a/src/core/result/CveResult.test.unit.ts +++ b/src/result/CveResult.test.unit.ts @@ -1,5 +1,4 @@ import { CveResultDataType, CveErrorCodes, CveError, CveResult } from './CveResult.js'; -// import { SearchResultData } from '../search/BasicSearchManager.js'; describe(`CveResult`, () => { diff --git a/src/core/result/CveResult.ts b/src/result/CveResult.ts similarity index 98% rename from src/core/result/CveResult.ts rename to src/result/CveResult.ts index db798cd..c367300 100644 --- a/src/core/result/CveResult.ts +++ b/src/result/CveResult.ts @@ -1,5 +1,5 @@ import isInteger from 'lodash.isinteger' -import { SearchResultData } from '../search/BasicSearchManager.js' +import { SearchResultData } from '../search/SearchResultData.js' /** error codes for this library */ export const CveErrorCodes = { diff --git a/src/core/search/BasicSearchManager.test.e2e.ts b/src/search/BasicSearchManager.test.e2e.ts similarity index 64% rename from src/core/search/BasicSearchManager.test.e2e.ts rename to src/search/BasicSearchManager.test.e2e.ts index bae64aa..2b3a92e 100644 --- a/src/core/search/BasicSearchManager.test.e2e.ts +++ b/src/search/BasicSearchManager.test.e2e.ts @@ -1,31 +1,43 @@ -import { SearchProviderInfo, SearchResultData, BasicSearchManager } from "./BasicSearchManager.js"; +// For a more comprehensive set of test cases, see the tests +// in test_cases/search_* + +import { BasicSearchManager } from "./BasicSearchManager.js"; +import { SearchResultData } from "./SearchResultData.js"; +import { SearchProviderSpec } from '../adapters/search/SearchAdapter.js'; describe(`BasicSearchManager (e2e)`, () => { - const searchProviderInfo: SearchProviderInfo = { - // index: "test-index-for-jest-testing-1", - index: "e2e-cve-test-index-01", - providerEndpoint: "https://admin:admin@localhost:9200" - }; + // because e2e testing is very specific to a dataset, we need to make sure we use the same opensearch dataset in cve-fixtures + // as was designed for this test. + const searchProviderSpec = SearchProviderSpec.getDefaultSearchProviderSpec() // const _testPipeline = `jest_test_ingest_pipeline` + const numFound_office = 9 - it.skip(`search(simpleString) correctly searches across all fields`, async () => { - const searchManager = new BasicSearchManager(searchProviderInfo); - const resp = await searchManager.search('office'); + it(`search(simpleString) correctly searches across all fields`, async () => { + const searchManager = new BasicSearchManager(searchProviderSpec); + const resp = await searchManager.search('office', { + sort: [ + { + "cveMetadata.cveId.keyword": { + "order": "desc" + } + } + ] + }); expect(resp.isOk()).toBeTruthy(); // console.log(`resp=${JSON.stringify(resp, null, 2)}`); const searchResult: SearchResultData = resp.data as SearchResultData - expect(searchResult.hits.total.value).toBe(8); + expect(searchResult.hits.total.value).toBe(numFound_office); const hits = searchResult.hits.hits; - const expectedCveIds = ["CVE-2017-8501", "CVE-2017-8570", "CVE-2018-0804", "CVE-2018-0807", "CVE-2022-30693", "CVE-2022-38745", "CVE-2022-38756", "CVE-2022-39024"]; + const expectedCveIds = ["CVE-2017-8501", "CVE-2017-8570", "CVE-2018-0804", "CVE-2018-0807", "CVE-2022-30190", "CVE-2022-30693", "CVE-2022-38745", "CVE-2022-38756", "CVE-2022-39024"]; const hitCveIds = searchResult.hits.hits.map(e => e['_id']).sort(); expect(hitCveIds).toMatchObject(expectedCveIds); }); - it.skip(`search() correctly returns an error`, async () => { - const searchManager = new BasicSearchManager(searchProviderInfo); + it(`search() correctly returns an error`, async () => { + const searchManager = new BasicSearchManager(searchProviderSpec); const testcases = [ undefined, null, @@ -41,8 +53,8 @@ describe(`BasicSearchManager (e2e)`, () => { }); - it.skip(`search() correctly returns data or errors as appropriate`, async () => { - const searchManager = new BasicSearchManager(searchProviderInfo); + it(`search() correctly returns data or errors as appropriate`, async () => { + const searchManager = new BasicSearchManager(searchProviderSpec); const testcases = [ undefined, "office", @@ -66,8 +78,8 @@ describe(`BasicSearchManager (e2e)`, () => { }); - it.skip(`search() correctly handles cve ID asc sorting`, async () => { - const searchManager = new BasicSearchManager(searchProviderInfo); + it(`search() correctly handles cve ID asc sorting`, async () => { + const searchManager = new BasicSearchManager(searchProviderSpec); const resp = await searchManager.search( 'office', @@ -82,18 +94,18 @@ describe(`BasicSearchManager (e2e)`, () => { // console.log(`resp=${JSON.stringify(resp, null, 2)}`); expect(resp.isOk()).toBeTruthy(); const hits = resp['data']['hits']; - expect(hits.total.value).toBe(8); + expect(hits.total.value).toBe(numFound_office); // for (let i = 0; i < hits.total.value; i++) { // console.log(`cveIDs: ${i}: ${hits.hits[i]._source.cveMetadata.cveId}`); // } expect(hits.hits[0]._source.cveMetadata.cveId).toBe('CVE-2017-8501'); - expect(hits.hits[7]._source.cveMetadata.cveId).toBe('CVE-2022-39024'); + expect(hits.hits[8]._source.cveMetadata.cveId).toBe('CVE-2022-39024'); }); - it.skip(`search() correctly handles cve ID asc sorting`, async () => { - const searchManager = new BasicSearchManager(searchProviderInfo); + it(`search() correctly handles cve ID desc sorting`, async () => { + const searchManager = new BasicSearchManager(searchProviderSpec); const resp = await searchManager.search( 'office', @@ -108,17 +120,17 @@ describe(`BasicSearchManager (e2e)`, () => { // console.log(`resp=${JSON.stringify(resp, null, 2)}`); expect(resp.isOk()).toBeTruthy(); const hits = resp['data']['hits']; - expect(hits.total.value).toBe(8); + expect(hits.total.value).toBe(numFound_office); // for (let i = 0; i < hits.total.value; i++) { // console.log(`cveIDs: ${i}: ${hits.hits[i]._source.cveMetadata.cveId}`); // } - expect(hits.hits[7]._source.cveMetadata.cveId).toBe('CVE-2017-8501'); + expect(hits.hits[8]._source.cveMetadata.cveId).toBe('CVE-2017-8501'); expect(hits.hits[0]._source.cveMetadata.cveId).toBe('CVE-2022-39024'); }); - it.skip(`search() correctly handles simple pagination (under 10000)`, async () => { - const searchManager = new BasicSearchManager(searchProviderInfo); + it(`search() correctly handles simple pagination (under 10000)`, async () => { + const searchManager = new BasicSearchManager(searchProviderSpec); const resp = await searchManager.search( 'office', @@ -135,18 +147,18 @@ describe(`BasicSearchManager (e2e)`, () => { // console.log(`resp=${JSON.stringify(resp, null, 2)}`); expect(resp.isOk()).toBeTruthy(); const hits = resp['data']['hits']; - expect(hits.total.value).toBe(8); + expect(hits.total.value).toBe(numFound_office); // for (let i = 0; i < hits.total.value; i++) { // console.log(`cveIDs: ${i}: ${hits.hits[i]._source.cveMetadata.cveId}`); // } expect(hits.hits[0]._source.cveMetadata.cveId).toBe('CVE-2022-38745'); - expect(hits.hits[2]._source.cveMetadata.cveId).toBe('CVE-2018-0807'); + expect(hits.hits[2]._source.cveMetadata.cveId).toBe('CVE-2022-30190'); }); // ----- spock test for ok search() against a test opensearch instance [ - `"127.0.0.1:1234"`, + // `"127.0.0.1:1234"`, // @todo `"127.0.0.1"`, "2020", "office", @@ -161,23 +173,27 @@ describe(`BasicSearchManager (e2e)`, () => { `in-the-middle`, `"in-the-middle"`, `Node.JS`, - `"Node JS"`, - `serial_core.c`, - `https://pastebin.com/kpzHKKJu`, + // `"Node JS"`, //@todo there are no CVEs that has the phrase "Node JS" + // `serial_core.c`, // moved + // `https://pastebin.com/kpzHKKJu`, //@todo this used to work in 2.1, but now requires quotes + `"https://pastebin.com/kpzHKKJu"`, `microsoft ???? office ?????????`, // `aaaaa`, requires CVE-2019-7674 and CVE-2004-0329 // `f8cd397...fabac6c`, // this works, but requires CVE-2019-13107 // for more cases like this, see #63 + ].forEach(async (testcase) => { - it.skip(`search(${testcase}) correctly returns expected data (ok CveResult)`, async () => { - const searchManager = new BasicSearchManager(searchProviderInfo); + it(`search(${testcase}) correctly returns expected data (ok CveResult)`, async () => { + const searchManager = new BasicSearchManager(searchProviderSpec); // testcases.forEach(async (testcase) => { const resp = await searchManager.search(testcase, { track_total_hits: true, metadataOnly: true }); + if (!resp.isOk()) { + console.log(`resp: ${JSON.stringify(resp, null, 2)}`); + } expect(resp.isOk()).toBeTruthy() - // console.log(`resp: ${JSON.stringify(resp, null, 2)}`); if (resp['data']) { const dat = resp['data']['hits']['hits'][0]; expect(dat).toMatchSnapshot({ @@ -200,11 +216,11 @@ describe(`BasicSearchManager (e2e)`, () => { undefined, null, ``, - `"127.0.0.*"`, + // `"127.0.0.*"`, // supported now `{{funct()}}` ].forEach(async (testcase) => { - it.skip(`search(${testcase}) correctly returns expected errors (error CveResult)`, async () => { - const searchManager = new BasicSearchManager(searchProviderInfo); + it(`search(${testcase}) correctly returns expected errors (error CveResult)`, async () => { + const searchManager = new BasicSearchManager(searchProviderSpec); // testcases.forEach(async (testcase) => { const resp = await searchManager.search(testcase); expect(resp.hasErrors()).toBeTruthy() diff --git a/src/search/BasicSearchManager.ts b/src/search/BasicSearchManager.ts new file mode 100644 index 0000000..94d06ed --- /dev/null +++ b/src/search/BasicSearchManager.ts @@ -0,0 +1,71 @@ +// set up environment +import * as dotenv from 'dotenv'; +dotenv.config(); + +import { CveErrorCodes, CveResult } from '../result/CveResult.js'; +import { SearchProviderSpec } from '../adapters/search/SearchAdapter.js'; +import { SearchQueryBuilder } from './SearchQueryBuilder.js'; +import { SearchReader } from '../adapters/search/SearchReader.js'; +import { SearchResultData } from "./SearchResultData.js"; + + +/** options when using search() + * for defaults see SearchRequest constructor where it is explicitly set +*/ +export class SearchOptions { + useCache: boolean; + track_total_hits: boolean; + default_operator: "AND" | "OR" + metadataOnly: boolean; // only return "cveMetadata", "containers.cna.descriptions.value" + fields: string[]; + sort: {}[]; + from: number; + size: number; +} + + +/** A manager class that provides basic search capabilities + * including a flexible search() that provides consistent + * search behavior among apps (e.g., WebSearch and SearchAPI) +*/ +export class BasicSearchManager { + + _searchReader: SearchReader; + + /** constructor that sets up provider information + * @param searchProviderSpec optional specifications providing provider information + * default is to read it from environment variables + */ + constructor(searchProviderSpec: SearchProviderSpec = undefined) { + if (!searchProviderSpec) { + searchProviderSpec = SearchProviderSpec.getDefaultSearchProviderSpec() + } + this._searchReader = new SearchReader( + searchProviderSpec.providerEndpoint, + searchProviderSpec.index); + } + + + /** search for text at search provider + * @param searchText the text string to search for + * @param options options to specify how to search, with well-defined defaults + */ + async search(searchText: string, options: Partial = undefined): Promise { + let response = undefined; + const builder = new SearchQueryBuilder(searchText, options); + const result: CveResult = builder.buildQuery() + // console.log(`result=${JSON.stringify(result, null, 2)}`) + if (result.isOk()) { + // console.log(`q: ${JSON.stringify(result.data['q'], null, 2)}`) + response = await this._searchReader._client.search({ + index: this._searchReader._cveIndex, + body: result.data['q'] + }); + // console.log(`response: ${JSON.stringify(response, null, 2)}`); + result.data = response.body; + // return CveResult.ok(response.body as SearchResultData); + } + return result + } + +} \ No newline at end of file diff --git a/src/search/SearchQueryBuilder.test.unit.ts b/src/search/SearchQueryBuilder.test.unit.ts new file mode 100644 index 0000000..a2ba393 --- /dev/null +++ b/src/search/SearchQueryBuilder.test.unit.ts @@ -0,0 +1,79 @@ +// For a more comprehensive set of test cases, see the tests +// in test_cases/search_* + +import { SearchOptions } from "./BasicSearchManager.js" +import { SearchRequestType, SearchRequest, SearchRequestTypeId } from "./SearchRequest.js"; +import { SearchQueryBuilder } from './SearchQueryBuilder.js'; + +describe(`SearchQueryBuilder`, () => { + + const kSimpleSearchString = 'office' + const kSimpleUnsupportedSearchString = '127.0.0.*' + + // ----- constructor + + it(`constructor(simpleString) correctly sets all fields with proper defaults for options`, async () => { + const builder = new SearchQueryBuilder(kSimpleSearchString) + expect(builder._searchText).toBe(kSimpleSearchString) + expect(builder._searchOptions.track_total_hits).toBeTruthy() + }); + + + it(`constructor(simpleString,{track_total_hits:value}) correctly sets all fields with specified options`, async () => { + const builder = new SearchQueryBuilder(kSimpleSearchString, { track_total_hits: true }) + expect(builder._searchText).toBe(kSimpleSearchString) + expect(builder._searchOptions.track_total_hits).toBeTruthy() + + const req2 = new SearchQueryBuilder(kSimpleSearchString, { track_total_hits: false }) + expect(req2._searchText).toBe(kSimpleSearchString) + expect(req2._searchOptions.track_total_hits).toBeFalsy() + }); + + + it(`constructor with options for paging correctly returns the number requested`, async () => { + const builder = new SearchQueryBuilder(kSimpleSearchString, + { + track_total_hits: true, + from: 200, + size: 50 + }); + const req = builder._searchRequest + const result = req.processSearchText(); + // console.log(`result: ${JSON.stringify(result, null, 2)}`); + expect(result.data['searchTextType']).toBe("SEARCH_GENERAL_TEXT"); + expect(result.data['processedSearchText']).toBe(kSimpleSearchString); + expect(result).toMatchSnapshot(); + expect(req._searchText).toBe(result.data['processedSearchText']); + expect(req).toMatchSnapshot(); + }); + + + // ----- spock+snapshot testing constructor+buildRequest() + + + const testCases: [string, Partial][] = [ + [`office`, { track_total_hits: true }], + [`"office"`, { track_total_hits: true }], + [`microsoft office`, { track_total_hits: false }], + [`"https://pastebin.com/kpzHKKJu"`, { track_total_hits: true }], + [`"microsoft office"`, { track_total_hits: false }], + [`CVE-2020-5422`, { useCache: false }], + [`CVE-2000`, { metadataOnly: false }], + [`CWE-123`, { + track_total_hits: false, + default_operator: 'OR', + metadataOnly: true + }], + [`CAPEC-64`, { default_operator: 'OR' }], + ] + testCases.forEach((test: [string, Partial]) => { + it(`(${test[0]},${JSON.stringify(test[1])})..buildQuery() correctly returns the expected query`, async () => { + const builder = new SearchQueryBuilder(test[0], test[1]) + expect(builder.buildQuery()).toMatchSnapshot(); + }); + }); + +}); + + + diff --git a/src/search/SearchQueryBuilder.ts b/src/search/SearchQueryBuilder.ts new file mode 100644 index 0000000..4903d51 --- /dev/null +++ b/src/search/SearchQueryBuilder.ts @@ -0,0 +1,99 @@ +import { CveResult } from '../result/CveResult.js'; +import { SearchOptions } from './BasicSearchManager.js'; +import { SearchRequest } from './SearchRequest.js'; + +/** + * a search query builder that analyzes a user's search text and builds a proper search query + * for OpenSearch + */ +export class SearchQueryBuilder { + + /** the user entered text */ + _searchText: string; + + /** search options when validating input and building query string */ + _searchOptions: SearchOptions + + /** the searchRequest based on the search term(s) from the user */ + _searchRequest: SearchRequest; + + // _query: {} + + /** + */ + constructor(searchText: string, options: Partial = undefined) { + this._searchText = searchText; + this._searchOptions = { + useCache: options?.useCache ?? true, + track_total_hits: options?.track_total_hits ?? true, + default_operator: options?.default_operator ?? "AND", + metadataOnly: options?.metadataOnly ?? false, + fields: options?.fields ?? [], + sort: options?.sort ?? [{ + "cveMetadata.cveId.keyword": { "order": "desc" } + }], + from: options?.from ?? 0, + size: options?.size ?? 25, + }; + this._searchRequest = new SearchRequest(searchText) + } + + + /** builds the proper query for openSearch */ + buildQuery(): CveResult { + const result: CveResult = this._searchRequest.processSearchText(); + // console.log(`result.data: ${JSON.stringify(result.data)}`) + + // if there are any errors, return result which already contains errors and notes + if (!result.isOk()) { + return result; + } + + let q = { + query: {} + }; + // ----- query_string + q.query['query_string'] = { + query: `${this._searchText}`, + default_operator: this._searchOptions.default_operator + }; + + // ----- _source, which specifies which CVE fields are to be returned + const source: string[] = []; + if (this._searchOptions.metadataOnly) { + source.push("cveMetadata", "containers.cna.descriptions.value"); + } + if (source.length > 0) { + q['_source'] = source; + } + // ----- search only in fields + if (this._searchOptions.fields) { + source.push(...this._searchOptions.fields); + } + + // console.log(`***${JSON.stringify(q, null, 2)}`) + // ----- track_total_hits + if (this._searchOptions.track_total_hits) { + q['track_total_hits'] = this._searchOptions.track_total_hits; + } + // ----- sort + let sort = []; + if (this._searchOptions.sort) { + this._searchOptions.sort.forEach(field => { + sort.push(field); + }); + } + if (sort.length > 0) { + q['sort'] = sort; + } + // ----- from + q['from'] = this._searchOptions.from; + // ----- size + q['size'] = this._searchOptions.size; + // ----- q + result.data['q'] = q; + + return result; + } + +} \ No newline at end of file diff --git a/src/search/SearchRequest.test.unit.ts b/src/search/SearchRequest.test.unit.ts new file mode 100644 index 0000000..d7c44b4 --- /dev/null +++ b/src/search/SearchRequest.test.unit.ts @@ -0,0 +1,437 @@ +// For a more comprehensive set of test cases, see the tests +// in test_cases/search_* + +import { SearchOptions } from "./BasicSearchManager.js" +import { SearchRequestType, SearchRequest, SearchRequestTypeId } from "./SearchRequest.js"; + +describe(`SearchRequest`, () => { + + const kSimpleSearchString = 'office' + const kSimpleUnsupportedSearchString = '{}' + + // ----- constructor + + it(`constructor(simpleString) correctly sets all fields with proper defaults for options`, async () => { + const req = new SearchRequest(kSimpleSearchString) + expect(req._searchText).toBe(kSimpleSearchString) + // expect(req._searchOptions.track_total_hits).toBeTruthy() + }); + + it(`processSearchText() correctly returns an "ok" result`, async () => { + const req = new SearchRequest(kSimpleSearchString, { track_total_hits: true }); + const result = req.processSearchText(); + // console.log(`result: ${JSON.stringify(result, null, 2)}`); + expect(result.isOk()).toBeTruthy(); + expect(result.data['searchTextType']).toBe("SEARCH_GENERAL_TEXT"); + expect(result.data['processedSearchText']).toBe(kSimpleSearchString); + expect(result).toMatchSnapshot(); + expect(req._searchText).toBe(result.data['processedSearchText']); + expect(req).toMatchSnapshot(); + }); + + + it(`processSearchText() correctly returns an "errors" result`, async () => { + const req = new SearchRequest(kSimpleUnsupportedSearchString, { track_total_hits: false }); + const result = req.processSearchText(); + // console.log(`result: ${JSON.stringify(result, null, 2)}`); + expect(result.hasErrors()).toBeTruthy(); + expect(result.hasNotes()).toBeTruthy(); + expect(result.data['searchTextType']).toBe("SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS"); + expect(result.data['processedSearchText']).toBe(kSimpleUnsupportedSearchString); + expect(result).toMatchSnapshot(); + expect(req._searchText).toBe(result.data['processedSearchText']); + expect(req).toMatchSnapshot(); + }); + + + // // ----- spock+snapshot testing constructor+findSearchRequestType+processSearchText() + + + [ + // ----- reserved characters in strings ----- + // ["{getTotal()}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', "{getTotal()}"], + // ["{=getTotal()}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', "{=getTotal()}"], + // ["{inField('description')}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', "{inField('description')}"], + // ["CVE-2020-0001 {inField('description')}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', `\"CVE-2020-0001\\\" {inField('description')}"], + // ----- simple search strings ----- + ["2020", 'SEARCH_GENERAL_TEXT', "2020"], + ["office", 'SEARCH_GENERAL_TEXT', "office"], + [`"office"`, 'SEARCH_GENERAL_TEXT', "office"], + [`"office`, 'SEARCH_GENERAL_TEXT', "office"], + [`office"`, 'SEARCH_GENERAL_TEXT', "office"], + ["microsoft office", 'SEARCH_GENERAL_TEXT', "microsoft office"], + ["docker compose", 'SEARCH_GENERAL_TEXT', "docker compose"], + // ----- double quoted strings ----- + // [`"microsoft office"`, 'SEARCH_PHRASE', `\"microsoft office\"`], // @todo + // ----- hyphenated search strings ----- + ["CVE-2020-5422", 'SEARCH_AS_CVE_ID', `\"CVE-2020-5422\"`], + ["CVE-1998-5422", 'SEARCH_AS_CVE_ID', `\"CVE-1998-5422\"`], // @todo invalid CVE ID should detected as such + // ["CVE-3998-5422", 'SEARCH_ERROR_INVALID_CVE_ID', `\"CVE-1998-5422\"`], // @todo invalid CVE ID should detected as such + ["CVE-2020-5422 CVE-2020-5423", 'SEARCH_AS_CVE_ID', `\"CVE-2020-5422\" \"CVE-2020-5423\"`], + ["CVE-2020-5422 CVE-2020-5423 CVE-2020-5424 CVE-2020-5425", 'SEARCH_AS_CVE_ID', `\"CVE-2020-5422\" \"CVE-2020-5423\" \"CVE-2020-5424\" \"CVE-2020-5425\"`], + ["CVE 2020 5422", 'SEARCH_GENERAL_TEXT', "CVE 2020 5422"], + ["CVE-2000", 'SEARCH_AS_CVE_YEAR', `\"CVE-2000\"`], + ["CWE-123", 'SEARCH_AS_CWE_ID', `\"CWE-123\"`], + ["CAPEC-63", 'SEARCH_AS_CAPEC_ID', `\"CAPEC-63\"`], + // ["PAN-OS", 'SEARCH_PHRASE', `\"PAN-OS\"`], // @todo + // ["-PAN-OS", 'SEARCH_STRING_NOT_SUPPORTED', "-PAN-OS"], + // ["docker-compose", 'SEARCH_PHRASE', `\"docker-compose\"`], // @todo + // ["-x", 'SEARCH_STRING_NOT_SUPPORTED', "-x"], + // ["--x", 'SEARCH_STRING_NOT_SUPPORTED', "--x"], + // ["x--", 'SEARCH_PHRASE', `\"x--\"`], // @todo + // ["PAN-OS-", 'SEARCH_PHRASE', `\"PAN-OS-\"`], // @todo + // ["man-in-the-middle-attack", 'SEARCH_PHRASE', `\"man-in-the-middle-attack\"`], // @todo + // [`"man-in-the-middle Attack"`, 'SEARCH_PHRASE', `\"man-in-the-middle Attack\"`], // @todo + // [`"man in the middle Attack"`, 'SEARCH_PHRASE', `\"man in the middle Attack\"`], // @todo + // ["1-2-3-4", 'SEARCH_PHRASE', `\"1-2-3-4\"`], // @todo + // ----- periods ----- + // [`\"f8cd397...fabac6c\"`, 'SEARCH_AS_FILENAME', `\"f8cd397...fabac6c\"`],// @todo needs CVE-2019-13107 + // ["f8cd397...fabac6c", 'SEARCH_AS_FILENAME', "f8cd397...fabac6c"],// @todo needs CVE-2019-13107 + // ["Node.JS", 'SEARCH_AS_FILENAME', `\"Node.JS\"`], // @todo + // ["serial_core.c", 'SEARCH_AS_FILENAME', `\"serial_core.c\"`], // @todo + // ----- urls ----- + ["https://pastebin.com/kpzHKKJu", 'SEARCH_AS_URL', "\"https://pastebin.com/kpzHKKJu\""], + ["wikipedia.org", 'SEARCH_AS_URL', "\"wikipedia.org\""], + ["en.wikipedia.org", 'SEARCH_AS_URL', "\"en.wikipedia.org\""], + ["http://en.wikipedia.org", 'SEARCH_AS_URL', "\"http://en.wikipedia.org\""], + ["https://en.wikipedia.org", 'SEARCH_AS_URL', "\"https://en.wikipedia.org\""], + ["https://marketplace.microfocus.com/itom/content/operations-bridge-manager-obm-2022-05-hotfixes", 'SEARCH_AS_URL', "\"https://marketplace.microfocus.com/itom/content/operations-bridge-manager-obm-2022-05-hotfixes\""], + ["https://portal.microfocus.com/s/article/KM000012517?language=en_US", 'SEARCH_AS_URL', "\"https://portal.microfocus.com/s/article/KM000012517?language=en_US\""], + ["https://en.wikipedia.org/abc/def?x=123&y=234", 'SEARCH_AS_URL', "\"https://en.wikipedia.org/abc/def?x=123&y=234\""], + ["https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty=true", 'SEARCH_AS_URL', "\"https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty=true\""], + ["https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty", 'SEARCH_AS_URL', "\"https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty\""], + ["https://pastebin.com/kpzHKKJu", 'SEARCH_AS_URL', "\"https://pastebin.com/kpzHKKJu\""], + ["ftp://en.wikipedia.org", 'SEARCH_AS_URL', "\"ftp://en.wikipedia.org\""], + ["file://example.md", 'SEARCH_AS_URL', "\"file://example.md\""], + // ["file://../example.md", 'SEARCH_AS_URL', "\"file://../example.md\""], + // ["file://../../example.md", 'SEARCH_AS_URL', "\"file://../../example.md\""], + ["ws://127.0.0.1/scoreboard", 'SEARCH_AS_URL', "\"ws://127.0.0.1/scoreboard\""], + ["wss://game.example.com/scoreboard", 'SEARCH_AS_URL', "\"wss://game.example.com/scoreboard\""], + ["app://com.foo.bar/index.html", 'SEARCH_AS_URL', "\"app://com.foo.bar/index.html\""], + // ["admin:/etc/default/grub", 'SEARCH_AS_URL', "\"admin:/etc/default/grub\""], // @todo used by gnome desktops + // jdbc:sqlserver://serverName\instanceName:portNumber;params... + // msteams:/l/... @todo used by microsoft teams + // ms-excel:ofv|u| + // ... other office products, see https://en.wikipedia.org/wiki/List_of_URI_schemes + // ["psns://browse?product=1234", 'SEARCH_AS_URL', "\"psns://browse?product=1234\""], + // ["rdar://10198949", 'SEARCH_AS_URL', "\"rdar://10198949\""], + ["https://mybucket-example-com.s3.amazonaws.com/userid/images/test.jpg", 'SEARCH_AS_URL', "\"https://mybucket-example-com.s3.amazonaws.com/userid/images/test.jpg\""], + ["https://mybucket-example-com.s3.amazonaws.com", 'SEARCH_AS_URL', "\"https://mybucket-example-com.s3.amazonaws.com\""],//@todo + // ----- IPv4 search strings (some from https://jsfiddle.net/opd1v7au/2/) ----- + ["127.0.0.1", 'SEARCH_AS_IPv4', `\"127.0.0.1\"`], + [" 127.0.0.1 ", 'SEARCH_AS_IPv4', `\"127.0.0.1\"`], + // ["127.0.0.1:1234", 'SEARCH_AS_IPv4', "127.0.0.1:1234"],// @todo + // ----- version search strings ----- + ["1.0", 'SEARCH_AS_VERSION', `\"1.0\"`], + ["1.0.1", 'SEARCH_AS_VERSION', `\"1.0.1\"`], + ["v1.0", 'SEARCH_AS_VERSION', `\"v1.0\"`], + ["v1.0.1", 'SEARCH_AS_VERSION', `\"v1.0.1\"`], + ["V1.2.0", 'SEARCH_AS_VERSION', `\"V1.2.0\"`], + ["1.2.4.6.2345.1.1.1.0.1.1.0", 'SEARCH_AS_VERSION', `\"1.2.4.6.2345.1.1.1.0.1.1.0\"`], + ["1.2.3-RC5", 'SEARCH_AS_VERSION', `\"1.2.3-RC5\"`], + ["1.2-RC5", 'SEARCH_AS_VERSION', `\"1.2-RC5\"`], + ["1.2-RC55", 'SEARCH_AS_VERSION', `\"1.2-RC55\"`], + ["1.2.3-alpha", 'SEARCH_AS_VERSION', `\"1.2.3-alpha\"`], + ["v1.2.3-alpha", 'SEARCH_AS_VERSION', `\"v1.2.3-alpha\"`], + ["1.2 GB", 'SEARCH_STRING_MULTIPLE_TYPES', `\"1.2\" GB`], + // [".2.1", 'SEARCH_STRING_NOT_SUPPORTED', ".2.1"], + // ----- multiple simple strings ----- + ["CAPEC 63", 'SEARCH_GENERAL_TEXT', "CAPEC 63"], + // ----- multiple search type strings ----- + ["CVE-2020 5422", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020\" 5422`], + ["5422 CVE-2020", 'SEARCH_STRING_MULTIPLE_TYPES', `5422 \"CVE-2020\"`], + ["CVE-2020 office", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020\" office`], // not working + ["CWE 123", 'SEARCH_GENERAL_TEXT', "CWE 123"], + ["CWE-123 office", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CWE-123\" office`], // not working + ["CVE-2020-5422 CAPEC-63", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020-5422\" \"CAPEC-63\"`], + ["A&P office", 'SEARCH_STRING_MULTIPLE_TYPES', `\"A&P\" office`], + ["ATT&CK 123", 'SEARCH_STRING_MULTIPLE_TYPES', `\"ATT&CK\" 123`], + // ["CVE-2020-0001 {inField('description')}", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020-0001\" {inField('description')}`], + // ----- & ----- + ["ATT&CK", 'SEARCH_PHRASE', `\"ATT&CK\"`], + ["A&P", 'SEARCH_PHRASE', `\"A&P\"`], + // ----- "fall through matches" that may be confusing ----- + ["01.102.103.104", 'SEARCH_AS_VERSION', `\"01.102.103.104\"`], // looks like ipv4, but not because of first 0 + ["127.0.0.1.1.1.1", 'SEARCH_AS_VERSION', `\"127.0.0.1.1.1.1\"`], + // [".127.0.0", 'SEARCH_STRING_NOT_SUPPORTED', ".127.0.0"], + // ----- repeating characters ----- + // ["?????????", 'SEARCH_GENERAL_TEXT', ""], // @todo + ["aaaaa", 'SEARCH_GENERAL_TEXT', "aaaaa"], + ["aaaaa !!!!!!!!!!!! !!!!!!!!!", 'SEARCH_GENERAL_TEXT', "aaaaa"], + ["ééééééé èèèèèè ÄÄÄÄÄ, ööööö, üüüüü, ßßßßß", 'SEARCH_GENERAL_TEXT', "ééééééé èèèèèè ÄÄÄÄÄ, ööööö, üüüüü, ßßßßß"], + ["¿¿¿¿¿ ééééééé ????? èèèèèè ÄÄÄÄÄ, ööööö, üüüüü, ßßßßß ~~~~~ üüüüüüü !!!!!!!!!!!! !!!!!!!!!", 'SEARCH_GENERAL_TEXT', "ééééééé èèèèèè ÄÄÄÄÄ, ööööö, üüüüü, ßßßßß üüüüüüü"], + ["microsoft ???? office ?????????", 'SEARCH_GENERAL_TEXT', "microsoft office"], + ["microsoft ##### office #####", 'SEARCH_GENERAL_TEXT', "microsoft office"], + ] + .forEach((test: [string, string, string]) => { + it(`processSearchText("${test[0]}") correctly returns the SearchRequestTypeId ${test[1]}`, async () => { + const req = new SearchRequest(test[0]) + const result = req.processSearchText() + // expect(result.isOk()).toBeTruthy() + expect(result.data['searchTextType']).toBe(test[1] as SearchRequestTypeId); + expect(result.data['processedSearchText']).toBe(test[2]) + expect(req._searchText).toBe(test[2]) + }); + }); + + [ + // ----- reserved characters in strings ----- + ["{getTotal()}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', "{getTotal()}"], + ["{=getTotal()}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', "{=getTotal()}"], + ["{inField('description')}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', "{inField('description')}"], + // ["CVE-2020-0001 {inField('description')}", 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS', `\"CVE-2020-0001\\\" {inField('description')}"], + // ----- disallowed strings ----- + // ["CVE–1999–0001", 'SEARCH_GENERAL_TEXT', "CVE–1999–0001"], + + ["127.0.0.*", 'SEARCH_AS_WILDCARD_ASTERISK', "127.0.0.*"], + // [".127.0.0.*", 'SEARCH_AS_WILDCARD_ASTERISK', ".127.0.0.*"], + // [".127.0.0.???", 'WILDCARD_QUESTION_SEARCH_NOT_SUPPORTED', ".127.0.0.???"], + // [".127.0.0.*", 'SEARCH_AS_WILDCARD_ASTERISK', ".127.0.0.*"], + + // // ----- simple search strings ----- + // ["2020", 'SEARCH_GENERAL_TEXT', "2020"], + // ["office", 'SEARCH_GENERAL_TEXT', "office"], + // [`"office"`, 'SEARCH_GENERAL_TEXT', "office"], + // [`"office`, 'SEARCH_GENERAL_TEXT', "office"], + // [`office"`, 'SEARCH_GENERAL_TEXT', "office"], + // ["microsoft office", 'SEARCH_GENERAL_TEXT', "microsoft office"], + // [`"man-in-the-middle Attack"`, 'SEARCH_PHRASE', `\"man-in-the-middle Attack\"`], + // ["docker compose", 'SEARCH_GENERAL_TEXT', "docker compose"], + // // ----- double quoted strings ----- + // // [`"microsoft office"`, 'SEARCH_PHRASE', `\"microsoft office\"`], // @todo + // // ----- hyphenated search strings ----- + // ["CVE-2020-5422", 'SEARCH_AS_CVE_ID', `\"CVE-2020-5422\"`], + // ["CVE-1998-5422", 'SEARCH_AS_CVE_ID', `\"CVE-1998-5422\"`], // @todo invalid CVE ID should detected as such + // // ["CVE-3998-5422", 'SEARCH_ERROR_INVALID_CVE_ID', `\"CVE-1998-5422\"`], // @todo invalid CVE ID should detected as such + // ["CVE-2020-5422 CVE-2020-5423", 'SEARCH_AS_CVE_ID', `\"CVE-2020-5422\" \"CVE-2020-5423\"`], + // ["CVE-2020-5422 CVE-2020-5423 CVE-2020-5424 CVE-2020-5425", 'SEARCH_AS_CVE_ID', `\"CVE-2020-5422\" \"CVE-2020-5423\" \"CVE-2020-5424\" \"CVE-2020-5425\"`], + // ["CVE 2020 5422", 'SEARCH_GENERAL_TEXT', "CVE 2020 5422"], + // ["CVE-2000", 'SEARCH_AS_CVE_YEAR', `\"CVE-2000\"`], + // ["CWE-123", 'SEARCH_AS_CWE_ID', `\"CWE-123\"`], + // ["CAPEC-63", 'SEARCH_AS_CAPEC_ID', `\"CAPEC-63\"`], + // ["PAN-OS", 'SEARCH_PHRASE', `\"PAN-OS\"`], + // ["-PAN-OS", 'SEARCH_STRING_NOT_SUPPORTED', "-PAN-OS"], // @todo + // ["docker-compose", 'SEARCH_PHRASE', `\"docker-compose\"`], + // ["-x", 'SEARCH_STRING_NOT_SUPPORTED', "-x"], // @todo + // ["--x", 'SEARCH_STRING_NOT_SUPPORTED', "--x"], // @todo + // ["x--", 'SEARCH_PHRASE', `\"x--\"`], + // ["PAN-OS-", 'SEARCH_PHRASE', `\"PAN-OS-\"`], + // ["man-in-the-middle-attack", 'SEARCH_PHRASE', `\"man-in-the-middle-attack\"`], + // [`"man-in-the-middle Attack"`, 'SEARCH_PHRASE', `\"man-in-the-middle Attack\"`], + // // [`"man in the middle Attack"`, 'SEARCH_PHRASE', `\"man in the middle Attack\"`], // @todo + // ["1-2-3-4", 'SEARCH_PHRASE', `\"1-2-3-4\"`], + // // ----- periods ----- + // // [`\"f8cd397...fabac6c\"`, 'SEARCH_AS_FILENAME', `\"f8cd397...fabac6c\"`],// @todo needs CVE-2019-13107 + // // ["f8cd397...fabac6c", 'SEARCH_AS_FILENAME', "f8cd397...fabac6c"],// @todo needs CVE-2019-13107 + // // ["Node.JS", 'SEARCH_AS_FILENAME', `\"Node.JS\"`], // @todo + // // ["serial_core.c", 'SEARCH_AS_FILENAME', `\"serial_core.c\"`], // @todo + // // ----- urls ----- + // ["wikipedia.org", 'SEARCH_AS_URL', "wikipedia.org"], + // ["en.wikipedia.org", 'SEARCH_AS_URL', "en.wikipedia.org"], + // ["http://en.wikipedia.org", 'SEARCH_AS_URL', "http://en.wikipedia.org"], + // ["https://en.wikipedia.org", 'SEARCH_AS_URL', "https://en.wikipedia.org"], + // ["https://marketplace.microfocus.com/itom/content/operations-bridge-manager-obm-2022-05-hotfixes", 'SEARCH_AS_URL', "https://marketplace.microfocus.com/itom/content/operations-bridge-manager-obm-2022-05-hotfixes"], + // ["https://portal.microfocus.com/s/article/KM000012517?language=en_US", 'SEARCH_AS_URL', "https://portal.microfocus.com/s/article/KM000012517?language=en_US"], + // ["https://en.wikipedia.org/abc/def?x=123&y=234", 'SEARCH_AS_URL', "https://en.wikipedia.org/abc/def?x=123&y=234"], + // ["https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty=true", 'SEARCH_AS_URL', "https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty=true"], + // ["https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty", 'SEARCH_AS_URL', "https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty"], + // ["http://user:pass@google.com/?a=b&abc=1%22#25", 'SEARCH_AS_URL', "http://user:pass@google.com/?a=b&abc=1%22#25"], + // ["https://user:pass@google.com/?a=b&abc=1%22#25", 'SEARCH_AS_URL', "https://user:pass@google.com/?a=b&abc=1%22#25"], + // ["https://user:pass@one-two-three.xyz.com/?a=b&abc=1%22#25", 'SEARCH_AS_URL', "https://user:pass@one-two-three.xyz.com/?a=b&abc=1%22#25"], + // ["http://user:pass@127.0.0.1/?a=b&abc=1%22#25", 'SEARCH_AS_URL', "http://user:pass@127.0.0.1/?a=b&abc=1%22#25"], + // ["https://user:pass@127.0.0.1/?a=b&abc=1%22#25", 'SEARCH_AS_URL', "https://user:pass@127.0.0.1/?a=b&abc=1%22#25"], + // ["ftp://en.wikipedia.org", 'SEARCH_AS_URL', "ftp://en.wikipedia.org"], + // ["file://example.md", 'SEARCH_AS_URL', "file://example.md"], + // ["file://../example.md", 'SEARCH_AS_URL', "file://../example.md"], + // ["file://../../example.md", 'SEARCH_AS_URL', "file://../../example.md"], + // ["ws://127.0.0.1/scoreboard", 'SEARCH_AS_URL', "ws://127.0.0.1/scoreboard"], + // ["wss://game.example.com/scoreboard", 'SEARCH_AS_URL', "wss://game.example.com/scoreboard"], + // ["app://com.foo.bar/index.html", 'SEARCH_AS_URL', "app://com.foo.bar/index.html"], + // // ["admin:/etc/default/grub", 'SEARCH_AS_URL', "admin:/etc/default/grub"], @todo used by gnome desktops + // // jdbc:sqlserver://serverName\instanceName:portNumber;params... + // // msteams:/l/... @todo used by microsoft teams + // // ms-excel:ofv|u| + // // ... other office products, see https://en.wikipedia.org/wiki/List_of_URI_schemes + // ["psns://browse?product=1234", 'SEARCH_AS_URL', "psns://browse?product=1234"], + // ["rdar://10198949", 'SEARCH_AS_URL', "rdar://10198949"], + // ["https://mybucket-example-com.s3.amazonaws.com/userid/images/test.jpg", 'SEARCH_AS_URL', "https://mybucket-example-com.s3.amazonaws.com/userid/images/test.jpg"], + // ["https://mybucket-example-com.s3.amazonaws.com", 'SEARCH_AS_URL', "https://mybucket-example-com.s3.amazonaws.com"],//@todo + // // ----- IPv4 search strings (some from https://jsfiddle.net/opd1v7au/2/) ----- + // ["127.0.0.1", 'SEARCH_AS_IPv4', `\"127.0.0.1\"`], + // [" 127.0.0.1 ", 'SEARCH_AS_IPv4', `\"127.0.0.1\"`], + // // ["127.0.0.1:1234", 'SEARCH_AS_IPv4', "127.0.0.1:1234"],// @todo + // // ----- IPv6 search strings(some from https://jsfiddle.net/opd1v7au/2/) ----- + // ["::", 'SEARCH_AS_IPv6', `\"::\"`], + // ["0000:0000:0000:0000:0000:0000:0000:0000", 'SEARCH_AS_IPv6', `\"0000:0000:0000:0000:0000:0000:0000:0000\"`], + // ["2001:db8:3333:4444:5555:6666:1.2.3.4", 'SEARCH_AS_IPv6', `\"2001:db8:3333:4444:5555:6666:1.2.3.4\"`], + // ["::11.22.33.44", 'SEARCH_AS_IPv6', `\"::11.22.33.44\"`], + // ["2001:0000:1234:0000:0000:C1C0:ABCD:0876", 'SEARCH_AS_IPv6', `\"2001:0000:1234:0000:0000:C1C0:ABCD:0876\"`], + ["FF02:0000:0000:0000:0000:0000:0000:0000:0001", 'SEARCH_STRING_NOT_SUPPORTED', "FF02:0000:0000:0000:0000:0000:0000:0000:0001"], + ["3ffe:b00::1::a", 'SEARCH_STRING_NOT_SUPPORTED', "3ffe:b00::1::a"], + [":", 'SEARCH_STRING_NOT_SUPPORTED', ":"], + // // ----- version search strings ----- + // ["1.0", 'SEARCH_AS_VERSION', `\"1.0\"`], + // ["1.0.1", 'SEARCH_AS_VERSION', `\"1.0.1\"`], + // ["v1.0", 'SEARCH_AS_VERSION', `\"v1.0\"`], + // ["v1.0.1", 'SEARCH_AS_VERSION', `\"v1.0.1\"`], + // ["V1.2.0", 'SEARCH_AS_VERSION', `\"V1.2.0\"`], + // ["1.2.4.6.2345.1.1.1.0.1.1.0", 'SEARCH_AS_VERSION', `\"1.2.4.6.2345.1.1.1.0.1.1.0\"`], + // ["1.2.3-RC5", 'SEARCH_AS_VERSION', `\"1.2.3-RC5\"`], + // ["1.2-RC5", 'SEARCH_AS_VERSION', `\"1.2-RC5\"`], + // ["1.2-RC55", 'SEARCH_AS_VERSION', `\"1.2-RC55\"`], + // ["1.2.3-alpha", 'SEARCH_AS_VERSION', `\"1.2.3-alpha\"`], + // ["v1.2.3-alpha", 'SEARCH_AS_VERSION', `\"v1.2.3-alpha\"`], + // ["1.2 GB", 'SEARCH_STRING_MULTIPLE_TYPES', `\"1.2\" GB`], + // [".2.1", 'SEARCH_STRING_NOT_SUPPORTED', ".2.1"], // @todo + // // ----- multiple simple strings ----- + // ["CAPEC 63", 'SEARCH_GENERAL_TEXT', "CAPEC 63"], + // // ----- multiple search type strings ----- + // ["CVE-2020 5422", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020\" 5422`], + // ["5422 CVE-2020", 'SEARCH_STRING_MULTIPLE_TYPES', `5422 \"CVE-2020\"`], + // ["CVE-2020 office", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020\" office`], // not working + // ["CWE 123", 'SEARCH_GENERAL_TEXT', "CWE 123"], + // ["CWE-123 office", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CWE-123\" office`], // not working + // ["CVE-2020-5422 CAPEC-63", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020-5422\" \"CAPEC-63\"`], + // ["A&P office", 'SEARCH_STRING_MULTIPLE_TYPES', `\"A&P\" office`], + // ["ATT&CK 123", 'SEARCH_STRING_MULTIPLE_TYPES', `\"ATT&CK\" 123`], + // // ["CVE-2020-0001 {inField('description')}", 'SEARCH_STRING_MULTIPLE_TYPES', `\"CVE-2020-0001\" {inField('description')}`], + // // ----- & ----- + // ["ATT&CK", 'SEARCH_PHRASE', `\"ATT&CK\"`], + // ["A&P", 'SEARCH_PHRASE', `\"A&P\"`], + // // ----- "fall through matches" that may be confusing ----- + // ["01.102.103.104", 'SEARCH_AS_VERSION', `\"01.102.103.104\"`], // looks like ipv4, but not because of first 0 + // ["127.0.0.1.1.1.1", 'SEARCH_AS_VERSION', `\"127.0.0.1.1.1.1\"`], + // [".127.0.0", 'SEARCH_STRING_NOT_SUPPORTED', ".127.0.0"], // @todo + ] + .forEach((test: [string, string, string]) => { + it(`processSearchText("${test[0]}") correctly returns ${test[1]} and errors`, async () => { + const req = new SearchRequest(test[0]); + const result = req.processSearchText(); + // console.log(`result: ${JSON.stringify(result, null, 2)}`); + // expect(result.hasErrors()).toBeTruthy(); + expect(result.data['searchTextType']).toBe(test[1] as SearchRequestTypeId); + expect(result.data['processedSearchText']).toBe(test[2]); + expect(req._searchText).toBe(test[2]); + }); + }); + + + // ----- spock+snapshot testing tokenizeSearchText() + + [ + ["office", ["office"]], + [`"office"`, ["office"]], + [`"office`, [`"office`]], + [`office"`, [`office"`]], + ["microsoft office", ["microsoft", "office"]], + [`"microsoft office"`, ["microsoft office"]], + ["CVE-2020-5422", ["CVE-2020-5422"]], + ["CVE-2020-5422 CVE-2020-5423", ["CVE-2020-5422", "CVE-2020-5423"]], + ["CVE 2020 5422", ["CVE", "2020", "5422"]], + ["CVE-2020 5422", ["CVE-2020", "5422"]], + ["CVE-2020 office", ["CVE-2020", "office"]], + ["CVE-2020-5422 CAPEC-63", ["CVE-2020-5422", "CAPEC-63"]], + ["CVE-2020-5422 CAPEC-63 microsoft", ["CVE-2020-5422", "CAPEC-63", "microsoft"]], + [`"CVE-2020-5422" CAPEC-63 "microsoft"`, ["CVE-2020-5422", "CAPEC-63", "microsoft"]], + [`"CVE-2020" 5422" CAPEC-63 "microsoft"`, ["CVE-2020", `5422"`, "CAPEC-63", "microsoft"]], + [`'CVE-2020' 5422" CAPEC-63 "microsoft"`, ["'CVE-2020'", `5422"`, "CAPEC-63", "microsoft"]], // single quotes + [`they've finished`, ["they've", `finished`]], // contractions + ["http://en.wikipedia.org/a/b?abc=1&xyz=2", ["http://en.wikipedia.org/a/b?abc=1&xyz=2"]], + ["1 2 3 4", ["1", "2", "3", "4"]], + [`man-in-the-middle`, ["man-in-the-middle"]], + [`"man-in-the-middle"`, [`man-in-the-middle`]], + [`"man-in-the-middle`, [`"man-in-the-middle`]], + [`"man-in" -the-middle`, [`man-in`, `-the-middle`]], + [`"man in the middle"`, [`man in the middle`]], + [`man in the middle`, ["man", "in", "the", "middle"]], + [``, []], + [`"`, [`"`]], + // [`""`, [``]], //@todo + // [`"""`, [`"`]], //@todo + // [`"micro????"`, [`"micro????"`]], // @todo + [`micro*`, [`micro*`]], + [`*micro*`, [`*micro*`]], + [`*micro**`, [`*micro**`]], + [`*micro *`, [`*micro`, `*`]], + [`micro????`, [`micro????`]], + [`micro*????`, [`micro*????`]], + // ----- UTF codes ----- + ] + .forEach((test: [string, string[]]) => { + it(`tokenizeSearchText("${test[0]}") correctly processes "regular" search terms and returns a tokenized list`, async () => { + const res = SearchRequest.tokenizeSearchText(test[0]) + expect(res).toEqual(test[1]) + }); + }); + + + [ + [`"CVE-2020" "microsoft office"`, ["CVE-2020", "microsoft office"]], + [`"CVE-2020" "microsoft" "office"`, ["CVE-2020", "microsoft", "office"]], + [`"1" "1" "2" "1"`, ["1", "1", "2", "1"]], + [`"1 1" "2 1"`, ["1 1", "2 1"]], + ] + .forEach((test: [string, string[]]) => { + it(`tokenizeSearchText("${test[0]}") correctly processes exact phrase search terms and returns a tokenized list`, async () => { + const res = SearchRequest.tokenizeSearchText(test[0]); + expect(res).toEqual(test[1]); + }); + }); + // ----- spock testing static functions + + [ + ["?", false], + ["??", false], + ["???", true], + ["#", false], + ["##", false], + ["###", true], + [" ", false], + [" ", false], + [" ", true], + ["\t", false], + ["\t\t", false], + ["\t\t\t", true], + ["*", false], + ["**", false], + ["***", true], + ["-", false], + ["---", false], + + ["1", false], + ["11", false], + ["1111", false], + ["11111111111111111111111", false], + ["https://abc.com", false], + + ["The quick brown fox jumps over the lazy dog ???", true], + // ["素早い茶色のキツネが怠け者の犬を飛び越える ###", true], // bug? for # in Japanese, always returns false + // ["¿¿¿ El rápido zorro marrón salta sobre el perro perezoso ?", true], // bug? for ¿¿¿ in Spanish, always returns false + ["Le renard brun rapide saute par-dessus le chien paresseux ", true], + ["敏捷的棕色狐狸跳过了懒狗", false], + ["השועל החום המהיר קופץ מעל הכלב העצלן", false], + ["الثعلب البني السريع يقفز فوق الكلب الكسول", false], + ["Быстрая коричневая лиса перепрыгивает через ленивую собаку", false], + ["Η γρήγορη καφετιά αλεπού πηδά πάνω από το τεμπέλικο σκυλί", false], + ] + .forEach((test: [string, boolean]) => { + it(`hasRepeatingSymbols("${test[0]}") correctly returns`, async () => { + const val = SearchRequest.hasRepeatingSymbols(test[0]); + expect(val).toEqual(test[1]); + }); + }); + + [ + ["The quick brown fox jumps over the lazy dog ???", "The quick brown fox jumps over the lazy dog "], + ["素早い茶色のキツネが怠け者の犬を飛び越える ###", "素早い茶色のキツネが怠け者の犬を飛び越える "], + ["Le renard !!!brun rapide saute par-dessus le chien paresseux ", "Le renard brun rapide saute par-dessus le chien paresseux"], + ["¿¿¿El rápido zorro marrón salta sobre el perro perezoso???", "El rápido zorro marrón salta sobre el perro perezoso"], + ] + .forEach((test: [string, string]) => { + it(`replaceRepeatingSymbols("${test[0]}") correctly removes repeating symbols`, async () => { + const val = SearchRequest.replaceRepeatingSymbols(test[0]); + expect(val).toEqual(test[1]); + }); + }); +}); + diff --git a/src/core/search/SearchRequest.ts b/src/search/SearchRequest.ts similarity index 65% rename from src/core/search/SearchRequest.ts rename to src/search/SearchRequest.ts index e8f864f..0dbc05c 100644 --- a/src/core/search/SearchRequest.ts +++ b/src/search/SearchRequest.ts @@ -1,3 +1,6 @@ +import path from 'path'; +import semver from "semver"; +import validator from 'validator'; // import { CveId } from "../CveId.js" import { CveResult, CveErrorId } from "../result/CveResult.js"; import { SearchOptions } from "./BasicSearchManager.js" @@ -9,8 +12,8 @@ export const SearchRequestType = { 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS': `search text cannot contain reserved characters ('{}', '{{}}')`, 'SEARCH_STRING_NOT_SUPPORTED': `search text cannot be used because it has an error`, 'SEARCH_STRING_ERROR': `search text cannot be used because it has a semantic error`, - 'WILDCARD_ASTERISK_SEARCH_NOT_SUPPORTED': `does not support wildcard character '*'`, - 'WILDCARD_QUESTION_SEARCH_NOT_SUPPORTED': `does not support wildcard character '?'`, + // 'WILDCARD_ASTERISK_SEARCH_NOT_SUPPORTED': `does not support wildcard character '*'`, + // 'WILDCARD_QUESTION_SEARCH_NOT_SUPPORTED': `does not support wildcard character '?'`, 'WILDCARD_PERCENT_SEARCH_NOT_SUPPORTED': `does not support wildcard character '%'`, // unchanged search text @@ -18,6 +21,8 @@ export const SearchRequestType = { 'SEARCH_AS_URL': `search text is a URL`, // requires quotes + 'SEARCH_AS_WILDCARD_ASTERISK': `search as wildcard ('*')`, + 'SEARCH_AS_WILDCARD_QUESTION': `search as wildcard ('?')`, 'SEARCH_AS_CVE_ID': `search text is a CVE ID`, 'SEARCH_AS_CVE_YEAR': `search text is a CVE ID year series`, 'SEARCH_AS_CWE_ID': `search text is a CWE ID`, @@ -25,6 +30,7 @@ export const SearchRequestType = { 'SEARCH_AS_IPv4': `search text is an IP v4 address`, 'SEARCH_AS_IPv6': `search text is an IP v6 address`, 'SEARCH_AS_VERSION': `search text is a version string`, + 'SEARCH_AS_FILESPEC': `search text is a version string`, 'SEARCH_PHRASE': `search text is a phrase (surrounded by double quotes)`, // multiple types @@ -52,9 +58,6 @@ export class SearchRequest { /** the user entered text */ _searchText: string - /** search options when validating input and building query string */ - _searchOptions: SearchOptions - // _query: {} /** constructor @@ -63,22 +66,42 @@ export class SearchRequest { */ constructor(searchText: string, options?: Partial) { this._searchText = searchText - this._searchOptions = { - useCache: options?.useCache ?? true, - track_total_hits: options?.track_total_hits ?? true, - default_operator: options?.default_operator ?? "AND", - metadataOnly: options?.metadataOnly ?? false, - fields: options?.fields ?? [], - sort: options?.sort ?? [{ - "cveMetadata.cveId.keyword": { "order": "desc" } - }], - from: options?.from ?? 0, - size: options?.size ?? 25, - } + // this._searchOptions = { + // useCache: options?.useCache ?? true, + // track_total_hits: options?.track_total_hits ?? true, + // default_operator: options?.default_operator ?? "AND", + // metadataOnly: options?.metadataOnly ?? false, + // fields: options?.fields ?? [], + // sort: options?.sort ?? [{ + // "cveMetadata.cveId.keyword": { "order": "desc" } + // }], + // from: options?.from ?? 0, + // size: options?.size ?? 25, + // } // this._query = {} } + /** separates searchText into individual tokens + * @param searchText the text to tokenize + */ + static tokenizeSearchText(searchText: string): string[] { + // based on code generated by gemini + const regex = /"([^"]*)"|\S+/g; // tokenizes all words between double quotes as well as every word outside of quotes + let tokens = []; + let match; + + while ((match = regex.exec(searchText)) !== null) { + if (match[1]) { + tokens.push(match[1]); // Add the content within quotes + } else { + tokens.push(match[0]); // Add the non-quoted token + } + } + return tokens; + } + + /** validate and process the searchText (set in constructor) * The resulting CveResult will only contain a data element * if the searchText is useable by OpenSearch. The data element @@ -93,9 +116,8 @@ export class SearchRequest { */ processSearchText(): CveResult { // console.log(`this._searchText: ${this._searchText}`) - - let result: CveResult = undefined + if (this._searchText === undefined || this._searchText === null || this._searchText.length === 0) { result = CveResult.error(9002) } @@ -120,18 +142,20 @@ export class SearchRequest { case 'SEARCH_AS_IPv6': case 'SEARCH_AS_URL': case 'SEARCH_AS_VERSION': + case 'SEARCH_AS_FILESPEC': case 'SEARCH_PHRASE': // token = `\\\"${token}\\\"` // this is what is needed for mccoy, but when using ``, it is not necessary token = `\"${token}\"` result = CveResult.ok({}, [SearchRequestType[type]]); break; + case 'SEARCH_AS_WILDCARD_ASTERISK': case 'SEARCH_GENERAL_TEXT': token = token.replaceAll(`"`, ''); result = CveResult.ok({}, [SearchRequestType[type]]); // result.pushNotes('all quotes have been removed from search text'); break; case 'SEARCH_STRING_NOT_SUPPORTED': - case 'WILDCARD_ASTERISK_SEARCH_NOT_SUPPORTED': + // case 'WILDCARD_ASTERISK_SEARCH_NOT_SUPPORTED': result = CveResult.error(9003, [SearchRequestType[type]]); break; case 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS': @@ -161,66 +185,15 @@ export class SearchRequest { } - /** - * builds an OpenSearch query after processing the search text specified in the constructor - * @returns - */ - buildRequest(): CveResult { - let result: CveResult = this.processSearchText() - // console.log(`result.data: ${JSON.stringify(result.data)}`) - if (result.isOk()) { - let q = { - query: {} - } - // ----- query_string - q.query['query_string'] = { - query: `${this._searchText}`, - default_operator: this._searchOptions.default_operator - } - // ----- _source - const source = [] - if (this._searchOptions.metadataOnly) { - source.push("cveMetadata") - source.push("containers.cna.descriptions.value") - } - if (this._searchOptions.fields) { - this._searchOptions.fields.forEach(field => { - source.push(field) - }) - } - if (source.length > 0) { - q['_source'] = source - } - // console.log(`***${JSON.stringify(q, null, 2)}`) - // ----- track_total_hits - if (this._searchOptions.track_total_hits) { - q['track_total_hits'] = this._searchOptions.track_total_hits - } - // ----- sort - let sort = []; - if (this._searchOptions.sort) { - this._searchOptions.sort.forEach(field => { - sort.push(field); - }); - } - if (sort.length > 0) { - q['sort'] = sort; - } - // ----- from - q['from'] = this._searchOptions.from; - // ----- size - q['size'] = this._searchOptions.size; - // ----- q - result.data['q'] = q - } - return result - }; - // ----- static methods // ([^0-9a-zA-Z\.])\1{1,} <-- matches repeats of anything except English characters and numbers // ([^\p{L}0-9])\1{3,} <-- matches repeats of anything except language characters and numbers - static repeatingSymbolsRegex = /([^\p{L}0-9])\1{2,}/gu; + // matches repeats of anything except language characters and numbers and ... and --- + static repeatingSymbolsRegex = /([^\p{L}0-9.\-])\1{2,}/gu; + // not greedy version /(.+?)\1+/ + static repeatingPatternsRegex = /(.+)\1+/gu + /** checks for repeating symbols and optionally removes them * @param searchText the search string @@ -253,7 +226,7 @@ export class SearchRequest { return false } if (versionRegex.test(searchText)) { - // other regex that can detect version strings, with different strenghts and weaknesses + // other regex that can detect version strings, with different strengths and weaknesses // [vV]{0,1}\d*(\.[0-9]\d*)*(-\w*)* // \s[vV]{0,1}(\d\.){1,}\d*(-\w*)* // ([vV]{0,1}\d{1,}(\.[\d-\w]{1,}){1,}) @@ -263,6 +236,87 @@ export class SearchRequest { return false }; + isRecognizedVersion(version: string): boolean { + // 1. Semantic Versioning (with optional pre-release/build) + if (semver.valid(version) || semver.valid(semver.coerce(version))) { + return true; + } + + // 2. Date-based (e.g., 2024.06.01, 20240601, 2024-06-01, 2024.06) + if ( + /^\d{4}([.\-_])\d{2}([.\-_])\d{2}$/.test(version) || // 2024.06.01, 2024-06-01, 2024_06_01 + /^\d{8}$/.test(version) || // 20240601 + /^\d{4}([.\-_])\d{2}$/.test(version) || // 2024.06 + /^\d{6}$/.test(version) // 202406 + ) { + return true; + } + + // 3. Android/iOS/macOS/Windows build numbers + if ( + /^[A-Z]{2,3}\d[A-Z]\.\d{6}\.\d{3}(\.[A-Z]\d)?$/.test(version) || // Android build ID (e.g., TP1A.220624.014) + /^[A-Z]{2,3}\d[A-Z]\.\d{6}\.\d{3}\.[A-Z]\d$/.test(version) || // Android build ID with extra part + /^\d{1,2}\.\d{1,2}(\.\d{1,2})?$/.test(version) || // iOS/macOS simple (e.g., 17.5.1, 14.8) + /^[A-Z0-9]{5,6}$/.test(version) // iOS/macOS build (e.g., 17E262, 23F79) + ) { + return true; + } + + // 4. Linux kernel/package versions + if ( + /^\d+\.\d+\.\d+(-[\w\d\.\-]+)?$/.test(version) || // 5.15.0-1067-azure, 4.19.0-18-amd64 + /^\d+\.\d+\.\d+\.\d+(-[\w\d\.\-]+)?$/.test(version) // 3.10.0-1160.99.1.el7.x86_64 + ) { + return true; + } + + // 5. Ubuntu/Windows/macOS/Android/iOS versioning + if ( + /^\d{2}\.\d{2}(\.\d+)?$/.test(version) || // Ubuntu (24.04, 22.04.4) + /^\d+\.\d+\.\d+\.\d+$/.test(version) || // Windows (10.0.19045) + /^\d+\.\d+\.\d+$/.test(version) // iOS/macOS/Android (17.5.1, 12.0.0) + ) { + return true; + } + + // 6. Firmware/hardware (e.g., FW1.0.3, BIOS v2.13, F.21, P1.20, etc.) + if ( + /^(FW|HW|MCU|BIOS|UEFI|F|P|C|R|B|D)[\.\- ]?\d+(\.\d+)*$/.test(version) || // FW1.0.3, BIOS v2.13, F.21, etc. + /^[A-Z]\.\d+\.\d+$/.test(version) // A.01.02 + ) { + return true; + } + + // 7. Alphanumeric custom (e.g., SP1, SR-3, Patch-5, v1.0b, 1.0.1a, etc.) + if ( + /^SP\d+$/.test(version) || // SP1, SP2 + /^SR-\d+$/.test(version) || // SR-3 + /^Patch-\d+$/.test(version) || // Patch-5 + /^v?\d+\.\d+[a-z]$/.test(version) || // v1.0b, 2.1a + /^\d+\.\d+\.\d+[a-z]$/.test(version) || // 1.0.1a + /^v?\d+\.\d+\.\d+[a-z]$/.test(version) // v1.0.1b + ) { + return true; + } + + // 8. Ubuntu/Debian package versioning + if ( + /^\d+\.\d+\.\d+-\d+ubuntu\d+(\.\d+)?$/.test(version) || // 1.2.3-1ubuntu2 + /^\d+\.\d+\.\d+-\d+\.el\d+$/.test(version) || // 1.0.0-1.el8 + /^\d+\.\d+\.\d+-\d+\.beta\d+$/.test(version) // 1.0.0-0.1.beta1 + ) { + return true; + } + + // 9. Feature update naming (Windows) + if (/^\d{2}H\d$/.test(version)) { // 21H2 + return true; + } + + return false; + } + + /** tests if a string is an IPv4 string * @param searchText the single word search text string (i.e., assumes that tokenizeSearchText() @@ -272,35 +326,83 @@ export class SearchRequest { * @returns true iff the search text is an IPv4 string */ static isIpV4String(searchText: string): boolean { - // original from https://jsfiddle.net/opd1v7au/2/ - // const ipRegex = /^((?!(0))\d{1,3}(.\d{1,3}){3,3})$/ - const ipRegex = /^[1-9]{1}\d{1,3}(.\d{1,3}){3,3}$/ - // const ipRegex = /((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))/; - if (searchText.indexOf('.') >= 0 && ipRegex.test(searchText)) { - return true - } - return false + return validator.isIP(searchText, 4); }; - /** tests if a string is a domain name + /** tests if a string is an IPv6 string * @param searchText the single word search text string (i.e., assumes that tokenizeSearchText() * has already been called) * Note that this is a function because there are multiple places - * where a domain name can be matched - * @returns true iff the search text is a domain name + * where an IPv6 string can be matched + * @returns true iff the search text is an IPv6 string */ - static isDomainName(searchText: string): boolean { - // original from https://regex101.com/r/wN6cZ7/365 - const domainRegex = /^(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?([^:\/?\n]+)/igm - searchText.trim(); - if (searchText[0] !== '.' && domainRegex.test(searchText)) { - return true - } - return false + static isIpV6String(searchText: string): boolean { + return validator.isIP(searchText, 6); }; + // default options for url search requests + private static sDefaultUrlValidationOptions = { + protocols: ['http', 'https', 'ftp', 'app', 'wss', 'ws', 'file'], + // defaults for other options + // require_tld: true, + // require_protocol: false, + // require_host: true, + // require_port: false, + // require_valid_protocol: true, + // allow_underscores: false, + // host_whitelist: [], + // host_blacklist: [], + // allow_trailing_dot: false, + // allow_protocol_relative_urls: false, + // allow_fragments: true, + // allow_query_components: true, + // disallow_auth: false, + // validate_length: true + }; + + + /** tests if a string is a URL + * Note that we treat IP addresses (which may be a URL) NOT as a URL because + * treating them as an IP is more specific + * @param searchText the single word search text string (i.e., assumes that tokenizeSearchText() + * has already been called) + * @returns true iff the search text is a URL + */ + static isUrl(searchText: string): boolean { + // if it's only an IP address (v4 or v5), then it's not really a URL + if (validator.isIP(searchText)) + return false; + const isAUrl = (validator.isURL(searchText, this.sDefaultUrlValidationOptions)); + return isAUrl; + }; + + + static isFilespec(input: string): boolean { + // if (typeof input !== 'string' || input.trim() === '') { + // return false; + // } + // @todo: hk: this may be inefficient depending on whether + // isUrl() has already been called earlier + if (SearchRequest.isUrl(input)) { + return false; + } + const spec = path.parse(input); + if (spec.ext || spec.base || spec.root || spec.dir || spec.dir) { + return true; + } + + // // Ensure the dirname is valid (not a URL or empty) + // if (dirName && !dirName.startsWith('http://') && !dirName.startsWith('https://')) { + // return true; + // } + + return false; + + } + + /** * determine the SearchReuestTypeId based on searchText * @param searchText the search text @@ -309,20 +411,22 @@ export class SearchRequest { // searchText = searchText.trim() // disallow reserved symbols - if (searchText.indexOf('{') >= 0) { + if (searchText.includes('{')) { return 'SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS' } // disallow wildcards - else if (searchText.indexOf('*') >= 0) { - return 'WILDCARD_ASTERISK_SEARCH_NOT_SUPPORTED' + else if (searchText.includes('*')) { + return 'SEARCH_AS_WILDCARD_ASTERISK' } - else if (searchText.indexOf('?') >= 0) { - if (SearchRequest.isDomainName(searchText)) { + else if (searchText.includes('?')) { + // check if it's a URL first + if (SearchRequest.isUrl(searchText)) { return 'SEARCH_AS_URL' } - return 'WILDCARD_QUESTION_SEARCH_NOT_SUPPORTED' + // if not any of the above, treat as wildcard_question search + return 'SEARCH_AS_WILDCARD_QUESTION' } - else if (searchText.indexOf('%') >= 0) { + else if (searchText.includes('%')) { return 'WILDCARD_PERCENT_SEARCH_NOT_SUPPORTED' } // else if (searchText[0] == '"' && searchText[searchText.length - 1] == '"') { @@ -331,7 +435,7 @@ export class SearchRequest { } // process urls - else if (searchText.indexOf("://") >= 0) { + else if (SearchRequest.isUrl(searchText)) { // original from https://jsfiddle.net/DanielD/8S4nq/ // const addressRegex = /((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))|(^\s*((?=.{1,255}$)(?=.*[A-Za-z].*)[0-9A-Za-z](?:(?:[0-9A-Za-z]|\b-){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|\b-){0,61}[0-9A-Za-z])?)*)\s*$)/; return 'SEARCH_AS_URL' @@ -358,6 +462,9 @@ export class SearchRequest { else if (SearchRequest.isVersionString(searchText)) { return 'SEARCH_AS_VERSION' } + else if (SearchRequest.isFilespec(searchText)) { + return 'SEARCH_AS_FILESPEC'; + } else if (searchText.indexOf('-') !== 0) { return 'SEARCH_PHRASE' } @@ -373,8 +480,7 @@ export class SearchRequest { // process search text with colons else if (searchText.indexOf(':') >= 0) { // regex from https://jsfiddle.net/opd1v7au/2/ - const ipv6Regex = /((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))|(^\s*((?=.{1,255}$)(?=.*[A-Za-z].*)[0-9A-Za-z](?:(?:[0-9A-Za-z]|\b-){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|\b-){0,61}[0-9A-Za-z])?)*)\s*$)/; - if (ipv6Regex.test(searchText)) { + if (SearchRequest.isIpV6String(searchText)) { return 'SEARCH_AS_IPv6' } else { @@ -392,7 +498,10 @@ export class SearchRequest { else if (SearchRequest.isVersionString(searchText)) { return 'SEARCH_AS_VERSION' } - else if (SearchRequest.isDomainName(searchText)) { + else if (SearchRequest.isFilespec(searchText)) { + return 'SEARCH_AS_FILESPEC'; + } + else if (SearchRequest.isUrl(searchText)) { return 'SEARCH_AS_URL' } else { @@ -408,22 +517,4 @@ export class SearchRequest { } - /** separates searchText into individual tokens - * @param searchText the text to tokenize - */ - static tokenizeSearchText(searchText: string): string[] { - // based on code generated by gemini - const regex = /"([^"]*)"|\S+/g; // tokenizes every word and words between double quotes - let tokens = []; - let match; - - while ((match = regex.exec(searchText)) !== null) { - if (match[1]) { - tokens.push(match[1]); // Add the content within quotes - } else { - tokens.push(match[0]); // Add the non-quoted token - } - } - return tokens; - } } \ No newline at end of file diff --git a/src/search/SearchResultData.ts b/src/search/SearchResultData.ts new file mode 100644 index 0000000..24c0988 --- /dev/null +++ b/src/search/SearchResultData.ts @@ -0,0 +1,24 @@ +/** generic result from any search query using ElasticSearch or OpenSearch + * - same output as curl and dashboard console, but typed + * - specified here in this way to make VSCode intelliSense + * work better +*/ +export type SearchResultData = { + took: number; // e.g., 23 + timed_out: boolean; + _shards?: { + total: number; // e.g., 1 + successful: number; // e.g., 1, + skipped: number; // e.g., 0, + failed: number; // e.g., 0; + }, + hits: { + total: { + value: number, // e.g., 5 + relation: 'eq' | 'gte'; + }, + max_score: number; // e.g., 3.9779425 + hits: {}[]; // @todo + }, + aggregations?: unknown; // @todo +}; \ No newline at end of file diff --git a/src/core/search/__snapshots__/BasicSearchManager.test.e2e.ts.snap b/src/search/__snapshots__/BasicSearchManager.test.e2e.ts.snap similarity index 70% rename from src/core/search/__snapshots__/BasicSearchManager.test.e2e.ts.snap rename to src/search/__snapshots__/BasicSearchManager.test.e2e.ts.snap index 7e18c81..5575f70 100644 --- a/src/core/search/__snapshots__/BasicSearchManager.test.e2e.ts.snap +++ b/src/search/__snapshots__/BasicSearchManager.test.e2e.ts.snap @@ -1,25 +1,5 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP -exports[`BasicSearchManager (e2e) search("127.0.0.*") correctly returns expected errors (error CveResult) 1`] = ` -CveResult { - "data": Object { - "processedSearchText": "127.0.0.*", - "searchTextType": "WILDCARD_ASTERISK_SEARCH_NOT_SUPPORTED", - }, - "errors": Array [ - CveError { - "errid": 9003, - "error": "Search operation was not performed because search string contains unsupported characters", - "message": "Search operation was not performed because search string contains unsupported characters", - }, - ], - "notes": Array [ - "does not support wildcard character '*'", - ], - "status": "errors", -} -`; - exports[`BasicSearchManager (e2e) search("127.0.0.1") correctly returns expected data (ok CveResult) 1`] = ` Object { "_id": "CVE-2022-30015", @@ -51,9 +31,9 @@ Object { } `; -exports[`BasicSearchManager (e2e) search("Node JS") correctly returns expected data (ok CveResult) 1`] = ` +exports[`BasicSearchManager (e2e) search("https://pastebin.com/kpzHKKJu") correctly returns expected data (ok CveResult) 1`] = ` Object { - "_id": "CVE-2016-10608", + "_id": "CVE-2021-28941", "_index": Any, "_score": null, "_source": Object { @@ -61,30 +41,30 @@ Object { "cna": Object { "descriptions": Array [ Object { - "value": "robot-js is a module for native system automation for node.js. robot-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.", + "value": "Because of no validation on a curl command in MagpieRSS 0.72 in the /extlib/Snoopy.class.inc file, when you send a request to the /scripts/magpie_debug.php or /scripts/magpie_simple.php page, it's possible to request any internal page if you use a https request.", }, ], }, }, "cveMetadata": Object { - "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", - "assignerShortName": "hackerone", - "cveId": "CVE-2016-10608", - "datePublished": "2018-06-01T18:00:00Z", - "dateReserved": "2017-10-29T00:00:00", - "dateUpdated": "2024-09-17T00:10:34.045Z", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2021-28941", + "datePublished": "2021-04-02T19:08:37", + "dateReserved": "2021-03-19T00:00:00", + "dateUpdated": "2024-08-03T21:55:12.242Z", "state": "PUBLISHED", }, }, "sort": Array [ - "CVE-2016-10608", + "CVE-2021-28941", ], } `; exports[`BasicSearchManager (e2e) search("in-the-middle") correctly returns expected data (ok CveResult) 1`] = ` Object { - "_id": "CVE-2024-54849", + "_id": "CVE-2025-37730", "_index": Any, "_score": null, "_source": Object { @@ -92,30 +72,61 @@ Object { "cna": Object { "descriptions": Array [ Object { - "value": "An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to obtain the second RSA private key and access sensitive data or execute a man-in-the-middle attack.", + "value": "Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when the ssl_verification_mode => full was set.", }, ], }, }, "cveMetadata": Object { - "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", - "assignerShortName": "mitre", - "cveId": "CVE-2024-54849", - "datePublished": "2025-01-10T00:00:00", - "dateReserved": "2024-12-06T00:00:00", - "dateUpdated": "2025-01-13T20:16:37.016Z", + "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", + "assignerShortName": "elastic", + "cveId": "CVE-2025-37730", + "datePublished": "2025-05-06T17:29:07.189Z", + "dateReserved": "2025-04-16T03:24:04.510Z", + "dateUpdated": "2025-05-06T17:51:59.631Z", "state": "PUBLISHED", }, }, "sort": Array [ - "CVE-2024-54849", + "CVE-2025-37730", + ], +} +`; + +exports[`BasicSearchManager (e2e) search("man in the middle") correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-37730", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when the ssl_verification_mode => full was set.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", + "assignerShortName": "elastic", + "cveId": "CVE-2025-37730", + "datePublished": "2025-05-06T17:29:07.189Z", + "dateReserved": "2025-04-16T03:24:04.510Z", + "dateUpdated": "2025-05-06T17:51:59.631Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-37730", ], } `; exports[`BasicSearchManager (e2e) search("man-in-the-middle") correctly returns expected data (ok CveResult) 1`] = ` Object { - "_id": "CVE-2024-54849", + "_id": "CVE-2025-37730", "_index": Any, "_score": null, "_source": Object { @@ -123,23 +134,23 @@ Object { "cna": Object { "descriptions": Array [ Object { - "value": "An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to obtain the second RSA private key and access sensitive data or execute a man-in-the-middle attack.", + "value": "Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when the ssl_verification_mode => full was set.", }, ], }, }, "cveMetadata": Object { - "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", - "assignerShortName": "mitre", - "cveId": "CVE-2024-54849", - "datePublished": "2025-01-10T00:00:00", - "dateReserved": "2024-12-06T00:00:00", - "dateUpdated": "2025-01-13T20:16:37.016Z", + "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", + "assignerShortName": "elastic", + "cveId": "CVE-2025-37730", + "datePublished": "2025-05-06T17:29:07.189Z", + "dateReserved": "2025-04-16T03:24:04.510Z", + "dateUpdated": "2025-05-06T17:51:59.631Z", "state": "PUBLISHED", }, }, "sort": Array [ - "CVE-2024-54849", + "CVE-2025-37730", ], } `; @@ -398,40 +409,9 @@ Object { } `; -exports[`BasicSearchManager (e2e) search(https://pastebin.com/kpzHKKJu) correctly returns expected data (ok CveResult) 1`] = ` -Object { - "_id": "CVE-2021-28941", - "_index": Any, - "_score": null, - "_source": Object { - "containers": Object { - "cna": Object { - "descriptions": Array [ - Object { - "value": "Because of no validation on a curl command in MagpieRSS 0.72 in the /extlib/Snoopy.class.inc file, when you send a request to the /scripts/magpie_debug.php or /scripts/magpie_simple.php page, it's possible to request any internal page if you use a https request.", - }, - ], - }, - }, - "cveMetadata": Object { - "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", - "assignerShortName": "mitre", - "cveId": "CVE-2021-28941", - "datePublished": "2021-04-02T19:08:37", - "dateReserved": "2021-03-19T00:00:00", - "dateUpdated": "2024-08-03T21:55:12.242Z", - "state": "PUBLISHED", - }, - }, - "sort": Array [ - "CVE-2021-28941", - ], -} -`; - exports[`BasicSearchManager (e2e) search(in-the-middle) correctly returns expected data (ok CveResult) 1`] = ` Object { - "_id": "CVE-2024-54849", + "_id": "CVE-2025-37730", "_index": Any, "_score": null, "_source": Object { @@ -439,30 +419,30 @@ Object { "cna": Object { "descriptions": Array [ Object { - "value": "An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to obtain the second RSA private key and access sensitive data or execute a man-in-the-middle attack.", + "value": "Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when the ssl_verification_mode => full was set.", }, ], }, }, "cveMetadata": Object { - "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", - "assignerShortName": "mitre", - "cveId": "CVE-2024-54849", - "datePublished": "2025-01-10T00:00:00", - "dateReserved": "2024-12-06T00:00:00", - "dateUpdated": "2025-01-13T20:16:37.016Z", + "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", + "assignerShortName": "elastic", + "cveId": "CVE-2025-37730", + "datePublished": "2025-05-06T17:29:07.189Z", + "dateReserved": "2025-04-16T03:24:04.510Z", + "dateUpdated": "2025-05-06T17:51:59.631Z", "state": "PUBLISHED", }, }, "sort": Array [ - "CVE-2024-54849", + "CVE-2025-37730", ], } `; exports[`BasicSearchManager (e2e) search(man-in-the-middle) correctly returns expected data (ok CveResult) 1`] = ` Object { - "_id": "CVE-2024-54849", + "_id": "CVE-2025-37730", "_index": Any, "_score": null, "_source": Object { @@ -470,30 +450,30 @@ Object { "cna": Object { "descriptions": Array [ Object { - "value": "An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to obtain the second RSA private key and access sensitive data or execute a man-in-the-middle attack.", + "value": "Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when the ssl_verification_mode => full was set.", }, ], }, }, "cveMetadata": Object { - "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", - "assignerShortName": "mitre", - "cveId": "CVE-2024-54849", - "datePublished": "2025-01-10T00:00:00", - "dateReserved": "2024-12-06T00:00:00", - "dateUpdated": "2025-01-13T20:16:37.016Z", + "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", + "assignerShortName": "elastic", + "cveId": "CVE-2025-37730", + "datePublished": "2025-05-06T17:29:07.189Z", + "dateReserved": "2025-04-16T03:24:04.510Z", + "dateUpdated": "2025-05-06T17:51:59.631Z", "state": "PUBLISHED", }, }, "sort": Array [ - "CVE-2024-54849", + "CVE-2025-37730", ], } `; exports[`BasicSearchManager (e2e) search(microsoft ???? office ?????????) correctly returns expected data (ok CveResult) 1`] = ` Object { - "_id": "CVE-2018-0807", + "_id": "CVE-2022-30190", "_index": Any, "_score": null, "_source": Object { @@ -501,7 +481,8 @@ Object { "cna": Object { "descriptions": Array [ Object { - "value": "Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka \\"Microsoft Word Remote Code Execution Vulnerability\\". This CVE is unique from CVE-2018-0804, CVE-2018-0805, and CVE-2018-0806.", + "value": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. +Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.", }, ], }, @@ -509,15 +490,15 @@ Object { "cveMetadata": Object { "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", - "cveId": "CVE-2018-0807", - "datePublished": "2018-01-10T01:00:00Z", - "dateReserved": "2017-12-01T00:00:00", - "dateUpdated": "2024-09-17T00:56:03.992Z", + "cveId": "CVE-2022-30190", + "datePublished": "2022-06-01T20:10:17.000Z", + "dateReserved": "2022-05-03T00:00:00.000Z", + "dateUpdated": "2025-02-04T19:04:33.929Z", "state": "PUBLISHED", }, }, "sort": Array [ - "CVE-2018-0807", + "CVE-2022-30190", ], } `; @@ -568,52 +549,6 @@ Object { } `; -exports[`BasicSearchManager (e2e) search(serial_core.c) correctly returns expected data (ok CveResult) 1`] = ` -Object { - "_id": "CVE-2024-38634", - "_index": Any, - "_score": null, - "_source": Object { - "containers": Object { - "cna": Object { - "descriptions": Array [ - Object { - "value": "In the Linux kernel, the following vulnerability has been resolved: - -serial: max3100: Lock port->lock when calling uart_handle_cts_change() - -uart_handle_cts_change() has to be called with port lock taken, -Since we run it in a separate work, the lock may not be taken at -the time of running. Make sure that it's taken by explicitly doing -that. Without it we got a splat: - - WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 - ... - Workqueue: max3100-0 max3100_work [max3100] - RIP: 0010:uart_handle_cts_change+0xa6/0xb0 - ... - max3100_handlerx+0xc5/0x110 [max3100] - max3100_work+0x12a/0x340 [max3100]", - }, - ], - }, - }, - "cveMetadata": Object { - "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", - "assignerShortName": "Linux", - "cveId": "CVE-2024-38634", - "datePublished": "2024-06-21T10:18:23.573Z", - "dateReserved": "2024-06-18T19:36:34.947Z", - "dateUpdated": "2024-12-19T09:06:07.425Z", - "state": "PUBLISHED", - }, - }, - "sort": Array [ - "CVE-2024-38634", - ], -} -`; - exports[`BasicSearchManager (e2e) search(undefined) correctly returns expected errors (error CveResult) 1`] = ` CveResult { "data": undefined, diff --git a/src/core/search/__snapshots__/SearchRequest.test.unit.ts.snap b/src/search/__snapshots__/SearchQueryBuilder.test.unit.ts.snap similarity index 59% rename from src/core/search/__snapshots__/SearchRequest.test.unit.ts.snap rename to src/search/__snapshots__/SearchQueryBuilder.test.unit.ts.snap index cb9b61a..e973999 100644 --- a/src/core/search/__snapshots__/SearchRequest.test.unit.ts.snap +++ b/src/search/__snapshots__/SearchQueryBuilder.test.unit.ts.snap @@ -1,6 +1,38 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP -exports[`SearchRequest ("microsoft office",{"track_total_hits":false})..buildRequest() correctly returns the expected request 1`] = ` +exports[`SearchQueryBuilder ("https://pastebin.com/kpzHKKJu",{"track_total_hits":true})..buildQuery() correctly returns the expected query 1`] = ` +CveResult { + "data": Object { + "processedSearchText": "\\"https://pastebin.com/kpzHKKJu\\"", + "q": Object { + "from": 0, + "query": Object { + "query_string": Object { + "default_operator": "AND", + "query": "\\"https://pastebin.com/kpzHKKJu\\"", + }, + }, + "size": 25, + "sort": Array [ + Object { + "cveMetadata.cveId.keyword": Object { + "order": "desc", + }, + }, + ], + "track_total_hits": true, + }, + "searchTextType": "SEARCH_AS_URL", + }, + "errors": undefined, + "notes": Array [ + "search text is a URL", + ], + "status": "ok", +} +`; + +exports[`SearchQueryBuilder ("microsoft office",{"track_total_hits":false})..buildQuery() correctly returns the expected query 1`] = ` CveResult { "data": Object { "processedSearchText": "microsoft office", @@ -9,7 +41,7 @@ CveResult { "query": Object { "query_string": Object { "default_operator": "AND", - "query": "microsoft office", + "query": "\\"microsoft office\\"", }, }, "size": 25, @@ -31,7 +63,7 @@ CveResult { } `; -exports[`SearchRequest ("office",{"track_total_hits":true})..buildRequest() correctly returns the expected request 1`] = ` +exports[`SearchQueryBuilder ("office",{"track_total_hits":true})..buildQuery() correctly returns the expected query 1`] = ` CveResult { "data": Object { "processedSearchText": "office", @@ -40,7 +72,7 @@ CveResult { "query": Object { "query_string": Object { "default_operator": "AND", - "query": "office", + "query": "\\"office\\"", }, }, "size": 25, @@ -63,7 +95,7 @@ CveResult { } `; -exports[`SearchRequest (CAPEC-64,{"default_operator":"OR"})..buildRequest() correctly returns the expected request 1`] = ` +exports[`SearchQueryBuilder (CAPEC-64,{"default_operator":"OR"})..buildQuery() correctly returns the expected query 1`] = ` CveResult { "data": Object { "processedSearchText": "\\"CAPEC-64\\"", @@ -72,7 +104,7 @@ CveResult { "query": Object { "query_string": Object { "default_operator": "OR", - "query": "\\"CAPEC-64\\"", + "query": "CAPEC-64", }, }, "size": 25, @@ -95,7 +127,7 @@ CveResult { } `; -exports[`SearchRequest (CVE-2000,{"metadataOnly":false})..buildRequest() correctly returns the expected request 1`] = ` +exports[`SearchQueryBuilder (CVE-2000,{"metadataOnly":false})..buildQuery() correctly returns the expected query 1`] = ` CveResult { "data": Object { "processedSearchText": "\\"CVE-2000\\"", @@ -104,7 +136,7 @@ CveResult { "query": Object { "query_string": Object { "default_operator": "AND", - "query": "\\"CVE-2000\\"", + "query": "CVE-2000", }, }, "size": 25, @@ -127,7 +159,7 @@ CveResult { } `; -exports[`SearchRequest (CVE-2020-5422,{"useCache":false})..buildRequest() correctly returns the expected request 1`] = ` +exports[`SearchQueryBuilder (CVE-2020-5422,{"useCache":false})..buildQuery() correctly returns the expected query 1`] = ` CveResult { "data": Object { "processedSearchText": "\\"CVE-2020-5422\\"", @@ -136,7 +168,7 @@ CveResult { "query": Object { "query_string": Object { "default_operator": "AND", - "query": "\\"CVE-2020-5422\\"", + "query": "CVE-2020-5422", }, }, "size": 25, @@ -159,7 +191,7 @@ CveResult { } `; -exports[`SearchRequest (CWE-123,{"track_total_hits":false,"default_operator":"OR","metadataOnly":true})..buildRequest() correctly returns the expected request 1`] = ` +exports[`SearchQueryBuilder (CWE-123,{"track_total_hits":false,"default_operator":"OR","metadataOnly":true})..buildQuery() correctly returns the expected query 1`] = ` CveResult { "data": Object { "processedSearchText": "\\"CWE-123\\"", @@ -172,7 +204,7 @@ CveResult { "query": Object { "query_string": Object { "default_operator": "OR", - "query": "\\"CWE-123\\"", + "query": "CWE-123", }, }, "size": 25, @@ -194,7 +226,7 @@ CveResult { } `; -exports[`SearchRequest (microsoft office,{"track_total_hits":false})..buildRequest() correctly returns the expected request 1`] = ` +exports[`SearchQueryBuilder (microsoft office,{"track_total_hits":false})..buildQuery() correctly returns the expected query 1`] = ` CveResult { "data": Object { "processedSearchText": "microsoft office", @@ -225,7 +257,7 @@ CveResult { } `; -exports[`SearchRequest (office,{"track_total_hits":true})..buildRequest() correctly returns the expected request 1`] = ` +exports[`SearchQueryBuilder (office,{"track_total_hits":true})..buildQuery() correctly returns the expected query 1`] = ` CveResult { "data": Object { "processedSearchText": "office", @@ -257,85 +289,7 @@ CveResult { } `; -exports[`SearchRequest constructor with options for paging correctly returns the number requested 1`] = ` -CveResult { - "data": Object { - "processedSearchText": "office", - "searchTextType": "SEARCH_GENERAL_TEXT", - }, - "errors": undefined, - "notes": Array [ - "general search text string", - ], - "status": "ok", -} -`; - -exports[`SearchRequest constructor with options for paging correctly returns the number requested 2`] = ` -SearchRequest { - "_searchOptions": Object { - "default_operator": "AND", - "fields": Array [], - "from": 200, - "metadataOnly": false, - "size": 50, - "sort": Array [ - Object { - "cveMetadata.cveId.keyword": Object { - "order": "desc", - }, - }, - ], - "track_total_hits": true, - "useCache": true, - }, - "_searchText": "office", -} -`; - -exports[`SearchRequest toJSON() correctly prints out an "errors" result 1`] = ` -CveResult { - "data": Object { - "processedSearchText": "127.0.0.*", - "searchTextType": "WILDCARD_ASTERISK_SEARCH_NOT_SUPPORTED", - }, - "errors": Array [ - CveError { - "errid": 9003, - "error": "Search operation was not performed because search string contains unsupported characters", - "message": "Search operation was not performed because search string contains unsupported characters", - }, - ], - "notes": Array [ - "does not support wildcard character '*'", - ], - "status": "errors", -} -`; - -exports[`SearchRequest toJSON() correctly prints out an "errors" result 2`] = ` -SearchRequest { - "_searchOptions": Object { - "default_operator": "AND", - "fields": Array [], - "from": 0, - "metadataOnly": false, - "size": 25, - "sort": Array [ - Object { - "cveMetadata.cveId.keyword": Object { - "order": "desc", - }, - }, - ], - "track_total_hits": false, - "useCache": true, - }, - "_searchText": "127.0.0.*", -} -`; - -exports[`SearchRequest toJSON() correctly prints out an "ok" result 1`] = ` +exports[`SearchQueryBuilder constructor with options for paging correctly returns the number requested 1`] = ` CveResult { "data": Object { "processedSearchText": "office", @@ -349,24 +303,8 @@ CveResult { } `; -exports[`SearchRequest toJSON() correctly prints out an "ok" result 2`] = ` +exports[`SearchQueryBuilder constructor with options for paging correctly returns the number requested 2`] = ` SearchRequest { - "_searchOptions": Object { - "default_operator": "AND", - "fields": Array [], - "from": 0, - "metadataOnly": false, - "size": 25, - "sort": Array [ - Object { - "cveMetadata.cveId.keyword": Object { - "order": "desc", - }, - }, - ], - "track_total_hits": true, - "useCache": true, - }, "_searchText": "office", } `; diff --git a/src/search/__snapshots__/SearchRequest.test.unit.ts.snap b/src/search/__snapshots__/SearchRequest.test.unit.ts.snap new file mode 100644 index 0000000..0b0585f --- /dev/null +++ b/src/search/__snapshots__/SearchRequest.test.unit.ts.snap @@ -0,0 +1,47 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`SearchRequest processSearchText() correctly returns an "errors" result 1`] = ` +CveResult { + "data": Object { + "processedSearchText": "{}", + "searchTextType": "SEARCH_STRING_CANNOT_CONTAIN_RESERVED_CHARACTERS", + }, + "errors": Array [ + CveError { + "errid": 9004, + "error": "Search operation was not performed because search string contains reserved characters", + "message": "Search operation was not performed because search string contains reserved characters", + }, + ], + "notes": Array [ + "search text cannot contain reserved characters ('{}', '{{}}')", + ], + "status": "errors", +} +`; + +exports[`SearchRequest processSearchText() correctly returns an "errors" result 2`] = ` +SearchRequest { + "_searchText": "{}", +} +`; + +exports[`SearchRequest processSearchText() correctly returns an "ok" result 1`] = ` +CveResult { + "data": Object { + "processedSearchText": "office", + "searchTextType": "SEARCH_GENERAL_TEXT", + }, + "errors": undefined, + "notes": Array [ + "general search text string", + ], + "status": "ok", +} +`; + +exports[`SearchRequest processSearchText() correctly returns an "ok" result 2`] = ` +SearchRequest { + "_searchText": "office", +} +`; diff --git a/src/search/test_cases/__snapshots__/search_wildcards.test.e2e.ts.snap b/src/search/test_cases/__snapshots__/search_wildcards.test.e2e.ts.snap new file mode 100644 index 0000000..f407d36 --- /dev/null +++ b/src/search/test_cases/__snapshots__/search_wildcards.test.e2e.ts.snap @@ -0,0 +1,874 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search("cpe:2.3:a:ivanti:connect_secure:-:*") correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2024-9420", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 + + and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker to achieve remote code execution", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", + "assignerShortName": "ivanti", + "cveId": "CVE-2024-9420", + "datePublished": "2024-11-12T15:57:24.947Z", + "dateReserved": "2024-10-01T20:04:39.852Z", + "dateUpdated": "2024-11-27T20:21:28.876Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2024-9420", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search("cpe:2.3:a:ivanti:connect_secure:-:*:*:*:*:*:*:*") correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2024-9420", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 + + and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker to achieve remote code execution", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", + "assignerShortName": "ivanti", + "cveId": "CVE-2024-9420", + "datePublished": "2024-11-12T15:57:24.947Z", + "dateReserved": "2024-10-01T20:04:39.852Z", + "dateUpdated": "2024-11-27T20:21:28.876Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2024-9420", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(*) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-37730", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when the ssl_verification_mode => full was set.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", + "assignerShortName": "elastic", + "cveId": "CVE-2025-37730", + "datePublished": "2025-05-06T17:29:07.189Z", + "dateReserved": "2025-04-16T03:24:04.510Z", + "dateUpdated": "2025-05-06T17:51:59.631Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-37730", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(**) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-37730", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when the ssl_verification_mode => full was set.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", + "assignerShortName": "elastic", + "cveId": "CVE-2025-37730", + "datePublished": "2025-05-06T17:29:07.189Z", + "dateReserved": "2025-04-16T03:24:04.510Z", + "dateUpdated": "2025-05-06T17:51:59.631Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-37730", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(*.*.*.*) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-32053", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A flaw was found in libsoup. A vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", + "assignerShortName": "redhat", + "cveId": "CVE-2025-32053", + "datePublished": "2025-04-03T13:37:39.054Z", + "dateReserved": "2025-04-03T01:42:14.135Z", + "dateUpdated": "2025-05-29T06:49:29.146Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-32053", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(*27.*.0.1) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-30015", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-30015", + "datePublished": "2022-05-23T20:50:00", + "dateReserved": "2022-05-02T00:00:00", + "dateUpdated": "2024-08-03T06:40:47.506Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-30015", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(*27.0.0.1) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-30015", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-30015", + "datePublished": "2022-05-23T20:50:00", + "dateReserved": "2022-05-02T00:00:00", + "dateUpdated": "2024-08-03T06:40:47.506Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-30015", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(???.0.0.1) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-30015", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-30015", + "datePublished": "2022-05-23T20:50:00", + "dateReserved": "2022-05-02T00:00:00", + "dateUpdated": "2024-08-03T06:40:47.506Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-30015", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(??7.0.0.1) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-30015", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-30015", + "datePublished": "2022-05-23T20:50:00", + "dateReserved": "2022-05-02T00:00:00", + "dateUpdated": "2024-08-03T06:40:47.506Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-30015", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(?27.0.0.1) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-30015", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-30015", + "datePublished": "2022-05-23T20:50:00", + "dateReserved": "2022-05-02T00:00:00", + "dateUpdated": "2024-08-03T06:40:47.506Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-30015", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(1??.0.0.1) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-30015", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-30015", + "datePublished": "2022-05-23T20:50:00", + "dateReserved": "2022-05-02T00:00:00", + "dateUpdated": "2024-08-03T06:40:47.506Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-30015", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(12?.0.0.1) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-30015", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-30015", + "datePublished": "2022-05-23T20:50:00", + "dateReserved": "2022-05-02T00:00:00", + "dateUpdated": "2024-08-03T06:40:47.506Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-30015", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(127.*.0.1) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-30015", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-30015", + "datePublished": "2022-05-23T20:50:00", + "dateReserved": "2022-05-02T00:00:00", + "dateUpdated": "2024-08-03T06:40:47.506Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-30015", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(127.0.0.*) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-30015", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-30015", + "datePublished": "2022-05-23T20:50:00", + "dateReserved": "2022-05-02T00:00:00", + "dateUpdated": "2024-08-03T06:40:47.506Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-30015", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(127.0.0.?) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-30015", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-30015", + "datePublished": "2022-05-23T20:50:00", + "dateReserved": "2022-05-02T00:00:00", + "dateUpdated": "2024-08-03T06:40:47.506Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-30015", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(m*****t) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-23114", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", + "assignerShortName": "hackerone", + "cveId": "CVE-2025-23114", + "datePublished": "2025-02-05T01:45:03.336Z", + "dateReserved": "2025-01-11T01:00:00.617Z", + "dateUpdated": "2025-03-13T18:23:04.462Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-23114", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(m**t) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-23114", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", + "assignerShortName": "hackerone", + "cveId": "CVE-2025-23114", + "datePublished": "2025-02-05T01:45:03.336Z", + "dateReserved": "2025-01-11T01:00:00.617Z", + "dateUpdated": "2025-03-13T18:23:04.462Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-23114", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(m*cro*f*) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-23114", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", + "assignerShortName": "hackerone", + "cveId": "CVE-2025-23114", + "datePublished": "2025-02-05T01:45:03.336Z", + "dateReserved": "2025-01-11T01:00:00.617Z", + "dateUpdated": "2025-03-13T18:23:04.462Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-23114", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(m*t) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-23114", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", + "assignerShortName": "hackerone", + "cveId": "CVE-2025-23114", + "datePublished": "2025-02-05T01:45:03.336Z", + "dateReserved": "2025-01-11T01:00:00.617Z", + "dateUpdated": "2025-03-13T18:23:04.462Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-23114", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(micro* *office) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-38756", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2. The GW Web component makes a request to the Post Office Agent that contains sensitive information in the query parameters that could be logged by any intervening HTTP proxies.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", + "assignerShortName": "microfocus", + "cveId": "CVE-2022-38756", + "datePublished": "2022-12-16T00:00:00", + "dateReserved": "2022-08-25T00:00:00", + "dateUpdated": "2024-08-03T11:02:14.534Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-38756", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(micro*) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-23114", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", + "assignerShortName": "hackerone", + "cveId": "CVE-2025-23114", + "datePublished": "2025-02-05T01:45:03.336Z", + "dateReserved": "2025-01-11T01:00:00.617Z", + "dateUpdated": "2025-03-13T18:23:04.462Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-23114", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(micro?*) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-23114", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", + "assignerShortName": "hackerone", + "cveId": "CVE-2025-23114", + "datePublished": "2025-02-05T01:45:03.336Z", + "dateReserved": "2025-01-11T01:00:00.617Z", + "dateUpdated": "2025-03-13T18:23:04.462Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-23114", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(micro?????) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-38758", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "Cross-site Scripting (XSS) vulnerability in NetIQ iManager prior to version 3.2.6 allows attacker to execute malicious scripts on the user's browser. This issue affects: Micro Focus NetIQ iManager NetIQ iManager versions prior to 3.2.6 on ALL.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", + "assignerShortName": "microfocus", + "cveId": "CVE-2022-38758", + "datePublished": "2023-01-25T00:00:00", + "dateReserved": "2022-08-25T00:00:00", + "dateUpdated": "2024-08-03T11:02:14.473Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-38758", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(micros???) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-23114", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", + "assignerShortName": "hackerone", + "cveId": "CVE-2025-23114", + "datePublished": "2025-02-05T01:45:03.336Z", + "dateReserved": "2025-01-11T01:00:00.617Z", + "dateUpdated": "2025-03-13T18:23:04.462Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-23114", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(micros????) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2021-44228", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2021-44228", + "datePublished": "2021-12-10T00:00:00.000Z", + "dateReserved": "2021-11-26T00:00:00.000Z", + "dateUpdated": "2025-02-04T14:25:37.215Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2021-44228", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(micros?ft) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-23114", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", + "assignerShortName": "hackerone", + "cveId": "CVE-2025-23114", + "datePublished": "2025-02-05T01:45:03.336Z", + "dateReserved": "2025-01-11T01:00:00.617Z", + "dateUpdated": "2025-03-13T18:23:04.462Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-23114", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(microsoft office) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2022-30190", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. +Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-30190", + "datePublished": "2022-06-01T20:10:17.000Z", + "dateReserved": "2022-05-03T00:00:00.000Z", + "dateUpdated": "2025-02-04T19:04:33.929Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2022-30190", + ], +} +`; + +exports[`Wildcard Searches BasicSearchManager.search() BasicSearchManager.search(microsoft) correctly returns expected data (ok CveResult) 1`] = ` +Object { + "_id": "CVE-2025-23114", + "_index": Any, + "_score": null, + "_source": Object { + "containers": Object { + "cna": Object { + "descriptions": Array [ + Object { + "value": "A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary code on the affected server. This issue occurs due to a failure to properly validate TLS certificate.", + }, + ], + }, + }, + "cveMetadata": Object { + "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", + "assignerShortName": "hackerone", + "cveId": "CVE-2025-23114", + "datePublished": "2025-02-05T01:45:03.336Z", + "dateReserved": "2025-01-11T01:00:00.617Z", + "dateUpdated": "2025-03-13T18:23:04.462Z", + "state": "PUBLISHED", + }, + }, + "sort": Array [ + "CVE-2025-23114", + ], +} +`; diff --git a/src/search/test_cases/search_ipv4.test.e2e.ts b/src/search/test_cases/search_ipv4.test.e2e.ts new file mode 100644 index 0000000..4cb7821 --- /dev/null +++ b/src/search/test_cases/search_ipv4.test.e2e.ts @@ -0,0 +1,116 @@ +import { SearchRequest } from '../SearchRequest.js'; + +describe('IPv4 Searches', () => { + + const testCases: Array<{ input: string; }> = [ + // these can be either a URL or an IP address, so treating them as IP addresses because that is more specific + { input: "127.0.0.1" }, // localhost + { input: "10.0.0.1" }, // class A + { input: "172.16.0.1" }, // class B + { input: "255.255.255.255" }, // broadcast + ]; + + testCases.forEach(({ input }) => { + it(`isUrl('${input}') && findSearchRequestType() --> SEARCH_AS_IPv4`, () => { + const result1 = SearchRequest.isIpV4String(input); + expect(result1).toBe(true); + const result2 = SearchRequest.findSearchRequestType(input); + expect(result2).toBe('SEARCH_AS_IPv4'); + }); + }); + + const antiCases: Array<{ counterInput: string; expectedType?: string; }> = [ + { counterInput: "wikipedia" }, // google search bar style "url" + { counterInput: "localhost" }, + { counterInput: "127.0.0.1:65535" }, // localhost with user port is treated as URL + { counterInput: "http://user:pass@127.0.0.1/?a=b&abc=1%22#25", expectedType: 'SEARCH_AS_URL'}, + { counterInput: "::", expectedType: 'SEARCH_AS_IPv6'}, + { counterInput: "2001:db8:3333:4444:5555:6666:1.2.3.4", expectedType: 'SEARCH_AS_IPv6'}, + // using ? as wildcard + { counterInput: "127.0.0.?", expectedType: 'SEARCH_AS_WILDCARD_QUESTION' }, + { counterInput: "127.0.0.???", expectedType: 'SEARCH_AS_WILDCARD_QUESTION' }, + // using * as wildcard + { counterInput: "127.0.0.*", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + { counterInput: "*.0.0.1", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + ]; + + antiCases.forEach(({ counterInput, expectedType }) => { + it(`isUrl('${counterInput}') --> false ${expectedType ? `&& findSearchRequestType('${counterInput}') --> ${expectedType}` : ''}`, () => { + const result = SearchRequest.isIpV4String(counterInput); + expect(result).toBe(false); + if (expectedType) { + const result = SearchRequest.findSearchRequestType(counterInput); + expect(result).toBe(expectedType); + } + }); + }); + +}); + + +describe('SearchRequest testing IPv6', () => { + + const testCases: Array<{ input: string; }> = [ + // ----- IPv6 search strings(some from https://jsfiddle.net/opd1v7au/2/) ----- + { input: "0000:0000:0000:0000:0000:0000:0000:0000"}, + { input: "2001:0db8:0000:0000:0000:0000:0000:0001"}, + { input: "2001:db8:3333:4444:5555:6666:1.2.3.4"}, + { input : "::11.22.33.44"}, + { input: "2001:db8::1" }, // compressed + { input: "::" }, // unspecified + { input: "::1"}, // loopback + { input: "ff02::1"}, // multicast + { input: "2001:0000:1234:0000:0000:C1C0:ABCD:0876" }, + { input: "::ffff:192.168.1.1"}, // embedded ipv4 + { input: "2001:db8:0:0:8:800:200c:417a"}, // mixed compression + ]; + + testCases.forEach(({ input }) => { + it(`isUrl('${input}') --> true`, () => { + const result = SearchRequest.isIpV6String(input); + expect(result).toBe(true); + }); + }); + + testCases.forEach(({ input }) => { + it(`findSearchRequestType('${input}') --> SEARCH_AS_IPv4`, () => { + const result = SearchRequest.findSearchRequestType(input); + expect(result).toBe('SEARCH_AS_IPv6'); + }); + }); + + const antiCases: Array<{ counterInput: string; expectedType?: string; }> = [ + { counterInput: "wikipedia", expectedType: 'SEARCH_GENERAL_TEXT' }, // google search bar style "url" + { counterInput: "localhost", expectedType: 'SEARCH_GENERAL_TEXT' }, + { counterInput: "127.0.0.1", expectedType: 'SEARCH_AS_IPv4' }, + { counterInput: "3ffe:b00::1::a" }, + { counterInput: ":", expectedType: 'SEARCH_STRING_NOT_SUPPORTED' }, + { counterInput: "FF02:0000:0000:0000:0000:0000:0000:0000:0001" }, + { counterInput: "2001:db8:1234:5678:9abc:def0:1234:5678:9abc" }, // too many groups + { counterInput: "2001:db8:12345::1"}, // hexadecimal overflow + { counterInput: "127.0.0.1:65535", expectedType: 'SEARCH_AS_URL' }, + // using ? as wildcard + { counterInput: "127.0.0.?", expectedType: 'SEARCH_AS_WILDCARD_QUESTION' }, + { counterInput: "127.0.0.???", expectedType: 'SEARCH_AS_WILDCARD_QUESTION' }, + // using * as wildcard + { counterInput: "127.0.0.*", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + { counterInput: "*.0.0.1", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + ]; + + antiCases.forEach(({ counterInput, expectedType }) => { + it(`isUrl('${counterInput}') --> false`, () => { + const result = SearchRequest.isIpV6String(counterInput); + expect(result).toBe(false); + }); + }); + + antiCases.forEach(({ counterInput, expectedType }) => { + if (expectedType) { + it(`findSearchRequestType('${counterInput}') --> ${expectedType}`, () => { + const result = SearchRequest.findSearchRequestType(counterInput); + expect(result).toBe(expectedType); + }); + } + }); + +}); diff --git a/src/search/test_cases/search_urls.test.e2e.ts b/src/search/test_cases/search_urls.test.e2e.ts new file mode 100644 index 0000000..cf2e6ce --- /dev/null +++ b/src/search/test_cases/search_urls.test.e2e.ts @@ -0,0 +1,78 @@ +import { SearchRequest } from '../SearchRequest.js'; + +describe.only('URL Searches', () => { + + const testCases: Array<{ input: string; }> = [ + { input: "https://pastebin.com/kpzHKKJu" }, + { input: "wikipedia.org" }, + { input: "en.wikipedia.org" }, + { input: "127.0.0.1:65535" }, // localhost with user port + { input: "[2001:db8::1]:8080"}, // ipv6 with port + // these can be either a URL or an IP address, so treating them as IP addresses because that is more specific + // { input: "127.0.0.1" }, // localhost + // { input: "10.0.0.1" }, // class A + // { input: "172.16.0.1" }, // class B + // { input: "255.255.255.255" }, // broadcast + + // additional protocols (not currently supported) + // { input: "rdar://10198949"}, + + { input: "http://en.wikipedia.org" }, + { input: "https://en.wikipedia.org" }, + { input: "http://example.com/file.txt" }, + { input: "http://example.com/file" }, + { input: "https://marketplace.microfocus.com/itom/content/operations-bridge-manager-obm-2022-05-hotfixes" }, + { input: "https://portal.microfocus.com/s/article/KM000012517?language=en_US" }, + { input: "https://portal.microfocus.com:443/s/article/KM000012517?language=en_US" }, + { input: "https://en.wikipedia.org/abc/def?x=123&y=234" }, + { input: "https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty=true" }, + { input: "https://en.wikipedia.org/abc/def?x=123&y=234&z=all&pretty" }, + { input: "http://user:pass@google.com/?a=b&abc=1%22#25" }, + { input: "https://user:pass@google.com/?a=b&abc=1%22#25" }, + { input: "https://user:pass@one-two-three.xyz.com/?a=b&abc=1%22#25" }, + { input: "http://user:pass@127.0.0.1/?a=b&abc=1%22#25" }, + { input: "https://user:pass@127.0.0.1/?a=b&abc=1%22#25" }, + { input: "https://pastebin.com/kpzHKKJu" }, + ]; + + testCases.forEach(({ input }) => { + it(`isUrl('${input}') --> true`, () => { + const result = SearchRequest.isUrl(input); + expect(result).toBe(true); + }); + }); + + testCases.forEach(({ input }) => { + it(`findSearchRequestType('${input}') --> SEARCH_AS_URL`, () => { + const result = SearchRequest.findSearchRequestType(input); + expect(result).toBe('SEARCH_AS_URL'); + }); + }); + + const antiCases: Array<{ counterInput: string; expectedType?: string; }> = [ + { counterInput: "wikipedia" }, // google search bar style "url" + { counterInput: "127.0.0.1:0" }, // localhost with bad user port + { counterInput: "127.0.0.1:123456789" }, // localhost with bad user port + // using ? as wildcard + { counterInput: "127.0.0.?", expectedType: 'SEARCH_AS_WILDCARD_QUESTION' }, + { counterInput: "127.0.0.???", expectedType: 'SEARCH_AS_WILDCARD_QUESTION' }, + ]; + + antiCases.forEach(({ counterInput, expectedType }) => { + it(`isUrl('${counterInput}') --> false`, () => { + const result = SearchRequest.isUrl(counterInput); + expect(result).toBe(false); + }); + }); + + antiCases.forEach(({ counterInput, expectedType }) => { + if (expectedType) { + it(`findSearchRequestType('${counterInput}') --> ${expectedType}`, () => { + const result = SearchRequest.findSearchRequestType(counterInput); + expect(result).toBe(expectedType); + }); + } + }); + +}); + \ No newline at end of file diff --git a/src/search/test_cases/search_wildcards.test.e2e.ts b/src/search/test_cases/search_wildcards.test.e2e.ts new file mode 100644 index 0000000..3e588d3 --- /dev/null +++ b/src/search/test_cases/search_wildcards.test.e2e.ts @@ -0,0 +1,173 @@ +import { SearchProviderSpec } from '../../adapters/search/SearchAdapter.js'; +// import { SearchResultData } from "../SearchResultData.js"; +import { BasicSearchManager } from "../BasicSearchManager.js"; +import { SearchRequest, SearchRequestTypeId } from '../SearchRequest.js'; + +// because e2e testing is very specific to a dataset, we need to make sure we use the same opensearch dataset in cve-fixtures +// as was designed for this test. +const searchProviderSpec = SearchProviderSpec.getDefaultSearchProviderSpec(); +// const _testPipeline = `jest_test_ingest_pipeline` + + +describe('Wildcard Searches', () => { + // ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- + // SearchRequest.tokenizeSearchText(wildcard) + + describe('SearchRequest.tokenizeSearchText()', () => { + const testCases: Array<{ input: string; expected: string[]; }> = [ + // Wildcards in 1 term + { input: `"microsoft"`, expected: ["microsoft"] }, + { input: "127.0.0.*", expected: ["127.0.0.*"] }, + { input: `"microsoft *"`, expected: ["microsoft *"] }, + // Wildcards in 2 terms + { input: `"micro* office"`, expected: ["micro* office"] }, + { input: `"microsoft off*"`, expected: ["microsoft off*"] }, + { input: `"*soft office"`, expected: ["*soft office"] }, + { input: `"*soft off*"`, expected: ["*soft off*"] }, + { input: `"CVE*" "micro*"`, expected: ["CVE*", "micro*"] }, + // Wildcards in 3 terms + { input: `"CVE*" "microsoft*" "off*"`, expected: ["CVE*", "microsoft*", "off*"] }, + // Wildcards in phrases + { input: `"microsoft off*"`, expected: ["microsoft off*"] }, + { input: `"CVE*" "*soft office"`, expected: ["CVE*", "*soft office"] }, + ]; + + testCases.forEach(({ input, expected }) => { + it(`should correctly tokenize "${input}" into ${JSON.stringify(expected)}`, () => { + const result = SearchRequest.tokenizeSearchText(input); + expect(result).toEqual(expected); + }); + }); + }); + + + describe('SearchRequest.findSearchRequestType()', () => { + const testCases: Array<{ input: string; expectedType: string; }> = [ + // using * + { input: "*soft", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + { input: "mic*soft", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + { input: "micro*", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + { input: "127.0.0.*", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + { input: ".127.0.0.*", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + { input: "*.127.0.0.*", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + { input: "*.*.*.*.*", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + // using ? + { input: "127.0.0.?", expectedType: 'SEARCH_AS_WILDCARD_QUESTION' }, + { input: "127.0.0.???", expectedType: 'SEARCH_AS_WILDCARD_QUESTION' }, + // using both * and ? + { input: "127.*.0.???", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + { input: "???.0.0.*", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK' }, + ]; + + testCases.forEach(({ input, expectedType }) => { + it(`findSearchRequestType('${input}') --> ${expectedType}`, () => { + const result = SearchRequest.findSearchRequestType(input); + expect(result).toBe(expectedType); + }); + }); + }); + + + describe('SearchRequest.processSearchText()', () => { + const testCases: Array<{ input: string; expectedType: string; expectedProcessedText: string; }> = [ + { input: "127.0.0.*", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK', expectedProcessedText: "127.0.0.*" }, + { input: "127.*.0.1", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK', expectedProcessedText: "127.*.0.1" }, + { input: "12?.0.0.1", expectedType: 'SEARCH_AS_WILDCARD_QUESTION', expectedProcessedText: "12?.0.0.1" }, + { input: "1??.0.0.1", expectedType: 'SEARCH_AS_WILDCARD_QUESTION', expectedProcessedText: "1??.0.0.1" }, + { input: "127.0.0.?", expectedType: 'SEARCH_AS_WILDCARD_QUESTION', expectedProcessedText: "127.0.0.?" }, + { input: "127.0.0.??", expectedType: 'SEARCH_AS_WILDCARD_QUESTION', expectedProcessedText: "127.0.0.??" }, + { input: ".127.0.0.*", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK', expectedProcessedText: ".127.0.0.*" }, + // { input: ".127.0.0.???", expectedType: 'SEARCH_AS_WILDCARD_QUESTION', expectedProcessedText: ".127.0.0.???" }, // + { input: "cpe:2.3:a:ivanti:connect_secure:-:*:*:*:*:*:*:*", expectedType: 'SEARCH_AS_WILDCARD_ASTERISK', expectedProcessedText: "cpe:2.3:a:ivanti:connect_secure:-:*:*:*:*:*:*:*" } + ]; + + testCases.forEach(({ input, expectedType, expectedProcessedText }) => { + it(`should correctly process "${input}" and return SearchRequestTypeId "${expectedType}"`, () => { + const req = new SearchRequest(input); + const result = req.processSearchText(); + + expect(result.data['searchTextType']).toBe(expectedType); + expect(result.data['processedSearchText']).toBe(expectedProcessedText); + expect(req._searchText).toBe(expectedProcessedText); + }); + }); + }); + + + describe('BasicSearchManager.search()', () => { + const testCases: Array<{ input: string; succeed: boolean, expectedNum: number; }> = [ + { input: "127.0.0.*", succeed: true, expectedNum: 2 }, + { input: "127.*.0.1", succeed: true, expectedNum: 2 }, + { input: "12?.0.0.1", succeed: true, expectedNum: 2 }, + { input: "1??.0.0.1", succeed: true, expectedNum: 2 }, + { input: "127.0.0.?", succeed: true, expectedNum: 2 }, + { input: "127.0.0.??", succeed: true, expectedNum: 0 }, + { input: "127.0.0.???", succeed: true, expectedNum: 0 }, + { input: "micro*", succeed: true, expectedNum: 65 }, + { input: "micro?*", succeed: true, expectedNum: 57 }, //@todo, expected 65, same as "micro*" + { input: "micros?ft", succeed: true, expectedNum: 45 }, + { input: "microsoft", succeed: true, expectedNum: 45 }, // for comparison + { input: "micros???", succeed: true, expectedNum: 45 }, + { input: "micros????", succeed: true, expectedNum: 1 }, + { input: "micro?????", succeed: true, expectedNum: 7 }, + { input: "micro???????????", succeed: true, expectedNum: 0 }, // @todo, should return error due to repeating ? + { input: "microsoft office", succeed: true, expectedNum: 5 }, // for comparison + { input: "m*t", succeed: true, expectedNum: 237 }, + // ----- requires exact phrases ----- + { input: `"cpe:2.3:a:ivanti:connect_secure:-:*:*:*:*:*:*:*"`, succeed: true, expectedNum: 2 }, + { input: `"cpe:2.3:a:ivanti:connect_secure:-:*"`, succeed: true, expectedNum: 2 }, + // ----- costly wildcards ----- + { input: "*", succeed: true, expectedNum: 1109 }, + { input: "**", succeed: true, expectedNum: 1109 }, + // { input: "***", succeed: false, expectedNum: 1109 }, //@todo error + { input: "?27.0.0.1", succeed: true, expectedNum: 2 }, + { input: "??7.0.0.1", succeed: true, expectedNum: 2 }, + { input: "???.0.0.1", succeed: true, expectedNum: 2 }, + { input: "*27.0.0.1", succeed: true, expectedNum: 2 }, + { input: "*27.*.0.1", succeed: true, expectedNum: 2 }, + { input: "*.*.*.*", succeed: true, expectedNum: 802 }, //@todo ??? + { input: "micro* *office", succeed: true, expectedNum: 6 }, + { input: "m*cro*f*", succeed: true, expectedNum: 52 }, //@todo, expected 65, same as "micro*" + { input: "m**t", succeed: true, expectedNum: 237 }, //@todo, should return error due to repeating * + { input: "m*****t", succeed: true, expectedNum: 237 }, //@todo, should return error due to repeating * + // ----- ????? ----- + // { input: ".127.0.0.*", expectedNum: 2 }, + // { input: ".127.0.0.???", expectedType: 'SEARCH_AS_WILDCARD_QUESTION', expectedProcessedText: ".127.0.0.???" }, // + + ]; + + testCases.forEach(({ input, succeed, expectedNum }) => { + it(`BasicSearchManager.search(${input}) correctly returns expected data (ok CveResult)`, async () => { + // const req = new SearchRequest(input); + // const result = req.processSearchText(); + + // expect(result.data['searchTextType']).toBe(expectedType); + // expect(result.data['processedSearchText']).toBe(expectedProcessedText); + // expect(req._searchText).toBe(expectedProcessedText); + + const searchManager = new BasicSearchManager(SearchProviderSpec.getDefaultSearchProviderSpec()); + // testcases.forEach(async (testcase) => { + const resp = await searchManager.search(input, { + track_total_hits: true, + metadataOnly: true + }); + expect(resp.isOk()).toBe(succeed); + if (!resp.isOk()) { + console.error(`resp: ${JSON.stringify(resp, null, 2)}`); + } + const data = resp['data']['hits']; + const num = data.total.value; + expect(num).toBe(expectedNum); + if (num > 0) { + const first = data['hits'][0]; + expect(first).toMatchSnapshot({ + // _score: expect.any(Number), // this is null when a sort is set + _index: expect.any(String) + }); + } + }); + }); + }); + + +}); \ No newline at end of file diff --git a/test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP1.json b/test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP1.json new file mode 100644 index 0000000..c5bd2af --- /dev/null +++ b/test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP1.json @@ -0,0 +1,7510 @@ +{ + "cve_ids": [ + { + "cve_id": "CVE-2023-4085", + "cve_year": "2023", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2023-08-02T04:51:23.587Z", + "state": "REJECTED", + "time": { + "created": "2023-08-02T04:51:23.588Z", + "modified": "2024-04-23T06:44:27.293Z" + } + }, + { + "cve_id": "CVE-2023-4086", + "cve_year": "2023", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2023-08-02T04:51:24.059Z", + "state": "REJECTED", + "time": { + "created": "2023-08-02T04:51:24.059Z", + "modified": "2024-04-23T06:44:23.709Z" + } + }, + { + "cve_id": "CVE-2023-4285", + "cve_year": "2023", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2023-08-10T09:32:48.436Z", + "state": "REJECTED", + "time": { + "created": "2023-08-10T09:32:48.437Z", + "modified": "2024-04-23T06:44:21.295Z" + } + }, + { + "cve_id": "CVE-2023-4286", + "cve_year": "2023", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2023-08-10T09:32:48.761Z", + "state": "REJECTED", + "time": { + "created": "2023-08-10T09:32:48.762Z", + "modified": "2024-04-23T06:44:19.100Z" + } + }, + { + "cve_id": "CVE-2023-4287", + "cve_year": "2023", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2023-08-10T09:32:48.799Z", + "state": "REJECTED", + "time": { + "created": "2023-08-10T09:32:48.800Z", + "modified": "2024-04-23T06:44:12.778Z" + } + }, + { + "cve_id": "CVE-2023-4288", + "cve_year": "2023", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2023-08-10T09:32:49.126Z", + "state": "REJECTED", + "time": { + "created": "2023-08-10T09:32:49.127Z", + "modified": "2024-04-23T06:44:09.025Z" + } + }, + { + "cve_id": "CVE-2023-6072", + "cve_year": "2023", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "sampatkumar.satyamurti@trellix.com" + }, + "reserved": "2023-11-10T06:32:51.689Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-10T06:32:51.690Z", + "modified": "2024-02-13T09:39:54.612Z" + } + }, + { + "cve_id": "CVE-2023-6256", + "cve_year": "2023", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "david.oxley@trellix.com" + }, + "reserved": "2023-11-22T14:22:52.679Z", + "state": "REJECTED", + "time": { + "created": "2023-11-22T14:22:52.680Z", + "modified": "2024-04-23T06:44:15.534Z" + } + }, + { + "cve_id": "CVE-2024-0206", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-01-03T04:30:32.801Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-03T04:30:32.801Z", + "modified": "2024-01-09T12:56:46.971Z" + } + }, + { + "cve_id": "CVE-2024-0213", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-01-03T09:31:15.680Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-03T09:31:15.681Z", + "modified": "2024-01-09T13:01:13.221Z" + } + }, + { + "cve_id": "CVE-2024-0310", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-01-08T06:20:53.953Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-08T06:20:53.954Z", + "modified": "2024-01-10T10:43:46.017Z" + } + }, + { + "cve_id": "CVE-2024-0311", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-01-08T07:55:02.516Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-08T07:55:02.516Z", + "modified": "2024-03-14T09:06:25.154Z" + } + }, + { + "cve_id": "CVE-2024-0312", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-01-08T07:55:55.985Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-08T07:55:55.986Z", + "modified": "2024-03-14T09:08:27.244Z" + } + }, + { + "cve_id": "CVE-2024-0313", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-01-08T08:01:23.678Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-08T08:01:23.679Z", + "modified": "2024-03-14T09:11:29.784Z" + } + }, + { + "cve_id": "CVE-2024-4047", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-04-23T05:22:17.268Z", + "state": "RESERVED", + "time": { + "created": "2024-04-23T05:22:17.269Z", + "modified": "2024-04-23T05:22:17.269Z" + } + }, + { + "cve_id": "CVE-2024-4048", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-04-23T05:22:17.764Z", + "state": "RESERVED", + "time": { + "created": "2024-04-23T05:22:17.765Z", + "modified": "2024-04-23T05:22:17.765Z" + } + }, + { + "cve_id": "CVE-2024-4049", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-04-23T05:22:19.085Z", + "state": "RESERVED", + "time": { + "created": "2024-04-23T05:22:19.086Z", + "modified": "2024-04-23T05:22:19.086Z" + } + }, + { + "cve_id": "CVE-2024-4050", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-04-23T05:22:20.478Z", + "state": "RESERVED", + "time": { + "created": "2024-04-23T05:22:20.478Z", + "modified": "2024-04-23T05:22:20.478Z" + } + }, + { + "cve_id": "CVE-2024-4051", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-04-23T05:22:31.774Z", + "state": "RESERVED", + "time": { + "created": "2024-04-23T05:22:31.774Z", + "modified": "2024-04-23T05:22:31.774Z" + } + }, + { + "cve_id": "CVE-2024-4052", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-04-23T05:22:32.193Z", + "state": "RESERVED", + "time": { + "created": "2024-04-23T05:22:32.193Z", + "modified": "2024-04-23T05:22:32.193Z" + } + }, + { + "cve_id": "CVE-2024-4053", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-04-23T05:22:33.099Z", + "state": "RESERVED", + "time": { + "created": "2024-04-23T05:22:33.099Z", + "modified": "2024-04-23T05:22:33.099Z" + } + }, + { + "cve_id": "CVE-2024-4054", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-04-23T05:22:34.312Z", + "state": "RESERVED", + "time": { + "created": "2024-04-23T05:22:34.312Z", + "modified": "2024-04-23T05:22:34.312Z" + } + }, + { + "cve_id": "CVE-2024-4055", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-04-23T05:22:35.610Z", + "state": "RESERVED", + "time": { + "created": "2024-04-23T05:22:35.610Z", + "modified": "2024-04-23T05:22:35.610Z" + } + }, + { + "cve_id": "CVE-2024-4176", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "sampatkumar.satyamurti@trellix.com" + }, + "reserved": "2024-04-25T10:01:39.233Z", + "state": "RESERVED", + "time": { + "created": "2024-04-25T10:01:39.234Z", + "modified": "2024-04-25T10:01:39.234Z" + } + }, + { + "cve_id": "CVE-2024-4843", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-05-13T17:04:36.161Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-13T17:04:36.161Z", + "modified": "2024-05-16T06:04:05.489Z" + } + }, + { + "cve_id": "CVE-2024-4844", + "cve_year": "2024", + "owning_cna": "trellix", + "requested_by": { + "cna": "trellix", + "user": "snehapoorniah.yelandur@trellix.com" + }, + "reserved": "2024-05-13T17:04:37.655Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-13T17:04:37.656Z", + "modified": "2024-05-16T06:19:47.436Z" + } + }, + { + "cve_id": "CVE-2023-4472", + "cve_year": "2023", + "owning_cna": "Mandiant", + "requested_by": { + "cna": "Mandiant", + "user": "aaron.carreras@mandiant.com" + }, + "reserved": "2023-08-21T19:42:17.822Z", + "state": "PUBLISHED", + "time": { + "created": "2023-08-21T19:42:17.823Z", + "modified": "2024-02-01T22:11:21.368Z" + } + }, + { + "cve_id": "CVE-2023-7101", + "cve_year": "2023", + "owning_cna": "Mandiant", + "requested_by": { + "cna": "Mandiant", + "user": "aaron.carreras@mandiant.com" + }, + "reserved": "2023-12-24T16:23:02.000Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-24T16:23:02.001Z", + "modified": "2024-05-05T14:52:35.322Z" + } + }, + { + "cve_id": "CVE-2024-0633", + "cve_year": "2024", + "owning_cna": "Mandiant", + "requested_by": { + "cna": "Mandiant", + "user": "aaron.carreras@mandiant.com" + }, + "reserved": "2024-01-16T22:23:55.049Z", + "state": "REJECTED", + "time": { + "created": "2024-01-16T22:23:55.050Z", + "modified": "2024-02-02T16:50:05.949Z" + } + }, + { + "cve_id": "CVE-2024-0634", + "cve_year": "2024", + "owning_cna": "Mandiant", + "requested_by": { + "cna": "Mandiant", + "user": "aaron.carreras@mandiant.com" + }, + "reserved": "2024-01-16T22:23:55.825Z", + "state": "RESERVED", + "time": { + "created": "2024-01-16T22:23:55.826Z", + "modified": "2024-01-16T22:23:55.826Z" + } + }, + { + "cve_id": "CVE-2024-0635", + "cve_year": "2024", + "owning_cna": "Mandiant", + "requested_by": { + "cna": "Mandiant", + "user": "aaron.carreras@mandiant.com" + }, + "reserved": "2024-01-16T22:23:56.515Z", + "state": "RESERVED", + "time": { + "created": "2024-01-16T22:23:56.516Z", + "modified": "2024-01-16T22:23:56.516Z" + } + }, + { + "cve_id": "CVE-2024-0636", + "cve_year": "2024", + "owning_cna": "Mandiant", + "requested_by": { + "cna": "Mandiant", + "user": "aaron.carreras@mandiant.com" + }, + "reserved": "2024-01-16T22:23:57.148Z", + "state": "RESERVED", + "time": { + "created": "2024-01-16T22:23:57.148Z", + "modified": "2024-01-16T22:23:57.148Z" + } + }, + { + "cve_id": "CVE-2024-0950", + "cve_year": "2024", + "owning_cna": "Mandiant", + "requested_by": { + "cna": "Mandiant", + "user": "aaron.carreras@mandiant.com" + }, + "reserved": "2024-01-26T13:49:41.507Z", + "state": "RESERVED", + "time": { + "created": "2024-01-26T13:49:41.508Z", + "modified": "2024-01-26T13:49:41.508Z" + } + }, + { + "cve_id": "CVE-2024-1903", + "cve_year": "2024", + "owning_cna": "Mandiant", + "requested_by": { + "cna": "Mandiant", + "user": "aaron.carreras@mandiant.com" + }, + "reserved": "2024-02-26T19:37:01.630Z", + "state": "RESERVED", + "time": { + "created": "2024-02-26T19:37:01.631Z", + "modified": "2024-02-26T19:37:01.631Z" + } + }, + { + "cve_id": "CVE-2023-5138", + "cve_year": "2023", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "steve.egerter@silabs.com" + }, + "reserved": "2023-09-22T21:13:46.220Z", + "state": "PUBLISHED", + "time": { + "created": "2023-09-22T21:13:46.221Z", + "modified": "2024-01-03T22:31:04.451Z" + } + }, + { + "cve_id": "CVE-2023-51391", + "cve_year": "2023", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2023-12-18T20:56:24.811Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-18T20:56:24.813Z", + "modified": "2024-04-18T09:05:56.255Z" + } + }, + { + "cve_id": "CVE-2023-51392", + "cve_year": "2023", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2023-12-18T20:56:24.812Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-18T20:56:24.813Z", + "modified": "2024-02-23T16:12:41.287Z" + } + }, + { + "cve_id": "CVE-2023-51393", + "cve_year": "2023", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2023-12-18T20:56:24.812Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-18T20:56:24.813Z", + "modified": "2024-02-23T19:14:23.822Z" + } + }, + { + "cve_id": "CVE-2023-51394", + "cve_year": "2023", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2023-12-18T20:56:24.812Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-18T20:56:24.813Z", + "modified": "2024-02-23T19:13:37.219Z" + } + }, + { + "cve_id": "CVE-2023-51395", + "cve_year": "2023", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2023-12-18T20:56:24.812Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-18T20:56:24.813Z", + "modified": "2024-03-07T04:50:54.663Z" + } + }, + { + "cve_id": "CVE-2023-6387", + "cve_year": "2023", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "steve.egerter@silabs.com" + }, + "reserved": "2023-11-29T18:05:03.426Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-29T18:05:03.427Z", + "modified": "2024-02-02T15:18:13.198Z" + } + }, + { + "cve_id": "CVE-2023-6533", + "cve_year": "2023", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "sarah.latiolais@silabs.com" + }, + "reserved": "2023-12-05T18:59:45.077Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-05T18:59:45.078Z", + "modified": "2024-02-21T19:55:26.635Z" + } + }, + { + "cve_id": "CVE-2023-6640", + "cve_year": "2023", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "sarah.latiolais@silabs.com" + }, + "reserved": "2023-12-08T20:21:25.231Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-08T20:21:25.232Z", + "modified": "2024-02-21T19:56:50.831Z" + } + }, + { + "cve_id": "CVE-2023-6874", + "cve_year": "2023", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "steve.egerter@silabs.com" + }, + "reserved": "2023-12-15T17:44:27.312Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-15T17:44:27.313Z", + "modified": "2024-02-05T17:39:43.301Z" + } + }, + { + "cve_id": "CVE-2024-0240", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "steve.egerter@silabs.com" + }, + "reserved": "2024-01-04T16:51:46.029Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-04T16:51:46.030Z", + "modified": "2024-02-15T20:30:45.277Z" + } + }, + { + "cve_id": "CVE-2024-22465", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2024-01-10T19:20:24.391Z", + "state": "RESERVED", + "time": { + "created": "2024-01-10T19:20:24.395Z", + "modified": "2024-01-10T19:20:24.395Z" + } + }, + { + "cve_id": "CVE-2024-22466", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2024-01-10T19:20:24.392Z", + "state": "RESERVED", + "time": { + "created": "2024-01-10T19:20:24.395Z", + "modified": "2024-01-10T19:20:24.395Z" + } + }, + { + "cve_id": "CVE-2024-22467", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2024-01-10T19:20:24.392Z", + "state": "RESERVED", + "time": { + "created": "2024-01-10T19:20:24.395Z", + "modified": "2024-01-10T19:20:24.395Z" + } + }, + { + "cve_id": "CVE-2024-22468", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2024-01-10T19:20:24.392Z", + "state": "RESERVED", + "time": { + "created": "2024-01-10T19:20:24.395Z", + "modified": "2024-01-10T19:20:24.395Z" + } + }, + { + "cve_id": "CVE-2024-22469", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2024-01-10T19:20:24.392Z", + "state": "RESERVED", + "time": { + "created": "2024-01-10T19:20:24.395Z", + "modified": "2024-01-10T19:20:24.395Z" + } + }, + { + "cve_id": "CVE-2024-22470", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2024-01-10T19:20:24.392Z", + "state": "RESERVED", + "time": { + "created": "2024-01-10T19:20:24.395Z", + "modified": "2024-01-10T19:20:24.395Z" + } + }, + { + "cve_id": "CVE-2024-22471", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2024-01-10T19:20:24.392Z", + "state": "RESERVED", + "time": { + "created": "2024-01-10T19:20:24.395Z", + "modified": "2024-01-10T19:20:24.395Z" + } + }, + { + "cve_id": "CVE-2024-22472", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2024-01-10T19:20:24.393Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-10T19:20:24.395Z", + "modified": "2024-05-07T05:17:26.637Z" + } + }, + { + "cve_id": "CVE-2024-22473", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2024-01-10T19:20:24.393Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-10T19:20:24.396Z", + "modified": "2024-02-21T18:13:10.261Z" + } + }, + { + "cve_id": "CVE-2024-22474", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "john.hemmick@silabs.com" + }, + "reserved": "2024-01-10T19:20:24.394Z", + "state": "RESERVED", + "time": { + "created": "2024-01-10T19:20:24.396Z", + "modified": "2024-01-10T19:20:24.396Z" + } + }, + { + "cve_id": "CVE-2024-2502", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "steve.egerter@silabs.com" + }, + "reserved": "2024-03-15T13:34:41.105Z", + "state": "RESERVED", + "time": { + "created": "2024-03-15T13:34:41.105Z", + "modified": "2024-03-15T13:34:41.105Z" + } + }, + { + "cve_id": "CVE-2024-3017", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "steve.egerter@silabs.com" + }, + "reserved": "2024-03-27T15:31:21.891Z", + "state": "RESERVED", + "time": { + "created": "2024-03-27T15:31:21.892Z", + "modified": "2024-03-27T15:31:21.892Z" + } + }, + { + "cve_id": "CVE-2024-3043", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "steve.egerter@silabs.com" + }, + "reserved": "2024-03-28T14:15:10.718Z", + "state": "RESERVED", + "time": { + "created": "2024-03-28T14:15:10.719Z", + "modified": "2024-03-28T14:15:10.719Z" + } + }, + { + "cve_id": "CVE-2024-3051", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "sarah.latiolais@silabs.com" + }, + "reserved": "2024-03-28T19:04:58.593Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-28T19:04:58.594Z", + "modified": "2024-04-26T21:26:38.396Z" + } + }, + { + "cve_id": "CVE-2024-3052", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "sarah.latiolais@silabs.com" + }, + "reserved": "2024-03-28T19:05:04.219Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-28T19:05:04.219Z", + "modified": "2024-04-26T21:27:16.432Z" + } + }, + { + "cve_id": "CVE-2024-3527", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "sarah.latiolais@silabs.com" + }, + "reserved": "2024-04-09T16:28:53.653Z", + "state": "RESERVED", + "time": { + "created": "2024-04-09T16:28:53.653Z", + "modified": "2024-04-09T16:28:53.653Z" + } + }, + { + "cve_id": "CVE-2024-3805", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "steve.egerter@silabs.com" + }, + "reserved": "2024-04-15T13:09:15.553Z", + "state": "RESERVED", + "time": { + "created": "2024-04-15T13:09:15.553Z", + "modified": "2024-04-15T13:09:15.553Z" + } + }, + { + "cve_id": "CVE-2024-4013", + "cve_year": "2024", + "owning_cna": "Silabs", + "requested_by": { + "cna": "Silabs", + "user": "sarah.latiolais@silabs.com" + }, + "reserved": "2024-04-19T17:58:42.900Z", + "state": "RESERVED", + "time": { + "created": "2024-04-19T17:58:42.901Z", + "modified": "2024-04-19T17:58:42.901Z" + } + }, + { + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "time": { + "created": "2023-03-09T05:25:56.975Z", + "modified": "2024-02-14T16:55:41.506Z" + }, + "cve_id": "CVE-2023-27975", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "schneider", + "reserved": "2023-03-09T05:25:56.973Z" + }, + { + "cve_id": "CVE-2023-5628", + "cve_year": "2023", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2023-10-18T06:08:56.115Z", + "state": "REJECTED", + "time": { + "created": "2023-10-18T06:08:56.115Z", + "modified": "2024-03-18T13:19:09.843Z" + } + }, + { + "cve_id": "CVE-2023-5733", + "cve_year": "2023", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "timothy.gilbert@se.com" + }, + "reserved": "2023-10-23T17:54:24.898Z", + "state": "REJECTED", + "time": { + "created": "2023-10-23T17:54:24.899Z", + "modified": "2024-01-12T14:27:40.212Z" + } + }, + { + "cve_id": "CVE-2023-5734", + "cve_year": "2023", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "timothy.gilbert@se.com" + }, + "reserved": "2023-10-23T17:54:25.895Z", + "state": "REJECTED", + "time": { + "created": "2023-10-23T17:54:25.895Z", + "modified": "2024-01-12T14:25:03.964Z" + } + }, + { + "cve_id": "CVE-2023-5736", + "cve_year": "2023", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "timothy.gilbert@se.com" + }, + "reserved": "2023-10-23T17:54:27.351Z", + "state": "REJECTED", + "time": { + "created": "2023-10-23T17:54:27.352Z", + "modified": "2024-01-12T14:29:22.846Z" + } + }, + { + "cve_id": "CVE-2023-6408", + "cve_year": "2023", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2023-11-30T09:52:30.945Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-30T09:52:30.946Z", + "modified": "2024-02-14T16:52:24.815Z" + } + }, + { + "cve_id": "CVE-2023-6409", + "cve_year": "2023", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2023-11-30T09:53:56.413Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-30T09:53:56.413Z", + "modified": "2024-02-14T16:47:05.529Z" + } + }, + { + "cve_id": "CVE-2023-7032", + "cve_year": "2023", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "esmeralda.paz@se.com" + }, + "reserved": "2023-12-20T22:29:58.270Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-20T22:29:58.271Z", + "modified": "2024-01-09T19:30:19.846Z" + } + }, + { + "cve_id": "CVE-2024-0568", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-01-16T05:38:07.917Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-16T05:38:07.918Z", + "modified": "2024-02-14T16:58:59.822Z" + } + }, + { + "cve_id": "CVE-2024-0865", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "esmeralda.paz@se.com" + }, + "reserved": "2024-01-24T17:18:07.117Z", + "state": "RESERVED", + "time": { + "created": "2024-01-24T17:18:07.118Z", + "modified": "2024-01-24T17:18:07.118Z" + } + }, + { + "cve_id": "CVE-2024-2050", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-03-01T01:24:55.480Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-01T01:24:55.481Z", + "modified": "2024-03-18T16:04:57.385Z" + } + }, + { + "cve_id": "CVE-2024-2051", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-03-01T01:25:46.121Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-01T01:25:46.122Z", + "modified": "2024-03-18T16:03:44.999Z" + } + }, + { + "cve_id": "CVE-2024-2052", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-03-01T01:26:10.084Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-01T01:26:10.085Z", + "modified": "2024-03-18T16:05:47.736Z" + } + }, + { + "cve_id": "CVE-2024-2229", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "esmeralda.paz@se.com" + }, + "reserved": "2024-03-06T17:07:33.392Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-06T17:07:33.392Z", + "modified": "2024-03-18T16:08:33.784Z" + } + }, + { + "cve_id": "CVE-2024-2230", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "esmeralda.paz@se.com" + }, + "reserved": "2024-03-06T19:22:00.316Z", + "state": "RESERVED", + "time": { + "created": "2024-03-06T19:22:00.317Z", + "modified": "2024-03-06T19:22:00.317Z" + } + }, + { + "cve_id": "CVE-2024-2602", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-03-18T13:19:23.946Z", + "state": "RESERVED", + "time": { + "created": "2024-03-18T13:19:23.947Z", + "modified": "2024-03-18T13:19:23.947Z" + } + }, + { + "cve_id": "CVE-2024-2747", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "esmeralda.paz@se.com" + }, + "reserved": "2024-03-20T16:57:16.005Z", + "state": "RESERVED", + "time": { + "created": "2024-03-20T16:57:16.006Z", + "modified": "2024-03-20T16:57:16.006Z" + } + }, + { + "cve_id": "CVE-2024-37036", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-05-31T06:52:05.762Z", + "state": "RESERVED", + "time": { + "created": "2024-05-31T06:52:05.763Z", + "modified": "2024-05-31T06:52:05.763Z" + } + }, + { + "cve_id": "CVE-2024-37037", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-05-31T06:52:05.762Z", + "state": "RESERVED", + "time": { + "created": "2024-05-31T06:52:05.763Z", + "modified": "2024-05-31T06:52:05.763Z" + } + }, + { + "cve_id": "CVE-2024-37038", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-05-31T06:52:05.762Z", + "state": "RESERVED", + "time": { + "created": "2024-05-31T06:52:05.763Z", + "modified": "2024-05-31T06:52:05.763Z" + } + }, + { + "cve_id": "CVE-2024-37039", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-05-31T06:52:05.762Z", + "state": "RESERVED", + "time": { + "created": "2024-05-31T06:52:05.763Z", + "modified": "2024-05-31T06:52:05.763Z" + } + }, + { + "cve_id": "CVE-2024-37040", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-05-31T06:52:05.762Z", + "state": "RESERVED", + "time": { + "created": "2024-05-31T06:52:05.763Z", + "modified": "2024-05-31T06:52:05.763Z" + } + }, + { + "cve_id": "CVE-2024-4694", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "timothy.gilbert@se.com" + }, + "reserved": "2024-05-09T15:18:46.238Z", + "state": "RESERVED", + "time": { + "created": "2024-05-09T15:18:46.239Z", + "modified": "2024-05-09T15:18:46.239Z" + } + }, + { + "cve_id": "CVE-2024-5056", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-05-17T10:06:08.565Z", + "state": "RESERVED", + "time": { + "created": "2024-05-17T10:06:08.566Z", + "modified": "2024-05-17T10:06:08.566Z" + } + }, + { + "cve_id": "CVE-2024-5313", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-05-24T08:29:40.058Z", + "state": "RESERVED", + "time": { + "created": "2024-05-24T08:29:40.059Z", + "modified": "2024-05-24T08:29:40.059Z" + } + }, + { + "cve_id": "CVE-2024-5557", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-05-31T06:58:40.277Z", + "state": "RESERVED", + "time": { + "created": "2024-05-31T06:58:40.277Z", + "modified": "2024-05-31T06:58:40.277Z" + } + }, + { + "cve_id": "CVE-2024-5558", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-05-31T06:58:47.453Z", + "state": "RESERVED", + "time": { + "created": "2024-05-31T06:58:47.454Z", + "modified": "2024-05-31T06:58:47.454Z" + } + }, + { + "cve_id": "CVE-2024-5559", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-05-31T06:58:51.639Z", + "state": "RESERVED", + "time": { + "created": "2024-05-31T06:58:51.640Z", + "modified": "2024-05-31T06:58:51.640Z" + } + }, + { + "cve_id": "CVE-2024-5560", + "cve_year": "2024", + "owning_cna": "schneider", + "requested_by": { + "cna": "schneider", + "user": "girish.kolla@non.se.com" + }, + "reserved": "2024-05-31T06:58:55.638Z", + "state": "RESERVED", + "time": { + "created": "2024-05-31T06:58:55.638Z", + "modified": "2024-05-31T06:58:55.638Z" + } + }, + { + "cve_id": "CVE-2023-44372", + "cve_year": "2023", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-09-28T16:25:40.455Z", + "state": "PUBLISHED", + "time": { + "created": "2023-09-28T16:25:40.461Z", + "modified": "2024-02-23T19:06:13.175Z" + } + }, + { + "cve_id": "CVE-2023-51463", + "cve_year": "2023", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-19T17:03:41.382Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-19T17:03:41.383Z", + "modified": "2024-01-18T10:21:49.425Z" + } + }, + { + "cve_id": "CVE-2023-51464", + "cve_year": "2023", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-19T17:03:41.382Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-19T17:03:41.383Z", + "modified": "2024-01-18T10:21:48.642Z" + } + }, + { + "cve_id": "CVE-2024-20709", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.967Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.005Z", + "modified": "2024-01-15T12:13:10.376Z" + } + }, + { + "cve_id": "CVE-2024-20710", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.967Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.005Z", + "modified": "2024-01-10T12:25:56.523Z" + } + }, + { + "cve_id": "CVE-2024-20711", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.967Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.005Z", + "modified": "2024-01-10T12:26:00.486Z" + } + }, + { + "cve_id": "CVE-2024-20712", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.967Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.005Z", + "modified": "2024-01-10T12:25:59.634Z" + } + }, + { + "cve_id": "CVE-2024-20713", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.968Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.005Z", + "modified": "2024-01-10T12:25:58.857Z" + } + }, + { + "cve_id": "CVE-2024-20714", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.968Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.006Z", + "modified": "2024-01-10T12:25:58.083Z" + } + }, + { + "cve_id": "CVE-2024-20715", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.968Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.006Z", + "modified": "2024-01-10T12:25:57.302Z" + } + }, + { + "cve_id": "CVE-2024-20716", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.968Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.006Z", + "modified": "2024-02-15T13:39:40.878Z" + } + }, + { + "cve_id": "CVE-2024-20717", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.968Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.006Z", + "modified": "2024-02-15T13:39:40.100Z" + } + }, + { + "cve_id": "CVE-2024-20718", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.968Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.006Z", + "modified": "2024-02-15T13:39:39.316Z" + } + }, + { + "cve_id": "CVE-2024-20719", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.968Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.006Z", + "modified": "2024-02-15T13:39:38.551Z" + } + }, + { + "cve_id": "CVE-2024-20720", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.969Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.006Z", + "modified": "2024-02-15T13:39:37.781Z" + } + }, + { + "cve_id": "CVE-2024-20721", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.969Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.007Z", + "modified": "2024-01-15T12:13:09.576Z" + } + }, + { + "cve_id": "CVE-2024-20722", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.969Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.007Z", + "modified": "2024-02-15T10:12:19.280Z" + } + }, + { + "cve_id": "CVE-2024-20723", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.969Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.007Z", + "modified": "2024-02-15T10:12:16.031Z" + } + }, + { + "cve_id": "CVE-2024-20724", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.969Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.007Z", + "modified": "2024-02-15T10:12:20.888Z" + } + }, + { + "cve_id": "CVE-2024-20725", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.969Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.007Z", + "modified": "2024-02-15T10:12:15.210Z" + } + }, + { + "cve_id": "CVE-2024-20726", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.969Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.007Z", + "modified": "2024-02-15T12:18:44.686Z" + } + }, + { + "cve_id": "CVE-2024-20727", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.969Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.007Z", + "modified": "2024-02-15T12:18:42.295Z" + } + }, + { + "cve_id": "CVE-2024-20728", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.970Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.007Z", + "modified": "2024-02-15T12:18:38.356Z" + } + }, + { + "cve_id": "CVE-2024-20729", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.970Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.007Z", + "modified": "2024-02-15T17:06:00.306Z" + } + }, + { + "cve_id": "CVE-2024-20730", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.970Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.007Z", + "modified": "2024-02-15T17:06:02.073Z" + } + }, + { + "cve_id": "CVE-2024-20731", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.970Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.008Z", + "modified": "2024-02-15T17:06:03.920Z" + } + }, + { + "cve_id": "CVE-2024-20733", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.970Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.008Z", + "modified": "2024-02-15T12:18:40.717Z" + } + }, + { + "cve_id": "CVE-2024-20734", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.970Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.008Z", + "modified": "2024-02-15T12:18:39.143Z" + } + }, + { + "cve_id": "CVE-2024-20735", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.970Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.008Z", + "modified": "2024-02-15T17:05:56.838Z" + } + }, + { + "cve_id": "CVE-2024-20736", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.971Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.008Z", + "modified": "2024-02-15T12:18:37.555Z" + } + }, + { + "cve_id": "CVE-2024-20737", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.971Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.008Z", + "modified": "2024-04-10T08:56:42.751Z" + } + }, + { + "cve_id": "CVE-2024-20738", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.971Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.008Z", + "modified": "2024-02-15T12:22:52.036Z" + } + }, + { + "cve_id": "CVE-2024-20739", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.971Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.008Z", + "modified": "2024-02-15T12:26:42.159Z" + } + }, + { + "cve_id": "CVE-2024-20740", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.971Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.009Z", + "modified": "2024-02-15T10:12:18.494Z" + } + }, + { + "cve_id": "CVE-2024-20741", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.972Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.009Z", + "modified": "2024-02-15T10:12:16.884Z" + } + }, + { + "cve_id": "CVE-2024-20742", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.973Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.009Z", + "modified": "2024-02-15T10:12:17.719Z" + } + }, + { + "cve_id": "CVE-2024-20743", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.974Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.009Z", + "modified": "2024-02-15T10:12:20.108Z" + } + }, + { + "cve_id": "CVE-2024-20744", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.974Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.009Z", + "modified": "2024-02-15T10:12:21.665Z" + } + }, + { + "cve_id": "CVE-2024-20745", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.974Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.009Z", + "modified": "2024-03-18T14:59:22.408Z" + } + }, + { + "cve_id": "CVE-2024-20746", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.974Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.009Z", + "modified": "2024-03-18T14:59:23.165Z" + } + }, + { + "cve_id": "CVE-2024-20747", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.975Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.009Z", + "modified": "2024-02-15T17:05:55.128Z" + } + }, + { + "cve_id": "CVE-2024-20748", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.975Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.010Z", + "modified": "2024-02-15T17:06:05.595Z" + } + }, + { + "cve_id": "CVE-2024-20749", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.975Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.010Z", + "modified": "2024-02-15T17:05:58.513Z" + } + }, + { + "cve_id": "CVE-2024-20750", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.975Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.010Z", + "modified": "2024-02-15T12:30:32.969Z" + } + }, + { + "cve_id": "CVE-2024-20752", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.976Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.010Z", + "modified": "2024-03-18T15:54:32.247Z" + } + }, + { + "cve_id": "CVE-2024-20754", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.976Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.010Z", + "modified": "2024-03-18T17:12:20.118Z" + } + }, + { + "cve_id": "CVE-2024-20755", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.977Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.010Z", + "modified": "2024-03-18T15:54:32.990Z" + } + }, + { + "cve_id": "CVE-2024-20756", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.977Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.010Z", + "modified": "2024-03-18T15:54:31.505Z" + } + }, + { + "cve_id": "CVE-2024-20757", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.977Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.011Z", + "modified": "2024-03-18T15:54:33.727Z" + } + }, + { + "cve_id": "CVE-2024-20758", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.978Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.011Z", + "modified": "2024-04-10T11:49:04.037Z" + } + }, + { + "cve_id": "CVE-2024-20759", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.978Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.011Z", + "modified": "2024-04-10T11:49:02.903Z" + } + }, + { + "cve_id": "CVE-2024-20760", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.978Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.011Z", + "modified": "2024-03-18T17:54:40.853Z" + } + }, + { + "cve_id": "CVE-2024-20761", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.978Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.011Z", + "modified": "2024-03-18T17:34:12.829Z" + } + }, + { + "cve_id": "CVE-2024-20762", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.979Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.011Z", + "modified": "2024-03-18T17:34:15.154Z" + } + }, + { + "cve_id": "CVE-2024-20763", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.979Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.011Z", + "modified": "2024-03-18T17:34:13.615Z" + } + }, + { + "cve_id": "CVE-2024-20764", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.979Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.012Z", + "modified": "2024-03-18T17:34:14.387Z" + } + }, + { + "cve_id": "CVE-2024-20765", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.979Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.012Z", + "modified": "2024-02-29T16:35:04.416Z" + } + }, + { + "cve_id": "CVE-2024-20766", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.987Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.012Z", + "modified": "2024-04-10T12:48:34.894Z" + } + }, + { + "cve_id": "CVE-2024-20767", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.987Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.012Z", + "modified": "2024-03-18T11:43:28.485Z" + } + }, + { + "cve_id": "CVE-2024-20768", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.987Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.012Z", + "modified": "2024-03-18T17:54:14.247Z" + } + }, + { + "cve_id": "CVE-2024-20770", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.987Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.012Z", + "modified": "2024-04-10T12:44:26.951Z" + } + }, + { + "cve_id": "CVE-2024-20771", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.987Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.012Z", + "modified": "2024-04-11T08:10:59.746Z" + } + }, + { + "cve_id": "CVE-2024-20772", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.988Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.013Z", + "modified": "2024-04-10T13:02:43.605Z" + } + }, + { + "cve_id": "CVE-2024-20778", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.988Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.014Z", + "modified": "2024-04-10T08:51:59.138Z" + } + }, + { + "cve_id": "CVE-2024-20779", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.988Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.014Z", + "modified": "2024-04-10T08:52:05.352Z" + } + }, + { + "cve_id": "CVE-2024-20780", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.989Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.014Z", + "modified": "2024-04-10T08:52:04.595Z" + } + }, + { + "cve_id": "CVE-2024-20791", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.991Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.015Z", + "modified": "2024-05-16T08:08:48.467Z" + } + }, + { + "cve_id": "CVE-2024-20792", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.991Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.015Z", + "modified": "2024-05-16T08:08:46.933Z" + } + }, + { + "cve_id": "CVE-2024-20793", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.991Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.015Z", + "modified": "2024-05-16T08:08:47.698Z" + } + }, + { + "cve_id": "CVE-2024-20794", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.991Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.015Z", + "modified": "2024-04-11T10:53:14.452Z" + } + }, + { + "cve_id": "CVE-2024-20795", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.992Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.015Z", + "modified": "2024-04-11T10:53:12.925Z" + } + }, + { + "cve_id": "CVE-2024-20796", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.992Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.015Z", + "modified": "2024-04-11T10:53:13.694Z" + } + }, + { + "cve_id": "CVE-2024-20797", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.992Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.015Z", + "modified": "2024-04-11T10:53:15.221Z" + } + }, + { + "cve_id": "CVE-2024-20798", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.992Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.015Z", + "modified": "2024-04-11T08:19:44.065Z" + } + }, + { + "cve_id": "CVE-2024-20799", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.992Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.015Z", + "modified": "2024-04-02T08:04:17.448Z" + } + }, + { + "cve_id": "CVE-2024-20800", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2023-12-04T16:52:22.993Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-04T16:52:23.015Z", + "modified": "2024-04-04T08:59:26.927Z" + } + }, + { + "cve_id": "CVE-2024-26028", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.386Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.421Z", + "modified": "2024-03-18T17:54:20.015Z" + } + }, + { + "cve_id": "CVE-2024-26029", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.386Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.421Z", + "modified": "2024-02-14T17:37:23.421Z" + } + }, + { + "cve_id": "CVE-2024-26030", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.386Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.422Z", + "modified": "2024-03-18T17:54:27.167Z" + } + }, + { + "cve_id": "CVE-2024-26031", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.386Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.422Z", + "modified": "2024-03-18T17:54:29.932Z" + } + }, + { + "cve_id": "CVE-2024-26032", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.387Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.422Z", + "modified": "2024-03-18T17:54:18.466Z" + } + }, + { + "cve_id": "CVE-2024-26033", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.387Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.422Z", + "modified": "2024-03-18T17:54:41.881Z" + } + }, + { + "cve_id": "CVE-2024-26034", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.387Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.422Z", + "modified": "2024-03-18T17:54:32.175Z" + } + }, + { + "cve_id": "CVE-2024-26035", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.387Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.422Z", + "modified": "2024-03-18T17:54:42.660Z" + } + }, + { + "cve_id": "CVE-2024-26036", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.387Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.422Z", + "modified": "2024-02-14T17:37:23.422Z" + } + }, + { + "cve_id": "CVE-2024-26037", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.387Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.422Z", + "modified": "2024-02-14T17:37:23.422Z" + } + }, + { + "cve_id": "CVE-2024-26038", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.387Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.423Z", + "modified": "2024-03-18T17:54:24.880Z" + } + }, + { + "cve_id": "CVE-2024-26039", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.387Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.423Z", + "modified": "2024-02-14T17:37:23.423Z" + } + }, + { + "cve_id": "CVE-2024-26040", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.387Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.423Z", + "modified": "2024-03-18T17:54:22.305Z" + } + }, + { + "cve_id": "CVE-2024-26041", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.388Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.423Z", + "modified": "2024-03-18T17:54:12.736Z" + } + }, + { + "cve_id": "CVE-2024-26042", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.388Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.423Z", + "modified": "2024-03-18T17:54:20.770Z" + } + }, + { + "cve_id": "CVE-2024-26043", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.388Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.423Z", + "modified": "2024-03-18T17:54:11.937Z" + } + }, + { + "cve_id": "CVE-2024-26044", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.388Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.423Z", + "modified": "2024-03-18T17:54:25.643Z" + } + }, + { + "cve_id": "CVE-2024-26045", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.388Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.423Z", + "modified": "2024-03-18T17:54:15.052Z" + } + }, + { + "cve_id": "CVE-2024-26046", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.388Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.423Z", + "modified": "2024-04-10T08:52:03.816Z" + } + }, + { + "cve_id": "CVE-2024-26047", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.388Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.424Z", + "modified": "2024-04-10T08:52:00.679Z" + } + }, + { + "cve_id": "CVE-2024-26048", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.388Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.424Z", + "modified": "2024-02-14T17:37:23.424Z" + } + }, + { + "cve_id": "CVE-2024-26049", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.389Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.424Z", + "modified": "2024-02-14T17:37:23.424Z" + } + }, + { + "cve_id": "CVE-2024-26050", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.389Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.424Z", + "modified": "2024-03-18T17:54:24.123Z" + } + }, + { + "cve_id": "CVE-2024-26051", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.389Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.424Z", + "modified": "2024-03-18T17:54:35.189Z" + } + }, + { + "cve_id": "CVE-2024-26052", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.389Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.424Z", + "modified": "2024-03-18T17:54:16.932Z" + } + }, + { + "cve_id": "CVE-2024-26053", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.389Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.424Z", + "modified": "2024-02-14T17:37:23.424Z" + } + }, + { + "cve_id": "CVE-2024-26054", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.389Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.424Z", + "modified": "2024-02-14T17:37:23.424Z" + } + }, + { + "cve_id": "CVE-2024-26055", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.391Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.424Z", + "modified": "2024-02-14T17:37:23.424Z" + } + }, + { + "cve_id": "CVE-2024-26056", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.391Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-03-18T17:54:32.927Z" + } + }, + { + "cve_id": "CVE-2024-26057", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.391Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-02-14T17:37:23.425Z" + } + }, + { + "cve_id": "CVE-2024-26058", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.391Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-02-14T17:37:23.425Z" + } + }, + { + "cve_id": "CVE-2024-26059", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.391Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-03-18T17:54:28.785Z" + } + }, + { + "cve_id": "CVE-2024-26060", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.391Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-02-14T17:37:23.425Z" + } + }, + { + "cve_id": "CVE-2024-26061", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.391Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-03-18T17:54:37.823Z" + } + }, + { + "cve_id": "CVE-2024-26062", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.392Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-03-18T17:54:43.430Z" + } + }, + { + "cve_id": "CVE-2024-26063", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.392Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-03-18T17:54:44.932Z" + } + }, + { + "cve_id": "CVE-2024-26064", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.392Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-03-18T17:54:40.094Z" + } + }, + { + "cve_id": "CVE-2024-26065", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.392Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-03-18T17:54:46.452Z" + } + }, + { + "cve_id": "CVE-2024-26066", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.392Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-02-14T17:37:23.425Z" + } + }, + { + "cve_id": "CVE-2024-26067", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.392Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.425Z", + "modified": "2024-03-18T17:54:23.065Z" + } + }, + { + "cve_id": "CVE-2024-26068", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.392Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-02-14T17:37:23.426Z" + } + }, + { + "cve_id": "CVE-2024-26069", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.393Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-03-18T17:54:38.596Z" + } + }, + { + "cve_id": "CVE-2024-26070", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.393Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-02-14T17:37:23.426Z" + } + }, + { + "cve_id": "CVE-2024-26071", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.393Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-02-14T17:37:23.426Z" + } + }, + { + "cve_id": "CVE-2024-26072", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.393Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-02-14T17:37:23.426Z" + } + }, + { + "cve_id": "CVE-2024-26073", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.393Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-03-18T17:54:27.922Z" + } + }, + { + "cve_id": "CVE-2024-26074", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.393Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-02-14T17:37:23.426Z" + } + }, + { + "cve_id": "CVE-2024-26075", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.393Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-02-14T17:37:23.426Z" + } + }, + { + "cve_id": "CVE-2024-26076", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.393Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-04-10T08:52:02.215Z" + } + }, + { + "cve_id": "CVE-2024-26077", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.394Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-02-14T17:37:23.426Z" + } + }, + { + "cve_id": "CVE-2024-26078", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.394Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-02-14T17:37:23.426Z" + } + }, + { + "cve_id": "CVE-2024-26079", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.394Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-04-10T08:51:59.905Z" + } + }, + { + "cve_id": "CVE-2024-26080", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.394Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-03-18T17:54:44.182Z" + } + }, + { + "cve_id": "CVE-2024-26081", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.394Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-02-14T17:37:23.426Z" + } + }, + { + "cve_id": "CVE-2024-26082", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.394Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-02-14T17:37:23.426Z" + } + }, + { + "cve_id": "CVE-2024-26083", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.394Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.426Z", + "modified": "2024-02-14T17:37:23.426Z" + } + }, + { + "cve_id": "CVE-2024-26084", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.395Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-04-10T08:52:03.000Z" + } + }, + { + "cve_id": "CVE-2024-26085", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.395Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-02-14T17:37:23.427Z" + } + }, + { + "cve_id": "CVE-2024-26086", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.395Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-02-14T17:37:23.427Z" + } + }, + { + "cve_id": "CVE-2024-26087", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.395Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-04-10T08:52:06.119Z" + } + }, + { + "cve_id": "CVE-2024-26088", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.395Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-02-14T17:37:23.427Z" + } + }, + { + "cve_id": "CVE-2024-26089", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.395Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-02-14T17:37:23.427Z" + } + }, + { + "cve_id": "CVE-2024-26090", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.395Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-02-14T17:37:23.427Z" + } + }, + { + "cve_id": "CVE-2024-26091", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.396Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-02-14T17:37:23.427Z" + } + }, + { + "cve_id": "CVE-2024-26092", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.396Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-02-14T17:37:23.427Z" + } + }, + { + "cve_id": "CVE-2024-26093", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.396Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-02-14T17:37:23.427Z" + } + }, + { + "cve_id": "CVE-2024-26094", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.396Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-03-18T17:54:21.538Z" + } + }, + { + "cve_id": "CVE-2024-26095", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.396Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-02-14T17:37:23.427Z" + } + }, + { + "cve_id": "CVE-2024-26096", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.396Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-03-18T17:54:33.675Z" + } + }, + { + "cve_id": "CVE-2024-26097", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.396Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-04-10T08:52:06.888Z" + } + }, + { + "cve_id": "CVE-2024-26098", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.401Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-04-10T08:51:58.359Z" + } + }, + { + "cve_id": "CVE-2024-26099", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.401Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-02-14T17:37:23.427Z" + } + }, + { + "cve_id": "CVE-2024-26100", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.401Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-02-14T17:37:23.427Z" + } + }, + { + "cve_id": "CVE-2024-26101", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.402Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.427Z", + "modified": "2024-03-18T17:54:34.433Z" + } + }, + { + "cve_id": "CVE-2024-26102", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.402Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-03-18T17:54:26.406Z" + } + }, + { + "cve_id": "CVE-2024-26103", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.402Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-03-18T17:54:35.957Z" + } + }, + { + "cve_id": "CVE-2024-26104", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.402Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-03-18T17:54:37.067Z" + } + }, + { + "cve_id": "CVE-2024-26105", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.402Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-03-18T17:54:17.687Z" + } + }, + { + "cve_id": "CVE-2024-26106", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.402Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-03-18T17:54:45.689Z" + } + }, + { + "cve_id": "CVE-2024-26107", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.402Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-03-18T17:54:15.795Z" + } + }, + { + "cve_id": "CVE-2024-26108", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.402Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-02-14T17:37:23.428Z" + } + }, + { + "cve_id": "CVE-2024-26109", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.403Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-02-14T17:37:23.428Z" + } + }, + { + "cve_id": "CVE-2024-26110", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.403Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-02-14T17:37:23.428Z" + } + }, + { + "cve_id": "CVE-2024-26111", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.403Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-02-14T17:37:23.428Z" + } + }, + { + "cve_id": "CVE-2024-26112", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.403Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-02-14T17:37:23.428Z" + } + }, + { + "cve_id": "CVE-2024-26113", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.403Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-02-14T17:37:23.428Z" + } + }, + { + "cve_id": "CVE-2024-26114", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.403Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-02-14T17:37:23.428Z" + } + }, + { + "cve_id": "CVE-2024-26115", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.403Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-02-14T17:37:23.428Z" + } + }, + { + "cve_id": "CVE-2024-26116", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.405Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-02-14T17:37:23.428Z" + } + }, + { + "cve_id": "CVE-2024-26117", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.405Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-02-14T17:37:23.428Z" + } + }, + { + "cve_id": "CVE-2024-26118", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.405Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-03-18T17:54:19.227Z" + } + }, + { + "cve_id": "CVE-2024-26119", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.405Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.428Z", + "modified": "2024-03-18T17:54:30.687Z" + } + }, + { + "cve_id": "CVE-2024-26120", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.405Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.429Z", + "modified": "2024-03-18T17:54:39.341Z" + } + }, + { + "cve_id": "CVE-2024-26121", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.405Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.429Z", + "modified": "2024-02-14T17:37:23.429Z" + } + }, + { + "cve_id": "CVE-2024-26122", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.405Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.429Z", + "modified": "2024-04-10T08:52:01.452Z" + } + }, + { + "cve_id": "CVE-2024-26123", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.406Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.429Z", + "modified": "2024-02-14T17:37:23.429Z" + } + }, + { + "cve_id": "CVE-2024-26124", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.406Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.429Z", + "modified": "2024-03-18T17:54:31.433Z" + } + }, + { + "cve_id": "CVE-2024-26125", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.406Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-14T17:37:23.429Z", + "modified": "2024-03-18T17:54:13.510Z" + } + }, + { + "cve_id": "CVE-2024-26126", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.406Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.429Z", + "modified": "2024-02-14T17:37:23.429Z" + } + }, + { + "cve_id": "CVE-2024-26127", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-02-14T17:37:23.406Z", + "state": "RESERVED", + "time": { + "created": "2024-02-14T17:37:23.429Z", + "modified": "2024-02-14T17:37:23.429Z" + } + }, + { + "cve_id": "CVE-2024-30271", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.502Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.514Z", + "modified": "2024-04-11T18:11:51.872Z" + } + }, + { + "cve_id": "CVE-2024-30272", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.502Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-04-11T18:11:50.654Z" + } + }, + { + "cve_id": "CVE-2024-30273", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.502Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-04-11T18:11:49.883Z" + } + }, + { + "cve_id": "CVE-2024-30274", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.502Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-05-16T08:25:54.858Z" + } + }, + { + "cve_id": "CVE-2024-30275", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.503Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-05-16T08:44:25.026Z" + } + }, + { + "cve_id": "CVE-2024-30276", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.503Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-03-26T16:04:09.515Z" + } + }, + { + "cve_id": "CVE-2024-30277", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.503Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-03-26T16:04:09.515Z" + } + }, + { + "cve_id": "CVE-2024-30278", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.503Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-03-26T16:04:09.515Z" + } + }, + { + "cve_id": "CVE-2024-30279", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.503Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-05-23T08:29:14.250Z" + } + }, + { + "cve_id": "CVE-2024-30280", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.503Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-05-23T08:29:10.871Z" + } + }, + { + "cve_id": "CVE-2024-30281", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.503Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-05-16T08:56:49.506Z" + } + }, + { + "cve_id": "CVE-2024-30282", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.504Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-05-16T08:59:48.658Z" + } + }, + { + "cve_id": "CVE-2024-30283", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.504Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.515Z", + "modified": "2024-05-16T11:14:26.277Z" + } + }, + { + "cve_id": "CVE-2024-30284", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.504Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-15T10:00:16.725Z" + } + }, + { + "cve_id": "CVE-2024-30285", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.504Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-03-26T16:04:09.516Z" + } + }, + { + "cve_id": "CVE-2024-30286", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.504Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T11:14:24.794Z" + } + }, + { + "cve_id": "CVE-2024-30287", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.504Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T11:14:21.766Z" + } + }, + { + "cve_id": "CVE-2024-30288", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.504Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T11:14:24.044Z" + } + }, + { + "cve_id": "CVE-2024-30289", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.505Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T11:14:22.558Z" + } + }, + { + "cve_id": "CVE-2024-30290", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.505Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T11:14:25.533Z" + } + }, + { + "cve_id": "CVE-2024-30291", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.505Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T11:14:27.760Z" + } + }, + { + "cve_id": "CVE-2024-30292", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.505Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T11:14:27.017Z" + } + }, + { + "cve_id": "CVE-2024-30293", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.505Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T08:59:49.444Z" + } + }, + { + "cve_id": "CVE-2024-30294", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.505Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T08:59:51.658Z" + } + }, + { + "cve_id": "CVE-2024-30295", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.505Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T08:59:53.161Z" + } + }, + { + "cve_id": "CVE-2024-30296", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.506Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T08:59:52.419Z" + } + }, + { + "cve_id": "CVE-2024-30297", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.506Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.516Z", + "modified": "2024-05-16T08:59:50.186Z" + } + }, + { + "cve_id": "CVE-2024-30298", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.506Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-16T08:59:50.917Z" + } + }, + { + "cve_id": "CVE-2024-30299", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.506Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-03-26T16:04:09.517Z" + } + }, + { + "cve_id": "CVE-2024-30300", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.506Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-03-26T16:04:09.517Z" + } + }, + { + "cve_id": "CVE-2024-30301", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.506Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-02T21:04:49.875Z" + } + }, + { + "cve_id": "CVE-2024-30302", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.506Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-02T21:04:51.674Z" + } + }, + { + "cve_id": "CVE-2024-30303", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.507Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-02T21:04:47.353Z" + } + }, + { + "cve_id": "CVE-2024-30304", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.507Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-02T21:04:42.890Z" + } + }, + { + "cve_id": "CVE-2024-30305", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.507Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-02T21:04:45.120Z" + } + }, + { + "cve_id": "CVE-2024-30306", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.507Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-02T21:04:43.610Z" + } + }, + { + "cve_id": "CVE-2024-30307", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.507Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-16T08:25:56.386Z" + } + }, + { + "cve_id": "CVE-2024-30308", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.507Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-16T08:25:55.613Z" + } + }, + { + "cve_id": "CVE-2024-30309", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.507Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-16T08:25:54.112Z" + } + }, + { + "cve_id": "CVE-2024-30310", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.507Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-15T10:00:06.306Z" + } + }, + { + "cve_id": "CVE-2024-30311", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.509Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-15T10:00:13.712Z" + } + }, + { + "cve_id": "CVE-2024-30312", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.510Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-05-15T10:00:14.437Z" + } + }, + { + "cve_id": "CVE-2024-30313", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.510Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.517Z", + "modified": "2024-03-26T16:04:09.517Z" + } + }, + { + "cve_id": "CVE-2024-30314", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.510Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-26T16:04:09.518Z", + "modified": "2024-05-16T11:36:01.507Z" + } + }, + { + "cve_id": "CVE-2024-30315", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.510Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.518Z", + "modified": "2024-03-26T16:04:09.518Z" + } + }, + { + "cve_id": "CVE-2024-30316", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.510Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.518Z", + "modified": "2024-03-26T16:04:09.518Z" + } + }, + { + "cve_id": "CVE-2024-30317", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.511Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.518Z", + "modified": "2024-03-26T16:04:09.518Z" + } + }, + { + "cve_id": "CVE-2024-30318", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.511Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.518Z", + "modified": "2024-03-26T16:04:09.518Z" + } + }, + { + "cve_id": "CVE-2024-30319", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.511Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.518Z", + "modified": "2024-03-26T16:04:09.518Z" + } + }, + { + "cve_id": "CVE-2024-30320", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-03-26T16:04:09.511Z", + "state": "RESERVED", + "time": { + "created": "2024-03-26T16:04:09.518Z", + "modified": "2024-03-26T16:04:09.518Z" + } + }, + { + "cve_id": "CVE-2024-34094", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.898Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-30T19:50:50.917Z", + "modified": "2024-05-15T10:00:08.014Z" + } + }, + { + "cve_id": "CVE-2024-34095", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.898Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-05-15T10:00:12.367Z" + } + }, + { + "cve_id": "CVE-2024-34096", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.898Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-05-15T10:00:10.941Z" + } + }, + { + "cve_id": "CVE-2024-34097", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.899Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-05-15T10:00:09.432Z" + } + }, + { + "cve_id": "CVE-2024-34098", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.899Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-05-15T10:00:15.996Z" + } + }, + { + "cve_id": "CVE-2024-34099", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.899Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-05-15T10:00:11.654Z" + } + }, + { + "cve_id": "CVE-2024-34100", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.899Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-05-15T10:00:18.863Z" + } + }, + { + "cve_id": "CVE-2024-34101", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.900Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-05-15T10:00:18.110Z" + } + }, + { + "cve_id": "CVE-2024-34102", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.900Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-04-30T19:50:50.918Z" + } + }, + { + "cve_id": "CVE-2024-34103", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.901Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-04-30T19:50:50.918Z" + } + }, + { + "cve_id": "CVE-2024-34104", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.901Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-04-30T19:50:50.918Z" + } + }, + { + "cve_id": "CVE-2024-34105", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.901Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-04-30T19:50:50.918Z" + } + }, + { + "cve_id": "CVE-2024-34106", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.901Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-04-30T19:50:50.918Z" + } + }, + { + "cve_id": "CVE-2024-34107", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.902Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-04-30T19:50:50.918Z" + } + }, + { + "cve_id": "CVE-2024-34108", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.902Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-04-30T19:50:50.918Z" + } + }, + { + "cve_id": "CVE-2024-34109", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.902Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-04-30T19:50:50.918Z" + } + }, + { + "cve_id": "CVE-2024-34110", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.902Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-04-30T19:50:50.918Z" + } + }, + { + "cve_id": "CVE-2024-34111", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.903Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.918Z", + "modified": "2024-04-30T19:50:50.918Z" + } + }, + { + "cve_id": "CVE-2024-34112", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.903Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34113", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.903Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34114", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.903Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34115", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.904Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34116", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.904Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34117", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.904Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34118", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.905Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34119", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.905Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34120", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.905Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34121", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.905Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34122", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.908Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34123", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.908Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34124", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.908Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34125", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.909Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34126", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.909Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34127", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.909Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34128", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.909Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34129", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.910Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34130", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.911Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.919Z", + "modified": "2024-04-30T19:50:50.919Z" + } + }, + { + "cve_id": "CVE-2024-34131", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.911Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34132", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.911Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34133", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.912Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34134", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.912Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34135", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.912Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34136", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.913Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34137", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.913Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34138", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.913Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34139", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.914Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34140", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.914Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34141", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.914Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34142", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.914Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-34143", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dalwagne@adobe.com" + }, + "reserved": "2024-04-30T19:50:50.914Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T19:50:50.920Z", + "modified": "2024-04-30T19:50:50.920Z" + } + }, + { + "cve_id": "CVE-2024-36141", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.615Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.628Z", + "modified": "2024-05-21T17:04:23.628Z" + } + }, + { + "cve_id": "CVE-2024-36142", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.615Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.628Z", + "modified": "2024-05-21T17:04:23.628Z" + } + }, + { + "cve_id": "CVE-2024-36143", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.615Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.628Z", + "modified": "2024-05-21T17:04:23.628Z" + } + }, + { + "cve_id": "CVE-2024-36144", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.615Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.628Z", + "modified": "2024-05-21T17:04:23.628Z" + } + }, + { + "cve_id": "CVE-2024-36145", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.616Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.628Z", + "modified": "2024-05-21T17:04:23.628Z" + } + }, + { + "cve_id": "CVE-2024-36146", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.616Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.628Z", + "modified": "2024-05-21T17:04:23.628Z" + } + }, + { + "cve_id": "CVE-2024-36147", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.616Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.628Z", + "modified": "2024-05-21T17:04:23.628Z" + } + }, + { + "cve_id": "CVE-2024-36148", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.616Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36149", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.616Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36150", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.616Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36151", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.616Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36152", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.616Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36153", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.617Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36154", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.617Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36155", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.617Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36156", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.617Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36157", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.617Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36158", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.617Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36159", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.617Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36160", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.617Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36161", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.618Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36162", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.618Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36163", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.618Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36164", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.619Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.629Z", + "modified": "2024-05-21T17:04:23.629Z" + } + }, + { + "cve_id": "CVE-2024-36165", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.619Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36166", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.619Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36167", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.619Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36168", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.620Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36169", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.620Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36170", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.620Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36171", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.620Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36172", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.621Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36173", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.621Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36174", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.621Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36175", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.621Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36176", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.621Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36177", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.621Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36178", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.621Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36179", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.621Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36180", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.622Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36181", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.623Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.630Z", + "modified": "2024-05-21T17:04:23.630Z" + } + }, + { + "cve_id": "CVE-2024-36182", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.623Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.631Z", + "modified": "2024-05-21T17:04:23.631Z" + } + }, + { + "cve_id": "CVE-2024-36183", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.623Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.631Z", + "modified": "2024-05-21T17:04:23.631Z" + } + }, + { + "cve_id": "CVE-2024-36184", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.623Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.631Z", + "modified": "2024-05-21T17:04:23.631Z" + } + }, + { + "cve_id": "CVE-2024-36185", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.623Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.631Z", + "modified": "2024-05-21T17:04:23.631Z" + } + }, + { + "cve_id": "CVE-2024-36186", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.624Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.631Z", + "modified": "2024-05-21T17:04:23.631Z" + } + }, + { + "cve_id": "CVE-2024-36187", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.624Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.631Z", + "modified": "2024-05-21T17:04:23.631Z" + } + }, + { + "cve_id": "CVE-2024-36188", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.624Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.631Z", + "modified": "2024-05-21T17:04:23.631Z" + } + }, + { + "cve_id": "CVE-2024-36189", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.624Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.631Z", + "modified": "2024-05-21T17:04:23.631Z" + } + }, + { + "cve_id": "CVE-2024-36190", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:04:23.624Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:04:23.631Z", + "modified": "2024-05-21T17:04:23.631Z" + } + }, + { + "cve_id": "CVE-2024-36191", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.264Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.280Z", + "modified": "2024-05-21T17:07:35.280Z" + } + }, + { + "cve_id": "CVE-2024-36192", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.264Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36193", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.264Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36194", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.264Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36195", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.264Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36196", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.264Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36197", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.265Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36198", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.265Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36199", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.266Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36200", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.266Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36201", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.266Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36202", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.266Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36203", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.267Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36204", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.267Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36205", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.267Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36206", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.267Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36207", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.267Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.281Z", + "modified": "2024-05-21T17:07:35.281Z" + } + }, + { + "cve_id": "CVE-2024-36208", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.267Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36209", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.267Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36210", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.267Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36211", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.268Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36212", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.268Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36213", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.268Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36214", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.268Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36215", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.268Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36216", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.268Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36217", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.268Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36218", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.269Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36219", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.269Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36220", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.269Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36221", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.269Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36222", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.269Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36223", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.269Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.282Z", + "modified": "2024-05-21T17:07:35.282Z" + } + }, + { + "cve_id": "CVE-2024-36224", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.269Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36225", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.270Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36226", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.270Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36227", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.270Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36228", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.270Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36229", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.272Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36230", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.272Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36231", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.272Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36232", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.272Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36233", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.273Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36234", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.273Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36235", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.273Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36236", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.273Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36237", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.274Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36238", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.274Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.283Z", + "modified": "2024-05-21T17:07:35.283Z" + } + }, + { + "cve_id": "CVE-2024-36239", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.275Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.284Z", + "modified": "2024-05-21T17:07:35.284Z" + } + }, + { + "cve_id": "CVE-2024-36240", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-05-21T17:07:35.275Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T17:07:35.284Z", + "modified": "2024-05-21T17:07:35.284Z" + } + }, + { + "cve_id": "CVE-2024-4380", + "cve_year": "2024", + "owning_cna": "adobe", + "requested_by": { + "cna": "adobe", + "user": "dhenry@adobe.com" + }, + "reserved": "2024-04-30T20:23:56.953Z", + "state": "RESERVED", + "time": { + "created": "2024-04-30T20:23:56.953Z", + "modified": "2024-04-30T20:23:56.953Z" + } + }, + { + "cve_id": "CVE-2023-6451", + "cve_year": "2023", + "owning_cna": "TML", + "requested_by": { + "cna": "TML", + "user": "jmisiura@themissinglink.com.au" + }, + "reserved": "2023-11-30T22:06:55.677Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-30T22:06:55.678Z", + "modified": "2024-02-16T04:06:17.809Z" + } + }, + { + "cve_id": "CVE-2024-28094", + "cve_year": "2024", + "owning_cna": "TML", + "requested_by": { + "cna": "TML", + "user": "jmisiura@themissinglink.com.au" + }, + "reserved": "2024-03-04T04:27:20.021Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-04T04:27:20.022Z", + "modified": "2024-03-07T03:14:25.848Z" + } + }, + { + "cve_id": "CVE-2024-28095", + "cve_year": "2024", + "owning_cna": "TML", + "requested_by": { + "cna": "TML", + "user": "jmisiura@themissinglink.com.au" + }, + "reserved": "2024-03-04T04:27:20.021Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-04T04:27:20.023Z", + "modified": "2024-03-07T03:17:02.577Z" + } + }, + { + "cve_id": "CVE-2024-28096", + "cve_year": "2024", + "owning_cna": "TML", + "requested_by": { + "cna": "TML", + "user": "jmisiura@themissinglink.com.au" + }, + "reserved": "2024-03-04T04:27:20.021Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-04T04:27:20.023Z", + "modified": "2024-03-07T03:18:33.113Z" + } + }, + { + "cve_id": "CVE-2024-28097", + "cve_year": "2024", + "owning_cna": "TML", + "requested_by": { + "cna": "TML", + "user": "jmisiura@themissinglink.com.au" + }, + "reserved": "2024-03-04T04:27:20.021Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-04T04:27:20.023Z", + "modified": "2024-03-07T03:21:21.029Z" + } + }, + { + "cve_id": "CVE-2023-47170", + "cve_year": "2023", + "owning_cna": "Gallagher", + "requested_by": { + "cna": "Gallagher", + "user": "Carolyn.farris@gallagher.com" + }, + "reserved": "2023-11-01T22:24:52.299Z", + "state": "REJECTED", + "time": { + "created": "2023-10-31T01:54:12.379Z", + "modified": "2024-02-05T04:13:54.200Z" + } + }, + { + "cve_id": "CVE-2024-21815", + "cve_year": "2024", + "owning_cna": "Gallagher", + "requested_by": { + "cna": "Gallagher", + "user": "Chris.orton@gallagher.com" + }, + "reserved": "2024-02-05T04:16:48.019Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-02T16:55:54.749Z", + "modified": "2024-03-05T03:09:52.518Z" + } + }, + { + "cve_id": "CVE-2024-21838", + "cve_year": "2024", + "owning_cna": "Gallagher", + "requested_by": { + "cna": "Gallagher", + "user": "Chris.orton@gallagher.com" + }, + "reserved": "2024-02-05T04:16:47.986Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-02T16:55:54.750Z", + "modified": "2024-03-05T03:11:55.598Z" + } + }, + { + "cve_id": "CVE-2024-21856", + "cve_year": "2024", + "owning_cna": "Gallagher", + "requested_by": { + "cna": "Gallagher", + "user": "Chris.orton@gallagher.com" + }, + "reserved": "2024-02-05T04:16:48.011Z", + "state": "RESERVED", + "time": { + "created": "2024-01-02T16:55:54.751Z", + "modified": "2024-02-05T04:16:48.011Z" + } + }, + { + "cve_id": "CVE-2024-22383", + "cve_year": "2024", + "owning_cna": "Gallagher", + "requested_by": { + "cna": "Gallagher", + "user": "Chris.orton@gallagher.com" + }, + "reserved": "2024-02-05T04:16:47.982Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-10T04:00:05.062Z", + "modified": "2024-03-05T03:12:29.594Z" + } + }, + { + "cve_id": "CVE-2024-22387", + "cve_year": "2024", + "owning_cna": "Gallagher", + "requested_by": { + "cna": "Gallagher", + "user": "Chris.orton@gallagher.com" + }, + "reserved": "2024-02-05T04:16:47.991Z", + "state": "RESERVED", + "time": { + "created": "2024-01-10T04:00:05.063Z", + "modified": "2024-02-05T04:16:47.991Z" + } + }, + { + "cve_id": "CVE-2024-23194", + "cve_year": "2024", + "owning_cna": "Gallagher", + "requested_by": { + "cna": "Gallagher", + "user": "Chris.orton@gallagher.com" + }, + "reserved": "2024-02-05T04:16:48.025Z", + "state": "RESERVED", + "time": { + "created": "2024-01-12T07:58:22.113Z", + "modified": "2024-02-05T04:16:48.025Z" + } + }, + { + "cve_id": "CVE-2024-23317", + "cve_year": "2024", + "owning_cna": "Gallagher", + "requested_by": { + "cna": "Gallagher", + "user": "Chris.orton@gallagher.com" + }, + "reserved": "2024-02-05T04:16:47.971Z", + "state": "RESERVED", + "time": { + "created": "2024-01-15T09:44:45.403Z", + "modified": "2024-02-05T04:16:47.972Z" + } + }, + { + "cve_id": "CVE-2024-23485", + "cve_year": "2024", + "owning_cna": "Gallagher", + "requested_by": { + "cna": "Gallagher", + "user": "Chris.orton@gallagher.com" + }, + "reserved": "2024-02-05T04:16:48.001Z", + "state": "RESERVED", + "time": { + "created": "2024-01-17T17:27:24.446Z", + "modified": "2024-02-05T04:16:48.001Z" + } + }, + { + "cve_id": "CVE-2024-23906", + "cve_year": "2024", + "owning_cna": "Gallagher", + "requested_by": { + "cna": "Gallagher", + "user": "Chris.orton@gallagher.com" + }, + "reserved": "2024-02-05T04:16:47.996Z", + "state": "RESERVED", + "time": { + "created": "2024-01-23T13:11:13.557Z", + "modified": "2024-02-05T04:16:47.996Z" + } + }, + { + "cve_id": "CVE-2024-24972", + "cve_year": "2024", + "owning_cna": "Gallagher", + "requested_by": { + "cna": "Gallagher", + "user": "Chris.orton@gallagher.com" + }, + "reserved": "2024-02-05T04:16:47.977Z", + "state": "RESERVED", + "time": { + "created": "2024-02-01T22:13:58.342Z", + "modified": "2024-02-05T04:16:47.977Z" + } + }, + { + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "time": { + "created": "2023-03-14T14:33:23.579Z", + "modified": "2024-02-20T12:28:08.092Z" + }, + "cve_id": "CVE-2022-48403", + "cve_year": "2022", + "state": "REJECTED", + "owning_cna": "INCIBE", + "reserved": "2023-03-14T14:33:23.577Z" + }, + { + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "time": { + "created": "2023-03-14T14:33:23.579Z", + "modified": "2024-02-20T12:28:29.804Z" + }, + "cve_id": "CVE-2022-48404", + "cve_year": "2022", + "state": "REJECTED", + "owning_cna": "INCIBE", + "reserved": "2023-03-14T14:33:23.577Z" + }, + { + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "time": { + "created": "2023-03-14T14:33:23.579Z", + "modified": "2024-02-20T12:28:37.249Z" + }, + "cve_id": "CVE-2022-48405", + "cve_year": "2022", + "state": "REJECTED", + "owning_cna": "INCIBE", + "reserved": "2023-03-14T14:33:23.577Z" + }, + { + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "time": { + "created": "2023-03-14T14:33:23.579Z", + "modified": "2024-02-20T12:28:42.033Z" + }, + "cve_id": "CVE-2022-48406", + "cve_year": "2022", + "state": "REJECTED", + "owning_cna": "INCIBE", + "reserved": "2023-03-14T14:33:23.578Z" + }, + { + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "time": { + "created": "2023-03-14T14:33:23.579Z", + "modified": "2024-02-20T12:28:46.417Z" + }, + "cve_id": "CVE-2022-48407", + "cve_year": "2022", + "state": "REJECTED", + "owning_cna": "INCIBE", + "reserved": "2023-03-14T14:33:23.578Z" + }, + { + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "time": { + "created": "2023-03-14T14:33:23.579Z", + "modified": "2024-02-20T12:28:50.234Z" + }, + "cve_id": "CVE-2022-48408", + "cve_year": "2022", + "state": "REJECTED", + "owning_cna": "INCIBE", + "reserved": "2023-03-14T14:33:23.578Z" + }, + { + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "time": { + "created": "2023-03-14T14:33:23.579Z", + "modified": "2024-02-20T12:28:53.751Z" + }, + "cve_id": "CVE-2022-48409", + "cve_year": "2022", + "state": "REJECTED", + "owning_cna": "INCIBE", + "reserved": "2023-03-14T14:33:23.578Z" + }, + { + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "time": { + "created": "2023-03-14T14:33:23.579Z", + "modified": "2024-02-20T12:28:59.592Z" + }, + "cve_id": "CVE-2022-48410", + "cve_year": "2022", + "state": "REJECTED", + "owning_cna": "INCIBE", + "reserved": "2023-03-14T14:33:23.578Z" + }, + { + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "time": { + "created": "2023-06-05T09:14:59.862Z", + "modified": "2024-03-13T15:01:01.579Z" + }, + "cve_id": "CVE-2023-3101", + "cve_year": "2023", + "state": "REJECTED", + "owning_cna": "INCIBE", + "reserved": "2023-06-05T09:14:59.861Z" + }, + { + "cve_id": "CVE-2023-49572", + "cve_year": "2023", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2023-11-27T15:14:26.602Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T15:14:26.603Z", + "modified": "2024-05-24T12:39:32.551Z" + } + }, + { + "cve_id": "CVE-2023-49573", + "cve_year": "2023", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2023-11-27T15:14:26.602Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T15:14:26.603Z", + "modified": "2024-05-24T12:39:56.961Z" + } + }, + { + "cve_id": "CVE-2023-49574", + "cve_year": "2023", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2023-11-27T15:14:26.602Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T15:14:26.603Z", + "modified": "2024-05-24T12:40:10.840Z" + } + }, + { + "cve_id": "CVE-2023-49575", + "cve_year": "2023", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2023-11-27T15:14:26.602Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T15:14:26.603Z", + "modified": "2024-05-24T12:40:24.405Z" + } + }, + { + "cve_id": "CVE-2023-49576", + "cve_year": "2023", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2023-11-27T15:14:26.602Z", + "state": "REJECTED", + "time": { + "created": "2023-11-27T15:14:26.603Z", + "modified": "2024-05-24T09:13:23.605Z" + } + }, + { + "cve_id": "CVE-2023-5052", + "cve_year": "2023", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2023-09-18T14:23:37.221Z", + "state": "PUBLISHED", + "time": { + "created": "2023-09-18T14:23:37.221Z", + "modified": "2024-05-13T06:53:44.198Z" + } + } + ], + "totalCount": 28930, + "itemsPerPage": 500, + "pageCount": 58, + "currentPage": 1, + "prevPage": null, + "nextPage": 2 +} \ No newline at end of file diff --git a/test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP2.json b/test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP2.json new file mode 100644 index 0000000..d736054 --- /dev/null +++ b/test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP2.json @@ -0,0 +1,7510 @@ +{ + "cve_ids": [ + { + "cve_id": "CVE-2023-6282", + "cve_year": "2023", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2023-11-24T12:40:05.406Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-24T12:40:05.407Z", + "modified": "2024-01-25T11:37:11.303Z" + } + }, + { + "cve_id": "CVE-2024-0175", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2023-12-21T12:12:36.008Z", + "state": "REJECTED", + "time": { + "created": "2023-12-21T12:12:36.008Z", + "modified": "2024-02-02T09:07:12.961Z" + } + }, + { + "cve_id": "CVE-2024-0176", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2023-12-21T12:27:13.821Z", + "state": "REJECTED", + "time": { + "created": "2023-12-21T12:27:13.821Z", + "modified": "2024-02-02T09:07:16.249Z" + } + }, + { + "cve_id": "CVE-2024-0177", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2023-12-21T12:27:15.373Z", + "state": "REJECTED", + "time": { + "created": "2023-12-21T12:27:15.373Z", + "modified": "2024-02-02T09:07:19.441Z" + } + }, + { + "cve_id": "CVE-2024-0314", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-08T11:55:59.441Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-08T11:55:59.442Z", + "modified": "2024-01-15T16:01:02.253Z" + } + }, + { + "cve_id": "CVE-2024-0315", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-08T11:56:00.400Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-08T11:56:00.401Z", + "modified": "2024-01-15T16:02:52.899Z" + } + }, + { + "cve_id": "CVE-2024-0316", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-08T11:56:01.498Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-08T11:56:01.499Z", + "modified": "2024-01-15T16:04:50.160Z" + } + }, + { + "cve_id": "CVE-2024-0317", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-08T11:56:03.531Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-08T11:56:03.531Z", + "modified": "2024-01-15T16:23:34.733Z" + } + }, + { + "cve_id": "CVE-2024-0318", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-08T11:56:04.696Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-08T11:56:04.697Z", + "modified": "2024-01-15T16:26:50.054Z" + } + }, + { + "cve_id": "CVE-2024-0319", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-08T11:56:05.541Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-08T11:56:05.541Z", + "modified": "2024-01-15T16:27:50.803Z" + } + }, + { + "cve_id": "CVE-2024-0320", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-08T11:56:06.411Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-08T11:56:06.412Z", + "modified": "2024-01-15T16:29:31.462Z" + } + }, + { + "cve_id": "CVE-2024-0338", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-09T11:56:02.447Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-09T11:56:02.448Z", + "modified": "2024-02-02T09:13:40.412Z" + } + }, + { + "cve_id": "CVE-2024-0429", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-01-11T15:48:03.629Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-11T15:48:03.630Z", + "modified": "2024-01-11T16:04:27.928Z" + } + }, + { + "cve_id": "CVE-2024-0554", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-01-15T08:35:58.380Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-15T08:35:58.381Z", + "modified": "2024-01-16T10:08:29.940Z" + } + }, + { + "cve_id": "CVE-2024-0555", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-01-15T08:35:59.922Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-15T08:35:59.922Z", + "modified": "2024-01-16T10:09:58.676Z" + } + }, + { + "cve_id": "CVE-2024-0556", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-01-15T08:36:01.316Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-15T08:36:01.316Z", + "modified": "2024-01-16T10:10:58.448Z" + } + }, + { + "cve_id": "CVE-2024-0580", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-01-16T08:06:10.223Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-16T08:06:10.224Z", + "modified": "2024-01-18T08:47:16.727Z" + } + }, + { + "cve_id": "CVE-2024-0581", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-01-16T08:06:36.621Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-16T08:06:36.621Z", + "modified": "2024-01-16T13:14:27.799Z" + } + }, + { + "cve_id": "CVE-2024-0642", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-17T10:35:32.669Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-17T10:35:32.669Z", + "modified": "2024-01-17T13:43:28.451Z" + } + }, + { + "cve_id": "CVE-2024-0643", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-17T10:35:34.863Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-17T10:35:34.863Z", + "modified": "2024-01-17T13:44:19.800Z" + } + }, + { + "cve_id": "CVE-2024-0645", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-17T11:38:25.402Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-17T11:38:25.402Z", + "modified": "2024-01-17T13:47:48.593Z" + } + }, + { + "cve_id": "CVE-2024-0669", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-01-18T08:26:22.410Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-18T08:26:22.411Z", + "modified": "2024-01-18T12:26:14.739Z" + } + }, + { + "cve_id": "CVE-2024-0674", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-18T11:38:15.095Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-18T11:38:15.096Z", + "modified": "2024-01-30T12:19:00.685Z" + } + }, + { + "cve_id": "CVE-2024-0675", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-18T11:38:16.130Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-18T11:38:16.131Z", + "modified": "2024-01-30T12:20:13.376Z" + } + }, + { + "cve_id": "CVE-2024-0676", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-18T11:38:17.175Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-18T11:38:17.177Z", + "modified": "2024-01-30T12:40:12.582Z" + } + }, + { + "cve_id": "CVE-2024-1014", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-29T10:06:19.417Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-29T10:06:19.419Z", + "modified": "2024-01-29T13:44:49.979Z" + } + }, + { + "cve_id": "CVE-2024-1015", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-29T10:06:20.593Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-29T10:06:20.594Z", + "modified": "2024-01-29T13:46:32.266Z" + } + }, + { + "cve_id": "CVE-2024-1101", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-01-31T07:42:00.667Z", + "state": "REJECTED", + "time": { + "created": "2024-01-31T07:42:00.668Z", + "modified": "2024-02-02T09:22:00.678Z" + } + }, + { + "cve_id": "CVE-2024-1112", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-31T13:02:11.969Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-31T13:02:11.970Z", + "modified": "2024-01-31T13:17:59.327Z" + } + }, + { + "cve_id": "CVE-2024-1144", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-01T08:38:59.529Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-01T08:38:59.530Z", + "modified": "2024-03-19T11:32:49.272Z" + } + }, + { + "cve_id": "CVE-2024-1145", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-01T08:39:00.508Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-01T08:39:00.509Z", + "modified": "2024-03-19T11:35:46.200Z" + } + }, + { + "cve_id": "CVE-2024-1146", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-01T08:39:01.177Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-01T08:39:01.178Z", + "modified": "2024-03-19T11:37:18.325Z" + } + }, + { + "cve_id": "CVE-2024-1201", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-02T09:01:44.614Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-02T09:01:44.615Z", + "modified": "2024-02-02T12:00:51.835Z" + } + }, + { + "cve_id": "CVE-2024-1226", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-05T11:44:28.014Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-05T11:44:28.015Z", + "modified": "2024-03-12T15:07:18.546Z" + } + }, + { + "cve_id": "CVE-2024-1227", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-05T11:44:28.901Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-05T11:44:28.902Z", + "modified": "2024-03-12T15:11:26.306Z" + } + }, + { + "cve_id": "CVE-2024-1301", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-07T10:22:53.616Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-07T10:22:53.617Z", + "modified": "2024-03-12T15:24:43.076Z" + } + }, + { + "cve_id": "CVE-2024-1302", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-07T10:22:54.601Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-07T10:22:54.602Z", + "modified": "2024-03-12T15:26:52.937Z" + } + }, + { + "cve_id": "CVE-2024-1303", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-07T10:22:55.418Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-07T10:22:55.419Z", + "modified": "2024-03-12T15:28:31.599Z" + } + }, + { + "cve_id": "CVE-2024-1304", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-07T10:22:56.060Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-07T10:22:56.060Z", + "modified": "2024-03-12T15:31:02.200Z" + } + }, + { + "cve_id": "CVE-2024-1343", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-08T10:45:28.469Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-08T10:45:28.470Z", + "modified": "2024-02-19T11:17:33.237Z" + } + }, + { + "cve_id": "CVE-2024-1344", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-08T10:45:29.254Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-08T10:45:29.254Z", + "modified": "2024-02-19T11:19:39.324Z" + } + }, + { + "cve_id": "CVE-2024-1345", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-08T10:45:29.939Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-08T10:45:29.939Z", + "modified": "2024-02-19T11:20:56.183Z" + } + }, + { + "cve_id": "CVE-2024-1346", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-08T10:45:30.544Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-08T10:45:30.545Z", + "modified": "2024-02-19T11:24:08.721Z" + } + }, + { + "cve_id": "CVE-2024-1439", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-02-12T09:16:49.433Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-12T09:16:49.434Z", + "modified": "2024-02-12T10:51:44.674Z" + } + }, + { + "cve_id": "CVE-2024-1527", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-15T11:01:40.961Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-15T11:01:40.965Z", + "modified": "2024-03-12T15:19:52.726Z" + } + }, + { + "cve_id": "CVE-2024-1528", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-15T11:01:41.642Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-15T11:01:41.643Z", + "modified": "2024-03-12T15:22:11.000Z" + } + }, + { + "cve_id": "CVE-2024-1529", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-15T11:01:42.277Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-15T11:01:42.278Z", + "modified": "2024-03-12T15:25:56.212Z" + } + }, + { + "cve_id": "CVE-2024-1618", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-19T08:12:53.181Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-19T08:12:53.181Z", + "modified": "2024-03-12T15:04:05.081Z" + } + }, + { + "cve_id": "CVE-2024-1623", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-19T11:12:38.593Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-19T11:12:38.593Z", + "modified": "2024-03-14T12:47:40.635Z" + } + }, + { + "cve_id": "CVE-2024-1889", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-26T11:41:41.923Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-26T11:41:41.924Z", + "modified": "2024-02-26T13:38:46.516Z" + } + }, + { + "cve_id": "CVE-2024-1890", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-26T11:41:42.857Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-26T11:41:42.858Z", + "modified": "2024-02-26T13:40:27.369Z" + } + }, + { + "cve_id": "CVE-2024-1965", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-02-28T09:34:48.923Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-28T09:34:48.924Z", + "modified": "2024-02-28T12:19:55.070Z" + } + }, + { + "cve_id": "CVE-2024-2001", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-02-29T07:51:12.605Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-29T07:51:12.605Z", + "modified": "2024-02-29T13:30:54.181Z" + } + }, + { + "cve_id": "CVE-2024-2078", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-03-01T07:46:42.694Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-01T07:46:42.695Z", + "modified": "2024-03-01T11:23:05.121Z" + } + }, + { + "cve_id": "CVE-2024-2157", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-03-04T07:58:49.306Z", + "state": "REJECTED", + "time": { + "created": "2024-03-04T07:58:49.307Z", + "modified": "2024-04-25T11:33:40.956Z" + } + }, + { + "cve_id": "CVE-2024-2158", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-03-04T07:58:50.419Z", + "state": "REJECTED", + "time": { + "created": "2024-03-04T07:58:50.419Z", + "modified": "2024-04-25T11:33:43.473Z" + } + }, + { + "cve_id": "CVE-2024-2188", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-03-05T09:35:08.297Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-05T09:35:08.298Z", + "modified": "2024-03-05T12:15:25.312Z" + } + }, + { + "cve_id": "CVE-2024-2211", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-03-06T07:45:08.547Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-06T07:45:08.547Z", + "modified": "2024-03-06T10:47:03.858Z" + } + }, + { + "cve_id": "CVE-2024-2245", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-03-07T08:08:16.136Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-07T08:08:16.137Z", + "modified": "2024-03-07T13:10:55.960Z" + } + }, + { + "cve_id": "CVE-2024-2319", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-03-08T08:11:13.548Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-08T08:11:13.549Z", + "modified": "2024-03-08T13:08:52.455Z" + } + }, + { + "cve_id": "CVE-2024-2370", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-11T09:45:56.326Z", + "state": "REJECTED", + "time": { + "created": "2024-03-11T09:45:56.327Z", + "modified": "2024-03-20T15:57:50.149Z" + } + }, + { + "cve_id": "CVE-2024-2371", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-03-11T11:40:18.291Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-11T11:40:18.292Z", + "modified": "2024-03-12T08:49:46.029Z" + } + }, + { + "cve_id": "CVE-2024-23854", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:54:26.509Z", + "state": "REJECTED", + "time": { + "created": "2024-01-23T10:54:26.510Z", + "modified": "2024-01-23T15:25:23.790Z" + } + }, + { + "cve_id": "CVE-2024-23855", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.779Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.790Z", + "modified": "2024-01-25T14:09:01.597Z" + } + }, + { + "cve_id": "CVE-2024-23856", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.779Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.790Z", + "modified": "2024-01-26T09:03:53.941Z" + } + }, + { + "cve_id": "CVE-2024-23857", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.779Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.790Z", + "modified": "2024-01-26T09:04:16.851Z" + } + }, + { + "cve_id": "CVE-2024-23858", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.779Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.790Z", + "modified": "2024-01-26T09:04:37.112Z" + } + }, + { + "cve_id": "CVE-2024-23859", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.779Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.790Z", + "modified": "2024-01-26T09:05:08.218Z" + } + }, + { + "cve_id": "CVE-2024-23860", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.779Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.790Z", + "modified": "2024-01-26T09:05:45.095Z" + } + }, + { + "cve_id": "CVE-2024-23861", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.779Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.790Z", + "modified": "2024-01-26T09:06:08.659Z" + } + }, + { + "cve_id": "CVE-2024-23862", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.780Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.790Z", + "modified": "2024-01-26T09:06:34.054Z" + } + }, + { + "cve_id": "CVE-2024-23863", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.780Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.790Z", + "modified": "2024-01-26T09:06:53.303Z" + } + }, + { + "cve_id": "CVE-2024-23864", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.780Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:07:14.105Z" + } + }, + { + "cve_id": "CVE-2024-23865", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.780Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:07:31.082Z" + } + }, + { + "cve_id": "CVE-2024-23866", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.780Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:08:31.911Z" + } + }, + { + "cve_id": "CVE-2024-23867", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.780Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:08:49.763Z" + } + }, + { + "cve_id": "CVE-2024-23868", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.780Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:09:08.006Z" + } + }, + { + "cve_id": "CVE-2024-23869", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.781Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:09:25.653Z" + } + }, + { + "cve_id": "CVE-2024-23870", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.781Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:09:41.914Z" + } + }, + { + "cve_id": "CVE-2024-23871", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.781Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:11:29.700Z" + } + }, + { + "cve_id": "CVE-2024-23872", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.781Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:11:43.012Z" + } + }, + { + "cve_id": "CVE-2024-23873", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.781Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:12:59.568Z" + } + }, + { + "cve_id": "CVE-2024-23874", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.781Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:13:18.623Z" + } + }, + { + "cve_id": "CVE-2024-23875", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.781Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:13:35.541Z" + } + }, + { + "cve_id": "CVE-2024-23876", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.781Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:13:54.955Z" + } + }, + { + "cve_id": "CVE-2024-23877", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.782Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:14:11.523Z" + } + }, + { + "cve_id": "CVE-2024-23878", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.782Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:14:30.314Z" + } + }, + { + "cve_id": "CVE-2024-23879", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.782Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:15:23.729Z" + } + }, + { + "cve_id": "CVE-2024-23880", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.782Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.791Z", + "modified": "2024-01-26T09:16:42.845Z" + } + }, + { + "cve_id": "CVE-2024-23881", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.782Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.792Z", + "modified": "2024-01-26T09:16:57.105Z" + } + }, + { + "cve_id": "CVE-2024-23882", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.782Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.792Z", + "modified": "2024-01-26T09:17:14.836Z" + } + }, + { + "cve_id": "CVE-2024-23883", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.782Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.792Z", + "modified": "2024-01-26T09:17:31.109Z" + } + }, + { + "cve_id": "CVE-2024-23884", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.782Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.792Z", + "modified": "2024-01-26T09:17:46.711Z" + } + }, + { + "cve_id": "CVE-2024-23885", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.783Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.793Z", + "modified": "2024-01-26T09:18:06.512Z" + } + }, + { + "cve_id": "CVE-2024-23886", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.783Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.793Z", + "modified": "2024-01-26T09:18:21.316Z" + } + }, + { + "cve_id": "CVE-2024-23887", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.783Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.793Z", + "modified": "2024-01-26T09:18:36.599Z" + } + }, + { + "cve_id": "CVE-2024-23888", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.783Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.793Z", + "modified": "2024-01-26T09:18:52.250Z" + } + }, + { + "cve_id": "CVE-2024-23889", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.783Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.793Z", + "modified": "2024-01-26T09:19:09.273Z" + } + }, + { + "cve_id": "CVE-2024-23890", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.785Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.793Z", + "modified": "2024-01-26T10:16:26.323Z" + } + }, + { + "cve_id": "CVE-2024-23891", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.785Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.793Z", + "modified": "2024-01-26T10:16:44.482Z" + } + }, + { + "cve_id": "CVE-2024-23892", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.785Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.794Z", + "modified": "2024-01-26T10:17:19.040Z" + } + }, + { + "cve_id": "CVE-2024-23893", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.785Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.794Z", + "modified": "2024-01-26T10:17:45.911Z" + } + }, + { + "cve_id": "CVE-2024-23894", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.785Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.794Z", + "modified": "2024-01-26T10:18:03.961Z" + } + }, + { + "cve_id": "CVE-2024-23895", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.786Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.794Z", + "modified": "2024-02-02T09:18:59.394Z" + } + }, + { + "cve_id": "CVE-2024-23896", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-01-23T10:55:17.786Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T10:55:17.795Z", + "modified": "2024-01-26T10:18:48.991Z" + } + }, + { + "cve_id": "CVE-2024-2414", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-13T09:27:40.343Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-13T09:27:40.343Z", + "modified": "2024-03-13T11:15:01.851Z" + } + }, + { + "cve_id": "CVE-2024-2415", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-13T09:27:41.382Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-13T09:27:41.382Z", + "modified": "2024-03-13T11:18:38.247Z" + } + }, + { + "cve_id": "CVE-2024-2416", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-13T09:27:42.274Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-13T09:27:42.274Z", + "modified": "2024-03-13T11:17:42.531Z" + } + }, + { + "cve_id": "CVE-2024-2495", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-15T09:18:10.418Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-15T09:18:10.419Z", + "modified": "2024-03-15T13:07:05.448Z" + } + }, + { + "cve_id": "CVE-2024-2584", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:08:51.758Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:08:51.759Z", + "modified": "2024-03-18T13:52:12.866Z" + } + }, + { + "cve_id": "CVE-2024-2585", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:08:52.785Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:08:52.786Z", + "modified": "2024-03-18T13:52:42.035Z" + } + }, + { + "cve_id": "CVE-2024-2586", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:08:53.485Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:08:53.486Z", + "modified": "2024-03-18T13:53:16.301Z" + } + }, + { + "cve_id": "CVE-2024-2587", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:08:54.380Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:08:54.380Z", + "modified": "2024-03-18T13:53:50.050Z" + } + }, + { + "cve_id": "CVE-2024-2588", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:08:55.218Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:08:55.218Z", + "modified": "2024-03-18T13:54:35.114Z" + } + }, + { + "cve_id": "CVE-2024-2589", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:08:56.091Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:08:56.092Z", + "modified": "2024-03-18T13:56:17.437Z" + } + }, + { + "cve_id": "CVE-2024-2590", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:08:57.034Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:08:57.034Z", + "modified": "2024-03-18T13:56:46.332Z" + } + }, + { + "cve_id": "CVE-2024-2591", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:08:57.785Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:08:57.786Z", + "modified": "2024-03-18T13:57:12.995Z" + } + }, + { + "cve_id": "CVE-2024-2592", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:08:58.611Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:08:58.611Z", + "modified": "2024-03-18T13:57:36.966Z" + } + }, + { + "cve_id": "CVE-2024-2593", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:08:59.375Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:08:59.375Z", + "modified": "2024-03-18T14:00:20.321Z" + } + }, + { + "cve_id": "CVE-2024-2594", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:09:00.146Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:09:00.147Z", + "modified": "2024-03-18T14:00:56.689Z" + } + }, + { + "cve_id": "CVE-2024-2595", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:09:00.912Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:09:00.912Z", + "modified": "2024-03-18T14:01:29.376Z" + } + }, + { + "cve_id": "CVE-2024-2596", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:09:01.708Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:09:01.708Z", + "modified": "2024-03-18T14:01:50.753Z" + } + }, + { + "cve_id": "CVE-2024-2597", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:09:02.608Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:09:02.608Z", + "modified": "2024-03-18T14:02:17.444Z" + } + }, + { + "cve_id": "CVE-2024-2598", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:09:03.266Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:09:03.266Z", + "modified": "2024-03-18T14:02:40.302Z" + } + }, + { + "cve_id": "CVE-2024-2599", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:09:04.082Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-18T11:09:04.082Z", + "modified": "2024-03-18T14:04:15.826Z" + } + }, + { + "cve_id": "CVE-2024-2600", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:09:04.844Z", + "state": "REJECTED", + "time": { + "created": "2024-03-18T11:09:04.844Z", + "modified": "2024-03-18T14:04:31.216Z" + } + }, + { + "cve_id": "CVE-2024-2601", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-18T11:09:05.663Z", + "state": "REJECTED", + "time": { + "created": "2024-03-18T11:09:05.663Z", + "modified": "2024-03-18T14:04:33.709Z" + } + }, + { + "cve_id": "CVE-2024-2632", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T06:44:29.035Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-19T06:44:29.036Z", + "modified": "2024-03-19T11:58:39.851Z" + } + }, + { + "cve_id": "CVE-2024-2633", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T06:44:58.359Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-19T06:44:58.359Z", + "modified": "2024-03-19T12:03:45.376Z" + } + }, + { + "cve_id": "CVE-2024-2634", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T06:45:00.266Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-19T06:45:00.267Z", + "modified": "2024-03-19T12:08:21.548Z" + } + }, + { + "cve_id": "CVE-2024-2635", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T06:45:01.569Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-19T06:45:01.569Z", + "modified": "2024-03-19T12:09:48.244Z" + } + }, + { + "cve_id": "CVE-2024-2636", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T06:45:02.871Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-19T06:45:02.871Z", + "modified": "2024-03-19T12:12:13.404Z" + } + }, + { + "cve_id": "CVE-2024-2722", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-20T11:33:47.311Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-20T11:33:47.312Z", + "modified": "2024-03-22T13:33:55.397Z" + } + }, + { + "cve_id": "CVE-2024-2723", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-20T11:33:48.339Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-20T11:33:48.339Z", + "modified": "2024-03-22T13:34:14.545Z" + } + }, + { + "cve_id": "CVE-2024-2724", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-20T11:33:49.191Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-20T11:33:49.192Z", + "modified": "2024-03-22T13:34:31.417Z" + } + }, + { + "cve_id": "CVE-2024-2725", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-20T11:33:49.912Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-20T11:33:49.912Z", + "modified": "2024-03-22T13:35:12.519Z" + } + }, + { + "cve_id": "CVE-2024-2726", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-20T11:33:50.640Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-20T11:33:50.641Z", + "modified": "2024-03-22T13:36:18.844Z" + } + }, + { + "cve_id": "CVE-2024-2727", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-20T11:33:51.453Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-20T11:33:51.454Z", + "modified": "2024-03-22T13:36:35.282Z" + } + }, + { + "cve_id": "CVE-2024-2728", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-20T11:33:52.434Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-20T11:33:52.434Z", + "modified": "2024-03-22T13:37:23.209Z" + } + }, + { + "cve_id": "CVE-2024-2740", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-03-20T14:16:52.577Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-20T14:16:52.578Z", + "modified": "2024-03-21T11:40:25.579Z" + } + }, + { + "cve_id": "CVE-2024-2741", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-03-20T14:16:53.726Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-20T14:16:53.727Z", + "modified": "2024-03-21T11:43:05.334Z" + } + }, + { + "cve_id": "CVE-2024-2742", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-03-20T14:16:54.664Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-20T14:16:54.665Z", + "modified": "2024-03-21T11:45:41.168Z" + } + }, + { + "cve_id": "CVE-2024-29723", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T07:42:30.140Z", + "state": "RESERVED", + "time": { + "created": "2024-03-19T07:42:30.142Z", + "modified": "2024-03-19T07:42:30.142Z" + } + }, + { + "cve_id": "CVE-2024-29724", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T07:42:30.140Z", + "state": "RESERVED", + "time": { + "created": "2024-03-19T07:42:30.142Z", + "modified": "2024-03-19T07:42:30.142Z" + } + }, + { + "cve_id": "CVE-2024-29725", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T07:42:30.140Z", + "state": "RESERVED", + "time": { + "created": "2024-03-19T07:42:30.142Z", + "modified": "2024-03-19T07:42:30.142Z" + } + }, + { + "cve_id": "CVE-2024-29726", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T07:42:30.140Z", + "state": "RESERVED", + "time": { + "created": "2024-03-19T07:42:30.142Z", + "modified": "2024-03-19T07:42:30.142Z" + } + }, + { + "cve_id": "CVE-2024-29727", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T07:42:30.140Z", + "state": "RESERVED", + "time": { + "created": "2024-03-19T07:42:30.142Z", + "modified": "2024-03-19T07:42:30.142Z" + } + }, + { + "cve_id": "CVE-2024-29728", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T07:42:30.141Z", + "state": "RESERVED", + "time": { + "created": "2024-03-19T07:42:30.142Z", + "modified": "2024-03-19T07:42:30.142Z" + } + }, + { + "cve_id": "CVE-2024-29729", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T07:42:30.141Z", + "state": "RESERVED", + "time": { + "created": "2024-03-19T07:42:30.142Z", + "modified": "2024-03-19T07:42:30.142Z" + } + }, + { + "cve_id": "CVE-2024-29730", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T07:42:30.141Z", + "state": "RESERVED", + "time": { + "created": "2024-03-19T07:42:30.142Z", + "modified": "2024-03-19T07:42:30.142Z" + } + }, + { + "cve_id": "CVE-2024-29731", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T07:42:30.141Z", + "state": "RESERVED", + "time": { + "created": "2024-03-19T07:42:30.142Z", + "modified": "2024-03-19T07:42:30.142Z" + } + }, + { + "cve_id": "CVE-2024-29732", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-03-19T07:42:30.141Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-19T07:42:30.142Z", + "modified": "2024-03-21T10:37:08.459Z" + } + }, + { + "cve_id": "CVE-2024-29870", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-21T10:29:38.100Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-21T10:29:38.103Z", + "modified": "2024-03-21T13:45:29.885Z" + } + }, + { + "cve_id": "CVE-2024-29871", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-21T10:29:38.100Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-21T10:29:38.104Z", + "modified": "2024-03-21T13:46:02.716Z" + } + }, + { + "cve_id": "CVE-2024-29872", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-21T10:29:38.100Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-21T10:29:38.104Z", + "modified": "2024-03-21T13:46:47.077Z" + } + }, + { + "cve_id": "CVE-2024-29873", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-21T10:29:38.101Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-21T10:29:38.104Z", + "modified": "2024-03-21T13:47:49.010Z" + } + }, + { + "cve_id": "CVE-2024-29874", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-21T10:29:38.101Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-21T10:29:38.104Z", + "modified": "2024-03-21T13:48:04.341Z" + } + }, + { + "cve_id": "CVE-2024-29875", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-21T10:29:38.101Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-21T10:29:38.104Z", + "modified": "2024-03-21T13:48:16.949Z" + } + }, + { + "cve_id": "CVE-2024-29876", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-21T10:29:38.102Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-21T10:29:38.104Z", + "modified": "2024-03-21T13:48:29.380Z" + } + }, + { + "cve_id": "CVE-2024-29877", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-21T10:29:38.102Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-21T10:29:38.104Z", + "modified": "2024-03-21T13:50:17.305Z" + } + }, + { + "cve_id": "CVE-2024-29878", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-21T10:29:38.102Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-21T10:29:38.104Z", + "modified": "2024-03-21T13:51:14.824Z" + } + }, + { + "cve_id": "CVE-2024-29879", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-03-21T10:29:38.102Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-21T10:29:38.104Z", + "modified": "2024-03-21T13:51:40.298Z" + } + }, + { + "cve_id": "CVE-2024-3262", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-03T09:53:11.218Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-03T09:53:11.219Z", + "modified": "2024-04-04T09:21:34.694Z" + } + }, + { + "cve_id": "CVE-2024-33957", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.771Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.782Z", + "modified": "2024-04-29T12:38:37.782Z" + } + }, + { + "cve_id": "CVE-2024-33958", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.772Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.782Z", + "modified": "2024-04-29T12:38:37.782Z" + } + }, + { + "cve_id": "CVE-2024-33959", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.772Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.782Z", + "modified": "2024-04-29T12:38:37.782Z" + } + }, + { + "cve_id": "CVE-2024-33960", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.772Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.782Z", + "modified": "2024-04-29T12:38:37.782Z" + } + }, + { + "cve_id": "CVE-2024-33961", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.772Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.782Z", + "modified": "2024-04-29T12:38:37.782Z" + } + }, + { + "cve_id": "CVE-2024-33962", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.772Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.783Z", + "modified": "2024-04-29T12:38:37.783Z" + } + }, + { + "cve_id": "CVE-2024-33963", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.772Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.783Z", + "modified": "2024-04-29T12:38:37.783Z" + } + }, + { + "cve_id": "CVE-2024-33964", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.772Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.783Z", + "modified": "2024-04-29T12:38:37.783Z" + } + }, + { + "cve_id": "CVE-2024-33965", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.773Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.783Z", + "modified": "2024-04-29T12:38:37.783Z" + } + }, + { + "cve_id": "CVE-2024-33966", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.773Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.783Z", + "modified": "2024-04-29T12:38:37.783Z" + } + }, + { + "cve_id": "CVE-2024-33967", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.773Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.783Z", + "modified": "2024-04-29T12:38:37.783Z" + } + }, + { + "cve_id": "CVE-2024-33968", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.773Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.783Z", + "modified": "2024-04-29T12:38:37.783Z" + } + }, + { + "cve_id": "CVE-2024-33969", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.773Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.783Z", + "modified": "2024-04-29T12:38:37.783Z" + } + }, + { + "cve_id": "CVE-2024-33970", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.773Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.783Z", + "modified": "2024-04-29T12:38:37.783Z" + } + }, + { + "cve_id": "CVE-2024-33971", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.773Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.784Z", + "modified": "2024-04-29T12:38:37.784Z" + } + }, + { + "cve_id": "CVE-2024-33972", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.773Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.784Z", + "modified": "2024-04-29T12:38:37.784Z" + } + }, + { + "cve_id": "CVE-2024-33973", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.774Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.784Z", + "modified": "2024-04-29T12:38:37.784Z" + } + }, + { + "cve_id": "CVE-2024-33974", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.774Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.784Z", + "modified": "2024-04-29T12:38:37.784Z" + } + }, + { + "cve_id": "CVE-2024-33975", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.774Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.784Z", + "modified": "2024-04-29T12:38:37.784Z" + } + }, + { + "cve_id": "CVE-2024-33976", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.774Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.784Z", + "modified": "2024-04-29T12:38:37.784Z" + } + }, + { + "cve_id": "CVE-2024-33977", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.774Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.784Z", + "modified": "2024-04-29T12:38:37.784Z" + } + }, + { + "cve_id": "CVE-2024-33978", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.774Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.784Z", + "modified": "2024-04-29T12:38:37.784Z" + } + }, + { + "cve_id": "CVE-2024-33979", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.774Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.784Z", + "modified": "2024-04-29T12:38:37.784Z" + } + }, + { + "cve_id": "CVE-2024-33980", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.775Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.785Z", + "modified": "2024-04-29T12:38:37.785Z" + } + }, + { + "cve_id": "CVE-2024-33981", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.775Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.785Z", + "modified": "2024-04-29T12:38:37.785Z" + } + }, + { + "cve_id": "CVE-2024-33982", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.775Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.785Z", + "modified": "2024-04-29T12:38:37.785Z" + } + }, + { + "cve_id": "CVE-2024-33983", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.775Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.785Z", + "modified": "2024-04-29T12:38:37.785Z" + } + }, + { + "cve_id": "CVE-2024-33984", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.775Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.785Z", + "modified": "2024-04-29T12:38:37.785Z" + } + }, + { + "cve_id": "CVE-2024-33985", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.775Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.785Z", + "modified": "2024-04-29T12:38:37.785Z" + } + }, + { + "cve_id": "CVE-2024-33986", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.775Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.785Z", + "modified": "2024-04-29T12:38:37.785Z" + } + }, + { + "cve_id": "CVE-2024-33987", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.776Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.785Z", + "modified": "2024-04-29T12:38:37.785Z" + } + }, + { + "cve_id": "CVE-2024-33988", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.776Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.785Z", + "modified": "2024-04-29T12:38:37.785Z" + } + }, + { + "cve_id": "CVE-2024-33989", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.776Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.786Z", + "modified": "2024-04-29T12:38:37.786Z" + } + }, + { + "cve_id": "CVE-2024-33990", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.776Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.786Z", + "modified": "2024-04-29T12:38:37.786Z" + } + }, + { + "cve_id": "CVE-2024-33991", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.776Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.786Z", + "modified": "2024-04-29T12:38:37.786Z" + } + }, + { + "cve_id": "CVE-2024-33992", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.776Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.786Z", + "modified": "2024-04-29T12:38:37.786Z" + } + }, + { + "cve_id": "CVE-2024-33993", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.776Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.786Z", + "modified": "2024-04-29T12:38:37.786Z" + } + }, + { + "cve_id": "CVE-2024-33994", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.776Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.786Z", + "modified": "2024-04-29T12:38:37.786Z" + } + }, + { + "cve_id": "CVE-2024-33995", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T12:38:37.777Z", + "state": "RESERVED", + "time": { + "created": "2024-04-29T12:38:37.786Z", + "modified": "2024-04-29T12:38:37.786Z" + } + }, + { + "cve_id": "CVE-2024-3507", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-09T07:34:52.246Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-09T07:34:52.248Z", + "modified": "2024-05-08T10:46:23.871Z" + } + }, + { + "cve_id": "CVE-2024-3654", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-11T08:47:30.925Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-11T08:47:30.926Z", + "modified": "2024-04-19T12:38:48.905Z" + } + }, + { + "cve_id": "CVE-2024-3704", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-12T10:44:52.613Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-12T10:44:52.614Z", + "modified": "2024-04-12T13:47:03.956Z" + } + }, + { + "cve_id": "CVE-2024-3705", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-12T10:44:53.474Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-12T10:44:53.475Z", + "modified": "2024-04-12T13:50:05.048Z" + } + }, + { + "cve_id": "CVE-2024-3706", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-12T10:44:54.288Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-12T10:44:54.289Z", + "modified": "2024-04-12T13:51:26.620Z" + } + }, + { + "cve_id": "CVE-2024-3707", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-12T10:44:54.894Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-12T10:44:54.894Z", + "modified": "2024-04-12T13:52:30.367Z" + } + }, + { + "cve_id": "CVE-2024-3780", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T07:23:26.899Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T07:23:26.900Z", + "modified": "2024-04-15T11:20:26.272Z" + } + }, + { + "cve_id": "CVE-2024-3781", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:18:50.647Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:18:50.648Z", + "modified": "2024-04-15T14:03:05.632Z" + } + }, + { + "cve_id": "CVE-2024-3782", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:18:51.763Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:18:51.764Z", + "modified": "2024-04-15T14:04:18.910Z" + } + }, + { + "cve_id": "CVE-2024-3783", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:18:52.676Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:18:52.677Z", + "modified": "2024-04-15T14:05:21.657Z" + } + }, + { + "cve_id": "CVE-2024-3784", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:18:53.739Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:18:53.740Z", + "modified": "2024-04-15T14:07:12.800Z" + } + }, + { + "cve_id": "CVE-2024-3785", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:18:54.428Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:18:54.428Z", + "modified": "2024-04-15T14:07:37.558Z" + } + }, + { + "cve_id": "CVE-2024-3786", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:18:55.335Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:18:55.337Z", + "modified": "2024-04-15T14:07:54.355Z" + } + }, + { + "cve_id": "CVE-2024-3787", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:18:56.328Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:18:56.329Z", + "modified": "2024-04-15T14:08:05.805Z" + } + }, + { + "cve_id": "CVE-2024-3788", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:18:57.069Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:18:57.070Z", + "modified": "2024-04-15T14:08:16.962Z" + } + }, + { + "cve_id": "CVE-2024-3789", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:18:57.920Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:18:57.920Z", + "modified": "2024-04-15T14:09:26.909Z" + } + }, + { + "cve_id": "CVE-2024-3790", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:18:58.736Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:18:58.737Z", + "modified": "2024-04-15T14:12:58.096Z" + } + }, + { + "cve_id": "CVE-2024-3791", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:18:59.440Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:18:59.441Z", + "modified": "2024-04-15T14:13:18.036Z" + } + }, + { + "cve_id": "CVE-2024-3792", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:19:00.311Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:19:00.312Z", + "modified": "2024-04-15T14:13:31.781Z" + } + }, + { + "cve_id": "CVE-2024-3793", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:19:00.968Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:19:00.968Z", + "modified": "2024-04-15T14:13:45.380Z" + } + }, + { + "cve_id": "CVE-2024-3794", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:19:01.796Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:19:01.796Z", + "modified": "2024-04-15T14:13:58.103Z" + } + }, + { + "cve_id": "CVE-2024-3795", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:19:02.436Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:19:02.436Z", + "modified": "2024-04-15T14:14:52.828Z" + } + }, + { + "cve_id": "CVE-2024-3796", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-15T10:19:03.342Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-15T10:19:03.343Z", + "modified": "2024-04-15T14:15:20.148Z" + } + }, + { + "cve_id": "CVE-2024-4026", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-22T09:29:15.086Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-22T09:29:15.087Z", + "modified": "2024-04-22T11:51:25.216Z" + } + }, + { + "cve_id": "CVE-2024-4174", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-25T08:33:50.695Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-25T08:33:50.695Z", + "modified": "2024-04-25T11:44:30.741Z" + } + }, + { + "cve_id": "CVE-2024-4175", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-25T08:33:51.577Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-25T08:33:51.578Z", + "modified": "2024-04-25T11:51:36.480Z" + } + }, + { + "cve_id": "CVE-2024-4304", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-04-29T07:37:46.684Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-29T07:37:46.684Z", + "modified": "2024-04-29T11:52:57.807Z" + } + }, + { + "cve_id": "CVE-2024-4306", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T10:10:04.556Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-29T10:10:04.557Z", + "modified": "2024-04-29T11:56:36.439Z" + } + }, + { + "cve_id": "CVE-2024-4307", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T10:10:05.610Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-29T10:10:05.611Z", + "modified": "2024-04-29T12:25:38.616Z" + } + }, + { + "cve_id": "CVE-2024-4308", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T10:10:06.696Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-29T10:10:06.696Z", + "modified": "2024-04-29T12:23:41.198Z" + } + }, + { + "cve_id": "CVE-2024-4309", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T10:10:07.716Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-29T10:10:07.716Z", + "modified": "2024-04-29T12:28:01.757Z" + } + }, + { + "cve_id": "CVE-2024-4310", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-04-29T10:10:08.692Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-29T10:10:08.692Z", + "modified": "2024-04-29T12:35:48.536Z" + } + }, + { + "cve_id": "CVE-2024-4336", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-04-30T07:46:12.006Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-30T07:46:12.007Z", + "modified": "2024-04-30T09:34:16.175Z" + } + }, + { + "cve_id": "CVE-2024-4337", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-04-30T07:46:33.495Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-30T07:46:33.496Z", + "modified": "2024-04-30T09:33:46.202Z" + } + }, + { + "cve_id": "CVE-2024-4461", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-05-03T07:06:22.294Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-03T07:06:22.295Z", + "modified": "2024-05-03T10:52:25.910Z" + } + }, + { + "cve_id": "CVE-2024-4466", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-03T09:19:35.061Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-03T09:19:35.061Z", + "modified": "2024-05-03T11:44:41.281Z" + } + }, + { + "cve_id": "CVE-2024-4537", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-06T09:57:41.048Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-06T09:57:41.049Z", + "modified": "2024-05-07T11:35:25.429Z" + } + }, + { + "cve_id": "CVE-2024-4538", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-06T09:57:42.029Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-06T09:57:42.029Z", + "modified": "2024-05-07T11:35:47.631Z" + } + }, + { + "cve_id": "CVE-2024-4599", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-05-07T07:49:48.173Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-07T07:49:48.174Z", + "modified": "2024-05-07T10:48:39.307Z" + } + }, + { + "cve_id": "CVE-2024-4600", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-07T09:41:31.124Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-07T09:41:31.125Z", + "modified": "2024-05-07T11:30:09.055Z" + } + }, + { + "cve_id": "CVE-2024-4601", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-07T09:41:32.272Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-07T09:41:32.272Z", + "modified": "2024-05-07T11:31:41.781Z" + } + }, + { + "cve_id": "CVE-2024-4822", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-05-13T07:19:19.362Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-13T07:19:19.363Z", + "modified": "2024-05-13T11:26:27.528Z" + } + }, + { + "cve_id": "CVE-2024-4823", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-05-13T07:19:20.469Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-13T07:19:20.470Z", + "modified": "2024-05-13T11:27:26.318Z" + } + }, + { + "cve_id": "CVE-2024-4824", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-05-13T07:19:21.405Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-13T07:19:21.406Z", + "modified": "2024-05-13T11:29:37.168Z" + } + }, + { + "cve_id": "CVE-2024-4825", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-13T08:15:39.916Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-13T08:15:39.916Z", + "modified": "2024-05-13T11:23:20.429Z" + } + }, + { + "cve_id": "CVE-2024-4826", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-13T09:34:38.290Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-13T09:34:38.291Z", + "modified": "2024-05-16T12:07:01.634Z" + } + }, + { + "cve_id": "CVE-2024-4827", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-13T09:34:39.388Z", + "state": "RESERVED", + "time": { + "created": "2024-05-13T09:34:39.388Z", + "modified": "2024-05-13T09:34:39.388Z" + } + }, + { + "cve_id": "CVE-2024-4828", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-13T09:34:40.348Z", + "state": "RESERVED", + "time": { + "created": "2024-05-13T09:34:40.348Z", + "modified": "2024-05-13T09:34:40.348Z" + } + }, + { + "cve_id": "CVE-2024-4829", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-13T09:34:41.312Z", + "state": "RESERVED", + "time": { + "created": "2024-05-13T09:34:41.313Z", + "modified": "2024-05-13T09:34:41.313Z" + } + }, + { + "cve_id": "CVE-2024-4830", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-13T09:34:42.295Z", + "state": "RESERVED", + "time": { + "created": "2024-05-13T09:34:42.295Z", + "modified": "2024-05-13T09:34:42.295Z" + } + }, + { + "cve_id": "CVE-2024-4831", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-13T09:34:43.265Z", + "state": "RESERVED", + "time": { + "created": "2024-05-13T09:34:43.266Z", + "modified": "2024-05-13T09:34:43.266Z" + } + }, + { + "cve_id": "CVE-2024-4832", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-13T09:34:44.334Z", + "state": "RESERVED", + "time": { + "created": "2024-05-13T09:34:44.335Z", + "modified": "2024-05-13T09:34:44.335Z" + } + }, + { + "cve_id": "CVE-2024-4833", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-13T09:34:45.079Z", + "state": "RESERVED", + "time": { + "created": "2024-05-13T09:34:45.079Z", + "modified": "2024-05-13T09:34:45.079Z" + } + }, + { + "cve_id": "CVE-2024-4834", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-13T09:34:46.085Z", + "state": "RESERVED", + "time": { + "created": "2024-05-13T09:34:46.085Z", + "modified": "2024-05-13T09:34:46.085Z" + } + }, + { + "cve_id": "CVE-2024-4991", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-16T09:51:24.832Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-16T09:51:24.835Z", + "modified": "2024-05-16T11:42:49.375Z" + } + }, + { + "cve_id": "CVE-2024-4992", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-16T09:51:25.844Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-16T09:51:25.845Z", + "modified": "2024-05-16T11:43:19.310Z" + } + }, + { + "cve_id": "CVE-2024-4993", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-16T09:51:26.559Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-16T09:51:26.562Z", + "modified": "2024-05-16T11:44:47.601Z" + } + }, + { + "cve_id": "CVE-2024-5052", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-05-17T07:01:59.602Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-17T07:01:59.605Z", + "modified": "2024-05-17T09:40:02.894Z" + } + }, + { + "cve_id": "CVE-2024-5055", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-17T09:45:56.213Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-17T09:45:56.214Z", + "modified": "2024-05-17T12:03:19.764Z" + } + }, + { + "cve_id": "CVE-2024-5168", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-21T11:32:15.379Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-21T11:32:15.380Z", + "modified": "2024-05-23T13:04:19.065Z" + } + }, + { + "cve_id": "CVE-2024-5312", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-05-24T07:22:57.202Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-24T07:22:57.203Z", + "modified": "2024-05-24T10:38:35.866Z" + } + }, + { + "cve_id": "CVE-2024-5314", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-05-24T08:38:56.912Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-24T08:38:56.913Z", + "modified": "2024-05-24T10:00:45.446Z" + } + }, + { + "cve_id": "CVE-2024-5315", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-05-24T08:38:58.484Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-24T08:38:58.485Z", + "modified": "2024-05-24T10:06:49.128Z" + } + }, + { + "cve_id": "CVE-2024-5405", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-05-27T07:22:48.538Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-27T07:22:48.540Z", + "modified": "2024-05-27T11:50:02.250Z" + } + }, + { + "cve_id": "CVE-2024-5406", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-05-27T07:22:50.259Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-27T07:22:50.261Z", + "modified": "2024-05-27T11:50:55.497Z" + } + }, + { + "cve_id": "CVE-2024-5407", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-05-27T07:26:25.583Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-27T07:26:25.584Z", + "modified": "2024-05-27T12:13:55.130Z" + } + }, + { + "cve_id": "CVE-2024-5408", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-05-27T07:26:26.953Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-27T07:26:26.954Z", + "modified": "2024-05-27T12:16:52.105Z" + } + }, + { + "cve_id": "CVE-2024-5409", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "hugo.rodriguez@incibe.es" + }, + "reserved": "2024-05-27T07:26:28.143Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-27T07:26:28.144Z", + "modified": "2024-05-27T12:17:41.458Z" + } + }, + { + "cve_id": "CVE-2024-5413", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-27T09:39:18.547Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-27T09:39:18.548Z", + "modified": "2024-05-28T12:21:40.657Z" + } + }, + { + "cve_id": "CVE-2024-5414", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-27T09:39:19.715Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-27T09:39:19.716Z", + "modified": "2024-05-28T12:22:02.478Z" + } + }, + { + "cve_id": "CVE-2024-5415", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-27T09:39:20.752Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-27T09:39:20.752Z", + "modified": "2024-05-28T12:22:19.815Z" + } + }, + { + "cve_id": "CVE-2024-5520", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-05-30T07:36:49.072Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-30T07:36:49.073Z", + "modified": "2024-05-30T11:10:37.527Z" + } + }, + { + "cve_id": "CVE-2024-5521", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "raquel.loma@incibe.es" + }, + "reserved": "2024-05-30T07:36:50.487Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-30T07:36:50.488Z", + "modified": "2024-05-30T11:11:30.222Z" + } + }, + { + "cve_id": "CVE-2024-5523", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-30T08:48:44.536Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-30T08:48:44.537Z", + "modified": "2024-05-31T07:32:54.981Z" + } + }, + { + "cve_id": "CVE-2024-5524", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-30T08:48:45.654Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-30T08:48:45.655Z", + "modified": "2024-05-31T07:33:51.150Z" + } + }, + { + "cve_id": "CVE-2024-5525", + "cve_year": "2024", + "owning_cna": "INCIBE", + "requested_by": { + "cna": "INCIBE", + "user": "cristian.cadenas@incibe.es" + }, + "reserved": "2024-05-30T08:48:46.774Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-30T08:48:46.774Z", + "modified": "2024-05-31T07:35:15.727Z" + } + }, + { + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "time": { + "created": "2023-02-03T20:38:04.552Z", + "modified": "2024-03-04T06:18:53.582Z" + }, + "cve_id": "CVE-2023-25176", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "OpenHarmony", + "reserved": "2023-11-28T02:39:39.375Z" + }, + { + "cve_id": "CVE-2023-43756", + "cve_year": "2023", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2023-11-28T02:07:56.578Z", + "state": "PUBLISHED", + "time": { + "created": "2023-09-22T04:36:31.560Z", + "modified": "2024-02-02T06:18:38.670Z" + } + }, + { + "cve_id": "CVE-2023-45734", + "cve_year": "2023", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2023-11-28T02:39:39.359Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-12T03:00:12.047Z", + "modified": "2024-02-02T06:19:00.209Z" + } + }, + { + "cve_id": "CVE-2023-46708", + "cve_year": "2023", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2023-11-28T02:39:39.368Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-25T07:08:54.638Z", + "modified": "2024-03-04T06:19:03.490Z" + } + }, + { + "cve_id": "CVE-2023-49118", + "cve_year": "2023", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2023-11-28T02:39:39.384Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-22T11:37:35.839Z", + "modified": "2024-02-02T06:18:45.275Z" + } + }, + { + "cve_id": "CVE-2023-49602", + "cve_year": "2023", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2023-11-28T02:07:56.574Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-28T02:07:56.409Z", + "modified": "2024-03-04T06:19:09.509Z" + } + }, + { + "cve_id": "CVE-2024-0285", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-01-06T11:03:57.060Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-06T11:03:57.061Z", + "modified": "2024-02-02T06:19:04.697Z" + } + }, + { + "cve_id": "CVE-2024-21816", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-01-06T11:01:00.571Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-02T16:55:54.749Z", + "modified": "2024-03-04T06:19:14.869Z" + } + }, + { + "cve_id": "CVE-2024-21826", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-01-06T11:01:00.616Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-02T16:55:54.749Z", + "modified": "2024-03-04T06:19:21.669Z" + } + }, + { + "cve_id": "CVE-2024-21834", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-01-06T11:01:00.563Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-02T16:55:54.749Z", + "modified": "2024-04-02T06:22:31.548Z" + } + }, + { + "cve_id": "CVE-2024-21845", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-01-06T11:01:00.636Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-02T16:55:54.750Z", + "modified": "2024-02-02T06:18:49.982Z" + } + }, + { + "cve_id": "CVE-2024-21851", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-01-06T11:01:00.643Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-02T16:55:54.750Z", + "modified": "2024-02-02T06:19:09.129Z" + } + }, + { + "cve_id": "CVE-2024-21860", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-01-06T11:01:00.629Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-02T16:55:54.751Z", + "modified": "2024-02-02T06:18:55.551Z" + } + }, + { + "cve_id": "CVE-2024-21863", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-01-06T11:01:00.652Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-02T16:55:54.751Z", + "modified": "2024-02-02T06:19:13.375Z" + } + }, + { + "cve_id": "CVE-2024-22092", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-03-15T08:05:24.400Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-05T04:00:20.615Z", + "modified": "2024-04-02T06:22:58.968Z" + } + }, + { + "cve_id": "CVE-2024-22098", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-01-06T11:01:00.591Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-05T04:00:20.615Z", + "modified": "2024-04-02T06:22:41.616Z" + } + }, + { + "cve_id": "CVE-2024-22177", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-01-06T11:01:00.581Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-05T22:07:42.804Z", + "modified": "2024-04-02T06:22:37.235Z" + } + }, + { + "cve_id": "CVE-2024-22180", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-01-06T11:01:00.647Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-05T22:07:42.805Z", + "modified": "2024-04-02T06:22:45.563Z" + } + }, + { + "cve_id": "CVE-2024-23808", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-03-15T08:05:24.430Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-22T16:48:21.581Z", + "modified": "2024-05-07T06:26:57.558Z" + } + }, + { + "cve_id": "CVE-2024-24581", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-03-15T08:05:24.404Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-25T17:05:42.322Z", + "modified": "2024-04-02T06:23:03.146Z" + } + }, + { + "cve_id": "CVE-2024-27217", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-03-15T08:05:24.422Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-21T15:30:47.174Z", + "modified": "2024-05-07T06:26:51.238Z" + } + }, + { + "cve_id": "CVE-2024-28226", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-03-15T08:05:24.409Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-07T10:05:15.157Z", + "modified": "2024-04-02T06:23:08.005Z" + } + }, + { + "cve_id": "CVE-2024-28951", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-03-15T08:05:24.413Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-13T03:00:17.040Z", + "modified": "2024-04-02T06:23:12.675Z" + } + }, + { + "cve_id": "CVE-2024-29074", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-03-15T08:05:24.395Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-15T08:05:24.321Z", + "modified": "2024-04-02T06:22:52.049Z" + } + }, + { + "cve_id": "CVE-2024-29086", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-03-15T08:05:24.417Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-15T08:05:24.322Z", + "modified": "2024-04-02T06:23:17.626Z" + } + }, + { + "cve_id": "CVE-2024-31071", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-04-13T06:30:40.959Z", + "state": "RESERVED", + "time": { + "created": "2024-03-27T23:39:28.003Z", + "modified": "2024-04-13T06:30:40.959Z" + } + }, + { + "cve_id": "CVE-2024-31078", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-04-13T06:30:40.953Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-27T23:39:29.901Z", + "modified": "2024-05-07T06:27:02.850Z" + } + }, + { + "cve_id": "CVE-2024-3757", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-04-13T06:30:04.973Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-13T06:30:04.974Z", + "modified": "2024-05-07T06:27:07.129Z" + } + }, + { + "cve_id": "CVE-2024-3758", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-04-13T06:30:15.502Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-13T06:30:15.503Z", + "modified": "2024-05-07T06:27:11.255Z" + } + }, + { + "cve_id": "CVE-2024-3759", + "cve_year": "2024", + "owning_cna": "OpenHarmony", + "requested_by": { + "cna": "OpenHarmony", + "user": "openharmony-cna@mail.openharmony.io" + }, + "reserved": "2024-04-13T06:30:21.325Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-13T06:30:21.325Z", + "modified": "2024-05-07T06:27:19.926Z" + } + }, + { + "cve_id": "CVE-2023-5097", + "cve_year": "2023", + "owning_cna": "HYPR", + "requested_by": { + "cna": "HYPR", + "user": "aldo.salas@hypr.com" + }, + "reserved": "2023-09-20T18:19:39.334Z", + "state": "PUBLISHED", + "time": { + "created": "2023-09-20T18:19:39.335Z", + "modified": "2024-01-16T19:40:57.893Z" + } + }, + { + "cve_id": "CVE-2023-6334", + "cve_year": "2023", + "owning_cna": "HYPR", + "requested_by": { + "cna": "HYPR", + "user": "aldo.salas@hypr.com" + }, + "reserved": "2023-11-27T18:03:31.048Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T18:03:31.049Z", + "modified": "2024-01-16T19:41:52.074Z" + } + }, + { + "cve_id": "CVE-2023-6335", + "cve_year": "2023", + "owning_cna": "HYPR", + "requested_by": { + "cna": "HYPR", + "user": "aldo.salas@hypr.com" + }, + "reserved": "2023-11-27T18:04:52.332Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T18:04:52.332Z", + "modified": "2024-01-16T19:42:02.677Z" + } + }, + { + "cve_id": "CVE-2023-6336", + "cve_year": "2023", + "owning_cna": "HYPR", + "requested_by": { + "cna": "HYPR", + "user": "aldo.salas@hypr.com" + }, + "reserved": "2023-11-27T18:05:05.008Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T18:05:05.008Z", + "modified": "2024-01-16T19:42:09.055Z" + } + }, + { + "cve_id": "CVE-2024-0068", + "cve_year": "2024", + "owning_cna": "HYPR", + "requested_by": { + "cna": "HYPR", + "user": "aldo.salas@hypr.com" + }, + "reserved": "2023-11-27T18:04:01.975Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T18:04:01.975Z", + "modified": "2024-02-29T19:51:38.575Z" + } + }, + { + "cve_id": "CVE-2024-1721", + "cve_year": "2024", + "owning_cna": "HYPR", + "requested_by": { + "cna": "HYPR", + "user": "aldo.salas@hypr.com" + }, + "reserved": "2024-02-21T18:49:39.648Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-21T18:49:39.650Z", + "modified": "2024-05-21T15:41:49.181Z" + } + }, + { + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "time": { + "created": "2023-04-04T19:05:19.825Z", + "modified": "2024-02-29T05:09:14.730Z" + }, + "cve_id": "CVE-2023-1841", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Honeywell", + "reserved": "2023-04-04T19:05:19.824Z" + }, + { + "cve_id": "CVE-2023-5389", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:49:59.920Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:49:59.921Z", + "modified": "2024-01-30T20:00:50.394Z" + } + }, + { + "cve_id": "CVE-2023-5390", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:05.792Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:05.792Z", + "modified": "2024-01-31T17:46:39.822Z" + } + }, + { + "cve_id": "CVE-2023-5392", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:45.390Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:45.390Z", + "modified": "2024-04-11T19:19:19.082Z" + } + }, + { + "cve_id": "CVE-2023-5393", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:46.496Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:46.497Z", + "modified": "2024-04-11T19:20:20.571Z" + } + }, + { + "cve_id": "CVE-2023-5394", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:47.250Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:47.251Z", + "modified": "2024-04-11T19:21:52.807Z" + } + }, + { + "cve_id": "CVE-2023-5395", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:47.748Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:47.748Z", + "modified": "2024-04-17T16:37:00.879Z" + } + }, + { + "cve_id": "CVE-2023-5396", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:48.303Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:48.304Z", + "modified": "2024-04-17T16:37:41.111Z" + } + }, + { + "cve_id": "CVE-2023-5397", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:50.454Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:50.454Z", + "modified": "2024-04-17T16:38:21.539Z" + } + }, + { + "cve_id": "CVE-2023-5398", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:51.025Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:51.025Z", + "modified": "2024-04-17T16:40:10.259Z" + } + }, + { + "cve_id": "CVE-2023-5400", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:51.561Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:51.562Z", + "modified": "2024-04-17T16:41:10.942Z" + } + }, + { + "cve_id": "CVE-2023-5401", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:52.064Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:52.064Z", + "modified": "2024-04-17T16:42:00.409Z" + } + }, + { + "cve_id": "CVE-2023-5403", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:52.659Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:52.659Z", + "modified": "2024-04-17T16:43:54.047Z" + } + }, + { + "cve_id": "CVE-2023-5404", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:53.624Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:53.625Z", + "modified": "2024-04-17T16:44:37.713Z" + } + }, + { + "cve_id": "CVE-2023-5405", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:54.177Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:54.177Z", + "modified": "2024-04-17T16:46:29.961Z" + } + }, + { + "cve_id": "CVE-2023-5406", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:54.642Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:54.642Z", + "modified": "2024-04-17T16:47:50.347Z" + } + }, + { + "cve_id": "CVE-2023-5407", + "cve_year": "2023", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2023-10-04T17:50:55.299Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-04T17:50:55.299Z", + "modified": "2024-04-17T16:49:16.912Z" + } + }, + { + "cve_id": "CVE-2024-1309", + "cve_year": "2024", + "owning_cna": "Honeywell", + "requested_by": { + "cna": "Honeywell", + "user": "abigail.palacios@honeywell.com" + }, + "reserved": "2024-02-07T14:55:02.262Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-07T14:55:02.263Z", + "modified": "2024-03-19T21:05:59.558Z" + } + }, + { + "cve_id": "CVE-2023-49330", + "cve_year": "2023", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "reserved": "2023-11-27T01:15:00.955Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T01:15:00.956Z", + "modified": "2024-05-20T12:19:59.750Z" + } + }, + { + "cve_id": "CVE-2023-49331", + "cve_year": "2023", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "reserved": "2023-11-27T01:15:00.955Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T01:15:00.956Z", + "modified": "2024-05-20T17:35:49.233Z" + } + }, + { + "cve_id": "CVE-2023-49332", + "cve_year": "2023", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "reserved": "2023-11-27T01:15:00.955Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T01:15:00.956Z", + "modified": "2024-05-20T17:45:36.475Z" + } + }, + { + "cve_id": "CVE-2023-49333", + "cve_year": "2023", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "reserved": "2023-11-27T01:15:00.955Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T01:15:00.956Z", + "modified": "2024-05-20T17:51:50.733Z" + } + }, + { + "cve_id": "CVE-2023-49334", + "cve_year": "2023", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "reserved": "2023-11-27T01:15:00.955Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T01:15:00.956Z", + "modified": "2024-05-20T17:55:14.235Z" + } + }, + { + "cve_id": "CVE-2023-49335", + "cve_year": "2023", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "reserved": "2023-11-27T01:15:00.955Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-27T01:15:00.956Z", + "modified": "2024-05-20T17:55:49.826Z" + } + }, + { + "cve_id": "CVE-2024-0252", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-01-05T17:59:42.780Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-05T17:59:42.780Z", + "modified": "2024-01-11T07:57:12.998Z" + } + }, + { + "cve_id": "CVE-2024-0253", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-01-05T18:03:44.608Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-05T18:03:44.610Z", + "modified": "2024-02-02T12:50:35.098Z" + } + }, + { + "cve_id": "CVE-2024-0269", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-01-06T09:27:27.062Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-06T09:27:27.063Z", + "modified": "2024-02-02T13:05:35.773Z" + } + }, + { + "cve_id": "CVE-2024-21775", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-01-11T12:44:32.603Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-02T16:55:54.746Z", + "modified": "2024-02-16T14:35:11.464Z" + } + }, + { + "cve_id": "CVE-2024-21791", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-01-11T12:44:32.608Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-02T16:55:54.747Z", + "modified": "2024-05-22T18:05:23.323Z" + } + }, + { + "cve_id": "CVE-2024-27310", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-02-23T06:13:18.186Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-23T06:13:18.189Z", + "modified": "2024-05-27T17:26:14.235Z" + } + }, + { + "cve_id": "CVE-2024-27311", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-02-23T06:13:18.186Z", + "state": "RESERVED", + "time": { + "created": "2024-02-23T06:13:18.190Z", + "modified": "2024-02-23T06:13:18.190Z" + } + }, + { + "cve_id": "CVE-2024-27312", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-02-23T06:13:18.186Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-23T06:13:18.190Z", + "modified": "2024-05-20T12:38:26.198Z" + } + }, + { + "cve_id": "CVE-2024-27313", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-02-23T06:13:18.187Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-23T06:13:18.190Z", + "modified": "2024-05-29T11:01:21.283Z" + } + }, + { + "cve_id": "CVE-2024-27314", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-02-23T06:13:18.187Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-23T06:13:18.190Z", + "modified": "2024-05-27T07:03:13.457Z" + } + }, + { + "cve_id": "CVE-2024-36034", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-17T19:23:57.540Z", + "state": "RESERVED", + "time": { + "created": "2024-05-17T19:23:57.541Z", + "modified": "2024-05-17T19:23:57.541Z" + } + }, + { + "cve_id": "CVE-2024-36035", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-17T19:23:57.540Z", + "state": "RESERVED", + "time": { + "created": "2024-05-17T19:23:57.541Z", + "modified": "2024-05-17T19:23:57.541Z" + } + }, + { + "cve_id": "CVE-2024-36036", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-17T19:23:57.540Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-17T19:23:57.541Z", + "modified": "2024-05-27T17:58:16.128Z" + } + }, + { + "cve_id": "CVE-2024-36037", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-17T19:23:57.540Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-17T19:23:57.541Z", + "modified": "2024-05-27T17:59:52.726Z" + } + }, + { + "cve_id": "CVE-2024-36038", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-17T19:23:57.540Z", + "state": "RESERVED", + "time": { + "created": "2024-05-17T19:23:57.541Z", + "modified": "2024-05-17T19:23:57.541Z" + } + }, + { + "cve_id": "CVE-2024-36514", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-29T19:31:31.769Z", + "state": "RESERVED", + "time": { + "created": "2024-05-29T19:31:31.771Z", + "modified": "2024-05-29T19:31:31.771Z" + } + }, + { + "cve_id": "CVE-2024-36515", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-29T19:31:31.769Z", + "state": "RESERVED", + "time": { + "created": "2024-05-29T19:31:31.771Z", + "modified": "2024-05-29T19:31:31.771Z" + } + }, + { + "cve_id": "CVE-2024-36516", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-29T19:31:31.769Z", + "state": "RESERVED", + "time": { + "created": "2024-05-29T19:31:31.771Z", + "modified": "2024-05-29T19:31:31.771Z" + } + }, + { + "cve_id": "CVE-2024-36517", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-29T19:31:31.769Z", + "state": "RESERVED", + "time": { + "created": "2024-05-29T19:31:31.771Z", + "modified": "2024-05-29T19:31:31.771Z" + } + }, + { + "cve_id": "CVE-2024-36518", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-29T19:31:31.769Z", + "state": "RESERVED", + "time": { + "created": "2024-05-29T19:31:31.771Z", + "modified": "2024-05-29T19:31:31.771Z" + } + }, + { + "cve_id": "CVE-2024-5466", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-29T09:42:19.974Z", + "state": "RESERVED", + "time": { + "created": "2024-05-29T09:42:19.975Z", + "modified": "2024-05-29T09:42:19.975Z" + } + }, + { + "cve_id": "CVE-2024-5467", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-29T10:09:26.108Z", + "state": "RESERVED", + "time": { + "created": "2024-05-29T10:09:26.109Z", + "modified": "2024-05-29T10:09:26.109Z" + } + }, + { + "cve_id": "CVE-2024-5471", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-29T13:06:06.107Z", + "state": "RESERVED", + "time": { + "created": "2024-05-29T13:06:06.108Z", + "modified": "2024-05-29T13:06:06.108Z" + } + }, + { + "cve_id": "CVE-2024-5487", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-29T19:22:17.321Z", + "state": "RESERVED", + "time": { + "created": "2024-05-29T19:22:17.322Z", + "modified": "2024-05-29T19:22:17.322Z" + } + }, + { + "cve_id": "CVE-2024-5490", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-29T20:15:14.657Z", + "state": "RESERVED", + "time": { + "created": "2024-05-29T20:15:14.658Z", + "modified": "2024-05-29T20:15:14.658Z" + } + }, + { + "cve_id": "CVE-2024-5527", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-30T10:22:04.965Z", + "state": "RESERVED", + "time": { + "created": "2024-05-30T10:22:04.965Z", + "modified": "2024-05-30T10:22:04.965Z" + } + }, + { + "cve_id": "CVE-2024-5546", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-30T19:06:01.692Z", + "state": "RESERVED", + "time": { + "created": "2024-05-30T19:06:01.693Z", + "modified": "2024-05-30T19:06:01.693Z" + } + }, + { + "cve_id": "CVE-2024-5556", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-31T04:04:41.315Z", + "state": "RESERVED", + "time": { + "created": "2024-05-31T04:04:41.316Z", + "modified": "2024-05-31T04:04:41.316Z" + } + }, + { + "cve_id": "CVE-2024-5562", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-05-31T12:10:46.741Z", + "state": "RESERVED", + "time": { + "created": "2024-05-31T12:10:46.742Z", + "modified": "2024-05-31T12:10:46.742Z" + } + }, + { + "cve_id": "CVE-2024-5586", + "cve_year": "2024", + "owning_cna": "ManageEngine", + "requested_by": { + "cna": "ManageEngine", + "user": "rajesh.selvaganapathi@manageengine.com" + }, + "reserved": "2024-06-01T06:18:55.183Z", + "state": "RESERVED", + "time": { + "created": "2024-06-01T06:18:55.184Z", + "modified": "2024-06-01T06:18:55.184Z" + } + }, + { + "cve_id": "CVE-2024-1142", + "cve_year": "2024", + "owning_cna": "Sonatype", + "requested_by": { + "cna": "Sonatype", + "user": "hdam@sonatype.com" + }, + "reserved": "2024-02-01T02:16:58.949Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-01T02:16:58.950Z", + "modified": "2024-03-06T20:08:21.984Z" + } + }, + { + "cve_id": "CVE-2024-4956", + "cve_year": "2024", + "owning_cna": "Sonatype", + "requested_by": { + "cna": "Sonatype", + "user": "hdam@sonatype.com" + }, + "reserved": "2024-05-15T17:17:46.044Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-15T17:17:46.052Z", + "modified": "2024-05-16T15:31:01.825Z" + } + }, + { + "cve_id": "CVE-2024-5082", + "cve_year": "2024", + "owning_cna": "Sonatype", + "requested_by": { + "cna": "Sonatype", + "user": "hdam@sonatype.com" + }, + "reserved": "2024-05-17T19:53:08.215Z", + "state": "RESERVED", + "time": { + "created": "2024-05-17T19:53:08.216Z", + "modified": "2024-05-17T19:53:08.216Z" + } + }, + { + "cve_id": "CVE-2024-5083", + "cve_year": "2024", + "owning_cna": "Sonatype", + "requested_by": { + "cna": "Sonatype", + "user": "hdam@sonatype.com" + }, + "reserved": "2024-05-17T19:53:34.732Z", + "state": "RESERVED", + "time": { + "created": "2024-05-17T19:53:34.733Z", + "modified": "2024-05-17T19:53:34.733Z" + } + }, + { + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "time": { + "created": "2023-02-28T17:20:57.463Z", + "modified": "2024-02-05T20:35:27.533Z" + }, + "cve_id": "CVE-2023-27318", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "netapp", + "reserved": "2023-02-28T17:20:57.462Z" + }, + { + "cve_id": "CVE-2024-21982", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.345Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-03T19:45:25.349Z", + "modified": "2024-01-11T23:32:14.398Z" + } + }, + { + "cve_id": "CVE-2024-21983", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.346Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-03T19:45:25.349Z", + "modified": "2024-02-16T22:35:02.394Z" + } + }, + { + "cve_id": "CVE-2024-21984", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.346Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-03T19:45:25.349Z", + "modified": "2024-02-16T22:37:47.593Z" + } + }, + { + "cve_id": "CVE-2024-21985", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.346Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-26T16:01:48.178Z" + } + }, + { + "cve_id": "CVE-2024-21986", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.346Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-21987", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.346Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-02-16T20:27:34.014Z" + } + }, + { + "cve_id": "CVE-2024-21988", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.346Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-21989", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.346Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-04-17T19:32:34.608Z" + } + }, + { + "cve_id": "CVE-2024-21990", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.346Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-04-17T19:35:23.608Z" + } + }, + { + "cve_id": "CVE-2024-21991", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.347Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-21992", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.347Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-21993", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.347Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-21994", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.347Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-21995", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.347Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-21996", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.347Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-21997", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.347Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-21998", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.347Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-21999", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.348Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-22000", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.348Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "cve_id": "CVE-2024-22001", + "cve_year": "2024", + "owning_cna": "netapp", + "requested_by": { + "cna": "netapp", + "user": "kryan@netapp.com" + }, + "reserved": "2024-01-03T19:45:25.348Z", + "state": "RESERVED", + "time": { + "created": "2024-01-03T19:45:25.350Z", + "modified": "2024-01-03T19:45:25.350Z" + } + }, + { + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "time": { + "created": "2022-11-22T17:52:43.200Z", + "modified": "2024-01-22T17:22:14.488Z" + }, + "cve_id": "CVE-2022-45790", + "cve_year": "2022", + "state": "PUBLISHED", + "owning_cna": "Dragos", + "reserved": "2022-11-22T17:52:43.198Z" + }, + { + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "time": { + "created": "2022-11-22T17:52:43.201Z", + "modified": "2024-01-22T17:39:47.187Z" + }, + "cve_id": "CVE-2022-45791", + "cve_year": "2022", + "state": "REJECTED", + "owning_cna": "Dragos", + "reserved": "2022-11-22T17:52:43.198Z" + }, + { + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "time": { + "created": "2022-11-22T17:52:43.201Z", + "modified": "2024-01-22T17:46:36.710Z" + }, + "cve_id": "CVE-2022-45792", + "cve_year": "2022", + "state": "PUBLISHED", + "owning_cna": "Dragos", + "reserved": "2022-11-22T17:52:43.198Z" + }, + { + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "time": { + "created": "2022-11-22T17:52:43.201Z", + "modified": "2024-01-10T20:49:36.096Z" + }, + "cve_id": "CVE-2022-45793", + "cve_year": "2022", + "state": "PUBLISHED", + "owning_cna": "Dragos", + "reserved": "2022-11-22T17:52:43.199Z" + }, + { + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "time": { + "created": "2022-11-22T17:52:43.201Z", + "modified": "2024-01-10T22:56:58.846Z" + }, + "cve_id": "CVE-2022-45794", + "cve_year": "2022", + "state": "PUBLISHED", + "owning_cna": "Dragos", + "reserved": "2022-11-22T17:52:43.199Z" + }, + { + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "time": { + "created": "2022-11-22T17:52:43.201Z", + "modified": "2024-01-22T17:34:44.449Z" + }, + "cve_id": "CVE-2022-45795", + "cve_year": "2022", + "state": "REJECTED", + "owning_cna": "Dragos", + "reserved": "2022-11-22T17:52:43.199Z" + }, + { + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "time": { + "created": "2023-04-06T17:45:40.442Z", + "modified": "2024-01-10T17:06:35.977Z" + }, + "cve_id": "CVE-2023-29444", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Dragos", + "reserved": "2023-04-06T17:45:40.441Z" + }, + { + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "time": { + "created": "2023-04-06T17:45:40.442Z", + "modified": "2024-01-10T20:17:12.851Z" + }, + "cve_id": "CVE-2023-29445", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Dragos", + "reserved": "2023-04-06T17:45:40.441Z" + }, + { + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "time": { + "created": "2023-04-06T17:45:40.442Z", + "modified": "2024-01-10T20:21:51.446Z" + }, + "cve_id": "CVE-2023-29446", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Dragos", + "reserved": "2023-04-06T17:45:40.441Z" + }, + { + "requested_by": { + "cna": "mitre", + "user": "cps" + }, + "time": { + "created": "2023-04-06T17:45:40.442Z", + "modified": "2024-01-10T20:24:52.994Z" + }, + "cve_id": "CVE-2023-29447", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Dragos", + "reserved": "2023-04-06T17:45:40.441Z" + }, + { + "cve_id": "CVE-2024-0785", + "cve_year": "2024", + "owning_cna": "Dragos", + "requested_by": { + "cna": "Dragos", + "user": "rwightman@dragos.com" + }, + "reserved": "2024-01-22T16:32:32.633Z", + "state": "REJECTED", + "time": { + "created": "2024-01-22T16:32:32.634Z", + "modified": "2024-01-22T16:32:41.346Z" + } + }, + { + "cve_id": "CVE-2024-1480", + "cve_year": "2024", + "owning_cna": "Dragos", + "requested_by": { + "cna": "Dragos", + "user": "rwightman@dragos.com" + }, + "reserved": "2024-02-13T18:49:36.966Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-13T18:49:36.967Z", + "modified": "2024-04-19T21:19:27.602Z" + } + }, + { + "cve_id": "CVE-2024-1583", + "cve_year": "2024", + "owning_cna": "BT", + "requested_by": { + "cna": "BT", + "user": "sjain@beyondtrust.com" + }, + "reserved": "2024-02-16T14:37:34.727Z", + "state": "REJECTED", + "time": { + "created": "2024-02-16T14:37:34.727Z", + "modified": "2024-02-16T14:38:19.397Z" + } + }, + { + "cve_id": "CVE-2024-1591", + "cve_year": "2024", + "owning_cna": "BT", + "requested_by": { + "cna": "BT", + "user": "smckinnon@beyondtrust.com" + }, + "reserved": "2024-02-16T17:32:29.581Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-16T17:32:29.584Z", + "modified": "2024-02-16T18:54:33.396Z" + } + }, + { + "cve_id": "CVE-2024-4015", + "cve_year": "2024", + "owning_cna": "BT", + "requested_by": { + "cna": "BT", + "user": "pblankenship@beyondtrust.com" + }, + "reserved": "2024-04-19T20:17:25.958Z", + "state": "REJECTED", + "time": { + "created": "2024-04-19T20:17:25.958Z", + "modified": "2024-04-19T20:22:00.045Z" + } + }, + { + "cve_id": "CVE-2024-4016", + "cve_year": "2024", + "owning_cna": "BT", + "requested_by": { + "cna": "BT", + "user": "pblankenship@beyondtrust.com" + }, + "reserved": "2024-04-19T20:21:24.806Z", + "state": "REJECTED", + "time": { + "created": "2024-04-19T20:21:24.806Z", + "modified": "2024-04-19T20:22:03.166Z" + } + }, + { + "cve_id": "CVE-2024-4017", + "cve_year": "2024", + "owning_cna": "BT", + "requested_by": { + "cna": "BT", + "user": "pblankenship@beyondtrust.com" + }, + "reserved": "2024-04-19T20:23:21.302Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-19T20:23:21.304Z", + "modified": "2024-04-19T20:40:25.265Z" + } + }, + { + "cve_id": "CVE-2024-4018", + "cve_year": "2024", + "owning_cna": "BT", + "requested_by": { + "cna": "BT", + "user": "pblankenship@beyondtrust.com" + }, + "reserved": "2024-04-19T20:24:20.448Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-19T20:24:20.449Z", + "modified": "2024-04-19T20:29:19.637Z" + } + }, + { + "cve_id": "CVE-2024-4219", + "cve_year": "2024", + "owning_cna": "BT", + "requested_by": { + "cna": "BT", + "user": "pblankenship@beyondtrust.com" + }, + "reserved": "2024-04-25T21:45:38.683Z", + "state": "RESERVED", + "time": { + "created": "2024-04-25T21:45:38.684Z", + "modified": "2024-04-25T21:45:38.684Z" + } + }, + { + "cve_id": "CVE-2024-4220", + "cve_year": "2024", + "owning_cna": "BT", + "requested_by": { + "cna": "BT", + "user": "pblankenship@beyondtrust.com" + }, + "reserved": "2024-04-25T21:45:48.412Z", + "state": "RESERVED", + "time": { + "created": "2024-04-25T21:45:48.412Z", + "modified": "2024-04-25T21:45:48.412Z" + } + }, + { + "cve_id": "CVE-2024-4221", + "cve_year": "2024", + "owning_cna": "BT", + "requested_by": { + "cna": "BT", + "user": "pblankenship@beyondtrust.com" + }, + "reserved": "2024-04-25T21:45:52.583Z", + "state": "RESERVED", + "time": { + "created": "2024-04-25T21:45:52.583Z", + "modified": "2024-04-25T21:45:52.583Z" + } + }, + { + "cve_id": "CVE-2024-0819", + "cve_year": "2024", + "owning_cna": "TV", + "requested_by": { + "cna": "TV", + "user": "michael.gillig@teamviewer.com" + }, + "reserved": "2024-01-23T12:46:32.947Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-23T12:46:32.947Z", + "modified": "2024-02-27T14:07:24.308Z" + } + }, + { + "cve_id": "CVE-2024-1933", + "cve_year": "2024", + "owning_cna": "TV", + "requested_by": { + "cna": "TV", + "user": "mael.deloth@teamviewer.com" + }, + "reserved": "2024-02-27T14:10:39.499Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-27T14:10:39.500Z", + "modified": "2024-03-26T12:47:11.249Z" + } + }, + { + "cve_id": "CVE-2024-2451", + "cve_year": "2024", + "owning_cna": "TV", + "requested_by": { + "cna": "TV", + "user": "michael.gillig@teamviewer.com" + }, + "reserved": "2024-03-14T13:47:04.908Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-14T13:47:04.909Z", + "modified": "2024-05-28T14:27:25.933Z" + } + }, + { + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "time": { + "created": "2022-08-25T10:24:10.466Z", + "modified": "2024-03-15T11:05:59.583Z" + }, + "cve_id": "CVE-2022-38749", + "cve_year": "2022", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2022-08-25T10:24:10.459Z" + }, + { + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "time": { + "created": "2022-08-25T10:24:10.466Z", + "modified": "2024-03-15T11:06:05.169Z" + }, + "cve_id": "CVE-2022-38750", + "cve_year": "2022", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2022-08-25T10:24:10.460Z" + }, + { + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "time": { + "created": "2022-08-25T10:24:10.467Z", + "modified": "2024-03-15T11:06:03.332Z" + }, + "cve_id": "CVE-2022-38751", + "cve_year": "2022", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2022-08-25T10:24:10.460Z" + }, + { + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "time": { + "created": "2022-08-25T10:24:10.467Z", + "modified": "2024-03-15T11:06:18.350Z" + }, + "cve_id": "CVE-2022-38752", + "cve_year": "2022", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2022-08-25T10:24:10.461Z" + }, + { + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "time": { + "created": "2022-09-30T11:31:09.428Z", + "modified": "2024-03-15T11:06:16.404Z" + }, + "cve_id": "CVE-2022-41854", + "cve_year": "2022", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2022-09-30T11:31:09.424Z" + }, + { + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "time": { + "created": "2023-05-30T13:15:41.561Z", + "modified": "2024-02-13T19:05:57.927Z" + }, + "cve_id": "CVE-2023-2976", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2023-05-30T13:15:41.560Z" + }, + { + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "time": { + "created": "2023-06-09T09:44:05.432Z", + "modified": "2024-01-25T15:22:47.841Z" + }, + "cve_id": "CVE-2023-3181", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2023-06-09T09:44:05.431Z" + }, + { + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "time": { + "created": "2023-06-23T13:45:16.520Z", + "modified": "2024-01-11T19:07:14.102Z" + }, + "cve_id": "CVE-2023-3390", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2023-06-23T13:45:16.519Z" + }, + { + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "time": { + "created": "2023-07-10T20:52:53.661Z", + "modified": "2024-01-11T19:06:26.569Z" + }, + "cve_id": "CVE-2023-3609", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2023-07-10T20:52:53.660Z" + }, + { + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "time": { + "created": "2023-07-10T20:52:55.366Z", + "modified": "2024-01-11T19:07:19.795Z" + }, + "cve_id": "CVE-2023-3611", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2023-07-10T20:52:55.365Z" + }, + { + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "time": { + "created": "2023-06-29T10:33:40.829Z", + "modified": "2024-05-02T13:21:28.239Z" + }, + "cve_id": "CVE-2023-37244", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2023-06-29T10:33:40.828Z" + }, + { + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "time": { + "created": "2023-07-19T15:50:20.758Z", + "modified": "2024-02-02T14:06:28.141Z" + }, + "cve_id": "CVE-2023-3776", + "cve_year": "2023", + "state": "PUBLISHED", + "owning_cna": "Google", + "reserved": "2023-07-19T15:50:20.757Z" + }, + { + "cve_id": "CVE-2023-4206", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-08-07T13:02:24.450Z", + "state": "PUBLISHED", + "time": { + "created": "2023-08-07T13:02:24.451Z", + "modified": "2024-01-11T19:06:39.728Z" + } + }, + { + "cve_id": "CVE-2023-4207", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-08-07T13:02:25.476Z", + "state": "PUBLISHED", + "time": { + "created": "2023-08-07T13:02:25.476Z", + "modified": "2024-01-11T19:07:23.151Z" + } + }, + { + "cve_id": "CVE-2023-4208", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-08-07T13:02:26.235Z", + "state": "PUBLISHED", + "time": { + "created": "2023-08-07T13:02:26.235Z", + "modified": "2024-01-11T19:06:59.042Z" + } + }, + { + "cve_id": "CVE-2023-4244", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-08-08T15:36:07.559Z", + "state": "PUBLISHED", + "time": { + "created": "2023-08-08T15:36:07.560Z", + "modified": "2024-01-11T19:06:34.945Z" + } + }, + { + "cve_id": "CVE-2023-4622", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-08-30T11:57:48.389Z", + "state": "PUBLISHED", + "time": { + "created": "2023-08-30T11:57:48.390Z", + "modified": "2024-01-11T19:06:42.956Z" + } + }, + { + "cve_id": "CVE-2023-4623", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-08-30T11:58:12.267Z", + "state": "PUBLISHED", + "time": { + "created": "2023-08-30T11:58:12.267Z", + "modified": "2024-01-11T19:06:57.336Z" + } + }, + { + "cve_id": "CVE-2023-4921", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-09-12T19:22:10.389Z", + "state": "PUBLISHED", + "time": { + "created": "2023-09-12T19:22:10.389Z", + "modified": "2024-01-11T19:06:29.739Z" + } + }, + { + "cve_id": "CVE-2023-5197", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-09-26T09:43:24.384Z", + "state": "PUBLISHED", + "time": { + "created": "2023-09-26T09:43:24.385Z", + "modified": "2024-01-11T21:06:45.221Z" + } + }, + { + "cve_id": "CVE-2023-5345", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-10-02T23:43:23.770Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-02T23:43:23.771Z", + "modified": "2024-02-08T16:05:56.941Z" + } + }, + { + "cve_id": "CVE-2023-5717", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-10-23T10:49:09.250Z", + "state": "PUBLISHED", + "time": { + "created": "2023-10-23T10:49:09.251Z", + "modified": "2024-01-11T21:06:41.751Z" + } + }, + { + "cve_id": "CVE-2023-6111", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-11-13T20:25:06.272Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-13T20:25:06.273Z", + "modified": "2024-02-05T07:06:08.402Z" + } + }, + { + "cve_id": "CVE-2023-6349", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "sabakia" + }, + "reserved": "2023-11-28T01:49:37.568Z", + "state": "PUBLISHED", + "time": { + "created": "2023-11-28T01:49:37.569Z", + "modified": "2024-05-27T11:26:58.222Z" + } + }, + { + "cve_id": "CVE-2023-6817", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-12-14T11:29:13.252Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-14T11:29:13.252Z", + "modified": "2024-02-08T16:05:59.017Z" + } + }, + { + "cve_id": "CVE-2023-6879", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "serb" + }, + "reserved": "2023-12-15T21:26:46.180Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-15T21:26:46.181Z", + "modified": "2024-01-07T02:06:26.737Z" + } + }, + { + "cve_id": "CVE-2023-6931", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-12-18T20:13:06.510Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-18T20:13:06.511Z", + "modified": "2024-01-11T21:06:43.525Z" + } + }, + { + "cve_id": "CVE-2023-6932", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2023-12-18T20:14:26.281Z", + "state": "PUBLISHED", + "time": { + "created": "2023-12-18T20:14:26.281Z", + "modified": "2024-02-08T16:06:03.001Z" + } + }, + { + "cve_id": "CVE-2023-7258", + "cve_year": "2023", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-05-02T11:47:43.153Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-02T11:47:43.153Z", + "modified": "2024-05-15T16:29:08.599Z" + } + }, + { + "cve_id": "CVE-2024-0228", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2024-01-03T19:55:31.792Z", + "state": "REJECTED", + "time": { + "created": "2024-01-03T19:55:31.793Z", + "modified": "2024-01-09T17:08:18.814Z" + } + }, + { + "cve_id": "CVE-2024-0894", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-01-25T15:22:28.220Z", + "state": "REJECTED", + "time": { + "created": "2024-01-25T15:22:28.221Z", + "modified": "2024-01-25T15:22:30.860Z" + } + }, + { + "cve_id": "CVE-2024-1085", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2024-01-30T20:04:08.623Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-30T20:04:08.624Z", + "modified": "2024-01-31T12:14:32.439Z" + } + }, + { + "cve_id": "CVE-2024-1086", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2024-01-30T20:04:09.704Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-30T20:04:09.705Z", + "modified": "2024-05-01T18:11:10.877Z" + } + }, + { + "cve_id": "CVE-2024-1087", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "poprdi" + }, + "reserved": "2024-01-30T20:04:10.565Z", + "state": "REJECTED", + "time": { + "created": "2024-01-30T20:04:10.565Z", + "modified": "2024-01-31T12:14:35.445Z" + } + }, + { + "cve_id": "CVE-2024-1280", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-02-06T16:29:44.848Z", + "state": "REJECTED", + "time": { + "created": "2024-02-06T16:29:44.848Z", + "modified": "2024-05-02T12:34:42.404Z" + } + }, + { + "cve_id": "CVE-2024-1281", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-02-06T16:29:45.994Z", + "state": "REJECTED", + "time": { + "created": "2024-02-06T16:29:45.994Z", + "modified": "2024-05-02T12:34:45.086Z" + } + }, + { + "cve_id": "CVE-2024-1580", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-02-16T12:23:14.335Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-16T12:23:14.336Z", + "modified": "2024-03-27T18:06:04.465Z" + } + }, + { + "cve_id": "CVE-2024-1713", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "rcorreadeysasi" + }, + "reserved": "2024-02-21T16:48:28.219Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-21T16:48:28.221Z", + "modified": "2024-03-14T20:14:28.623Z" + } + }, + { + "cve_id": "CVE-2024-2190", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-03-05T12:01:50.828Z", + "state": "RESERVED", + "time": { + "created": "2024-03-05T12:01:50.829Z", + "modified": "2024-03-05T12:01:50.829Z" + } + }, + { + "cve_id": "CVE-2024-2410", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "sabakia" + }, + "reserved": "2024-03-12T23:26:10.660Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-12T23:26:10.660Z", + "modified": "2024-05-03T12:58:39.458Z" + } + }, + { + "cve_id": "CVE-2024-25556", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-02-07T15:38:59.656Z", + "state": "REJECTED", + "time": { + "created": "2024-02-07T15:38:59.657Z", + "modified": "2024-05-02T12:32:38.813Z" + } + }, + { + "cve_id": "CVE-2024-25557", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-02-07T15:38:59.656Z", + "state": "RESERVED", + "time": { + "created": "2024-02-07T15:38:59.657Z", + "modified": "2024-02-07T15:38:59.657Z" + } + }, + { + "cve_id": "CVE-2024-25558", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-02-07T15:38:59.656Z", + "state": "RESERVED", + "time": { + "created": "2024-02-07T15:38:59.657Z", + "modified": "2024-02-07T15:38:59.657Z" + } + }, + { + "cve_id": "CVE-2024-3589", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "rcorreadeysasi" + }, + "reserved": "2024-04-10T14:23:58.644Z", + "state": "RESERVED", + "time": { + "created": "2024-04-10T14:23:58.644Z", + "modified": "2024-04-10T14:23:58.644Z" + } + }, + { + "cve_id": "CVE-2024-4128", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-04-24T09:25:02.333Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-24T09:25:02.334Z", + "modified": "2024-05-02T13:22:50.841Z" + } + }, + { + "cve_id": "CVE-2024-4414", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-05-02T10:10:27.424Z", + "state": "RESERVED", + "time": { + "created": "2024-05-02T10:10:27.424Z", + "modified": "2024-05-02T10:10:27.424Z" + } + }, + { + "cve_id": "CVE-2024-4415", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-05-02T10:13:23.674Z", + "state": "RESERVED", + "time": { + "created": "2024-05-02T10:13:23.675Z", + "modified": "2024-05-02T10:13:23.675Z" + } + }, + { + "cve_id": "CVE-2024-4416", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-05-02T10:14:09.373Z", + "state": "RESERVED", + "time": { + "created": "2024-05-02T10:14:09.373Z", + "modified": "2024-05-02T10:14:09.373Z" + } + }, + { + "cve_id": "CVE-2024-4420", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-05-02T11:15:28.604Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-02T11:15:28.605Z", + "modified": "2024-05-21T11:52:28.413Z" + } + }, + { + "cve_id": "CVE-2024-4421", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-05-02T11:47:36.177Z", + "state": "RESERVED", + "time": { + "created": "2024-05-02T11:47:36.178Z", + "modified": "2024-05-02T11:47:36.178Z" + } + }, + { + "cve_id": "CVE-2024-5166", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-05-21T09:50:35.869Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-21T09:50:35.870Z", + "modified": "2024-05-22T16:11:55.755Z" + } + }, + { + "cve_id": "CVE-2024-5171", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "serb" + }, + "reserved": "2024-05-21T12:53:59.515Z", + "state": "RESERVED", + "time": { + "created": "2024-05-21T12:53:59.516Z", + "modified": "2024-05-21T12:53:59.516Z" + } + }, + { + "cve_id": "CVE-2024-5197", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-05-22T09:42:54.906Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-22T09:42:54.907Z", + "modified": "2024-06-03T13:30:26.931Z" + } + }, + { + "cve_id": "CVE-2024-5436", + "cve_year": "2024", + "owning_cna": "Google", + "requested_by": { + "cna": "Google", + "user": "pauldev@google.com" + }, + "reserved": "2024-05-28T16:04:39.285Z", + "state": "PUBLISHED", + "time": { + "created": "2024-05-28T16:04:39.286Z", + "modified": "2024-05-31T08:11:34.584Z" + } + }, + { + "cve_id": "CVE-2024-4394", + "cve_year": "2024", + "owning_cna": "Xylem", + "requested_by": { + "cna": "Xylem", + "user": "mariesa.welcome@xylem.com" + }, + "reserved": "2024-05-01T16:09:23.346Z", + "state": "RESERVED", + "time": { + "created": "2024-05-01T16:09:23.347Z", + "modified": "2024-05-01T16:09:23.347Z" + } + }, + { + "cve_id": "CVE-2024-1486", + "cve_year": "2024", + "owning_cna": "GEHC", + "requested_by": { + "cna": "GEHC", + "user": "suraj.amasebail@gehealthcare.com" + }, + "reserved": "2024-02-13T22:34:57.386Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-13T22:34:57.387Z", + "modified": "2024-05-14T15:10:22.277Z" + } + }, + { + "cve_id": "CVE-2024-1628", + "cve_year": "2024", + "owning_cna": "GEHC", + "requested_by": { + "cna": "GEHC", + "user": "suraj.amasebail@gehealthcare.com" + }, + "reserved": "2024-02-19T15:23:20.113Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-19T15:23:20.114Z", + "modified": "2024-05-14T16:04:57.796Z" + } + }, + { + "cve_id": "CVE-2024-1629", + "cve_year": "2024", + "owning_cna": "GEHC", + "requested_by": { + "cna": "GEHC", + "user": "suraj.amasebail@gehealthcare.com" + }, + "reserved": "2024-02-19T15:23:21.436Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-19T15:23:21.437Z", + "modified": "2024-05-14T16:32:43.545Z" + } + }, + { + "cve_id": "CVE-2024-1630", + "cve_year": "2024", + "owning_cna": "GEHC", + "requested_by": { + "cna": "GEHC", + "user": "suraj.amasebail@gehealthcare.com" + }, + "reserved": "2024-02-19T15:28:03.794Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-19T15:28:03.794Z", + "modified": "2024-05-14T16:55:56.872Z" + } + }, + { + "cve_id": "CVE-2024-27106", + "cve_year": "2024", + "owning_cna": "GEHC", + "requested_by": { + "cna": "GEHC", + "user": "suraj.amasebail@gehealthcare.com" + }, + "reserved": "2024-02-19T15:22:56.572Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-19T15:22:56.574Z", + "modified": "2024-05-14T17:01:22.502Z" + } + }, + { + "cve_id": "CVE-2024-27107", + "cve_year": "2024", + "owning_cna": "GEHC", + "requested_by": { + "cna": "GEHC", + "user": "suraj.amasebail@gehealthcare.com" + }, + "reserved": "2024-02-19T15:22:56.572Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-19T15:22:56.574Z", + "modified": "2024-05-14T17:05:22.582Z" + } + }, + { + "cve_id": "CVE-2024-27108", + "cve_year": "2024", + "owning_cna": "GEHC", + "requested_by": { + "cna": "GEHC", + "user": "suraj.amasebail@gehealthcare.com" + }, + "reserved": "2024-02-19T15:22:56.572Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-19T15:22:56.574Z", + "modified": "2024-05-14T17:09:08.180Z" + } + }, + { + "cve_id": "CVE-2024-27109", + "cve_year": "2024", + "owning_cna": "GEHC", + "requested_by": { + "cna": "GEHC", + "user": "suraj.amasebail@gehealthcare.com" + }, + "reserved": "2024-02-19T15:22:56.573Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-19T15:22:56.574Z", + "modified": "2024-05-14T17:13:16.198Z" + } + }, + { + "cve_id": "CVE-2024-27110", + "cve_year": "2024", + "owning_cna": "GEHC", + "requested_by": { + "cna": "GEHC", + "user": "suraj.amasebail@gehealthcare.com" + }, + "reserved": "2024-02-19T15:22:56.573Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-19T15:22:56.574Z", + "modified": "2024-05-14T17:16:39.672Z" + } + }, + { + "cve_id": "CVE-2024-0876", + "cve_year": "2024", + "owning_cna": "GovTech CSG", + "requested_by": { + "cna": "GovTech CSG", + "user": "cve_disclosure@tech.gov.sg" + }, + "reserved": "2024-01-25T05:34:38.959Z", + "state": "RESERVED", + "time": { + "created": "2024-01-25T05:34:38.960Z", + "modified": "2024-01-25T05:34:38.960Z" + } + }, + { + "cve_id": "CVE-2024-4163", + "cve_year": "2024", + "owning_cna": "GovTech CSG", + "requested_by": { + "cna": "GovTech CSG", + "user": "cve_disclosure@tech.gov.sg" + }, + "reserved": "2024-04-25T02:38:12.253Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-25T02:38:12.253Z", + "modified": "2024-04-26T02:26:22.763Z" + } + }, + { + "cve_id": "CVE-2024-4225", + "cve_year": "2024", + "owning_cna": "GovTech CSG", + "requested_by": { + "cna": "GovTech CSG", + "user": "cve_disclosure@tech.gov.sg" + }, + "reserved": "2024-04-26T02:57:31.605Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-26T02:57:31.606Z", + "modified": "2024-04-30T06:47:30.886Z" + } + }, + { + "cve_id": "CVE-2010-10011", + "cve_year": "2010", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-01-11T12:47:38.235Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-11T12:47:38.236Z", + "modified": "2024-01-12T19:31:04.076Z" + } + }, + { + "cve_id": "CVE-2011-10005", + "cve_year": "2011", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-01-14T19:05:15.176Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-14T19:05:15.176Z", + "modified": "2024-01-16T08:00:05.866Z" + } + }, + { + "cve_id": "CVE-2011-10006", + "cve_year": "2011", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-04-07T09:40:51.546Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-07T09:40:51.546Z", + "modified": "2024-04-08T13:00:05.802Z" + } + }, + { + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "time": { + "created": "2023-02-18T12:59:37.930Z", + "modified": "2024-02-08T10:06:11.296Z" + }, + "cve_id": "CVE-2014-125087", + "cve_year": "2014", + "state": "PUBLISHED", + "owning_cna": "VulDB", + "reserved": "2023-02-18T12:59:37.929Z" + }, + { + "cve_id": "CVE-2014-125110", + "cve_year": "2014", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-03-30T11:23:38.901Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-30T11:23:38.902Z", + "modified": "2024-03-31T23:31:04.760Z" + } + }, + { + "cve_id": "CVE-2014-125111", + "cve_year": "2014", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-04-07T09:21:48.931Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-07T09:21:48.931Z", + "modified": "2024-04-08T13:00:07.736Z" + } + }, + { + "cve_id": "CVE-2015-10129", + "cve_year": "2015", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-02-02T13:35:39.022Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-02T13:35:39.022Z", + "modified": "2024-02-04T04:31:03.333Z" + } + }, + { + "cve_id": "CVE-2015-10131", + "cve_year": "2015", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-03-29T07:52:41.923Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-29T07:52:41.923Z", + "modified": "2024-03-31T06:00:04.347Z" + } + }, + { + "cve_id": "CVE-2015-10132", + "cve_year": "2015", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-04-20T15:08:00.791Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-20T15:08:00.792Z", + "modified": "2024-04-21T19:31:04.436Z" + } + }, + { + "cve_id": "CVE-2016-15037", + "cve_year": "2016", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-01-19T14:11:32.712Z", + "state": "PUBLISHED", + "time": { + "created": "2024-01-19T14:11:32.713Z", + "modified": "2024-01-21T05:00:04.975Z" + } + }, + { + "cve_id": "CVE-2016-15038", + "cve_year": "2016", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-03-30T08:07:17.252Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-30T08:07:17.252Z", + "modified": "2024-04-01T05:31:03.926Z" + } + }, + { + "cve_id": "CVE-2017-20191", + "cve_year": "2017", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-03-29T08:02:31.537Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-29T08:02:31.537Z", + "modified": "2024-03-31T08:31:04.285Z" + } + }, + { + "cve_id": "CVE-2018-25098", + "cve_year": "2018", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-02-03T10:41:23.723Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-03T10:41:23.724Z", + "modified": "2024-02-04T16:31:03.087Z" + } + }, + { + "cve_id": "CVE-2018-25101", + "cve_year": "2018", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-04-20T15:14:50.860Z", + "state": "PUBLISHED", + "time": { + "created": "2024-04-20T15:14:50.861Z", + "modified": "2024-04-22T01:31:03.762Z" + } + }, + { + "cve_id": "CVE-2019-25159", + "cve_year": "2019", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-02-02T13:41:43.602Z", + "state": "PUBLISHED", + "time": { + "created": "2024-02-02T13:41:43.603Z", + "modified": "2024-02-04T06:00:06.121Z" + } + }, + { + "cve_id": "CVE-2020-36825", + "cve_year": "2020", + "owning_cna": "VulDB", + "requested_by": { + "cna": "VulDB", + "user": "marc.ruef@vuldb.com" + }, + "reserved": "2024-03-23T09:40:01.841Z", + "state": "PUBLISHED", + "time": { + "created": "2024-03-23T09:40:01.842Z", + "modified": "2024-03-24T12:00:05.419Z" + } + } + ], + "totalCount": 28930, + "itemsPerPage": 500, + "pageCount": 58, + "currentPage": 2, + "prevPage": 1, + "nextPage": 3 +} \ No newline at end of file diff --git a/test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP555.json b/test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP555.json new file mode 100644 index 0000000..5c76ddf --- /dev/null +++ b/test/fixtures/adapters/cveservices/getAllCveIdsChangedInTimeFrameUnitTestDataP555.json @@ -0,0 +1,9 @@ +{ + "cve_ids": [], + "totalCount": 28930, + "itemsPerPage": 500, + "pageCount": 58, + "currentPage": 555, + "prevPage": 554, + "nextPage": null +} \ No newline at end of file diff --git a/test/fixtures/adapters/cveservices/getAllCvesChangedInTimeFrameUnitTestDataP1.json b/test/fixtures/adapters/cveservices/getAllCvesChangedInTimeFrameUnitTestDataP1.json new file mode 100644 index 0000000..dd6aa9e --- /dev/null +++ b/test/fixtures/adapters/cveservices/getAllCvesChangedInTimeFrameUnitTestDataP1.json @@ -0,0 +1,91602 @@ +{ + "cveRecords": [ + { + "containers": { + "cna": { + "title": "Microsoft Graphics Component Information Disclosure Vulnerability", + "datePublic": "2019-08-13T07:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1703", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1803", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1803:*:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1803:*:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server, version 1803 (Server Core Installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_1803:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1709 for 32-bit Systems", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1709", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1903 for 32-bit Systems", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1903 for x64-based Systems", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1903 for ARM64-based Systems", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server, version 1903 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_1903:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:itanium:*" + ], + "platforms": [ + "32-bit Systems", + "IA64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Systems Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:itanium:*" + ], + "platforms": [ + "IA64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "publication", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.\nAn authenticated attacker could exploit this vulnerability by running a specially crafted application.\nThe update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory.\n", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information Disclosure", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2024-05-29T16:50:44.376Z" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1078" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.5, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2024-06-03T15:16:38.948390Z", + "id": "CVE-2019-1078", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-06-03T15:17:18.285Z" + } + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2019-1078", + "datePublished": "2019-08-14T20:55:02", + "dateReserved": "2018-11-26T00:00:00", + "dateUpdated": "2024-06-03T15:17:18.285Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2021-44534", + "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", + "state": "PUBLISHED", + "assignerShortName": "hackerone", + "dateReserved": "2021-12-02T23:52:53.969Z", + "datePublished": "2024-05-31T17:40:31.559Z", + "dateUpdated": "2024-06-03T15:33:03.134Z" + }, + "containers": { + "cna": { + "descriptions": [ + { + "lang": "en", + "value": "Insufficient user input filtering leads to arbitrary file read by non-authenticated attacker, which results in sensitive information disclosure.\r\n" + } + ], + "affected": [ + { + "vendor": "ExpressionEngine", + "product": "ExpressionEngine", + "versions": [ + { + "version": "6.0.3", + "status": "affected", + "lessThan": "6.0.3", + "versionType": "semver" + }, + { + "version": "6.0.0", + "status": "unaffected", + "lessThan": "6.0.0", + "versionType": "semver" + } + ] + } + ], + "references": [ + { + "url": "https://hackerone.com/reports/1096043" + } + ], + "providerMetadata": { + "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", + "shortName": "hackerone", + "dateUpdated": "2024-05-31T17:40:31.559Z" + } + }, + "adp": [ + { + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "cweId": "CWE-200", + "lang": "en", + "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + } + ], + "affected": [ + { + "vendor": "expressionengine", + "product": "expressionengine", + "cpes": [ + "cpe:2.3:a:expressionengine:expressionengine:*:*:*:*:*:*:*:*" + ], + "defaultStatus": "unknown", + "versions": [ + { + "version": "*", + "status": "affected", + "lessThan": "6.0.3", + "versionType": "custom" + } + ] + }, + { + "vendor": "expressionengine", + "product": "expressionengine", + "cpes": [ + "cpe:2.3:a:expressionengine:expressionengine:*:*:*:*:*:*:*:*" + ], + "defaultStatus": "unknown", + "versions": [ + { + "version": "*", + "status": "unaffected", + "lessThan": "6.0.0", + "versionType": "custom" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "scope": "UNCHANGED", + "version": "3.1", + "baseScore": 6.5, + "attackVector": "NETWORK", + "baseSeverity": "MEDIUM", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "integrityImpact": "NONE", + "userInteraction": "NONE", + "attackComplexity": "LOW", + "availabilityImpact": "NONE", + "privilegesRequired": "LOW", + "confidentialityImpact": "HIGH" + } + }, + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2024-06-03T15:25:34.277497Z", + "id": "CVE-2021-44534", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-06-03T15:33:03.134Z" + } + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A validation issue was addressed with improved input sanitization. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing a maliciously crafted mail message may lead to running arbitrary javascript." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing a maliciously crafted mail message may lead to running arbitrary javascript", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-01T02:07:03", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213185" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213053" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213054" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213057" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213059" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213058" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213256" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213255" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "name": "GLSA-202208-39", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202208-39" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22589", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.2" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A validation issue was addressed with improved input sanitization. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing a maliciously crafted mail message may lead to running arbitrary javascript." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing a maliciously crafted mail message may lead to running arbitrary javascript" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/kb/HT213185", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213185" + }, + { + "name": "https://support.apple.com/en-us/HT213053", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213053" + }, + { + "name": "https://support.apple.com/en-us/HT213054", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213054" + }, + { + "name": "https://support.apple.com/en-us/HT213057", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213057" + }, + { + "name": "https://support.apple.com/en-us/HT213059", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213059" + }, + { + "name": "https://support.apple.com/en-us/HT213058", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213058" + }, + { + "name": "https://support.apple.com/kb/HT213256", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213256" + }, + { + "name": "https://support.apple.com/kb/HT213255", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213255" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "name": "GLSA-202208-39", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202208-39" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:36.926Z" + }, + "references": [ + { + "name": "Test (6901/24750) [3151/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22589" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22589", + "datePublished": "2022-03-18T17:59:18", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:36.926Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing maliciously crafted web content may lead to arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing maliciously crafted web content may lead to arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-01T02:07:01", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213053" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213054" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213057" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213059" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213058" + }, + { + "name": "GLSA-202208-39", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202208-39" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22590", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.2" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing maliciously crafted web content may lead to arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing maliciously crafted web content may lead to arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213053", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213053" + }, + { + "name": "https://support.apple.com/en-us/HT213054", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213054" + }, + { + "name": "https://support.apple.com/en-us/HT213057", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213057" + }, + { + "name": "https://support.apple.com/en-us/HT213059", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213059" + }, + { + "name": "https://support.apple.com/en-us/HT213058", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213058" + }, + { + "name": "GLSA-202208-39", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202208-39" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:37.290Z" + }, + "references": [ + { + "name": "Test (6902/24750) [3152/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22590" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22590", + "datePublished": "2022-03-18T17:59:20", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:37.290Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.2. A malicious application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:19", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213054" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22591", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.2" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.2. A malicious application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213054", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213054" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:37.637Z" + }, + "references": [ + { + "name": "Test (6903/24750) [3153/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22591" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22591", + "datePublished": "2022-03-18T17:59:19", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:37.637Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A logic issue was addressed with improved state management. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing maliciously crafted web content may prevent Content Security Policy from being enforced." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing maliciously crafted web content may prevent Content Security Policy from being enforced", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-01T02:06:58", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213053" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213054" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213057" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213059" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213058" + }, + { + "name": "GLSA-202208-39", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202208-39" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22592", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.2" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A logic issue was addressed with improved state management. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing maliciously crafted web content may prevent Content Security Policy from being enforced." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing maliciously crafted web content may prevent Content Security Policy from being enforced" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213053", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213053" + }, + { + "name": "https://support.apple.com/en-us/HT213054", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213054" + }, + { + "name": "https://support.apple.com/en-us/HT213057", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213057" + }, + { + "name": "https://support.apple.com/en-us/HT213059", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213059" + }, + { + "name": "https://support.apple.com/en-us/HT213058", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213058" + }, + { + "name": "GLSA-202208-39", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202208-39" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:37.970Z" + }, + "references": [ + { + "name": "Test (6904/24750) [3154/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22592" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22592", + "datePublished": "2022-03-18T17:59:24", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:37.970Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. A malicious application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:21", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213055" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213053" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213054" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213056" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213057" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213059" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22593", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.2" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. A malicious application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213055", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213055" + }, + { + "name": "https://support.apple.com/en-us/HT213053", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213053" + }, + { + "name": "https://support.apple.com/en-us/HT213054", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213054" + }, + { + "name": "https://support.apple.com/en-us/HT213056", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213056" + }, + { + "name": "https://support.apple.com/en-us/HT213057", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213057" + }, + { + "name": "https://support.apple.com/en-us/HT213059", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213059" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:38.380Z" + }, + "references": [ + { + "name": "Test (6905/24750) [3155/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22593" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22593", + "datePublished": "2022-03-18T17:59:21", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:38.380Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A cross-origin issue in the IndexDB API was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. A website may be able to track sensitive user information." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A website may be able to track sensitive user information", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:23", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213053" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213054" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213057" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213059" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213058" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22594", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.2" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A cross-origin issue in the IndexDB API was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. A website may be able to track sensitive user information." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A website may be able to track sensitive user information" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213053", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213053" + }, + { + "name": "https://support.apple.com/en-us/HT213054", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213054" + }, + { + "name": "https://support.apple.com/en-us/HT213057", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213057" + }, + { + "name": "https://support.apple.com/en-us/HT213059", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213059" + }, + { + "name": "https://support.apple.com/en-us/HT213058", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213058" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:38.716Z" + }, + "references": [ + { + "name": "Test (6906/24750) [3156/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22594" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22594", + "datePublished": "2022-03-18T17:59:23", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:38.716Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A memory corruption issue was addressed with improved validation. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4. An application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:21", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22596", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A memory corruption issue was addressed with improved validation. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4. An application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:39.031Z" + }, + "references": [ + { + "name": "Test (6907/24750) [3157/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22596" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22596", + "datePublished": "2022-03-18T17:59:21", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:39.031Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A memory corruption issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. Processing a maliciously crafted file may lead to arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing a maliciously crafted file may lead to arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:25", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22597", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A memory corruption issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. Processing a maliciously crafted file may lead to arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing a maliciously crafted file may lead to arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:39.376Z" + }, + "references": [ + { + "name": "Test (6908/24750) [3158/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22597" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22597", + "datePublished": "2022-03-18T17:59:25", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:39.376Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 15.4 and iPadOS 15.4. An app may be able to learn information about the current camera view before being granted camera access." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An app may be able to learn information about the current camera view before being granted camera access", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:22", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22598", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 15.4 and iPadOS 15.4. An app may be able to learn information about the current camera view before being granted camera access." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An app may be able to learn information about the current camera view before being granted camera access" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:39.700Z" + }, + "references": [ + { + "name": "Test (6909/24750) [3159/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22598" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22598", + "datePublished": "2022-03-18T17:59:22", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:39.700Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Description: A permissions issue was addressed with improved validation. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:26", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22599", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Description: A permissions issue was addressed with improved validation. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:40.013Z" + }, + "references": [ + { + "name": "Test (6910/24750) [3160/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22599" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22599", + "datePublished": "2022-03-18T17:59:26", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:40.013Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The issue was addressed with improved permissions logic. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3, watchOS 8.5. A malicious application may be able to bypass certain Privacy preferences." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious application may be able to bypass certain Privacy preferences", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:25", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22600", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The issue was addressed with improved permissions logic. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3, watchOS 8.5. A malicious application may be able to bypass certain Privacy preferences." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious application may be able to bypass certain Privacy preferences" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:40.346Z" + }, + "references": [ + { + "name": "Test (6911/24750) [3161/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22600" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22600", + "datePublished": "2022-03-18T17:59:26", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:40.346Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Xcode", + "vendor": "Apple", + "versions": [ + { + "lessThan": "13.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:29", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213189" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22601", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Xcode", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "13.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213189", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213189" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:40.673Z" + }, + "references": [ + { + "name": "Test (6912/24750) [3162/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22601" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22601", + "datePublished": "2022-03-18T17:59:29", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:40.673Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Xcode", + "vendor": "Apple", + "versions": [ + { + "lessThan": "13.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:28", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213189" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22602", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Xcode", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "13.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213189", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213189" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:40.989Z" + }, + "references": [ + { + "name": "Test (6913/24750) [3163/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22602" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22602", + "datePublished": "2022-03-18T17:59:28", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:40.989Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Xcode", + "vendor": "Apple", + "versions": [ + { + "lessThan": "13.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:30", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213189" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22603", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Xcode", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "13.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213189", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213189" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:41.317Z" + }, + "references": [ + { + "name": "Test (6914/24750) [3164/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22603" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22603", + "datePublished": "2022-03-18T17:59:30", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:41.317Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Xcode", + "vendor": "Apple", + "versions": [ + { + "lessThan": "13.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:27", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213189" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22604", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Xcode", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "13.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213189", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213189" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:41.659Z" + }, + "references": [ + { + "name": "Test (6915/24750) [3165/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22604" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22604", + "datePublished": "2022-03-18T17:59:27", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:41.659Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Xcode", + "vendor": "Apple", + "versions": [ + { + "lessThan": "13.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:32", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213189" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22605", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Xcode", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "13.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213189", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213189" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:41.986Z" + }, + "references": [ + { + "name": "Test (6916/24750) [3166/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22605" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22605", + "datePublished": "2022-03-18T17:59:32", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:41.986Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Xcode", + "vendor": "Apple", + "versions": [ + { + "lessThan": "13.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:29", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213189" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22606", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Xcode", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "13.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213189", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213189" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:42.320Z" + }, + "references": [ + { + "name": "Test (6917/24750) [3167/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22606" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22606", + "datePublished": "2022-03-18T17:59:29", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:42.320Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Xcode", + "vendor": "Apple", + "versions": [ + { + "lessThan": "13.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:33", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213189" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22607", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Xcode", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "13.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213189", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213189" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:42.627Z" + }, + "references": [ + { + "name": "Test (6918/24750) [3168/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22607" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22607", + "datePublished": "2022-03-18T17:59:33", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:42.627Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Xcode", + "vendor": "Apple", + "versions": [ + { + "lessThan": "13.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:31", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213189" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22608", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Xcode", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "13.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213189", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213189" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:42.937Z" + }, + "references": [ + { + "name": "Test (6919/24750) [3169/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22608" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22608", + "datePublished": "2022-03-18T17:59:31", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:42.937Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The issue was addressed with additional permissions checks. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3, watchOS 8.5. A malicious application may be able to read other applications' settings." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious application may be able to read other applications' settings", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:37", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22609", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The issue was addressed with additional permissions checks. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3, watchOS 8.5. A malicious application may be able to read other applications' settings." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious application may be able to read other applications' settings" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:43.288Z" + }, + "references": [ + { + "name": "Test (6920/24750) [3170/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22609" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22609", + "datePublished": "2022-03-18T17:59:37", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:43.288Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Safari", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing maliciously crafted web content may lead to code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-23T18:58:30", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213187" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22610", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Safari", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing maliciously crafted web content may lead to code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213187", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213187" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:43.629Z" + }, + "references": [ + { + "name": "Test (6921/24750) [3171/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22610" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22610", + "datePublished": "2022-09-23T18:58:30", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:43.629Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.12", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved input validation. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, iTunes 12.12.3 for Windows, watchOS 8.5, macOS Monterey 12.3. Processing a maliciously crafted image may lead to arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing a maliciously crafted image may lead to arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:34", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213188" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22611", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.12" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved input validation. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, iTunes 12.12.3 for Windows, watchOS 8.5, macOS Monterey 12.3. Processing a maliciously crafted image may lead to arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing a maliciously crafted image may lead to arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213188", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213188" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:43.963Z" + }, + "references": [ + { + "name": "Test (6922/24750) [3172/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22611" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22611", + "datePublished": "2022-03-18T17:59:34", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:43.963Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.12", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A memory consumption issue was addressed with improved memory handling. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, iTunes 12.12.3 for Windows, watchOS 8.5, macOS Monterey 12.3. Processing a maliciously crafted image may lead to heap corruption." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing a maliciously crafted image may lead to heap corruption", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:39", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213188" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22612", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.12" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A memory consumption issue was addressed with improved memory handling. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, iTunes 12.12.3 for Windows, watchOS 8.5, macOS Monterey 12.3. Processing a maliciously crafted image may lead to heap corruption." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing a maliciously crafted image may lead to heap corruption" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213188", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213188" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:44.530Z" + }, + "references": [ + { + "name": "Test (6923/24750) [3173/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22612" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22612", + "datePublished": "2022-03-18T17:59:39", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:44.530Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, Security Update 2022-003 Catalina, watchOS 8.5, macOS Monterey 12.3. An application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:35", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22613", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, Security Update 2022-003 Catalina, watchOS 8.5, macOS Monterey 12.3. An application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:44.877Z" + }, + "references": [ + { + "name": "Test (6924/24750) [3174/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22613" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22613", + "datePublished": "2022-03-18T17:59:35", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:44.877Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, Security Update 2022-003 Catalina, watchOS 8.5, macOS Monterey 12.3. An application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:38", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22614", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, Security Update 2022-003 Catalina, watchOS 8.5, macOS Monterey 12.3. An application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:45.256Z" + }, + "references": [ + { + "name": "Test (6925/24750) [3175/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22614" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22614", + "datePublished": "2022-03-18T17:59:38", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:45.256Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, Security Update 2022-003 Catalina, watchOS 8.5, macOS Monterey 12.3. An application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:36", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22615", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, Security Update 2022-003 Catalina, watchOS 8.5, macOS Monterey 12.3. An application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:45.586Z" + }, + "references": [ + { + "name": "Test (6926/24750) [3176/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22615" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22615", + "datePublished": "2022-03-18T17:59:36", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:45.586Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with improved checks. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. A maliciously crafted ZIP archive may bypass Gatekeeper checks." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A maliciously crafted ZIP archive may bypass Gatekeeper checks", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-26T17:38:59", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22616", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was addressed with improved checks. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. A maliciously crafted ZIP archive may bypass Gatekeeper checks." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A maliciously crafted ZIP archive may bypass Gatekeeper checks" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:45.903Z" + }, + "references": [ + { + "name": "Test (6927/24750) [3177/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22616" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22616", + "datePublished": "2022-05-26T17:38:59", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:45.903Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. An application may be able to gain elevated privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to gain elevated privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-06T22:06:50", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213257" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22617", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. An application may be able to gain elevated privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to gain elevated privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + }, + { + "name": "https://support.apple.com/kb/HT213257", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213257" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:46.240Z" + }, + "references": [ + { + "name": "Test (6928/24750) [3178/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22617" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22617", + "datePublished": "2022-03-18T17:59:36", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:46.240Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with improved checks. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4. A user may be able to bypass the Emergency SOS passcode prompt." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A user may be able to bypass the Emergency SOS passcode prompt", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:41", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22618", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was addressed with improved checks. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4. A user may be able to bypass the Emergency SOS passcode prompt." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A user may be able to bypass the Emergency SOS passcode prompt" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:46.587Z" + }, + "references": [ + { + "name": "Test (6929/24750) [3179/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22618" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22618", + "datePublished": "2022-03-18T17:59:41", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:46.587Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Safari (v and )", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-01T02:06:59", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213091" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213092" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213093" + }, + { + "name": "GLSA-202208-39", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202208-39" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22620", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Safari (v and )", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.2" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213091", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213091" + }, + { + "name": "https://support.apple.com/en-us/HT213092", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213092" + }, + { + "name": "https://support.apple.com/en-us/HT213093", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213093" + }, + { + "name": "GLSA-202208-39", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202208-39" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-02-11", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2022-02-11T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22620 added to KEV" + }, + { + "time": "2022-02-11T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22620 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:37:03.128Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:46.935Z" + }, + "references": [ + { + "name": "Test (6930/24750) [3180/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22620" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22620", + "datePublished": "2022-03-18T17:59:40", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:46.935Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with improved checks. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3, watchOS 8.5. A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:46", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22621", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was addressed with improved checks. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3, watchOS 8.5. A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:47.340Z" + }, + "references": [ + { + "name": "Test (6931/24750) [3181/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22621" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22621", + "datePublished": "2022-03-18T17:59:46", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:47.340Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with improved checks. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:42", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22622", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was addressed with improved checks. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:47.680Z" + }, + "references": [ + { + "name": "Test (6932/24750) [3182/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22622" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22622", + "datePublished": "2022-03-18T17:59:42", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:47.680Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Safari", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.3, iOS 15.4 and iPadOS 15.4, tvOS 15.4, Safari 15.4. Processing maliciously crafted web content may lead to arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing maliciously crafted web content may lead to arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-23T18:58:30", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213187" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22624", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Safari", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.3, iOS 15.4 and iPadOS 15.4, tvOS 15.4, Safari 15.4. Processing maliciously crafted web content may lead to arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing maliciously crafted web content may lead to arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213187", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213187" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:48.476Z" + }, + "references": [ + { + "name": "Test (6934/24750) [3184/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22624" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22624", + "datePublished": "2022-09-23T18:58:30", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:48.476Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:42", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22625", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:48.788Z" + }, + "references": [ + { + "name": "Test (6935/24750) [3185/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22625" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22625", + "datePublished": "2022-03-18T17:59:42", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:48.788Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:45", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22626", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:49.102Z" + }, + "references": [ + { + "name": "Test (6936/24750) [3186/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22626" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22626", + "datePublished": "2022-03-18T17:59:45", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:49.102Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:43", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22627", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:49.428Z" + }, + "references": [ + { + "name": "Test (6937/24750) [3187/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22627" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22627", + "datePublished": "2022-03-18T17:59:43", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:49.428Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Safari", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing maliciously crafted web content may lead to arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-23T18:58:31", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213187" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22628", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Safari", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing maliciously crafted web content may lead to arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213187", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213187" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:49.744Z" + }, + "references": [ + { + "name": "Test (6938/24750) [3188/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22628" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22628", + "datePublished": "2022-09-23T18:58:31", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:49.744Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Safari", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.12", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.12", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iTunes 12.12.3 for Windows, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing maliciously crafted web content may lead to arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-23T19:02:49", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213188" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213187" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22629", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Safari", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.12" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.12" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iTunes 12.12.3 for Windows, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing maliciously crafted web content may lead to arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213188", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213188" + }, + { + "name": "https://support.apple.com/en-us/HT213187", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213187" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:50.060Z" + }, + "references": [ + { + "name": "Test (6939/24750) [3189/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22629" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22629", + "datePublished": "2022-09-23T19:02:49", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:50.060Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22630", + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "dateUpdated": "2024-06-03T14:53:50.408Z", + "dateReserved": "2022-01-05T00:00:00", + "datePublished": "2023-06-23T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple", + "dateUpdated": "2023-06-23T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.6.6, macOS Monterey 12.3, Security Update 2022-004 Catalina. A remote user may cause an unexpected app termination or arbitrary code execution" + } + ], + "affected": [ + { + "vendor": "Apple", + "product": "macOS", + "versions": [ + { + "version": "unspecified", + "lessThan": "11.6", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Apple", + "product": "macOS", + "versions": [ + { + "version": "unspecified", + "lessThan": "12.3", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Apple", + "product": "macOS", + "versions": [ + { + "version": "unspecified", + "lessThan": "2022", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "url": "https://support.apple.com/en-us/HT213255" + }, + { + "url": "https://support.apple.com/en-us/HT213256" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "A remote user may cause an unexpected app termination or arbitrary code execution" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:50.408Z" + }, + "references": [ + { + "name": "Test (6940/24750) [3190/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22630" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. An application may be able to gain elevated privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to gain elevated privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:48", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22631", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. An application may be able to gain elevated privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to gain elevated privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:50.724Z" + }, + "references": [ + { + "name": "Test (6941/24750) [3191/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22631" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22631", + "datePublished": "2022-03-18T17:59:48", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:50.724Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A logic issue was addressed with improved state management. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, watchOS 8.5, macOS Monterey 12.3. A malicious application may be able to elevate privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious application may be able to elevate privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:47", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22632", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A logic issue was addressed with improved state management. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, watchOS 8.5, macOS Monterey 12.3. A malicious application may be able to elevate privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious application may be able to elevate privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:51.063Z" + }, + "references": [ + { + "name": "Test (6942/24750) [3192/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22632" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22632", + "datePublished": "2022-03-18T17:59:47", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:51.063Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-26T02:06:13", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22633", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/kb/HT213186", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:51.419Z" + }, + "references": [ + { + "name": "Test (6943/24750) [3193/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22633" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22633", + "datePublished": "2022-03-18T17:59:51", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:51.419Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A buffer overflow was addressed with improved bounds checking. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4. A malicious application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:46", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22634", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A buffer overflow was addressed with improved bounds checking. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4. A malicious application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:51.731Z" + }, + "references": [ + { + "name": "Test (6944/24750) [3194/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22634" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22634", + "datePublished": "2022-03-18T17:59:46", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:51.731Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4. An application may be able to gain elevated privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to gain elevated privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:51", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22635", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4. An application may be able to gain elevated privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to gain elevated privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:52.039Z" + }, + "references": [ + { + "name": "Test (6945/24750) [3195/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22635" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22635", + "datePublished": "2022-03-18T17:59:51", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:52.039Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4. An application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:49", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22636", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4. An application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:52.348Z" + }, + "references": [ + { + "name": "Test (6946/24750) [3196/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22636" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22636", + "datePublished": "2022-03-18T17:59:49", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:52.348Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Safari", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A logic issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iOS 15.4 and iPadOS 15.4, tvOS 15.4. A malicious website may cause unexpected cross-origin behavior." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious website may cause unexpected cross-origin behavior", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-23T18:58:30", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213187" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22637", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Safari", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A logic issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iOS 15.4 and iPadOS 15.4, tvOS 15.4. A malicious website may cause unexpected cross-origin behavior." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious website may cause unexpected cross-origin behavior" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213187", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213187" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:52.681Z" + }, + "references": [ + { + "name": "Test (6947/24750) [3197/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22637" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22637", + "datePublished": "2022-09-23T18:58:30", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:52.681Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A null pointer dereference was addressed with improved validation. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, Security Update 2022-003 Catalina, watchOS 8.5, macOS Monterey 12.3. An attacker in a privileged position may be able to perform a denial of service attack." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An attacker in a privileged position may be able to perform a denial of service attack", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:55", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22638", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A null pointer dereference was addressed with improved validation. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, Security Update 2022-003 Catalina, watchOS 8.5, macOS Monterey 12.3. An attacker in a privileged position may be able to perform a denial of service attack." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An attacker in a privileged position may be able to perform a denial of service attack" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:52.987Z" + }, + "references": [ + { + "name": "Test (6948/24750) [3198/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22638" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22638", + "datePublished": "2022-03-18T17:59:55", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:52.987Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A logic issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3. An application may be able to gain elevated privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to gain elevated privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:50", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22639", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A logic issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3. An application may be able to gain elevated privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to gain elevated privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:53.338Z" + }, + "references": [ + { + "name": "Test (6949/24750) [3199/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22639" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22639", + "datePublished": "2022-03-18T17:59:50", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:53.338Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A memory corruption issue was addressed with improved validation. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3, watchOS 8.5. An application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:53", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22640", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A memory corruption issue was addressed with improved validation. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3, watchOS 8.5. An application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:53.654Z" + }, + "references": [ + { + "name": "Test (6950/24750) [3200/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22640" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22640", + "datePublished": "2022-03-18T17:59:53", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:53.654Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3. An application may be able to gain elevated privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to gain elevated privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:52", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22641", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3. An application may be able to gain elevated privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to gain elevated privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:53.966Z" + }, + "references": [ + { + "name": "Test (6951/24750) [3201/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22641" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22641", + "datePublished": "2022-03-18T17:59:52", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:53.966Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with improved checks. This issue is fixed in iOS 15.4 and iPadOS 15.4. A user may be able to bypass the Emergency SOS passcode prompt." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A user may be able to bypass the Emergency SOS passcode prompt", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:59", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22642", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was addressed with improved checks. This issue is fixed in iOS 15.4 and iPadOS 15.4. A user may be able to bypass the Emergency SOS passcode prompt." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A user may be able to bypass the Emergency SOS passcode prompt" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:54.280Z" + }, + "references": [ + { + "name": "Test (6952/24750) [3202/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22642" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22642", + "datePublished": "2022-03-18T17:59:59", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:54.280Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22643", + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "dateUpdated": "2024-06-03T14:53:54.594Z", + "dateReserved": "2022-01-05T00:00:00", + "datePublished": "2022-03-18T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple", + "dateUpdated": "2023-03-17T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with improved checks. This issue is fixed in iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3. A user may send audio and video in a FaceTime call without knowing that they have done so." + } + ], + "affected": [ + { + "vendor": "Apple", + "product": "iOS and iPadOS", + "versions": [ + { + "version": "unspecified", + "lessThan": "15.4", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Apple", + "product": "macOS", + "versions": [ + { + "version": "unspecified", + "lessThan": "12.3", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "url": "https://support.apple.com/kb/HT213446" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "A user may send audio and video in a FaceTime call without knowing that they have done so" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:54.594Z" + }, + "references": [ + { + "name": "Test (6953/24750) [3203/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22643" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A privacy issue existed in the handling of Contact cards. This was addressed with improved state management. This issue is fixed in macOS Monterey 12.3. A malicious application may be able to access information about a user's contacts." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious application may be able to access information about a user's contacts", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:58", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22644", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A privacy issue existed in the handling of Contact cards. This was addressed with improved state management. This issue is fixed in macOS Monterey 12.3. A malicious application may be able to access information about a user's contacts." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious application may be able to access information about a user's contacts" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:54.903Z" + }, + "references": [ + { + "name": "Test (6954/24750) [3204/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22644" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22644", + "datePublished": "2022-03-18T17:59:58", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:54.903Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-22646", + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "state": "PUBLISHED", + "assignerShortName": "apple", + "dateReserved": "2022-01-05T02:15:21.921Z", + "datePublished": "2023-08-14T22:40:45.183Z", + "dateUpdated": "2024-06-03T14:53:55.427Z" + }, + "containers": { + "cna": { + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "A malicious application may be able to modify protected parts of the file system" + } + ] + } + ], + "affected": [ + { + "vendor": "Apple", + "product": "macOS", + "versions": [ + { + "version": "unspecified", + "status": "affected", + "lessThan": "12.2", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Monterey 12.2. A malicious application may be able to modify protected parts of the file system." + } + ], + "references": [ + { + "url": "https://support.apple.com/en-us/HT213054" + } + ], + "providerMetadata": { + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple", + "dateUpdated": "2023-08-14T22:40:45.183Z" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:55.427Z" + }, + "references": [ + { + "name": "Test (6956/24750) [3206/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22646" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A person with access to a Mac may be able to bypass Login Window." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A person with access to a Mac may be able to bypass Login Window", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:56", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22647", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A person with access to a Mac may be able to bypass Login Window." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A person with access to a Mac may be able to bypass Login Window" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:55.740Z" + }, + "references": [ + { + "name": "Test (6957/24750) [3207/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22647" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22647", + "datePublished": "2022-03-18T17:59:56", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:55.740Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. An application may be able to read restricted memory." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to read restricted memory", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:01", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22648", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. An application may be able to read restricted memory." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to read restricted memory" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:56.049Z" + }, + "references": [ + { + "name": "Test (6958/24750) [3208/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22648" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22648", + "datePublished": "2022-03-18T18:00:02", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:56.049Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A plug-in may be able to inherit the application's permissions and access user data." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A plug-in may be able to inherit the application's permissions and access user data", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:56", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22650", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A plug-in may be able to inherit the application's permissions and access user data." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A plug-in may be able to inherit the application's permissions and access user data" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:56.647Z" + }, + "references": [ + { + "name": "Test (6960/24750) [3210/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22650" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22650", + "datePublished": "2022-03-18T17:59:56", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:56.647Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Monterey 12.3. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A remote attacker may be able to cause unexpected system termination or corrupt kernel memory", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-26T05:06:57", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22651", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Monterey 12.3. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A remote attacker may be able to cause unexpected system termination or corrupt kernel memory" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/kb/HT213184", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:56.975Z" + }, + "references": [ + { + "name": "Test (6961/24750) [3211/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22651" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22651", + "datePublished": "2022-03-18T18:00:12", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:56.975Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A person with physical access may be able to view and modify the carrier account information and settings from the lock screen", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T17:59:57", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22652", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A person with physical access may be able to view and modify the carrier account information and settings from the lock screen" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:57.285Z" + }, + "references": [ + { + "name": "Test (6962/24750) [3212/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22652" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22652", + "datePublished": "2022-03-18T17:59:57", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:57.285Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A logic issue was addressed with improved restrictions. This issue is fixed in iOS 15.4 and iPadOS 15.4. A malicious website may be able to access information about the user and their devices." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious website may be able to access information about the user and their devices", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:10", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22653", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A logic issue was addressed with improved restrictions. This issue is fixed in iOS 15.4 and iPadOS 15.4. A malicious website may be able to access information about the user and their devices." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious website may be able to access information about the user and their devices" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:57.604Z" + }, + "references": [ + { + "name": "Test (6963/24750) [3213/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22653" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22653", + "datePublished": "2022-03-18T18:00:10", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:57.604Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Safari", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A user interface issue was addressed. This issue is fixed in watchOS 8.5, Safari 15.4. Visiting a malicious website may lead to address bar spoofing." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Visiting a malicious website may lead to address bar spoofing", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:00", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213187" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22654", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Safari", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A user interface issue was addressed. This issue is fixed in watchOS 8.5, Safari 15.4. Visiting a malicious website may lead to address bar spoofing." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Visiting a malicious website may lead to address bar spoofing" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213187", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213187" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:57.903Z" + }, + "references": [ + { + "name": "Test (6964/24750) [3214/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22654" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22654", + "datePublished": "2022-03-18T18:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:57.903Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-22655", + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "state": "PUBLISHED", + "assignerShortName": "apple", + "dateReserved": "2022-01-05T02:15:21.928Z", + "datePublished": "2023-08-14T22:40:36.933Z", + "dateUpdated": "2024-06-03T14:53:58.208Z" + }, + "containers": { + "cna": { + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "description": "An app may be able to leak sensitive user information" + } + ] + } + ], + "affected": [ + { + "vendor": "Apple", + "product": "macOS", + "versions": [ + { + "version": "unspecified", + "status": "affected", + "lessThan": "12.3", + "versionType": "custom" + } + ] + }, + { + "vendor": "Apple", + "product": "iOS and iPadOS", + "versions": [ + { + "version": "unspecified", + "status": "affected", + "lessThan": "15.4", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An access issue was addressed with improvements to the sandbox. This issue is fixed in macOS Monterey 12.3, iOS 15.4 and iPadOS 15.4. An app may be able to leak sensitive user information." + } + ], + "references": [ + { + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "url": "https://support.apple.com/en-us/HT213182" + } + ], + "providerMetadata": { + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple", + "dateUpdated": "2023-08-14T22:40:36.933Z" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:58.208Z" + }, + "references": [ + { + "name": "Test (6965/24750) [3215/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22655" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:11", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22656", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A local attacker may be able to view the previous logged in user’s desktop from the fast user switching screen" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:58.525Z" + }, + "references": [ + { + "name": "Test (6966/24750) [3216/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22656" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22656", + "datePublished": "2022-03-18T18:00:11", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:58.525Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "10.7", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "10.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A memory initialization issue was addressed with improved memory handling. This issue is fixed in Logic Pro 10.7.3, GarageBand 10.4.6, macOS Monterey 12.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:07", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213190" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213191" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22657", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "10.7" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "10.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A memory initialization issue was addressed with improved memory handling. This issue is fixed in Logic Pro 10.7.3, GarageBand 10.4.6, macOS Monterey 12.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213190", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213190" + }, + { + "name": "https://support.apple.com/en-us/HT213191", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213191" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:58.828Z" + }, + "references": [ + { + "name": "Test (6967/24750) [3217/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22657" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22657", + "datePublished": "2022-03-18T18:00:07", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:58.828Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22658", + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "dateUpdated": "2024-06-03T14:53:59.157Z", + "dateReserved": "2022-01-05T00:00:00", + "datePublished": "2022-11-01T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple", + "dateUpdated": "2022-11-01T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "An input validation issue was addressed with improved input validation. This issue is fixed in iOS 16.0.3. Processing a maliciously crafted email message may lead to a denial-of-service." + } + ], + "affected": [ + { + "vendor": "Apple", + "product": "iOS", + "versions": [ + { + "version": "unspecified", + "lessThan": "16.0", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://support.apple.com/en-us/HT213480" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Processing a maliciously crafted email message may lead to a denial-of-service" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:59.157Z" + }, + "references": [ + { + "name": "Test (6968/24750) [3218/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22658" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A logic issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4. An attacker in a privileged network position may be able to leak sensitive user information." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An attacker in a privileged network position may be able to leak sensitive user information", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:18", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22659", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A logic issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4. An attacker in a privileged network position may be able to leak sensitive user information." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An attacker in a privileged network position may be able to leak sensitive user information" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:59.520Z" + }, + "references": [ + { + "name": "Test (6969/24750) [3219/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22659" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22659", + "datePublished": "2022-03-18T18:00:18", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:59.520Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with a new entitlement. This issue is fixed in macOS Monterey 12.3. An app may be able to spoof system notifications and UI." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An app may be able to spoof system notifications and UI", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:05", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22660", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was addressed with a new entitlement. This issue is fixed in macOS Monterey 12.3. An app may be able to spoof system notifications and UI." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An app may be able to spoof system notifications and UI" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:53:59.858Z" + }, + "references": [ + { + "name": "Test (6970/24750) [3220/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22660" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22660", + "datePublished": "2022-03-18T18:00:05", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:53:59.858Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A type confusion issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. An application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:16", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22661", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A type confusion issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. An application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:00.251Z" + }, + "references": [ + { + "name": "Test (6971/24750) [3221/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22661" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22661", + "datePublished": "2022-03-18T18:00:16", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:00.251Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A cookie management issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Big Sur 11.6.5. Processing maliciously crafted web content may disclose sensitive user information." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing maliciously crafted web content may disclose sensitive user information", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-01T02:06:57", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + }, + { + "name": "[oss-security] 20220705 WebKitGTK and WPE WebKit Security Advisory WSA-2022-0006", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/07/05/3" + }, + { + "name": "FEDORA-2022-fdb75e7766", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANNHXXARVBRGI74TVQNZOAG6P7AGSMUJ/" + }, + { + "name": "FEDORA-2022-6b749525f3", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33BWWAQLLBHKGSI332ZZCORTFZ2XLOIH/" + }, + { + "name": "GLSA-202208-39", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202208-39" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22662", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A cookie management issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Big Sur 11.6.5. Processing maliciously crafted web content may disclose sensitive user information." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing maliciously crafted web content may disclose sensitive user information" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + }, + { + "name": "[oss-security] 20220705 WebKitGTK and WPE WebKit Security Advisory WSA-2022-0006", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/07/05/3" + }, + { + "name": "FEDORA-2022-fdb75e7766", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANNHXXARVBRGI74TVQNZOAG6P7AGSMUJ/" + }, + { + "name": "FEDORA-2022-6b749525f3", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33BWWAQLLBHKGSI332ZZCORTFZ2XLOIH/" + }, + { + "name": "GLSA-202208-39", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202208-39" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:00.566Z" + }, + "references": [ + { + "name": "Test (6972/24750) [3222/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22662" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22662", + "datePublished": "2022-05-26T17:40:10", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:00.566Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in iOS 15.4 and iPadOS 15.4, Security Update 2022-004 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.6. A malicious application may bypass Gatekeeper checks." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious application may bypass Gatekeeper checks", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-26T17:41:12", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213255" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213256" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22663", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in iOS 15.4 and iPadOS 15.4, Security Update 2022-004 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.6. A malicious application may bypass Gatekeeper checks." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious application may bypass Gatekeeper checks" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213255", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213255" + }, + { + "name": "https://support.apple.com/en-us/HT213256", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213256" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:00.889Z" + }, + "references": [ + { + "name": "Test (6973/24750) [3223/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22663" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22663", + "datePublished": "2022-05-26T17:41:12", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:00.889Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "10.7", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "10.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Logic Pro 10.7.3, GarageBand 10.4.6, macOS Monterey 12.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:09", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213190" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213191" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22664", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "10.7" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "10.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Logic Pro 10.7.3, GarageBand 10.4.6, macOS Monterey 12.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213190", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213190" + }, + { + "name": "https://support.apple.com/en-us/HT213191", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213191" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:01.202Z" + }, + "references": [ + { + "name": "Test (6974/24750) [3224/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22664" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22664", + "datePublished": "2022-03-18T18:00:09", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:01.202Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A logic issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.3. A malicious application may be able to gain root privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious application may be able to gain root privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-26T05:06:55", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213185" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213256" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213255" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/35" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22665", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A logic issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.3. A malicious application may be able to gain root privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious application may be able to gain root privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/kb/HT213185", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213185" + }, + { + "name": "https://support.apple.com/kb/HT213184", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/kb/HT213256", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213256" + }, + { + "name": "https://support.apple.com/kb/HT213255", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213255" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/35" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:01.536Z" + }, + "references": [ + { + "name": "Test (6975/24750) [3225/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22665" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22665", + "datePublished": "2022-03-18T18:00:13", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:01.536Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A memory corruption issue was addressed with improved validation. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, watchOS 8.5. Processing a maliciously crafted image may lead to heap corruption." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing a maliciously crafted image may lead to heap corruption", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-12T17:06:15", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/167144/AppleVideoDecoder-CreateHeaderBuffer-Out-Of-Bounds-Free.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22666", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A memory corruption issue was addressed with improved validation. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, watchOS 8.5. Processing a maliciously crafted image may lead to heap corruption." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing a maliciously crafted image may lead to heap corruption" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + }, + { + "name": "http://packetstormsecurity.com/files/167144/AppleVideoDecoder-CreateHeaderBuffer-Out-Of-Bounds-Free.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/167144/AppleVideoDecoder-CreateHeaderBuffer-Out-Of-Bounds-Free.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:01.856Z" + }, + "references": [ + { + "name": "Test (6976/24750) [3226/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22666" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22666", + "datePublished": "2022-03-18T18:00:12", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:01.856Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.4 and iPadOS 15.4. An application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:17", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22667", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.4 and iPadOS 15.4. An application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:02.185Z" + }, + "references": [ + { + "name": "Test (6977/24750) [3227/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22667" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22667", + "datePublished": "2022-03-18T18:00:17", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:02.185Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22668", + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "dateUpdated": "2024-06-03T14:54:02.543Z", + "dateReserved": "2022-01-05T00:00:00", + "datePublished": "2023-02-27T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple", + "dateUpdated": "2023-02-27T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A logic issue was addressed with improved restrictions. This issue is fixed in iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3. A malicious application may be able to leak sensitive user information." + } + ], + "affected": [ + { + "vendor": "Apple", + "product": "macOS", + "versions": [ + { + "version": "unspecified", + "lessThan": "12.3", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Apple", + "product": "macOS", + "versions": [ + { + "version": "unspecified", + "lessThan": "15.4", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Apple", + "product": "macOS", + "versions": [ + { + "version": "unspecified", + "lessThan": "15.4", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "url": "https://support.apple.com/en-us/HT213183" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "A malicious application may be able to leak sensitive user information" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:02.543Z" + }, + "references": [ + { + "name": "Test (6978/24750) [3228/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22668" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.3. An application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:14", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22669", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.3. An application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:02.856Z" + }, + "references": [ + { + "name": "Test (6979/24750) [3229/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22669" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22669", + "datePublished": "2022-03-18T18:00:14", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:02.856Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "tvOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An access issue was addressed with improved access restrictions. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, watchOS 8.5. A malicious application may be able to identify what other applications a user has installed." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious application may be able to identify what other applications a user has installed", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:18", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213186" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22670", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "tvOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An access issue was addressed with improved access restrictions. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, watchOS 8.5. A malicious application may be able to identify what other applications a user has installed." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious application may be able to identify what other applications a user has installed" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213193", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213193" + }, + { + "name": "https://support.apple.com/en-us/HT213186", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213186" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:03.176Z" + }, + "references": [ + { + "name": "Test (6980/24750) [3230/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22670" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22670", + "datePublished": "2022-03-18T18:00:18", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:03.176Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An authentication issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access to an iOS device may be able to access photos from the lock screen." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A person with physical access to an iOS device may be able to access photos from the lock screen", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-18T18:00:15", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22671", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An authentication issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access to an iOS device may be able to access photos from the lock screen." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A person with physical access to an iOS device may be able to access photos from the lock screen" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:03.519Z" + }, + "references": [ + { + "name": "Test (6981/24750) [3231/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22671" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22671", + "datePublished": "2022-03-18T18:00:15", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:03.519Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 15.4 and iPadOS 15.4, Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. A malicious application may be able to execute arbitrary code with kernel privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A malicious application may be able to execute arbitrary code with kernel privileges", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-26T17:42:02", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213185" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22672", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 15.4 and iPadOS 15.4, Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. A malicious application may be able to execute arbitrary code with kernel privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A malicious application may be able to execute arbitrary code with kernel privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213182", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213182" + }, + { + "name": "https://support.apple.com/en-us/HT213183", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213183" + }, + { + "name": "https://support.apple.com/en-us/HT213184", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213184" + }, + { + "name": "https://support.apple.com/en-us/HT213185", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213185" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:03.835Z" + }, + "references": [ + { + "name": "Test (6982/24750) [3232/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22672" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22672", + "datePublished": "2022-05-26T17:42:02", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:03.835Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "This issue was addressed with improved checks. This issue is fixed in iOS 15.5 and iPadOS 15.5. Processing a large input may lead to a denial of service." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Processing a large input may lead to a denial of service", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-26T17:42:54", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213258" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22673", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.5" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was addressed with improved checks. This issue is fixed in iOS 15.5 and iPadOS 15.5. Processing a large input may lead to a denial of service." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Processing a large input may lead to a denial of service" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213258", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213258" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:04.149Z" + }, + "references": [ + { + "name": "Test (6983/24750) [3233/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22673" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22673", + "datePublished": "2022-05-26T17:42:54", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:04.149Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "2022", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. This issue is fixed in macOS Monterey 12.3.1, Security Update 2022-004 Catalina, macOS Big Sur 11.6.6. A local user may be able to read kernel memory." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A local user may be able to read kernel memory", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-26T17:43:37", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213255" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213256" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213220" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22674", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2022" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. This issue is fixed in macOS Monterey 12.3.1, Security Update 2022-004 Catalina, macOS Big Sur 11.6.6. A local user may be able to read kernel memory." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A local user may be able to read kernel memory" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213255", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213255" + }, + { + "name": "https://support.apple.com/en-us/HT213256", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213256" + }, + { + "name": "https://support.apple.com/en-us/HT213220", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213220" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-04-04", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2022-04-04T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22674 added to KEV" + }, + { + "time": "2022-04-04T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22674 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:42:45.673Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:04.557Z" + }, + "references": [ + { + "name": "Test (6984/24750) [3234/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22674" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22674", + "datePublished": "2022-05-26T17:43:37", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:04.557Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "iOS and iPadOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "8.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "15.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "watchOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "11.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-26T17:44:27", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213256" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213220" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213219" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213253" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213254" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22675", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "iOS and iPadOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.4" + } + ] + } + }, + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.3" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "8.6" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "15.5" + } + ] + } + }, + { + "product_name": "watchOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "11.6" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213256", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213256" + }, + { + "name": "https://support.apple.com/en-us/HT213220", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213220" + }, + { + "name": "https://support.apple.com/en-us/HT213219", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213219" + }, + { + "name": "https://support.apple.com/en-us/HT213253", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213253" + }, + { + "name": "https://support.apple.com/en-us/HT213254", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213254" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-04-04", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2022-04-04T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22675 added to KEV" + }, + { + "time": "2022-04-04T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22675 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:42:45.362Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:04.869Z" + }, + "references": [ + { + "name": "Test (6985/24750) [3235/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22675" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22675", + "datePublished": "2022-05-26T17:44:27", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:04.869Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "macOS", + "vendor": "Apple", + "versions": [ + { + "lessThan": "12.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An event handler validation issue in the XPC Services API was addressed by removing the service. This issue is fixed in macOS Monterey 12.2. An application may be able to delete files for which it does not have permission." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "An application may be able to delete files for which it does not have permission", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-26T17:45:14", + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.apple.com/en-us/HT213054" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@apple.com", + "ID": "CVE-2022-22676", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "12.2" + } + ] + } + } + ] + }, + "vendor_name": "Apple" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An event handler validation issue in the XPC Services API was addressed by removing the service. This issue is fixed in macOS Monterey 12.2. An application may be able to delete files for which it does not have permission." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "An application may be able to delete files for which it does not have permission" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.apple.com/en-us/HT213054", + "refsource": "MISC", + "url": "https://support.apple.com/en-us/HT213054" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:05.187Z" + }, + "references": [ + { + "name": "Test (6986/24750) [3236/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22676" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "cveId": "CVE-2022-22676", + "datePublished": "2022-05-26T17:45:14", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:05.187Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22677", + "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "assignerShortName": "apple", + "dateUpdated": "2024-06-03T14:54:05.529Z", + "dateReserved": "2022-01-05T00:00:00", + "datePublished": "2022-11-01T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", + "shortName": "apple", + "dateUpdated": "2022-11-01T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A logic issue in the handling of concurrent media was addressed with improved state handling. This issue is fixed in macOS Monterey 12.4, iOS 15.5 and iPadOS 15.5. Video self-preview in a webRTC call may be interrupted if the user answers a phone call." + } + ], + "affected": [ + { + "vendor": "Apple", + "product": "macOS", + "versions": [ + { + "version": "unspecified", + "lessThan": "12.4", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Apple", + "product": "macOS", + "versions": [ + { + "version": "unspecified", + "lessThan": "15.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://support.apple.com/en-us/HT213258" + }, + { + "url": "https://support.apple.com/en-us/HT213257" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Video self-preview in a webRTC call may be interrupted if the user answers a phone call" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:05.529Z" + }, + "references": [ + { + "name": "Test (6987/24750) [3237/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22677" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "DiskStation Manager (DSM)", + "vendor": "Synology", + "versions": [ + { + "lessThan": "7.0.1-42218-2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-01-19T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-22", + "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-07T02:15:36", + "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "shortName": "synology" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.synology.com/security/advisory/Synology_SA_22_01" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@synology.com", + "DATE_PUBLIC": "2022-01-19T08:04:02.170780", + "ID": "CVE-2022-22679", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "DiskStation Manager (DSM)", + "version": { + "version_data": [ + { + "affected": "<", + "version_affected": "<", + "version_value": "7.0.1-42218-2" + } + ] + } + } + ] + }, + "vendor_name": "Synology" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "6.5", + "vectorString": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.synology.com/security/advisory/Synology_SA_22_01", + "refsource": "CONFIRM", + "url": "https://www.synology.com/security/advisory/Synology_SA_22_01" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:05.824Z" + }, + "references": [ + { + "name": "Test (6988/24750) [3238/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22679" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "assignerShortName": "synology", + "cveId": "CVE-2022-22679", + "datePublished": "2022-01-19T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:05.824Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "DiskStation Manager (DSM)", + "vendor": "Synology", + "versions": [ + { + "lessThan": "7.0.1-42218-2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-01-24T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to obtain sensitive information via unspecified vectors." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-200", + "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-07T02:10:10", + "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "shortName": "synology" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.synology.com/security/advisory/Synology_SA_22_01" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@synology.com", + "DATE_PUBLIC": "2022-01-24T07:19:59.841801", + "ID": "CVE-2022-22680", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "DiskStation Manager (DSM)", + "version": { + "version_data": [ + { + "affected": "<", + "version_affected": "<", + "version_value": "7.0.1-42218-2" + } + ] + } + } + ] + }, + "vendor_name": "Synology" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to obtain sensitive information via unspecified vectors." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "5.3", + "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.synology.com/security/advisory/Synology_SA_22_01", + "refsource": "CONFIRM", + "url": "https://www.synology.com/security/advisory/Synology_SA_22_01" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:06.135Z" + }, + "references": [ + { + "name": "Test (6989/24750) [3239/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22680" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "assignerShortName": "synology", + "cveId": "CVE-2022-22680", + "datePublished": "2022-01-24T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:06.135Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Photo Station", + "vendor": "Synology", + "versions": [ + { + "lessThan": "6.8.16-3506", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-07-04T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-384", + "description": "CWE-384: Session Fixation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-06T07:35:10", + "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "shortName": "synology" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.synology.com/security/advisory/Synology_SA_21_26" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@synology.com", + "DATE_PUBLIC": "2022-07-04T14:57:41.410632", + "ID": "CVE-2022-22681", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Photo Station", + "version": { + "version_data": [ + { + "affected": "<", + "version_affected": "<", + "version_value": "6.8.16-3506" + } + ] + } + } + ] + }, + "vendor_name": "Synology" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "8.1", + "vectorString": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-384: Session Fixation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.synology.com/security/advisory/Synology_SA_21_26", + "refsource": "CONFIRM", + "url": "https://www.synology.com/security/advisory/Synology_SA_21_26" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:06.467Z" + }, + "references": [ + { + "name": "Test (6990/24750) [3240/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22681" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "assignerShortName": "synology", + "cveId": "CVE-2022-22681", + "datePublished": "2022-07-04T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:06.467Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Synology Calendar", + "vendor": "Synology", + "versions": [ + { + "lessThan": "2.4.5-10930", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-07-11T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Event Management in Synology Calendar before 2.4.5-10930 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-12T06:20:10", + "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "shortName": "synology" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.synology.com/security/advisory/Synology_SA_22_07" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@synology.com", + "DATE_PUBLIC": "2022-07-11T18:24:33.470924", + "ID": "CVE-2022-22682", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Synology Calendar", + "version": { + "version_data": [ + { + "affected": "<", + "version_affected": "<", + "version_value": "2.4.5-10930" + } + ] + } + } + ] + }, + "vendor_name": "Synology" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Event Management in Synology Calendar before 2.4.5-10930 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "6.5", + "vectorString": "AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.synology.com/security/advisory/Synology_SA_22_07", + "refsource": "CONFIRM", + "url": "https://www.synology.com/security/advisory/Synology_SA_22_07" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:06.760Z" + }, + "references": [ + { + "name": "Test (6991/24750) [3241/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22682" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "assignerShortName": "synology", + "cveId": "CVE-2022-22682", + "datePublished": "2022-07-11T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:06.760Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Media Server", + "vendor": "Synology", + "versions": [ + { + "lessThan": "1.8.1-2876", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-07-25T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary code via unspecified vectors." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 10, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-28T07:00:13", + "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "shortName": "synology" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.synology.com/security/advisory/Synology_SA_20_24" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@synology.com", + "DATE_PUBLIC": "2022-07-25T12:00:39.524533", + "ID": "CVE-2022-22683", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Media Server", + "version": { + "version_data": [ + { + "affected": "<", + "version_affected": "<", + "version_value": "1.8.1-2876" + } + ] + } + } + ] + }, + "vendor_name": "Synology" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary code via unspecified vectors." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "10.0", + "vectorString": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.synology.com/security/advisory/Synology_SA_20_24", + "refsource": "CONFIRM", + "url": "https://www.synology.com/security/advisory/Synology_SA_20_24" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:07.072Z" + }, + "references": [ + { + "name": "Test (6992/24750) [3242/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22683" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "assignerShortName": "synology", + "cveId": "CVE-2022-22683", + "datePublished": "2022-07-25T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:07.072Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "DiskStation Manager (DSM)", + "vendor": "Synology", + "versions": [ + { + "lessThan": "6.2.4-25553", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-07-29T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "availabilityRequirement": "NOT_DEFINED", + "baseScore": 7.2, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "confidentialityRequirement": "NOT_DEFINED", + "environmentalScore": 6.7, + "environmentalSeverity": "HIGH", + "integrityImpact": "HIGH", + "integrityRequirement": "NOT_DEFINED", + "modifiedAttackComplexity": "LOW", + "modifiedAttackVector": "LOCAL", + "modifiedAvailabilityImpact": "HIGH", + "modifiedConfidentialityImpact": "HIGH", + "modifiedIntegrityImpact": "HIGH", + "modifiedPrivilegesRequired": "HIGH", + "modifiedScope": "NOT_DEFINED", + "modifiedUserInteraction": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/MAV:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-78", + "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-29T10:00:54", + "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "shortName": "synology" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.synology.com/security/advisory/Synology_SA_21_03" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@synology.com", + "DATE_PUBLIC": "2022-07-29T17:54:41.046006", + "ID": "CVE-2022-22684", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "DiskStation Manager (DSM)", + "version": { + "version_data": [ + { + "affected": "<", + "version_affected": "<", + "version_value": "6.2.4-25553" + } + ] + } + } + ] + }, + "vendor_name": "Synology" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "7.2", + "vectorString": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/MAV:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.synology.com/security/advisory/Synology_SA_21_03", + "refsource": "CONFIRM", + "url": "https://www.synology.com/security/advisory/Synology_SA_21_03" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:07.400Z" + }, + "references": [ + { + "name": "Test (6993/24750) [3243/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22684" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "assignerShortName": "synology", + "cveId": "CVE-2022-22684", + "datePublished": "2022-07-29T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:07.400Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "WebDAV Server", + "vendor": "Synology", + "versions": [ + { + "lessThan": "2.4.0-0062", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-07-25T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology WebDAV Server before 2.4.0-0062 allows remote authenticated users to delete arbitrary files via unspecified vectors." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.7, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-22", + "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-28T06:45:12", + "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "shortName": "synology" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.synology.com/security/advisory/Synology_SA_21_09" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@synology.com", + "DATE_PUBLIC": "2022-07-25T14:34:31.518384", + "ID": "CVE-2022-22685", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "WebDAV Server", + "version": { + "version_data": [ + { + "affected": "<", + "version_affected": "<", + "version_value": "2.4.0-0062" + } + ] + } + } + ] + }, + "vendor_name": "Synology" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology WebDAV Server before 2.4.0-0062 allows remote authenticated users to delete arbitrary files via unspecified vectors." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "8.7", + "vectorString": "AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.synology.com/security/advisory/Synology_SA_21_09", + "refsource": "CONFIRM", + "url": "https://www.synology.com/security/advisory/Synology_SA_21_09" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:07.714Z" + }, + "references": [ + { + "name": "Test (6994/24750) [3244/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22685" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "assignerShortName": "synology", + "cveId": "CVE-2022-22685", + "datePublished": "2022-07-25T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:07.714Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Synology Calendar", + "vendor": "Synology", + "versions": [ + { + "lessThan": "2.3.4-0631", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-07-25T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Cross-Site Request Forgery (CSRF) vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to hijack the authentication of administrators via unspecified vectors." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-352", + "description": "CWE-352: Cross-Site Request Forgery (CSRF)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-26T01:30:14", + "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "shortName": "synology" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.synology.com/security/advisory/Synology_SA_20_07" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@synology.com", + "DATE_PUBLIC": "2022-07-25T14:48:00.847460", + "ID": "CVE-2022-22686", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Synology Calendar", + "version": { + "version_data": [ + { + "affected": "<", + "version_affected": "<", + "version_value": "2.3.4-0631" + } + ] + } + } + ] + }, + "vendor_name": "Synology" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Cross-Site Request Forgery (CSRF) vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to hijack the authentication of administrators via unspecified vectors." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "6.5", + "vectorString": "AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352: Cross-Site Request Forgery (CSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.synology.com/security/advisory/Synology_SA_20_07", + "refsource": "CONFIRM", + "url": "https://www.synology.com/security/advisory/Synology_SA_20_07" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:08.035Z" + }, + "references": [ + { + "name": "Test (6995/24750) [3245/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22686" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "assignerShortName": "synology", + "cveId": "CVE-2022-22686", + "datePublished": "2022-07-25T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:08.035Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "DiskStation Manager (DSM)", + "vendor": "Synology", + "versions": [ + { + "lessThan": "6.2.3-25426-3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-03-21T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-25T06:55:17", + "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "shortName": "synology" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.synology.com/security/advisory/Synology_SA_20_26" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@synology.com", + "DATE_PUBLIC": "2022-03-21T11:11:11.929865", + "ID": "CVE-2022-22687", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "DiskStation Manager (DSM)", + "version": { + "version_data": [ + { + "affected": "<", + "version_affected": "<", + "version_value": "6.2.3-25426-3" + } + ] + } + } + ] + }, + "vendor_name": "Synology" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "9.8", + "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.synology.com/security/advisory/Synology_SA_20_26", + "refsource": "CONFIRM", + "url": "https://www.synology.com/security/advisory/Synology_SA_20_26" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:08.386Z" + }, + "references": [ + { + "name": "Test (6996/24750) [3246/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22687" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "assignerShortName": "synology", + "cveId": "CVE-2022-22687", + "datePublished": "2022-03-21T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:08.386Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "DiskStation Manager (DSM)", + "vendor": "Synology", + "versions": [ + { + "lessThan": "6.2.4-25556-2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-03-21T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-77", + "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-25T06:55:11", + "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "shortName": "synology" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.synology.com/security/advisory/Synology_SA_21_22" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@synology.com", + "DATE_PUBLIC": "2022-03-21T11:16:35.131196", + "ID": "CVE-2022-22688", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "DiskStation Manager (DSM)", + "version": { + "version_data": [ + { + "affected": "<", + "version_affected": "<", + "version_value": "6.2.4-25556-2" + } + ] + } + } + ] + }, + "vendor_name": "Synology" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors." + } + ] + }, + "impact": { + "cvss": { + "baseScore": "8.8", + "vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.synology.com/security/advisory/Synology_SA_21_22", + "refsource": "CONFIRM", + "url": "https://www.synology.com/security/advisory/Synology_SA_21_22" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:08.711Z" + }, + "references": [ + { + "name": "Test (6997/24750) [3247/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22688" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", + "assignerShortName": "synology", + "cveId": "CVE-2022-22688", + "datePublished": "2022-03-21T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:08.711Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "CA Harvest Software Change Manager", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "13.0.3, 13.0.4, 14.0.0, 14.0.1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-1236", + "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T22:29:27", + "orgId": "e291eae9-7c0a-46ac-ba7d-5251811f8b7f", + "shortName": "ca" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.broadcom.com/security-advisory/content/security-advisories/CA20220203-01-Security-Notice-for-CA-Harvest-Software-Change-Manager/ESDSA20297" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vuln@ca.com", + "ID": "CVE-2022-22689", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "CA Harvest Software Change Manager", + "version": { + "version_data": [ + { + "version_value": "13.0.3, 13.0.4, 14.0.0, 14.0.1" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.broadcom.com/security-advisory/content/security-advisories/CA20220203-01-Security-Notice-for-CA-Harvest-Software-Change-Manager/ESDSA20297", + "refsource": "MISC", + "url": "https://support.broadcom.com/security-advisory/content/security-advisories/CA20220203-01-Security-Notice-for-CA-Harvest-Software-Change-Manager/ESDSA20297" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:09.021Z" + }, + "references": [ + { + "name": "Test (6998/24750) [3248/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22689" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "e291eae9-7c0a-46ac-ba7d-5251811f8b7f", + "assignerShortName": "ca", + "cveId": "CVE-2022-22689", + "datePublished": "2022-02-04T22:29:27", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:09.021Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Umbraco CMS", + "vendor": "Umbraco", + "versions": [ + { + "lessThan": "9.2.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "AppCheck Ltd" + } + ], + "datePublic": "2022-01-18T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Within the Umbraco CMS, a configuration element named \"UmbracoApplicationUrl\" (or just \"ApplicationUrl\") is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password and the application builds a password reset URL or when the administrator invites users to the site. For Umbraco versions less than 9.2.0, if the Application URL is not specifically configured, the attacker can manipulate this value and store it persistently affecting all users for components where the \"UmbracoApplicationUrl\" is used. For example, the attacker is able to change the URL users receive when resetting their password so that it points to the attackers server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Unauthorised runtime configuration manipulation", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-18T16:52:21", + "orgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae", + "shortName": "AppCheck" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Umbraco Remote ApplicationURL Overwrite", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "info@appcheck-ng.com", + "DATE_PUBLIC": "2022-01-18T14:26:00.000Z", + "ID": "CVE-2022-22690", + "STATE": "PUBLIC", + "TITLE": "Umbraco Remote ApplicationURL Overwrite" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Umbraco CMS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "9.2.0" + } + ] + } + } + ] + }, + "vendor_name": "Umbraco" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "AppCheck Ltd" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Within the Umbraco CMS, a configuration element named \"UmbracoApplicationUrl\" (or just \"ApplicationUrl\") is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password and the application builds a password reset URL or when the administrator invites users to the site. For Umbraco versions less than 9.2.0, if the Application URL is not specifically configured, the attacker can manipulate this value and store it persistently affecting all users for components where the \"UmbracoApplicationUrl\" is used. For example, the attacker is able to change the URL users receive when resetting their password so that it points to the attackers server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Unauthorised runtime configuration manipulation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/", + "refsource": "MISC", + "url": "https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:09.376Z" + }, + "references": [ + { + "name": "Test (6999/24750) [3249/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22690" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae", + "assignerShortName": "AppCheck", + "cveId": "CVE-2022-22690", + "datePublished": "2022-01-18T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:09.376Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Umbraco CMS", + "vendor": "Umbraco", + "versions": [ + { + "lessThan": "9.2.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "AppCheck Ltd" + } + ], + "datePublic": "2022-01-18T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed. A related vulnerability (CVE-2022-22690) could allow this flaw to become persistent so that all password reset URLs are affected persistently following a successful attack. See the AppCheck advisory for further information and associated caveats." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-640", + "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-18T16:52:20", + "orgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae", + "shortName": "AppCheck" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Umbraco Password Reset URL Poison", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "info@appcheck-ng.com", + "DATE_PUBLIC": "2022-01-18T14:26:00.000Z", + "ID": "CVE-2022-22691", + "STATE": "PUBLIC", + "TITLE": "Umbraco Password Reset URL Poison" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Umbraco CMS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "9.2.0" + } + ] + } + } + ] + }, + "vendor_name": "Umbraco" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "AppCheck Ltd" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed. A related vulnerability (CVE-2022-22690) could allow this flaw to become persistent so that all password reset URLs are affected persistently following a successful attack. See the AppCheck advisory for further information and associated caveats." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/", + "refsource": "MISC", + "url": "https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:09.689Z" + }, + "references": [ + { + "name": "Test (7000/24750) [3250/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22691" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae", + "assignerShortName": "AppCheck", + "cveId": "CVE-2022-22691", + "datePublished": "2022-01-18T00:00:00", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:09.689Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "CyberArk Identity", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "22.1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "User enumeration", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-03T18:20:21", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/porter/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-22700", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "CyberArk Identity", + "version": { + "version_data": [ + { + "version_value": "22.1" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "User enumeration" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fluidattacks.com/advisories/porter/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/porter/" + }, + { + "name": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm", + "refsource": "MISC", + "url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:33.560Z" + }, + "references": [ + { + "name": "Test (7001/24750) [3251/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22700" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-22700", + "datePublished": "2022-03-03T18:20:21", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:33.560Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "PartKeepr", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "1.4.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "PartKeepr versions up to v1.4.0, loads attachments using a URL while creating a part and allows the use of the 'file://' URI scheme, allowing an authenticated user to read local files." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Local file inclusion", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-07T21:59:38", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/hendrix/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/partkeepr/PartKeepr/issues/1229" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-22701", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "PartKeepr", + "version": { + "version_data": [ + { + "version_value": "1.4.0" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "PartKeepr versions up to v1.4.0, loads attachments using a URL while creating a part and allows the use of the 'file://' URI scheme, allowing an authenticated user to read local files." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Local file inclusion" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fluidattacks.com/advisories/hendrix/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/hendrix/" + }, + { + "name": "https://github.com/partkeepr/PartKeepr/issues/1229", + "refsource": "MISC", + "url": "https://github.com/partkeepr/PartKeepr/issues/1229" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:33.889Z" + }, + "references": [ + { + "name": "Test (7002/24750) [3252/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22701" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-22701", + "datePublished": "2022-01-07T21:59:38", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:33.889Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "PartKeepr", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "1.4.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "PartKeepr versions up to v1.4.0, in the functionality to upload attachments using a URL when creating a part does not validate that requests can be made to local ports, allowing an authenticated user to carry out SSRF attacks and port enumeration." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Server-side request forgery", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-07T22:00:52", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/joplin/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/partkeepr/PartKeepr/issues/1230" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-22702", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "PartKeepr", + "version": { + "version_data": [ + { + "version_value": "1.4.0" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "PartKeepr versions up to v1.4.0, in the functionality to upload attachments using a URL when creating a part does not validate that requests can be made to local ports, allowing an authenticated user to carry out SSRF attacks and port enumeration." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Server-side request forgery" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fluidattacks.com/advisories/joplin/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/joplin/" + }, + { + "name": "https://github.com/partkeepr/PartKeepr/issues/1230", + "refsource": "MISC", + "url": "https://github.com/partkeepr/PartKeepr/issues/1230" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:34.200Z" + }, + "references": [ + { + "name": "Test (7003/24750) [3253/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22702" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-22702", + "datePublished": "2022-01-07T22:00:52", + "dateReserved": "2022-01-05T00:00:00", + "dateUpdated": "2024-06-03T14:54:34.200Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "In Stormshield SSO Agent 2.x before 2.1.1 and 3.x before 3.0.2, the cleartext user password and PSK are contained in the log file of the .exe installer." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-17T20:04:02", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://advisories.stormshield.eu/2022-001" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22703", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Stormshield SSO Agent 2.x before 2.1.1 and 3.x before 3.0.2, the cleartext user password and PSK are contained in the log file of the .exe installer." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://advisories.stormshield.eu/2022-001", + "refsource": "MISC", + "url": "https://advisories.stormshield.eu/2022-001" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:34.542Z" + }, + "references": [ + { + "name": "Test (7004/24750) [3254/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22703" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22703", + "datePublished": "2022-01-17T20:04:02", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:34.542Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The zabbix-agent2 package before 5.4.9-r1 for Alpine Linux sometimes allows privilege escalation to root because the design incorrectly expected that systemd would (in effect) determine part of the configuration." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-06T04:23:28", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13368" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22704", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The zabbix-agent2 package before 5.4.9-r1 for Alpine Linux sometimes allows privilege escalation to root because the design incorrectly expected that systemd would (in effect) determine part of the configuration." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13368", + "refsource": "MISC", + "url": "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13368" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:34.850Z" + }, + "references": [ + { + "name": "Test (7005/24750) [3255/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22704" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22704", + "datePublished": "2022-01-06T04:23:28", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:34.850Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Arm Mali GPU Kernel Driver allows a non-privileged user to achieve write access to read-only memory pages. This affects Midgard r26p0 through r31p0, Bifrost r0p0 through r35p0, and Valhall r19p0 through r35p0." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-22T13:58:40", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://developer.arm.com/support/arm-security-updates" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22706", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Arm Mali GPU Kernel Driver allows a non-privileged user to achieve write access to read-only memory pages. This affects Midgard r26p0 through r31p0, Bifrost r0p0 through r35p0, and Valhall r19p0 through r35p0." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://developer.arm.com/support/arm-security-updates", + "refsource": "MISC", + "url": "https://developer.arm.com/support/arm-security-updates" + }, + { + "name": "https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver", + "refsource": "MISC", + "url": "https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2023-03-30", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2023-03-30T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22706 added to KEV" + }, + { + "time": "2023-03-30T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22706 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:48:41.297Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:35.178Z" + }, + "references": [ + { + "name": "Test (7006/24750) [3256/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22706" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22706", + "datePublished": "2022-03-03T14:27:54", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:35.178Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-12T10:06:30", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://redmine.lighttpd.net/issues/3134" + }, + { + "name": "DSA-5040", + "tags": [ + "vendor-advisory", + "x_refsource_DEBIAN" + ], + "url": "https://www.debian.org/security/2022/dsa-5040" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22707", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://redmine.lighttpd.net/issues/3134", + "refsource": "MISC", + "url": "https://redmine.lighttpd.net/issues/3134" + }, + { + "name": "DSA-5040", + "refsource": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5040" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:35.512Z" + }, + "references": [ + { + "name": "Test (7007/24750) [3257/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22707" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22707", + "datePublished": "2022-01-06T05:55:30", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:35.512Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "VP9 Video Extensions Remote Code Execution Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "VP9 Video Extensions", + "cpes": [ + "cpe:2.3:a:microsoft:vp9_video_extensions:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "1.0.0.0", + "lessThan": "1.0.42791.0", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "VP9 Video Extensions Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:15.775Z" + }, + "references": [ + { + "name": "VP9 Video Extensions Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22709" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:35.823Z" + }, + "references": [ + { + "name": "Test (7008/24750) [3258/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22709" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-22709", + "datePublished": "2022-02-09T16:37:00", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:35.823Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Common Log File System Driver Denial of Service Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2565:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2565:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2094:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2094:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2094:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2094", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.524:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.525:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.524", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.525", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1526:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1526:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1526:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.493:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.493:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.493", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19204:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19204:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19204", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.4946:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.4946:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.4946", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.4946:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.4946", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.4946:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.4946", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25860:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25860:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20269:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20269:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20269:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20269", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21374", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.0.0", + "lessThan": "6.0.6003.21372", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21374", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.0.0", + "lessThan": "6.0.6003.21372", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21374", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.0.0", + "lessThan": "6.0.6003.21372", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25860:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25860:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23605:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23605", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23605:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23605", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20269:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20269", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20269:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20269", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Common Log File System Driver Denial of Service Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Denial of Service", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:16.308Z" + }, + "references": [ + { + "name": "Windows Common Log File System Driver Denial of Service Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22710" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.5, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:36.147Z" + }, + "references": [ + { + "name": "Test (7009/24750) [3259/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22710" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-22710", + "datePublished": "2022-02-09T16:37:02", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:36.147Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows BitLocker Information Disclosure Vulnerability", + "datePublic": "2022-07-12T07:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.3165:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.3165:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.3165:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.3165", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.3165:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.3165", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.3165:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.3165", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1826:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1826:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1826:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1826", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.825:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.825", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1826:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1826:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1826", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1826:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1826", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.795:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.795:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.795", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1826:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1826:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1826:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1826", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19360:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19360:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19360", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5246:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5246:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5246", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5246:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5246", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5246:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5246", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows BitLocker Information Disclosure Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information Disclosure", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2024-05-29T14:22:23.302Z" + }, + "references": [ + { + "name": "Windows BitLocker Information Disclosure Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22711" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.7, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2024-05-30T14:29:18.284364Z", + "id": "CVE-2022-22711", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-30T14:29:24.228Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:36.527Z" + }, + "references": [ + { + "name": "Test (7010/24750) [3260/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22711" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-22711", + "datePublished": "2022-07-12T22:37:21", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:36.527Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Hyper-V Denial of Service Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2565:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2565:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2094:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2094", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.524:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.525:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.524", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.525", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1526:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.493:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.493", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1526", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Hyper-V Denial of Service Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Denial of Service", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:16.855Z" + }, + "references": [ + { + "name": "Windows Hyper-V Denial of Service Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22712" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.6, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:36.851Z" + }, + "references": [ + { + "name": "Test (7011/24750) [3261/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22712" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-22712", + "datePublished": "2022-02-09T16:37:03", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:36.851Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Hyper-V Denial of Service Vulnerability", + "datePublic": "2022-05-10T07:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1706:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1706", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1706:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1706", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1706:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1706", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Hyper-V Denial of Service Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Denial of Service", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2024-05-29T14:27:18.722Z" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22713" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.6, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:37.160Z" + }, + "references": [ + { + "name": "Test (7012/24750) [3262/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22713" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-22713", + "datePublished": "2022-05-10T20:33:31", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:37.160Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Named Pipe File System Elevation of Privilege Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2565:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2565:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2094:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2094:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2094:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2094", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.524:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.525:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.524", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.525", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1526:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1526:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1526:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.493:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.493:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.493", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1526", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Named Pipe File System Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:22.756Z" + }, + "references": [ + { + "name": "Named Pipe File System Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22715" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:37.509Z" + }, + "references": [ + { + "name": "Test (7013/24750) [3263/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22715" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-22715", + "datePublished": "2022-02-09T16:37:05", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:37.509Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Excel Information Disclosure Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft SharePoint Enterprise Server 2013 Service Pack 1", + "cpes": [ + "cpe:2.3:a:microsoft:sharepoint_server:2013:sp1:*:*:enterprise:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "15.0.0", + "lessThan": "15.0.5423.1000", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Office 2019", + "cpes": [ + "cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "19.0.0", + "lessThan": "https://aka.ms/OfficeSecurityReleases", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Office 2019 for Mac", + "cpes": [ + "cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "16.0.0", + "lessThan": "16.58.22021501", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Office Online Server", + "cpes": [ + "cpe:2.3:a:microsoft:office_online_server:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "16.0.1", + "lessThan": "16.0.10383.20001", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft 365 Apps for Enterprise", + "cpes": [ + "cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "16.0.1", + "lessThan": "https://aka.ms/OfficeSecurityReleases", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Office LTSC for Mac 2021", + "cpes": [ + "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "16.0.1", + "lessThan": "16.58.22021501", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Office LTSC 2021", + "cpes": [ + "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "16.0.1", + "lessThan": "https://aka.ms/OfficeSecurityReleases", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Excel 2016", + "cpes": [ + "cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*", + "cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "16.0.0.0", + "lessThan": "16.0.5278.1000", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Excel 2013 Service Pack 1", + "cpes": [ + "cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:*", + "cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x86:*", + "cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "ARM64-based Systems", + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "15.0.0.0", + "lessThan": "15.0.5423.1000", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Office Web Apps Server 2013 Service Pack 1", + "cpes": [ + "cpe:2.3:a:microsoft:office_web_apps_server:2013:sp1:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "15.0.1", + "lessThan": "15.0.5423.1000", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Excel Information Disclosure Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information Disclosure", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:23.328Z" + }, + "references": [ + { + "name": "Microsoft Excel Information Disclosure Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22716" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.5, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:37.832Z" + }, + "references": [ + { + "name": "Test (7014/24750) [3264/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22716" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-22716", + "datePublished": "2022-02-09T16:37:06", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:37.832Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Print Spooler Elevation of Privilege Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2565:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2565:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2094:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2094:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2094:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2094", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.524:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.525:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.524", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.525", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1526:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1526:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1526:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.493:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.493:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.493", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19204:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19204:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19204", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.4946:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.4946:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.4946", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.4946:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.4946", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.4946:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.4946", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25860:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25860:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20269:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20269:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20269:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20269", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21374", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.0.0", + "lessThan": "6.0.6003.21372", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21374", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.0.0", + "lessThan": "6.0.6003.21372", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21374", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.0.0", + "lessThan": "6.0.6003.21372", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25860:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25860:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23605:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23605", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23605:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23605", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20269:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20269", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20269:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20269", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Print Spooler Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:23.881Z" + }, + "references": [ + { + "name": "Windows Print Spooler Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22717" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:38.149Z" + }, + "references": [ + { + "name": "Test (7015/24750) [3265/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22717" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-22717", + "datePublished": "2022-02-09T16:37:07", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:38.149Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Print Spooler Elevation of Privilege Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2565:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2565:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2565:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2565", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2094:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2094:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2094:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2094", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1526:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.524:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.525:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.524", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.525", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1526:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1526:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1526:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.493:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.493:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.493", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1526:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1526", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19204:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19204:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19204", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.4946:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.4946:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.4946", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.4946:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.4946", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.4946:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.4946", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25860:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25860:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20269:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20269:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20269:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20269", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21374", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.0.0", + "lessThan": "6.0.6003.21372", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21374", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.0.0", + "lessThan": "6.0.6003.21372", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21374:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21372:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21374", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.0.0", + "lessThan": "6.0.6003.21372", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25860:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25860:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25860", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23605:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23605", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23605:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23605", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20269:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20269", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20269:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20269", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Print Spooler Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:24.442Z" + }, + "references": [ + { + "name": "Windows Print Spooler Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22718" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-04-19", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2022-04-19T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22718 added to KEV" + }, + { + "time": "2022-04-19T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22718 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:42:55.638Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:38.494Z" + }, + "references": [ + { + "name": "Test (7016/24750) [3266/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22718" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-22718", + "datePublished": "2022-02-09T16:37:09", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:38.494Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Apache HTTP Server", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThanOrEqual": "2.4.52", + "status": "affected", + "version": "Apache HTTP Server 2.4", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Chamal De Silva" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier." + } + ], + "metrics": [ + { + "other": { + "content": { + "other": "moderate" + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-665", + "description": "CWE-665 Improper Initialization", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-14T01:07:27", + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://httpd.apache.org/security/vulnerabilities_24.html" + }, + { + "name": "[oss-security] 20220314 CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value of in r:parsebody", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/03/14/4" + }, + { + "name": "FEDORA-2022-b4103753e9", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/" + }, + { + "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html" + }, + { + "name": "FEDORA-2022-21264ec6db", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/" + }, + { + "name": "FEDORA-2022-78e3211c55", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://security.netapp.com/advisory/ntap-20220321-0001/" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213257" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213256" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213255" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/38" + }, + { + "name": "GLSA-202208-20", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202208-20" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "timeline": [ + { + "lang": "en", + "time": "2021-12-18T00:00:00", + "value": "Reported to security team" + } + ], + "title": "mod_lua Use of uninitialized value of in r:parsebody", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@apache.org", + "ID": "CVE-2022-22719", + "STATE": "PUBLIC", + "TITLE": "mod_lua Use of uninitialized value of in r:parsebody" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache HTTP Server", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "Apache HTTP Server 2.4", + "version_value": "2.4.52" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Chamal De Silva" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + { + "other": "moderate" + } + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-665 Improper Initialization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://httpd.apache.org/security/vulnerabilities_24.html", + "refsource": "MISC", + "url": "https://httpd.apache.org/security/vulnerabilities_24.html" + }, + { + "name": "[oss-security] 20220314 CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value of in r:parsebody", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/03/14/4" + }, + { + "name": "FEDORA-2022-b4103753e9", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/" + }, + { + "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update", + "refsource": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html" + }, + { + "name": "FEDORA-2022-21264ec6db", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/" + }, + { + "name": "FEDORA-2022-78e3211c55", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/" + }, + { + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "name": "https://security.netapp.com/advisory/ntap-20220321-0001/", + "refsource": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220321-0001/" + }, + { + "name": "https://support.apple.com/kb/HT213257", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213257" + }, + { + "name": "https://support.apple.com/kb/HT213256", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213256" + }, + { + "name": "https://support.apple.com/kb/HT213255", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213255" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/38" + }, + { + "name": "GLSA-202208-20", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202208-20" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + }, + "timeline": [ + { + "lang": "en", + "time": "2021-12-18T00:00:00", + "value": "Reported to security team" + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:38.825Z" + }, + "references": [ + { + "name": "Test (7017/24750) [3267/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22719" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2022-22719", + "datePublished": "2022-03-14T10:15:16", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:38.825Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Apache HTTP Server", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThanOrEqual": "2.4.52", + "status": "affected", + "version": "Apache HTTP Server 2.4", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "James Kettle " + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling" + } + ], + "metrics": [ + { + "other": { + "content": { + "other": "important" + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-444", + "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-14T01:07:14", + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://httpd.apache.org/security/vulnerabilities_24.html" + }, + { + "name": "[oss-security] 20220314 CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/03/14/3" + }, + { + "name": "FEDORA-2022-b4103753e9", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/" + }, + { + "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html" + }, + { + "name": "FEDORA-2022-21264ec6db", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/" + }, + { + "name": "FEDORA-2022-78e3211c55", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://security.netapp.com/advisory/ntap-20220321-0001/" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/38" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213257" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213256" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213255" + }, + { + "name": "GLSA-202208-20", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202208-20" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@apache.org", + "ID": "CVE-2022-22720", + "STATE": "PUBLIC", + "TITLE": "HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache HTTP Server", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "Apache HTTP Server 2.4", + "version_value": "2.4.52" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "James Kettle " + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + { + "other": "important" + } + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://httpd.apache.org/security/vulnerabilities_24.html", + "refsource": "MISC", + "url": "https://httpd.apache.org/security/vulnerabilities_24.html" + }, + { + "name": "[oss-security] 20220314 CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/03/14/3" + }, + { + "name": "FEDORA-2022-b4103753e9", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/" + }, + { + "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update", + "refsource": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html" + }, + { + "name": "FEDORA-2022-21264ec6db", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/" + }, + { + "name": "FEDORA-2022-78e3211c55", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/" + }, + { + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "name": "https://security.netapp.com/advisory/ntap-20220321-0001/", + "refsource": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220321-0001/" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/38" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "name": "https://support.apple.com/kb/HT213257", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213257" + }, + { + "name": "https://support.apple.com/kb/HT213256", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213256" + }, + { + "name": "https://support.apple.com/kb/HT213255", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213255" + }, + { + "name": "GLSA-202208-20", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202208-20" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:39.145Z" + }, + "references": [ + { + "name": "Test (7018/24750) [3268/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22720" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2022-22720", + "datePublished": "2022-03-14T10:15:29", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:39.145Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Apache HTTP Server", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThanOrEqual": "2.4.52", + "status": "affected", + "version": "Apache HTTP Server 2.4", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Anonymous working with Trend Micro Zero Day Initiative" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier." + } + ], + "metrics": [ + { + "other": { + "content": { + "other": "low" + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-190", + "description": "CWE-190 Integer Overflow or Wraparound", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-14T01:07:45", + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://httpd.apache.org/security/vulnerabilities_24.html" + }, + { + "name": "[oss-security] 20220314 CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/03/14/2" + }, + { + "name": "FEDORA-2022-b4103753e9", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/" + }, + { + "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html" + }, + { + "name": "FEDORA-2022-21264ec6db", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/" + }, + { + "name": "FEDORA-2022-78e3211c55", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://security.netapp.com/advisory/ntap-20220321-0001/" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/38" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213257" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213256" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.apple.com/kb/HT213255" + }, + { + "name": "GLSA-202208-20", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202208-20" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "timeline": [ + { + "lang": "en", + "time": "2021-12-16T00:00:00", + "value": "Reported to security team" + } + ], + "title": "core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@apache.org", + "ID": "CVE-2022-22721", + "STATE": "PUBLIC", + "TITLE": "core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache HTTP Server", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "Apache HTTP Server 2.4", + "version_value": "2.4.52" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Anonymous working with Trend Micro Zero Day Initiative" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + { + "other": "low" + } + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-190 Integer Overflow or Wraparound" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://httpd.apache.org/security/vulnerabilities_24.html", + "refsource": "MISC", + "url": "https://httpd.apache.org/security/vulnerabilities_24.html" + }, + { + "name": "[oss-security] 20220314 CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/03/14/2" + }, + { + "name": "FEDORA-2022-b4103753e9", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/" + }, + { + "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update", + "refsource": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html" + }, + { + "name": "FEDORA-2022-21264ec6db", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/" + }, + { + "name": "FEDORA-2022-78e3211c55", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/" + }, + { + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "name": "https://security.netapp.com/advisory/ntap-20220321-0001/", + "refsource": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220321-0001/" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/May/38" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "name": "https://support.apple.com/kb/HT213257", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213257" + }, + { + "name": "https://support.apple.com/kb/HT213256", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213256" + }, + { + "name": "https://support.apple.com/kb/HT213255", + "refsource": "CONFIRM", + "url": "https://support.apple.com/kb/HT213255" + }, + { + "name": "GLSA-202208-20", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202208-20" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + }, + "timeline": [ + { + "lang": "en", + "time": "2021-12-16T00:00:00", + "value": "Reported to security team" + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:39.493Z" + }, + "references": [ + { + "name": "Test (7019/24750) [3269/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22721" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2022-22721", + "datePublished": "2022-03-14T10:15:40", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:39.493Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Easergy P5", + "vendor": "Schneider Electric", + "versions": [ + { + "lessThan": "01.401.101", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-798: Use of Hard-coded Credentials vulnerability exists that could result in information disclosure. If an attacker were to obtain the SSH cryptographic key for the device and take active control of the local operational network connected to the product they could potentially observe and manipulate traffic associated with product configuration. Affected Product: Easergy P5 (All firmware versions prior to V01.401.101)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-798", + "description": "CWE-798: Use of Hard-coded Credentials", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T22:29:34", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22722", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Easergy P5", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "01.401.101" + } + ] + } + } + ] + }, + "vendor_name": "Schneider Electric" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-798: Use of Hard-coded Credentials vulnerability exists that could result in information disclosure. If an attacker were to obtain the SSH cryptographic key for the device and take active control of the local operational network connected to the product they could potentially observe and manipulate traffic associated with product configuration. Affected Product: Easergy P5 (All firmware versions prior to V01.401.101)" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-798: Use of Hard-coded Credentials" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03", + "refsource": "MISC", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:39.811Z" + }, + "references": [ + { + "name": "Test (7020/24750) [3270/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22722" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22722", + "datePublished": "2022-02-04T22:29:34", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:39.811Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Easergy P5 (All firmware versions prior to V01.401.101)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Easergy P5 (All firmware versions prior to V01.401.101)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could lead to a buffer overflow causing program crashes and arbitrary code execution when specially crafted packets are sent to the device over the network. Protection functions and tripping function via GOOSE can be impacted. Affected Product: Easergy P5 (All firmware versions prior to V01.401.101)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "description": "CWE-120: Buffer Copy without Checking Size of Input", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T22:29:35", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22723", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Easergy P5 (All firmware versions prior to V01.401.101)", + "version": { + "version_data": [ + { + "version_value": "Easergy P5 (All firmware versions prior to V01.401.101)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could lead to a buffer overflow causing program crashes and arbitrary code execution when specially crafted packets are sent to the device over the network. Protection functions and tripping function via GOOSE can be impacted. Affected Product: Easergy P5 (All firmware versions prior to V01.401.101)" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-120: Buffer Copy without Checking Size of Input" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03", + "refsource": "MISC", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:40.119Z" + }, + "references": [ + { + "name": "Test (7021/24750) [3271/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22723" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22723", + "datePublished": "2022-02-04T22:29:35", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:40.119Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Modicon M340 CPUs: BMXP34 (All Versions) ", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Modicon M340 CPUs: BMXP34 (All Versions)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC. Affected Product: Modicon M340 CPUs: BMXP34 (All Versions)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-400", + "description": "CWE-400: Uncontrolled Resource Consumption", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T22:29:36", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-01" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22724", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Modicon M340 CPUs: BMXP34 (All Versions) ", + "version": { + "version_data": [ + { + "version_value": "Modicon M340 CPUs: BMXP34 (All Versions)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC. Affected Product: Modicon M340 CPUs: BMXP34 (All Versions)" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-400: Uncontrolled Resource Consumption" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-01", + "refsource": "MISC", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-01" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:40.439Z" + }, + "references": [ + { + "name": "Test (7022/24750) [3272/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22724" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22724", + "datePublished": "2022-02-04T22:29:36", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:40.439Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Easergy P3 (All versions prior to V30.205)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Easergy P3 (All versions prior to V30.205)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could lead to a buffer overflow causing program crashes and arbitrary code execution when specially crafted packets are sent to the device over the network. Protection functions and tripping function via GOOSE can be impacted. Affected Product: Easergy P3 (All versions prior to V30.205)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "description": "CWE-120: Buffer Copy without Checking Size of Input", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T22:29:37", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-04" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22725", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Easergy P3 (All versions prior to V30.205)", + "version": { + "version_data": [ + { + "version_value": "Easergy P3 (All versions prior to V30.205)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could lead to a buffer overflow causing program crashes and arbitrary code execution when specially crafted packets are sent to the device over the network. Protection functions and tripping function via GOOSE can be impacted. Affected Product: Easergy P3 (All versions prior to V30.205)" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-120: Buffer Copy without Checking Size of Input" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-04", + "refsource": "MISC", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-04" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:40.748Z" + }, + "references": [ + { + "name": "Test (7023/24750) [3273/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22725" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22725", + "datePublished": "2022-02-04T22:29:37", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:40.748Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the server to be read by authenticated users through a limited operating system service account. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-20", + "description": "CWE-20: Improper Input Validation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T22:29:38", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22726", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)", + "version": { + "version_data": [ + { + "version_value": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the server to be read by authenticated users through a limited operating system service account. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20: Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07", + "refsource": "MISC", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:41.051Z" + }, + "references": [ + { + "name": "Test (7024/24750) [3274/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22726" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22726", + "datePublished": "2022-02-04T22:29:38", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:41.051Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-20: Improper Input Validation vulnerability exists that could allow an unauthenticated attacker to view data, change settings, impact availability of the software, or potentially impact a user�s local machine when the user clicks a specially crafted link. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-20", + "description": "CWE-20: Improper Input Validation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T22:29:38", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22727", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)", + "version": { + "version_data": [ + { + "version_value": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-20: Improper Input Validation vulnerability exists that could allow an unauthenticated attacker to view data, change settings, impact availability of the software, or potentially impact a user�s local machine when the user clicks a specially crafted link. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20: Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07", + "refsource": "MISC", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:41.428Z" + }, + "references": [ + { + "name": "Test (7025/24750) [3275/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22727" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22727", + "datePublished": "2022-02-04T22:29:38", + "dateReserved": "2022-01-06T00:00:00", + "dateUpdated": "2024-06-03T14:54:41.428Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22728", + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "dateUpdated": "2024-06-03T14:54:41.727Z", + "dateReserved": "2022-01-06T00:00:00", + "datePublished": "2022-08-25T00:00:00" + }, + "containers": { + "cna": { + "title": "libapreq2 multipart form parse memory corruption", + "providerMetadata": { + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache", + "dateUpdated": "2023-05-03T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack." + } + ], + "affected": [ + { + "vendor": "Apache Software Foundation", + "product": "libapreq2", + "versions": [ + { + "version": "unspecified", + "lessThanOrEqual": "2.16", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://lists.apache.org/thread/2fsjoor96d47vtkpf76x4yo06nccvy1y" + }, + { + "name": "[oss-security] 20220825 Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/08/25/4" + }, + { + "name": "[oss-security] 20220825 CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/08/25/3" + }, + { + "name": "[oss-security] 20220826 Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/08/26/4" + }, + { + "name": "FEDORA-2022-9e5046934e", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PUUS3JL44UUSLJTSXE46HVKZIW7E7PE/" + }, + { + "name": "FEDORA-2022-cf658a432f", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE5MEHGIQUEIISBCVHM43IN2NBDXBFOJ/" + }, + { + "name": "FEDORA-2022-61f5b492b7", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HZZKVHYYWACPWONPEFRNPIRE3HYLV4T/" + }, + { + "name": "[oss-security] 20221229 Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/12/29/1" + }, + { + "name": "[oss-security] 20221230 Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/12/30/4" + }, + { + "name": "[oss-security] 20221231 Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/12/31/1" + }, + { + "name": "[oss-security] 20221231 Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/12/31/5" + }, + { + "name": "[oss-security] 20230102 Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2023/01/02/1" + }, + { + "name": "[oss-security] 20230102 Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2023/01/02/2" + }, + { + "name": "[oss-security] 20230103 Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2023/01/03/2" + }, + { + "name": "[debian-lts-announce] 20230114 [SECURITY] [DLA 3269-1] libapreq2 security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00009.html" + }, + { + "name": "GLSA-202305-20", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202305-20" + } + ], + "metrics": [ + { + "other": { + "type": "unknown", + "content": { + "other": "important" + } + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + "cweId": "CWE-120" + } + ] + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "source": { + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:41.727Z" + }, + "references": [ + { + "name": "Test (7026/24750) [3276/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22728" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "CENTUM CS 3000", + "vendor": "Yokogawa Electric Corporation", + "versions": [ + { + "status": "affected", + "version": "versions from R3.08.10 to R3.09.00" + } + ] + }, + { + "product": "CENTUM VP", + "vendor": "Yokogawa Electric Corporation", + "versions": [ + { + "status": "affected", + "version": "versions from R4.01.00 to R4.03.00" + }, + { + "status": "affected", + "version": "versions from R5.01.00 to R5.04.20" + }, + { + "status": "affected", + "version": "versions from R6.01.00 to R6.08.00" + } + ] + }, + { + "product": "Exaopc", + "vendor": "Yokogawa Electric Corporation", + "versions": [ + { + "status": "affected", + "version": "versions from R3.72.00 to R3.79.00" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "CAMS for HIS Server contained in the following Yokogawa Electric products improperly authenticate the receiving packets. The authentication may be bypassed via some crafted packets: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-302", + "description": "CWE-302: Authentication Bypass by Assumed-Immutable Data", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-11T09:10:50", + "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", + "shortName": "jpcert" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vultures@jpcert.or.jp", + "ID": "CVE-2022-22729", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "CENTUM CS 3000", + "version": { + "version_data": [ + { + "version_value": "versions from R3.08.10 to R3.09.00" + } + ] + } + }, + { + "product_name": "CENTUM VP", + "version": { + "version_data": [ + { + "version_value": "versions from R4.01.00 to R4.03.00" + }, + { + "version_value": "versions from R5.01.00 to R5.04.20" + }, + { + "version_value": "versions from R6.01.00 to R6.08.00" + } + ] + } + }, + { + "product_name": "Exaopc", + "version": { + "version_data": [ + { + "version_value": "versions from R3.72.00 to R3.79.00" + } + ] + } + } + ] + }, + "vendor_name": "Yokogawa Electric Corporation" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "CAMS for HIS Server contained in the following Yokogawa Electric products improperly authenticate the receiving packets. The authentication may be bypassed via some crafted packets: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-302: Authentication Bypass by Assumed-Immutable Data" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf", + "refsource": "CONFIRM", + "url": "https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:42.039Z" + }, + "references": [ + { + "name": "Test (7027/24750) [3277/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22729" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", + "assignerShortName": "jpcert", + "cveId": "CVE-2022-22729", + "datePublished": "2022-03-11T09:10:50", + "dateReserved": "2022-02-03T00:00:00", + "dateUpdated": "2024-06-03T14:54:42.039Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Intel(R) Edge Insights for Industrial software", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "before version 2.6.1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Improper authentication in the Intel(R) Edge Insights for Industrial software before version 2.6.1 may allow an unauthenticated user to potentially enable escalation of privilege via network access." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "escalation of privilege", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-18T19:44:53", + "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", + "shortName": "intel" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00653.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "secure@intel.com", + "ID": "CVE-2022-22730", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Intel(R) Edge Insights for Industrial software", + "version": { + "version_data": [ + { + "version_value": "before version 2.6.1" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Improper authentication in the Intel(R) Edge Insights for Industrial software before version 2.6.1 may allow an unauthenticated user to potentially enable escalation of privilege via network access." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "escalation of privilege" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00653.html", + "refsource": "MISC", + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00653.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:42.371Z" + }, + "references": [ + { + "name": "Test (7028/24750) [3278/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22730" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", + "assignerShortName": "intel", + "cveId": "CVE-2022-22730", + "datePublished": "2022-08-18T19:44:53", + "dateReserved": "2022-02-03T00:00:00", + "dateUpdated": "2024-06-03T14:54:42.371Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22731", + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "dateUpdated": "2024-06-03T14:54:42.694Z", + "dateReserved": "2022-01-06T00:00:00", + "datePublished": "2023-01-30T00:00:00" + }, + "containers": { + "cna": { + "datePublic": "2022-06-14T00:00:00", + "providerMetadata": { + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider", + "dateUpdated": "2023-01-30T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in a function that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause path traversal attacks. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)" + } + ], + "affected": [ + { + "vendor": "Schneider Electric", + "product": "EcoStruxure Power Commission", + "versions": [ + { + "version": "All", + "status": "affected", + "lessThan": "V2.22", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf" + } + ], + "metrics": [ + { + "cvssV3_1": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "REQUIRED", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "cweId": "CWE-22" + } + ] + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "source": { + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:42.694Z" + }, + "references": [ + { + "name": "Test (7029/24750) [3279/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22731" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22732", + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "dateUpdated": "2024-06-03T14:54:43.005Z", + "dateReserved": "2022-01-06T00:00:00", + "datePublished": "2023-01-30T00:00:00" + }, + "containers": { + "cna": { + "datePublic": "2022-06-14T00:00:00", + "providerMetadata": { + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider", + "dateUpdated": "2023-01-30T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause all remote domains to access the resources (data) supplied by the server when an attacker sends a fetch request from third-party site or malicious site. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)" + } + ], + "affected": [ + { + "vendor": "Schneider Electric", + "product": "EcoStruxure Power Commission", + "versions": [ + { + "version": "All", + "status": "affected", + "lessThan": "V2.22", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf" + } + ], + "metrics": [ + { + "cvssV3_1": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", + "attackVector": "LOCAL", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 3.9, + "baseSeverity": "LOW" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-668 Exposure of Resource to Wrong Sphere", + "cweId": "CWE-668" + } + ] + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "source": { + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:43.005Z" + }, + "references": [ + { + "name": "Test (7030/24750) [3280/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22732" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Apache ShardingSphere ElasticJob-UI", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThanOrEqual": "3.0.0", + "status": "affected", + "version": "Apache ShardingSphere ElasticJob-UI 3.x", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions." + } + ], + "metrics": [ + { + "other": { + "content": { + "other": "moderate" + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-200", + "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T15:06:07", + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://lists.apache.org/thread/qpdsm936n9bhksb0rzn6bq1h7ord2nm6" + }, + { + "name": "[oss-security] 20220120 CVE-2022-22733: Apache ShardingSphere ElasticJob-UI: Access-Token in ElasticJob UI causes password disclosure", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/20/2" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Access-Token in ElasticJob UI causes password disclosure", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@apache.org", + "ID": "CVE-2022-22733", + "STATE": "PUBLIC", + "TITLE": "Access-Token in ElasticJob UI causes password disclosure" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache ShardingSphere ElasticJob-UI", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "Apache ShardingSphere ElasticJob-UI 3.x", + "version_value": "3.0.0" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + { + "other": "moderate" + } + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://lists.apache.org/thread/qpdsm936n9bhksb0rzn6bq1h7ord2nm6", + "refsource": "MISC", + "url": "https://lists.apache.org/thread/qpdsm936n9bhksb0rzn6bq1h7ord2nm6" + }, + { + "name": "[oss-security] 20220120 CVE-2022-22733: Apache ShardingSphere ElasticJob-UI: Access-Token in ElasticJob UI causes password disclosure", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/20/2" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:43.329Z" + }, + "references": [ + { + "name": "Test (7031/24750) [3281/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22733" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2022-22733", + "datePublished": "2022-01-20T10:25:12", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:43.329Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", + "shortName": "WPScan", + "dateUpdated": "2023-07-04T09:28:07.970Z" + }, + "title": "Simple Quotation <= 1.3.2 - Quote Creation/Edition via CSRF to Stored Cross-Site Scripting", + "problemTypes": [ + { + "descriptions": [ + { + "description": "CWE-116 Improper Encoding or Escaping of Output", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "affected": [ + { + "vendor": "Unknown", + "product": "Simple Quotation", + "versions": [ + { + "status": "affected", + "versionType": "custom", + "version": "0", + "lessThanOrEqual": "1.3.2" + } + ], + "defaultStatus": "affected", + "collectionURL": "https://wordpress.org/plugins" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The Simple Quotation WordPress plugin through 1.3.2 does not have CSRF check when creating or editing a quote and does not sanitise and escape Quotes. As a result, attacker could make a logged in admin create or edit arbitrary quote, and put Cross-Site Scripting payloads in them" + } + ], + "references": [ + { + "url": "https://wpscan.com/vulnerability/f6e15a23-8f8c-47c2-8227-e277856d8251", + "tags": [ + "exploit", + "vdb-entry", + "technical-description" + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Abhishek Bhoir", + "type": "finder" + }, + { + "lang": "en", + "value": "WPScan", + "type": "coordinator" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "x_generator": { + "engine": "WPScan CVE Generator" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:43.631Z" + }, + "references": [ + { + "name": "Test (7032/24750) [3282/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22734" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", + "assignerShortName": "WPScan", + "cveId": "CVE-2022-22734", + "datePublished": "2022-03-14T14:41:53", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:43.631Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Simple Quotation", + "vendor": "Unknown", + "versions": [ + { + "lessThanOrEqual": "1.3.2", + "status": "affected", + "version": "1.3.2", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "abhishek bhoir" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The Simple Quotation WordPress plugin through 1.3.2 does not have authorisation (and CSRF) checks in various of its AJAX actions and is lacking escaping of user data when using it in SQL statements, allowing any authenticated users, such as subscriber to perform SQL injection attacks" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-89", + "description": "CWE-89 SQL Injection", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-14T14:41:54", + "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", + "shortName": "WPScan" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://wpscan.com/vulnerability/6940a97e-5a75-405c-be74-bedcc3a8ee00" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Simple Quotation <= 1.3.2 - Subscriber+ SQL injection", + "x_generator": "WPScan CVE Generator", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "contact@wpscan.com", + "ID": "CVE-2022-22735", + "STATE": "PUBLIC", + "TITLE": "Simple Quotation <= 1.3.2 - Subscriber+ SQL injection" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Simple Quotation", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "1.3.2", + "version_value": "1.3.2" + } + ] + } + } + ] + }, + "vendor_name": "Unknown" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "abhishek bhoir" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Simple Quotation WordPress plugin through 1.3.2 does not have authorisation (and CSRF) checks in various of its AJAX actions and is lacking escaping of user data when using it in SQL statements, allowing any authenticated users, such as subscriber to perform SQL injection attacks" + } + ] + }, + "generator": "WPScan CVE Generator", + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-89 SQL Injection" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://wpscan.com/vulnerability/6940a97e-5a75-405c-be74-bedcc3a8ee00", + "refsource": "MISC", + "url": "https://wpscan.com/vulnerability/6940a97e-5a75-405c-be74-bedcc3a8ee00" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:43.983Z" + }, + "references": [ + { + "name": "Test (7033/24750) [3283/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22735" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", + "assignerShortName": "WPScan", + "cveId": "CVE-2022-22735", + "datePublished": "2022-03-14T14:41:54", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:43.983Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22736", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:44.413Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. However the install directory is not world-writable by default.
*This bug only affects Firefox for Windows in a non-default installation. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1742692" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Potential local privilege escalation when loading modules from the install directory." + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:44.413Z" + }, + "references": [ + { + "name": "Test (7034/24750) [3284/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22736" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22737", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:44.727Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1745874" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Race condition when playing audio files" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:44.727Z" + }, + "references": [ + { + "name": "Test (7035/24750) [3285/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22737" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22738", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:45.066Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1742382" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Heap-buffer-overflow in blendGaussianBlur" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:45.066Z" + }, + "references": [ + { + "name": "Test (7036/24750) [3286/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22738" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22739", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:45.408Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1744158" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Missing throttling on external protocol launch dialog" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:45.408Z" + }, + "references": [ + { + "name": "Test (7037/24750) [3287/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22739" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22740", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:45.711Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1742334" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Use-after-free of ChannelEventQueue::mOwner" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:45.711Z" + }, + "references": [ + { + "name": "Test (7038/24750) [3288/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22740" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22741", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:46.029Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1740389" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Browser window spoof using fullscreen mode" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:46.029Z" + }, + "references": [ + { + "name": "Test (7039/24750) [3289/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22741" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22742", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:46.374Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1739923" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Out-of-bounds memory access when inserting text in edit mode" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:46.374Z" + }, + "references": [ + { + "name": "Test (7040/24750) [3290/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22742" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22743", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:46.720Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1739220" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Browser window spoof using fullscreen mode" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:46.720Z" + }, + "references": [ + { + "name": "Test (7041/24750) [3291/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22743" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22744", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:47.023Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "The constructed curl command from the \"Copy as curl\" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.
*This bug only affects Thunderbird for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1737252" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:47.023Z" + }, + "references": [ + { + "name": "Test (7042/24750) [3292/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22744" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22745", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:47.345Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1735856" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Leaking cross-origin URLs through securitypolicyviolation event" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:47.345Z" + }, + "references": [ + { + "name": "Test (7043/24750) [3293/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22745" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22746", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:47.647Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.
*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1735071" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Calling into reportValidity could have lead to fullscreen window spoof" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:47.647Z" + }, + "references": [ + { + "name": "Test (7044/24750) [3294/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22746" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22747", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:47.954Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1735028" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Crash when handling empty pkcs7 sequence" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:47.954Z" + }, + "references": [ + { + "name": "Test (7045/24750) [3295/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22747" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22748", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:48.315Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1705211" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Spoofed origin on external protocol launch dialog" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:48.315Z" + }, + "references": [ + { + "name": "Test (7046/24750) [3296/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22748" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22749", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:48.778Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.
*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1705094" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Lack of URL restrictions when scanning QR codes" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:48.778Z" + }, + "references": [ + { + "name": "Test (7047/24750) [3297/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22749" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22750", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:49.201Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "By generally accepting and passing resource handles across processes, a compromised content process might have confused higher privileged processes to interact with handles that the unprivileged process should not have access to.
*This bug only affects Firefox for Windows and MacOS. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1566608" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "IPC passing of resource handles could have lead to sandbox bypass" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:49.201Z" + }, + "references": [ + { + "name": "Test (7048/24750) [3298/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22750" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22751", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:49.610Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.5", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-02/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-03/" + }, + { + "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1664149%2C1737816%2C1739366%2C1740274%2C1740797%2C1741201%2C1741869%2C1743221%2C1743515%2C1745373%2C1746011" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Memory safety bugs fixed in Thunderbird 91.5" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:49.610Z" + }, + "references": [ + { + "name": "Test (7049/24750) [3299/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22751" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22752", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:49.972Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 96." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1741210%2C1742770" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Memory safety bugs fixed in Firefox 96" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:49.972Z" + }, + "references": [ + { + "name": "Test (7050/24750) [3300/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22752" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22753", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:50.504Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access.
*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "97", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-05/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-04/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-06/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1732435" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Privilege Escalation to SYSTEM on Windows via Maintenance Service" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:50.504Z" + }, + "references": [ + { + "name": "Test (7051/24750) [3301/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22753" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22754", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:50.893Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "97", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-05/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-04/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-06/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1750565" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Extensions could have bypassed permission confirmation during update" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:50.893Z" + }, + "references": [ + { + "name": "Test (7052/24750) [3302/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22754" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22755", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:51.298Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox < 97." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "97", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-04/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1309630" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "XSL could have allowed JavaScript execution after a tab was closed" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:51.298Z" + }, + "references": [ + { + "name": "Test (7053/24750) [3303/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22755" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22756", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:51.756Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "97", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-05/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-04/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-06/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1317873" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Drag and dropping an image could have resulted in the dropped object being an executable" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:51.756Z" + }, + "references": [ + { + "name": "Test (7054/24750) [3304/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22756" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22757", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:52.132Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it.
*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "97", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-04/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1720098" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Remote Agent did not prevent local websites from connecting" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:52.132Z" + }, + "references": [ + { + "name": "Test (7055/24750) [3305/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22757" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22758", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:52.547Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "When clicking on a tel: link, USSD codes, specified after a \\* character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.
*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "97", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-04/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1728742" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "tel: links could have sent USSD codes to the dialer on Firefox for Android" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:52.547Z" + }, + "references": [ + { + "name": "Test (7056/24750) [3306/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22758" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22759", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:52.912Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "If a document created a sandboxed iframe without allow-scripts, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "97", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-05/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-04/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-06/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1739957" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Sandboxed iframes could have executed script if the parent appended elements" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:52.912Z" + }, + "references": [ + { + "name": "Test (7057/24750) [3307/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22759" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22760", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:53.336Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "97", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-05/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-04/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-06/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1740985" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1748503" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Cross-Origin responses could be distinguished between script and non-script content-types" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:53.336Z" + }, + "references": [ + { + "name": "Test (7058/24750) [3308/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22760" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22761", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:53.744Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "97", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-05/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-04/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-06/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1745566" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "frame-ancestors Content Security Policy directive was not enforced for framed extension pages" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:53.744Z" + }, + "references": [ + { + "name": "Test (7059/24750) [3309/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22761" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22762", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:54.142Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Under certain circumstances, a JavaScript alert (or prompt) could have been shown while another website was displayed underneath it. This could have been abused to trick the user.
*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "97", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-04/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1743931" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "JavaScript Dialogs could have been displayed over other domains on Firefox for Android" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:54.142Z" + }, + "references": [ + { + "name": "Test (7060/24750) [3310/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22762" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22763", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:54.584Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox ESR < 91.6." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "96", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-05/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-06/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-01/" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1740534" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Script Execution during invalid object state" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:54.584Z" + }, + "references": [ + { + "name": "Test (7061/24750) [3311/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22763" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22764", + "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "assignerShortName": "mozilla", + "dateUpdated": "2024-06-03T14:54:55.028Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-12-22T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", + "shortName": "mozilla", + "dateUpdated": "2022-12-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6." + } + ], + "affected": [ + { + "vendor": "Mozilla", + "product": "Firefox", + "versions": [ + { + "version": "unspecified", + "lessThan": "97", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Thunderbird", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "Mozilla", + "product": "Firefox ESR", + "versions": [ + { + "version": "unspecified", + "lessThan": "91.6", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-05/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-04/" + }, + { + "url": "https://www.mozilla.org/security/advisories/mfsa2022-06/" + }, + { + "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1742682%2C1744165%2C1746545%2C1748210%2C1748279" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:55.028Z" + }, + "references": [ + { + "name": "Test (7062/24750) [3312/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22764" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BD Viper LT System", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "next of 2.0", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-11T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-798", + "description": "CWE-798 Use of Hard-coded Credentials", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-09T15:26:14", + "orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", + "shortName": "BD" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02" + } + ], + "solutions": [ + { + "lang": "en", + "value": "The fix is expected in BD Viper LT system version 4.80 software release." + } + ], + "source": { + "discovery": "INTERNAL" + }, + "title": "BD Viper LT System - Hardcoded Credentials", + "workarounds": [ + { + "lang": "en", + "value": "Ensure physical access controls are in place and only authorized end-users have access to the BD Viperâ„¢ LT system. Disconnect the BD Viper LT system from network access, where applicable. If the BD Viper LT system must be connected to a network, ensure industry standard network security policies and procedures are followed." + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@bd.com", + "DATE_PUBLIC": "2022-02-11T21:00:00.000Z", + "ID": "CVE-2022-22765", + "STATE": "PUBLIC", + "TITLE": "BD Viper LT System - Hardcoded Credentials" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BD Viper LT System", + "version": { + "version_data": [ + { + "version_affected": ">", + "version_value": "2.0" + } + ] + } + } + ] + }, + "vendor_name": "Becton Dickinson (BD)" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-798 Use of Hard-coded Credentials" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials", + "refsource": "CONFIRM", + "url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials" + }, + { + "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02", + "refsource": "MISC", + "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "The fix is expected in BD Viper LT system version 4.80 software release." + } + ], + "source": { + "discovery": "INTERNAL" + }, + "work_around": [ + { + "lang": "en", + "value": "Ensure physical access controls are in place and only authorized end-users have access to the BD Viperâ„¢ LT system. Disconnect the BD Viper LT system from network access, where applicable. If the BD Viper LT system must be connected to a network, ensure industry standard network security policies and procedures are followed." + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:55.442Z" + }, + "references": [ + { + "name": "Test (7063/24750) [3313/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22765" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", + "assignerShortName": "BD", + "cveId": "CVE-2022-22765", + "datePublished": "2022-02-11T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:55.442Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BD Pyxis Anesthesia Station ES", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis Anesthesia Station 4000", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis CATO", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis CIISafe", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis Inventory Connect", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis IV Prep", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis JITrBUD", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis KanBan RF", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis Logistics", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis Med Link Family", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis MedBank", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis MedStation 4000", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis MedStation ES", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis MedStation ES Server", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis ParAssist", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis PharmoPack", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis ProcedureStation (including EC)", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis Rapid Rx", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis StockStation", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis SupplyCenter", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis SupplyRoller", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis SupplyStation (including RF, EC, CP)", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Pyxis Track and Deliver", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + }, + { + "product": "BD Rowa Pouch Packaging Systems", + "vendor": "Becton Dickinson (BD) ", + "versions": [ + { + "status": "affected", + "version": "All" + } + ] + } + ], + "datePublic": "2022-02-12T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-798", + "description": "CWE-798 Use of Hard-coded Credentials", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-09T15:28:22", + "orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", + "shortName": "BD" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01" + } + ], + "source": { + "discovery": "INTERNAL" + }, + "title": "BD Pyxis Products - Hardcoded Credentials", + "workarounds": [ + { + "lang": "en", + "value": "Limit physical access to the device to only authorized personnel. Tightly control management of BD Pyxis system credentials provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Monitor and log all network traffic attempting to reach the affected products for suspicious activity. Work with your local BD support team ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts." + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@bd.com", + "DATE_PUBLIC": "2022-02-12T04:00:00.000Z", + "ID": "CVE-2022-22766", + "STATE": "PUBLIC", + "TITLE": "BD Pyxis Products - Hardcoded Credentials" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BD Pyxis Anesthesia Station ES", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis Anesthesia Station 4000", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis CATO", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis CIISafe", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis Inventory Connect", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis IV Prep", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis JITrBUD", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis KanBan RF", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis Logistics", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis Med Link Family", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis MedBank", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis MedStation 4000", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis MedStation ES", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis MedStation ES Server", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis ParAssist", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis PharmoPack", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis ProcedureStation (including EC)", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis Rapid Rx", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis StockStation", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis SupplyCenter", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis SupplyRoller", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis SupplyStation (including RF, EC, CP)", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Pyxis Track and Deliver", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + }, + { + "product_name": "BD Rowa Pouch Packaging Systems", + "version": { + "version_data": [ + { + "version_value": "All" + } + ] + } + } + ] + }, + "vendor_name": "Becton Dickinson (BD) " + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-798 Use of Hard-coded Credentials" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials", + "refsource": "CONFIRM", + "url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials" + }, + { + "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01", + "refsource": "MISC", + "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01" + } + ] + }, + "source": { + "discovery": "INTERNAL" + }, + "work_around": [ + { + "lang": "en", + "value": "Limit physical access to the device to only authorized personnel. Tightly control management of BD Pyxis system credentials provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Monitor and log all network traffic attempting to reach the affected products for suspicious activity. Work with your local BD support team ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts." + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:55.891Z" + }, + "references": [ + { + "name": "Test (7064/24750) [3314/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22766" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", + "assignerShortName": "BD", + "cveId": "CVE-2022-22766", + "datePublished": "2022-02-12T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:55.891Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BD Pyxis™ Anesthesia ES Station", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ CIISafe", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ Logistics", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ MedBank", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ MedStation™ 4000", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ MedStation™ ES", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ MedStation™ ES Server", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ ParAssist", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ Rapid Rx", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ StockStation", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ SupplyCenter", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ SupplyRoller", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ SupplyStation™", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ SupplyStation™ EC", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Pyxis™ SupplyStation™ RF auxiliary", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + }, + { + "product": "BD Rowa™ Pouch Packaging Systems", + "vendor": "Becton Dickinson (BD)", + "versions": [ + { + "status": "affected", + "version": "All versions" + } + ] + } + ], + "configurations": [ + { + "lang": "en", + "value": "To exploit this vulnerability, threat actors would have to gain access to the default credentials, infiltrate facility’s network, and gain access to individual devices and/or servers." + } + ], + "datePublic": "2022-05-31T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-262", + "description": "CWE-262: Not Using Password Aging", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-01T16:35:38", + "orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", + "shortName": "BD" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials" + } + ], + "solutions": [ + { + "lang": "en", + "value": "BD is currently strengthening our credential management capabilities in BD Pyxis™ products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates. BD is currently piloting a credential management solution that is initially targeted for only specific BD Pyxis™ product versions and will allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade or to applications are being evaluated as part of the overall remediation.\n" + } + ], + "source": { + "discovery": "INTERNAL" + }, + "title": "BD Pyxis™ Products – Default Credentials", + "workarounds": [ + { + "lang": "en", + "value": "Limit physical access to only authorized personnel.\n" + }, + { + "lang": "en", + "value": "Tightly control management of system passwords provided to authorized users." + }, + { + "lang": "en", + "value": "Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed." + }, + { + "lang": "en", + "value": "Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts." + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@bd.com", + "DATE_PUBLIC": "2022-05-31T15:00:00.000Z", + "ID": "CVE-2022-22767", + "STATE": "PUBLIC", + "TITLE": "BD Pyxis™ Products – Default Credentials" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BD Pyxis™ Anesthesia ES Station", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ CIISafe", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ Logistics", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ MedBank", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ MedStation™ 4000", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ MedStation™ ES", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ MedStation™ ES Server", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ ParAssist", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ Rapid Rx", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ StockStation", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ SupplyCenter", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ SupplyRoller", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ SupplyStation™", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ SupplyStation™ EC", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Pyxis™ SupplyStation™ RF auxiliary", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + }, + { + "product_name": "BD Rowa™ Pouch Packaging Systems", + "version": { + "version_data": [ + { + "version_value": "All versions" + } + ] + } + } + ] + }, + "vendor_name": "Becton Dickinson (BD)" + } + ] + } + }, + "configuration": [ + { + "lang": "en", + "value": "To exploit this vulnerability, threat actors would have to gain access to the default credentials, infiltrate facility’s network, and gain access to individual devices and/or servers." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-262: Not Using Password Aging" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials", + "refsource": "CONFIRM", + "url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "BD is currently strengthening our credential management capabilities in BD Pyxis™ products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates. BD is currently piloting a credential management solution that is initially targeted for only specific BD Pyxis™ product versions and will allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade or to applications are being evaluated as part of the overall remediation.\n" + } + ], + "source": { + "discovery": "INTERNAL" + }, + "work_around": [ + { + "lang": "en", + "value": "Limit physical access to only authorized personnel.\n" + }, + { + "lang": "en", + "value": "Tightly control management of system passwords provided to authorized users." + }, + { + "lang": "en", + "value": "Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed." + }, + { + "lang": "en", + "value": "Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts." + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:56.375Z" + }, + "references": [ + { + "name": "Test (7065/24750) [3315/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22767" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18", + "assignerShortName": "BD", + "cveId": "CVE-2022-22767", + "datePublished": "2022-05-31T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:56.375Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "TIBCO EBX", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "5.8.124", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "TIBCO EBX", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "5.9.3" + }, + { + "status": "affected", + "version": "5.9.4" + }, + { + "status": "affected", + "version": "5.9.5" + }, + { + "status": "affected", + "version": "5.9.6" + }, + { + "status": "affected", + "version": "5.9.7" + }, + { + "status": "affected", + "version": "5.9.8" + }, + { + "status": "affected", + "version": "5.9.9" + }, + { + "status": "affected", + "version": "5.9.10" + }, + { + "status": "affected", + "version": "5.9.11" + }, + { + "status": "affected", + "version": "5.9.12" + }, + { + "status": "affected", + "version": "5.9.13" + }, + { + "status": "affected", + "version": "5.9.14" + }, + { + "status": "affected", + "version": "5.9.15" + } + ] + }, + { + "product": "TIBCO EBX", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "6.0.0" + }, + { + "status": "affected", + "version": "6.0.1" + }, + { + "status": "affected", + "version": "6.0.2" + }, + { + "status": "affected", + "version": "6.0.3" + } + ] + }, + { + "product": "TIBCO EBX Add-ons", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "3.20.18", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "TIBCO EBX Add-ons", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "4.1.0" + }, + { + "status": "affected", + "version": "4.2.0" + }, + { + "status": "affected", + "version": "4.2.1" + }, + { + "status": "affected", + "version": "4.2.2" + }, + { + "status": "affected", + "version": "4.3.0" + }, + { + "status": "affected", + "version": "4.3.1" + }, + { + "status": "affected", + "version": "4.3.2" + }, + { + "status": "affected", + "version": "4.3.3" + }, + { + "status": "affected", + "version": "4.3.4" + }, + { + "status": "affected", + "version": "4.4.0" + }, + { + "status": "affected", + "version": "4.4.1" + }, + { + "status": "affected", + "version": "4.4.2" + }, + { + "status": "affected", + "version": "4.4.3" + }, + { + "status": "affected", + "version": "4.5.0" + }, + { + "status": "affected", + "version": "4.5.1" + }, + { + "status": "affected", + "version": "4.5.2" + }, + { + "status": "affected", + "version": "4.5.3" + }, + { + "status": "affected", + "version": "4.5.4" + }, + { + "status": "affected", + "version": "4.5.5" + }, + { + "status": "affected", + "version": "4.5.6" + } + ] + }, + { + "product": "TIBCO EBX Add-ons", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "5.0.0" + }, + { + "status": "affected", + "version": "5.0.1" + }, + { + "status": "affected", + "version": "5.1.0" + }, + { + "status": "affected", + "version": "5.1.1" + }, + { + "status": "affected", + "version": "5.2.0" + } + ] + }, + { + "product": "TIBCO Product and Service Catalog powered by TIBCO EBX", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "1.1.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-01-19T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Web server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EBX, TIBCO EBX Add-ons, TIBCO EBX Add-ons, TIBCO EBX Add-ons, and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.8.124 and below, TIBCO EBX: versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, 5.9.7, 5.9.8, 5.9.9, 5.9.10, 5.9.11, 5.9.12, 5.9.13, 5.9.14, and 5.9.15, TIBCO EBX: versions 6.0.0, 6.0.1, 6.0.2, and 6.0.3, TIBCO EBX Add-ons: versions 3.20.18 and below, TIBCO EBX Add-ons: versions 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, and 4.5.6, TIBCO EBX Add-ons: versions 5.0.0, 5.0.1, 5.1.0, 5.1.1, and 5.2.0, and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 1.1.0 and below." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-19T20:06:15", + "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "shortName": "tibco" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-19-2022-tibco-ebx-2022-22769" + } + ], + "solutions": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO EBX versions 5.8.124 and below update to version 5.8.125 or later\nTIBCO EBX versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, 5.9.7, 5.9.8, 5.9.9, 5.9.10, 5.9.11, 5.9.12, 5.9.13, 5.9.14, and 5.9.15 update to version 5.9.16 or later\nTIBCO EBX versions 6.0.0, 6.0.1, 6.0.2, and 6.0.3 update to version 6.0.4 or later\nTIBCO EBX Add-ons versions 3.20.18 and below update to version 3.20.19 or later\nTIBCO EBX Add-ons versions 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, and 4.5.6 update to version 4.5.7 or later\nTIBCO EBX Add-ons versions 5.0.0, 5.0.1, 5.1.0, 5.1.1, and 5.2.0 update to version 5.2.1 or later\nTIBCO Product and Service Catalog powered by TIBCO EBX versions 1.1.0 and below update to version 1.2.0 or later" + } + ], + "source": { + "discovery": "USER" + }, + "title": "TIBCO EBX vulnerabilities", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@tibco.com", + "DATE_PUBLIC": "2022-01-19T17:00:00Z", + "ID": "CVE-2022-22769", + "STATE": "PUBLIC", + "TITLE": "TIBCO EBX vulnerabilities" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TIBCO EBX", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "5.8.124" + } + ] + } + }, + { + "product_name": "TIBCO EBX", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "5.9.3" + }, + { + "version_affected": "=", + "version_value": "5.9.4" + }, + { + "version_affected": "=", + "version_value": "5.9.5" + }, + { + "version_affected": "=", + "version_value": "5.9.6" + }, + { + "version_affected": "=", + "version_value": "5.9.7" + }, + { + "version_affected": "=", + "version_value": "5.9.8" + }, + { + "version_affected": "=", + "version_value": "5.9.9" + }, + { + "version_affected": "=", + "version_value": "5.9.10" + }, + { + "version_affected": "=", + "version_value": "5.9.11" + }, + { + "version_affected": "=", + "version_value": "5.9.12" + }, + { + "version_affected": "=", + "version_value": "5.9.13" + }, + { + "version_affected": "=", + "version_value": "5.9.14" + }, + { + "version_affected": "=", + "version_value": "5.9.15" + } + ] + } + }, + { + "product_name": "TIBCO EBX", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "6.0.0" + }, + { + "version_affected": "=", + "version_value": "6.0.1" + }, + { + "version_affected": "=", + "version_value": "6.0.2" + }, + { + "version_affected": "=", + "version_value": "6.0.3" + } + ] + } + }, + { + "product_name": "TIBCO EBX Add-ons", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "3.20.18" + } + ] + } + }, + { + "product_name": "TIBCO EBX Add-ons", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "4.1.0" + }, + { + "version_affected": "=", + "version_value": "4.2.0" + }, + { + "version_affected": "=", + "version_value": "4.2.1" + }, + { + "version_affected": "=", + "version_value": "4.2.2" + }, + { + "version_affected": "=", + "version_value": "4.3.0" + }, + { + "version_affected": "=", + "version_value": "4.3.1" + }, + { + "version_affected": "=", + "version_value": "4.3.2" + }, + { + "version_affected": "=", + "version_value": "4.3.3" + }, + { + "version_affected": "=", + "version_value": "4.3.4" + }, + { + "version_affected": "=", + "version_value": "4.4.0" + }, + { + "version_affected": "=", + "version_value": "4.4.1" + }, + { + "version_affected": "=", + "version_value": "4.4.2" + }, + { + "version_affected": "=", + "version_value": "4.4.3" + }, + { + "version_affected": "=", + "version_value": "4.5.0" + }, + { + "version_affected": "=", + "version_value": "4.5.1" + }, + { + "version_affected": "=", + "version_value": "4.5.2" + }, + { + "version_affected": "=", + "version_value": "4.5.3" + }, + { + "version_affected": "=", + "version_value": "4.5.4" + }, + { + "version_affected": "=", + "version_value": "4.5.5" + }, + { + "version_affected": "=", + "version_value": "4.5.6" + } + ] + } + }, + { + "product_name": "TIBCO EBX Add-ons", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "5.0.0" + }, + { + "version_affected": "=", + "version_value": "5.0.1" + }, + { + "version_affected": "=", + "version_value": "5.1.0" + }, + { + "version_affected": "=", + "version_value": "5.1.1" + }, + { + "version_affected": "=", + "version_value": "5.2.0" + } + ] + } + }, + { + "product_name": "TIBCO Product and Service Catalog powered by TIBCO EBX", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.1.0" + } + ] + } + } + ] + }, + "vendor_name": "TIBCO Software Inc." + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Web server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EBX, TIBCO EBX Add-ons, TIBCO EBX Add-ons, TIBCO EBX Add-ons, and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.8.124 and below, TIBCO EBX: versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, 5.9.7, 5.9.8, 5.9.9, 5.9.10, 5.9.11, 5.9.12, 5.9.13, 5.9.14, and 5.9.15, TIBCO EBX: versions 6.0.0, 6.0.1, 6.0.2, and 6.0.3, TIBCO EBX Add-ons: versions 3.20.18 and below, TIBCO EBX Add-ons: versions 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, and 4.5.6, TIBCO EBX Add-ons: versions 5.0.0, 5.0.1, 5.1.0, 5.1.1, and 5.2.0, and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 1.1.0 and below." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.tibco.com/services/support/advisories", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "name": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-19-2022-tibco-ebx-2022-22769", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-19-2022-tibco-ebx-2022-22769" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO EBX versions 5.8.124 and below update to version 5.8.125 or later\nTIBCO EBX versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, 5.9.7, 5.9.8, 5.9.9, 5.9.10, 5.9.11, 5.9.12, 5.9.13, 5.9.14, and 5.9.15 update to version 5.9.16 or later\nTIBCO EBX versions 6.0.0, 6.0.1, 6.0.2, and 6.0.3 update to version 6.0.4 or later\nTIBCO EBX Add-ons versions 3.20.18 and below update to version 3.20.19 or later\nTIBCO EBX Add-ons versions 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, and 4.5.6 update to version 4.5.7 or later\nTIBCO EBX Add-ons versions 5.0.0, 5.0.1, 5.1.0, 5.1.1, and 5.2.0 update to version 5.2.1 or later\nTIBCO Product and Service Catalog powered by TIBCO EBX versions 1.1.0 and below update to version 1.2.0 or later" + } + ], + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:56.741Z" + }, + "references": [ + { + "name": "Test (7066/24750) [3316/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22769" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "assignerShortName": "tibco", + "cveId": "CVE-2022-22769", + "datePublished": "2022-01-19T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:56.741Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "TIBCO AuditSafe", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "1.1.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-15T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Web Server component of TIBCO Software Inc.'s TIBCO AuditSafe contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute API methods on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO AuditSafe: versions 1.1.0 and below." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the API methods of the affected system.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-15T18:07:41", + "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "shortName": "tibco" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/services/support/advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO AuditSafe versions 1.1.0 and below update to version 1.1.1 or later" + } + ], + "source": { + "discovery": "USER" + }, + "title": "TIBCO AuditSafe API Authentication vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@tibco.com", + "DATE_PUBLIC": "2022-02-15T17:00:00Z", + "ID": "CVE-2022-22770", + "STATE": "PUBLIC", + "TITLE": "TIBCO AuditSafe API Authentication vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TIBCO AuditSafe", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.1.0" + } + ] + } + } + ] + }, + "vendor_name": "TIBCO Software Inc." + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Web Server component of TIBCO Software Inc.'s TIBCO AuditSafe contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute API methods on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO AuditSafe: versions 1.1.0 and below." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the API methods of the affected system." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.tibco.com/services/support/advisories", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/services/support/advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO AuditSafe versions 1.1.0 and below update to version 1.1.1 or later" + } + ], + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:57.114Z" + }, + "references": [ + { + "name": "Test (7067/24750) [3317/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22770" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "assignerShortName": "tibco", + "cveId": "CVE-2022-22770", + "datePublished": "2022-02-15T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:57.114Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "TIBCO JasperReports Library", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "7.9.0" + } + ] + }, + { + "product": "TIBCO JasperReports Library for ActiveMatrix BPM", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "7.9.0" + } + ] + }, + { + "product": "TIBCO JasperReports Server", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "7.9.0" + }, + { + "status": "affected", + "version": "7.9.1" + } + ] + }, + { + "product": "TIBCO JasperReports Server for AWS Marketplace", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "7.9.0" + }, + { + "status": "affected", + "version": "7.9.1" + } + ] + }, + { + "product": "TIBCO JasperReports Server for ActiveMatrix BPM", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "7.9.0" + }, + { + "status": "affected", + "version": "7.9.1" + } + ] + }, + { + "product": "TIBCO JasperReports Server for Microsoft Azure", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "7.9.1" + } + ] + } + ], + "datePublic": "2022-03-15T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Server component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: version 7.9.0, TIBCO JasperReports Library for ActiveMatrix BPM: version 7.9.0, TIBCO JasperReports Server: versions 7.9.0 and 7.9.1, TIBCO JasperReports Server for AWS Marketplace: versions 7.9.0 and 7.9.1, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.0 and 7.9.1, and TIBCO JasperReports Server for Microsoft Azure: version 7.9.1." + } + ], + "metrics": [ + { + "cvssV3_0": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.9, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", + "version": "3.0" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "The impact of this vulnerability includes the theoretical possibility that a web server using the provided DefaultWebResourceHandler could expose details of the host system. The disclosed data could include credentials to access other systems.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-15T18:06:14", + "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "shortName": "tibco" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/support/advisories/2022/03/tibco-security-advisory-march-15-2022-tibco-jasperreports-library-2022-22771" + } + ], + "solutions": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO JasperReports Library version 7.9.0 update to version 7.9.2 or later\nTIBCO JasperReports Library for ActiveMatrix BPM version 7.9.0 update to version 7.9.2 or later\nTIBCO JasperReports Server versions 7.9.0 and 7.9.1 update to version 7.9.2 or later\nTIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and 7.9.1 update to version 7.9.2 or later\nTIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and 7.9.1 update to version 7.9.2 or later\nTIBCO JasperReports Server for Microsoft Azure version 7.9.1 update to version 7.9.2 or later" + } + ], + "source": { + "discovery": "USER" + }, + "title": "TIBCO JasperReports Library Directory Traversal Vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@tibco.com", + "DATE_PUBLIC": "2022-03-15T17:00:00Z", + "ID": "CVE-2022-22771", + "STATE": "PUBLIC", + "TITLE": "TIBCO JasperReports Library Directory Traversal Vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TIBCO JasperReports Library", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "7.9.0" + } + ] + } + }, + { + "product_name": "TIBCO JasperReports Library for ActiveMatrix BPM", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "7.9.0" + } + ] + } + }, + { + "product_name": "TIBCO JasperReports Server", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "7.9.0" + }, + { + "version_affected": "=", + "version_value": "7.9.1" + } + ] + } + }, + { + "product_name": "TIBCO JasperReports Server for AWS Marketplace", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "7.9.0" + }, + { + "version_affected": "=", + "version_value": "7.9.1" + } + ] + } + }, + { + "product_name": "TIBCO JasperReports Server for ActiveMatrix BPM", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "7.9.0" + }, + { + "version_affected": "=", + "version_value": "7.9.1" + } + ] + } + }, + { + "product_name": "TIBCO JasperReports Server for Microsoft Azure", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "7.9.1" + } + ] + } + } + ] + }, + "vendor_name": "TIBCO Software Inc." + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Server component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: version 7.9.0, TIBCO JasperReports Library for ActiveMatrix BPM: version 7.9.0, TIBCO JasperReports Server: versions 7.9.0 and 7.9.1, TIBCO JasperReports Server for AWS Marketplace: versions 7.9.0 and 7.9.1, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.0 and 7.9.1, and TIBCO JasperReports Server for Microsoft Azure: version 7.9.1." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.9, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "The impact of this vulnerability includes the theoretical possibility that a web server using the provided DefaultWebResourceHandler could expose details of the host system. The disclosed data could include credentials to access other systems." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.tibco.com/services/support/advisories", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "name": "https://www.tibco.com/support/advisories/2022/03/tibco-security-advisory-march-15-2022-tibco-jasperreports-library-2022-22771", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/support/advisories/2022/03/tibco-security-advisory-march-15-2022-tibco-jasperreports-library-2022-22771" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO JasperReports Library version 7.9.0 update to version 7.9.2 or later\nTIBCO JasperReports Library for ActiveMatrix BPM version 7.9.0 update to version 7.9.2 or later\nTIBCO JasperReports Server versions 7.9.0 and 7.9.1 update to version 7.9.2 or later\nTIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and 7.9.1 update to version 7.9.2 or later\nTIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and 7.9.1 update to version 7.9.2 or later\nTIBCO JasperReports Server for Microsoft Azure version 7.9.1 update to version 7.9.2 or later" + } + ], + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:57.428Z" + }, + "references": [ + { + "name": "Test (7068/24750) [3318/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22771" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "assignerShortName": "tibco", + "cveId": "CVE-2022-22771", + "datePublished": "2022-03-15T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:57.428Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "TIBCO Managed File Transfer Platform Server for UNIX", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "8.1.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "TIBCO Managed File Transfer Platform Server for z/Linux", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "8.1.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-03-30T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The cfsend, cfrecv, and CyberResp components of TIBCO Software Inc.'s TIBCO Managed File Transfer Platform Server for UNIX and TIBCO Managed File Transfer Platform Server for z/Linux contain a difficult to exploit Remote Code Execution (RCE) vulnerability that allows a low privileged attacker with network access to execute arbitrary code on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Managed File Transfer Platform Server for UNIX: versions 8.1.0 and below and TIBCO Managed File Transfer Platform Server for z/Linux: versions 8.1.0 and below." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Successful execution of this vulnerability can result in a low privileged attacker gaining full user access to the affected system.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-30T17:06:13", + "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "shortName": "tibco" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/support/advisories/2022/03/tibco-security-advisory-march-30-2022-tibco-managed-file-transfer-2022-22772" + } + ], + "solutions": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Managed File Transfer Platform Server for UNIX versions 8.1.0 and below update to version 8.1.1 or later\nTIBCO Managed File Transfer Platform Server for z/Linux versions 8.1.0 and below update to version 8.1.1 or later" + } + ], + "source": { + "discovery": "Toronto-Dominion Bank" + }, + "title": "TIBCO Managed File Transfer Platform Server Remote Code Execution Vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@tibco.com", + "DATE_PUBLIC": "2022-03-30T17:00:00Z", + "ID": "CVE-2022-22772", + "STATE": "PUBLIC", + "TITLE": "TIBCO Managed File Transfer Platform Server Remote Code Execution Vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TIBCO Managed File Transfer Platform Server for UNIX", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.1.0" + } + ] + } + }, + { + "product_name": "TIBCO Managed File Transfer Platform Server for z/Linux", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.1.0" + } + ] + } + } + ] + }, + "vendor_name": "TIBCO Software Inc." + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The cfsend, cfrecv, and CyberResp components of TIBCO Software Inc.'s TIBCO Managed File Transfer Platform Server for UNIX and TIBCO Managed File Transfer Platform Server for z/Linux contain a difficult to exploit Remote Code Execution (RCE) vulnerability that allows a low privileged attacker with network access to execute arbitrary code on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Managed File Transfer Platform Server for UNIX: versions 8.1.0 and below and TIBCO Managed File Transfer Platform Server for z/Linux: versions 8.1.0 and below." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Successful execution of this vulnerability can result in a low privileged attacker gaining full user access to the affected system." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.tibco.com/services/support/advisories", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "name": "https://www.tibco.com/support/advisories/2022/03/tibco-security-advisory-march-30-2022-tibco-managed-file-transfer-2022-22772", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/support/advisories/2022/03/tibco-security-advisory-march-30-2022-tibco-managed-file-transfer-2022-22772" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Managed File Transfer Platform Server for UNIX versions 8.1.0 and below update to version 8.1.1 or later\nTIBCO Managed File Transfer Platform Server for z/Linux versions 8.1.0 and below update to version 8.1.1 or later" + } + ], + "source": { + "discovery": "Toronto-Dominion Bank" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:57.746Z" + }, + "references": [ + { + "name": "Test (7069/24750) [3319/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22772" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "assignerShortName": "tibco", + "cveId": "CVE-2022-22772", + "datePublished": "2022-03-30T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:57.746Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "TIBCO JasperReports Server", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "8.0.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "TIBCO JasperReports Server - Community Edition", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "8.0.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "TIBCO JasperReports Server - Developer Edition", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "8.0.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "TIBCO JasperReports Server for AWS Marketplace", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "8.0.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "TIBCO JasperReports Server for ActiveMatrix BPM", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "7.9.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "TIBCO JasperReports Server for Microsoft Azure", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "8.0.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "TIBCO would like to extend its appreciation to Mohamed Rezgui for discovery of this vulnerability." + } + ], + "datePublic": "2022-05-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 8.0.1 and below, TIBCO JasperReports Server - Community Edition: versions 8.0.1 and below, TIBCO JasperReports Server - Developer Edition: versions 8.0.0 and below, TIBCO JasperReports Server for AWS Marketplace: versions 8.0.1 and below, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.2 and below, and TIBCO JasperReports Server for Microsoft Azure: versions 8.0.1 and below." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-17T18:06:17", + "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "shortName": "tibco" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-jasperreports-server-cve-2022-22773" + } + ], + "solutions": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO JasperReports Server versions 8.0.1 and below: update to version 8.0.2 or later\nTIBCO JasperReports Server - Community Edition versions 8.0.1 and below: update to version 8.0.2 or later\nTIBCO JasperReports Server - Developer Edition versions 8.0.0 and below: update to version 8.0.2 or later\nTIBCO JasperReports Server for AWS Marketplace versions 8.0.1 and below: update to version 8.0.2 or later\nTIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.2 and below: This product is deprecated and should be uninstalled\nTIBCO JasperReports Server for Microsoft Azure versions 8.0.1 and below: update to version 8.0.2 or later" + } + ], + "title": "TIBCO JasperReports Server Reflected Cross Site Scripting (XSS) vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@tibco.com", + "DATE_PUBLIC": "2022-05-17T17:00:00Z", + "ID": "CVE-2022-22773", + "STATE": "PUBLIC", + "TITLE": "TIBCO JasperReports Server Reflected Cross Site Scripting (XSS) vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TIBCO JasperReports Server", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.0.1" + } + ] + } + }, + { + "product_name": "TIBCO JasperReports Server - Community Edition", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.0.1" + } + ] + } + }, + { + "product_name": "TIBCO JasperReports Server - Developer Edition", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.0.0" + } + ] + } + }, + { + "product_name": "TIBCO JasperReports Server for AWS Marketplace", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.0.1" + } + ] + } + }, + { + "product_name": "TIBCO JasperReports Server for ActiveMatrix BPM", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "7.9.2" + } + ] + } + }, + { + "product_name": "TIBCO JasperReports Server for Microsoft Azure", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.0.1" + } + ] + } + } + ] + }, + "vendor_name": "TIBCO Software Inc." + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "TIBCO would like to extend its appreciation to Mohamed Rezgui for discovery of this vulnerability." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 8.0.1 and below, TIBCO JasperReports Server - Community Edition: versions 8.0.1 and below, TIBCO JasperReports Server - Developer Edition: versions 8.0.0 and below, TIBCO JasperReports Server for AWS Marketplace: versions 8.0.1 and below, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.2 and below, and TIBCO JasperReports Server for Microsoft Azure: versions 8.0.1 and below." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.tibco.com/services/support/advisories", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "name": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-jasperreports-server-cve-2022-22773", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-jasperreports-server-cve-2022-22773" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO JasperReports Server versions 8.0.1 and below: update to version 8.0.2 or later\nTIBCO JasperReports Server - Community Edition versions 8.0.1 and below: update to version 8.0.2 or later\nTIBCO JasperReports Server - Developer Edition versions 8.0.0 and below: update to version 8.0.2 or later\nTIBCO JasperReports Server for AWS Marketplace versions 8.0.1 and below: update to version 8.0.2 or later\nTIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.2 and below: This product is deprecated and should be uninstalled\nTIBCO JasperReports Server for Microsoft Azure versions 8.0.1 and below: update to version 8.0.2 or later" + } + ], + "source": { + "discovery": "" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:58.093Z" + }, + "references": [ + { + "name": "Test (7070/24750) [3320/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22773" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "assignerShortName": "tibco", + "cveId": "CVE-2022-22773", + "datePublished": "2022-05-17T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:58.093Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "TIBCO Managed File Transfer Command Center", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "8.3.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "TIBCO Managed File Transfer Command Center", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "8.4.0" + }, + { + "status": "affected", + "version": "8.4.1" + } + ] + }, + { + "product": "TIBCO Managed File Transfer Internet Server", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "8.3.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "TIBCO Managed File Transfer Internet Server", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "status": "affected", + "version": "8.4.0" + }, + { + "status": "affected", + "version": "8.4.1" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "TIBCO would like to extend its appreciation to Niv Levy for discovery of this vulnerability." + } + ], + "datePublic": "2022-05-10T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The DOM XML parser and SAX XML parser components of TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Internet Server, and TIBCO Managed File Transfer Internet Server contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute XML External Entity (XXE) attacks on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center: versions 8.3.1 and below, TIBCO Managed File Transfer Command Center: versions 8.4.0 and 8.4.1, TIBCO Managed File Transfer Internet Server: versions 8.3.1 and below, and TIBCO Managed File Transfer Internet Server: versions 8.4.0 and 8.4.1." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Successful execution of this vulnerability can result in unauthorized update, insert or delete access to data on the affected system and associated resources.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-10T17:06:09", + "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "shortName": "tibco" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-10-2022-tibco-mftcc-2022-22774" + } + ], + "solutions": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Managed File Transfer Command Center versions 8.3.1 and below update to version 8.3.2 or later\nTIBCO Managed File Transfer Command Center versions 8.4.0 and 8.4.1 update to version 8.4.2 or later\nTIBCO Managed File Transfer Internet Server versions 8.3.1 and below update to version 8.3.2 or later\nTIBCO Managed File Transfer Internet Server versions 8.4.0 and 8.4.1 update to version 8.4.2 or later" + } + ], + "source": { + "discovery": "Niv Levy" + }, + "title": "TIBCO Managed File Transfer Command Center XXE Vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@tibco.com", + "DATE_PUBLIC": "2022-05-10T17:00:00Z", + "ID": "CVE-2022-22774", + "STATE": "PUBLIC", + "TITLE": "TIBCO Managed File Transfer Command Center XXE Vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TIBCO Managed File Transfer Command Center", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.3.1" + } + ] + } + }, + { + "product_name": "TIBCO Managed File Transfer Command Center", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "8.4.0" + }, + { + "version_affected": "=", + "version_value": "8.4.1" + } + ] + } + }, + { + "product_name": "TIBCO Managed File Transfer Internet Server", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.3.1" + } + ] + } + }, + { + "product_name": "TIBCO Managed File Transfer Internet Server", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "8.4.0" + }, + { + "version_affected": "=", + "version_value": "8.4.1" + } + ] + } + } + ] + }, + "vendor_name": "TIBCO Software Inc." + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "TIBCO would like to extend its appreciation to Niv Levy for discovery of this vulnerability." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The DOM XML parser and SAX XML parser components of TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Internet Server, and TIBCO Managed File Transfer Internet Server contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute XML External Entity (XXE) attacks on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center: versions 8.3.1 and below, TIBCO Managed File Transfer Command Center: versions 8.4.0 and 8.4.1, TIBCO Managed File Transfer Internet Server: versions 8.3.1 and below, and TIBCO Managed File Transfer Internet Server: versions 8.4.0 and 8.4.1." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Successful execution of this vulnerability can result in unauthorized update, insert or delete access to data on the affected system and associated resources." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.tibco.com/services/support/advisories", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "name": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-10-2022-tibco-mftcc-2022-22774", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-10-2022-tibco-mftcc-2022-22774" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Managed File Transfer Command Center versions 8.3.1 and below update to version 8.3.2 or later\nTIBCO Managed File Transfer Command Center versions 8.4.0 and 8.4.1 update to version 8.4.2 or later\nTIBCO Managed File Transfer Internet Server versions 8.3.1 and below update to version 8.3.2 or later\nTIBCO Managed File Transfer Internet Server versions 8.4.0 and 8.4.1 update to version 8.4.2 or later" + } + ], + "source": { + "discovery": "Niv Levy" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:58.424Z" + }, + "references": [ + { + "name": "Test (7071/24750) [3321/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22774" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "assignerShortName": "tibco", + "cveId": "CVE-2022-22774", + "datePublished": "2022-05-10T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:58.424Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "TIBCO BPM Enterprise", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "4.3.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "4.3.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-05-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Workspace client component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow low privileged attackers with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.1 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.1 and below." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-17T18:06:11", + "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "shortName": "tibco" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-activematrix-bpm-cve-2022-22775" + } + ], + "solutions": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BPM Enterprise versions 4.3.1 and below: update to version 4.3.2 or later\nTIBCO BPM Enterprise Distribution for TIBCO Silver Fabric versions 4.3.1 and below: update to version 4.3.2 or later" + } + ], + "source": { + "discovery": "ING Bank N.V." + }, + "title": "TIBCO ActiveMatrix BPM Reflected Cross Site Scripting (XSS) vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@tibco.com", + "DATE_PUBLIC": "2022-05-17T17:00:00Z", + "ID": "CVE-2022-22775", + "STATE": "PUBLIC", + "TITLE": "TIBCO ActiveMatrix BPM Reflected Cross Site Scripting (XSS) vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TIBCO BPM Enterprise", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "4.3.1" + } + ] + } + }, + { + "product_name": "TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "4.3.1" + } + ] + } + } + ] + }, + "vendor_name": "TIBCO Software Inc." + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Workspace client component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow low privileged attackers with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.1 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.1 and below." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.tibco.com/services/support/advisories", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "name": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-activematrix-bpm-cve-2022-22775", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-activematrix-bpm-cve-2022-22775" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BPM Enterprise versions 4.3.1 and below: update to version 4.3.2 or later\nTIBCO BPM Enterprise Distribution for TIBCO Silver Fabric versions 4.3.1 and below: update to version 4.3.2 or later" + } + ], + "source": { + "discovery": "ING Bank N.V." + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:58.740Z" + }, + "references": [ + { + "name": "Test (7072/24750) [3322/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22775" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "assignerShortName": "tibco", + "cveId": "CVE-2022-22775", + "datePublished": "2022-05-17T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:58.740Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "TIBCO BusinessConnect Trading Community Management", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "6.1.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-05-18T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains easily exploitable vulnerabilities that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using these vulnerabilities requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-18T17:06:17", + "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "shortName": "tibco" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-18-2022-tibco-bctcm-cve-2022-22776" + } + ], + "solutions": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BusinessConnect Trading Community Management versions 6.1.0 and below: update to version 6.1.1 or later" + } + ], + "source": { + "discovery": "Brett Casper / Wisconsin Physicians Service Insurance Corporation" + }, + "title": "TIBCO BusinessConnect Trading Community Management Stored Cross Site Scripting Vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@tibco.com", + "DATE_PUBLIC": "2022-05-18T17:00:00Z", + "ID": "CVE-2022-22776", + "STATE": "PUBLIC", + "TITLE": "TIBCO BusinessConnect Trading Community Management Stored Cross Site Scripting Vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TIBCO BusinessConnect Trading Community Management", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "6.1.0" + } + ] + } + } + ] + }, + "vendor_name": "TIBCO Software Inc." + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains easily exploitable vulnerabilities that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using these vulnerabilities requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.tibco.com/services/support/advisories", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "name": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-18-2022-tibco-bctcm-cve-2022-22776", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-18-2022-tibco-bctcm-cve-2022-22776" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BusinessConnect Trading Community Management versions 6.1.0 and below: update to version 6.1.1 or later" + } + ], + "source": { + "discovery": "Brett Casper / Wisconsin Physicians Service Insurance Corporation" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:59.053Z" + }, + "references": [ + { + "name": "Test (7073/24750) [3323/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22776" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "assignerShortName": "tibco", + "cveId": "CVE-2022-22776", + "datePublished": "2022-05-18T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:59.053Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "TIBCO BusinessConnect Trading Community Management", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "6.1.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-05-18T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow an unauthenticated attacker with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Successful execution of this vulnerability can result in an attacker gaining partial access to the affected system and can result in unauthorized read, update, insert or delete access to a subset of resources.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-18T17:06:15", + "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "shortName": "tibco" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-18-2022-tibco-bctcm-cve-2022-22777" + } + ], + "solutions": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BusinessConnect Trading Community Management versions 6.1.0 and below: update to version 6.1.1 or later" + } + ], + "source": { + "discovery": "Brett Casper / Wisconsin Physicians Service Insurance Corporation" + }, + "title": "TIBCO BusinessConnect Trading Community Management Reflected Cross Site Scripting Vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@tibco.com", + "DATE_PUBLIC": "2022-05-18T17:00:00Z", + "ID": "CVE-2022-22777", + "STATE": "PUBLIC", + "TITLE": "TIBCO BusinessConnect Trading Community Management Reflected Cross Site Scripting Vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TIBCO BusinessConnect Trading Community Management", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "6.1.0" + } + ] + } + } + ] + }, + "vendor_name": "TIBCO Software Inc." + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow an unauthenticated attacker with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Successful execution of this vulnerability can result in an attacker gaining partial access to the affected system and can result in unauthorized read, update, insert or delete access to a subset of resources." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.tibco.com/services/support/advisories", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "name": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-18-2022-tibco-bctcm-cve-2022-22777", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-18-2022-tibco-bctcm-cve-2022-22777" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BusinessConnect Trading Community Management versions 6.1.0 and below: update to version 6.1.1 or later" + } + ], + "source": { + "discovery": "Brett Casper / Wisconsin Physicians Service Insurance Corporation" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:59.388Z" + }, + "references": [ + { + "name": "Test (7074/24750) [3324/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22777" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "assignerShortName": "tibco", + "cveId": "CVE-2022-22777", + "datePublished": "2022-05-18T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:59.388Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "TIBCO BusinessConnect Trading Community Management", + "vendor": "TIBCO Software Inc.", + "versions": [ + { + "lessThanOrEqual": "6.1.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-05-18T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute Cross-Site Request Forgery (CSRF) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-18T17:06:16", + "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "shortName": "tibco" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-18-2022-tibco-bctcm-cve-2022-22778" + } + ], + "solutions": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BusinessConnect Trading Community Management versions 6.1.0 and below: update to version 6.1.1 or later" + } + ], + "source": { + "discovery": "Brett Casper / Wisconsin Physicians Service Insurance Corporation" + }, + "title": "TIBCO BusinessConnect Trading Community Management Cross-Site Request Forgery Vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@tibco.com", + "DATE_PUBLIC": "2022-05-18T17:00:00Z", + "ID": "CVE-2022-22778", + "STATE": "PUBLIC", + "TITLE": "TIBCO BusinessConnect Trading Community Management Cross-Site Request Forgery Vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TIBCO BusinessConnect Trading Community Management", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "6.1.0" + } + ] + } + } + ] + }, + "vendor_name": "TIBCO Software Inc." + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute Cross-Site Request Forgery (CSRF) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.tibco.com/services/support/advisories", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/services/support/advisories" + }, + { + "name": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-18-2022-tibco-bctcm-cve-2022-22778", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-18-2022-tibco-bctcm-cve-2022-22778" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BusinessConnect Trading Community Management versions 6.1.0 and below: update to version 6.1.1 or later" + } + ], + "source": { + "discovery": "Brett Casper / Wisconsin Physicians Service Insurance Corporation" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:54:59.710Z" + }, + "references": [ + { + "name": "Test (7075/24750) [3325/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22778" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", + "assignerShortName": "tibco", + "cveId": "CVE-2022-22778", + "datePublished": "2022-05-18T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:54:59.710Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Keybase Client for macOS", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.9.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Keybase Client for Windows", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.9.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Olivia O'Hara" + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Keybase Clients for macOS and Windows before version 5.9.0 fails to properly remove exploded messages initiated by a user. This can occur if the receiving user switches to a non-chat feature and places the host in a sleep state before the sending user explodes the messages. This could lead to disclosure of sensitive information which was meant to be deleted from a user’s filesystem." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.7, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Improper Enforcement of Behavioral Workflow", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-09T22:05:15", + "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "shortName": "Zoom" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + } + ], + "source": { + "discovery": "USER" + }, + "title": "Retained exploded messages in Keybase clients for macOS and Windows", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@zoom.us", + "DATE_PUBLIC": "2022-02-08T12:00:00.000Z", + "ID": "CVE-2022-22779", + "STATE": "PUBLIC", + "TITLE": "Retained exploded messages in Keybase clients for macOS and Windows" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Keybase Client for macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.9.0" + } + ] + } + }, + { + "product_name": "Keybase Client for Windows", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.9.0" + } + ] + } + } + ] + }, + "vendor_name": "Zoom Video Communications Inc" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Olivia O'Hara" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Keybase Clients for macOS and Windows before version 5.9.0 fails to properly remove exploded messages initiated by a user. This can occur if the receiving user switches to a non-chat feature and places the host in a sleep state before the sending user explodes the messages. This could lead to disclosure of sensitive information which was meant to be deleted from a user’s filesystem." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.7, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Enforcement of Behavioral Workflow" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://explore.zoom.us/en/trust/security/security-bulletin", + "refsource": "MISC", + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + } + ] + }, + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:00.099Z" + }, + "references": [ + { + "name": "Test (7076/24750) [3326/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22779" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "assignerShortName": "Zoom", + "cveId": "CVE-2022-22779", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:00.099Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Zoom Client for Meetings for Android", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.8.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for iOS", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.9.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for Linux", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.8.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for macOS", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.7.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for Windows", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.6.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Johnny Yu of Walmart Global Tech" + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Zoom Client for Meetings chat functionality was susceptible to Zip bombing attacks in the following product versions: Android before version 5.8.6, iOS before version 5.9.0, Linux before version 5.8.6, macOS before version 5.7.3, and Windows before version 5.6.3. This could lead to availability issues on the client host by exhausting system resources." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 4.7, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Allocation of Resources Without Limits or Throttling", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-09T22:05:15", + "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "shortName": "Zoom" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + } + ], + "source": { + "discovery": "USER" + }, + "title": "Zoom Chat Susceptible to Zip Bombing", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@zoom.us", + "DATE_PUBLIC": "2022-02-08T12:00:00.000Z", + "ID": "CVE-2022-22780", + "STATE": "PUBLIC", + "TITLE": "Zoom Chat Susceptible to Zip Bombing" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Zoom Client for Meetings for Android", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.8.6" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for iOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.9.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for Linux", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.8.6" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for macOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.7.3" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for Windows", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.6.3" + } + ] + } + } + ] + }, + "vendor_name": "Zoom Video Communications Inc" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Johnny Yu of Walmart Global Tech" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Zoom Client for Meetings chat functionality was susceptible to Zip bombing attacks in the following product versions: Android before version 5.8.6, iOS before version 5.9.0, Linux before version 5.8.6, macOS before version 5.7.3, and Windows before version 5.6.3. This could lead to availability issues on the client host by exhausting system resources." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 4.7, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Allocation of Resources Without Limits or Throttling" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://explore.zoom.us/en/trust/security/security-bulletin", + "refsource": "MISC", + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + } + ] + }, + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:00.425Z" + }, + "references": [ + { + "name": "Test (7077/24750) [3327/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22780" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "assignerShortName": "Zoom", + "cveId": "CVE-2022-22780", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:00.425Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Zoom Client for Meetings for MacOS (Standard and for IT Admin)", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.9.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Patrick Wardle of Objective-See" + } + ], + "datePublic": "2022-04-27T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Zoom Client for Meetings for MacOS (Standard and for IT Admin) prior to version 5.9.6 failed to properly check the package version during the update process. This could lead to a malicious actor updating an unsuspecting user’s currently installed version to a less secure version." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Use of Less Trusted Source", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-28T14:59:42", + "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "shortName": "Zoom" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://explore.zoom.us/en/trust/security/security-bulletin/" + } + ], + "source": { + "discovery": "USER" + }, + "title": "Update package downgrade in Zoom Client for Meetings for MacOS", + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "Zoom Video Communications Inc", + "ASSIGNER": "security@zoom.us", + "DATE_PUBLIC": "2022-04-27T12:00:00.000Z", + "ID": "CVE-2022-22781", + "STATE": "PUBLIC", + "TITLE": "Update package downgrade in Zoom Client for Meetings for MacOS" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Zoom Client for Meetings for MacOS (Standard and for IT Admin)", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.9.6" + } + ] + } + } + ] + }, + "vendor_name": "Zoom Video Communications Inc" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Patrick Wardle of Objective-See" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Zoom Client for Meetings for MacOS (Standard and for IT Admin) prior to version 5.9.6 failed to properly check the package version during the update process. This could lead to a malicious actor updating an unsuspecting user’s currently installed version to a less secure version." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Use of Less Trusted Source" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://explore.zoom.us/en/trust/security/security-bulletin/", + "refsource": "MISC", + "url": "https://explore.zoom.us/en/trust/security/security-bulletin/" + } + ] + }, + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:00.737Z" + }, + "references": [ + { + "name": "Test (7078/24750) [3328/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22781" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "assignerShortName": "Zoom", + "cveId": "CVE-2022-22781", + "datePublished": "2022-04-27T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:00.737Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Zoom Client for Meetings for Windows", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.9.7", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Rooms for Conference Room for Windows", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Plugins for Microsoft Outlook for Windows", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom VDI Windows Meeting Clients", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.9.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Zero Day Initiative" + } + ], + "datePublic": "2022-04-27T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Zoom Client for Meetings for Windows prior to version 5.9.7, Zoom Rooms for Conference Room for Windows prior to version 5.10.0, Zoom Plugins for Microsoft Outlook for Windows prior to version 5.10.3, and Zoom VDI Windows Meeting Clients prior to version 5.9.6; was susceptible to a local privilege escalation issue during the installer repair operation. A malicious actor could utilize this to potentially delete system level files or folders, causing integrity or availability issues on the user’s host machine." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.9, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Incorrect Privilege Assignment", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-28T15:00:14", + "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "shortName": "Zoom" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://explore.zoom.us/en/trust/security/security-bulletin/" + } + ], + "source": { + "discovery": "USER" + }, + "title": "Local privilege escalation in Windows Zoom Clients", + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "Zoom Video Communications Inc", + "ASSIGNER": "security@zoom.us", + "DATE_PUBLIC": "2022-04-27T12:00:00.000Z", + "ID": "CVE-2022-22782", + "STATE": "PUBLIC", + "TITLE": "Local privilege escalation in Windows Zoom Clients" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Zoom Client for Meetings for Windows", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.9.7" + } + ] + } + }, + { + "product_name": "Zoom Rooms for Conference Room for Windows", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Plugins for Microsoft Outlook for Windows", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.3" + } + ] + } + }, + { + "product_name": "Zoom VDI Windows Meeting Clients", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.9.6" + } + ] + } + } + ] + }, + "vendor_name": "Zoom Video Communications Inc" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Zero Day Initiative" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Zoom Client for Meetings for Windows prior to version 5.9.7, Zoom Rooms for Conference Room for Windows prior to version 5.10.0, Zoom Plugins for Microsoft Outlook for Windows prior to version 5.10.3, and Zoom VDI Windows Meeting Clients prior to version 5.9.6; was susceptible to a local privilege escalation issue during the installer repair operation. A malicious actor could utilize this to potentially delete system level files or folders, causing integrity or availability issues on the user’s host machine." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.9, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Incorrect Privilege Assignment" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://explore.zoom.us/en/trust/security/security-bulletin/", + "refsource": "MISC", + "url": "https://explore.zoom.us/en/trust/security/security-bulletin/" + } + ] + }, + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:01.064Z" + }, + "references": [ + { + "name": "Test (7079/24750) [3329/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22782" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "assignerShortName": "Zoom", + "cveId": "CVE-2022-22782", + "datePublished": "2022-04-27T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:01.064Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Zoom On-Premise Meeting Connector Controller", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "status": "affected", + "version": "4.8.102.2022031" + } + ] + }, + { + "product": "Zoom On-Premise Meeting Connector MMR", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "status": "affected", + "version": "4.8.102.20220310" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Zoom Offensive Security Team" + } + ], + "datePublic": "2022-04-27T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability in Zoom On-Premise Meeting Connector Controller version 4.8.102.20220310 and On-Premise Meeting Connector MMR version 4.8.102.20220310 exposes process memory fragments to connected clients, which could be observed by a passive attacker." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Missing Initialization of a Variable", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-28T15:00:36", + "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "shortName": "Zoom" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://explore.zoom.us/en/trust/security/security-bulletin/" + } + ], + "source": { + "discovery": "USER" + }, + "title": "Process memory exposure in Zoom on-premise Meeting services", + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "Zoom Video Communications Inc", + "ASSIGNER": "security@zoom.us", + "DATE_PUBLIC": "2022-04-27T19:00:00.000Z", + "ID": "CVE-2022-22783", + "STATE": "PUBLIC", + "TITLE": "Process memory exposure in Zoom on-premise Meeting services" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Zoom On-Premise Meeting Connector Controller", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "4.8.102.2022031" + } + ] + } + }, + { + "product_name": "Zoom On-Premise Meeting Connector MMR", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "4.8.102.20220310" + } + ] + } + } + ] + }, + "vendor_name": "Zoom Video Communications Inc" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Zoom Offensive Security Team" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A vulnerability in Zoom On-Premise Meeting Connector Controller version 4.8.102.20220310 and On-Premise Meeting Connector MMR version 4.8.102.20220310 exposes process memory fragments to connected clients, which could be observed by a passive attacker." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "confidentialityRequirement": "HIGH", + "environmentalScore": 8.3, + "environmentalSeverity": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Missing Initialization of a Variable" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://explore.zoom.us/en/trust/security/security-bulletin/", + "refsource": "MISC", + "url": "https://explore.zoom.us/en/trust/security/security-bulletin/" + } + ] + }, + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:01.443Z" + }, + "references": [ + { + "name": "Test (7080/24750) [3330/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22783" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "assignerShortName": "Zoom", + "cveId": "CVE-2022-22783", + "datePublished": "2022-04-27T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:01.443Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Zoom Client for Meetings for Android", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for iOS", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for Linux", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for MacOS", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for Windows", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Ivan Fratric of Google Project Zero" + } + ], + "datePublic": "2022-05-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving users client perform a variety of actions.This issue could be used in a more sophisticated attack to forge XMPP messages from the server." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Improper Input Validation", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-18T15:41:50", + "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "shortName": "Zoom" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + } + ], + "source": { + "discovery": "USER" + }, + "title": "Improper XML Parsing in Zoom Client for Meetings", + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "Zoom Video Communications Inc", + "ASSIGNER": "security@zoom.us", + "DATE_PUBLIC": "2022-05-17T12:00:00.000Z", + "ID": "CVE-2022-22784", + "STATE": "PUBLIC", + "TITLE": "Improper XML Parsing in Zoom Client for Meetings" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Zoom Client for Meetings for Android", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for iOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for Linux", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for MacOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for Windows", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + } + ] + }, + "vendor_name": "Zoom Video Communications Inc" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Ivan Fratric of Google Project Zero" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving users client perform a variety of actions.This issue could be used in a more sophisticated attack to forge XMPP messages from the server." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://explore.zoom.us/en/trust/security/security-bulletin", + "refsource": "MISC", + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + } + ] + }, + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:01.816Z" + }, + "references": [ + { + "name": "Test (7081/24750) [3331/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22784" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "assignerShortName": "Zoom", + "cveId": "CVE-2022-22784", + "datePublished": "2022-05-17T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:01.816Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Zoom Client for Meetings for Android", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for iOS", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for Linux", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for MacOS", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for Windows", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Ivan Fratric of Google Project Zero" + } + ], + "datePublic": "2022-05-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Exposure of Resource to Wrong Sphere", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-18T15:42:19", + "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "shortName": "Zoom" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + } + ], + "source": { + "discovery": "USER" + }, + "title": "Improperly constrained session cookies in Zoom Client for Meetings", + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "Zoom Video Communications Inc", + "ASSIGNER": "security@zoom.us", + "DATE_PUBLIC": "2022-05-17T12:00:00.000Z", + "ID": "CVE-2022-22785", + "STATE": "PUBLIC", + "TITLE": "Improperly constrained session cookies in Zoom Client for Meetings" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Zoom Client for Meetings for Android", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for iOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for Linux", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for MacOS", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for Windows", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + } + ] + }, + "vendor_name": "Zoom Video Communications Inc" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Ivan Fratric of Google Project Zero" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Exposure of Resource to Wrong Sphere" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://explore.zoom.us/en/trust/security/security-bulletin", + "refsource": "MISC", + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + } + ] + }, + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:02.136Z" + }, + "references": [ + { + "name": "Test (7082/24750) [3332/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22785" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "assignerShortName": "Zoom", + "cveId": "CVE-2022-22785", + "datePublished": "2022-05-17T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:02.136Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Zoom Client for Meetings for Windows", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Rooms for Conference Room for Windows", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Ivan Fratric of Google Project Zero" + } + ], + "datePublic": "2022-05-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Use of Less Trusted Source", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-18T15:42:46", + "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "shortName": "Zoom" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + } + ], + "source": { + "discovery": "USER" + }, + "title": "Update package downgrade in Zoom Client for Meetings for Windows", + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "Zoom Video Communications Inc", + "ASSIGNER": "security@zoom.us", + "DATE_PUBLIC": "2022-05-17T12:00:00.000Z", + "ID": "CVE-2022-22786", + "STATE": "PUBLIC", + "TITLE": "Update package downgrade in Zoom Client for Meetings for Windows" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Zoom Client for Meetings for Windows", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Rooms for Conference Room for Windows", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.0" + } + ] + } + } + ] + }, + "vendor_name": "Zoom Video Communications Inc" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Ivan Fratric of Google Project Zero" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Use of Less Trusted Source" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://explore.zoom.us/en/trust/security/security-bulletin", + "refsource": "MISC", + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + } + ] + }, + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:02.483Z" + }, + "references": [ + { + "name": "Test (7083/24750) [3333/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22786" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "assignerShortName": "Zoom", + "cveId": "CVE-2022-22786", + "datePublished": "2022-05-17T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:02.483Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Zoom Client for Meetings for Android", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for iOS", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for Linux", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for MacOS", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "Zoom Client for Meetings for Windows", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Ivan Fratric of Google Project Zero" + } + ], + "datePublic": "2022-05-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly validate the hostname during a server switch request. This issue could be used in a more sophisticated attack to trick an unsuspecting users client to connect to a malicious server when attempting to use Zoom services." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Improper Input Validation", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-24T19:06:09", + "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "shortName": "Zoom" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/167238/Zoom-XMPP-Stanza-Smuggling-Remote-Code-Execution.html" + } + ], + "source": { + "discovery": "USER" + }, + "title": "Insufficient hostname validation during Clusterswitch message in Zoom Client for Meetings", + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "Zoom Video Communications Inc", + "ASSIGNER": "security@zoom.us", + "DATE_PUBLIC": "2022-05-17T12:00:00.000Z", + "ID": "CVE-2022-22787", + "STATE": "PUBLIC", + "TITLE": "Insufficient hostname validation during Clusterswitch message in Zoom Client for Meetings" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Zoom Client for Meetings for Android", + "version": { + "version_data": [ + { + "platform": "", + "version_affected": "<", + "version_name": "", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for iOS", + "version": { + "version_data": [ + { + "platform": "", + "version_affected": "<", + "version_name": "", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for Linux", + "version": { + "version_data": [ + { + "platform": "", + "version_affected": "<", + "version_name": "", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for MacOS", + "version": { + "version_data": [ + { + "platform": "", + "version_affected": "<", + "version_name": "", + "version_value": "5.10.0" + } + ] + } + }, + { + "product_name": "Zoom Client for Meetings for Windows", + "version": { + "version_data": [ + { + "platform": "", + "version_affected": "<", + "version_name": "", + "version_value": "5.10.0" + } + ] + } + } + ] + }, + "vendor_name": "Zoom Video Communications Inc" + } + ] + } + }, + "configuration": [], + "credit": [ + { + "lang": "eng", + "value": "Ivan Fratric of Google Project Zero" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly validate the hostname during a server switch request. This issue could be used in a more sophisticated attack to trick an unsuspecting users client to connect to a malicious server when attempting to use Zoom services." + } + ] + }, + "exploit": [], + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://explore.zoom.us/en/trust/security/security-bulletin", + "refsource": "CONFIRM", + "url": "https://explore.zoom.us/en/trust/security/security-bulletin" + }, + { + "name": "http://packetstormsecurity.com/files/167238/Zoom-XMPP-Stanza-Smuggling-Remote-Code-Execution.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/167238/Zoom-XMPP-Stanza-Smuggling-Remote-Code-Execution.html" + } + ] + }, + "solution": [], + "source": { + "advisory": "", + "defect": [], + "discovery": "USER" + }, + "work_around": [] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:02.829Z" + }, + "references": [ + { + "name": "Test (7084/24750) [3334/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22787" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "assignerShortName": "Zoom", + "cveId": "CVE-2022-22787", + "datePublished": "2022-05-17T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:02.829Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Zoom Client for Meetings", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + }, + { + "product": "All Zoom Rooms for Conference Room for Windows", + "vendor": "Zoom Video Communications Inc", + "versions": [ + { + "lessThan": "5.10.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Reported by James Tsz Ko Yeung" + } + ], + "datePublic": "2022-06-14T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The Zoom Opener installer is downloaded by a user from the Launch meeting page, when attempting to join a meeting without having the Zoom Meeting Client installed. The Zoom Opener installer for Zoom Client for Meetings before version 5.10.3 and Zoom Rooms for Conference Room for Windows before version 5.10.3 are susceptible to a DLL injection attack. This vulnerability could be used to run arbitrary code on the victims host." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Uncontrolled Search Path Element", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-15T20:12:24", + "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "shortName": "Zoom" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://explore.zoom.us/en/trust/security/security-bulletin/" + } + ], + "source": { + "discovery": "USER" + }, + "title": "DLL injection in Zoom Opener installer for Zoom and Zoom Rooms clients", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@zoom.us", + "DATE_PUBLIC": "2022-06-14T12:00:00.000Z", + "ID": "CVE-2022-22788", + "STATE": "PUBLIC", + "TITLE": "DLL injection in Zoom Opener installer for Zoom and Zoom Rooms clients" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Zoom Client for Meetings", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.3" + } + ] + } + }, + { + "product_name": "All Zoom Rooms for Conference Room for Windows", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "5.10.3" + } + ] + } + } + ] + }, + "vendor_name": "Zoom Video Communications Inc" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Reported by James Tsz Ko Yeung" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Zoom Opener installer is downloaded by a user from the Launch meeting page, when attempting to join a meeting without having the Zoom Meeting Client installed. The Zoom Opener installer for Zoom Client for Meetings before version 5.10.3 and Zoom Rooms for Conference Room for Windows before version 5.10.3 are susceptible to a DLL injection attack. This vulnerability could be used to run arbitrary code on the victims host." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Uncontrolled Search Path Element" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://explore.zoom.us/en/trust/security/security-bulletin/", + "refsource": "MISC", + "url": "https://explore.zoom.us/en/trust/security/security-bulletin/" + } + ] + }, + "source": { + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:03.168Z" + }, + "references": [ + { + "name": "Test (7085/24750) [3335/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22788" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", + "assignerShortName": "Zoom", + "cveId": "CVE-2022-22788", + "datePublished": "2022-06-14T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:03.168Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "FormStorm Enterprise", + "vendor": "Charactell ", + "versions": [ + { + "status": "affected", + "version": "FormStorm Enterprise version 9.00.065 9.00.065" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Michael Starchenko" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Charactell - FormStorm Enterprise Account takeover – An attacker can modify (add, remove and update) passwords file for all the users. The xx_users.ini file in the FormStorm folder contains usernames in cleartext and an obfuscated password. Malicious user can take over an account by replacing existing password in the file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Account Take Over", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:08", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "A patch was released, Charactell - FormStorm Enterprise version 9.00.066" + } + ], + "source": { + "advisory": "ILVN-2022-0010", + "defect": [ + "ILVN-2022-0010" + ], + "discovery": "EXTERNAL" + }, + "title": "Charactell - FormStorm Enterprise Account Take Over", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "ID": "CVE-2022-22789", + "STATE": "PUBLIC", + "TITLE": "Charactell - FormStorm Enterprise Account Take Over" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "FormStorm Enterprise", + "version": { + "version_data": [ + { + "version_name": "FormStorm Enterprise version 9.00.065", + "version_value": "9.00.065" + } + ] + } + } + ] + }, + "vendor_name": "Charactell " + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Michael Starchenko" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Charactell - FormStorm Enterprise Account takeover – An attacker can modify (add, remove and update) passwords file for all the users. The xx_users.ini file in the FormStorm folder contains usernames in cleartext and an obfuscated password. Malicious user can take over an account by replacing existing password in the file." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Account Take Over" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "A patch was released, Charactell - FormStorm Enterprise version 9.00.066" + } + ], + "source": { + "advisory": "ILVN-2022-0010", + "defect": [ + "ILVN-2022-0010" + ], + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:03.538Z" + }, + "references": [ + { + "name": "Test (7086/24750) [3336/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22789" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-22789", + "datePublished": "2022-01-25T19:11:08", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:03.538Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Dudu Moyal & Gad Abuhatziera - Sophtix Security LTD" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "SYNEL - eharmony Directory Traversal. Directory Traversal - is an attack against a server or a Web application aimed at unauthorized access to the file system. on the \"Name\" parameter the attacker can return to the root directory and open the host file. The path exposes sensitive files that users upload" + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-28T19:09:51", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "A patch was released, Update to eharmony version 11" + } + ], + "source": { + "advisory": "ILVN-2022-0011", + "defect": [ + "ILVN-2022-0011" + ], + "discovery": "INTERNAL" + }, + "title": "SYNEL - eharmony Directory Traversal", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "INCD", + "ASSIGNER": "cna@cyber.gov.il", + "ID": "CVE-2022-22790", + "STATE": "PUBLIC", + "TITLE": "SYNEL - eharmony Directory Traversal" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Dudu Moyal & Gad Abuhatziera - Sophtix Security LTD" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "SYNEL - eharmony Directory Traversal. Directory Traversal - is an attack against a server or a Web application aimed at unauthorized access to the file system. on the \"Name\" parameter the attacker can return to the root directory and open the host file. The path exposes sensitive files that users upload" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "A patch was released, Update to eharmony version 11" + } + ], + "source": { + "advisory": "ILVN-2022-0011", + "defect": [ + "ILVN-2022-0011" + ], + "discovery": "INTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:03.854Z" + }, + "references": [ + { + "name": "Test (7087/24750) [3337/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22790" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-22790", + "datePublished": "2022-01-28T19:09:51", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:03.854Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Moriel Harush - Sophtix Security LTD" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "SYNEL - eharmony Authenticated Blind & Stored XSS. Inject JS code into the \"comments\" field could lead to potential stealing of cookies, loading of HTML tags and JS code onto the system." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 6.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-28T19:09:52", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "A patch was released, Update to eharmony version 11 " + } + ], + "source": { + "advisory": "ILVN-2022-0012", + "defect": [ + "ILVN-2022-0012" + ], + "discovery": "INTERNAL" + }, + "title": "SYNEL - eharmony Authenticated Blind & Stored XSS", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "INCD", + "ASSIGNER": "cna@cyber.gov.il", + "ID": "CVE-2022-22791", + "STATE": "PUBLIC", + "TITLE": "SYNEL - eharmony Authenticated Blind & Stored XSS" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Moriel Harush - Sophtix Security LTD" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "SYNEL - eharmony Authenticated Blind & Stored XSS. Inject JS code into the \"comments\" field could lead to potential stealing of cookies, loading of HTML tags and JS code onto the system." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 6.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "A patch was released, Update to eharmony version 11 " + } + ], + "source": { + "advisory": "ILVN-2022-0012", + "defect": [ + "ILVN-2022-0012" + ], + "discovery": "INTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:04.173Z" + }, + "references": [ + { + "name": "Test (7088/24750) [3338/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22791" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-22791", + "datePublished": "2022-01-28T19:09:52", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:04.173Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "eharmony", + "vendor": "MobiSoft", + "versions": [ + { + "lessThanOrEqual": "1.0", + "status": "affected", + "version": "MobiPlus", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Dudu Moyal - Sophtix Security LTD" + } + ], + "datePublic": "2022-02-01T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "MobiSoft - MobiPlus User Take Over and Improper Handling of url Parameters Attacker can navigate to specific url which will expose all the users and password in clear text. http://IP/MobiPlusWeb/Handlers/MainHandler.ashx?MethodName=GridData&GridName=Users" + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 6.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-233", + "description": "CWE-233 Improper Handling of url Parameters", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:07", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "An update was released which addresses the issue" + } + ], + "source": { + "advisory": "ILVN-2022-0013", + "defect": [ + "ILVN-2022-0013" + ], + "discovery": "INTERNAL" + }, + "title": "MobiSoft - MobiPlus User Take Over and Improper Handling of url Parameters", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "INCD", + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-02-01T12:26:00.000Z", + "ID": "CVE-2022-22792", + "STATE": "PUBLIC", + "TITLE": "MobiSoft - MobiPlus User Take Over and Improper Handling of url Parameters" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "eharmony", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "MobiPlus", + "version_value": "1.0" + } + ] + } + } + ] + }, + "vendor_name": "MobiSoft" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Dudu Moyal - Sophtix Security LTD" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "MobiSoft - MobiPlus User Take Over and Improper Handling of url Parameters Attacker can navigate to specific url which will expose all the users and password in clear text. http://IP/MobiPlusWeb/Handlers/MainHandler.ashx?MethodName=GridData&GridName=Users" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 6.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-233 Improper Handling of url Parameters" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "An update was released which addresses the issue" + } + ], + "source": { + "advisory": "ILVN-2022-0013", + "defect": [ + "ILVN-2022-0013" + ], + "discovery": "INTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:04.506Z" + }, + "references": [ + { + "name": "Test (7089/24750) [3339/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22792" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-22792", + "datePublished": "2022-02-01T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:04.506Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Pineapp Mail Relay", + "vendor": "Cybonet", + "versions": [ + { + "status": "affected", + "version": "PineApp Latest" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Dudu Moyal - Sophtix Security LTD" + } + ], + "datePublic": "2022-02-14T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Cybonet - PineApp Mail Relay Local File Inclusion. Attacker can send a request to : /manage/mailpolicymtm/log/eml_viewer/email.content.body.php?filesystem_path=ENCDODED PATH and by doing that, the attacker can read Local Files inside the server." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Local File Inclusion ", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-24T16:14:16", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "A patch was released with code hardening by limiting the file path" + } + ], + "source": { + "defect": [ + "ILVN-2022-0014" + ], + "discovery": "INTERNAL" + }, + "title": "Cybonet - PineApp Mail Relay Local File Inclusion ", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "INCD", + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-02-14T10:16:00.000Z", + "ID": "CVE-2022-22793", + "STATE": "PUBLIC", + "TITLE": "Cybonet - PineApp Mail Relay Local File Inclusion " + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Pineapp Mail Relay", + "version": { + "version_data": [ + { + "version_name": "PineApp ", + "version_value": "Latest" + } + ] + } + } + ] + }, + "vendor_name": "Cybonet" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Dudu Moyal - Sophtix Security LTD" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Cybonet - PineApp Mail Relay Local File Inclusion. Attacker can send a request to : /manage/mailpolicymtm/log/eml_viewer/email.content.body.php?filesystem_path=ENCDODED PATH and by doing that, the attacker can read Local Files inside the server." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Local File Inclusion " + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "A patch was released with code hardening by limiting the file path" + } + ], + "source": { + "defect": [ + "ILVN-2022-0014" + ], + "discovery": "INTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:04.864Z" + }, + "references": [ + { + "name": "Test (7090/24750) [3340/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22793" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-22793", + "datePublished": "2022-02-14T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:04.864Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Pineapp Mail Relay", + "vendor": "Cybonet", + "versions": [ + { + "status": "affected", + "version": "PineApp Latest" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Dudu Moyal - Sophtix Security LTD" + }, + { + "lang": "en", + "value": "Gad Abuhatzeira - Sophtix Security LTD" + } + ], + "datePublic": "2022-02-14T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection. Attacker can send a request to: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /manage/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 and by doing that, the attacker can run Remote Code Execution in one liner." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Unauthenticated Sql Injection to Remote Code Execution.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-24T16:14:15", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "A patch was released with a hardening of the input validation" + } + ], + "source": { + "defect": [ + "ILVN-2022-0015" + ], + "discovery": "INTERNAL" + }, + "title": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection ", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "AKA": "INCD", + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-02-14T10:16:00.000Z", + "ID": "CVE-2022-22794", + "STATE": "PUBLIC", + "TITLE": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection " + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Pineapp Mail Relay", + "version": { + "version_data": [ + { + "version_name": "PineApp ", + "version_value": "Latest" + } + ] + } + } + ] + }, + "vendor_name": "Cybonet" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Dudu Moyal - Sophtix Security LTD" + }, + { + "lang": "eng", + "value": "Gad Abuhatzeira - Sophtix Security LTD" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Cybonet - PineApp Mail Relay Unauthenticated Sql Injection. Attacker can send a request to: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /manage/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 and by doing that, the attacker can run Remote Code Execution in one liner." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Unauthenticated Sql Injection to Remote Code Execution." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "A patch was released with a hardening of the input validation" + } + ], + "source": { + "defect": [ + "ILVN-2022-0015" + ], + "discovery": "INTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:05.182Z" + }, + "references": [ + { + "name": "Test (7091/24750) [3341/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22794" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-22794", + "datePublished": "2022-02-14T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:05.182Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Signiant", + "vendor": "Signiant", + "versions": [ + { + "status": "affected", + "version": "Signiant Build 78045 13.5.0 " + }, + { + "status": "affected", + "version": "Signiant Build 79008,14.0.0" + }, + { + "status": "affected", + "version": "Signiant Build 79687 14.1.0" + }, + { + "status": "affected", + "version": "Signiant Build 79687 15.0.0 " + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Anton Golotin" + } + ], + "datePublic": "2022-03-02T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and nt/authority on windows systems, which allows him to access and extract any file on the systems, such as passwd, shadow, hosts and so on. By gaining access to these files, attackers can steal sensitive information from the victims machine." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "PHYSICAL", + "availabilityImpact": "HIGH", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-611", + "description": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-09T14:56:32", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "All of 13.5, 14.1, and 15.1 have an update available.\nThe mitigation involved adding a filter that validates for external dtd." + } + ], + "source": { + "advisory": "ILVN-2022-0016", + "defect": [ + "ILVN-2022-0016" + ], + "discovery": "EXTERNAL" + }, + "title": "Signiant - Manager+Agents XML External Entity (XXE)", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-03-02T16:21:00.000Z", + "ID": "CVE-2022-22795", + "STATE": "PUBLIC", + "TITLE": "Signiant - Manager+Agents XML External Entity (XXE)" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Signiant", + "version": { + "version_data": [ + { + "version_name": "Signiant ", + "version_value": "Build 78045 13.5.0 " + }, + { + "version_name": "Signiant ", + "version_value": "Build 79008,14.0.0" + }, + { + "version_name": "Signiant ", + "version_value": "Build 79687 14.1.0" + }, + { + "version_name": "Signiant ", + "version_value": "Build 79687 15.0.0 " + } + ] + } + } + ] + }, + "vendor_name": "Signiant" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Anton Golotin" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and nt/authority on windows systems, which allows him to access and extract any file on the systems, such as passwd, shadow, hosts and so on. By gaining access to these files, attackers can steal sensitive information from the victims machine." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "PHYSICAL", + "availabilityImpact": "HIGH", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "All of 13.5, 14.1, and 15.1 have an update available.\nThe mitigation involved adding a filter that validates for external dtd." + } + ], + "source": { + "advisory": "ILVN-2022-0016", + "defect": [ + "ILVN-2022-0016" + ], + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:05.567Z" + }, + "references": [ + { + "name": "Test (7092/24750) [3342/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22795" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-22795", + "datePublished": "2022-03-02T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:05.567Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "cloud" + ], + "product": "Sysaid ", + "vendor": "SysAid ", + "versions": [ + { + "lessThanOrEqual": "21.1.29", + "status": "affected", + "version": "21.1.29 cloud version", + "versionType": "custom" + } + ] + }, + { + "platforms": [ + "on premise" + ], + "product": "Sysaid ", + "vendor": "SysAid ", + "versions": [ + { + "lessThanOrEqual": "21.4.44", + "status": "affected", + "version": "21.4.44 on premise version", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Dudu Moyal, Gad Abuhatziera, Moriel Harush, Alon Zuker - Sophtix Security LTD" + } + ], + "datePublic": "2022-05-09T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Sysaid – Sysaid System Takeover - An attacker can bypass the authentication process by accessing to: /wmiwizard.jsp, Then to: /ConcurrentLogin.jsp, then click on the login button, and it will redirect you to /home.jsp without any authentication." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "LOW", + "baseScore": 7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "System Take Over", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-12T19:47:32", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to 21.1.30 cloud version, or to 21.4.45 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0017" + ], + "discovery": "EXTERNAL" + }, + "title": "Sysaid – Sysaid System Takeover", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-05-09T11:39:00.000Z", + "ID": "CVE-2022-22796", + "STATE": "PUBLIC", + "TITLE": "Sysaid – Sysaid System Takeover" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Sysaid ", + "version": { + "version_data": [ + { + "platform": "cloud", + "version_affected": "<=", + "version_name": "21.1.29 cloud version", + "version_value": "21.1.29" + }, + { + "platform": "on premise", + "version_affected": "<=", + "version_name": "21.4.44 on premise version", + "version_value": "21.4.44" + } + ] + } + } + ] + }, + "vendor_name": "SysAid " + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Dudu Moyal, Gad Abuhatziera, Moriel Harush, Alon Zuker - Sophtix Security LTD" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Sysaid – Sysaid System Takeover - An attacker can bypass the authentication process by accessing to: /wmiwizard.jsp, Then to: /ConcurrentLogin.jsp, then click on the login button, and it will redirect you to /home.jsp without any authentication." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "LOW", + "baseScore": 7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "System Take Over" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to 21.1.30 cloud version, or to 21.4.45 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0017" + ], + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:05.896Z" + }, + "references": [ + { + "name": "Test (7093/24750) [3343/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22796" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-22796", + "datePublished": "2022-05-09T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:05.896Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "cloud" + ], + "product": "Sysaid ", + "vendor": "SysAid ", + "versions": [ + { + "lessThanOrEqual": "22.1.49", + "status": "affected", + "version": "22.1.49 cloud version", + "versionType": "custom" + } + ] + }, + { + "platforms": [ + "on premise" + ], + "product": "Sysaid ", + "vendor": "SysAid ", + "versions": [ + { + "lessThanOrEqual": "22.1.63", + "status": "affected", + "version": "22.1.63 on premise version", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Moriel Harush - Sophtix Security LTD" + } + ], + "datePublic": "2022-05-09T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Sysaid – sysaid Open Redirect - An Attacker can change the redirect link at the parameter \"redirectURL\" from\"GET\" request from the url location: /CommunitySSORedirect.jsp?redirectURL=https://google.com. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 4.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-601", + "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-12T19:48:08", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to 22.1.50 cloud version, or to 22.1.64 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0018" + ], + "discovery": "EXTERNAL" + }, + "title": "Sysaid – sysaid Open Redirect", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-05-09T11:39:00.000Z", + "ID": "CVE-2022-22797", + "STATE": "PUBLIC", + "TITLE": "Sysaid – sysaid Open Redirect" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Sysaid ", + "version": { + "version_data": [ + { + "platform": "cloud", + "version_affected": "<=", + "version_name": "22.1.49 cloud version", + "version_value": "22.1.49" + }, + { + "platform": "on premise", + "version_affected": "<=", + "version_name": "22.1.63 on premise version", + "version_value": "22.1.63" + } + ] + } + } + ] + }, + "vendor_name": "SysAid " + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Moriel Harush - Sophtix Security LTD" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Sysaid – sysaid Open Redirect - An Attacker can change the redirect link at the parameter \"redirectURL\" from\"GET\" request from the url location: /CommunitySSORedirect.jsp?redirectURL=https://google.com. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 4.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to 22.1.50 cloud version, or to 22.1.64 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0018" + ], + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:06.236Z" + }, + "references": [ + { + "name": "Test (7094/24750) [3344/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22797" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-22797", + "datePublished": "2022-05-09T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:06.236Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "cloud" + ], + "product": "Sysaid ", + "vendor": "SysAid ", + "versions": [ + { + "lessThanOrEqual": "22.1.49", + "status": "affected", + "version": "22.1.49 cloud version", + "versionType": "custom" + } + ] + }, + { + "platforms": [ + "on premise" + ], + "product": "Sysaid ", + "vendor": "SysAid ", + "versions": [ + { + "lessThanOrEqual": "22.1.63", + "status": "affected", + "version": "22.1.63 on premise version", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Gad Abuhatzeira, Alon Zuker - Sophtix Security LTD" + } + ], + "datePublic": "2022-05-09T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control v20.4.74 b10, v22.1.20 b62, v22.1.30 b49 - An attacker needs to log in as a guest after that the system redirects him to the service portal or EndUserPortal.JSP, then he needs to change the path in the URL to /ConcurrentLogin%2ejsp after that he will receive an error message with a login button, by clicking on it, he will connect to the system dashboard. The attacker can receive sensitive data like server details, usernames, workstations, etc. He can also perform actions such as uploading files, deleting calls from the system." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Broken Access Control", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-12T19:48:42", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to 22.1.50 cloud version, or to 22.1.64 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0019" + ], + "discovery": "EXTERNAL" + }, + "title": "Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-05-09T11:39:00.000Z", + "ID": "CVE-2022-22798", + "STATE": "PUBLIC", + "TITLE": "Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Sysaid ", + "version": { + "version_data": [ + { + "platform": "cloud", + "version_affected": "<=", + "version_name": "22.1.49 cloud version", + "version_value": "22.1.49" + }, + { + "platform": "on premise", + "version_affected": "<=", + "version_name": "22.1.63 on premise version", + "version_value": "22.1.63" + } + ] + } + } + ] + }, + "vendor_name": "SysAid " + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Gad Abuhatzeira, Alon Zuker - Sophtix Security LTD" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control v20.4.74 b10, v22.1.20 b62, v22.1.30 b49 - An attacker needs to log in as a guest after that the system redirects him to the service portal or EndUserPortal.JSP, then he needs to change the path in the URL to /ConcurrentLogin%2ejsp after that he will receive an error message with a login button, by clicking on it, he will connect to the system dashboard. The attacker can receive sensitive data like server details, usernames, workstations, etc. He can also perform actions such as uploading files, deleting calls from the system." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Broken Access Control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to 22.1.50 cloud version, or to 22.1.64 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0019" + ], + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:06.566Z" + }, + "references": [ + { + "name": "Test (7095/24750) [3345/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22798" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-22798", + "datePublished": "2022-05-09T00:00:00", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:06.566Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to view data, change settings, or impact availability of the software when the user visits a page containing the injected payload. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T22:29:39", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22804", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)", + "version": { + "version_data": [ + { + "version_value": "EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to view data, change settings, or impact availability of the software when the user visits a page containing the injected payload. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07", + "refsource": "MISC", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:06.895Z" + }, + "references": [ + { + "name": "Test (7096/24750) [3346/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22804" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22804", + "datePublished": "2022-02-04T22:29:39", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:06.895Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "SmartConnect ", + "vendor": "Schneider Electric", + "versions": [ + { + "status": "affected", + "version": "SMT Series " + }, + { + "status": "affected", + "version": "SMC Series" + }, + { + "status": "affected", + "version": "SMTL Series" + }, + { + "status": "affected", + "version": "SCL Series" + }, + { + "status": "affected", + "version": "SMX Series" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled. Affected Product: SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC Series ID=1018: UPS 04.2 and prior), SMTL Series (SMTL Series ID=1026: UPS 02.9 and prior), SCL Series (SCL Series ID=1029: UPS 02.5 and prior / SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior / SCL Series ID=1037: UPS 03.1 and prior), SMX Series (SMX Series ID=1031: UPS 03.1 and prior)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-28T16:25:28", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.se.com/ww/en/download/document/SEVD-2022-067-02/" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22805", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SmartConnect ", + "version": { + "version_data": [ + { + "version_value": "SMT Series " + }, + { + "version_value": "SMC Series" + }, + { + "version_value": "SMTL Series" + }, + { + "version_value": "SCL Series" + }, + { + "version_value": "SMX Series" + } + ] + } + } + ] + }, + "vendor_name": "Schneider Electric" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled. Affected Product: SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC Series ID=1018: UPS 04.2 and prior), SMTL Series (SMTL Series ID=1026: UPS 02.9 and prior), SCL Series (SCL Series ID=1029: UPS 02.5 and prior / SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior / SCL Series ID=1037: UPS 03.1 and prior), SMX Series (SMX Series ID=1031: UPS 03.1 and prior)" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.se.com/ww/en/download/document/SEVD-2022-067-02/", + "refsource": "MISC", + "url": "https://www.se.com/ww/en/download/document/SEVD-2022-067-02/" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:07.244Z" + }, + "references": [ + { + "name": "Test (7097/24750) [3347/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22805" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22805", + "datePublished": "2022-03-09T19:30:16", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:07.244Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "SmartConnect ", + "vendor": "Schneider Electric", + "versions": [ + { + "status": "affected", + "version": "SMT Series " + }, + { + "status": "affected", + "version": "SMC Series" + }, + { + "status": "affected", + "version": "SMTL Series" + }, + { + "status": "affected", + "version": "SCL Series" + }, + { + "status": "affected", + "version": "SMX Series" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent. Affected Product: SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC Series ID=1018: UPS 04.2 and prior), SMTL Series (SMTL Series ID=1026: UPS 02.9 and prior), SCL Series (SCL Series ID=1029: UPS 02.5 and prior / SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior / SCL Series ID=1037: UPS 03.1 and prior), SMX Series (SMX Series ID=1031: UPS 03.1 and prior)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-294", + "description": "CWE-294 Authentication Bypass by Capture-replay", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-28T16:25:29", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.se.com/ww/en/download/document/SEVD-2022-067-02/" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22806", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SmartConnect ", + "version": { + "version_data": [ + { + "version_value": "SMT Series " + }, + { + "version_value": "SMC Series" + }, + { + "version_value": "SMTL Series" + }, + { + "version_value": "SCL Series" + }, + { + "version_value": "SMX Series" + } + ] + } + } + ] + }, + "vendor_name": "Schneider Electric" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent. Affected Product: SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC Series ID=1018: UPS 04.2 and prior), SMTL Series (SMTL Series ID=1026: UPS 02.9 and prior), SCL Series (SCL Series ID=1029: UPS 02.5 and prior / SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior / SCL Series ID=1037: UPS 03.1 and prior), SMX Series (SMX Series ID=1031: UPS 03.1 and prior)" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-294 Authentication Bypass by Capture-replay" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.se.com/ww/en/download/document/SEVD-2022-067-02/", + "refsource": "MISC", + "url": "https://www.se.com/ww/en/download/document/SEVD-2022-067-02/" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:07.561Z" + }, + "references": [ + { + "name": "Test (7098/24750) [3348/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22806" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22806", + "datePublished": "2022-03-09T19:30:17", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:07.561Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22807", + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "dateUpdated": "2024-06-03T14:55:07.872Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-02-09T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider", + "dateUpdated": "2023-01-17T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user to use the web interface rendered within iframes. Affected Product: EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13)" + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13)", + "versions": [ + { + "version": "EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13)", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-02" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames", + "cweId": "CWE-1021" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:07.872Z" + }, + "references": [ + { + "name": "Test (7099/24750) [3349/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22807" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22808", + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "dateUpdated": "2024-06-03T14:55:08.185Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-02-09T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider", + "dateUpdated": "2022-11-10T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A CWE-352: Cross-Site Request Forgery (CSRF) exists that could cause a remote attacker to gain unauthorized access to the product when conducting cross-domain attacks based on same-origin policy or cross-site request forgery protections bypass. Affected Product: EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13)" + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13)", + "versions": [ + { + "version": "EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13)", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-02" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-352: Cross-Site Request Forgery (CSRF)", + "cweId": "CWE-352" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:08.185Z" + }, + "references": [ + { + "name": "Test (7100/24750) [3350/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22808" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22809", + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "dateUpdated": "2024-06-03T14:55:28.477Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-02-09T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider", + "dateUpdated": "2023-01-17T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow modifications of the touch configurations in an unauthorized manner when an attacker attempts to modify the touch configurations. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)", + "versions": [ + { + "version": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-306: Missing Authentication for Critical Function", + "cweId": "CWE-306" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:28.477Z" + }, + "references": [ + { + "name": "Test (7101/24750) [3351/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22809" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-307", + "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-09T22:05:07", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22810", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)", + "version": { + "version_data": [ + { + "version_value": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-307: Improper Restriction of Excessive Authentication Attempts" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04", + "refsource": "MISC", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:28.780Z" + }, + "references": [ + { + "name": "Test (7102/24750) [3352/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22810" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22810", + "datePublished": "2022-02-09T22:05:07", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:28.780Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists that could induce users to perform unintended actions, leading to the override of the system�s configurations when an attacker persuades a user to visit a rogue website. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-352", + "description": "CWE-352: Cross-Site Request Forgery (CSRF)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-09T22:05:08", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22811", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)", + "version": { + "version_data": [ + { + "version_value": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists that could induce users to perform unintended actions, leading to the override of the system�s configurations when an attacker persuades a user to visit a rogue website. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352: Cross-Site Request Forgery (CSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04", + "refsource": "MISC", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:29.101Z" + }, + "references": [ + { + "name": "Test (7103/24750) [3353/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22811" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22811", + "datePublished": "2022-02-09T22:05:08", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:29.101Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a web session compromise when an attacker injects and then executes arbitrary malicious JavaScript code inside the target browser. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-09T22:05:09", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22812", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)", + "version": { + "version_data": [ + { + "version_value": "spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a web session compromise when an attacker injects and then executes arbitrary malicious JavaScript code inside the target browser. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04", + "refsource": "MISC", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:29.436Z" + }, + "references": [ + { + "name": "Test (7104/24750) [3354/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22812" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22812", + "datePublished": "2022-02-09T22:05:09", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:29.436Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Easergy P40 Series model numbers with Ethernet option bit as Q, R, S (All PX4X firmware Versions)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Easergy P40 Series model numbers with Ethernet option bit as Q, R, S (All PX4X firmware Versions)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A CWE-798: Use of Hard-coded Credentials vulnerability exists. If an attacker were to obtain the TLS cryptographic key and take active control of the Courier tunneling communication network, they could potentially observe and manipulate traffic associated with product configuration." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-798", + "description": "CWE-798: Use of Hard-coded Credentials", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-09T22:05:06", + "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "shortName": "schneider" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-03" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cybersecurity@schneider-electric.com", + "ID": "CVE-2022-22813", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Easergy P40 Series model numbers with Ethernet option bit as Q, R, S (All PX4X firmware Versions)", + "version": { + "version_data": [ + { + "version_value": "Easergy P40 Series model numbers with Ethernet option bit as Q, R, S (All PX4X firmware Versions)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A CWE-798: Use of Hard-coded Credentials vulnerability exists. If an attacker were to obtain the TLS cryptographic key and take active control of the Courier tunneling communication network, they could potentially observe and manipulate traffic associated with product configuration." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-798: Use of Hard-coded Credentials" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-03", + "refsource": "MISC", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-03" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:29.754Z" + }, + "references": [ + { + "name": "Test (7105/24750) [3355/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22813" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", + "assignerShortName": "schneider", + "cveId": "CVE-2022-22813", + "datePublished": "2022-02-09T22:05:06", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:29.754Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The System Diagnosis service of MyASUS before 3.1.2.0 allows privilege escalation." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-10T15:17:13", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22814", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The System Diagnosis service of MyASUS before 3.1.2.0 allows privilege escalation." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/", + "refsource": "MISC", + "url": "https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:30.099Z" + }, + "references": [ + { + "name": "Test (7106/24750) [3356/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22814" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22814", + "datePublished": "2022-03-10T15:17:13", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:30.099Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22815", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:55:30.421Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-01-07T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-11-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling" + }, + { + "url": "https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331" + }, + { + "name": "[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html" + }, + { + "name": "DSA-5053", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5053" + }, + { + "name": "GLSA-202211-10", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202211-10" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:30.421Z" + }, + "references": [ + { + "name": "Test (7107/24750) [3357/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22815" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22816", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:55:30.751Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-01-07T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-11-22T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling" + }, + { + "url": "https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331" + }, + { + "name": "[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html" + }, + { + "name": "DSA-5053", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5053" + }, + { + "name": "GLSA-202211-10", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202211-10" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:30.751Z" + }, + "references": [ + { + "name": "Test (7108/24750) [3358/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22816" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22817", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:55:31.067Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-01-07T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2024-03-22T11:05:55.677996" + }, + "descriptions": [ + { + "lang": "en", + "value": "PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval" + }, + { + "name": "[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html" + }, + { + "name": "DSA-5053", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5053" + }, + { + "url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security" + }, + { + "name": "GLSA-202211-10", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202211-10" + }, + { + "name": "[debian-lts-announce] 20240322 [SECURITY] [DLA 3768-1] pillow security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:31.067Z" + }, + "references": [ + { + "name": "Test (7109/24750) [3359/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22817" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22818", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:55:31.409Z", + "dateReserved": "2022-01-07T00:00:00", + "datePublished": "2022-02-03T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-10-15T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://groups.google.com/forum/#%21forum/django-announce" + }, + { + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/" + }, + { + "name": "FEDORA-2022-e7fd530688", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220221-0003/" + }, + { + "name": "DSA-5254", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5254" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:31.409Z" + }, + "references": [ + { + "name": "Test (7110/24750) [3360/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22818" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "NXP LPC55S66JBD64, LPC55S66JBD100, LPC55S66JEV98, LPC55S69JBD64, LPC55S69JBD100, and LPC55S69JEV98 microcontrollers (ROM version 1B) have a buffer overflow in parsing SB2 updates before the signature is verified. This can allow an attacker to achieve non-persistent code execution via a crafted unsigned update." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-23T21:13:46", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.nxp.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://oxide.computer/blog/another-vulnerability-in-the-lpc55s69-rom" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22819", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "NXP LPC55S66JBD64, LPC55S66JBD100, LPC55S66JEV98, LPC55S69JBD64, LPC55S69JBD100, and LPC55S69JEV98 microcontrollers (ROM version 1B) have a buffer overflow in parsing SB2 updates before the signature is verified. This can allow an attacker to achieve non-persistent code execution via a crafted unsigned update." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.nxp.com", + "refsource": "MISC", + "url": "https://www.nxp.com" + }, + { + "name": "https://oxide.computer/blog/another-vulnerability-in-the-lpc55s69-rom", + "refsource": "MISC", + "url": "https://oxide.computer/blog/another-vulnerability-in-the-lpc55s69-rom" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:31.724Z" + }, + "references": [ + { + "name": "Test (7111/24750) [3361/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22819" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22819", + "datePublished": "2022-03-23T21:13:46", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:31.724Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "LINE for Windows", + "vendor": "LINE Corporation", + "versions": [ + { + "status": "affected", + "version": "<" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Due to the lack of media file checks before rendering, it was possible for an attacker to cause abnormal CPU consumption for message recipient by sending specially crafted gif image in LINE for Windows before 7.4." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T11:47:43", + "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb", + "shortName": "LINE" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://hackerone.com/reports/1357400" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "dl_cve@linecorp.com", + "ID": "CVE-2022-22820", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "LINE for Windows", + "version": { + "version_data": [ + { + "version_affected": "7.4", + "version_value": "<" + } + ] + } + } + ] + }, + "vendor_name": "LINE Corporation" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to the lack of media file checks before rendering, it was possible for an attacker to cause abnormal CPU consumption for message recipient by sending specially crafted gif image in LINE for Windows before 7.4." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://hackerone.com/reports/1357400", + "refsource": "MISC", + "url": "https://hackerone.com/reports/1357400" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:32.020Z" + }, + "references": [ + { + "name": "Test (7112/24750) [3362/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22820" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb", + "assignerShortName": "LINE", + "cveId": "CVE-2022-22820", + "datePublished": "2022-01-20T11:47:43", + "dateReserved": "2022-01-07T00:00:00", + "dateUpdated": "2024-06-03T14:55:32.020Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "NVIDIA NeMo before 1.6.0 contains a vulnerability in ASR WebApp, in which ../ Path Traversal may lead to deletion of any directory when admin privileges are available." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 2, + "baseSeverity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AC:L/AV:L/A:N/C:N/I:L/PR:H/S:U/UI:R", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-08T02:35:18", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/NVIDIA/NeMo/security/advisories/GHSA-rpx7-33j2-xx9x" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22821", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "NVIDIA NeMo before 1.6.0 contains a vulnerability in ASR WebApp, in which ../ Path Traversal may lead to deletion of any directory when admin privileges are available." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AC:L/AV:L/A:N/C:N/I:L/PR:H/S:U/UI:R", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/NVIDIA/NeMo/security/advisories/GHSA-rpx7-33j2-xx9x", + "refsource": "MISC", + "url": "https://github.com/NVIDIA/NeMo/security/advisories/GHSA-rpx7-33j2-xx9x" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:32.356Z" + }, + "references": [ + { + "name": "Test (7113/24750) [3363/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22821" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22821", + "datePublished": "2022-01-08T02:35:18", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:32.356Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-29T16:07:14", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "tags": [ + "vendor-advisory", + "x_refsource_DEBIAN" + ], + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202209-24" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22822", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/libexpat/libexpat/pull/539", + "refsource": "MISC", + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "name": "https://www.tenable.com/security/tns-2022-05", + "refsource": "CONFIRM", + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "refsource": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "refsource": "CONFIRM", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202209-24" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2022-09-12T00:00:00+00:00", + "options": [ + { + "Exploitation": "None" + }, + { + "Automatable": "Yes" + }, + { + "Technical Impact": "Total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-22822" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2023-10-31T04:00:30.478Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:32.668Z" + }, + "references": [ + { + "name": "Test (7114/24750) [3364/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22822" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22822", + "datePublished": "2022-01-08T02:57:15", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:32.668Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-29T16:07:01", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "tags": [ + "vendor-advisory", + "x_refsource_DEBIAN" + ], + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202209-24" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22823", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/libexpat/libexpat/pull/539", + "refsource": "MISC", + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "name": "https://www.tenable.com/security/tns-2022-05", + "refsource": "CONFIRM", + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "refsource": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "refsource": "CONFIRM", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202209-24" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2023-04-14T00:00:00+00:00", + "options": [ + { + "Exploitation": "None" + }, + { + "Automatable": "Yes" + }, + { + "Technical Impact": "Total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-22823" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2023-10-31T04:00:31.806Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:32.977Z" + }, + "references": [ + { + "name": "Test (7115/24750) [3365/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22823" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22823", + "datePublished": "2022-01-08T02:57:07", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:32.977Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-29T16:07:03", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "tags": [ + "vendor-advisory", + "x_refsource_DEBIAN" + ], + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202209-24" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22824", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/libexpat/libexpat/pull/539", + "refsource": "MISC", + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "name": "https://www.tenable.com/security/tns-2022-05", + "refsource": "CONFIRM", + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "refsource": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "refsource": "CONFIRM", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202209-24" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2023-04-14T00:00:00+00:00", + "options": [ + { + "Exploitation": "None" + }, + { + "Automatable": "Yes" + }, + { + "Technical Impact": "Total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-22824" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2023-10-31T04:00:32.120Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:33.323Z" + }, + "references": [ + { + "name": "Test (7116/24750) [3366/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22824" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22824", + "datePublished": "2022-01-08T02:56:58", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:33.323Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-29T16:06:59", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "tags": [ + "vendor-advisory", + "x_refsource_DEBIAN" + ], + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202209-24" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22825", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/libexpat/libexpat/pull/539", + "refsource": "MISC", + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "name": "https://www.tenable.com/security/tns-2022-05", + "refsource": "CONFIRM", + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "refsource": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "refsource": "CONFIRM", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202209-24" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2023-04-14T00:00:00+00:00", + "options": [ + { + "Exploitation": "None" + }, + { + "Automatable": "No" + }, + { + "Technical Impact": "Total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-22825" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2023-10-31T04:00:32.413Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:33.645Z" + }, + "references": [ + { + "name": "Test (7117/24750) [3367/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22825" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22825", + "datePublished": "2022-01-08T02:56:48", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:33.645Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-29T16:07:05", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "tags": [ + "vendor-advisory", + "x_refsource_DEBIAN" + ], + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202209-24" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22826", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/libexpat/libexpat/pull/539", + "refsource": "MISC", + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "name": "https://www.tenable.com/security/tns-2022-05", + "refsource": "CONFIRM", + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "refsource": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "refsource": "CONFIRM", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202209-24" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2023-04-14T00:00:00+00:00", + "options": [ + { + "Exploitation": "None" + }, + { + "Automatable": "No" + }, + { + "Technical Impact": "Total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-22826" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2023-10-31T04:00:32.799Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:33.956Z" + }, + "references": [ + { + "name": "Test (7118/24750) [3368/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22826" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22826", + "datePublished": "2022-01-08T02:56:39", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:33.956Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-29T16:07:18", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "tags": [ + "vendor-advisory", + "x_refsource_DEBIAN" + ], + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202209-24" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22827", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/libexpat/libexpat/pull/539", + "refsource": "MISC", + "url": "https://github.com/libexpat/libexpat/pull/539" + }, + { + "name": "[oss-security] 20220117 Expat 2.4.3 released, includes 8 security fixes", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/17/3" + }, + { + "name": "https://www.tenable.com/security/tns-2022-05", + "refsource": "CONFIRM", + "url": "https://www.tenable.com/security/tns-2022-05" + }, + { + "name": "DSA-5073", + "refsource": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "refsource": "CONFIRM", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "name": "GLSA-202209-24", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202209-24" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2023-04-14T00:00:00+00:00", + "options": [ + { + "Exploitation": "None" + }, + { + "Automatable": "No" + }, + { + "Technical Impact": "Total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-22827" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2023-10-31T04:00:33.146Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:34.290Z" + }, + "references": [ + { + "name": "Test (7119/24750) [3369/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22827" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22827", + "datePublished": "2022-01-08T02:56:30", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:34.290Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An insecure direct object reference for the file-download URL in Synametrics SynaMan before 5.0 allows a remote attacker to access unshared files via a modified base64-encoded filename string." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-27T05:41:02", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://web.synametrics.com/SynamanVersionHistory.htm" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/videnlabs/CVE-2022-22828/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22828", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An insecure direct object reference for the file-download URL in Synametrics SynaMan before 5.0 allows a remote attacker to access unshared files via a modified base64-encoded filename string." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://web.synametrics.com/SynamanVersionHistory.htm", + "refsource": "MISC", + "url": "https://web.synametrics.com/SynamanVersionHistory.htm" + }, + { + "name": "https://github.com/videnlabs/CVE-2022-22828/", + "refsource": "MISC", + "url": "https://github.com/videnlabs/CVE-2022-22828/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:34.595Z" + }, + "references": [ + { + "name": "Test (7120/24750) [3370/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22828" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22828", + "datePublished": "2022-01-27T05:41:02", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:34.595Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in Servisnet Tessa 0.0.2. An attacker can add a new sysadmin user via a manipulation of the Authorization HTTP header." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-07T13:05:56", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.pentest.com.tr/exploits/Servisnet-Tessa-Add-sysAdmin-User-Unauthenticated.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://www.servisnet.com.tr/en/page/products" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/165863/Servisnet-Tessa-Authentication-Bypass.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.exploit-db.com/exploits/50714" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22831", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue was discovered in Servisnet Tessa 0.0.2. An attacker can add a new sysadmin user via a manipulation of the Authorization HTTP header." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.pentest.com.tr/exploits/Servisnet-Tessa-Add-sysAdmin-User-Unauthenticated.html", + "refsource": "MISC", + "url": "https://www.pentest.com.tr/exploits/Servisnet-Tessa-Add-sysAdmin-User-Unauthenticated.html" + }, + { + "name": "http://www.servisnet.com.tr/en/page/products", + "refsource": "MISC", + "url": "http://www.servisnet.com.tr/en/page/products" + }, + { + "name": "http://packetstormsecurity.com/files/165863/Servisnet-Tessa-Authentication-Bypass.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/165863/Servisnet-Tessa-Authentication-Bypass.html" + }, + { + "name": "https://www.exploit-db.com/exploits/50714", + "refsource": "MISC", + "url": "https://www.exploit-db.com/exploits/50714" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:34.906Z" + }, + "references": [ + { + "name": "Test (7121/24750) [3371/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22831" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22831", + "datePublished": "2022-02-06T20:53:50", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:34.906Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in Servisnet Tessa 0.0.2. Authorization data is available via an unauthenticated /data-service/users/ request." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-07T14:25:49", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://www.servisnet.com.tr/en/page/products" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.pentest.com.tr/exploits/Servisnet-Tessa-Privilege-Escalation.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/165873/Servisnet-Tessa-Privilege-Escalation.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.exploit-db.com/exploits/50712" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22832", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue was discovered in Servisnet Tessa 0.0.2. Authorization data is available via an unauthenticated /data-service/users/ request." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://www.servisnet.com.tr/en/page/products", + "refsource": "MISC", + "url": "http://www.servisnet.com.tr/en/page/products" + }, + { + "name": "https://www.pentest.com.tr/exploits/Servisnet-Tessa-Privilege-Escalation.html", + "refsource": "MISC", + "url": "https://www.pentest.com.tr/exploits/Servisnet-Tessa-Privilege-Escalation.html" + }, + { + "name": "http://packetstormsecurity.com/files/165873/Servisnet-Tessa-Privilege-Escalation.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/165873/Servisnet-Tessa-Privilege-Escalation.html" + }, + { + "name": "https://www.exploit-db.com/exploits/50712", + "refsource": "MISC", + "url": "https://www.exploit-db.com/exploits/50712" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:35.212Z" + }, + "references": [ + { + "name": "Test (7122/24750) [3372/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22832" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22832", + "datePublished": "2022-02-06T20:54:53", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:35.212Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in Servisnet Tessa 0.0.2. An attacker can obtain sensitive information via a /js/app.js request." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-07T13:01:39", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://www.servisnet.com.tr/en/page/products" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://pentest.com.tr/exploits/Servisnet-Tessa-MQTT-Credentials-Dump-Unauthenticated.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/165867/Servisnet-Tessa-MQTT-Credential-Disclosure.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.exploit-db.com/exploits/50713" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22833", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue was discovered in Servisnet Tessa 0.0.2. An attacker can obtain sensitive information via a /js/app.js request." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://www.servisnet.com.tr/en/page/products", + "refsource": "MISC", + "url": "http://www.servisnet.com.tr/en/page/products" + }, + { + "name": "https://pentest.com.tr/exploits/Servisnet-Tessa-MQTT-Credentials-Dump-Unauthenticated.html", + "refsource": "MISC", + "url": "https://pentest.com.tr/exploits/Servisnet-Tessa-MQTT-Credentials-Dump-Unauthenticated.html" + }, + { + "name": "http://packetstormsecurity.com/files/165867/Servisnet-Tessa-MQTT-Credential-Disclosure.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/165867/Servisnet-Tessa-MQTT-Credential-Disclosure.html" + }, + { + "name": "https://www.exploit-db.com/exploits/50713", + "refsource": "MISC", + "url": "https://www.exploit-db.com/exploits/50713" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:35.580Z" + }, + "references": [ + { + "name": "Test (7123/24750) [3373/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22833" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22833", + "datePublished": "2022-02-06T21:11:02", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:35.580Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in OverIT Geocall before 8.0. An authenticated user who has the Test Trasformazione XSL functionality enabled can exploit a XSLT Injection vulnerability. Attackers could exploit this issue to achieve remote code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-09T12:48:39", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://overit.us/products/geocall/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://labs.yarix.com/advisories/cve-2022-22834/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://labs.yarix.com/2022/03/overit-framework-xslt-injection-and-xxe-cve-2022-22834-cve-2022-22835/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22834", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue was discovered in OverIT Geocall before 8.0. An authenticated user who has the Test Trasformazione XSL functionality enabled can exploit a XSLT Injection vulnerability. Attackers could exploit this issue to achieve remote code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://overit.us/products/geocall/", + "refsource": "MISC", + "url": "https://overit.us/products/geocall/" + }, + { + "name": "https://labs.yarix.com/advisories/cve-2022-22834/", + "refsource": "MISC", + "url": "https://labs.yarix.com/advisories/cve-2022-22834/" + }, + { + "name": "https://labs.yarix.com/2022/03/overit-framework-xslt-injection-and-xxe-cve-2022-22834-cve-2022-22835/", + "refsource": "MISC", + "url": "https://labs.yarix.com/2022/03/overit-framework-xslt-injection-and-xxe-cve-2022-22834-cve-2022-22835/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:35.891Z" + }, + "references": [ + { + "name": "Test (7124/24750) [3374/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22834" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22834", + "datePublished": "2022-03-07T20:52:17", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:35.891Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in OverIT Geocall before version 8.0. An authenticated user who has the Test Trasformazione XSL functionality enabled can exploit a XXE vulnerability to read arbitrary files from the filesystem." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-10T12:45:04", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://overit.us/products/geocall/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://labs.yarix.com/advisories/cve-2022-22835/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://labs.yarix.com/2022/03/overit-framework-xslt-injection-and-xxe-cve-2022-22834-cve-2022-22835/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22835", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue was discovered in OverIT Geocall before version 8.0. An authenticated user who has the Test Trasformazione XSL functionality enabled can exploit a XXE vulnerability to read arbitrary files from the filesystem." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://overit.us/products/geocall/", + "refsource": "MISC", + "url": "https://overit.us/products/geocall/" + }, + { + "name": "https://labs.yarix.com/advisories/cve-2022-22835/", + "refsource": "MISC", + "url": "https://labs.yarix.com/advisories/cve-2022-22835/" + }, + { + "name": "https://labs.yarix.com/2022/03/overit-framework-xslt-injection-and-xxe-cve-2022-22834-cve-2022-22835/", + "refsource": "MISC", + "url": "https://labs.yarix.com/2022/03/overit-framework-xslt-injection-and-xxe-cve-2022-22834-cve-2022-22835/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:36.213Z" + }, + "references": [ + { + "name": "Test (7125/24750) [3375/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22835" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22835", + "datePublished": "2022-03-07T20:48:20", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:36.213Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "CoreFTP Server before 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-08T22:30:11", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://yoursecuritybores.me/coreftp-vulnerabilities/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://www.coreftp.com/forums/viewtopic.php?f=15&t=4022509" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22836", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "CoreFTP Server before 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://yoursecuritybores.me/coreftp-vulnerabilities/", + "refsource": "MISC", + "url": "https://yoursecuritybores.me/coreftp-vulnerabilities/" + }, + { + "name": "http://www.coreftp.com/forums/viewtopic.php?f=15&t=4022509", + "refsource": "MISC", + "url": "http://www.coreftp.com/forums/viewtopic.php?f=15&t=4022509" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:36.523Z" + }, + "references": [ + { + "name": "Test (7126/24750) [3376/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22836" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22836", + "datePublished": "2022-01-08T22:30:11", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:36.523Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22844", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:55:36.839Z", + "dateReserved": "2022-01-08T00:00:00", + "datePublished": "2022-01-08T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-10-31T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://gitlab.com/libtiff/libtiff/-/issues/355" + }, + { + "url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/287" + }, + { + "name": "[debian-lts-announce] 20220306 [SECURITY] [DLA 2932-1] tiff security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00001.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220311-0002/" + }, + { + "name": "DSA-5108", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5108" + }, + { + "name": "GLSA-202210-10", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202210-10" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:36.839Z" + }, + "references": [ + { + "name": "Test (7127/24750) [3377/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22844" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different customers' installations." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-09T15:03:39", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://sipcapture.org" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/sipcapture/homer" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/sipcapture/homer-app/commit/7f92f3afc8b0380c14af3d0fc1c365318a2d1591" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/sipcapture/homer-app/compare/1.4.27...1.4.28" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22845", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different customers' installations." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://sipcapture.org", + "refsource": "MISC", + "url": "http://sipcapture.org" + }, + { + "name": "https://github.com/sipcapture/homer", + "refsource": "MISC", + "url": "https://github.com/sipcapture/homer" + }, + { + "name": "https://github.com/sipcapture/homer-app/commit/7f92f3afc8b0380c14af3d0fc1c365318a2d1591", + "refsource": "MISC", + "url": "https://github.com/sipcapture/homer-app/commit/7f92f3afc8b0380c14af3d0fc1c365318a2d1591" + }, + { + "name": "https://github.com/sipcapture/homer-app/compare/1.4.27...1.4.28", + "refsource": "MISC", + "url": "https://github.com/sipcapture/homer-app/compare/1.4.27...1.4.28" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:37.160Z" + }, + "references": [ + { + "name": "Test (7128/24750) [3378/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22845" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22845", + "datePublished": "2022-01-09T15:03:39", + "dateReserved": "2022-01-08T00:00:00", + "dateUpdated": "2024-06-03T14:55:37.160Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The dnslib package through 0.9.16 for Python does not verify that the ID value in a DNS reply matches an ID value in a query." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:N/I:H/PR:N/S:U/UI:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-09T00:49:30", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/paulc/dnslib/issues/30" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22846", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The dnslib package through 0.9.16 for Python does not verify that the ID value in a DNS reply matches an ID value in a query." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:N/I:H/PR:N/S:U/UI:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/paulc/dnslib/issues/30", + "refsource": "MISC", + "url": "https://github.com/paulc/dnslib/issues/30" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:37.488Z" + }, + "references": [ + { + "name": "Test (7129/24750) [3379/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22846" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22846", + "datePublished": "2022-01-09T00:49:30", + "dateReserved": "2022-01-09T00:00:00", + "dateUpdated": "2024-06-03T14:55:37.488Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Formpipe Lasernet before 9.13.3 allows file inclusion in Client Web Services (either by an authenticated attacker, or in a configuration that does not require authentication)." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-10T06:02:23", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://support.formpipe.com/news/posts/vulnerability-in-the-client-web-service-of-lasernet-9-and-older" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22847", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Formpipe Lasernet before 9.13.3 allows file inclusion in Client Web Services (either by an authenticated attacker, or in a configuration that does not require authentication)." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.formpipe.com/news/posts/vulnerability-in-the-client-web-service-of-lasernet-9-and-older", + "refsource": "CONFIRM", + "url": "https://support.formpipe.com/news/posts/vulnerability-in-the-client-web-service-of-lasernet-9-and-older" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:37.791Z" + }, + "references": [ + { + "name": "Test (7130/24750) [3380/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22847" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22847", + "datePublished": "2022-01-10T06:02:23", + "dateReserved": "2022-01-09T00:00:00", + "dateUpdated": "2024-06-03T14:55:37.791Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the description parameter in room_types." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-26T18:31:00", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/Sant268/CVE-2022-22850/blob/main/CVE-2022-22850.md" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22850", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the description parameter in room_types." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html", + "refsource": "MISC", + "url": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html" + }, + { + "name": "https://github.com/Sant268/CVE-2022-22850/blob/main/CVE-2022-22850.md", + "refsource": "MISC", + "url": "https://github.com/Sant268/CVE-2022-22850/blob/main/CVE-2022-22850.md" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:38.101Z" + }, + "references": [ + { + "name": "Test (7131/24750) [3381/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22850" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22850", + "datePublished": "2022-01-26T18:31:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:38.101Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the specialization parameter in doctors.php" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-26T15:58:58", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/Sant268/CVE-2022-22851/commit/17381378bdb7c9f7b3326af6fb79cf68ca9f9d3d" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22851", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the specialization parameter in doctors.php" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html", + "refsource": "MISC", + "url": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html" + }, + { + "name": "https://github.com/Sant268/CVE-2022-22851/commit/17381378bdb7c9f7b3326af6fb79cf68ca9f9d3d", + "refsource": "MISC", + "url": "https://github.com/Sant268/CVE-2022-22851/commit/17381378bdb7c9f7b3326af6fb79cf68ca9f9d3d" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:38.436Z" + }, + "references": [ + { + "name": "Test (7132/24750) [3382/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22851" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22851", + "datePublished": "2022-01-26T15:58:58", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:38.436Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the description parameter in room_list." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-26T19:07:18", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/Sant268/CVE-2022-22852/blob/main/CVE-2022-22852.md" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22852", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the description parameter in room_list." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html", + "refsource": "MISC", + "url": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html" + }, + { + "name": "https://github.com/Sant268/CVE-2022-22852/blob/main/CVE-2022-22852.md", + "refsource": "MISC", + "url": "https://github.com/Sant268/CVE-2022-22852/blob/main/CVE-2022-22852.md" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:38.765Z" + }, + "references": [ + { + "name": "Test (7133/24750) [3383/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22852" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22852", + "datePublished": "2022-01-26T19:07:18", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:38.765Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A stored cross-site scripting (XSS) vulnerability in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the Name field." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T17:12:41", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/Dheeraj-Deshmukh/stored-xss-in-Hospital-s-Patient-Records-Management-System" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22853", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A stored cross-site scripting (XSS) vulnerability in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the Name field." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html", + "refsource": "MISC", + "url": "https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html" + }, + { + "name": "https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip", + "refsource": "MISC", + "url": "https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip" + }, + { + "name": "https://github.com/Dheeraj-Deshmukh/stored-xss-in-Hospital-s-Patient-Records-Management-System", + "refsource": "MISC", + "url": "https://github.com/Dheeraj-Deshmukh/stored-xss-in-Hospital-s-Patient-Records-Management-System" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:39.083Z" + }, + "references": [ + { + "name": "Test (7134/24750) [3384/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22853" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22853", + "datePublished": "2022-02-16T17:12:41", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:39.083Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An access control issue in hprms/admin/?page=user/list of Hospital Patient Record Management System v1.0 allows attackers to escalate privileges via accessing and editing the user list." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-14T17:11:14", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/Dheeraj-Deshmukh/Hospital-s-patient-management-system" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22854", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An access control issue in hprms/admin/?page=user/list of Hospital Patient Record Management System v1.0 allows attackers to escalate privileges via accessing and editing the user list." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/Dheeraj-Deshmukh/Hospital-s-patient-management-system", + "refsource": "MISC", + "url": "https://github.com/Dheeraj-Deshmukh/Hospital-s-patient-management-system" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:39.404Z" + }, + "references": [ + { + "name": "Test (7135/24750) [3385/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22854" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22854", + "datePublished": "2022-02-14T17:11:14", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:39.404Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Gibbon CMS v22.0.01 was discovered to contain a cross-site scripting (XSS) vulnerability, that allows attackers to inject arbitrary script via name parameters." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-28T18:10:42", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/truonghuuphuc/CVE" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/GibbonEdu/core/issues/1594" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/truonghuuphuc/CVE/blob/main/CVE-2022-22868.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22868", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Gibbon CMS v22.0.01 was discovered to contain a cross-site scripting (XSS) vulnerability, that allows attackers to inject arbitrary script via name parameters." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/truonghuuphuc/CVE", + "refsource": "MISC", + "url": "https://github.com/truonghuuphuc/CVE" + }, + { + "name": "https://github.com/GibbonEdu/core/issues/1594", + "refsource": "MISC", + "url": "https://github.com/GibbonEdu/core/issues/1594" + }, + { + "name": "https://github.com/truonghuuphuc/CVE/blob/main/CVE-2022-22868.pdf", + "refsource": "MISC", + "url": "https://github.com/truonghuuphuc/CVE/blob/main/CVE-2022-22868.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:39.711Z" + }, + "references": [ + { + "name": "Test (7136/24750) [3386/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22868" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22868", + "datePublished": "2022-01-28T18:10:42", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:39.711Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /jeecg-boot/sys/user/queryUserByDepId." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T21:42:08", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jeecgboot/jeecg-boot/issues/3347" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22880", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /jeecg-boot/sys/user/queryUserByDepId." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/jeecgboot/jeecg-boot/issues/3347", + "refsource": "MISC", + "url": "https://github.com/jeecgboot/jeecg-boot/issues/3347" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:40.019Z" + }, + "references": [ + { + "name": "Test (7137/24750) [3387/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22880" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22880", + "datePublished": "2022-02-16T21:42:08", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:40.019Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /sys/user/queryUserComponentData." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T21:42:08", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jeecgboot/jeecg-boot/issues/3348" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22881", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /sys/user/queryUserComponentData." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/jeecgboot/jeecg-boot/issues/3348", + "refsource": "MISC", + "url": "https://github.com/jeecgboot/jeecg-boot/issues/3348" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:40.339Z" + }, + "references": [ + { + "name": "Test (7138/24750) [3388/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22881" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22881", + "datePublished": "2022-02-16T21:42:08", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:40.339Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T21:56:16", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/dromara/hutool/issues/2042" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://apidoc.gitee.com/dromara/hutool/cn/hutool/http/ssl/DefaultSSLInfo.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22885", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/dromara/hutool/issues/2042", + "refsource": "MISC", + "url": "https://github.com/dromara/hutool/issues/2042" + }, + { + "name": "https://apidoc.gitee.com/dromara/hutool/cn/hutool/http/ssl/DefaultSSLInfo.html", + "refsource": "MISC", + "url": "https://apidoc.gitee.com/dromara/hutool/cn/hutool/http/ssl/DefaultSSLInfo.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:40.663Z" + }, + "references": [ + { + "name": "Test (7139/24750) [3389/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22885" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22885", + "datePublished": "2022-02-16T21:56:16", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:40.663Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_op_object_find_own in /ecma/operations/ecma-objects.c." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T22:16:43", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jerryscript-project/jerryscript/issues/4848" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22888", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_op_object_find_own in /ecma/operations/ecma-objects.c." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/jerryscript-project/jerryscript/issues/4848", + "refsource": "MISC", + "url": "https://github.com/jerryscript-project/jerryscript/issues/4848" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:40.966Z" + }, + "references": [ + { + "name": "Test (7140/24750) [3390/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22888" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22888", + "datePublished": "2022-01-20T22:16:43", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:40.966Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "There is an Assertion 'arguments_type != SCANNER_ARGUMENTS_PRESENT && arguments_type != SCANNER_ARGUMENTS_PRESENT_NO_REG' failed at /jerry-core/parser/js/js-scanner-util.c in Jerryscript 3.0.0." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T22:16:46", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jerryscript-project/jerryscript/issues/4847" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22890", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is an Assertion 'arguments_type != SCANNER_ARGUMENTS_PRESENT && arguments_type != SCANNER_ARGUMENTS_PRESENT_NO_REG' failed at /jerry-core/parser/js/js-scanner-util.c in Jerryscript 3.0.0." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/jerryscript-project/jerryscript/issues/4847", + "refsource": "MISC", + "url": "https://github.com/jerryscript-project/jerryscript/issues/4847" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:41.297Z" + }, + "references": [ + { + "name": "Test (7141/24750) [3391/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22890" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22890", + "datePublished": "2022-01-20T22:16:46", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:41.297Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via ecma_ref_object_inline in /jerry-core/ecma/base/ecma-gc.c." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T23:04:22", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jerryscript-project/jerryscript/issues/4871" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22891", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via ecma_ref_object_inline in /jerry-core/ecma/base/ecma-gc.c." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/jerryscript-project/jerryscript/issues/4871", + "refsource": "MISC", + "url": "https://github.com/jerryscript-project/jerryscript/issues/4871" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:41.616Z" + }, + "references": [ + { + "name": "Test (7142/24750) [3392/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22891" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22891", + "datePublished": "2022-01-20T23:04:22", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:41.616Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "There is an Assertion 'ecma_is_value_undefined (value) || ecma_is_value_null (value) || ecma_is_value_boolean (value) || ecma_is_value_number (value) || ecma_is_value_string (value) || ecma_is_value_bigint (value) || ecma_is_value_symbol (value) || ecma_is_value_object (value)' failed at jerry-core/ecma/base/ecma-helpers-value.c in Jerryscripts 3.0.0." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T23:04:22", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jerryscript-project/jerryscript/issues/4872" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22892", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is an Assertion 'ecma_is_value_undefined (value) || ecma_is_value_null (value) || ecma_is_value_boolean (value) || ecma_is_value_number (value) || ecma_is_value_string (value) || ecma_is_value_bigint (value) || ecma_is_value_symbol (value) || ecma_is_value_object (value)' failed at jerry-core/ecma/base/ecma-helpers-value.c in Jerryscripts 3.0.0." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/jerryscript-project/jerryscript/issues/4872", + "refsource": "MISC", + "url": "https://github.com/jerryscript-project/jerryscript/issues/4872" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:41.937Z" + }, + "references": [ + { + "name": "Test (7143/24750) [3393/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22892" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22892", + "datePublished": "2022-01-20T23:04:22", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:41.937Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_loop.lto_priv.304 in /jerry-core/vm/vm.c." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T23:04:23", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jerryscript-project/jerryscript/issues/4901" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22893", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_loop.lto_priv.304 in /jerry-core/vm/vm.c." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/jerryscript-project/jerryscript/issues/4901", + "refsource": "MISC", + "url": "https://github.com/jerryscript-project/jerryscript/issues/4901" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:42.288Z" + }, + "references": [ + { + "name": "Test (7144/24750) [3394/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22893" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22893", + "datePublished": "2022-01-20T23:04:23", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:42.288Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_lcache_lookup in /jerry-core/ecma/base/ecma-lcache.c." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T23:04:24", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jerryscript-project/jerryscript/issues/4890" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22894", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_lcache_lookup in /jerry-core/ecma/base/ecma-lcache.c." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/jerryscript-project/jerryscript/issues/4890", + "refsource": "MISC", + "url": "https://github.com/jerryscript-project/jerryscript/issues/4890" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:42.607Z" + }, + "references": [ + { + "name": "Test (7145/24750) [3395/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22894" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22894", + "datePublished": "2022-01-20T23:04:24", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:42.607Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ecma_utf8_string_to_number_by_radix in /jerry-core/ecma/base/ecma-helpers-conversion.c." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T23:04:25", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jerryscript-project/jerryscript/issues/4882" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jerryscript-project/jerryscript/issues/4850" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22895", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ecma_utf8_string_to_number_by_radix in /jerry-core/ecma/base/ecma-helpers-conversion.c." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/jerryscript-project/jerryscript/issues/4882", + "refsource": "MISC", + "url": "https://github.com/jerryscript-project/jerryscript/issues/4882" + }, + { + "name": "https://github.com/jerryscript-project/jerryscript/issues/4850", + "refsource": "MISC", + "url": "https://github.com/jerryscript-project/jerryscript/issues/4850" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:42.920Z" + }, + "references": [ + { + "name": "Test (7146/24750) [3396/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22895" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22895", + "datePublished": "2022-01-20T23:04:25", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:42.920Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22897", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:55:43.248Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-08-29T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2023-01-12T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "http://packetstormsecurity.com/files/168148/PrestaShop-Ap-Pagebuilder-2.4.4-SQL-Injection.html" + }, + { + "url": "https://friends-of-presta.github.io/security-advisories/modules/2023/01/05/appagebuilder.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:43.248Z" + }, + "references": [ + { + "name": "Test (7147/24750) [3397/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22897" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Core FTP / SFTP Server v2 Build 725 was discovered to allow unauthenticated attackers to cause a Denial of Service (DoS) via a crafted packet through the SSH service." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-17T12:51:23", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://coreftp.com/forums/viewtopic.php?f=15&t=4022509" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://yoursecuritybores.me/coreftp-vulnerabilities/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://coreftp.com" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22899", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Core FTP / SFTP Server v2 Build 725 was discovered to allow unauthenticated attackers to cause a Denial of Service (DoS) via a crafted packet through the SSH service." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://coreftp.com/forums/viewtopic.php?f=15&t=4022509", + "refsource": "MISC", + "url": "http://coreftp.com/forums/viewtopic.php?f=15&t=4022509" + }, + { + "name": "https://yoursecuritybores.me/coreftp-vulnerabilities/", + "refsource": "MISC", + "url": "https://yoursecuritybores.me/coreftp-vulnerabilities/" + }, + { + "name": "http://coreftp.com", + "refsource": "MISC", + "url": "http://coreftp.com" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:43.559Z" + }, + "references": [ + { + "name": "Test (7148/24750) [3398/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22899" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22899", + "datePublished": "2022-02-17T12:51:23", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:43.559Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "There is an Assertion in 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at parser_parse_function_arguments in /js/js-parser.c of JerryScript commit a6ab5e9." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-17T02:40:13", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://jerryscript.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jerryscript-project/jerryscript" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jerryscript-project/jerryscript/issues/4916" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22901", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is an Assertion in 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at parser_parse_function_arguments in /js/js-parser.c of JerryScript commit a6ab5e9." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://jerryscript.com", + "refsource": "MISC", + "url": "http://jerryscript.com" + }, + { + "name": "https://github.com/jerryscript-project/jerryscript", + "refsource": "MISC", + "url": "https://github.com/jerryscript-project/jerryscript" + }, + { + "name": "https://github.com/jerryscript-project/jerryscript/issues/4916", + "refsource": "MISC", + "url": "https://github.com/jerryscript-project/jerryscript/issues/4916" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:43.968Z" + }, + "references": [ + { + "name": "Test (7149/24750) [3399/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22901" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22901", + "datePublished": "2022-02-17T02:40:13", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:43.968Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "SangforCSClient.exe in Sangfor VDI Client 5.4.2.1006 allows attackers, when they are able to read process memory, to discover the contents of the Username and Password fields." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-26T21:24:43", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/NF-Security-Team/CVEs/tree/main/CVE-2022-22908" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22908", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "SangforCSClient.exe in Sangfor VDI Client 5.4.2.1006 allows attackers, when they are able to read process memory, to discover the contents of the Username and Password fields." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/NF-Security-Team/CVEs/tree/main/CVE-2022-22908", + "refsource": "MISC", + "url": "https://github.com/NF-Security-Team/CVEs/tree/main/CVE-2022-22908" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:44.341Z" + }, + "references": [ + { + "name": "Test (7150/24750) [3400/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22908" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22908", + "datePublished": "2022-02-26T21:24:43", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:44.341Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-02T23:49:47", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.hoteldruid.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/0z09e/CVE-2022-22909" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22909", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.hoteldruid.com", + "refsource": "MISC", + "url": "https://www.hoteldruid.com" + }, + { + "name": "https://github.com/0z09e/CVE-2022-22909", + "refsource": "MISC", + "url": "https://github.com/0z09e/CVE-2022-22909" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:44.659Z" + }, + "references": [ + { + "name": "Test (7151/24750) [3401/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22909" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22909", + "datePublished": "2022-03-02T23:49:47", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:44.659Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-17T18:50:43", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/TooTallNate/plist.js/issues/114" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22912", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/TooTallNate/plist.js/issues/114", + "refsource": "MISC", + "url": "https://github.com/TooTallNate/plist.js/issues/114" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:44.975Z" + }, + "references": [ + { + "name": "Test (7152/24750) [3402/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22912" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22912", + "datePublished": "2022-02-17T18:50:43", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:44.975Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An incorrect access control issue in the component FileManager of Ovidentia CMS 6.0 allows authenticated attackers to to view and download content in the upload directory via path traversal." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-17T20:50:36", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://ovidentia.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://gitlab.com/albadotpy/ovidentia-information-disclosure-on-upload-directory-content" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22914", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An incorrect access control issue in the component FileManager of Ovidentia CMS 6.0 allows authenticated attackers to to view and download content in the upload directory via path traversal." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://ovidentia.com", + "refsource": "MISC", + "url": "http://ovidentia.com" + }, + { + "name": "https://gitlab.com/albadotpy/ovidentia-information-disclosure-on-upload-directory-content", + "refsource": "MISC", + "url": "https://gitlab.com/albadotpy/ovidentia-information-disclosure-on-upload-directory-content" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:45.329Z" + }, + "references": [ + { + "name": "Test (7153/24750) [3403/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22914" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22914", + "datePublished": "2022-02-17T20:50:36", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:45.329Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-17T21:08:22", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://o2oa.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/wendell1224/O2OA-POC/blob/main/POC.md" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22916", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://o2oa.com", + "refsource": "MISC", + "url": "http://o2oa.com" + }, + { + "name": "https://github.com/wendell1224/O2OA-POC/blob/main/POC.md", + "refsource": "MISC", + "url": "https://github.com/wendell1224/O2OA-POC/blob/main/POC.md" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:45.645Z" + }, + "references": [ + { + "name": "Test (7154/24750) [3404/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22916" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22916", + "datePublished": "2022-02-17T21:08:22", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:45.645Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Adenza AxiomSL ControllerView through 10.8.1 allows redirection for SSO login URLs." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-30T01:13:30", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jdordonezn/CVE-2022-22919/issues/1" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22919", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adenza AxiomSL ControllerView through 10.8.1 allows redirection for SSO login URLs." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/jdordonezn/CVE-2022-22919/issues/1", + "refsource": "MISC", + "url": "https://github.com/jdordonezn/CVE-2022-22919/issues/1" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:45.949Z" + }, + "references": [ + { + "name": "Test (7155/24750) [3405/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22919" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22919", + "datePublished": "2022-01-30T01:13:30", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:45.949Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "TP-Link TL-WA850RE Wi-Fi Range Extender before v6_200923 was discovered to use highly predictable and easily detectable session keys, allowing attackers to gain administrative privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-18T00:55:17", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/emremulazimoglu/cve/blob/main/CWE330-TL-WA850RE-v6.md" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.tp-link.com/us/support/download/tl-wa850re/v6/#Firmware" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22922", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "TP-Link TL-WA850RE Wi-Fi Range Extender before v6_200923 was discovered to use highly predictable and easily detectable session keys, allowing attackers to gain administrative privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/emremulazimoglu/cve/blob/main/CWE330-TL-WA850RE-v6.md", + "refsource": "MISC", + "url": "https://github.com/emremulazimoglu/cve/blob/main/CWE330-TL-WA850RE-v6.md" + }, + { + "name": "https://www.tp-link.com/us/support/download/tl-wa850re/v6/#Firmware", + "refsource": "MISC", + "url": "https://www.tp-link.com/us/support/download/tl-wa850re/v6/#Firmware" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:46.264Z" + }, + "references": [ + { + "name": "Test (7156/24750) [3406/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22922" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22922", + "datePublished": "2022-02-18T00:55:17", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:46.264Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "MCMS v5.2.4 was discovered to have a hardcoded shiro-key, allowing attackers to exploit the key and execute arbitrary code." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T23:40:34", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://gitee.com/mingSoft/MCMS/issues/I4Q4RP" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22928", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "MCMS v5.2.4 was discovered to have a hardcoded shiro-key, allowing attackers to exploit the key and execute arbitrary code." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitee.com/mingSoft/MCMS/issues/I4Q4RP", + "refsource": "MISC", + "url": "https://gitee.com/mingSoft/MCMS/issues/I4Q4RP" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:46.580Z" + }, + "references": [ + { + "name": "Test (7157/24750) [3407/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22928" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22928", + "datePublished": "2022-01-20T23:40:34", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:46.580Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute arbitrary code via a crafted ZIP file." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T23:40:35", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://gitee.com/mingSoft/MCMS/issues/I4Q4NV" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22929", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerability in the New Template module, which allows attackers to execute arbitrary code via a crafted ZIP file." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitee.com/mingSoft/MCMS/issues/I4Q4NV", + "refsource": "MISC", + "url": "https://gitee.com/mingSoft/MCMS/issues/I4Q4NV" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:46.896Z" + }, + "references": [ + { + "name": "Test (7158/24750) [3408/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22929" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22929", + "datePublished": "2022-01-20T23:40:35", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:46.896Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A remote code execution (RCE) vulnerability in the Template Management function of MCMS v5.2.4 allows attackers to execute arbitrary code via a crafted payload." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T23:40:47", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://gitee.com/mingSoft/MCMS/issues/I4Q4M6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-22930", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A remote code execution (RCE) vulnerability in the Template Management function of MCMS v5.2.4 allows attackers to execute arbitrary code via a crafted payload." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitee.com/mingSoft/MCMS/issues/I4Q4M6", + "refsource": "MISC", + "url": "https://gitee.com/mingSoft/MCMS/issues/I4Q4M6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:47.201Z" + }, + "references": [ + { + "name": "Test (7159/24750) [3409/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22930" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-22930", + "datePublished": "2022-01-20T23:40:47", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:47.201Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Apache James", + "vendor": "Apache Software Foundation", + "versions": [ + { + "status": "affected", + "version": "Apache James 3.6.1" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "These issues were discovered and reported by GHSL team member Jaroslav Lobačevski" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used)." + } + ], + "metrics": [ + { + "other": { + "content": { + "other": "moderate" + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-22", + "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-07T18:50:10", + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.openwall.com/lists/oss-security/2022/02/07/1" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Path traversal in Apache James 3.6.1", + "workarounds": [ + { + "lang": "en", + "value": "This had been fixed in Apache James 3.6.2." + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@apache.org", + "ID": "CVE-2022-22931", + "STATE": "PUBLIC", + "TITLE": "Path traversal in Apache James 3.6.1" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache James", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_name": "Apache James", + "version_value": "3.6.1" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "These issues were discovered and reported by GHSL team member Jaroslav Lobačevski" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used)." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + { + "other": "moderate" + } + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr", + "refsource": "MISC", + "url": "https://lists.apache.org/thread/bp8yql4wws56jlh0vxoowj7foothsmpr" + }, + { + "name": "https://www.openwall.com/lists/oss-security/2022/02/07/1", + "refsource": "MISC", + "url": "https://www.openwall.com/lists/oss-security/2022/02/07/1" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "en", + "value": "This had been fixed in Apache James 3.6.2." + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:47.532Z" + }, + "references": [ + { + "name": "Test (7160/24750) [3410/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22931" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2022-22931", + "datePublished": "2022-02-07T18:50:10", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:47.532Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Apache Karaf", + "vendor": "Apache Software Foundation", + "versions": [ + { + "changes": [ + { + "at": "4.3.6", + "status": "unaffected" + } + ], + "lessThan": "4.2.15", + "status": "affected", + "version": "Apache Karaf", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "This issue was discovered and reported by GHSL team member Jaroslav Lobacevski" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326" + } + ], + "metrics": [ + { + "other": { + "content": { + "other": "The risk is low as obr:* commands are not very used and the entry is set by user." + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Path traversal flaws", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-26T11:10:12", + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://karaf.apache.org/security/cve-2022-22932.txt" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Path traversal flaws", + "workarounds": [ + { + "lang": "en", + "value": "Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path." + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@apache.org", + "ID": "CVE-2022-22932", + "STATE": "PUBLIC", + "TITLE": "Path traversal flaws" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache Karaf", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "Apache Karaf", + "version_value": "4.2.15" + }, + { + "version_affected": "<", + "version_name": "Apache Karaf", + "version_value": "4.3.6" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "This issue was discovered and reported by GHSL team member Jaroslav Lobacevski" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + { + "other": "The risk is low as obr:* commands are not very used and the entry is set by user." + } + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Path traversal flaws" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://karaf.apache.org/security/cve-2022-22932.txt", + "refsource": "MISC", + "url": "https://karaf.apache.org/security/cve-2022-22932.txt" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "en", + "value": "Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path." + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:47.836Z" + }, + "references": [ + { + "name": "Test (7161/24750) [3411/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22932" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2022-22932", + "datePublished": "2022-01-26T11:10:12", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:47.836Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2023-10-31T13:06:27.077569" + }, + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "SaltStack Salt", + "versions": [ + { + "version": "SaltStack Salt prior to 3002.8, 3003.4, 3004.1", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://saltproject.io/security_announcements/salt-security-advisory-release/%2C" + }, + { + "url": "https://github.com/saltstack/salt/releases%2C" + }, + { + "url": "https://repo.saltproject.io/" + }, + { + "name": "GLSA-202310-22", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202310-22" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Salt Masters do not sign pillar data with the minion’s public key." + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:48.161Z" + }, + "references": [ + { + "name": "Test (7162/24750) [3412/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22934" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22934", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "dateUpdated": "2024-06-03T14:55:48.161Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-03-29T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2023-10-31T13:06:25.593962" + }, + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersonating a master." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "SaltStack Salt", + "versions": [ + { + "version": "SaltStack Salt prior to 3002.8, 3003.4, 3004.1", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://saltproject.io/security_announcements/salt-security-advisory-release/%2C" + }, + { + "url": "https://github.com/saltstack/salt/releases%2C" + }, + { + "url": "https://repo.saltproject.io/" + }, + { + "name": "GLSA-202310-22", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202310-22" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Minion authentication denial of service" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:48.523Z" + }, + "references": [ + { + "name": "Test (7163/24750) [3413/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22935" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22935", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "dateUpdated": "2024-06-03T14:55:48.523Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-03-29T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2023-10-31T13:06:45.986338" + }, + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be re-played. A sufficient craft attacker could gain root access on minion under certain scenarios." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "SaltStack Salt", + "versions": [ + { + "version": "SaltStack Salt prior to 3002.8, 3003.4, 3004.1", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://saltproject.io/security_announcements/salt-security-advisory-release/%2C" + }, + { + "url": "https://github.com/saltstack/salt/releases%2C" + }, + { + "url": "https://repo.saltproject.io/" + }, + { + "name": "GLSA-202310-22", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202310-22" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Job publishes and file server replies are susceptible to replay attacks." + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:48.835Z" + }, + "references": [ + { + "name": "Test (7164/24750) [3414/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22936" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22936", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "dateUpdated": "2024-06-03T14:55:48.835Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-03-29T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Workstation (16.x prior to 16.2.2) and Horizon Client for Windows (5.x prior to 5.5.3) contains a denial-of-service vulnerability in the Cortado ThinPrint component. The issue exists in TrueType font parser. A malicious actor with access to a virtual machine or remote desktop may exploit this issue to trigger a denial-of-service condition in the Thinprint service running on the host machine where VMware Workstation or Horizon Client for Windows is installed." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-28T19:09:25", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0002.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22938", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Workstation (16.x prior to 16.2.2) and Horizon Client for Windows (5.x prior to 5.5.3) contains a denial-of-service vulnerability in the Cortado ThinPrint component. The issue exists in TrueType font parser. A malicious actor with access to a virtual machine or remote desktop may exploit this issue to trigger a denial-of-service condition in the Thinprint service running on the host machine where VMware Workstation or Horizon Client for Windows is installed." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0002.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0002.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:49.144Z" + }, + "references": [ + { + "name": "Test (7165/24750) [3415/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22938" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22938", + "datePublished": "2022-01-28T19:09:25", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:49.144Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Cloud Foundation", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "VMware Cloud Foundation 4.x (before 4.3.1.1) and 3.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Cloud Foundation contains an information disclosure vulnerability due to logging of credentials in plain-text within multiple log files on the SDDC Manager. A malicious actor with root access on VMware Cloud Foundation SDDC Manager may be able to view credentials in plaintext within one or more log files." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "VMware Cloud Foundation updates address an information disclosure vulnerability.", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T22:29:14", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0003.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22939", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Cloud Foundation", + "version": { + "version_data": [ + { + "version_value": "VMware Cloud Foundation 4.x (before 4.3.1.1) and 3.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Cloud Foundation contains an information disclosure vulnerability due to logging of credentials in plain-text within multiple log files on the SDDC Manager. A malicious actor with root access on VMware Cloud Foundation SDDC Manager may be able to view credentials in plaintext within one or more log files." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "VMware Cloud Foundation updates address an information disclosure vulnerability." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0003.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0003.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:49.472Z" + }, + "references": [ + { + "name": "Test (7166/24750) [3416/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22939" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22939", + "datePublished": "2022-02-04T22:29:14", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:49.472Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2023-10-31T13:06:40.983815" + }, + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "SaltStack Salt", + "versions": [ + { + "version": "SaltStack Salt prior to 3002.8, 3003.4, 3004.1", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://saltproject.io/security_announcements/salt-security-advisory-release/%2C" + }, + { + "url": "https://github.com/saltstack/salt/releases%2C" + }, + { + "url": "https://repo.saltproject.io/" + }, + { + "name": "GLSA-202310-22", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202310-22" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Salt Master allows configured users to target any of the minions connected to the syndic with their configured commands" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:49.780Z" + }, + "references": [ + { + "name": "Test (7167/24750) [3417/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22941" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22941", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "dateUpdated": "2024-06-03T14:55:49.780Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-03-29T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-22942", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "state": "PUBLISHED", + "assignerShortName": "vmware", + "dateReserved": "2022-01-10T15:34:55.706Z", + "datePublished": "2023-12-13T08:16:34.363Z", + "dateUpdated": "2024-06-03T14:55:50.091Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unaffected", + "product": "Photon OS", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "3.0, 4.0" + } + ] + } + ], + "datePublic": "2022-01-27T07:06:00.000Z", + "descriptions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer." + } + ], + "value": "The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + }, + "format": "CVSS", + "scenarios": [ + { + "lang": "en", + "value": "GENERAL" + } + ] + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Privilege escalation", + "lang": "en" + } + ] + } + ], + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2023-12-13T08:17:05.068Z" + }, + "references": [ + { + "url": "https://github.com/vmware/photon/wiki/Security-Update-3.0-356" + }, + { + "url": "https://github.com/vmware/photon/wiki/Security-Update-4.0-148" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/01/27/4" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:50.091Z" + }, + "references": [ + { + "name": "Test (7168/24750) [3418/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22942" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Tools for Windows", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "VMware Tools for Windows (11.x.y and 10.x.y prior to 12.0.0)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Tools for Windows (11.x.y and 10.x.y prior to 12.0.0) contains an uncontrolled search path vulnerability. A malicious actor with local administrative privileges in the Windows guest OS, where VMware Tools is installed, may be able to execute code with system privileges in the Windows guest OS due to an uncontrolled search path element." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Uncontrolled search path vulnerability", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-03T21:59:08", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0007.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22943", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Tools for Windows", + "version": { + "version_data": [ + { + "version_value": "VMware Tools for Windows (11.x.y and 10.x.y prior to 12.0.0)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Tools for Windows (11.x.y and 10.x.y prior to 12.0.0) contains an uncontrolled search path vulnerability. A malicious actor with local administrative privileges in the Windows guest OS, where VMware Tools is installed, may be able to execute code with system privileges in the Windows guest OS due to an uncontrolled search path element." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Uncontrolled search path vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0007.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0007.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:50.413Z" + }, + "references": [ + { + "name": "Test (7169/24750) [3419/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22943" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22943", + "datePublished": "2022-03-03T21:59:08", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:50.413Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Workspace ONE Boxer", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "VMware Workspace ONE Boxer for iOS prior to 22.02" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Workspace ONE Boxer contains a stored cross-site scripting (XSS) vulnerability. Due to insufficient sanitization and validation, in VMware Workspace ONE Boxer calendar event descriptions, a malicious actor can inject script tags to execute arbitrary script within a user's window." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Stored cross-site scripting (XSS) vulnerability", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-02T20:50:17", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0006.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22944", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Workspace ONE Boxer", + "version": { + "version_data": [ + { + "version_value": "VMware Workspace ONE Boxer for iOS prior to 22.02" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Workspace ONE Boxer contains a stored cross-site scripting (XSS) vulnerability. Due to insufficient sanitization and validation, in VMware Workspace ONE Boxer calendar event descriptions, a malicious actor can inject script tags to execute arbitrary script within a user's window." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Stored cross-site scripting (XSS) vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0006.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0006.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:50.724Z" + }, + "references": [ + { + "name": "Test (7170/24750) [3420/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22944" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22944", + "datePublished": "2022-03-02T20:50:17", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:50.724Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware NSX Edge", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "6.4.10" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware NSX Edge contains a CLI shell injection vulnerability. A malicious actor with SSH access to an NSX-Edge appliance can execute arbitrary commands on the operating system as root." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "A CLI shell injection vulnerability affecting VMware NSX Edge", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:35", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0005.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22945", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware NSX Edge", + "version": { + "version_data": [ + { + "version_value": "6.4.10" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware NSX Edge contains a CLI shell injection vulnerability. A malicious actor with SSH access to an NSX-Edge appliance can execute arbitrary commands on the operating system as root." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "A CLI shell injection vulnerability affecting VMware NSX Edge" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0005.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0005.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:51.064Z" + }, + "references": [ + { + "name": "Test (7171/24750) [3421/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22945" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22945", + "datePublished": "2022-02-16T16:38:35", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:51.064Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Spring Cloud Gateway", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Spring cloud gateway versions 3.1.x prior to 3.1.1+" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T16:46:27", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tanzu.vmware.com/security/cve-2022-22946" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22946", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Spring Cloud Gateway", + "version": { + "version_data": [ + { + "version_value": "Spring cloud gateway versions 3.1.x prior to 3.1.1+" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://tanzu.vmware.com/security/cve-2022-22946", + "refsource": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22946" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:51.402Z" + }, + "references": [ + { + "name": "Test (7172/24750) [3422/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22946" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22946", + "datePublished": "2022-03-04T15:50:06", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:51.402Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22947", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "dateUpdated": "2024-06-03T14:55:51.715Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-03-03T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2022-10-17T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "Spring Cloud Gateway", + "versions": [ + { + "version": "Spring cloud gateway versions 3.1.x prior to 3.1.1+, 3.0.x prior to 3.0.7+ and all old and unsupported versions", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://tanzu.vmware.com/security/cve-2022-22947" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", + "cweId": "CWE-94" + } + ] + } + ] + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-05-16", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2022-05-16T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22947 added to KEV" + }, + { + "time": "2022-05-16T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22947 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:42:59.982Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:51.715Z" + }, + "references": [ + { + "name": "Test (7173/24750) [3423/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22947" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware vCenter Server and VMware Cloud Foundation", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "VMware vCenter Server (7.0 prior to 7.0 U3d, 6.7 prior to 6.7 U3p and 6.5 prior to 6.5 U3r) and VMware Cloud Foundation (4.x and 3.x prior to 3.11)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information disclosure vulnerability", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-29T17:24:33", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0009.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22948", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware vCenter Server and VMware Cloud Foundation", + "version": { + "version_data": [ + { + "version_value": "VMware vCenter Server (7.0 prior to 7.0 U3d, 6.7 prior to 6.7 U3p and 6.5 prior to 6.5 U3r) and VMware Cloud Foundation (4.x and 3.x prior to 3.11)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Information disclosure vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0009.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0009.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:52.021Z" + }, + "references": [ + { + "name": "Test (7174/24750) [3424/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22948" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22948", + "datePublished": "2022-03-29T17:24:33", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:52.021Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Spring Framework", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Spring Framework versions 5.3.X prior to 5.3.17+ and all old and unsupported versions" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-770", + "description": "CWE-770: Allocation of Resources Without Limits or Throttling", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-01T22:17:32", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tanzu.vmware.com/security/cve-2022-22950" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22950", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Spring Framework", + "version": { + "version_data": [ + { + "version_value": "Spring Framework versions 5.3.X prior to 5.3.17+ and all old and unsupported versions" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-770: Allocation of Resources Without Limits or Throttling" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://tanzu.vmware.com/security/cve-2022-22950", + "refsource": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22950" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:52.401Z" + }, + "references": [ + { + "name": "Test (7175/24750) [3425/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22950" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22950", + "datePublished": "2022-04-01T22:17:32", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:52.401Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Carbon Black App Control (AppC)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains an OS command injection vulnerability. An authenticated, high privileged malicious actor with network access to the VMware App Control administration interface may be able to execute commands on the server due to improper input validation leading to remote code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "OS command injection vulnerability in VMware Carbon Black App Control", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-23T19:46:46", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0008.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22951", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Carbon Black App Control (AppC)", + "version": { + "version_data": [ + { + "version_value": "VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains an OS command injection vulnerability. An authenticated, high privileged malicious actor with network access to the VMware App Control administration interface may be able to execute commands on the server due to improper input validation leading to remote code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "OS command injection vulnerability in VMware Carbon Black App Control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0008.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0008.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:52.711Z" + }, + "references": [ + { + "name": "Test (7176/24750) [3426/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22951" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22951", + "datePublished": "2022-03-23T19:46:46", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:52.711Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Carbon Black App Control (AppC)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains a file upload vulnerability. A malicious actor with administrative access to the VMware App Control administration interface may be able to execute code on the Windows instance where AppC Server is installed by uploading a specially crafted file." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "HFile upload vulnerability in VMware Carbon Black App Control", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-23T19:46:47", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0008.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22952", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Carbon Black App Control (AppC)", + "version": { + "version_data": [ + { + "version_value": "VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains a file upload vulnerability. A malicious actor with administrative access to the VMware App Control administration interface may be able to execute code on the Windows instance where AppC Server is installed by uploading a specially crafted file." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "HFile upload vulnerability in VMware Carbon Black App Control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0008.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0008.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:53.013Z" + }, + "references": [ + { + "name": "Test (7177/24750) [3427/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22952" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22952", + "datePublished": "2022-03-23T19:46:47", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:53.013Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware HCX", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "4.3.1 and 4.3.2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware HCX update addresses an information disclosure vulnerability. A malicious actor with network user access to the VMware HCX appliance may be able to gain access to sensitive information." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "VMware HCX update addresses an information disclosure vulnerability", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-16T15:54:54", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0017.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22953", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware HCX", + "version": { + "version_data": [ + { + "version_value": "4.3.1 and 4.3.2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware HCX update addresses an information disclosure vulnerability. A malicious actor with network user access to the VMware HCX appliance may be able to gain access to sensitive information." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "VMware HCX update addresses an information disclosure vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0017.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0017.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:53.383Z" + }, + "references": [ + { + "name": "Test (7178/24750) [3428/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22953" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22953", + "datePublished": "2022-06-16T15:54:54", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:53.383Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Workspace ONE Access and Identity Manager", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3." + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-03T17:06:08", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22954", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Workspace ONE Access and Identity Manager", + "version": { + "version_data": [ + { + "version_value": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3." + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + }, + { + "name": "http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-04-14", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + }, + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2022-04-04T00:00:00+00:00", + "options": [ + { + "Exploitation": "Active" + }, + { + "Automatable": "rapid" + }, + { + "Technical Impact": "Total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-22954" + } + } + } + ], + "timeline": [ + { + "time": "2022-04-14T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22954 added to KEV" + }, + { + "time": "2022-04-14T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22954 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:42:52.203Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:53.696Z" + }, + "references": [ + { + "name": "Test (7179/24750) [3429/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22954" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22954", + "datePublished": "2022-04-11T19:37:39", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:53.696Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Workspace ONE Access", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0." + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Authentication bypass", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-13T17:05:58", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22955", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Workspace ONE Access", + "version": { + "version_data": [ + { + "version_value": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0." + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Authentication bypass" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:54.009Z" + }, + "references": [ + { + "name": "Test (7180/24750) [3430/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22955" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22955", + "datePublished": "2022-04-13T17:05:58", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:54.009Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22956", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "dateUpdated": "2024-06-03T14:55:54.331Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-04-13T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2023-04-18T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "VMware Workspace ONE Access", + "versions": [ + { + "version": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0.", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + }, + { + "url": "http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Execution.html" + }, + { + "url": "http://packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Execution.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Authentication bypass" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:54.331Z" + }, + "references": [ + { + "name": "Test (7181/24750) [3431/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22956" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22957", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "dateUpdated": "2024-06-03T14:55:54.632Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-04-13T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2023-04-18T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "VMware Workspace ONE Access, Identity Manager and vRealize Automation.", + "versions": [ + { + "version": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3. vRealize Automation 7.6.", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + }, + { + "url": "http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Execution.html" + }, + { + "url": "http://packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Execution.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Remote code execution" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:54.632Z" + }, + "references": [ + { + "name": "Test (7182/24750) [3432/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22957" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Workspace ONE Access, Identity Manager and vRealize Automation.", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3. vRealize Automation 7.6." + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-13T17:05:58", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22958", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Workspace ONE Access, Identity Manager and vRealize Automation.", + "version": { + "version_data": [ + { + "version_value": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3. vRealize Automation 7.6." + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:54.937Z" + }, + "references": [ + { + "name": "Test (7183/24750) [3433/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22958" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22958", + "datePublished": "2022-04-13T17:05:58", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:54.937Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Workspace ONE Access, Identity Manager and vRealize Automation", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3. vRealize Automation 7.6." + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability. A malicious actor can trick a user through a cross site request forgery to unintentionally validate a malicious JDBC URI." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Cross site request forgery", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-13T17:05:54", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22959", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Workspace ONE Access, Identity Manager and vRealize Automation", + "version": { + "version_data": [ + { + "version_value": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3. vRealize Automation 7.6." + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability. A malicious actor can trick a user through a cross site request forgery to unintentionally validate a malicious JDBC URI." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross site request forgery" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:55.235Z" + }, + "references": [ + { + "name": "Test (7184/24750) [3434/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22959" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22959", + "datePublished": "2022-04-13T17:05:54", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:55.235Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22960", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "dateUpdated": "2024-06-03T14:55:55.559Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-04-13T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2023-04-19T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to 'root'." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "VMware Workspace ONE Access, Identity Manager and vRealize Automation", + "versions": [ + { + "version": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3. vRealize Automation 7.6.", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + }, + { + "url": "http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Execution.html" + }, + { + "url": "http://packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Execution.html" + }, + { + "url": "http://packetstormsecurity.com/files/171935/VMware-Workspace-ONE-Access-Privilege-Escalation.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Privilege escalation" + } + ] + } + ] + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-04-15", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2022-04-15T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22960 added to KEV" + }, + { + "time": "2022-04-15T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22960 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:42:52.486Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:55.559Z" + }, + "references": [ + { + "name": "Test (7185/24750) [3435/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22960" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Workspace ONE Access, Identity Manager and vRealize Automation", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3. vRealize Automation 7.6." + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information. A malicious actor with remote access may leak the hostname of the target system. Successful exploitation of this issue can lead to targeting victims." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information disclosure", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-13T17:05:56", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22961", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Workspace ONE Access, Identity Manager and vRealize Automation", + "version": { + "version_data": [ + { + "version_value": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3. vRealize Automation 7.6." + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information. A malicious actor with remote access may leak the hostname of the target system. Successful exploitation of this issue can lead to targeting victims." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Information disclosure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:55.863Z" + }, + "references": [ + { + "name": "Test (7186/24750) [3436/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22961" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22961", + "datePublished": "2022-04-13T17:05:56", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:55.863Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Horizon Agent for Linux", + "vendor": "VMware", + "versions": [ + { + "status": "affected", + "version": "VMware Horizon Agent for Linux prior to 22.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Horizon Agent for Linux (prior to 22.x) contains a local privilege escalation as a user is able to change the default shared folder location due to a vulnerable symbolic link. Successful exploitation can result in linking to a root owned file." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Local privilege escalation due to vulnerable symbolic link", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-20T16:54:34", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0012.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22962", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Horizon Agent for Linux", + "version": { + "version_data": [ + { + "version_value": "VMware Horizon Agent for Linux prior to 22.x" + } + ] + } + } + ] + }, + "vendor_name": "VMware" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Horizon Agent for Linux (prior to 22.x) contains a local privilege escalation as a user is able to change the default shared folder location due to a vulnerable symbolic link. Successful exploitation can result in linking to a root owned file." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Local privilege escalation due to vulnerable symbolic link" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0012.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0012.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:56.173Z" + }, + "references": [ + { + "name": "Test (7187/24750) [3437/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22962" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22962", + "datePublished": "2022-04-11T19:38:28", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:56.173Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22963", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "dateUpdated": "2024-06-03T14:55:56.491Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-04-01T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2023-07-13T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "Spring Cloud Function", + "versions": [ + { + "version": "Spring Cloud Function versions 3.1.6, 3.2.2 and all old and unsupported versions", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://tanzu.vmware.com/security/cve-2022-22963" + }, + { + "name": "20220401 Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022", + "tags": [ + "vendor-advisory" + ], + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", + "cweId": "CWE-94" + } + ] + } + ] + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-08-25", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2022-08-25T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22963 added to KEV" + }, + { + "time": "2022-08-25T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22963 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:43:40.888Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:56.491Z" + }, + "references": [ + { + "name": "Test (7188/24750) [3438/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22963" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Horizon Agent for Linux", + "vendor": "VMware", + "versions": [ + { + "status": "affected", + "version": "VMware Horizon Agent for Linux prior to 22.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Horizon Agent for Linux (prior to 22.x) contains a local privilege escalation that allows a user to escalate to root due to a vulnerable configuration file." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Local privilege escalation due to vulnerable configuration file", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-20T16:53:01", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0012.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22964", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Horizon Agent for Linux", + "version": { + "version_data": [ + { + "version_value": "VMware Horizon Agent for Linux prior to 22.x" + } + ] + } + } + ] + }, + "vendor_name": "VMware" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Horizon Agent for Linux (prior to 22.x) contains a local privilege escalation that allows a user to escalate to root due to a vulnerable configuration file." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Local privilege escalation due to vulnerable configuration file" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0012.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0012.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:56.840Z" + }, + "references": [ + { + "name": "Test (7189/24750) [3439/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22964" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22964", + "datePublished": "2022-04-11T19:38:29", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:56.840Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Spring Framework", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-94", + "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T16:46:59", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tanzu.vmware.com/security/cve-2022-22965" + }, + { + "name": "20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022", + "tags": [ + "vendor-advisory", + "x_refsource_CISCO" + ], + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22965", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Spring Framework", + "version": { + "version_data": [ + { + "version_value": "Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-94: Improper Control of Generation of Code ('Code Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://tanzu.vmware.com/security/cve-2022-22965", + "refsource": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22965" + }, + { + "name": "20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022", + "refsource": "CISCO", + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67" + }, + { + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005", + "refsource": "CONFIRM", + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005" + }, + { + "name": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html" + }, + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf", + "refsource": "CONFIRM", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "name": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-04-04", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2022-04-04T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22965 added to KEV" + }, + { + "time": "2022-04-04T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-22965 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:42:45.071Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:57.151Z" + }, + "references": [ + { + "name": "Test (7190/24750) [3440/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22965" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22965", + "datePublished": "2022-04-01T22:17:30", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:57.151Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Cloud Director", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "VMware Cloud Director versions prior to 10.3.3, 10.2.2.3, 10.1.4.1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An authenticated, high privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote code execution", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-14T20:05:49", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0013.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22966", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Cloud Director", + "version": { + "version_data": [ + { + "version_value": "VMware Cloud Director versions prior to 10.3.3, 10.2.2.3, 10.1.4.1" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An authenticated, high privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote code execution" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0013.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0013.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:57.484Z" + }, + "references": [ + { + "name": "Test (7191/24750) [3441/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22966" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22966", + "datePublished": "2022-04-14T20:05:49", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:57.484Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2023-10-31T13:06:49.249445" + }, + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "SaltStack Salt", + "versions": [ + { + "version": "SaltStack Salt prior to 3002.9, 3003.5, 3004.2", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://repo.saltproject.io/" + }, + { + "url": "https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/%2C" + }, + { + "name": "GLSA-202310-22", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202310-22" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "PAM auth fails to reject locked accounts." + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:57.797Z" + }, + "references": [ + { + "name": "Test (7192/24750) [3442/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22967" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22967", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "dateUpdated": "2024-06-03T14:55:57.797Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-06-22T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Spring Framework", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Data Binding Rules Vulnerability", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T16:47:10", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tanzu.vmware.com/security/cve-2022-22968" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://security.netapp.com/advisory/ntap-20220602-0004/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22968", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Spring Framework", + "version": { + "version_data": [ + { + "version_value": "Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Data Binding Rules Vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://tanzu.vmware.com/security/cve-2022-22968", + "refsource": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22968" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "name": "https://security.netapp.com/advisory/ntap-20220602-0004/", + "refsource": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220602-0004/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:58.104Z" + }, + "references": [ + { + "name": "Test (7193/24750) [3443/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22968" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22968", + "datePublished": "2022-04-14T20:05:50", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:58.104Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Spring Security OAuth", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": " Spring Security OAuth 2.5.x prior to 2.5.2 and older unsupported versions" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": " Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Denial of Service (DoS)", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T16:47:21", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tanzu.vmware.com/security/cve-2022-22969" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22969", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Spring Security OAuth", + "version": { + "version_data": [ + { + "version_value": " Spring Security OAuth 2.5.x prior to 2.5.2 and older unsupported versions" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": " Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Denial of Service (DoS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://tanzu.vmware.com/security/cve-2022-22969", + "refsource": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22969" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:58.432Z" + }, + "references": [ + { + "name": "Test (7194/24750) [3444/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22969" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22969", + "datePublished": "2022-04-21T18:16:02", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:58.432Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Spring Framework", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Spring Framework versions 5.3.x prior to 5.3.20, 5.2.x prior to 5.2.22 and all old and unsupported versions" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-770", + "description": "CWE-770: Allocation of Resources Without Limits or Throttling", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T16:47:31", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tanzu.vmware.com/security/cve-2022-22970" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://security.netapp.com/advisory/ntap-20220616-0006/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22970", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Spring Framework", + "version": { + "version_data": [ + { + "version_value": "Spring Framework versions 5.3.x prior to 5.3.20, 5.2.x prior to 5.2.22 and all old and unsupported versions" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-770: Allocation of Resources Without Limits or Throttling" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://tanzu.vmware.com/security/cve-2022-22970", + "refsource": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22970" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "name": "https://security.netapp.com/advisory/ntap-20220616-0006/", + "refsource": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220616-0006/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:58.748Z" + }, + "references": [ + { + "name": "Test (7195/24750) [3445/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22970" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22970", + "datePublished": "2022-05-12T19:28:47", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:58.748Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Spring Framework", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Spring Framework versions 5.3.x prior to 5.3.20, 5.2.x prior to 5.2.22 and all old and unsupported versions" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-770", + "description": "CWE-770: Allocation of Resources Without Limits or Throttling", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T16:47:39", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tanzu.vmware.com/security/cve-2022-22971" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://security.netapp.com/advisory/ntap-20220616-0003/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22971", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Spring Framework", + "version": { + "version_data": [ + { + "version_value": "Spring Framework versions 5.3.x prior to 5.3.20, 5.2.x prior to 5.2.22 and all old and unsupported versions" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-770: Allocation of Resources Without Limits or Throttling" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://tanzu.vmware.com/security/cve-2022-22971", + "refsource": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22971" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "name": "https://security.netapp.com/advisory/ntap-20220616-0003/", + "refsource": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220616-0003/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:59.056Z" + }, + "references": [ + { + "name": "Test (7196/24750) [3446/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22971" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22971", + "datePublished": "2022-05-12T19:30:49", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:59.056Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Workspace ONE Access, Identity Manager and vRealize Automation", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3. vRealize Automation 7.6." + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Authentication Bypass", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-20T20:18:39", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0014.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22972", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Workspace ONE Access, Identity Manager and vRealize Automation", + "version": { + "version_data": [ + { + "version_value": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3. vRealize Automation 7.6." + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Authentication Bypass" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0014.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0014.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:59.380Z" + }, + "references": [ + { + "name": "Test (7197/24750) [3447/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22972" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22972", + "datePublished": "2022-05-20T20:18:39", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:59.380Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Workspace ONE Access and Identity Manager.", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3." + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. A malicious actor with local access can escalate privileges to 'root'." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Privilege escalation", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-20T20:18:27", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0014.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22973", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Workspace ONE Access and Identity Manager.", + "version": { + "version_data": [ + { + "version_value": "Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0. Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3." + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. A malicious actor with local access can escalate privileges to 'root'." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Privilege escalation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0014.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0014.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:55:59.704Z" + }, + "references": [ + { + "name": "Test (7198/24750) [3448/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22973" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22973", + "datePublished": "2022-05-20T20:18:27", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:55:59.704Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Pinniped", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Pinniped versions before v0.17.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in the Pinniped Supervisor with either LADPIdentityProvider or ActiveDirectoryIdentityProvider resources. An attack would involve the malicious user changing the common name (CN) of their user entry on the LDAP or AD server to include special characters, which could be used to perform LDAP query injection on the Supervisor's LDAP query which determines their Kubernetes group membership." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "LDAP query injection in Pinniped Supervisor before v0.17.0 causes a malicious user to escalate privileges by changing Kubernetes group memberships when the attacker is also able to edit their own LDAP user entry", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-11T15:13:50", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-hvrf-5hhv-4348" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22975", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Pinniped", + "version": { + "version_data": [ + { + "version_value": "Pinniped versions before v0.17.0" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue was discovered in the Pinniped Supervisor with either LADPIdentityProvider or ActiveDirectoryIdentityProvider resources. An attack would involve the malicious user changing the common name (CN) of their user entry on the LDAP or AD server to include special characters, which could be used to perform LDAP query injection on the Supervisor's LDAP query which determines their Kubernetes group membership." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "LDAP query injection in Pinniped Supervisor before v0.17.0 causes a malicious user to escalate privileges by changing Kubernetes group memberships when the attacker is also able to edit their own LDAP user entry" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-hvrf-5hhv-4348", + "refsource": "MISC", + "url": "https://github.com/vmware-tanzu/pinniped/security/advisories/GHSA-hvrf-5hhv-4348" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:00.027Z" + }, + "references": [ + { + "name": "Test (7199/24750) [3449/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22975" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22975", + "datePublished": "2022-05-11T15:13:50", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:00.027Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Spring Security", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-190", + "description": "CWE-190: Integer Overflow or Wraparound", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T16:47:52", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tanzu.vmware.com/security/cve-2022-22976" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://security.netapp.com/advisory/ntap-20220707-0003/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22976", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Spring Security", + "version": { + "version_data": [ + { + "version_value": "Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-190: Integer Overflow or Wraparound" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://tanzu.vmware.com/security/cve-2022-22976", + "refsource": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22976" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "name": "https://security.netapp.com/advisory/ntap-20220707-0003/", + "refsource": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220707-0003/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:00.394Z" + }, + "references": [ + { + "name": "Test (7200/24750) [3450/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22976" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22976", + "datePublished": "2022-05-19T14:50:46", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:00.394Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Tools for Windows", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "VMware Tools for Windows (12.0.0, 11.x.y and 10.x.y)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "XML External Entity (XXE) vulnerability", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-24T18:15:38", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0015.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22977", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Tools for Windows", + "version": { + "version_data": [ + { + "version_value": "VMware Tools for Windows (12.0.0, 11.x.y and 10.x.y)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "XML External Entity (XXE) vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0015.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0015.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:20.108Z" + }, + "references": [ + { + "name": "Test (7201/24750) [3451/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22977" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22977", + "datePublished": "2022-05-24T18:15:38", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:20.108Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22978", + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "dateUpdated": "2024-06-03T14:56:20.431Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-05-19T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware", + "dateUpdated": "2023-04-11T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "Spring Security", + "versions": [ + { + "version": "Spring security versions 5.4.x prior to 5.4.11+,5.5.x prior to 5.5.7+,5.6.x prior to 5.6.4+ and all earlier unsupported versions", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://spring.io/security/cve-2022-22978" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-863- improper authorization", + "cweId": "CWE-863" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:20.431Z" + }, + "references": [ + { + "name": "Test (7202/24750) [3452/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22978" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Spring Cloud Function", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Spring Cloud Function (prior to 3.2.6)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "In Spring Cloud Function versions prior to 3.2.6, it is possible for a user who directly interacts with framework provided lookup functionality to cause a denial-of-service condition due to the caching issue in the Function Catalog component of the framework." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Denial-of-service vulnerability", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-21T14:23:38", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tanzu.vmware.com/security/cve-2022-22979" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22979", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Spring Cloud Function", + "version": { + "version_data": [ + { + "version_value": "Spring Cloud Function (prior to 3.2.6)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Spring Cloud Function versions prior to 3.2.6, it is possible for a user who directly interacts with framework provided lookup functionality to cause a denial-of-service condition due to the caching issue in the Function Catalog component of the framework." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Denial-of-service vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://tanzu.vmware.com/security/cve-2022-22979", + "refsource": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22979" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:20.756Z" + }, + "references": [ + { + "name": "Test (7203/24750) [3453/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22979" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22979", + "datePublished": "2022-06-21T14:23:38", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:20.756Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Spring Data MongoDB", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "3.4.0, 3.3.0 to 3.3.4 and Older" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-22T13:56:00", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tanzu.vmware.com/security/cve-2022-22980" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22980", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Spring Data MongoDB", + "version": { + "version_data": [ + { + "version_value": "3.4.0, 3.3.0 to 3.3.4 and Older" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://tanzu.vmware.com/security/cve-2022-22980", + "refsource": "MISC", + "url": "https://tanzu.vmware.com/security/cve-2022-22980" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:21.068Z" + }, + "references": [ + { + "name": "Test (7204/24750) [3454/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22980" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22980", + "datePublished": "2022-06-22T13:56:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:21.068Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware vCenter Server", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "VMware vCenter Server (7.0 before 7.0 U3f, 6.7 before 6.7 U3r & 6.5 before 6.5 U3t)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The vCenter Server contains a server-side request forgery (SSRF) vulnerability. A malicious actor with network access to 443 on the vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Server-side request forgery vulnerability", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-13T18:18:58", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0018.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22982", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware vCenter Server", + "version": { + "version_data": [ + { + "version_value": "VMware vCenter Server (7.0 before 7.0 U3f, 6.7 before 6.7 U3r & 6.5 before 6.5 U3t)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The vCenter Server contains a server-side request forgery (SSRF) vulnerability. A malicious actor with network access to 443 on the vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Server-side request forgery vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0018.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0018.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:21.399Z" + }, + "references": [ + { + "name": "Test (7205/24750) [3455/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22982" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22982", + "datePublished": "2022-07-13T18:18:58", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:21.399Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "VMware Workstation", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "VMware Workstation (16.x prior to 16.2.4)" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "VMware Workstation (16.x prior to 16.2.4) contains an unprotected storage of credentials vulnerability. A malicious actor with local user privileges to the victim machine may exploit this vulnerability leading to the disclosure of user passwords of the remote server connected through VMware Workstation." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Unprotected storage of credentials vulnerability", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-09T20:19:57", + "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "shortName": "vmware" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0023.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@vmware.com", + "ID": "CVE-2022-22983", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "VMware Workstation", + "version": { + "version_data": [ + { + "version_value": "VMware Workstation (16.x prior to 16.2.4)" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "VMware Workstation (16.x prior to 16.2.4) contains an unprotected storage of credentials vulnerability. A malicious actor with local user privileges to the victim machine may exploit this vulnerability leading to the disclosure of user passwords of the remote server connected through VMware Workstation." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Unprotected storage of credentials vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.vmware.com/security/advisories/VMSA-2022-0023.html", + "refsource": "MISC", + "url": "https://www.vmware.com/security/advisories/VMSA-2022-0023.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:21.708Z" + }, + "references": [ + { + "name": "Test (7206/24750) [3456/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22983" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", + "assignerShortName": "vmware", + "cveId": "CVE-2022-22983", + "datePublished": "2022-08-09T20:19:57", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:21.708Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22984", + "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", + "assignerShortName": "snyk", + "datePublished": "2022-11-30T00:00:00", + "dateUpdated": "2024-06-03T14:56:22.016Z", + "dateReserved": "2022-02-24T00:00:00" + }, + "containers": { + "cna": { + "title": "Command Injection", + "datePublic": "2022-11-30T00:00:00", + "providerMetadata": { + "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", + "shortName": "snyk", + "dateUpdated": "2022-11-30T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342). A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration pipelines, where developers can control the arguments passed to the Snyk CLI to leverage this component as part of a wider attack against an integration/build pipeline. This issue has been addressed in the latest Snyk Docker images available at https://hub.docker.com/r/snyk/snyk as of 2022-11-29. Images downloaded and built prior to that date should be updated. The issue has also been addressed in the Snyk TeamCity CI/CD plugin as of version v20221130.093605." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "snyk", + "versions": [ + { + "version": "unspecified", + "lessThan": "1.1064.0", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "n/a", + "product": "snyk-mvn-plugin", + "versions": [ + { + "version": "unspecified", + "lessThan": "2.31.3", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "n/a", + "product": "snyk-gradle-plugin", + "versions": [ + { + "version": "unspecified", + "lessThan": "3.24.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "n/a", + "product": "@snyk/snyk-cocoapods-plugin", + "versions": [ + { + "version": "unspecified", + "lessThan": "2.5.3", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "n/a", + "product": "snyk-sbt-plugin", + "versions": [ + { + "version": "unspecified", + "lessThan": "2.16.2", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "n/a", + "product": "snyk-python-plugin", + "versions": [ + { + "version": "unspecified", + "lessThan": "1.24.2", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "n/a", + "product": "snyk-docker-plugin", + "versions": [ + { + "version": "unspecified", + "lessThan": "5.6.5", + "status": "affected", + "versionType": "custom" + } + ] + }, + { + "vendor": "n/a", + "product": "@snyk/snyk-hex-plugin", + "versions": [ + { + "version": "unspecified", + "lessThan": "1.1.6", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" + }, + { + "url": "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622" + }, + { + "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623" + }, + { + "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624" + }, + { + "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625" + }, + { + "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626" + }, + { + "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677" + }, + { + "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679" + }, + { + "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680" + }, + { + "url": "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a" + }, + { + "url": "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009" + }, + { + "url": "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50" + }, + { + "url": "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437" + }, + { + "url": "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3" + }, + { + "url": "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4" + }, + { + "url": "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381" + }, + { + "url": "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357" + } + ], + "credits": [ + { + "lang": "en", + "value": "Ron Masas - Imperva" + } + ], + "metrics": [ + { + "cvssV3_1": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P", + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "LOW", + "exploitCodeMaturity": "PROOF_OF_CONCEPT", + "remediationLevel": "NOT_DEFINED", + "reportConfidence": "NOT_DEFINED", + "baseScore": 5, + "temporalScore": 4.7, + "baseSeverity": "MEDIUM", + "temporalSeverity": "MEDIUM" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Command Injection" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:22.016Z" + }, + "references": [ + { + "name": "Test (7207/24750) [3457/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22984" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "IPCOMM ipDIO ", + "vendor": "IPCOMM", + "versions": [ + { + "status": "affected", + "version": "3.9" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Aarón Flecha Menéndez of S21Sec reported these vulnerabilities to CISA." + } + ], + "datePublic": "2022-03-03T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to review history." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-94", + "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-09T15:33:40", + "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", + "shortName": "icscert" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01" + } + ], + "solutions": [ + { + "lang": "en", + "value": "IPCOMM recommends upgrading to its ip4Cloud device, which is the successor to ipDIO. Contact IPCOMM customer support for assistance with the upgrade. For more information, visit the IPCOMM ip4Cloud product page." + } + ], + "source": { + "advisory": "ICSA-22-062-01", + "discovery": "EXTERNAL" + }, + "title": "ICSA-22-062-01 IPCOMM ipDIO", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2022-03-03T18:40:00.000Z", + "ID": "CVE-2022-22985", + "STATE": "PUBLIC", + "TITLE": "ICSA-22-062-01 IPCOMM ipDIO" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "IPCOMM ipDIO ", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_name": "3.9", + "version_value": "3.9" + } + ] + } + } + ] + }, + "vendor_name": "IPCOMM" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Aarón Flecha Menéndez of S21Sec reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to review history." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-94 Improper Control of Generation of Code ('Code Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01", + "refsource": "MISC", + "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "IPCOMM recommends upgrading to its ip4Cloud device, which is the successor to ipDIO. Contact IPCOMM customer support for assistance with the upgrade. For more information, visit the IPCOMM ip4Cloud product page." + } + ], + "source": { + "advisory": "ICSA-22-062-01", + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:22.444Z" + }, + "references": [ + { + "name": "Test (7208/24750) [3458/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22985" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", + "assignerShortName": "icscert", + "cveId": "CVE-2022-22985", + "datePublished": "2022-03-03T00:00:00", + "dateReserved": "2022-02-15T00:00:00", + "dateUpdated": "2024-06-03T14:56:22.444Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Netcommunity OG410X and OG810X series", + "vendor": "NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION (NTT East) and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION (NTT West)", + "versions": [ + { + "status": "affected", + "version": "Netcommunity OG410Xa, OG410Xi, OG810Xa and OG810Xi firmware Ver.2.28 and earlier" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "OS Command Injection", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-31T07:20:41", + "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", + "shortName": "jpcert" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://business.ntt-east.co.jp/topics/2022/03_22.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.ntt-west.co.jp/smb/kiki_info/info/220322.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://jvn.jp/en/vu/JVNVU94900322/index.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vultures@jpcert.or.jp", + "ID": "CVE-2022-22986", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Netcommunity OG410X and OG810X series", + "version": { + "version_data": [ + { + "version_value": "Netcommunity OG410Xa, OG410Xi, OG810Xa and OG810Xi firmware Ver.2.28 and earlier" + } + ] + } + } + ] + }, + "vendor_name": "NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION (NTT East) and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION (NTT West)" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "OS Command Injection" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://business.ntt-east.co.jp/topics/2022/03_22.html", + "refsource": "MISC", + "url": "https://business.ntt-east.co.jp/topics/2022/03_22.html" + }, + { + "name": "https://www.ntt-west.co.jp/smb/kiki_info/info/220322.html", + "refsource": "MISC", + "url": "https://www.ntt-west.co.jp/smb/kiki_info/info/220322.html" + }, + { + "name": "https://jvn.jp/en/vu/JVNVU94900322/index.html", + "refsource": "MISC", + "url": "https://jvn.jp/en/vu/JVNVU94900322/index.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:22.789Z" + }, + "references": [ + { + "name": "Test (7209/24750) [3459/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22986" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", + "assignerShortName": "jpcert", + "cveId": "CVE-2022-22986", + "datePublished": "2022-03-31T07:20:41", + "dateReserved": "2022-02-02T00:00:00", + "dateUpdated": "2024-06-03T14:56:22.789Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ADAM-3600", + "vendor": "Advantech", + "versions": [ + { + "lessThanOrEqual": "2.6.2", + "status": "affected", + "version": "ADAM-3600", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Aagam Shah (neutrinoguy) reported this vulnerability to CISA." + } + ], + "datePublic": "2022-02-01T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The affected product has a hardcoded private key available inside the project folder, which may allow an attacker to achieve Web Server login and perform further actions." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-321", + "description": "CWE-321 Use of Hard-coded Cryptographic Key", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T22:29:29", + "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", + "shortName": "icscert" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-032-02" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Advantech ADAM-3600", + "workarounds": [ + { + "lang": "en", + "value": "Advantech is aware of the issue and is currently developing a solution. For more information, contact Advantech technical support. \n\nAdvantech recommends users add their own generated SSL private key." + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2022-02-01T23:08:00.000Z", + "ID": "CVE-2022-22987", + "STATE": "PUBLIC", + "TITLE": "Advantech ADAM-3600" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ADAM-3600", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "ADAM-3600", + "version_value": "2.6.2" + } + ] + } + } + ] + }, + "vendor_name": "Advantech" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Aagam Shah (neutrinoguy) reported this vulnerability to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The affected product has a hardcoded private key available inside the project folder, which may allow an attacker to achieve Web Server login and perform further actions." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-321 Use of Hard-coded Cryptographic Key" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-032-02", + "refsource": "CONFIRM", + "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-032-02" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "en", + "value": "Advantech is aware of the issue and is currently developing a solution. For more information, contact Advantech technical support. \n\nAdvantech recommends users add their own generated SSL private key." + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:23.107Z" + }, + "references": [ + { + "name": "Test (7210/24750) [3460/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22987" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", + "assignerShortName": "icscert", + "cveId": "CVE-2022-22987", + "datePublished": "2022-02-01T00:00:00", + "dateReserved": "2022-01-27T00:00:00", + "dateUpdated": "2024-06-03T14:56:23.107Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unaffected", + "platforms": [ + "Mac" + ], + "product": "EdgeRover", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "1.5.0-576", + "status": "affected", + "version": "EdgeRover Mac Desktop App", + "versionType": "custom" + } + ] + }, + { + "defaultStatus": "unaffected", + "platforms": [ + "Windows" + ], + "product": "EdgeRover", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "1.5.0-576", + "status": "affected", + "version": "EdgeRover Windows Desktop App", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

File and directory permissions have been corrected to prevent unintended users from modifying or accessing resources. It would be more difficult for an authenticated attacker to now traverse through the files and directories. This can only be exploited once an attacker has already found a way to get authenticated access to the device. 

" + } + ], + "value": "File and directory permissions have been corrected to prevent unintended users from modifying or accessing resources. It would be more difficult for an authenticated attacker to now traverse through the files and directories. This can only be exploited once an attacker has already found a way to get authenticated access to the device. \n\n" + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 7.7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + }, + "format": "CVSS", + "scenarios": [ + { + "lang": "en", + "value": "GENERAL" + } + ] + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-275", + "description": "CWE-275 Permission Issues", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT", + "dateUpdated": "2023-10-12T20:25:41.972Z" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22003-edgerover-desktop-app-version-1-5-0-576" + } + ], + "solutions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

Update your EdgeRover Application to version 1.5.0-576 on Windows and Mac systems.

" + } + ], + "value": "Update your EdgeRover Application to version 1.5.0-576 on Windows and Mac systems. \n\n" + } + ], + "source": { + "discovery": "INTERNAL" + }, + "title": "Insecure file and directory permissions on EdgeRover", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-22988", + "STATE": "PUBLIC", + "TITLE": "Insecure file and directory permissions on EdgeRover" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "EdgeRover", + "version": { + "version_data": [ + { + "platform": "Mac", + "version_affected": "<", + "version_name": "EdgeRover Mac Desktop App", + "version_value": "1.5.0-576" + }, + { + "platform": "Windows", + "version_affected": "<", + "version_name": "EdgeRover Windows Desktop App", + "version_value": "1.5.0-576" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "File and directory permissions have been corrected to prevent unintended users from modifying or accessing resources." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 9, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-275 Permission Issues" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22003-edgerover-desktop-app-version-1-5-0-576", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22003-edgerover-desktop-app-version-1-5-0-576" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update your EdgeRover Application to version 1.5.0-576 on Windows and Mac systems. " + } + ], + "source": { + "discovery": "INTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:23.468Z" + }, + "references": [ + { + "name": "Test (7211/24750) [3461/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22988" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-22988", + "datePublished": "2022-01-13T20:27:27", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:23.468Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unaffected", + "product": "My Cloud", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "5.19.117", + "status": "affected", + "version": "My Cloud OS 5", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the network. Addressed the vulnerability by adding defenses against stack overflow issues.

" + } + ], + "value": "My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the network. Addressed the vulnerability by adding defenses against stack overflow issues.\n\n" + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + }, + "format": "CVSS", + "scenarios": [ + { + "lang": "en", + "value": "GENERAL" + } + ] + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-121", + "description": "CWE-121 Stack-based Buffer Overflow", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT", + "dateUpdated": "2023-10-12T20:41:26.870Z" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + } + ], + "solutions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

Update your My Cloud device to firmware version 5.19.117.

" + } + ], + "value": "Update your My Cloud device to firmware version 5.19.117.\n\n" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Pre-authenticated stack overflow vulnerability on FTP Service", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-22989", + "STATE": "PUBLIC", + "TITLE": "Pre-authenticated stack overflow vulnerability on FTP Service" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "My Cloud", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "My Cloud OS 5", + "version_value": "5.19.117" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service. Addressed the vulnerability by adding defenses against stack overflow issues." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 9, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-121 Stack-based Buffer Overflow" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update your My Cloud device to firmware version 5.19.117." + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:23.780Z" + }, + "references": [ + { + "name": "Test (7212/24750) [3462/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22989" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-22989", + "datePublished": "2022-01-13T20:27:24", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:23.780Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "My Cloud", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "5.19.117", + "status": "affected", + "version": "My Cloud OS 5", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-287", + "description": "CWE-287 Improper Authentication", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-15T15:06:30", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-076/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-347/" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update your My Cloud device to firmware version 5.19.117." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Limited authentication bypass vulnerability on Western Digital My Cloud devices", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-22990", + "STATE": "PUBLIC", + "TITLE": "Limited authentication bypass vulnerability on Western Digital My Cloud devices" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "My Cloud", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "My Cloud OS 5", + "version_value": "5.19.117" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-287 Improper Authentication" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + }, + { + "name": "https://www.zerodayinitiative.com/advisories/ZDI-22-076/", + "refsource": "MISC", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-076/" + }, + { + "name": "https://www.zerodayinitiative.com/advisories/ZDI-22-347/", + "refsource": "MISC", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-347/" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update your My Cloud device to firmware version 5.19.117." + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:24.104Z" + }, + "references": [ + { + "name": "Test (7213/24750) [3463/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22990" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-22990", + "datePublished": "2022-01-13T20:27:26", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:24.104Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "My Cloud", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "5.19.117", + "status": "affected", + "version": "My Cloud OS 5", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-78", + "description": "CWE-78 OS Command Injection", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-17T14:06:10", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-077/" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update your My Cloud device to firmware version 5.19.117." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Command injection through unsecured HTTP calls on Western Digital My Cloud devices", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-22991", + "STATE": "PUBLIC", + "TITLE": "Command injection through unsecured HTTP calls on Western Digital My Cloud devices" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "My Cloud", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "My Cloud OS 5", + "version_value": "5.19.117" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-78 OS Command Injection" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + }, + { + "name": "https://www.zerodayinitiative.com/advisories/ZDI-22-077/", + "refsource": "MISC", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-077/" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update your My Cloud device to firmware version 5.19.117." + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:24.428Z" + }, + "references": [ + { + "name": "Test (7214/24750) [3464/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22991" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-22991", + "datePublished": "2022-01-13T20:27:25", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:24.428Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping individual arguments to shell functions coming from user input." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-28T19:35:04", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update your My Cloud device to firmware version 5.19.117." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Command Injection Remote Code Execution vulnerability on Western Digital My Cloud devices.", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-22992", + "STATE": "PUBLIC", + "TITLE": "Command Injection Remote Code Execution vulnerability on Western Digital My Cloud devices." + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping individual arguments to shell functions coming from user input." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update your My Cloud device to firmware version 5.19.117." + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:24.745Z" + }, + "references": [ + { + "name": "Test (7215/24750) [3465/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22992" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-22992", + "datePublished": "2022-01-28T19:35:04", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:24.745Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "My Cloud", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "5.19.117", + "status": "affected", + "version": "My Cloud OS 5", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-918", + "description": "CWE-918 Server-Side Request Forgery (SSRF)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-15T15:06:17", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-348/" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update your My Cloud device to firmware version 5.19.117." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Limited Server-Side Request Forgery vulnerability on Western Digital My Cloud devices.", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-22993", + "STATE": "PUBLIC", + "TITLE": "Limited Server-Side Request Forgery vulnerability on Western Digital My Cloud devices." + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "My Cloud", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "My Cloud OS 5", + "version_value": "5.19.117" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-918 Server-Side Request Forgery (SSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + }, + { + "name": "https://www.zerodayinitiative.com/advisories/ZDI-22-348/", + "refsource": "MISC", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-348/" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update your My Cloud device to firmware version 5.19.117." + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:25.075Z" + }, + "references": [ + { + "name": "Test (7216/24750) [3466/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22993" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-22993", + "datePublished": "2022-01-28T19:09:29", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:25.075Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "My Cloud", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "5.19.117", + "status": "affected", + "version": "My Cloud OS 5", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-345", + "description": "CWE-345 Insufficient Verification of Data Authenticity", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-15T15:06:21", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-349/" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update your My Cloud device to firmware version 5.19.117." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability on Western Digital My Cloud devices.", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-22994", + "STATE": "PUBLIC", + "TITLE": "Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability on Western Digital My Cloud devices." + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "My Cloud", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "My Cloud OS 5", + "version_value": "5.19.117" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-345 Insufficient Verification of Data Authenticity" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117" + }, + { + "name": "https://www.zerodayinitiative.com/advisories/ZDI-22-349/", + "refsource": "MISC", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-349/" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update your My Cloud device to firmware version 5.19.117." + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:25.409Z" + }, + "references": [ + { + "name": "Test (7217/24750) [3467/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22994" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-22994", + "datePublished": "2022-01-28T19:35:05", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:25.409Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Western Digital My Cloud OS 5 and My Cloud Home Unauthenticated Arbitrary File Write Vulnerability in Netatalk", + "providerMetadata": { + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT", + "dateUpdated": "2024-01-04T22:06:13.592937" + }, + "descriptions": [ + { + "lang": "en", + "value": "The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code." + } + ], + "affected": [ + { + "vendor": "Western Digital", + "product": "My Cloud", + "versions": [ + { + "version": "My Cloud OS 5", + "status": "affected", + "lessThan": " 5.19.117", + "versionType": "custom" + } + ], + "platforms": [ + "Linux" + ] + }, + { + "vendor": "Western Digital", + "product": "My Cloud Home", + "versions": [ + { + "version": "My Cloud Home", + "status": "affected", + "lessThan": " 7.16-220", + "versionType": "custom" + } + ], + "platforms": [ + "Android " + ] + } + ], + "references": [ + { + "url": "https://www.westerndigital.com/support/product-security/wdc-22005-netatalk-security-vulnerabilities" + }, + { + "name": "FEDORA-2023-cec97f7b5d", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO34FWOIJI6V6PH2XY52WNBBARVWPJG2/" + }, + { + "name": "FEDORA-2023-ef901c862c", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5CZZLFOTUP3QYHGHSDUNENGSLPJ6KGO/" + }, + { + "name": "GLSA-202311-02", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202311-02" + }, + { + "name": "FEDORA-2023-39f0ec3879", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/55ROUJI22SHZX5EM23QAILZHI67EZQKW/" + }, + { + "name": "[debian-lts-announce] 20240104 [SECURITY] [DLA 3706-1] netatalk security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00000.html" + } + ], + "credits": [ + { + "lang": "en", + "value": "Corentin BAYET (@OnlyTheDuck), Etienne HELLUY-LAFONT and Luca MORO (@johncool__) from Synacktiv working with Trend Micro’s Zero Day Initiative" + } + ], + "metrics": [ + { + "cvssV3_1": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "CHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "LOW", + "baseScore": 10, + "baseSeverity": "CRITICAL" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-59 Improper Link Resolution Before File Access ('Link Following')", + "cweId": "CWE-59" + } + ] + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "source": { + "discovery": "EXTERNAL" + }, + "solutions": [ + { + "lang": "en", + "value": "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification." + } + ] + }, + "adp": [ + { + "references": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5CZZLFOTUP3QYHGHSDUNENGSLPJ6KGO/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XO34FWOIJI6V6PH2XY52WNBBARVWPJG2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55ROUJI22SHZX5EM23QAILZHI67EZQKW/" + }, + { + "name": "Test (7218/24750) [3468/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22995" + } + ], + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:25.735Z" + } + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-22995", + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "dateUpdated": "2024-06-03T14:56:25.735Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-03-25T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "Windows" + ], + "product": "G-RAID 4/8 Software Utility", + "vendor": "SanDisk Professional", + "versions": [ + { + "lessThan": "300520006-2", + "status": "affected", + "version": "G-RAID 4/8 Software Utility", + "versionType": "custom" + }, + { + "lessThan": "V6.2.0,16-2", + "status": "affected", + "version": "G-RAID Windows Driver", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "DoHyun Lee(@l33d0hyun) and SeungYun LEE(@SeungYun_Le2) of Korea University Sejong Campus and JaeHeng Yoon(@onnoveath) } of JENBlack Soft " + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The G-RAID 4/8 Software Utility setups for Windows were affected by a DLL hijacking vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the system user." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-427", + "description": "CWE-427 Uncontrolled Search Path Element", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-30T16:03:01", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22007-sandisk-professional-g-raid-4-8-software-utility-setup-for-windows-privilege-escalation" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Western Digital recommends all users install the latest updates for the Windows app and driver from the links below.\n\nG-RAID Software Utility: https://download.g-technology.com/software/G-RAID_Software_Utility_300520006-2.zip\n\nWindows Driver: https://download.g-technology.com/software/SanDisk_WinDrv_Installer_V6.2.0.16-2_WHQL.zip" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "SanDisk Professional G-RAID 4/8 Software Utility, Privilege Escalation", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-22996", + "STATE": "PUBLIC", + "TITLE": "SanDisk Professional G-RAID 4/8 Software Utility, Privilege Escalation" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "G-RAID 4/8 Software Utility", + "version": { + "version_data": [ + { + "platform": "Windows", + "version_affected": "<", + "version_name": "G-RAID 4/8 Software Utility", + "version_value": "300520006-2" + }, + { + "platform": "Windows", + "version_affected": "<", + "version_name": "G-RAID Windows Driver", + "version_value": "V6.2.0,16-2" + } + ] + } + } + ] + }, + "vendor_name": "SanDisk Professional" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "DoHyun Lee(@l33d0hyun) and SeungYun LEE(@SeungYun_Le2) of Korea University Sejong Campus and JaeHeng Yoon(@onnoveath) } of JENBlack Soft " + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The G-RAID 4/8 Software Utility setups for Windows were affected by a DLL hijacking vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the system user." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-427 Uncontrolled Search Path Element" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22007-sandisk-professional-g-raid-4-8-software-utility-setup-for-windows-privilege-escalation", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22007-sandisk-professional-g-raid-4-8-software-utility-setup-for-windows-privilege-escalation" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Western Digital recommends all users install the latest updates for the Windows app and driver from the links below.\n\nG-RAID Software Utility: https://download.g-technology.com/software/G-RAID_Software_Utility_300520006-2.zip\n\nWindows Driver: https://download.g-technology.com/software/SanDisk_WinDrv_Installer_V6.2.0.16-2_WHQL.zip" + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:26.077Z" + }, + "references": [ + { + "name": "Test (7219/24750) [3469/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22996" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-22996", + "datePublished": "2022-03-30T16:03:01", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:26.077Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "Linux" + ], + "product": "My Cloud Home", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "8.5.1-102", + "status": "affected", + "version": "My Cloud Home Firmware", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Western Digital would like to thank Viettel Cyber Security for reporting this issue." + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-78", + "description": "CWE-78 OS Command Injection", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-12T20:22:36", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107" + } + ], + "solutions": [ + { + "lang": "en", + "value": "My Cloud Home devices have been automatically updated to resolve this vulnerability" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Command Injection Vulnerability on My Cloud Home", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-22997", + "STATE": "PUBLIC", + "TITLE": "Command Injection Vulnerability on My Cloud Home" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "My Cloud Home", + "version": { + "version_data": [ + { + "platform": "Linux", + "version_affected": "<", + "version_name": "My Cloud Home Firmware", + "version_value": "8.5.1-102" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Western Digital would like to thank Viettel Cyber Security for reporting this issue." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-78 OS Command Injection" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "My Cloud Home devices have been automatically updated to resolve this vulnerability" + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:26.434Z" + }, + "references": [ + { + "name": "Test (7220/24750) [3470/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22997" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-22997", + "datePublished": "2022-07-12T20:22:36", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:26.434Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "Linux" + ], + "product": "My Cloud Home", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "8.5.1-102", + "status": "affected", + "version": "My Cloud Home Firmware", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Western Digital would like to thank Viettel Cyber Security for reporting this issue." + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Implemented protections on AWS credentials that were not properly protected." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-522", + "description": "CWE-522 Insufficiently Protected Credentials", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-12T20:19:34", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107" + } + ], + "solutions": [ + { + "lang": "en", + "value": "My Cloud Home devices have been automatically updated to resolve this vulnerability" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Protecting AWS credentials stored in plaintext on My Cloud Home", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-22998", + "STATE": "PUBLIC", + "TITLE": "Protecting AWS credentials stored in plaintext on My Cloud Home" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "My Cloud Home", + "version": { + "version_data": [ + { + "platform": "Linux", + "version_affected": "<", + "version_name": "My Cloud Home Firmware", + "version_value": "8.5.1-102" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Western Digital would like to thank Viettel Cyber Security for reporting this issue." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Implemented protections on AWS credentials that were not properly protected." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-522 Insufficiently Protected Credentials" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "My Cloud Home devices have been automatically updated to resolve this vulnerability" + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:26.761Z" + }, + "references": [ + { + "name": "Test (7221/24750) [3471/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22998" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-22998", + "datePublished": "2022-07-12T20:19:34", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:26.761Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "Linux" + ], + "product": "My Cloud", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "5.23.114", + "status": "affected", + "version": "My Cloud OS 5", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 8.2, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Cross-site Scripting (XSS)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T18:47:36", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114" + } + ], + "solutions": [ + { + "lang": "en", + "value": "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification." + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Cross-site Scripting Vulnerability in USB Backups App", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-22999", + "STATE": "PUBLIC", + "TITLE": "Cross-site Scripting Vulnerability in USB Backups App" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "My Cloud", + "version": { + "version_data": [ + { + "platform": "Linux", + "version_affected": "<", + "version_name": "My Cloud OS 5", + "version_value": "5.23.114" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 8.2, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification." + } + ], + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:27.075Z" + }, + "references": [ + { + "name": "Test (7222/24750) [3472/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-22999" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-22999", + "datePublished": "2022-07-25T18:47:36", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:27.075Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "Linux" + ], + "product": "My Cloud", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "5.23.114", + "status": "affected", + "version": "My Cloud OS 5", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an \"SSL\" context instead of \"TLS\" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 7.3, + "baseSeverity": "HIGH", + "confidentialityImpact": "LOW", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-757", + "description": "CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T18:46:02", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114" + } + ], + "solutions": [ + { + "lang": "en", + "value": "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification." + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Weak Default SSL use in Port Forwarding Service", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-23000", + "STATE": "PUBLIC", + "TITLE": "Weak Default SSL use in Port Forwarding Service" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "My Cloud", + "version": { + "version_data": [ + { + "platform": "Linux", + "version_affected": "<", + "version_name": "My Cloud OS 5", + "version_value": "5.23.114" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an \"SSL\" context instead of \"TLS\" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 7.3, + "baseSeverity": "HIGH", + "confidentialityImpact": "LOW", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification." + } + ], + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:27.419Z" + }, + "references": [ + { + "name": "Test (7223/24750) [3473/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23000" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-23000", + "datePublished": "2022-07-25T18:46:02", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:27.419Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Sweet B Library", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "v2", + "status": "affected", + "version": "Sweet B Library", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "When compressing or decompressing elliptic curve points using the Sweet B library, an incorrect choice of sign bit is used. An attacker with user level privileges and no other user's assistance can exploit this vulnerability with only knowledge of the public key and the library. The resulting output may cause an error when used in other operations; for instance, verification of a valid signature under a decompressed public key may fail. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-682", + "description": "CWE-682 Incorrect Calculation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-29T18:51:26", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities" + } + ], + "solutions": [ + { + "lang": "en", + "value": "The vulnerability was addressed by correcting the choice of sign bit in the affected routines. To get the latest version of the Sweet B library, update your local repository from https://github.com/westerndigitalcorporation/sweet-b" + } + ], + "source": { + "discovery": "INTERNAL" + }, + "title": "Sweet-B Library: Point compress/decompress using the wrong bit for sign", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-23001", + "STATE": "PUBLIC", + "TITLE": "Sweet-B Library: Point compress/decompress using the wrong bit for sign" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Sweet B Library", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "Sweet B Library", + "version_value": "v2" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "When compressing or decompressing elliptic curve points using the Sweet B library, an incorrect choice of sign bit is used. An attacker with user level privileges and no other user's assistance can exploit this vulnerability with only knowledge of the public key and the library. The resulting output may cause an error when used in other operations; for instance, verification of a valid signature under a decompressed public key may fail. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-682 Incorrect Calculation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "The vulnerability was addressed by correcting the choice of sign bit in the affected routines. To get the latest version of the Sweet B library, update your local repository from https://github.com/westerndigitalcorporation/sweet-b" + } + ], + "source": { + "discovery": "INTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:27.759Z" + }, + "references": [ + { + "name": "Test (7224/24750) [3474/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23001" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-23001", + "datePublished": "2022-07-29T18:51:26", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:27.759Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Sweet B Library", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "v2", + "status": "affected", + "version": "Sweet B Library", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "When compressing or decompressing a point on the NIST P-256 elliptic curve with an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output will cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-703", + "description": "CWE-703 Improper Check or Handling of Exceptional Conditions", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-29T18:52:44", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities" + } + ], + "solutions": [ + { + "lang": "en", + "value": "The vulnerability was addressed by fully reducing the output modulo the field prime. To get the latest version of the Sweet B library, update your local repository from https://github.com/westerndigitalcorporation/sweet-b" + } + ], + "source": { + "discovery": "INTERNAL" + }, + "title": "Point Compression/Decompression of NIST P-256 points with X coordinate of zero", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-23002", + "STATE": "PUBLIC", + "TITLE": "Point Compression/Decompression of NIST P-256 points with X coordinate of zero" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Sweet B Library", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "Sweet B Library", + "version_value": "v2" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "When compressing or decompressing a point on the NIST P-256 elliptic curve with an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output will cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-703 Improper Check or Handling of Exceptional Conditions" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "The vulnerability was addressed by fully reducing the output modulo the field prime. To get the latest version of the Sweet B library, update your local repository from https://github.com/westerndigitalcorporation/sweet-b" + } + ], + "source": { + "discovery": "INTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:28.108Z" + }, + "references": [ + { + "name": "Test (7225/24750) [3475/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23002" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-23002", + "datePublished": "2022-07-29T18:52:44", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:28.108Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Sweet B Library", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "v2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "When computing a shared secret or point multiplication on the NIST P-256 curve that results in an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output may cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario or incorrect choice of session key in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-703", + "description": "CWE-703 Improper Check or Handling of Exceptional Conditions", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-29T18:54:29", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities" + } + ], + "solutions": [ + { + "lang": "en", + "value": "The vulnerability was addressed by fully reducing the output modulo the field prime. To get the latest version of the Sweet B library, update your local repository from https://github.com/westerndigitalcorporation/sweet-b" + } + ], + "source": { + "discovery": "INTERNAL" + }, + "title": "Shared secret or Point multiplication of NIST P-256 points with X coordinate of zero", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-23003", + "STATE": "PUBLIC", + "TITLE": "Shared secret or Point multiplication of NIST P-256 points with X coordinate of zero" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Sweet B Library", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "v2" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "When computing a shared secret or point multiplication on the NIST P-256 curve that results in an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output may cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario or incorrect choice of session key in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-703 Improper Check or Handling of Exceptional Conditions" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "The vulnerability was addressed by fully reducing the output modulo the field prime. To get the latest version of the Sweet B library, update your local repository from https://github.com/westerndigitalcorporation/sweet-b" + } + ], + "source": { + "discovery": "INTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:28.460Z" + }, + "references": [ + { + "name": "Test (7226/24750) [3476/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23003" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-23003", + "datePublished": "2022-07-29T18:54:29", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:28.460Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Sweet B Library", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "v2", + "status": "affected", + "version": "Sweet B Library", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "When computing a shared secret or point multiplication on the NIST P-256 curve using a public key with an X coordinate of zero, an error is returned from the library, and an invalid unreduced value is written to the output buffer. This may be leveraged by an attacker to cause an error scenario, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-707", + "description": "CWE-707 Improper Enforcement of Message or Data Structure", + "lang": "en", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-703", + "description": "CWE-703 Improper Check or Handling of Exceptional Conditions", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-29T18:55:55", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities" + } + ], + "solutions": [ + { + "lang": "en", + "value": "The vulnerability was addressed by improving the point-scalar multiplication algorithm to account for anomalous input and by ensuring that errors are returned from library routines before any output buffer is written. To get the latest version of the Sweet B library, update your local repository from https://github.com/westerndigitalcorporation/sweet-b" + } + ], + "source": { + "discovery": "INTERNAL" + }, + "title": "Algorithm incorrectly returning error and Invalid unreduced value written to output buffer", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-23004", + "STATE": "PUBLIC", + "TITLE": "Algorithm incorrectly returning error and Invalid unreduced value written to output buffer" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Sweet B Library", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "Sweet B Library", + "version_value": "v2" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "When computing a shared secret or point multiplication on the NIST P-256 curve using a public key with an X coordinate of zero, an error is returned from the library, and an invalid unreduced value is written to the output buffer. This may be leveraged by an attacker to cause an error scenario, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-707 Improper Enforcement of Message or Data Structure" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "CWE-703 Improper Check or Handling of Exceptional Conditions" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities", + "refsource": "MISC", + "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "The vulnerability was addressed by improving the point-scalar multiplication algorithm to account for anomalous input and by ensuring that errors are returned from library routines before any output buffer is written. To get the latest version of the Sweet B library, update your local repository from https://github.com/westerndigitalcorporation/sweet-b" + } + ], + "source": { + "discovery": "INTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:28.803Z" + }, + "references": [ + { + "name": "Test (7227/24750) [3477/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23004" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-23004", + "datePublished": "2022-07-29T18:55:55", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:28.803Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23005", + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "dateUpdated": "2024-06-03T14:56:29.144Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2023-01-23T00:00:00" + }, + "containers": { + "cna": { + "title": "Host Boot ROM Code Vulnerability in Systems Implementing UFS Boot Feature", + "providerMetadata": { + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT", + "dateUpdated": "2023-01-24T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Western Digital has identified a weakness in the UFS standard that could result in a security vulnerability. This vulnerability may exist in some systems where the Host boot ROM code implements the UFS Boot feature to boot from UFS compliant storage devices. The UFS Boot feature, as specified in the UFS standard, is provided by UFS devices to support platforms that need to download the system boot loader from external non-volatile storage locations. Several scenarios have been identified in which adversaries may disable the boot capability, or revert to an old boot loader code, if the host boot ROM code is improperly implemented. UFS Host Boot ROM implementers may be impacted by this vulnerability. UFS devices are only impacted when connected to a vulnerable UFS Host and are not independently impacted by this vulnerability. When present, the vulnerability is in the UFS Host implementation and is not a vulnerability in Western Digital UFS Devices. Western Digital has provided details of the vulnerability to the JEDEC standards body, multiple vendors of host processors, and software solutions providers." + } + ], + "affected": [ + { + "vendor": "NA", + "product": "NA", + "versions": [ + { + "version": "NA", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://www.westerndigital.com/support/product-security/wdc-23001-host-boot-rom-code-vulnerability-in-systems-implementing-ufs-boot-feature" + }, + { + "url": "https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-host-boot-rom-code-vulnerability-and-mitigation.pdf" + } + ], + "credits": [ + { + "lang": "en", + "value": "Rotem Sela and Avri Altman of Western Digital" + } + ], + "metrics": [ + { + "cvssV3_1": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "HIGH", + "userInteraction": "NONE", + "scope": "CHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 8.7, + "baseSeverity": "HIGH" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-1224 Improper Restriction of Write-Once Bit FieldsCWE-1224 Improper Restriction of Write-Once Bit Fields", + "cweId": "CWE-1224" + } + ] + }, + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection", + "cweId": "CWE-1233" + } + ] + }, + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-1262 Improper Access Control for Register Interface", + "cweId": "CWE-1262" + } + ] + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "source": { + "discovery": "INTERNAL" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:29.144Z" + }, + "references": [ + { + "name": "Test (7228/24750) [3478/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23005" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "Linux" + ], + "product": "My Cloud Home", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "8.10.0-117", + "status": "affected", + "version": "8.10.0-117", + "versionType": "custom" + } + ] + }, + { + "platforms": [ + "Linux" + ], + "product": "My Cloud Home Duo", + "vendor": "Western Digital", + "versions": [ + { + "lessThan": "8.10.0-117", + "status": "affected", + "version": "8.10.0-117", + "versionType": "custom" + } + ] + }, + { + "platforms": [ + "Linux" + ], + "product": "ibi", + "vendor": "SanDisk", + "versions": [ + { + "lessThan": "8.10.0-117", + "status": "affected", + "version": "8.10.0-117", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 1.8, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-121", + "description": "CWE-121 Stack-based Buffer Overflow", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-27T13:53:34", + "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "shortName": "WDC PSIRT" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23006" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Your device will be automatically updated to the latest firmware version." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Buffer Overflow Vulnerability in Western Digital My Cloud Home Products and SanDisk ibi", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@wdc.com", + "ID": "CVE-2022-23006", + "STATE": "PUBLIC", + "TITLE": "Buffer Overflow Vulnerability in Western Digital My Cloud Home Products and SanDisk ibi" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "My Cloud Home", + "version": { + "version_data": [ + { + "platform": "Linux", + "version_affected": "<", + "version_name": "8.10.0-117", + "version_value": "8.10.0-117" + } + ] + } + }, + { + "product_name": "My Cloud Home Duo", + "version": { + "version_data": [ + { + "platform": "Linux", + "version_affected": "<", + "version_name": "8.10.0-117", + "version_value": "8.10.0-117" + } + ] + } + } + ] + }, + "vendor_name": "Western Digital" + }, + { + "product": { + "product_data": [ + { + "product_name": "ibi", + "version": { + "version_data": [ + { + "platform": "Linux", + "version_affected": "<", + "version_name": "8.10.0-117", + "version_value": "8.10.0-117" + } + ] + } + } + ] + }, + "vendor_name": "SanDisk" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 1.8, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-121 Stack-based Buffer Overflow" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://nvd.nist.gov/vuln/detail/CVE-2022-23006", + "refsource": "MISC", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23006" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Your device will be automatically updated to the latest firmware version." + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:29.478Z" + }, + "references": [ + { + "name": "Test (7229/24750) [3479/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23006" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", + "assignerShortName": "WDC PSIRT", + "cveId": "CVE-2022-23006", + "datePublished": "2022-09-27T13:53:29", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:29.478Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "NGINX Controller API Management", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "3.18.0-3.19.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the \"user\" or \"admin\" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-94", + "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:19", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K57735782" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23008", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "NGINX Controller API Management", + "version": { + "version_data": [ + { + "version_value": "3.18.0-3.19.0" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the \"user\" or \"admin\" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-94: Improper Control of Generation of Code ('Code Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K57735782", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K57735782" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:29.827Z" + }, + "references": [ + { + "name": "Test (7230/24750) [3480/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23008" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23008", + "datePublished": "2022-01-25T19:11:19", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:29.827Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IQ Centralized Management", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "8.x before 8.1.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IQ Centralized Management 8.x before 8.1.0, an authenticated administrative role user on a BIG-IQ managed BIG-IP device can access other BIG-IP devices managed by the same BIG-IQ system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-863", + "description": "CWE-863: Incorrect Authorization", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:18", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K47592780" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23009", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IQ Centralized Management", + "version": { + "version_data": [ + { + "version_value": "8.x before 8.1.0" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IQ Centralized Management 8.x before 8.1.0, an authenticated administrative role user on a BIG-IQ managed BIG-IP device can access other BIG-IP devices managed by the same BIG-IQ system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-863: Incorrect Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K47592780", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K47592780" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:30.178Z" + }, + "references": [ + { + "name": "Test (7231/24750) [3481/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23009" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23009", + "datePublished": "2022-01-25T19:11:18", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:30.178Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP versions 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile and an HTTP profile are configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-404", + "description": "CWE-404: Improper Resource Shutdown or Release", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:19", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K34360320" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23010", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP versions 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile and an HTTP profile are configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-404: Improper Resource Shutdown or Release" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K34360320", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K34360320" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:30.539Z" + }, + "references": [ + { + "name": "Test (7232/24750) [3482/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23010" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23010", + "datePublished": "2022-01-25T19:11:19", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:30.539Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "15.1.x before 15.1.4 and 14.1.x before 14.1.3" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On certain hardware BIG-IP platforms, in version 15.1.x before 15.1.4 and 14.1.x before 14.1.3, virtual servers may stop responding while processing TCP traffic due to an issue in the SYN Cookie Protection feature. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-682", + "description": "CWE-682: Incorrect Calculation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:20", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K68755210" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23011", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "15.1.x before 15.1.4 and 14.1.x before 14.1.3" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On certain hardware BIG-IP platforms, in version 15.1.x before 15.1.4 and 14.1.x before 14.1.3, virtual servers may stop responding while processing TCP traffic due to an issue in the SYN Cookie Protection feature. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-682: Incorrect Calculation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K68755210", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K68755210" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:30.852Z" + }, + "references": [ + { + "name": "Test (7233/24750) [3483/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23011" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23011", + "datePublished": "2022-01-25T19:11:20", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:30.852Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "15.1.x before 15.1.4.1 and 14.1.x before 14.1.4.5" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP versions 15.1.x before 15.1.4.1 and 14.1.x before 14.1.4.5, when the HTTP/2 profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-415", + "description": "CWE-415: Double Free", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:23", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K26310765" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23012", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "15.1.x before 15.1.4.1 and 14.1.x before 14.1.4.5" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP versions 15.1.x before 15.1.4.1 and 14.1.x before 14.1.4.5, when the HTTP/2 profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-415: Double Free" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K26310765", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K26310765" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:31.171Z" + }, + "references": [ + { + "name": "Test (7234/24750) [3484/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23012" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23012", + "datePublished": "2022-01-25T19:11:23", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:31.171Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP DNS & GTM", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP DNS & GTM version 16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:24", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K29500533" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23013", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP DNS & GTM", + "version": { + "version_data": [ + { + "version_value": "16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP DNS & GTM version 16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K29500533", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K29500533" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:31.516Z" + }, + "references": [ + { + "name": "Test (7235/24750) [3485/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23013" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23013", + "datePublished": "2022-01-25T19:11:24", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:31.516Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP APM", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.1.x before 16.1.2 and 15.1.x before 15.1.4.1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP APM portal access is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-20", + "description": "CWE-20: Improper Input Validation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:21", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K93526903" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23014", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP APM", + "version": { + "version_data": [ + { + "version_value": "16.1.x before 16.1.2 and 15.1.x before 15.1.4.1" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP APM portal access is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20: Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K93526903", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K93526903" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:31.832Z" + }, + "references": [ + { + "name": "Test (7236/24750) [3486/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23014" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23014", + "datePublished": "2022-01-25T19:11:21", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:31.832Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.x before 16.1.0, 15.1.x before 15.1.4.1, and 14.1.2.6-14.1.4.4" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP versions 16.x before 16.1.0, 15.1.x before 15.1.4.1, and 14.1.2.6-14.1.4.4, when a Client SSL profile is configured on a virtual server with Client Certificate Authentication set to request/require and Session Ticket enabled and configured, processing SSL traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-400", + "description": "CWE-400: Uncontrolled Resource Consumption", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:22", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K08476614" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23015", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "16.x before 16.1.0, 15.1.x before 15.1.4.1, and 14.1.2.6-14.1.4.4" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP versions 16.x before 16.1.0, 15.1.x before 15.1.4.1, and 14.1.2.6-14.1.4.4, when a Client SSL profile is configured on a virtual server with Client Certificate Authentication set to request/require and Session Ticket enabled and configured, processing SSL traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-400: Uncontrolled Resource Consumption" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K08476614", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K08476614" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:32.275Z" + }, + "references": [ + { + "name": "Test (7237/24750) [3487/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23015" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23015", + "datePublished": "2022-01-25T19:11:22", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:32.275Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.1.x before 16.1.2 and 15.1.x before 15.1.4.1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP SSL Forward Proxy with TLS 1.3 is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-476", + "description": "CWE-476: NULL Pointer Dereference", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:22", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K91013510" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23016", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "16.1.x before 16.1.2 and 15.1.x before 15.1.4.1" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP SSL Forward Proxy with TLS 1.3 is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-476: NULL Pointer Dereference" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K91013510", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K91013510" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:32.588Z" + }, + "references": [ + { + "name": "Test (7238/24750) [3488/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23016" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23016", + "datePublished": "2022-01-25T19:11:22", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:32.588Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when a virtual server is configured with a DNS profile with the Rapid Response Mode setting enabled and is configured on a BIG-IP system, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-476", + "description": "CWE-476: NULL Pointer Dereference", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:25", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K28042514" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23017", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when a virtual server is configured with a DNS profile with the Rapid Response Mode setting enabled and is configured on a BIG-IP system, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-476: NULL Pointer Dereference" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K28042514", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K28042514" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:32.893Z" + }, + "references": [ + { + "name": "Test (7239/24750) [3489/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23017" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23017", + "datePublished": "2022-01-25T19:11:25", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:32.893Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP AFM", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and 13.1.x beginning in 13.1.3.4" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP AFM version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and 13.1.x beginning in 13.1.3.4, when a virtual server is configured with both HTTP protocol security and HTTP Proxy Connect profiles, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-755", + "description": "CWE-755: Improper Handling of Exceptional Conditions", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:25", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K24358905" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23018", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP AFM", + "version": { + "version_data": [ + { + "version_value": "16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and 13.1.x beginning in 13.1.3.4" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP AFM version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and 13.1.x beginning in 13.1.3.4, when a virtual server is configured with both HTTP protocol security and HTTP Proxy Connect profiles, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-755: Improper Handling of Exceptional Conditions" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K24358905", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K24358905" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:33.197Z" + }, + "references": [ + { + "name": "Test (7240/24750) [3490/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23018" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23018", + "datePublished": "2022-01-25T19:11:25", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:33.197Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x and 12.1.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x and 12.1.x, when a message routing type virtual server is configured with both Diameter Session and Router Profiles, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-20", + "description": "CWE-20: Improper Input Validation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:31", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K82793463" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23019", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x and 12.1.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x and 12.1.x, when a message routing type virtual server is configured with both Diameter Session and Router Profiles, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20: Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K82793463", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K82793463" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:33.526Z" + }, + "references": [ + { + "name": "Test (7241/24750) [3491/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23019" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23019", + "datePublished": "2022-01-25T19:11:31", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:33.526Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.1.x before 16.1.2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP version 16.1.x before 16.1.2, when the 'Respond on Error' setting is enabled on the Request Logging profile and configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-476", + "description": "CWE-476: NULL Pointer Dereference", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:30", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K17514331" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23020", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "16.1.x before 16.1.2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP version 16.1.x before 16.1.2, when the 'Respond on Error' setting is enabled on the Request Logging profile and configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-476: NULL Pointer Dereference" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K17514331", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K17514331" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:33.852Z" + }, + "references": [ + { + "name": "Test (7242/24750) [3492/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23020" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23020", + "datePublished": "2022-01-25T19:11:30", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:33.852Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.1.x before 16.1.2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP version 16.1.x before 16.1.2, when any of the following configurations are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate: HTTP redirect rule in an LTM policy, BIG-IP APM Access Profile, and Explicit HTTP Proxy in HTTP Profile. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-476", + "description": "CWE-476: NULL Pointer Dereference", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:31", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K57111075" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23021", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "16.1.x before 16.1.2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP version 16.1.x before 16.1.2, when any of the following configurations are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate: HTTP redirect rule in an LTM policy, BIG-IP APM Access Profile, and Explicit HTTP Proxy in HTTP Profile. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-476: NULL Pointer Dereference" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K57111075", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K57111075" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:34.208Z" + }, + "references": [ + { + "name": "Test (7243/24750) [3493/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23021" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23021", + "datePublished": "2022-01-25T19:11:31", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:34.208Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.1.x before 16.1.2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP version 16.1.x before 16.1.2, when an HTTP profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-476", + "description": "CWE-476: NULL Pointer Dereference", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:27", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K96924184" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23022", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "16.1.x before 16.1.2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP version 16.1.x before 16.1.2, when an HTTP profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-476: NULL Pointer Dereference" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K96924184", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K96924184" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:34.521Z" + }, + "references": [ + { + "name": "Test (7244/24750) [3494/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23022" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23022", + "datePublished": "2022-01-25T19:11:27", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:34.521Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP & BIG-IQ", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, and BIG-IQ all versions of 8.x and 7.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, and BIG-IQ all versions of 8.x and 7.x, undisclosed requests by an authenticated iControl REST user can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-400", + "description": "CWE-400: Uncontrolled Resource Consumption", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:28", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K11742742" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23023", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP & BIG-IQ", + "version": { + "version_data": [ + { + "version_value": "BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, and BIG-IQ all versions of 8.x and 7.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, and BIG-IQ all versions of 8.x and 7.x, undisclosed requests by an authenticated iControl REST user can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-400: Uncontrolled Resource Consumption" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K11742742", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K11742742" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:34.827Z" + }, + "references": [ + { + "name": "Test (7245/24750) [3495/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23023" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23023", + "datePublished": "2022-01-25T19:11:28", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:34.827Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP AFM", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.2, and all versions of 13.1.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP AFM version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.2, and all versions of 13.1.x, when the IPsec application layer gateway (ALG) logging profile is configured on an IPsec ALG virtual server, undisclosed IPsec traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-400", + "description": "CWE-400: Uncontrolled Resource Consumption", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:28", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K54892865" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23024", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP AFM", + "version": { + "version_data": [ + { + "version_value": "16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.2, and all versions of 13.1.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP AFM version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.2, and all versions of 13.1.x, when the IPsec application layer gateway (ALG) logging profile is configured on an IPsec ALG virtual server, undisclosed IPsec traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-400: Uncontrolled Resource Consumption" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K54892865", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K54892865" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:35.141Z" + }, + "references": [ + { + "name": "Test (7246/24750) [3496/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23024" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23024", + "datePublished": "2022-01-25T19:11:28", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:35.141Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.1.x before 16.1.1, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP version 16.1.x before 16.1.1, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, when a SIP ALG profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-476", + "description": "CWE-476: NULL Pointer Dereference", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:29", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K44110411" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23025", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "16.1.x before 16.1.1, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP version 16.1.x before 16.1.1, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, when a SIP ALG profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-476: NULL Pointer Dereference" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K44110411", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K44110411" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:35.480Z" + }, + "references": [ + { + "name": "Test (7247/24750) [3497/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23025" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23025", + "datePublished": "2022-01-25T19:11:29", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:35.480Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP ASM & Advanced WAF", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, an authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST endpoint causing an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-434", + "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:26", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K08402414" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23026", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP ASM & Advanced WAF", + "version": { + "version_data": [ + { + "version_value": "16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, an authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST endpoint causing an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-434: Unrestricted Upload of File with Dangerous Type" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K08402414", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K08402414" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:35.804Z" + }, + "references": [ + { + "name": "Test (7248/24750) [3498/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23026" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23026", + "datePublished": "2022-01-25T19:11:26", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:35.804Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "15.1.x before 15.1.4, 14.1.x before 14.1.4.4, 13.1.x beginning in 13.1.3.6, 12.1.5.3-12.1.6, and 11.6.5.2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP versions 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, 13.1.x beginning in 13.1.3.6, 12.1.5.3-12.1.6, and 11.6.5.2, when a FastL4 profile and an HTTP, FIX, and/or hash persistence profile are configured on the same virtual server, undisclosed requests can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-697", + "description": "CWE-697: Incorrect Comparison", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:32", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K30573026" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23027", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "15.1.x before 15.1.4, 14.1.x before 14.1.4.4, 13.1.x beginning in 13.1.3.6, 12.1.5.3-12.1.6, and 11.6.5.2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP versions 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, 13.1.x beginning in 13.1.3.6, 12.1.5.3-12.1.6, and 11.6.5.2, when a FastL4 profile and an HTTP, FIX, and/or hash persistence profile are configured on the same virtual server, undisclosed requests can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-697: Incorrect Comparison" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K30573026", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K30573026" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:36.124Z" + }, + "references": [ + { + "name": "Test (7249/24750) [3499/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23027" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23027", + "datePublished": "2022-01-25T19:11:32", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:36.124Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP AFM", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.x before 16.1.0, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP AFM version 16.x before 16.1.0, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when global AFM SYN cookie protection (TCP Half Open flood vector) is activated in the AFM Device Dos or DOS profile, certain types of TCP connections will fail. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-682", + "description": "CWE-682: Incorrect Calculation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:35", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K16101409" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23028", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP AFM", + "version": { + "version_data": [ + { + "version_value": "16.x before 16.1.0, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP AFM version 16.x before 16.1.0, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when global AFM SYN cookie protection (TCP Half Open flood vector) is activated in the AFM Device Dos or DOS profile, certain types of TCP connections will fail. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-682: Incorrect Calculation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K16101409", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K16101409" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:36.428Z" + }, + "references": [ + { + "name": "Test (7250/24750) [3500/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23028" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23028", + "datePublished": "2022-01-25T19:11:35", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:36.428Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-367", + "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:36", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K50343028" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23029", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K50343028", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K50343028" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:36.731Z" + }, + "references": [ + { + "name": "Test (7251/24750) [3501/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23029" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23029", + "datePublished": "2022-01-25T19:11:36", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:36.731Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when the BIG-IP Virtual Edition (VE) uses the ixlv driver (which is used in SR-IOV mode and requires Intel X710/XL710/XXV710 family of network adapters on the Hypervisor) and TCP Segmentation Offload configuration is enabled, undisclosed requests may cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-400", + "description": "CWE-400: Uncontrolled Resource Consumption", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:34", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K53442005" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23030", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP", + "version": { + "version_data": [ + { + "version_value": "16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when the BIG-IP Virtual Edition (VE) uses the ixlv driver (which is used in SR-IOV mode and requires Intel X710/XL710/XXV710 family of network adapters on the Hypervisor) and TCP Segmentation Offload configuration is enabled, undisclosed requests may cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-400: Uncontrolled Resource Consumption" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K53442005", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K53442005" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:37.076Z" + }, + "references": [ + { + "name": "Test (7252/24750) [3502/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23030" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23030", + "datePublished": "2022-01-25T19:11:34", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:37.076Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP FPS, ASM, and Advanced WAF", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-611", + "description": "CWE-611: Improper Restriction of XML External Entity Reference", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:33", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K61112120" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23031", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP FPS, ASM, and Advanced WAF", + "version": { + "version_data": [ + { + "version_value": "16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-611: Improper Restriction of XML External Entity Reference" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K61112120", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K61112120" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:38.564Z" + }, + "references": [ + { + "name": "Test (7253/24750) [3503/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23031" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23031", + "datePublished": "2022-01-25T19:11:33", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:38.564Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "BIG-IP Edge Client for Mac and Windows", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "All versions before 7.2.1.4" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "In all versions before 7.2.1.4, when proxy settings are configured in the network access resource of a BIG-IP APM system, connecting BIG-IP Edge Client on Mac and Windows is vulnerable to a DNS rebinding attack. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-346", + "description": "CWE-346: Origin Validation Error", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T19:11:34", + "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "shortName": "f5" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.f5.com/csp/article/K30525503" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "f5sirt@f5.com", + "ID": "CVE-2022-23032", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "BIG-IP Edge Client for Mac and Windows", + "version": { + "version_data": [ + { + "version_value": "All versions before 7.2.1.4" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In all versions before 7.2.1.4, when proxy settings are configured in the network access resource of a BIG-IP APM system, connecting BIG-IP Edge Client on Mac and Windows is vulnerable to a DNS rebinding attack. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-346: Origin Validation Error" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.f5.com/csp/article/K30525503", + "refsource": "MISC", + "url": "https://support.f5.com/csp/article/K30525503" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:39.588Z" + }, + "references": [ + { + "name": "Test (7254/24750) [3504/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23032" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", + "assignerShortName": "f5", + "cveId": "CVE-2022-23032", + "datePublished": "2022-01-25T19:11:34", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:39.588Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "xen", + "vendor": "Xen", + "versions": [ + { + "status": "unknown", + "version": "consult Xen advisory XSA-393" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Dmytro Firsov of EPAM.'}]}}}" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes." + } + ], + "metrics": [ + { + "other": { + "content": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A malicious guest may be able to access Xen and other domains' memory.\nThis could cause information leaks, host or domain Denial of Service\n(DoS), and privilege escalations." + } + ] + } + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "unknown", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-14T20:08:37", + "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "shortName": "XEN" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://xenbits.xenproject.org/xsa/advisory-393.txt" + }, + { + "name": "[oss-security] 20220125 Xen Security Advisory 393 v2 (CVE-2022-23033) - arm: guest_physmap_remove_page not removing the p2m mappings", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/25/2" + }, + { + "name": "FEDORA-2022-0cc3916e08", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/" + }, + { + "name": "DSA-5117", + "tags": [ + "vendor-advisory", + "x_refsource_DEBIAN" + ], + "url": "https://www.debian.org/security/2022/dsa-5117" + }, + { + "name": "GLSA-202208-23", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202208-23" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@xen.org", + "ID": "CVE-2022-23033", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "xen", + "version": { + "version_data": [ + { + "version_affected": "?", + "version_value": "consult Xen advisory XSA-393" + } + ] + } + } + ] + }, + "vendor_name": "Xen" + } + ] + } + }, + "configuration": { + "configuration_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Xen version 4.12 and newer are vulnerable. Only Arm systems are\nvulnerable.\n\nx86 systems are not vulnerable." + } + ] + } + } + }, + "credit": { + "credit_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was discovered by Dmytro Firsov of EPAM." + } + ] + } + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes." + } + ] + }, + "impact": { + "impact_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A malicious guest may be able to access Xen and other domains' memory.\nThis could cause information leaks, host or domain Denial of Service\n(DoS), and privilege escalations." + } + ] + } + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "unknown" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://xenbits.xenproject.org/xsa/advisory-393.txt", + "refsource": "MISC", + "url": "https://xenbits.xenproject.org/xsa/advisory-393.txt" + }, + { + "name": "[oss-security] 20220125 Xen Security Advisory 393 v2 (CVE-2022-23033) - arm: guest_physmap_remove_page not removing the p2m mappings", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/25/2" + }, + { + "name": "FEDORA-2022-0cc3916e08", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/" + }, + { + "name": "DSA-5117", + "refsource": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5117" + }, + { + "name": "GLSA-202208-23", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202208-23" + } + ] + }, + "workaround": { + "workaround_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is no known mitigation." + } + ] + } + } + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:40.827Z" + }, + "references": [ + { + "name": "Test (7255/24750) [3505/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23033" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "assignerShortName": "XEN", + "cveId": "CVE-2022-23033", + "datePublished": "2022-01-25T13:36:25", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:40.827Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "xen", + "vendor": "Xen", + "versions": [ + { + "status": "unknown", + "version": "consult Xen advisory XSA-394" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Julien Grall of Amazon.'}]}}}" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check." + } + ], + "metrics": [ + { + "other": { + "content": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Malicious guest kernels may be able to mount a Denial of Service (DoS)\nattack affecting the entire system." + } + ] + } + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "unknown", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-14T20:09:01", + "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "shortName": "XEN" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://xenbits.xenproject.org/xsa/advisory-394.txt" + }, + { + "name": "[oss-security] 20220125 Xen Security Advisory 394 v3 (CVE-2022-23034) - A PV guest could DoS Xen while unmapping a grant", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/25/3" + }, + { + "name": "FEDORA-2022-0cc3916e08", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/" + }, + { + "name": "DSA-5117", + "tags": [ + "vendor-advisory", + "x_refsource_DEBIAN" + ], + "url": "https://www.debian.org/security/2022/dsa-5117" + }, + { + "name": "GLSA-202208-23", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202208-23" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@xen.org", + "ID": "CVE-2022-23034", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "xen", + "version": { + "version_data": [ + { + "version_affected": "?", + "version_value": "consult Xen advisory XSA-394" + } + ] + } + } + ] + }, + "vendor_name": "Xen" + } + ] + } + }, + "configuration": { + "configuration_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "All Xen versions from at least 3.2 onwards are vulnerable in principle,\nif they have the XSA-380 fixes applied.\n\nOnly x86 systems are vulnerable. Arm systems are not vulnerable.\n\nOnly x86 PV guests with access to PCI devices can leverage the\nvulnerability. x86 HVM and PVH guests, as well as PV guests without\naccess to PCI devices, cannot leverage the vulnerability.\n\nAdditionally from Xen 4.13 onwards x86 PV guests can leverage this\nvulnerability only when being granted access to pages owned by another\ndomain." + } + ] + } + } + }, + "credit": { + "credit_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was discovered by Julien Grall of Amazon." + } + ] + } + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check." + } + ] + }, + "impact": { + "impact_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Malicious guest kernels may be able to mount a Denial of Service (DoS)\nattack affecting the entire system." + } + ] + } + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "unknown" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://xenbits.xenproject.org/xsa/advisory-394.txt", + "refsource": "MISC", + "url": "https://xenbits.xenproject.org/xsa/advisory-394.txt" + }, + { + "name": "[oss-security] 20220125 Xen Security Advisory 394 v3 (CVE-2022-23034) - A PV guest could DoS Xen while unmapping a grant", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/25/3" + }, + { + "name": "FEDORA-2022-0cc3916e08", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/" + }, + { + "name": "DSA-5117", + "refsource": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5117" + }, + { + "name": "GLSA-202208-23", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202208-23" + } + ] + }, + "workaround": { + "workaround_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Not running PV guests will avoid the vulnerability.\n\nFor Xen 4.12 and older not passing through PCI devices to PV guests will\navoid the vulnerability.\n\nFor Xen 4.13 and newer not enabling PCI device pass-through for PV\nguests will avoid the vulnerability. This can be achieved via omitting\nany \"passthrough=...\" and \"pci=...\" settings from xl guest configuration\nfiles, or by setting \"passthrough=disabled\" there.\n\n- From Xen 4.13 onwards, XSM SILO can be available as a security policy\ndesigned to permit guests to only be able to communicate with Dom0.\nDom0 does not normally offer its pages for guests to map, which means\nthe use of SILO mode normally mitigates the vulnerability." + } + ] + } + } + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:41.472Z" + }, + "references": [ + { + "name": "Test (7256/24750) [3506/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23034" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "assignerShortName": "XEN", + "cveId": "CVE-2022-23034", + "datePublished": "2022-01-25T13:43:08", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:41.472Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "xen", + "vendor": "Xen", + "versions": [ + { + "status": "unknown", + "version": "consult Xen advisory XSA-395" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Julien Grall of Amazon.'}]}}}" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid." + } + ], + "metrics": [ + { + "other": { + "content": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The precise impact is system specific, but would typically be a Denial\nof Service (DoS) affecting the entire host. Privilege escalation and\ninformation leaks cannot be ruled out." + } + ] + } + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "unknown", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-14T20:07:16", + "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "shortName": "XEN" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://xenbits.xenproject.org/xsa/advisory-395.txt" + }, + { + "name": "[oss-security] 20220125 Xen Security Advisory 395 v2 (CVE-2022-23035) - Insufficient cleanup of passed-through device IRQs", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/25/4" + }, + { + "name": "FEDORA-2022-0cc3916e08", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/" + }, + { + "name": "DSA-5117", + "tags": [ + "vendor-advisory", + "x_refsource_DEBIAN" + ], + "url": "https://www.debian.org/security/2022/dsa-5117" + }, + { + "name": "GLSA-202208-23", + "tags": [ + "vendor-advisory", + "x_refsource_GENTOO" + ], + "url": "https://security.gentoo.org/glsa/202208-23" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@xen.org", + "ID": "CVE-2022-23035", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "xen", + "version": { + "version_data": [ + { + "version_affected": "?", + "version_value": "consult Xen advisory XSA-395" + } + ] + } + } + ] + }, + "vendor_name": "Xen" + } + ] + } + }, + "configuration": { + "configuration_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Xen versions 4.6 and later are vulnerable. Xen versions 4.5 and earlier\nare not vulnerable.\n\nOnly x86 HVM guests with one or more passed-through physical devices\nusing (together) multiple physical interupts can leverage the\nvulnerability. x86 PV guests cannot leverage the vulnerability. x86\nHVM guests without passed-through devices or with a passed-through\ndevice using just a single physical interrupt also cannot leverage the\nvulnerability. Device pass-through is unsupported for x86 PVH guests\nand all Arm guests." + } + ] + } + } + }, + "credit": { + "credit_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was discovered by Julien Grall of Amazon." + } + ] + } + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid." + } + ] + }, + "impact": { + "impact_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The precise impact is system specific, but would typically be a Denial\nof Service (DoS) affecting the entire host. Privilege escalation and\ninformation leaks cannot be ruled out." + } + ] + } + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "unknown" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://xenbits.xenproject.org/xsa/advisory-395.txt", + "refsource": "MISC", + "url": "https://xenbits.xenproject.org/xsa/advisory-395.txt" + }, + { + "name": "[oss-security] 20220125 Xen Security Advisory 395 v2 (CVE-2022-23035) - Insufficient cleanup of passed-through device IRQs", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/25/4" + }, + { + "name": "FEDORA-2022-0cc3916e08", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/" + }, + { + "name": "DSA-5117", + "refsource": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5117" + }, + { + "name": "GLSA-202208-23", + "refsource": "GENTOO", + "url": "https://security.gentoo.org/glsa/202208-23" + } + ] + }, + "workaround": { + "workaround_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is no mitigation (other than not passing through to x86 HVM guests\nPCI devices with, overall, more than a single physical interrupt)." + } + ] + } + } + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:41.876Z" + }, + "references": [ + { + "name": "Test (7257/24750) [3507/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23035" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "assignerShortName": "XEN", + "cveId": "CVE-2022-23035", + "datePublished": "2022-01-25T13:46:03", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:41.876Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "unspecified", + "vendor": "unspecified", + "versions": [ + { + "status": "unknown", + "version": "consult Xen advisory XSA-396" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Demi Marie Obenour and Simon Gaiser of\\nInvisible Things Lab.'}]}}}" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ], + "metrics": [ + { + "other": { + "content": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "unknown", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-01T13:06:57", + "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "shortName": "XEN" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@xen.org", + "ID": "CVE-2022-23036", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "", + "version": { + "version_data": [ + { + "version_affected": "?", + "version_value": "consult Xen advisory XSA-396" + } + ] + } + } + ] + }, + "vendor_name": "" + } + ] + } + }, + "configuration": { + "configuration_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "All Linux guests using PV devices are vulnerable in case potentially\nmalicious PV device backends are being used." + } + ] + } + } + }, + "credit": { + "credit_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was discovered by Demi Marie Obenour and Simon Gaiser of\nInvisible Things Lab." + } + ] + } + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ] + }, + "impact": { + "impact_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "unknown" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://xenbits.xenproject.org/xsa/advisory-396.txt", + "refsource": "MISC", + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "refsource": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ] + }, + "workaround": { + "workaround_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious." + } + ] + } + } + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:42.189Z" + }, + "references": [ + { + "name": "Test (7258/24750) [3508/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23036" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "assignerShortName": "XEN", + "cveId": "CVE-2022-23036", + "datePublished": "2022-03-10T19:20:15", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:42.189Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "unspecified", + "vendor": "unspecified", + "versions": [ + { + "status": "unknown", + "version": "consult Xen advisory XSA-396" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Demi Marie Obenour and Simon Gaiser of\\nInvisible Things Lab.'}]}}}" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ], + "metrics": [ + { + "other": { + "content": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "unknown", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-01T13:06:32", + "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "shortName": "XEN" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@xen.org", + "ID": "CVE-2022-23037", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "", + "version": { + "version_data": [ + { + "version_affected": "?", + "version_value": "consult Xen advisory XSA-396" + } + ] + } + } + ] + }, + "vendor_name": "" + } + ] + } + }, + "configuration": { + "configuration_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "All Linux guests using PV devices are vulnerable in case potentially\nmalicious PV device backends are being used." + } + ] + } + } + }, + "credit": { + "credit_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was discovered by Demi Marie Obenour and Simon Gaiser of\nInvisible Things Lab." + } + ] + } + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ] + }, + "impact": { + "impact_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "unknown" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://xenbits.xenproject.org/xsa/advisory-396.txt", + "refsource": "MISC", + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "refsource": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ] + }, + "workaround": { + "workaround_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious." + } + ] + } + } + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:42.533Z" + }, + "references": [ + { + "name": "Test (7259/24750) [3509/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23037" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "assignerShortName": "XEN", + "cveId": "CVE-2022-23037", + "datePublished": "2022-03-10T19:20:16", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:42.533Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "unspecified", + "vendor": "unspecified", + "versions": [ + { + "status": "unknown", + "version": "consult Xen advisory XSA-396" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Demi Marie Obenour and Simon Gaiser of\\nInvisible Things Lab.'}]}}}" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ], + "metrics": [ + { + "other": { + "content": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "unknown", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-01T13:06:59", + "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "shortName": "XEN" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@xen.org", + "ID": "CVE-2022-23038", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "", + "version": { + "version_data": [ + { + "version_affected": "?", + "version_value": "consult Xen advisory XSA-396" + } + ] + } + } + ] + }, + "vendor_name": "" + } + ] + } + }, + "configuration": { + "configuration_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "All Linux guests using PV devices are vulnerable in case potentially\nmalicious PV device backends are being used." + } + ] + } + } + }, + "credit": { + "credit_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was discovered by Demi Marie Obenour and Simon Gaiser of\nInvisible Things Lab." + } + ] + } + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ] + }, + "impact": { + "impact_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "unknown" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://xenbits.xenproject.org/xsa/advisory-396.txt", + "refsource": "MISC", + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "refsource": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ] + }, + "workaround": { + "workaround_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious." + } + ] + } + } + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:42.847Z" + }, + "references": [ + { + "name": "Test (7260/24750) [3510/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23038" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "assignerShortName": "XEN", + "cveId": "CVE-2022-23038", + "datePublished": "2022-03-10T19:20:18", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:42.847Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "unspecified", + "vendor": "unspecified", + "versions": [ + { + "status": "unknown", + "version": "consult Xen advisory XSA-396" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Demi Marie Obenour and Simon Gaiser of\\nInvisible Things Lab.'}]}}}" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ], + "metrics": [ + { + "other": { + "content": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "unknown", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-01T13:06:47", + "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "shortName": "XEN" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@xen.org", + "ID": "CVE-2022-23039", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "", + "version": { + "version_data": [ + { + "version_affected": "?", + "version_value": "consult Xen advisory XSA-396" + } + ] + } + } + ] + }, + "vendor_name": "" + } + ] + } + }, + "configuration": { + "configuration_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "All Linux guests using PV devices are vulnerable in case potentially\nmalicious PV device backends are being used." + } + ] + } + } + }, + "credit": { + "credit_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was discovered by Demi Marie Obenour and Simon Gaiser of\nInvisible Things Lab." + } + ] + } + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ] + }, + "impact": { + "impact_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "unknown" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://xenbits.xenproject.org/xsa/advisory-396.txt", + "refsource": "MISC", + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "refsource": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ] + }, + "workaround": { + "workaround_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious." + } + ] + } + } + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:43.172Z" + }, + "references": [ + { + "name": "Test (7261/24750) [3511/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23039" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "assignerShortName": "XEN", + "cveId": "CVE-2022-23039", + "datePublished": "2022-03-10T19:20:19", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:43.172Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "unspecified", + "vendor": "unspecified", + "versions": [ + { + "status": "unknown", + "version": "consult Xen advisory XSA-396" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Demi Marie Obenour and Simon Gaiser of\\nInvisible Things Lab.'}]}}}" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ], + "metrics": [ + { + "other": { + "content": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "unknown", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-01T13:06:37", + "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "shortName": "XEN" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@xen.org", + "ID": "CVE-2022-23040", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "", + "version": { + "version_data": [ + { + "version_affected": "?", + "version_value": "consult Xen advisory XSA-396" + } + ] + } + } + ] + }, + "vendor_name": "" + } + ] + } + }, + "configuration": { + "configuration_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "All Linux guests using PV devices are vulnerable in case potentially\nmalicious PV device backends are being used." + } + ] + } + } + }, + "credit": { + "credit_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was discovered by Demi Marie Obenour and Simon Gaiser of\nInvisible Things Lab." + } + ] + } + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ] + }, + "impact": { + "impact_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "unknown" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://xenbits.xenproject.org/xsa/advisory-396.txt", + "refsource": "MISC", + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "refsource": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ] + }, + "workaround": { + "workaround_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious." + } + ] + } + } + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:43.519Z" + }, + "references": [ + { + "name": "Test (7262/24750) [3512/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23040" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "assignerShortName": "XEN", + "cveId": "CVE-2022-23040", + "datePublished": "2022-03-10T19:20:21", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:43.519Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "unspecified", + "vendor": "unspecified", + "versions": [ + { + "status": "unknown", + "version": "consult Xen advisory XSA-396" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Demi Marie Obenour and Simon Gaiser of\\nInvisible Things Lab.'}]}}}" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ], + "metrics": [ + { + "other": { + "content": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "unknown", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-01T13:06:34", + "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "shortName": "XEN" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@xen.org", + "ID": "CVE-2022-23041", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "", + "version": { + "version_data": [ + { + "version_affected": "?", + "version_value": "consult Xen advisory XSA-396" + } + ] + } + } + ] + }, + "vendor_name": "" + } + ] + } + }, + "configuration": { + "configuration_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "All Linux guests using PV devices are vulnerable in case potentially\nmalicious PV device backends are being used." + } + ] + } + } + }, + "credit": { + "credit_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was discovered by Demi Marie Obenour and Simon Gaiser of\nInvisible Things Lab." + } + ] + } + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ] + }, + "impact": { + "impact_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "unknown" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://xenbits.xenproject.org/xsa/advisory-396.txt", + "refsource": "MISC", + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "refsource": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ] + }, + "workaround": { + "workaround_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious." + } + ] + } + } + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:43.826Z" + }, + "references": [ + { + "name": "Test (7263/24750) [3513/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23041" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "assignerShortName": "XEN", + "cveId": "CVE-2022-23041", + "datePublished": "2022-03-10T19:20:22", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:43.826Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "unspecified", + "vendor": "unspecified", + "versions": [ + { + "status": "unknown", + "version": "consult Xen advisory XSA-396" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Demi Marie Obenour and Simon Gaiser of\\nInvisible Things Lab.'}]}}}" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ], + "metrics": [ + { + "other": { + "content": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "unknown", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-01T13:06:43", + "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "shortName": "XEN" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@xen.org", + "ID": "CVE-2022-23042", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "", + "version": { + "version_data": [ + { + "version_affected": "?", + "version_value": "consult Xen advisory XSA-396" + } + ] + } + } + ] + }, + "vendor_name": "" + } + ] + } + }, + "configuration": { + "configuration_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "All Linux guests using PV devices are vulnerable in case potentially\nmalicious PV device backends are being used." + } + ] + } + } + }, + "credit": { + "credit_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "This issue was discovered by Demi Marie Obenour and Simon Gaiser of\nInvisible Things Lab." + } + ] + } + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" + } + ] + }, + "impact": { + "impact_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn't have, or it could directly\ntrigger Denial of Service (DoS) in the guest." + } + ] + } + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "unknown" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://xenbits.xenproject.org/xsa/advisory-396.txt", + "refsource": "MISC", + "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" + }, + { + "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", + "refsource": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" + } + ] + }, + "workaround": { + "workaround_data": { + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious." + } + ] + } + } + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:44.245Z" + }, + "references": [ + { + "name": "Test (7264/24750) [3514/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23042" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", + "assignerShortName": "XEN", + "cveId": "CVE-2022-23042", + "datePublished": "2022-03-10T19:20:24", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:44.245Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Zenario CMS", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "9.2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Insecure file upload (RCE)", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-22T18:21:02", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/simone/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/TribalSystems/Zenario/releases/tag/9.2.55826" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-23043", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Zenario CMS", + "version": { + "version_data": [ + { + "version_value": "9.2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Insecure file upload (RCE)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fluidattacks.com/advisories/simone/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/simone/" + }, + { + "name": "https://github.com/TribalSystems/Zenario/releases/tag/9.2.55826", + "refsource": "MISC", + "url": "https://github.com/TribalSystems/Zenario/releases/tag/9.2.55826" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:44.596Z" + }, + "references": [ + { + "name": "Test (7265/24750) [3515/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23043" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-23043", + "datePublished": "2022-02-22T18:21:02", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:44.596Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23044", + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "dateUpdated": "2024-06-03T14:56:44.899Z", + "dateReserved": "2022-01-10T00:00:00", + "datePublished": "2022-11-25T00:00:00" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unaffected", + "product": "Tiny File Manager", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "2.4.8" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.

" + } + ], + "value": "Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.\n\n\n" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote command execution", + "lang": "en" + } + ] + } + ], + "providerMetadata": { + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks", + "dateUpdated": "2022-12-05T11:42:19.302Z" + }, + "references": [ + { + "url": "https://github.com/prasathmani/tinyfilemanager/" + }, + { + "url": "https://fluidattacks.com/advisories/mosey/" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:44.899Z" + }, + "references": [ + { + "name": "Test (7266/24750) [3516/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23044" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "PhpIPAM", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "1.4.4" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the \"Site title\" parameter while updating the site settings. The \"Site title\" setting is injected in several locations which triggers the XSS." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Stored cross-site scripting (XSS)", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-19T20:38:57", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/osbourne/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-23045", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "PhpIPAM", + "version": { + "version_data": [ + { + "version_value": "1.4.4" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the \"Site title\" parameter while updating the site settings. The \"Site title\" setting is injected in several locations which triggers the XSS." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Stored cross-site scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5", + "refsource": "MISC", + "url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5" + }, + { + "name": "https://fluidattacks.com/advisories/osbourne/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/osbourne/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:45.260Z" + }, + "references": [ + { + "name": "Test (7267/24750) [3517/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23045" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-23045", + "datePublished": "2022-01-19T20:38:57", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:45.260Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "PhpIPAM", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "1.4.4" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the \"subnet\" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "SQL injection", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-25T17:06:11", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/mercury/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-23046", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "PhpIPAM", + "version": { + "version_data": [ + { + "version_value": "1.4.4" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the \"subnet\" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "SQL injection" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fluidattacks.com/advisories/mercury/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/mercury/" + }, + { + "name": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5", + "refsource": "MISC", + "url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5" + }, + { + "name": "http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:45.591Z" + }, + "references": [ + { + "name": "Test (7268/24750) [3518/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23046" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-23046", + "datePublished": "2022-01-19T20:38:56", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:45.591Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Exponent CMS", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "v2.6.0patch2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the \"Site/Organization Name\",\"Site Title\" and \"Site Header\" parameters while updating the site settings on \"/exponentcms/administration/configure_site\"" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Stored cross-site scripting (XSS)", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-09T22:03:57", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/franklin/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://exponentcms.lighthouseapp.com/projects/61783/tickets/1459" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/exponentcms/exponent-cms/issues/1546" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-23047", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Exponent CMS", + "version": { + "version_data": [ + { + "version_value": "v2.6.0patch2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the \"Site/Organization Name\",\"Site Title\" and \"Site Header\" parameters while updating the site settings on \"/exponentcms/administration/configure_site\"" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Stored cross-site scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fluidattacks.com/advisories/franklin/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/franklin/" + }, + { + "name": "https://exponentcms.lighthouseapp.com/projects/61783/tickets/1459", + "refsource": "MISC", + "url": "https://exponentcms.lighthouseapp.com/projects/61783/tickets/1459" + }, + { + "name": "https://github.com/exponentcms/exponent-cms/issues/1546", + "refsource": "MISC", + "url": "https://github.com/exponentcms/exponent-cms/issues/1546" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:45.960Z" + }, + "references": [ + { + "name": "Test (7269/24750) [3519/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23047" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-23047", + "datePublished": "2022-02-09T22:03:57", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:45.960Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Exponent CMS", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "v2.6.0patch2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at \"themes/simpletheme/{rce}.php\" from where can be accessed in order to execute commands." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Insecure file upload (RCE)", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-09T22:03:58", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/exponentcms/exponent-cms/issues/1546" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/dylan/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://exponentcms.lighthouseapp.com/projects/61783/tickets/1460" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-23048", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Exponent CMS", + "version": { + "version_data": [ + { + "version_value": "v2.6.0patch2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at \"themes/simpletheme/{rce}.php\" from where can be accessed in order to execute commands." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Insecure file upload (RCE)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/exponentcms/exponent-cms/issues/1546", + "refsource": "MISC", + "url": "https://github.com/exponentcms/exponent-cms/issues/1546" + }, + { + "name": "https://fluidattacks.com/advisories/dylan/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/dylan/" + }, + { + "name": "https://exponentcms.lighthouseapp.com/projects/61783/tickets/1460", + "refsource": "MISC", + "url": "https://exponentcms.lighthouseapp.com/projects/61783/tickets/1460" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:46.324Z" + }, + "references": [ + { + "name": "Test (7270/24750) [3520/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23048" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-23048", + "datePublished": "2022-02-09T22:03:58", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:46.324Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Exponent CMS", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "v2.6.0patch2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the \"User-Agent\" header when logging in. When an administrator user visits the \"User Sessions\" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Stored cross-site scripting (XSS)", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-09T22:03:59", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/exponentcms/exponent-cms/issues/1546" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/cobain/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://exponentcms.lighthouseapp.com/projects/61783/tickets/1461" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-23049", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Exponent CMS", + "version": { + "version_data": [ + { + "version_value": "v2.6.0patch2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the \"User-Agent\" header when logging in. When an administrator user visits the \"User Sessions\" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Stored cross-site scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/exponentcms/exponent-cms/issues/1546", + "refsource": "MISC", + "url": "https://github.com/exponentcms/exponent-cms/issues/1546" + }, + { + "name": "https://fluidattacks.com/advisories/cobain/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/cobain/" + }, + { + "name": "https://exponentcms.lighthouseapp.com/projects/61783/tickets/1461", + "refsource": "MISC", + "url": "https://exponentcms.lighthouseapp.com/projects/61783/tickets/1461" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:46.661Z" + }, + "references": [ + { + "name": "Test (7271/24750) [3521/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23049" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-23049", + "datePublished": "2022-02-09T22:03:59", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:46.661Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ManageEngine AppManager15", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Build No:15510" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "DLL Hijacking", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-24T18:02:05", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/cerati/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2022-23050.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-23050", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ManageEngine AppManager15", + "version": { + "version_data": [ + { + "version_value": "Build No:15510" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "DLL Hijacking" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fluidattacks.com/advisories/cerati/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/cerati/" + }, + { + "name": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2022-23050.html", + "refsource": "MISC", + "url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2022-23050.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:46.967Z" + }, + "references": [ + { + "name": "Test (7272/24750) [3522/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23050" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-23050", + "datePublished": "2022-05-24T18:02:05", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:46.967Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "PeTeReport", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "0.5" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code while adding an 'Attack Tree' by modifying the 'svg_file' parameter." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Stored cross-site scripting (XSS)", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-03T21:55:05", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/brown/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/1modm/petereport/issues/36" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-23051", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "PeTeReport", + "version": { + "version_data": [ + { + "version_value": "0.5" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code while adding an 'Attack Tree' by modifying the 'svg_file' parameter." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Stored cross-site scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fluidattacks.com/advisories/brown/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/brown/" + }, + { + "name": "https://github.com/1modm/petereport/issues/36", + "refsource": "MISC", + "url": "https://github.com/1modm/petereport/issues/36" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:47.293Z" + }, + "references": [ + { + "name": "Test (7273/24750) [3523/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23051" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-23051", + "datePublished": "2022-03-03T21:55:05", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:47.293Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "PeTeReport", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "0.5" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "PeteReport Version 0.5 contains a Cross Site Request Forgery (CSRF) vulnerability allowing an attacker to trick users into deleting users, products, reports and findings on the application." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Cross-site request forgery", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-03T21:56:33", + "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "shortName": "Fluid Attacks" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://fluidattacks.com/advisories/jett/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/1modm/petereport/issues/34" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "help@fluidattacks.com", + "ID": "CVE-2022-23052", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "PeTeReport", + "version": { + "version_data": [ + { + "version_value": "0.5" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "PeteReport Version 0.5 contains a Cross Site Request Forgery (CSRF) vulnerability allowing an attacker to trick users into deleting users, products, reports and findings on the application." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-site request forgery" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fluidattacks.com/advisories/jett/", + "refsource": "MISC", + "url": "https://fluidattacks.com/advisories/jett/" + }, + { + "name": "https://github.com/1modm/petereport/issues/34", + "refsource": "MISC", + "url": "https://github.com/1modm/petereport/issues/34" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:47.603Z" + }, + "references": [ + { + "name": "Test (7274/24750) [3524/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23052" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", + "assignerShortName": "Fluid Attacks", + "cveId": "CVE-2022-23052", + "datePublished": "2022-03-03T21:56:33", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:47.603Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "openmct ", + "vendor": "nasa", + "versions": [ + { + "lessThanOrEqual": "1.7.7", + "status": "affected", + "version": "1.7.7", + "versionType": "custom" + }, + { + "lessThan": "1.3.0*", + "status": "affected", + "version": "1.3.0", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Daniel Elkabes" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Condition Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Cross-site Scripting (XSS)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-20T19:00:15", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23053", + "discovery": "UNKNOWN" + }, + "title": "Openmct XSS via the “Condition Widget”", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "ID": "CVE-2022-23053", + "STATE": "PUBLIC", + "TITLE": "Openmct XSS via the “Condition Widget”" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "openmct ", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "1.7.7", + "version_value": "1.7.7" + }, + { + "version_affected": ">=", + "version_name": "1.3.0", + "version_value": "1.3.0" + } + ] + } + } + ] + }, + "vendor_name": "nasa" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Daniel Elkabes" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Condition Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a", + "refsource": "MISC", + "url": "https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a" + } + ] + }, + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23053", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:47.915Z" + }, + "references": [ + { + "name": "Test (7275/24750) [3525/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23053" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23053", + "datePublished": "2022-02-20T19:00:15", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:47.915Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "openmct ", + "vendor": "nasa", + "versions": [ + { + "lessThanOrEqual": "1.7.7", + "status": "affected", + "version": "1.7.7", + "versionType": "custom" + }, + { + "lessThan": "1.3.0*", + "status": "affected", + "version": "1.3.0", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Daniel Elkabes" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Summary Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Cross-site Scripting (XSS)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-20T19:00:17", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23054", + "discovery": "UNKNOWN" + }, + "title": "Openmct XSS via the “Summary Widget” ", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "ID": "CVE-2022-23054", + "STATE": "PUBLIC", + "TITLE": "Openmct XSS via the “Summary Widget” " + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "openmct ", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "1.7.7", + "version_value": "1.7.7" + }, + { + "version_affected": ">=", + "version_name": "1.3.0", + "version_value": "1.3.0" + } + ] + } + } + ] + }, + "vendor_name": "nasa" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Daniel Elkabes" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Summary Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a", + "refsource": "MISC", + "url": "https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a" + } + ] + }, + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23054", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:48.232Z" + }, + "references": [ + { + "name": "Test (7276/24750) [3526/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23054" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23054", + "datePublished": "2022-02-20T19:00:17", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:48.232Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "frappe", + "vendor": "frappe", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "v11.0.3-beta.1", + "versionType": "custom" + }, + { + "lessThanOrEqual": "v13.14.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-03-09T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-862", + "description": "CWE-862 Missing Authorization", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-30T17:56:47", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23055" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to v13.1.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "ERPNext - Improper user access conrol", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "Mar 9, 2022, 12:00:00 AM", + "ID": "CVE-2022-23055", + "STATE": "PUBLIC", + "TITLE": "ERPNext - Improper user access conrol" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "frappe", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "v11.0.3-beta.1" + }, + { + "version_affected": "<=", + "version_value": "v13.14.1" + } + ] + } + } + ] + }, + "vendor_name": "frappe" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862 Missing Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23055", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23055" + }, + { + "name": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134", + "refsource": "MISC", + "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134" + }, + { + "name": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155", + "refsource": "MISC", + "url": "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to v13.1.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:48.559Z" + }, + "references": [ + { + "name": "Test (7277/24750) [3527/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23055" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23055", + "datePublished": "2022-03-09T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:48.559Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "erpnext", + "vendor": "erpnext", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "v13.0.0-beta.13", + "versionType": "custom" + }, + { + "lessThanOrEqual": "v13.30.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-05-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-22T07:25:16", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23056" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "ERPNext - Stored XSS leads to account takover", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "May 17, 2022, 12:00:00 AM", + "ID": "CVE-2022-23056", + "STATE": "PUBLIC", + "TITLE": "ERPNext - Stored XSS leads to account takover" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "erpnext", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "v13.0.0-beta.13" + }, + { + "version_affected": "<=", + "version_value": "v13.30.0" + } + ] + } + } + ] + }, + "vendor_name": "erpnext" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23056", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23056" + }, + { + "name": "https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288", + "refsource": "MISC", + "url": "https://github.com/frappe/erpnext/blob/21a3ea462aaf319e466c067c2ec406eb9abe6ed3/erpnext/healthcare/page/patient_history/patient_history.js#L288" + } + ] + }, + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:48.876Z" + }, + "references": [ + { + "name": "Test (7278/24750) [3528/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23056" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23056", + "datePublished": "2022-05-17T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:48.876Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "frappe", + "vendor": "frappe", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "v12.0.9", + "versionType": "custom" + }, + { + "lessThanOrEqual": "v13.0.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-05-18T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-22T07:25:11", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23057" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to v13.1.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "ERPNext - Stored XSS in My Profile ", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "May 18, 2022, 12:00:00 AM", + "ID": "CVE-2022-23057", + "STATE": "PUBLIC", + "TITLE": "ERPNext - Stored XSS in My Profile " + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "frappe", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "v12.0.9" + }, + { + "version_affected": "<=", + "version_value": "v13.0.3" + } + ] + } + } + ] + }, + "vendor_name": "frappe" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23057", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23057" + }, + { + "name": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7", + "refsource": "MISC", + "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to v13.1.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:49.250Z" + }, + "references": [ + { + "name": "Test (7279/24750) [3529/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23057" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23057", + "datePublished": "2022-05-18T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:49.250Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "frappe", + "vendor": "frappe", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "v12.0.9", + "versionType": "custom" + }, + { + "lessThanOrEqual": "v13.0.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-05-19T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-22T07:30:21", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23058" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to v13.1.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "ERPNext - Stored XSS in My Settings", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "May 19, 2022, 12:00:00 AM", + "ID": "CVE-2022-23058", + "STATE": "PUBLIC", + "TITLE": "ERPNext - Stored XSS in My Settings" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "frappe", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "v12.0.9" + }, + { + "version_affected": "<=", + "version_value": "v13.0.3" + } + ] + } + } + ] + }, + "vendor_name": "frappe" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7", + "refsource": "MISC", + "url": "https://github.com/frappe/frappe/commit/497ea861f481c6a3c52fe2aed9d0df1b6c99e9d7" + }, + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23058", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23058" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to v13.1.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:49.571Z" + }, + "references": [ + { + "name": "Test (7280/24750) [3530/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23058" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23058", + "datePublished": "2022-05-19T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:49.571Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Shopizer", + "vendor": "shopizer-ecommerce", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "2.0", + "versionType": "custom" + }, + { + "lessThanOrEqual": "2.17.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "datePublic": "2022-03-16T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0 via the “Manage Images” tab, which allows an attacker to upload a SVG file containing malicious JavaScript code." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Cross-site Scripting (XSS)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-06T13:30:15", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23059" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to 3.0.0" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Shopizer - Stored XSS in Manage Images", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "2022-03-16T10:43:00.000Z", + "ID": "CVE-2022-23059", + "STATE": "PUBLIC", + "TITLE": "Shopizer - Stored XSS in Manage Images" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Shopizer", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "2.0" + }, + { + "version_affected": "<=", + "version_value": "2.17.0" + } + ] + } + } + ] + }, + "vendor_name": "shopizer-ecommerce" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0 via the “Manage Images” tab, which allows an attacker to upload a SVG file containing malicious JavaScript code." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23059", + "refsource": "MISC", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23059" + }, + { + "name": "https://github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e", + "refsource": "CONFIRM", + "url": "https://github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to 3.0.0" + } + ], + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:49.888Z" + }, + "references": [ + { + "name": "Test (7281/24750) [3531/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23059" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23059", + "datePublished": "2022-03-16T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:49.888Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Shopizer", + "vendor": "shopizer-ecommerce", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "2.0", + "versionType": "custom" + }, + { + "lessThanOrEqual": "2.17.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "datePublic": "2022-04-06T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab" + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Cross-site Scripting (XSS)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-01T12:40:10", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23060" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Upgrade version to 3.0.0 or higher" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Shopizer - Stored XSS in Manage Files", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "2022-04-06T12:22:00.000Z", + "ID": "CVE-2022-23060", + "STATE": "PUBLIC", + "TITLE": "Shopizer - Stored XSS in Manage Files" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Shopizer", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "2.0" + }, + { + "version_affected": "<=", + "version_value": "2.17.0" + } + ] + } + } + ] + }, + "vendor_name": "shopizer-ecommerce" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e", + "refsource": "MISC", + "url": "https://github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e" + }, + { + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23060", + "refsource": "MISC", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23060" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Upgrade version to 3.0.0 or higher" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:50.229Z" + }, + "references": [ + { + "name": "Test (7282/24750) [3532/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23060" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23060", + "datePublished": "2022-04-06T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:50.229Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Shopizer", + "vendor": "shopizer-ecommerce", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "2.0", + "versionType": "custom" + }, + { + "lessThanOrEqual": "2.17.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "datePublic": "2022-04-06T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-639", + "description": "CWE-639 Authorization Bypass Through User-Controlled Key", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-01T12:40:11", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23061" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Upgrade version to 3.0.0 or higher" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Shopizer - IDOR delete superadmin", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "2022-04-06T12:22:00.000Z", + "ID": "CVE-2022-23061", + "STATE": "PUBLIC", + "TITLE": "Shopizer - IDOR delete superadmin" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Shopizer", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "2.0" + }, + { + "version_affected": "<=", + "version_value": "2.17.0" + } + ] + } + } + ] + }, + "vendor_name": "shopizer-ecommerce" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-639 Authorization Bypass Through User-Controlled Key" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e", + "refsource": "MISC", + "url": "https://github.com/shopizer-ecommerce/shopizer/commit/6b9f1ecd303b3b724d96bd08095c1a751dcc287e" + }, + { + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23061", + "refsource": "MISC", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23061" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Upgrade version to 3.0.0 or higher" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:50.595Z" + }, + "references": [ + { + "name": "Test (7283/24750) [3533/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23061" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23061", + "datePublished": "2022-04-06T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:50.595Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Shopizer", + "vendor": "shopizer-ecommerce", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "2.3.0", + "versionType": "custom" + }, + { + "lessThanOrEqual": "3.0.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "datePublic": "2022-05-02T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-613", + "description": "CWE-613 Insufficient Session Expiration", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-03T08:55:09", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/shopizer-ecommerce/shopizer/blob/3.0.1/sm-shop/src/main/java/com/salesmanager/shop/store/api/v1/customer/AuthenticateCustomerApi.java#L213-L237" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23063" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Shopizer - Insufficient Session Expiration", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "2022-05-02T12:07:00.000Z", + "ID": "CVE-2022-23063", + "STATE": "PUBLIC", + "TITLE": "Shopizer - Insufficient Session Expiration" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Shopizer", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "2.3.0" + }, + { + "version_affected": "<=", + "version_value": "3.0.1" + } + ] + } + } + ] + }, + "vendor_name": "shopizer-ecommerce" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-613 Insufficient Session Expiration" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/shopizer-ecommerce/shopizer/blob/3.0.1/sm-shop/src/main/java/com/salesmanager/shop/store/api/v1/customer/AuthenticateCustomerApi.java#L213-L237", + "refsource": "MISC", + "url": "https://github.com/shopizer-ecommerce/shopizer/blob/3.0.1/sm-shop/src/main/java/com/salesmanager/shop/store/api/v1/customer/AuthenticateCustomerApi.java#L213-L237" + }, + { + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23063", + "refsource": "MISC", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23063" + } + ] + }, + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:50.909Z" + }, + "references": [ + { + "name": "Test (7284/24750) [3534/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23063" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23063", + "datePublished": "2022-05-02T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:50.909Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "snipe-it", + "vendor": "snipe", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": " v3.0-alpha", + "versionType": "custom" + }, + { + "lessThanOrEqual": "v5.3.7", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "datePublic": "2022-05-01T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which once clicked lead to an attacker controlled server and thus leading to password reset token leak. This leads to account take over." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-74", + "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-02T12:30:14", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/snipe/snipe-it/commit/0c4768fd2a11ac26a61814cef23a71061bfd8bcc" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23064" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Upgrade version to v5.3.8 or higher" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Snipe-IT - Host Header Injection", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "2022-05-01T12:07:00.000Z", + "ID": "CVE-2022-23064", + "STATE": "PUBLIC", + "TITLE": "Snipe-IT - Host Header Injection" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "snipe-it", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": " v3.0-alpha" + }, + { + "version_affected": "<=", + "version_value": "v5.3.7" + } + ] + } + } + ] + }, + "vendor_name": "snipe" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which once clicked lead to an attacker controlled server and thus leading to password reset token leak. This leads to account take over." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/snipe/snipe-it/commit/0c4768fd2a11ac26a61814cef23a71061bfd8bcc", + "refsource": "MISC", + "url": "https://github.com/snipe/snipe-it/commit/0c4768fd2a11ac26a61814cef23a71061bfd8bcc" + }, + { + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23064", + "refsource": "MISC", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23064" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Upgrade version to v5.3.8 or higher" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:51.257Z" + }, + "references": [ + { + "name": "Test (7285/24750) [3535/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23064" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23064", + "datePublished": "2022-05-01T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:51.257Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "vendure", + "vendor": "vendure-ecommerce", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "0.1.0-alpha.2", + "versionType": "custom" + }, + { + "lessThanOrEqual": "1.5.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "datePublic": "2022-05-02T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by Stored XSS vulnerability, where an attacker having catalog permission can upload a SVG file that contains malicious JavaScript into the “Assets” tab. The uploaded file will affect administrators as well as regular users." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Cross-site Scripting (XSS)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-02T12:30:16", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/vendure-ecommerce/vendure/commit/69a44869112c0a5b836e2ddd3969ea9b533f51f0" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23065" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Upgrade version to 1.5.2 or higher" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Vendure - XSS via SVG File Upload", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "2022-05-02T12:07:00.000Z", + "ID": "CVE-2022-23065", + "STATE": "PUBLIC", + "TITLE": "Vendure - XSS via SVG File Upload" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "vendure", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "0.1.0-alpha.2" + }, + { + "version_affected": "<=", + "version_value": "1.5.1" + } + ] + } + } + ] + }, + "vendor_name": "vendure-ecommerce" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by Stored XSS vulnerability, where an attacker having catalog permission can upload a SVG file that contains malicious JavaScript into the “Assets” tab. The uploaded file will affect administrators as well as regular users." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/vendure-ecommerce/vendure/commit/69a44869112c0a5b836e2ddd3969ea9b533f51f0", + "refsource": "MISC", + "url": "https://github.com/vendure-ecommerce/vendure/commit/69a44869112c0a5b836e2ddd3969ea9b533f51f0" + }, + { + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23065", + "refsource": "MISC", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23065" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Upgrade version to 1.5.2 or higher" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:51.587Z" + }, + "references": [ + { + "name": "Test (7286/24750) [3536/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23065" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23065", + "datePublished": "2022-05-02T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:51.587Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "rbpf", + "vendor": "solana-labs", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "0.2.26", + "versionType": "custom" + }, + { + "lessThanOrEqual": "0.2.27", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "BlockSec" + } + ], + "datePublic": "2022-05-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to transfer tokens or not. The vulnerability affects both integrity and may cause serious availability problems." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.1, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-682", + "description": "CWE-682 Incorrect Calculation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-12T13:20:08", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/solana-labs/rbpf/commit/e61e045f8c244de978401d186dcfd50838817297" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23066" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://blocksecteam.medium.com/how-a-critical-bug-in-solana-network-was-detected-and-timely-patched-a701870e1324" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Upgrade version to 0.2.28 or higher" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Solana rBPF - Incorrect Calculation in sdiv instruction", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "2022-05-08T14:15:00.000Z", + "ID": "CVE-2022-23066", + "STATE": "PUBLIC", + "TITLE": "Solana rBPF - Incorrect Calculation in sdiv instruction" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "rbpf", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "0.2.26" + }, + { + "version_affected": "<=", + "version_value": "0.2.27" + } + ] + } + } + ] + }, + "vendor_name": "solana-labs" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "BlockSec" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to transfer tokens or not. The vulnerability affects both integrity and may cause serious availability problems." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.1, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-682 Incorrect Calculation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/solana-labs/rbpf/commit/e61e045f8c244de978401d186dcfd50838817297", + "refsource": "MISC", + "url": "https://github.com/solana-labs/rbpf/commit/e61e045f8c244de978401d186dcfd50838817297" + }, + { + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23066", + "refsource": "MISC", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23066" + }, + { + "name": "https://blocksecteam.medium.com/how-a-critical-bug-in-solana-network-was-detected-and-timely-patched-a701870e1324", + "refsource": "MISC", + "url": "https://blocksecteam.medium.com/how-a-critical-bug-in-solana-network-was-detected-and-timely-patched-a701870e1324" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Upgrade version to 0.2.28 or higher" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:51.915Z" + }, + "references": [ + { + "name": "Test (7287/24750) [3537/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23066" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23066", + "datePublished": "2022-05-08T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:51.915Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ToolJet", + "vendor": "ToolJet", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "0.5.0", + "versionType": "custom" + }, + { + "lessThanOrEqual": "1.2.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "datePublic": "2022-05-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via Referer header that leads to account takeover . If the user opens the invite link/signup link and then clicks on any external links within the page, it leaks the password set token/signup token in the referer header. Using these tokens the attacker can access the user’s account." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-200", + "description": "CWE-200 Information Exposure", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-18T11:45:13", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ToolJet/ToolJet/commit/eacbfc4c9da089ff9cda9edf8a1156390ae8a101" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23067" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to version v1.3.0 or later" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "ToolJet - Token Leakage via Referer Header", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "2022-05-17T10:46:00.000Z", + "ID": "CVE-2022-23067", + "STATE": "PUBLIC", + "TITLE": "ToolJet - Token Leakage via Referer Header" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ToolJet", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "0.5.0" + }, + { + "version_affected": "<=", + "version_value": "1.2.2" + } + ] + } + } + ] + }, + "vendor_name": "ToolJet" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via Referer header that leads to account takeover . If the user opens the invite link/signup link and then clicks on any external links within the page, it leaks the password set token/signup token in the referer header. Using these tokens the attacker can access the user’s account." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200 Information Exposure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/ToolJet/ToolJet/commit/eacbfc4c9da089ff9cda9edf8a1156390ae8a101", + "refsource": "MISC", + "url": "https://github.com/ToolJet/ToolJet/commit/eacbfc4c9da089ff9cda9edf8a1156390ae8a101" + }, + { + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23067", + "refsource": "MISC", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23067" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to version v1.3.0 or later" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:52.251Z" + }, + "references": [ + { + "name": "Test (7288/24750) [3538/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23067" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23067", + "datePublished": "2022-05-17T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:52.251Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ToolJet", + "vendor": "ToolJet", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "0.6.0", + "versionType": "custom" + }, + { + "lessThanOrEqual": "1.10.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "datePublic": "2022-05-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "ToolJet versions v0.6.0 to v1.10.2 are vulnerable to HTML injection where an attacker can inject malicious code inside the first name and last name field while inviting a new user which will be reflected in the invitational e-mail." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-74", + "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-18T11:45:15", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ToolJet/ToolJet/commit/431dc961cdfe4d26343d1c1c951ced778fbddb58" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23068" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to version v1.11.0 or later" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "ToolJet - HTML Injection in Invite New User", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "2022-05-17T10:46:00.000Z", + "ID": "CVE-2022-23068", + "STATE": "PUBLIC", + "TITLE": "ToolJet - HTML Injection in Invite New User" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ToolJet", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "0.6.0" + }, + { + "version_affected": "<=", + "version_value": "1.10.2" + } + ] + } + } + ] + }, + "vendor_name": "ToolJet" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "WhiteSource Vulnerability Research Team (WVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "ToolJet versions v0.6.0 to v1.10.2 are vulnerable to HTML injection where an attacker can inject malicious code inside the first name and last name field while inviting a new user which will be reflected in the invitational e-mail." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/ToolJet/ToolJet/commit/431dc961cdfe4d26343d1c1c951ced778fbddb58", + "refsource": "MISC", + "url": "https://github.com/ToolJet/ToolJet/commit/431dc961cdfe4d26343d1c1c951ced778fbddb58" + }, + { + "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23068", + "refsource": "MISC", + "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23068" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to version v1.11.0 or later" + } + ], + "source": { + "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:52.600Z" + }, + "references": [ + { + "name": "Test (7289/24750) [3539/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23068" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23068", + "datePublished": "2022-05-17T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:52.600Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "recipes", + "vendor": "recipes", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "0.9.1", + "versionType": "custom" + }, + { + "lessThanOrEqual": "1.2.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-01-11T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-918", + "description": "CWE-918 Server-Side Request Forgery (SSRF)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-19T10:15:14", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23071" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to 1.2.6 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Recipes - SSRF on Import", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "Jan 11, 2022, 3:10:07 PM", + "ID": "CVE-2022-23071", + "STATE": "PUBLIC", + "TITLE": "Recipes - SSRF on Import" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "recipes", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "0.9.1" + }, + { + "version_affected": "<=", + "version_value": "1.2.5" + } + ] + } + } + ] + }, + "vendor_name": "recipes" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-918 Server-Side Request Forgery (SSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23071", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23071" + }, + { + "name": "https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c", + "refsource": "MISC", + "url": "https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to 1.2.6 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:52.922Z" + }, + "references": [ + { + "name": "Test (7290/24750) [3540/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23071" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23071", + "datePublished": "2022-01-11T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:52.922Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "recipes", + "vendor": "recipes", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "1.0.5", + "versionType": "custom" + }, + { + "lessThanOrEqual": "1.2.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-01-11T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-21T08:10:11", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23072" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to 1.2.6 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Recipes - Stored XSS in Add to Cart", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "Jan 11, 2022, 3:10:07 PM", + "ID": "CVE-2022-23072", + "STATE": "PUBLIC", + "TITLE": "Recipes - Stored XSS in Add to Cart" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "recipes", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "1.0.5" + }, + { + "version_affected": "<=", + "version_value": "1.2.5" + } + ] + } + } + ] + }, + "vendor_name": "recipes" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23072", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23072" + }, + { + "name": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6", + "refsource": "MISC", + "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to 1.2.6 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:53.252Z" + }, + "references": [ + { + "name": "Test (7291/24750) [3541/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23072" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23072", + "datePublished": "2022-01-11T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:53.252Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "recipes", + "vendor": "recipes", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "1.0.5", + "versionType": "custom" + }, + { + "lessThanOrEqual": "1.2.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-01-11T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in copy to clipboard functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the clipboard icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-21T08:50:09", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23073" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to 1.2.6 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Recipes - Stored XSS in Clipboard", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "Jan 11, 2022, 3:10:07 PM", + "ID": "CVE-2022-23073", + "STATE": "PUBLIC", + "TITLE": "Recipes - Stored XSS in Clipboard" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "recipes", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "1.0.5" + }, + { + "version_affected": "<=", + "version_value": "1.2.5" + } + ] + } + } + ] + }, + "vendor_name": "recipes" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in copy to clipboard functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the clipboard icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6", + "refsource": "MISC", + "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6" + }, + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23073", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23073" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to 1.2.6 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:53.685Z" + }, + "references": [ + { + "name": "Test (7292/24750) [3542/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23073" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23073", + "datePublished": "2022-01-11T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:53.685Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "recipes", + "vendor": "recipes", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "0.17.0", + "versionType": "custom" + }, + { + "lessThanOrEqual": "1.2.5", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-01-11T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-21T09:20:10", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23074" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to 1.2.6 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Recipes - Stored XSS in Name Parameter", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "Jan 11, 2022, 3:10:07 PM", + "ID": "CVE-2022-23074", + "STATE": "PUBLIC", + "TITLE": "Recipes - Stored XSS in Name Parameter" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "recipes", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "0.17.0" + }, + { + "version_affected": "<=", + "version_value": "1.2.5" + } + ] + } + } + ] + }, + "vendor_name": "recipes" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6", + "refsource": "MISC", + "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6" + }, + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23074", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23074" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to 1.2.6 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:54.445Z" + }, + "references": [ + { + "name": "Test (7293/24750) [3543/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23074" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23074", + "datePublished": "2022-01-11T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:54.445Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "habitica", + "vendor": "habitica", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "v4.119.1", + "versionType": "custom" + }, + { + "lessThanOrEqual": "v4.232.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-01-11T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM XSS via the login page." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-22T11:30:16", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23077" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/HabitRPG/habitica/commit/5bcfdbe066e8c899f3ecf3fdcdbacc2ecba7f02f" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to v4.233.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Habitica - DOM XSS in login page", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "Jan 11, 2022, 3:10:07 PM", + "ID": "CVE-2022-23077", + "STATE": "PUBLIC", + "TITLE": "Habitica - DOM XSS in login page" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "habitica", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "v4.119.1" + }, + { + "version_affected": "<=", + "version_value": "v4.232.2" + } + ] + } + } + ] + }, + "vendor_name": "habitica" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM XSS via the login page." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23077", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23077" + }, + { + "name": "https://github.com/HabitRPG/habitica/commit/5bcfdbe066e8c899f3ecf3fdcdbacc2ecba7f02f", + "refsource": "MISC", + "url": "https://github.com/HabitRPG/habitica/commit/5bcfdbe066e8c899f3ecf3fdcdbacc2ecba7f02f" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to v4.233.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:55.142Z" + }, + "references": [ + { + "name": "Test (7294/24750) [3544/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23077" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23077", + "datePublished": "2022-01-11T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:55.142Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "habitica", + "vendor": "habitica", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "v4.119.1", + "versionType": "custom" + }, + { + "lessThanOrEqual": "v4.232.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-01-11T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In habitica versions v4.119.0 through v4.232.2 are vulnerable to open redirect via the login page." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-601", + "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-22T12:00:16", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/HabitRPG/habitica/commit/5bcfdbe066e8c899f3ecf3fdcdbacc2ecba7f02f" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23078" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to v4.233.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Habitica - Open redirect in login page", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "Jan 11, 2022, 3:10:07 PM", + "ID": "CVE-2022-23078", + "STATE": "PUBLIC", + "TITLE": "Habitica - Open redirect in login page" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "habitica", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "v4.119.1" + }, + { + "version_affected": "<=", + "version_value": "v4.232.2" + } + ] + } + } + ] + }, + "vendor_name": "habitica" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In habitica versions v4.119.0 through v4.232.2 are vulnerable to open redirect via the login page." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/HabitRPG/habitica/commit/5bcfdbe066e8c899f3ecf3fdcdbacc2ecba7f02f", + "refsource": "MISC", + "url": "https://github.com/HabitRPG/habitica/commit/5bcfdbe066e8c899f3ecf3fdcdbacc2ecba7f02f" + }, + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23078", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23078" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to v4.233.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:55.638Z" + }, + "references": [ + { + "name": "Test (7295/24750) [3545/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23078" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23078", + "datePublished": "2022-01-11T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:55.638Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "motor-admin", + "vendor": "motor-admin", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "0.0.1", + "versionType": "custom" + }, + { + "lessThanOrEqual": "0.2.56", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-01-11T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-116", + "description": "CWE-116 Improper Encoding or Escaping of Output", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-22T13:05:10", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23079" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/motor-admin/motor-admin/commit/a461b7507940a1fa062836daa89c82404fe3ecf9" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to 0.2.61 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "motoradmin - host header Injection in the reset password functionality ", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "Jan 11, 2022, 3:10:07 PM", + "ID": "CVE-2022-23079", + "STATE": "PUBLIC", + "TITLE": "motoradmin - host header Injection in the reset password functionality " + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "motor-admin", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "0.0.1" + }, + { + "version_affected": "<=", + "version_value": "0.2.56" + } + ] + } + } + ] + }, + "vendor_name": "motor-admin" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-116 Improper Encoding or Escaping of Output" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23079", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23079" + }, + { + "name": "https://github.com/motor-admin/motor-admin/commit/a461b7507940a1fa062836daa89c82404fe3ecf9", + "refsource": "MISC", + "url": "https://github.com/motor-admin/motor-admin/commit/a461b7507940a1fa062836daa89c82404fe3ecf9" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to 0.2.61 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:55.971Z" + }, + "references": [ + { + "name": "Test (7296/24750) [3546/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23079" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23079", + "datePublished": "2022-01-11T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:55.971Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "directus", + "vendor": "directus", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "v9.0.0-beta.10", + "versionType": "custom" + }, + { + "lessThanOrEqual": "v9.6.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-01-11T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-918", + "description": "CWE-918 Server-Side Request Forgery (SSRF)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-22T15:40:10", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23080" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/directus/directus/commit/6da3f1ed5034115b1da00440008351bf0d808d83" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to v9.7.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "directus - SSRF which leads to internal port scan", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "Jan 11, 2022, 3:10:07 PM", + "ID": "CVE-2022-23080", + "STATE": "PUBLIC", + "TITLE": "directus - SSRF which leads to internal port scan" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "directus", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "v9.0.0-beta.10" + }, + { + "version_affected": "<=", + "version_value": "v9.6.0" + } + ] + } + } + ] + }, + "vendor_name": "directus" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-918 Server-Side Request Forgery (SSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23080", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23080" + }, + { + "name": "https://github.com/directus/directus/commit/6da3f1ed5034115b1da00440008351bf0d808d83", + "refsource": "MISC", + "url": "https://github.com/directus/directus/commit/6da3f1ed5034115b1da00440008351bf0d808d83" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to v9.7.0 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:56.333Z" + }, + "references": [ + { + "name": "Test (7297/24750) [3547/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23080" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23080", + "datePublished": "2022-01-11T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:56.333Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "openlibrary", + "vendor": "openlibrary", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "deploy-2019-10-16/sponsorship", + "versionType": "custom" + }, + { + "lessThanOrEqual": "deploy-2021-12-22", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "datePublic": "2022-01-11T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are vulnerable to Reflected XSS." + } + ], + "metrics": [ + { + "other": { + "content": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-22T17:20:12", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23081" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/internetarchive/openlibrary/pull/6597/commits/5460c8e8b517ef83c6a3b33654ba43ef0cbf051e" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version to deploy-2022-06-09 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "Openlibrary - Reflected XSS", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "Jan 11, 2022, 3:10:07 PM", + "ID": "CVE-2022-23081", + "STATE": "PUBLIC", + "TITLE": "Openlibrary - Reflected XSS" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "openlibrary", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "deploy-2019-10-16/sponsorship" + }, + { + "version_affected": "<=", + "version_value": "deploy-2021-12-22" + } + ] + } + } + ] + }, + "vendor_name": "openlibrary" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Mend Vulnerability Research Team (MVR)" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are vulnerable to Reflected XSS." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": 3.1 + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23081", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23081" + }, + { + "name": "https://github.com/internetarchive/openlibrary/pull/6597/commits/5460c8e8b517ef83c6a3b33654ba43ef0cbf051e", + "refsource": "MISC", + "url": "https://github.com/internetarchive/openlibrary/pull/6597/commits/5460c8e8b517ef83c6a3b33654ba43ef0cbf051e" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version to deploy-2022-06-09 or later" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:56.671Z" + }, + "references": [ + { + "name": "Test (7298/24750) [3548/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23081" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23081", + "datePublished": "2022-01-11T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:56.671Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "CureKit", + "vendor": "WhiteSource", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "v1.0.1", + "versionType": "custom" + }, + { + "lessThanOrEqual": "v1.1.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Jonathan Leitschuh" + } + ], + "datePublic": "2022-05-31T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal as the function isFileOutsideDir fails to sanitize the user input which may lead to path traversal." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-22", + "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-01T09:30:12", + "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "shortName": "Mend" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/whitesource/CureKit/commit/af35e870ed09411d2f1fae6db1b04598cd1a31b6" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23082" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Upgrade to version V1.1.4" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + }, + "title": "CureKit - Path Traversal in isFileOutsideDir", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", + "DATE_PUBLIC": "2022-05-31T13:20:00.000Z", + "ID": "CVE-2022-23082", + "STATE": "PUBLIC", + "TITLE": "CureKit - Path Traversal in isFileOutsideDir" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "CureKit", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "v1.0.1" + }, + { + "version_affected": "<=", + "version_value": "v1.1.3" + } + ] + } + } + ] + }, + "vendor_name": "WhiteSource" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Jonathan Leitschuh" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal as the function isFileOutsideDir fails to sanitize the user input which may lead to path traversal." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/whitesource/CureKit/commit/af35e870ed09411d2f1fae6db1b04598cd1a31b6", + "refsource": "MISC", + "url": "https://github.com/whitesource/CureKit/commit/af35e870ed09411d2f1fae6db1b04598cd1a31b6" + }, + { + "name": "https://www.mend.io/vulnerability-database/CVE-2022-23082", + "refsource": "MISC", + "url": "https://www.mend.io/vulnerability-database/CVE-2022-23082" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Upgrade to version V1.1.4" + } + ], + "source": { + "advisory": "https://www.mend.io/vulnerability-database/", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:56.992Z" + }, + "references": [ + { + "name": "Test (7299/24750) [3549/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23082" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", + "assignerShortName": "Mend", + "cveId": "CVE-2022-23082", + "datePublished": "2022-05-31T00:00:00", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:56.992Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "NetMaster Network Management for TCP/IP and NetMaster File Transfer Management", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "12.2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "NetMaster 12.2 Network Management for TCP/IP and NetMaster File Transfer Management contain a XSS (Cross-Site Scripting) vulnerability in ReportCenter UI due to insufficient input validation that could potentially allow an attacker to execute code on the affected machine." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Cross-Site Scripting", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-18T16:52:35", + "orgId": "e291eae9-7c0a-46ac-ba7d-5251811f8b7f", + "shortName": "ca" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.broadcom.com/external/content/security-advisories/NetMaster-12.2-ReportCenter-Vulnerability-CVE-2022-23083/20049" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vuln@ca.com", + "ID": "CVE-2022-23083", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "NetMaster Network Management for TCP/IP and NetMaster File Transfer Management", + "version": { + "version_data": [ + { + "version_value": "12.2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "NetMaster 12.2 Network Management for TCP/IP and NetMaster File Transfer Management contain a XSS (Cross-Site Scripting) vulnerability in ReportCenter UI due to insufficient input validation that could potentially allow an attacker to execute code on the affected machine." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-Site Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.broadcom.com/external/content/security-advisories/NetMaster-12.2-ReportCenter-Vulnerability-CVE-2022-23083/20049", + "refsource": "MISC", + "url": "https://support.broadcom.com/external/content/security-advisories/NetMaster-12.2-ReportCenter-Vulnerability-CVE-2022-23083/20049" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:56:57.323Z" + }, + "references": [ + { + "name": "Test (7300/24750) [3550/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23083" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "e291eae9-7c0a-46ac-ba7d-5251811f8b7f", + "assignerShortName": "ca", + "cveId": "CVE-2022-23083", + "datePublished": "2022-01-18T16:52:35", + "dateReserved": "2022-01-10T00:00:00", + "dateUpdated": "2024-06-03T14:56:57.323Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23084", + "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "state": "PUBLISHED", + "assignerShortName": "freebsd", + "dateReserved": "2022-01-10T22:07:46.040Z", + "datePublished": "2024-02-15T04:52:09.645Z", + "dateUpdated": "2024-06-03T14:57:20.077Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unknown", + "modules": [ + "netmap" + ], + "product": "FreeBSD", + "vendor": "FreeBSD", + "versions": [ + { + "lessThan": "p1", + "status": "affected", + "version": "13.1-RC1", + "versionType": "release" + }, + { + "lessThan": "p11", + "status": "affected", + "version": "13.0-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p5", + "status": "affected", + "version": "12.3-RELEASE", + "versionType": "release" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Reno Robert" + }, + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Lucas Leong (@_wmliang_)" + }, + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Trend Micro Zero Day Initiative" + } + ], + "datePublic": "2022-04-06T05:00:00.000Z", + "descriptions": [ + { + "lang": "en", + "value": "The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption.\n\nOn systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment." + } + ], + "providerMetadata": { + "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "shortName": "freebsd", + "dateUpdated": "2024-02-15T04:52:09.645Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.asc" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240419-0003/" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Potential jail escape vulnerabilities in netmap", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:20.077Z" + }, + "references": [ + { + "name": "Test (7301/24750) [3551/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23084" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23085", + "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "state": "PUBLISHED", + "assignerShortName": "freebsd", + "dateReserved": "2022-01-10T22:07:46.040Z", + "datePublished": "2024-02-15T04:52:17.556Z", + "dateUpdated": "2024-06-03T14:57:20.424Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unknown", + "modules": [ + "netmap" + ], + "product": "FreeBSD", + "vendor": "FreeBSD", + "versions": [ + { + "lessThan": "p1", + "status": "affected", + "version": "13.1-RC1", + "versionType": "release" + }, + { + "lessThan": "p11", + "status": "affected", + "version": "13.0-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p5", + "status": "affected", + "version": "12.3-RELEASE", + "versionType": "release" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Reno Robert" + }, + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Lucas Leong (@_wmliang_)" + }, + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Trend Micro Zero Day Initiative" + } + ], + "datePublic": "2022-04-06T05:00:00.000Z", + "descriptions": [ + { + "lang": "en", + "value": "A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption.\n\nOn systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment." + } + ], + "providerMetadata": { + "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "shortName": "freebsd", + "dateUpdated": "2024-02-15T04:52:17.556Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.asc" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240322-0004/" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Potential jail escape vulnerabilities in netmap", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:20.424Z" + }, + "references": [ + { + "name": "Test (7302/24750) [3552/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23085" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23086", + "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "state": "PUBLISHED", + "assignerShortName": "freebsd", + "dateReserved": "2022-01-10T22:07:46.040Z", + "datePublished": "2024-02-15T04:57:19.622Z", + "dateUpdated": "2024-06-03T14:57:20.748Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unknown", + "modules": [ + "mpr", + "mps", + "mpt" + ], + "product": "FreeBSD", + "vendor": "FreeBSD", + "versions": [ + { + "lessThan": "p1", + "status": "affected", + "version": "13.1-RC1", + "versionType": "release" + }, + { + "lessThan": "p11", + "status": "affected", + "version": "13.0-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p5", + "status": "affected", + "version": "12.3-RELEASE", + "versionType": "release" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Lucas Leong (@_wmliang_)" + }, + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Trend Micro Zero Day Initiative" + } + ], + "datePublic": "2022-04-06T05:00:00.000Z", + "descriptions": [ + { + "lang": "en", + "value": "Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small.\n\nUsers with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group." + } + ], + "providerMetadata": { + "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "shortName": "freebsd", + "dateUpdated": "2024-02-15T04:57:19.622Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:06.ioctl.asc" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240419-0002/" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "mpr/mps/mpt driver ioctl heap out-of-bounds write", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:20.748Z" + }, + "references": [ + { + "name": "Test (7303/24750) [3553/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23086" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23087", + "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "state": "PUBLISHED", + "assignerShortName": "freebsd", + "dateReserved": "2022-01-10T22:07:46.040Z", + "datePublished": "2024-02-15T05:01:00.770Z", + "dateUpdated": "2024-06-03T14:57:21.083Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unknown", + "modules": [ + "bhyve" + ], + "product": "FreeBSD", + "vendor": "FreeBSD", + "versions": [ + { + "lessThan": "p1", + "status": "affected", + "version": "13.1-RC1", + "versionType": "release" + }, + { + "lessThan": "p11", + "status": "affected", + "version": "13.0-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p5", + "status": "affected", + "version": "12.3-RELEASE", + "versionType": "release" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Mehdi Talbi" + }, + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Synacktiv" + } + ], + "datePublic": "2022-04-06T05:00:00.000Z", + "descriptions": [ + { + "lang": "en", + "value": "The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload (\"TSO\"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.\n\nWhen checksum offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to specify the checksum offset in the on-stack buffer. The offset was not validated for certain packet types.\n\nA misbehaving bhyve guest could overwrite memory in the bhyve process on the host, possibly leading to code execution in the host context.\n\nThe bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD version and bhyve configuration) limits the impact of exploiting this issue." + } + ], + "providerMetadata": { + "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "shortName": "freebsd", + "dateUpdated": "2024-02-15T05:01:00.770Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:05.bhyve.asc" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0005/" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Bhyve e82545 device emulation out-of-bounds write", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:21.083Z" + }, + "references": [ + { + "name": "Test (7304/24750) [3554/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23087" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23088", + "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "state": "PUBLISHED", + "assignerShortName": "freebsd", + "dateReserved": "2022-01-10T22:07:46.041Z", + "datePublished": "2024-02-15T05:03:38.536Z", + "dateUpdated": "2024-06-03T14:57:21.415Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unknown", + "modules": [ + "net80211" + ], + "product": "FreeBSD", + "vendor": "FreeBSD", + "versions": [ + { + "lessThan": "p1", + "status": "affected", + "version": "13.1-RC1", + "versionType": "release" + }, + { + "lessThan": "p11", + "status": "affected", + "version": "13.0-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p5", + "status": "affected", + "version": "12.3-RELEASE", + "versionType": "release" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "m00nbsd" + }, + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Trend Micro Zero Day Initiative" + } + ], + "datePublic": "2022-04-06T05:00:00.000Z", + "descriptions": [ + { + "lang": "en", + "value": "The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.\n\nWhile a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution." + } + ], + "providerMetadata": { + "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "shortName": "freebsd", + "dateUpdated": "2024-02-15T05:03:38.536Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:07.wifi_meshid.asc" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "802.11 heap buffer overflow", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:21.415Z" + }, + "references": [ + { + "name": "Test (7305/24750) [3555/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23088" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23089", + "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "state": "PUBLISHED", + "assignerShortName": "freebsd", + "dateReserved": "2022-01-10T22:07:46.041Z", + "datePublished": "2024-02-15T05:07:13.996Z", + "dateUpdated": "2024-06-03T14:57:21.733Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unknown", + "modules": [ + "kernel" + ], + "product": "FreeBSD", + "vendor": "FreeBSD", + "versions": [ + { + "lessThan": "p1", + "status": "affected", + "version": "13.1-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p12", + "status": "affected", + "version": "13.0-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p6", + "status": "affected", + "version": "12.3-RELEASE", + "versionType": "release" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Josef 'Jeff' Sipek" + } + ], + "datePublic": "2022-08-09T23:00:00.000Z", + "descriptions": [ + { + "lang": "en", + "value": "When dumping core and saving process information, proc_getargv() might return an sbuf which have a sbuf_len() of 0 or -1, which is not properly handled.\n\nAn out-of-bound read can happen when user constructs a specially crafted ps_string, which in turn can cause the kernel to crash." + } + ], + "providerMetadata": { + "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "shortName": "freebsd", + "dateUpdated": "2024-02-15T05:07:13.996Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:09.elf.asc" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0006/" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Out of bound read in elf_note_prpsinfo()", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "id": "CVE-2022-23089", + "role": "CISA Coordinator", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + } + ], + "version": "2.0.3", + "timestamp": "2024-02-15T20:01:04.904349Z" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-24T01:07:49.017Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:21.733Z" + }, + "references": [ + { + "name": "Test (7306/24750) [3556/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23089" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23090", + "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "state": "PUBLISHED", + "assignerShortName": "freebsd", + "dateReserved": "2022-01-10T22:07:46.041Z", + "datePublished": "2024-02-15T05:09:27.389Z", + "dateUpdated": "2024-06-03T14:57:22.051Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unknown", + "modules": [ + "kernel" + ], + "product": "FreeBSD", + "vendor": "FreeBSD", + "versions": [ + { + "lessThan": "p1", + "status": "affected", + "version": "13.1-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p12", + "status": "affected", + "version": "13.0-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p6", + "status": "affected", + "version": "12.3-RELEASE", + "versionType": "release" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Chris J-D " + } + ], + "datePublic": "2022-08-09T23:00:00.000Z", + "descriptions": [ + { + "lang": "en", + "value": "The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case.\n\nAn attacker may cause the reference count to overflow, leading to a use after free (UAF)." + } + ], + "providerMetadata": { + "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "shortName": "freebsd", + "dateUpdated": "2024-02-15T05:09:27.389Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:10.aio.asc" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0007/" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "AIO credential reference count leak", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:22.051Z" + }, + "references": [ + { + "name": "Test (7307/24750) [3557/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23090" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23091", + "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "state": "PUBLISHED", + "assignerShortName": "freebsd", + "dateReserved": "2022-01-10T22:07:46.042Z", + "datePublished": "2024-02-15T05:11:35.101Z", + "dateUpdated": "2024-06-03T14:57:22.377Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unknown", + "modules": [ + "vm" + ], + "product": "FreeBSD", + "vendor": "FreeBSD", + "versions": [ + { + "lessThan": "p1", + "status": "affected", + "version": "13.1-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p12", + "status": "affected", + "version": "13.0-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p6", + "status": "affected", + "version": "12.3-RELEASE", + "versionType": "release" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Mark Johnston" + } + ], + "datePublic": "2022-08-09T23:00:00.000Z", + "descriptions": [ + { + "lang": "en", + "value": "A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause.\n\nAn unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private data belonging to other processes or the kernel." + } + ], + "providerMetadata": { + "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "shortName": "freebsd", + "dateUpdated": "2024-02-15T05:11:35.101Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:11.vm.asc" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0008/" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Memory disclosure by stale virtual memory mapping", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "id": "CVE-2022-23091", + "role": "CISA Coordinator", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + } + ], + "version": "2.0.3", + "timestamp": "2024-02-15T16:28:20.765100Z" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-24T01:07:54.768Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:22.377Z" + }, + "references": [ + { + "name": "Test (7308/24750) [3558/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23091" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23092", + "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "state": "PUBLISHED", + "assignerShortName": "freebsd", + "dateReserved": "2022-01-10T22:07:46.042Z", + "datePublished": "2024-02-15T05:13:50.356Z", + "dateUpdated": "2024-06-03T14:57:22.688Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unknown", + "modules": [ + "lib9p" + ], + "product": "FreeBSD", + "vendor": "FreeBSD", + "versions": [ + { + "lessThan": "p1", + "status": "affected", + "version": "13.1-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p12", + "status": "affected", + "version": "13.0-RELEASE", + "versionType": "release" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Robert Morris" + } + ], + "datePublic": "2022-08-09T23:00:00.000Z", + "descriptions": [ + { + "lang": "en", + "value": "The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory.\n\nThe bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve's Capsicum sandbox." + } + ], + "providerMetadata": { + "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "shortName": "freebsd", + "dateUpdated": "2024-02-15T05:13:50.356Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:12.lib9p.asc" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240415-0009/" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Missing bounds check in 9p message handling", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:22.688Z" + }, + "references": [ + { + "name": "Test (7309/24750) [3559/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23092" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23093", + "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "state": "PUBLISHED", + "assignerShortName": "freebsd", + "dateReserved": "2022-01-10T22:07:46.043Z", + "datePublished": "2024-02-15T05:18:44.628Z", + "dateUpdated": "2024-06-03T14:57:22.987Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unknown", + "modules": [ + "ping" + ], + "product": "FreeBSD", + "vendor": "FreeBSD", + "versions": [ + { + "lessThan": "p5", + "status": "affected", + "version": "13.1-RELEASE", + "versionType": "release" + }, + { + "lessThan": "p2", + "status": "affected", + "version": "12.4-RC2", + "versionType": "release" + }, + { + "lessThan": "p10", + "status": "affected", + "version": "12.3-RELEASE", + "versionType": "release" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "NetApp, Inc." + } + ], + "datePublic": "2022-11-30T01:00:00.000Z", + "descriptions": [ + { + "lang": "en", + "value": "ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a \"quoted packet,\" which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.\n\nThe pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.\n\nThe memory safety bugs described above can be triggered by a remote host, causing the ping program to crash.\n\nThe ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur." + } + ], + "providerMetadata": { + "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", + "shortName": "freebsd", + "dateUpdated": "2024-02-15T05:18:44.628Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:15.ping.asc" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Stack overflow in ping(8)", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + }, + "adp": [ + { + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "id": "CVE-2022-23093", + "role": "CISA Coordinator", + "options": [ + { + "Exploitation": "none" + }, + { + "Automatable": "no" + }, + { + "Technical Impact": "partial" + } + ], + "version": "2.0.3", + "timestamp": "2024-03-14T21:25:53.167040Z" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-24T01:05:59.133Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:22.987Z" + }, + "references": [ + { + "name": "Test (7310/24750) [3560/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23093" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in 4.6." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T16:06:23", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://libreswan.org/security/CVE-2022-23094" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/libreswan/libreswan/issues/585" + }, + { + "name": "DSA-5048", + "tags": [ + "vendor-advisory", + "x_refsource_DEBIAN" + ], + "url": "https://www.debian.org/security/2022/dsa-5048" + }, + { + "name": "FEDORA-2022-a4bca77f88", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UFZ7WP5LNNBW5ADIOPDSPQ23SXZJRNMP/" + }, + { + "name": "FEDORA-2022-42e0892147", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPMIHAXWQUJAPCIGNJ5J5Q6ASWQBU7T5/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23094", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in 4.6." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://libreswan.org/security/CVE-2022-23094", + "refsource": "MISC", + "url": "https://libreswan.org/security/CVE-2022-23094" + }, + { + "name": "https://github.com/libreswan/libreswan/issues/585", + "refsource": "MISC", + "url": "https://github.com/libreswan/libreswan/issues/585" + }, + { + "name": "DSA-5048", + "refsource": "DEBIAN", + "url": "https://www.debian.org/security/2022/dsa-5048" + }, + { + "name": "FEDORA-2022-a4bca77f88", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFZ7WP5LNNBW5ADIOPDSPQ23SXZJRNMP/" + }, + { + "name": "FEDORA-2022-42e0892147", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPMIHAXWQUJAPCIGNJ5J5Q6ASWQBU7T5/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:23.319Z" + }, + "references": [ + { + "name": "Test (7311/24750) [3561/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23094" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23094", + "datePublished": "2022-01-15T01:37:32", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:23.319Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Open Design Alliance Drawings SDK before 2022.12.1 mishandles the loading of JPG files. Unchecked input data from a crafted JPG file leads to memory corruption. An attacker can leverage this vulnerability to execute code in the context of the current process." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-15T14:36:32", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.opendesign.com/security-advisories" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23095", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Open Design Alliance Drawings SDK before 2022.12.1 mishandles the loading of JPG files. Unchecked input data from a crafted JPG file leads to memory corruption. An attacker can leverage this vulnerability to execute code in the context of the current process." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.opendesign.com/security-advisories", + "refsource": "MISC", + "url": "https://www.opendesign.com/security-advisories" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2023-12-08T00:00:00+00:00", + "options": [ + { + "Exploitation": "None" + }, + { + "Automatable": "No" + }, + { + "Technical Impact": "Total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-23095" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2023-12-09T05:05:47.711Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:23.637Z" + }, + "references": [ + { + "name": "Test (7312/24750) [3562/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23095" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23095", + "datePublished": "2022-01-15T14:36:32", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:23.637Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2023-10-31T07:06:15.995176" + }, + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/pub/scm/network/connman/connman.git/log/" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/01/25/1" + }, + { + "name": "[debian-lts-announce] 20220209 [SECURITY] [DLA 2915-1] connman security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00009.html" + }, + { + "name": "DSA-5231", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5231" + }, + { + "name": "GLSA-202310-21", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202310-21" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:23.989Z" + }, + "references": [ + { + "name": "Test (7313/24750) [3563/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23096" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23096", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:57:23.989Z", + "dateReserved": "2022-01-11T00:00:00", + "datePublished": "2022-01-28T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2023-10-31T07:06:17.527788" + }, + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in the DNS proxy in Connman through 1.40. forward_dns_reply mishandles a strnlen call, leading to an out-of-bounds read." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/pub/scm/network/connman/connman.git/log/" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/01/25/1" + }, + { + "name": "[debian-lts-announce] 20220209 [SECURITY] [DLA 2915-1] connman security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00009.html" + }, + { + "name": "DSA-5231", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5231" + }, + { + "name": "GLSA-202310-21", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202310-21" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:24.336Z" + }, + "references": [ + { + "name": "Test (7314/24750) [3564/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23097" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23097", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:57:24.336Z", + "dateReserved": "2022-01-11T00:00:00", + "datePublished": "2022-01-28T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2023-10-31T07:06:19.178744" + }, + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/pub/scm/network/connman/connman.git/log/" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/01/25/1" + }, + { + "name": "[debian-lts-announce] 20220209 [SECURITY] [DLA 2915-1] connman security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00009.html" + }, + { + "name": "DSA-5231", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5231" + }, + { + "name": "GLSA-202310-21", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202310-21" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:24.652Z" + }, + "references": [ + { + "name": "Test (7315/24750) [3565/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23098" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23098", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:57:24.652Z", + "dateReserved": "2022-01-11T00:00:00", + "datePublished": "2022-01-28T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OX App Suite through 7.10.6 allows XSS by forcing block-wise read." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-27T13:25:54", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://open-xchange.com" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://seclists.org/fulldisclosure/2022/Jul/11" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23099", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "OX App Suite through 7.10.6 allows XSS by forcing block-wise read." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://open-xchange.com", + "refsource": "MISC", + "url": "https://open-xchange.com" + }, + { + "name": "https://seclists.org/fulldisclosure/2022/Jul/11", + "refsource": "CONFIRM", + "url": "https://seclists.org/fulldisclosure/2022/Jul/11" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:24.974Z" + }, + "references": [ + { + "name": "Test (7316/24750) [3566/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23099" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23099", + "datePublished": "2022-07-27T13:25:54", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:24.974Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment)." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-27T13:23:24", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://open-xchange.com" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://seclists.org/fulldisclosure/2022/Jul/11" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23100", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment)." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://open-xchange.com", + "refsource": "MISC", + "url": "https://open-xchange.com" + }, + { + "name": "https://seclists.org/fulldisclosure/2022/Jul/11", + "refsource": "CONFIRM", + "url": "https://seclists.org/fulldisclosure/2022/Jul/11" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:25.310Z" + }, + "references": [ + { + "name": "Test (7317/24750) [3567/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23100" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23100", + "datePublished": "2022-07-27T13:23:24", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:25.310Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-27T13:30:51", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://open-xchange.com" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://seclists.org/fulldisclosure/2022/Jul/11" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23101", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://open-xchange.com", + "refsource": "MISC", + "url": "https://open-xchange.com" + }, + { + "name": "https://seclists.org/fulldisclosure/2022/Jul/11", + "refsource": "CONFIRM", + "url": "https://seclists.org/fulldisclosure/2022/Jul/11" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:25.621Z" + }, + "references": [ + { + "name": "Test (7318/24750) [3568/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23101" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23101", + "datePublished": "2022-07-27T13:30:51", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:25.621Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "SINEMA Remote Connect Server", + "vendor": "Siemens", + "versions": [ + { + "status": "affected", + "version": "All versions < V2.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Affected products contain an open redirect vulnerability. An attacker could trick a valid authenticated user to the device into clicking a malicious link there by leading to phishing attacks." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-601", + "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-11T17:06:16", + "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", + "shortName": "siemens" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-654775.pdf" + }, + { + "name": "20220210 SEC Consult SA-20220209 :: Open Redirect in Login Page in SIEMENS-SINEMA Remote Connect", + "tags": [ + "mailing-list", + "x_refsource_FULLDISC" + ], + "url": "http://seclists.org/fulldisclosure/2022/Feb/20" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/165966/SIEMENS-SINEMA-Remote-Connect-1.0-SP3-HF1-Open-Redirection.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "productcert@siemens.com", + "ID": "CVE-2022-23102", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SINEMA Remote Connect Server", + "version": { + "version_data": [ + { + "version_value": "All versions < V2.0" + } + ] + } + } + ] + }, + "vendor_name": "Siemens" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Affected products contain an open redirect vulnerability. An attacker could trick a valid authenticated user to the device into clicking a malicious link there by leading to phishing attacks." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-654775.pdf", + "refsource": "MISC", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-654775.pdf" + }, + { + "name": "20220210 SEC Consult SA-20220209 :: Open Redirect in Login Page in SIEMENS-SINEMA Remote Connect", + "refsource": "FULLDISC", + "url": "http://seclists.org/fulldisclosure/2022/Feb/20" + }, + { + "name": "http://packetstormsecurity.com/files/165966/SIEMENS-SINEMA-Remote-Connect-1.0-SP3-HF1-Open-Redirection.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/165966/SIEMENS-SINEMA-Remote-Connect-1.0-SP3-HF1-Open-Redirection.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:25.916Z" + }, + "references": [ + { + "name": "Test (7319/24750) [3569/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23102" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", + "assignerShortName": "siemens", + "cveId": "CVE-2022-23102", + "datePublished": "2022-02-09T15:17:29", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:25.916Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "LinkHub Mesh Wifi", + "vendor": "TCL", + "versions": [ + { + "status": "affected", + "version": "MS1G_00_01.00_14" + } + ] + } + ], + "datePublic": "2022-08-01T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "A stack-based buffer overflow vulnerability exists in the confsrv confctl_set_app_language functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability." + } + ], + "metrics": [ + { + "cvssV3_0": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.0" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-121", + "description": "CWE-121: Stack-based Buffer Overflow", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-05T21:12:03", + "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", + "shortName": "talos" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1462" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "talos-cna@cisco.com", + "DATE_PUBLIC": "2022-08-01", + "ID": "CVE-2022-23103", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "LinkHub Mesh Wifi", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "MS1G_00_01.00_14" + } + ] + } + } + ] + }, + "vendor_name": "TCL" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A stack-based buffer overflow vulnerability exists in the confsrv confctl_set_app_language functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability." + } + ] + }, + "impact": { + "cvss": { + "baseScore": 8.8, + "baseSeverity": "High", + "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-121: Stack-based Buffer Overflow" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1462", + "refsource": "MISC", + "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1462" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:26.298Z" + }, + "references": [ + { + "name": "Test (7320/24750) [3570/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23103" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", + "assignerShortName": "talos", + "cveId": "CVE-2022-23103", + "datePublished": "2022-08-01T00:00:00", + "dateReserved": "2022-01-26T00:00:00", + "dateUpdated": "2024-06-03T14:57:26.298Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "WIN-911", + "vendor": "WIN-911", + "versions": [ + { + "status": "affected", + "version": "2021 R1 5.21.10" + }, + { + "status": "affected", + "version": "2021 R2 5.21.17" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Noam Moshe of Claroty reported these vulnerabilities to CISA." + } + ], + "datePublic": "2022-02-22T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "WIN-911 2021 R1 and R2 are vulnerable to a permissions misconfiguration that may allow an attacker to locally write files to the program Operator Workspace directory, which holds DLL files and executables. A low-privilege attacker could write a malicious DLL file to the Operator Workspace directory to achieve privilege escalation and the permissions of the user running the program." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-276", + "description": "CWE-276 Incorrect Default Permissions", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-24T18:26:59", + "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", + "shortName": "icscert" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-03" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://supportdesk.win911.com/support/solutions/articles/24000074683-win-911-2021-r1-r2-file-permission-vulnerability" + } + ], + "solutions": [ + { + "lang": "en", + "value": "WIN-911 has released a hotfix that removes write access for the user’s group on the affected directory subfolders. For the hotfix and more information." + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "WIN-911 2021 Incorrect Default Permissions", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2022-02-22T23:35:00.000Z", + "ID": "CVE-2022-23104", + "STATE": "PUBLIC", + "TITLE": "WIN-911 2021 Incorrect Default Permissions" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "WIN-911", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_name": "2021 R1", + "version_value": "5.21.10" + }, + { + "version_affected": "=", + "version_name": "2021 R2", + "version_value": "5.21.17" + } + ] + } + } + ] + }, + "vendor_name": "WIN-911" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Noam Moshe of Claroty reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "WIN-911 2021 R1 and R2 are vulnerable to a permissions misconfiguration that may allow an attacker to locally write files to the program Operator Workspace directory, which holds DLL files and executables. A low-privilege attacker could write a malicious DLL file to the Operator Workspace directory to achieve privilege escalation and the permissions of the user running the program." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-276 Incorrect Default Permissions" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-03", + "refsource": "CONFIRM", + "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-03" + }, + { + "name": "https://supportdesk.win911.com/support/solutions/articles/24000074683-win-911-2021-r1-r2-file-permission-vulnerability", + "refsource": "CONFIRM", + "url": "https://supportdesk.win911.com/support/solutions/articles/24000074683-win-911-2021-r1-r2-file-permission-vulnerability" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "WIN-911 has released a hotfix that removes write access for the user’s group on the affected directory subfolders. For the hotfix and more information." + } + ], + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:26.647Z" + }, + "references": [ + { + "name": "Test (7321/24750) [3571/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23104" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", + "assignerShortName": "icscert", + "cveId": "CVE-2022-23104", + "datePublished": "2022-02-22T00:00:00", + "dateReserved": "2022-02-10T00:00:00", + "dateUpdated": "2024-06-03T14:57:26.647Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Active Directory Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "2.25", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "status": "unaffected", + "version": "2.23.1" + }, + { + "status": "unaffected", + "version": "2.24.1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:11.581Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1389" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23105", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins Active Directory Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "2.25" + }, + { + "version_affected": "!", + "version_value": "2.23.1" + }, + { + "version_affected": "!", + "version_value": "2.24.1" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-319: Cleartext Transmission of Sensitive Information" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1389", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1389" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:26.944Z" + }, + "references": [ + { + "name": "Test (7322/24750) [3572/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23105" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23105", + "datePublished": "2022-01-12T19:06:02", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:26.944Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23106", + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "dateUpdated": "2024-06-03T14:57:27.256Z", + "dateReserved": "2022-01-11T00:00:00", + "datePublished": "2022-01-12T00:00:00" + }, + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Configuration as Code Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "status": "unaffected", + "version": "1.47.1" + }, + { + "status": "unaffected", + "version": "1.53.1" + }, + { + "status": "unaffected", + "version": "1.54.1" + }, + { + "lessThanOrEqual": "1.55", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:12.729Z" + }, + "references": [ + { + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2141" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:27.256Z" + }, + "references": [ + { + "name": "Test (7323/24750) [3573/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23106" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Warnings Next Generation Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "9.10.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "status": "unaffected", + "version": "9.0.2" + }, + { + "status": "unaffected", + "version": "9.5.2" + }, + { + "status": "unaffected", + "version": "9.7.1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring custom ID, allowing attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:13.872Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2090" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23107", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins Warnings Next Generation Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "9.10.2" + }, + { + "version_affected": "!", + "version_value": "9.0.2" + }, + { + "version_affected": "!", + "version_value": "9.5.2" + }, + { + "version_affected": "!", + "version_value": "9.7.1" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring custom ID, allowing attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2090", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2090" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:27.561Z" + }, + "references": [ + { + "name": "Test (7324/24750) [3574/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23107" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23107", + "datePublished": "2022-01-12T19:06:06", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:27.561Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Badge Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "1.9", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:15.046Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2547" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23108", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins Badge Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.9" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2547", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2547" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:28.190Z" + }, + "references": [ + { + "name": "Test (7325/24750) [3575/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23108" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23108", + "datePublished": "2022-01-12T19:06:08", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:28.190Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins HashiCorp Vault Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "3.7.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:16.175Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2213" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23109", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins HashiCorp Vault Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "3.7.0" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-668: Exposure of Resource to Wrong Sphere" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2213", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2213" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:28.859Z" + }, + "references": [ + { + "name": "Test (7326/24750) [3576/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23109" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23109", + "datePublished": "2022-01-12T19:06:09", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:28.859Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Publish Over SSH Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "1.22", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThan": "unspecified", + "status": "unknown", + "version": "next of 1.22", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:17.316Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2287" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23110", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins Publish Over SSH Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.22" + }, + { + "version_affected": "?>", + "version_value": "1.22" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2287", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2287" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:29.330Z" + }, + "references": [ + { + "name": "Test (7327/24750) [3577/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23110" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23110", + "datePublished": "2022-01-12T19:06:11", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:29.330Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Publish Over SSH Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "1.22", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThan": "unspecified", + "status": "unknown", + "version": "next of 1.22", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:18.462Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2290" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23111", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins Publish Over SSH Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.22" + }, + { + "version_affected": "?>", + "version_value": "1.22" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352: Cross-Site Request Forgery (CSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2290", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2290" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:29.632Z" + }, + "references": [ + { + "name": "Test (7328/24750) [3578/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23111" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23111", + "datePublished": "2022-01-12T19:06:13", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:29.632Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Publish Over SSH Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "1.22", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThan": "unspecified", + "status": "unknown", + "version": "next of 1.22", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:19.715Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2290" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23112", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins Publish Over SSH Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.22" + }, + { + "version_affected": "?>", + "version_value": "1.22" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2290", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2290" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:29.932Z" + }, + "references": [ + { + "name": "Test (7329/24750) [3579/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23112" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23112", + "datePublished": "2022-01-12T19:06:15", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:29.932Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Publish Over SSH Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "1.22", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThan": "unspecified", + "status": "unknown", + "version": "next of 1.22", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:20.894Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2307" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23113", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins Publish Over SSH Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.22" + }, + { + "version_affected": "?>", + "version_value": "1.22" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2307", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2307" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:30.244Z" + }, + "references": [ + { + "name": "Test (7330/24750) [3580/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23113" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23113", + "datePublished": "2022-01-12T19:06:17", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:30.244Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Publish Over SSH Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "1.22", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThan": "unspecified", + "status": "unknown", + "version": "next of 1.22", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:22.156Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2291" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23114", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins Publish Over SSH Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.22" + }, + { + "version_affected": "?>", + "version_value": "1.22" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-256: Plaintext Storage of a Password" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2291", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2291" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:30.559Z" + }, + "references": [ + { + "name": "Test (7331/24750) [3581/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23114" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23114", + "datePublished": "2022-01-12T19:06:19", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:30.559Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins batch task Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "1.19", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThan": "unspecified", + "status": "unknown", + "version": "next of 1.19", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allows attackers with Overall/Read access to retrieve logs, build or delete a batch task." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:23.359Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1025" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23115", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins batch task Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.19" + }, + { + "version_affected": "?>", + "version_value": "1.19" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allows attackers with Overall/Read access to retrieve logs, build or delete a batch task." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352: Cross-Site Request Forgery (CSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1025", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1025" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:30.861Z" + }, + "references": [ + { + "name": "Test (7332/24750) [3582/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23115" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23115", + "datePublished": "2022-01-12T19:06:21", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:30.861Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Conjur Secrets Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "1.0.9", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThan": "unspecified", + "status": "unknown", + "version": "next of 1.0.9", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:24.585Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20%281%29" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23116", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins Conjur Secrets Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.0.9" + }, + { + "version_affected": "?>", + "version_value": "1.0.9" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20(1)", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20(1)" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:31.174Z" + }, + "references": [ + { + "name": "Test (7333/24750) [3583/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23116" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23116", + "datePublished": "2022-01-12T19:06:23", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:31.174Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Conjur Secrets Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "1.0.9", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThan": "unspecified", + "status": "unknown", + "version": "next of 1.0.9", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:25.878Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20%282%29" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23117", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins Conjur Secrets Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.0.9" + }, + { + "version_affected": "?>", + "version_value": "1.0.9" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20(2)", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20(2)" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:31.508Z" + }, + "references": [ + { + "name": "Test (7334/24750) [3584/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23117" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23117", + "datePublished": "2022-01-12T19:06:25", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:31.508Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jenkins Debian Package Builder Plugin", + "vendor": "Jenkins project", + "versions": [ + { + "lessThanOrEqual": "1.6.11", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThan": "unspecified", + "status": "unknown", + "version": "next of 1.6.11", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller." + } + ], + "providerMetadata": { + "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "shortName": "jenkins", + "dateUpdated": "2023-10-24T14:19:27.153Z" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2546" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "jenkinsci-cert@googlegroups.com", + "ID": "CVE-2022-23118", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jenkins Debian Package Builder Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.6.11" + }, + { + "version_affected": "?>", + "version_value": "1.6.11" + } + ] + } + } + ] + }, + "vendor_name": "Jenkins project" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2546", + "refsource": "CONFIRM", + "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2546" + }, + { + "name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:31.822Z" + }, + "references": [ + { + "name": "Test (7335/24750) [3585/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23118" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", + "assignerShortName": "jenkins", + "cveId": "CVE-2022-23118", + "datePublished": "2022-01-12T19:06:27", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:31.822Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Trend Micro Deep Security Agent for Linux", + "vendor": "Trend Micro", + "versions": [ + { + "status": "affected", + "version": "20, 12, 11, 10" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A directory traversal vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to read arbitrary files from the file system. Please note: an attacker must first obtain compromised access to the target Deep Security Manager (DSM) or the target agent must be not yet activated or configured in order to exploit this vulnerability." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Directory Traversal", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T18:11:17", + "orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", + "shortName": "trendmicro" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://success.trendmicro.com/solution/000290104" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.modzero.com/advisories/MZ-21-02-Trendmicro.txt" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@trendmicro.com", + "ID": "CVE-2022-23119", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Trend Micro Deep Security Agent for Linux", + "version": { + "version_data": [ + { + "version_value": "20, 12, 11, 10" + } + ] + } + } + ] + }, + "vendor_name": "Trend Micro" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A directory traversal vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to read arbitrary files from the file system. Please note: an attacker must first obtain compromised access to the target Deep Security Manager (DSM) or the target agent must be not yet activated or configured in order to exploit this vulnerability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Directory Traversal" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://success.trendmicro.com/solution/000290104", + "refsource": "MISC", + "url": "https://success.trendmicro.com/solution/000290104" + }, + { + "name": "https://www.modzero.com/advisories/MZ-21-02-Trendmicro.txt", + "refsource": "MISC", + "url": "https://www.modzero.com/advisories/MZ-21-02-Trendmicro.txt" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:32.124Z" + }, + "references": [ + { + "name": "Test (7336/24750) [3586/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23119" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", + "assignerShortName": "trendmicro", + "cveId": "CVE-2022-23119", + "datePublished": "2022-01-20T18:11:17", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:32.124Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Trend Micro Deep Security Agent for Linux", + "vendor": "Trend Micro", + "versions": [ + { + "status": "affected", + "version": "20, 12, 11, 10" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A code injection vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to escalate privileges and run arbitrary code in the context of root. Please note: an attacker must first obtain access to the target agent in an un-activated and unconfigured state in order to exploit this vulnerability." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Code Injection LPE", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T18:11:18", + "orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", + "shortName": "trendmicro" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://success.trendmicro.com/solution/000290104" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.modzero.com/advisories/MZ-21-02-Trendmicro.txt" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@trendmicro.com", + "ID": "CVE-2022-23120", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Trend Micro Deep Security Agent for Linux", + "version": { + "version_data": [ + { + "version_value": "20, 12, 11, 10" + } + ] + } + } + ] + }, + "vendor_name": "Trend Micro" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A code injection vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to escalate privileges and run arbitrary code in the context of root. Please note: an attacker must first obtain access to the target agent in an un-activated and unconfigured state in order to exploit this vulnerability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Code Injection LPE" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://success.trendmicro.com/solution/000290104", + "refsource": "MISC", + "url": "https://success.trendmicro.com/solution/000290104" + }, + { + "name": "https://www.modzero.com/advisories/MZ-21-02-Trendmicro.txt", + "refsource": "MISC", + "url": "https://www.modzero.com/advisories/MZ-21-02-Trendmicro.txt" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:32.456Z" + }, + "references": [ + { + "name": "Test (7337/24750) [3587/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23120" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", + "assignerShortName": "trendmicro", + "cveId": "CVE-2022-23120", + "datePublished": "2022-01-20T18:11:18", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:32.456Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23121", + "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", + "assignerShortName": "zdi", + "dateUpdated": "2024-06-03T14:57:32.763Z", + "dateReserved": "2022-01-11T00:00:00", + "datePublished": "2023-03-28T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", + "shortName": "zdi", + "dateUpdated": "2023-11-01T16:06:24.449286" + }, + "descriptions": [ + { + "lang": "en", + "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15819." + } + ], + "affected": [ + { + "vendor": "Netatalk", + "product": "Netatalk", + "versions": [ + { + "version": "3.1.12", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html" + }, + { + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-527/" + }, + { + "name": "[debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html" + }, + { + "name": "[debian-lts-announce] 20230601 [SECURITY] [DLA 3426-2] netatalk regression update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00000.html" + }, + { + "name": "DSA-5503", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2023/dsa-5503" + }, + { + "name": "GLSA-202311-02", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202311-02" + } + ], + "credits": [ + { + "lang": "en", + "value": "NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) " + } + ], + "metrics": [ + { + "cvssV3_0": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-755: Improper Handling of Exceptional Conditions", + "cweId": "CWE-755" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:32.763Z" + }, + "references": [ + { + "name": "Test (7338/24750) [3588/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23121" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23122", + "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", + "assignerShortName": "zdi", + "dateUpdated": "2024-06-03T14:57:33.075Z", + "dateReserved": "2022-01-11T00:00:00", + "datePublished": "2023-03-28T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", + "shortName": "zdi", + "dateUpdated": "2023-11-01T16:06:16.491962" + }, + "descriptions": [ + { + "lang": "en", + "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15837." + } + ], + "affected": [ + { + "vendor": "Netatalk", + "product": "Netatalk", + "versions": [ + { + "version": "3.1.12", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html" + }, + { + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-529/" + }, + { + "name": "[debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html" + }, + { + "name": "DSA-5503", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2023/dsa-5503" + }, + { + "name": "GLSA-202311-02", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202311-02" + } + ], + "credits": [ + { + "lang": "en", + "value": "Orange Tsai (@orange_8361) from DEVCORE Research Team" + } + ], + "metrics": [ + { + "cvssV3_0": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-121: Stack-based Buffer Overflow", + "cweId": "CWE-121" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:33.075Z" + }, + "references": [ + { + "name": "Test (7339/24750) [3589/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23122" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23123", + "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", + "assignerShortName": "zdi", + "dateUpdated": "2024-06-03T14:57:33.420Z", + "dateReserved": "2022-01-11T00:00:00", + "datePublished": "2023-03-28T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", + "shortName": "zdi", + "dateUpdated": "2023-11-01T16:06:26.028841" + }, + "descriptions": [ + { + "lang": "en", + "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getdirparams method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15830." + } + ], + "affected": [ + { + "vendor": "Netatalk", + "product": "Netatalk", + "versions": [ + { + "version": "3.1.12", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html" + }, + { + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-528/" + }, + { + "name": "[debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html" + }, + { + "name": "[debian-lts-announce] 20230813 [SECURITY] [DLA 3426-3] netatalk regression update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00016.html" + }, + { + "name": "DSA-5503", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2023/dsa-5503" + }, + { + "name": "GLSA-202311-02", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202311-02" + } + ], + "credits": [ + { + "lang": "en", + "value": "Orange Tsai (@orange_8361) from DEVCORE Research Team" + } + ], + "metrics": [ + { + "cvssV3_0": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 5.3, + "baseSeverity": "MEDIUM" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-125: Out-of-bounds Read", + "cweId": "CWE-125" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:33.420Z" + }, + "references": [ + { + "name": "Test (7340/24750) [3590/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23123" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23124", + "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", + "assignerShortName": "zdi", + "dateUpdated": "2024-06-03T14:57:33.719Z", + "dateReserved": "2022-01-11T00:00:00", + "datePublished": "2023-03-28T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", + "shortName": "zdi", + "dateUpdated": "2023-11-01T16:06:18.022769" + }, + "descriptions": [ + { + "lang": "en", + "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the get_finderinfo method. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15870." + } + ], + "affected": [ + { + "vendor": "Netatalk", + "product": "Netatalk", + "versions": [ + { + "version": "3.1.12", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html" + }, + { + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-525/" + }, + { + "name": "[debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html" + }, + { + "name": "DSA-5503", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2023/dsa-5503" + }, + { + "name": "GLSA-202311-02", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202311-02" + } + ], + "credits": [ + { + "lang": "en", + "value": "Theori (@theori_io)" + } + ], + "metrics": [ + { + "cvssV3_0": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseScore": 5.3, + "baseSeverity": "MEDIUM" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-125: Out-of-bounds Read", + "cweId": "CWE-125" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:33.719Z" + }, + "references": [ + { + "name": "Test (7341/24750) [3591/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23124" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23125", + "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", + "assignerShortName": "zdi", + "dateUpdated": "2024-06-03T14:57:34.028Z", + "dateReserved": "2022-01-11T00:00:00", + "datePublished": "2023-03-28T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", + "shortName": "zdi", + "dateUpdated": "2023-11-01T16:06:22.856318" + }, + "descriptions": [ + { + "lang": "en", + "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869." + } + ], + "affected": [ + { + "vendor": "Netatalk", + "product": "Netatalk", + "versions": [ + { + "version": "5.18.117", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html" + }, + { + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-526/" + }, + { + "name": "[debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html" + }, + { + "name": "DSA-5503", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2023/dsa-5503" + }, + { + "name": "GLSA-202311-02", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202311-02" + } + ], + "credits": [ + { + "lang": "en", + "value": "Theori (@theori_io)" + } + ], + "metrics": [ + { + "cvssV3_0": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-121: Stack-based Buffer Overflow", + "cweId": "CWE-121" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:34.028Z" + }, + "references": [ + { + "name": "Test (7342/24750) [3592/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23125" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "TeslaMate before 1.25.1 (when using the default Docker configuration) allows attackers to open doors of Tesla vehicles, start Keyless Driving, and interfere with vehicle operation en route. This occurs because an attacker can leverage Grafana login access to obtain a token for Tesla API calls." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-24T18:07:18", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/adriankumpf/teslamate/commit/fff6915e7364f83b3030f980d5743299c4e5260d" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://twitter.com/teslascope/status/1481252837174624258" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/adriankumpf/teslamate/compare/v1.25.0...v1.25.1" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/adriankumpf/teslamate/releases/tag/v1.25.1" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://medium.com/%40david_colombo/how-i-got-access-to-25-teslas-around-the-world-by-accident-and-curiosity-8b9ef040a028" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23126", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "TeslaMate before 1.25.1 (when using the default Docker configuration) allows attackers to open doors of Tesla vehicles, start Keyless Driving, and interfere with vehicle operation en route. This occurs because an attacker can leverage Grafana login access to obtain a token for Tesla API calls." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/adriankumpf/teslamate/commit/fff6915e7364f83b3030f980d5743299c4e5260d", + "refsource": "MISC", + "url": "https://github.com/adriankumpf/teslamate/commit/fff6915e7364f83b3030f980d5743299c4e5260d" + }, + { + "name": "https://twitter.com/teslascope/status/1481252837174624258", + "refsource": "MISC", + "url": "https://twitter.com/teslascope/status/1481252837174624258" + }, + { + "name": "https://github.com/adriankumpf/teslamate/compare/v1.25.0...v1.25.1", + "refsource": "MISC", + "url": "https://github.com/adriankumpf/teslamate/compare/v1.25.0...v1.25.1" + }, + { + "name": "https://github.com/adriankumpf/teslamate/releases/tag/v1.25.1", + "refsource": "CONFIRM", + "url": "https://github.com/adriankumpf/teslamate/releases/tag/v1.25.1" + }, + { + "name": "https://medium.com/@david_colombo/how-i-got-access-to-25-teslas-around-the-world-by-accident-and-curiosity-8b9ef040a028", + "refsource": "MISC", + "url": "https://medium.com/@david_colombo/how-i-got-access-to-25-teslas-around-the-world-by-accident-and-curiosity-8b9ef040a028" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:34.363Z" + }, + "references": [ + { + "name": "Test (7343/24750) [3593/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23126" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23126", + "datePublished": "2022-01-24T18:07:18", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:34.363Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Mitsubishi Electric MC Works64; ICONICS MobileHMI", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior" + }, + { + "status": "affected", + "version": "ICONICS MobileHMI versions 10.96.2 and prior" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Cross-site Scripting", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-21T18:17:32", + "orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", + "shortName": "Mitsubishi" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://jvn.jp/vu/JVNVU95403720/index.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", + "ID": "CVE-2022-23127", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Mitsubishi Electric MC Works64; ICONICS MobileHMI", + "version": { + "version_data": [ + { + "version_value": "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior" + }, + { + "version_value": "ICONICS MobileHMI versions 10.96.2 and prior" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS MobileHMI versions 10.96.2 and prior allows a remote unauthenticated attacker to gain authentication information of an MC Works64 or MobileHMI and perform any operation using the acquired authentication information, by injecting a malicious script in the URL of a monitoring screen delivered from the MC Works64 server or MobileHMI server to an application for mobile devices and leading a legitimate user to access this URL." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-site Scripting" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://jvn.jp/vu/JVNVU95403720/index.html", + "refsource": "MISC", + "url": "https://jvn.jp/vu/JVNVU95403720/index.html" + }, + { + "name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf", + "refsource": "MISC", + "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-025_en.pdf" + }, + { + "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", + "refsource": "MISC", + "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:34.677Z" + }, + "references": [ + { + "name": "Test (7344/24750) [3594/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23127" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", + "assignerShortName": "Mitsubishi", + "cveId": "CVE-2022-23127", + "datePublished": "2022-01-21T18:17:32", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:34.677Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Mitsubishi Electric MC Works64; ICONICS GENESIS64; ICONICS Hyper Historian; ICONICS AnalytiX; ICONICS MobileHMI", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01)" + }, + { + "status": "affected", + "version": "ICONICS GENESIS64 versions 10.95.3 to 10.97" + }, + { + "status": "affected", + "version": "ICONICS Hyper Historian versions 10.95.3 to 10.97" + }, + { + "status": "affected", + "version": "ICONICS AnalytiX versions 10.95.3 to 10.97" + }, + { + "status": "affected", + "version": "ICONICS MobileHMI versions 10.95.3 to 10.97" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Incomplete List of Disallowed Inputs", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-21T18:17:33", + "orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", + "shortName": "Mitsubishi" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://jvn.jp/vu/JVNVU95403720/index.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", + "ID": "CVE-2022-23128", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Mitsubishi Electric MC Works64; ICONICS GENESIS64; ICONICS Hyper Historian; ICONICS AnalytiX; ICONICS MobileHMI", + "version": { + "version_data": [ + { + "version_value": "Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01)" + }, + { + "version_value": "ICONICS GENESIS64 versions 10.95.3 to 10.97" + }, + { + "version_value": "ICONICS Hyper Historian versions 10.95.3 to 10.97" + }, + { + "version_value": "ICONICS AnalytiX versions 10.95.3 to 10.97" + }, + { + "version_value": "ICONICS MobileHMI versions 10.95.3 to 10.97" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Incomplete List of Disallowed Inputs" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://jvn.jp/vu/JVNVU95403720/index.html", + "refsource": "MISC", + "url": "https://jvn.jp/vu/JVNVU95403720/index.html" + }, + { + "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01", + "refsource": "MISC", + "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01" + }, + { + "name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf", + "refsource": "MISC", + "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:34.994Z" + }, + "references": [ + { + "name": "Test (7345/24750) [3595/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23128" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", + "assignerShortName": "Mitsubishi", + "cveId": "CVE-2022-23128", + "datePublished": "2022-01-21T18:17:33", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:34.994Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Mitsubishi Electric MC Works64; ICONICS GENESIS64", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior" + }, + { + "status": "affected", + "version": "ICONICS GENESIS64 versions 10.90 to 10.97" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Plaintext Storage of a Password", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-21T18:17:31", + "orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", + "shortName": "Mitsubishi" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://jvn.jp/vu/JVNVU95403720/index.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", + "ID": "CVE-2022-23129", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Mitsubishi Electric MC Works64; ICONICS GENESIS64", + "version": { + "version_data": [ + { + "version_value": "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior" + }, + { + "version_value": "ICONICS GENESIS64 versions 10.90 to 10.97" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Plaintext Storage of a Password" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://jvn.jp/vu/JVNVU95403720/index.html", + "refsource": "MISC", + "url": "https://jvn.jp/vu/JVNVU95403720/index.html" + }, + { + "name": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01", + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01" + }, + { + "name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf", + "refsource": "MISC", + "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:35.328Z" + }, + "references": [ + { + "name": "Test (7346/24750) [3596/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23129" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", + "assignerShortName": "Mitsubishi", + "cveId": "CVE-2022-23129", + "datePublished": "2022-01-21T18:17:31", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:35.328Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Mitsubishi Electric MC Works64; ICONICS GENESIS64; ICONICS Hyper Historian", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01)" + }, + { + "status": "affected", + "version": "ICONICS GENESIS64 versions 10.97 and prior" + }, + { + "status": "affected", + "version": "ICONICS Hyper Historian versions 10.97 and prior" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Buffer Over-read vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.97 and prior and ICONICS Hyper Historian versions 10.97 and prior allows an attacker to cause a DoS condition in the database server by getting a legitimate user to import a configuration file containing specially crafted stored procedures into GENESIS64 or MC Works64 and execute commands against the database from GENESIS64 or MC Works64." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Buffer Over-read", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-21T18:17:30", + "orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", + "shortName": "Mitsubishi" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-028_en.pdf" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://jvn.jp/vu/JVNVU95403720/index.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", + "ID": "CVE-2022-23130", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Mitsubishi Electric MC Works64; ICONICS GENESIS64; ICONICS Hyper Historian", + "version": { + "version_data": [ + { + "version_value": "Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01)" + }, + { + "version_value": "ICONICS GENESIS64 versions 10.97 and prior" + }, + { + "version_value": "ICONICS Hyper Historian versions 10.97 and prior" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Buffer Over-read vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.97 and prior and ICONICS Hyper Historian versions 10.97 and prior allows an attacker to cause a DoS condition in the database server by getting a legitimate user to import a configuration file containing specially crafted stored procedures into GENESIS64 or MC Works64 and execute commands against the database from GENESIS64 or MC Works64." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Buffer Over-read" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-028_en.pdf", + "refsource": "MISC", + "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-028_en.pdf" + }, + { + "name": "https://jvn.jp/vu/JVNVU95403720/index.html", + "refsource": "MISC", + "url": "https://jvn.jp/vu/JVNVU95403720/index.html" + }, + { + "name": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01", + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:35.632Z" + }, + "references": [ + { + "name": "Test (7347/24750) [3597/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23130" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", + "assignerShortName": "Mitsubishi", + "cveId": "CVE-2022-23130", + "datePublished": "2022-01-21T18:17:30", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:35.632Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Frontend", + "vendor": "Zabbix", + "versions": [ + { + "status": "affected", + "version": "5.4.0 - 5.4.8" + }, + { + "lessThan": "5.4.9*", + "status": "unaffected", + "version": "5.4.9", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us" + } + ], + "datePublic": "2021-11-22T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default)." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 9.1, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-290", + "description": "CWE-290 Authentication Bypass by Spoofing", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-13T15:50:39", + "orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", + "shortName": "Zabbix" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zabbix.com/browse/ZBX-20350" + } + ], + "solutions": [ + { + "lang": "en", + "value": "To remediate this vulnerability, install the updates or if an immediate update is not possible, follow the presented workarounds." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML", + "workarounds": [ + { + "lang": "en", + "value": "Disable SAML authentication" + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@zabbix.com", + "DATE_PUBLIC": "2021-11-22T14:03:00.000Z", + "ID": "CVE-2022-23131", + "STATE": "PUBLIC", + "TITLE": "Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Frontend", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_name": "5.4.0 - 5.4.8", + "version_value": "5.4.0 - 5.4.8" + }, + { + "version_affected": "!>=", + "version_name": "5.4.9", + "version_value": "5.4.9" + } + ] + } + } + ] + }, + "vendor_name": "Zabbix" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default)." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 9.1, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-290 Authentication Bypass by Spoofing" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zabbix.com/browse/ZBX-20350", + "refsource": "MISC", + "url": "https://support.zabbix.com/browse/ZBX-20350" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "To remediate this vulnerability, install the updates or if an immediate update is not possible, follow the presented workarounds." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "work_around": [ + { + "lang": "en", + "value": "Disable SAML authentication" + } + ] + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-02-22", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2022-02-22T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-23131 added to KEV" + }, + { + "time": "2022-02-22T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-23131 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:37:06.105Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:35.941Z" + }, + "references": [ + { + "name": "Test (7348/24750) [3598/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23131" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", + "assignerShortName": "Zabbix", + "cveId": "CVE-2022-23131", + "datePublished": "2021-11-22T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:35.941Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Proxy, Server", + "vendor": "Zabbix", + "versions": [ + { + "status": "affected", + "version": "4.0.0 - 4.0.36" + }, + { + "status": "affected", + "version": "5.0.0 – 5.0.18" + }, + { + "status": "affected", + "version": "5.4.0 – 5.4.8" + }, + { + "lessThan": "5.0.19*", + "status": "unaffected", + "version": "5.0.19", + "versionType": "custom" + }, + { + "lessThan": "5.4.9*", + "status": "unaffected", + "version": "5.4.9", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Zabbix wants to thank Brian J. Murrell for reporting this issue to us" + } + ], + "datePublic": "2021-12-01T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level" + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 3.3, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-284", + "description": "CWE-284 Improper Access Control", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-23T03:06:29", + "orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", + "shortName": "Zabbix" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zabbix.com/browse/ZBX-20341" + }, + { + "name": "FEDORA-2022-dfe346f53f", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/" + }, + { + "name": "FEDORA-2022-1a667b0f90", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/" + } + ], + "solutions": [ + { + "lang": "en", + "value": "To remediate this vulnerability, apply the updates." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Incorrect permissions of [/var/run/zabbix] forces dac_override", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@zabbix.com", + "DATE_PUBLIC": "2021-12-01T16:09:00.000Z", + "ID": "CVE-2022-23132", + "STATE": "PUBLIC", + "TITLE": "Incorrect permissions of [/var/run/zabbix] forces dac_override" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Proxy, Server", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_name": "4.0.0 - 4.0.36", + "version_value": "4.0.0 - 4.0.36" + }, + { + "version_affected": "=", + "version_name": "5.0.0 – 5.0.18", + "version_value": "5.0.0 – 5.0.18" + }, + { + "version_affected": "=", + "version_name": "5.4.0 – 5.4.8", + "version_value": "5.4.0 – 5.4.8" + }, + { + "version_affected": "!>=", + "version_name": "5.0.19", + "version_value": "5.0.19" + }, + { + "version_affected": "!>=", + "version_name": "5.4.9", + "version_value": "5.4.9" + } + ] + } + } + ] + }, + "vendor_name": "Zabbix" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Zabbix wants to thank Brian J. Murrell for reporting this issue to us" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 3.3, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-284 Improper Access Control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zabbix.com/browse/ZBX-20341", + "refsource": "MISC", + "url": "https://support.zabbix.com/browse/ZBX-20341" + }, + { + "name": "FEDORA-2022-dfe346f53f", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/" + }, + { + "name": "FEDORA-2022-1a667b0f90", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "To remediate this vulnerability, apply the updates." + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:36.335Z" + }, + "references": [ + { + "name": "Test (7349/24750) [3599/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23132" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", + "assignerShortName": "Zabbix", + "cveId": "CVE-2022-23132", + "datePublished": "2021-12-01T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:36.335Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Frontend", + "vendor": "Zabbix", + "versions": [ + { + "status": "affected", + "version": "5.0.0 – 5.0.18" + }, + { + "status": "affected", + "version": "5.4.0 – 5.4.8" + }, + { + "lessThan": "5.0.19*", + "status": "unaffected", + "version": "5.0.19", + "versionType": "custom" + }, + { + "lessThan": "5.4.9*", + "status": "unaffected", + "version": "5.4.9", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Zabbix wants to thank Hazem Osama for reporting this issue to us" + } + ], + "datePublic": "2021-12-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 6.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Cross-site Scripting (XSS)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-23T03:06:27", + "orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", + "shortName": "Zabbix" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zabbix.com/browse/ZBX-20388" + }, + { + "name": "FEDORA-2022-dfe346f53f", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/" + }, + { + "name": "FEDORA-2022-1a667b0f90", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/" + } + ], + "solutions": [ + { + "lang": "en", + "value": "To remediate this vulnerability, apply the updates." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Stored XSS in host groups configuration window in Zabbix Frontend", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@zabbix.com", + "DATE_PUBLIC": "2021-12-08T14:30:00.000Z", + "ID": "CVE-2022-23133", + "STATE": "PUBLIC", + "TITLE": "Stored XSS in host groups configuration window in Zabbix Frontend" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Frontend", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_name": "5.0.0 – 5.0.18", + "version_value": "5.0.0 – 5.0.18" + }, + { + "version_affected": "=", + "version_name": "5.4.0 – 5.4.8", + "version_value": "5.4.0 – 5.4.8" + }, + { + "version_affected": "!>=", + "version_name": "5.0.19", + "version_value": "5.0.19" + }, + { + "version_affected": "!>=", + "version_name": "5.4.9", + "version_value": "5.4.9" + } + ] + } + } + ] + }, + "vendor_name": "Zabbix" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Zabbix wants to thank Hazem Osama for reporting this issue to us" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 6.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zabbix.com/browse/ZBX-20388", + "refsource": "MISC", + "url": "https://support.zabbix.com/browse/ZBX-20388" + }, + { + "name": "FEDORA-2022-dfe346f53f", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/" + }, + { + "name": "FEDORA-2022-1a667b0f90", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "To remediate this vulnerability, apply the updates." + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:36.663Z" + }, + "references": [ + { + "name": "Test (7350/24750) [3600/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23133" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", + "assignerShortName": "Zabbix", + "cveId": "CVE-2022-23133", + "datePublished": "2021-12-08T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:36.663Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Frontend", + "vendor": "Zabbix", + "versions": [ + { + "status": "affected", + "version": "5.4.0 - 5.4.8" + }, + { + "lessThan": "5.4.9*", + "status": "unaffected", + "version": "5.4.9", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us" + } + ], + "datePublic": "2021-12-20T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.7, + "baseSeverity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-284", + "description": "CWE-284 Improper Access Control", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-07T23:06:09", + "orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", + "shortName": "Zabbix" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zabbix.com/browse/ZBX-20384" + }, + { + "name": "FEDORA-2022-dfe346f53f", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/" + }, + { + "name": "FEDORA-2022-1a667b0f90", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/" + }, + { + "name": "[debian-lts-announce] 20220207 [SECURITY] [DLA 2914-1] zabbix security update", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html" + } + ], + "solutions": [ + { + "lang": "en", + "value": "To remediate this vulnerability, apply the updates or if an immediate update is not possible, follow the presented workarounds." + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Possible view of the setup pages by unauthenticated users if config file already exists", + "workarounds": [ + { + "lang": "en", + "value": "If an immediate update is not possible, please remove the setup.php file" + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@zabbix.com", + "DATE_PUBLIC": "2021-12-20T09:53:00.000Z", + "ID": "CVE-2022-23134", + "STATE": "PUBLIC", + "TITLE": "Possible view of the setup pages by unauthenticated users if config file already exists" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Frontend", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_name": "5.4.0 - 5.4.8", + "version_value": "5.4.0 - 5.4.8" + }, + { + "version_affected": "!>=", + "version_name": "5.4.9", + "version_value": "5.4.9" + } + ] + } + } + ] + }, + "vendor_name": "Zabbix" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.7, + "baseSeverity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-284 Improper Access Control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zabbix.com/browse/ZBX-20384", + "refsource": "MISC", + "url": "https://support.zabbix.com/browse/ZBX-20384" + }, + { + "name": "FEDORA-2022-dfe346f53f", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/" + }, + { + "name": "FEDORA-2022-1a667b0f90", + "refsource": "FEDORA", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/" + }, + { + "name": "[debian-lts-announce] 20220207 [SECURITY] [DLA 2914-1] zabbix security update", + "refsource": "MLIST", + "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "To remediate this vulnerability, apply the updates or if an immediate update is not possible, follow the presented workarounds." + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "en", + "value": "If an immediate update is not possible, please remove the setup.php file" + } + ] + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-02-22", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2022-02-22T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-23134 added to KEV" + }, + { + "time": "2022-02-22T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-23134 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:37:06.389Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:36.998Z" + }, + "references": [ + { + "name": "Test (7351/24750) [3601/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23134" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", + "assignerShortName": "Zabbix", + "cveId": "CVE-2022-23134", + "datePublished": "2021-12-20T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:36.998Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ZXHN F677, ZXHN F477", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "All versions up to V9.0.0P1N28" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "There is a directory traversal vulnerability in some home gateway products of ZTE. Due to the lack of verification of user modified destination path, an attacker with specific permissions could modify the FTP access path to access and modify the system path contents without authorization, which will cause information leak and affect device operation." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "directory traversal", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-24T18:26:55", + "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "shortName": "zte" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1023444" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@zte.com.cn", + "ID": "CVE-2022-23135", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ZXHN F677, ZXHN F477", + "version": { + "version_data": [ + { + "version_value": "All versions up to V9.0.0P1N28" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is a directory traversal vulnerability in some home gateway products of ZTE. Due to the lack of verification of user modified destination path, an attacker with specific permissions could modify the FTP access path to access and modify the system path contents without authorization, which will cause information leak and affect device operation." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "directory traversal" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1023444", + "refsource": "MISC", + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1023444" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:37.335Z" + }, + "references": [ + { + "name": "Test (7352/24750) [3602/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23135" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "assignerShortName": "zte", + "cveId": "CVE-2022-23135", + "datePublished": "2022-02-24T18:26:55", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:37.335Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ZXHN F680", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "V6.0.10P3N20" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "There is a stored XSS vulnerability in ZTE home gateway product. An attacker could modify the gateway name by inserting special characters and trigger an XSS attack when the user views the current topology of the device through the management page." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "stored XSS", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-30T16:01:59", + "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "shortName": "zte" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024084" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@zte.com.cn", + "ID": "CVE-2022-23136", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ZXHN F680", + "version": { + "version_data": [ + { + "version_value": "V6.0.10P3N20" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is a stored XSS vulnerability in ZTE home gateway product. An attacker could modify the gateway name by inserting special characters and trigger an XSS attack when the user views the current topology of the device through the management page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "stored XSS" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024084", + "refsource": "MISC", + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024084" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:37.663Z" + }, + "references": [ + { + "name": "Test (7353/24750) [3603/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23136" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "assignerShortName": "zte", + "cveId": "CVE-2022-23136", + "datePublished": "2022-03-30T16:01:59", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:37.663Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ZXCDN", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "All versions up to ZXCDN-IAMV8.01.01.02" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "ZTE's ZXCDN product has a reflective XSS vulnerability. The attacker could modify the parameters in the content clearing request url, and when a user clicks the url, an XSS attack will be triggered." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "reflective XSS", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-11T15:11:29", + "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "shortName": "zte" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024404" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@zte.com.cn", + "ID": "CVE-2022-23137", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ZXCDN", + "version": { + "version_data": [ + { + "version_value": "All versions up to ZXCDN-IAMV8.01.01.02" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "ZTE's ZXCDN product has a reflective XSS vulnerability. The attacker could modify the parameters in the content clearing request url, and when a user clicks the url, an XSS attack will be triggered." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "reflective XSS" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024404", + "refsource": "MISC", + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024404" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:37.972Z" + }, + "references": [ + { + "name": "Test (7354/24750) [3604/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23137" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "assignerShortName": "zte", + "cveId": "CVE-2022-23137", + "datePublished": "2022-05-11T15:11:29", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:37.972Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "MF297D", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "MF297D_Nordic1_B05" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "ZTE's MF297D product has cryptographic issues vulnerability. Due to the use of weak random values, the security of the device is reduced, and it may face the risk of attack." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "cryptographic issues", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-09T14:34:36", + "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "shortName": "zte" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024624" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@zte.com.cn", + "ID": "CVE-2022-23138", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "MF297D", + "version": { + "version_data": [ + { + "version_value": "MF297D_Nordic1_B05" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "ZTE's MF297D product has cryptographic issues vulnerability. Due to the use of weak random values, the security of the device is reduced, and it may face the risk of attack." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "cryptographic issues" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024624", + "refsource": "MISC", + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024624" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:38.332Z" + }, + "references": [ + { + "name": "Test (7355/24750) [3605/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23138" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "assignerShortName": "zte", + "cveId": "CVE-2022-23138", + "datePublished": "2022-06-09T14:34:36", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:38.332Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ZXMP M721", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "V5.10.030.006" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "ZTE's ZXMP M721 product has a permission and access control vulnerability. Since the folder permission viewed by sftp is 666, which is inconsistent with the actual permission. It’s easy for?users to?ignore the modification?of?the file permission configuration, so that low-authority accounts could actually obtain higher operating permissions on key files." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "permission and access control", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-12T19:26:38", + "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "shortName": "zte" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024444" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@zte.com.cn", + "ID": "CVE-2022-23139", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ZXMP M721", + "version": { + "version_data": [ + { + "version_value": "V5.10.030.006" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "ZTE's ZXMP M721 product has a permission and access control vulnerability. Since the folder permission viewed by sftp is 666, which is inconsistent with the actual permission. It’s easy for?users to?ignore the modification?of?the file permission configuration, so that low-authority accounts could actually obtain higher operating permissions on key files." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "permission and access control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024444", + "refsource": "MISC", + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1024444" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:38.636Z" + }, + "references": [ + { + "name": "Test (7356/24750) [3606/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23139" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "assignerShortName": "zte", + "cveId": "CVE-2022-23139", + "datePublished": "2022-05-12T19:26:38", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:38.636Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ZXMP M721", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "COMMOND21BOOTV100004_LS1045" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "ZXMP M721 has an information leak vulnerability. Since the serial port authentication on the ZBOOT interface is not effective although it is enabled, an attacker could use this vulnerability to log in to the device to obtain sensitive information." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "information leak", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-15T14:44:50", + "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "shortName": "zte" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025264" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@zte.com.cn", + "ID": "CVE-2022-23141", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ZXMP M721", + "version": { + "version_data": [ + { + "version_value": "COMMOND21BOOTV100004_LS1045" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "ZXMP M721 has an information leak vulnerability. Since the serial port authentication on the ZBOOT interface is not effective although it is enabled, an attacker could use this vulnerability to log in to the device to obtain sensitive information." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "information leak" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025264", + "refsource": "MISC", + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025264" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:38.946Z" + }, + "references": [ + { + "name": "Test (7357/24750) [3607/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23141" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "assignerShortName": "zte", + "cveId": "CVE-2022-23141", + "datePublished": "2022-07-15T14:44:50", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:38.946Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ZXEN CG200", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "All versions up to V1.0.0P1N5_M" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "ZXEN CG200 has a DoS vulnerability. An attacker could construct and send a large number of HTTP GET requests in a short time, which can make the product management websites not accessible." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "DoS", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-18T14:47:32", + "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "shortName": "zte" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025304" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@zte.com.cn", + "ID": "CVE-2022-23142", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ZXEN CG200", + "version": { + "version_data": [ + { + "version_value": "All versions up to V1.0.0P1N5_M" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "ZXEN CG200 has a DoS vulnerability. An attacker could construct and send a large number of HTTP GET requests in a short time, which can make the product management websites not accessible." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "DoS" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025304", + "refsource": "MISC", + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1025304" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:39.248Z" + }, + "references": [ + { + "name": "Test (7358/24750) [3608/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23142" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "assignerShortName": "zte", + "cveId": "CVE-2022-23142", + "datePublished": "2022-07-18T14:47:32", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:39.248Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23143", + "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "assignerShortName": "zte", + "dateUpdated": "2024-06-03T14:57:39.555Z", + "dateReserved": "2022-01-11T00:00:00", + "datePublished": "2022-12-05T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "shortName": "zte", + "dateUpdated": "2022-12-05T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "ZTE OTCP product is impacted by a permission and access control vulnerability. Due to improper permission settings, an attacker with high permissions could use this vulnerability to maliciously delete and modify files." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "OTCP", + "versions": [ + { + "version": "V2.21.40.06RC1", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1026164" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "permission and access control vulnerability" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:39.555Z" + }, + "references": [ + { + "name": "Test (7359/24750) [3609/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23143" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ZXvSTB", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "All versions up to ZXvSTB-CAMSV2.01.02.01" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "There is a broken access control vulnerability in ZTE ZXvSTB product. Due to improper permission control, attackers could use this vulnerability to delete the default application type, which affects normal use of system." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "access control vulnerability", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-23T14:11:59", + "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "shortName": "zte" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1026224" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@zte.com.cn", + "ID": "CVE-2022-23144", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ZXvSTB", + "version": { + "version_data": [ + { + "version_value": "All versions up to ZXvSTB-CAMSV2.01.02.01" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is a broken access control vulnerability in ZTE ZXvSTB product. Due to improper permission control, attackers could use this vulnerability to delete the default application type, which affects normal use of system." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "access control vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1026224", + "refsource": "MISC", + "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1026224" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:39.852Z" + }, + "references": [ + { + "name": "Test (7360/24750) [3610/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23144" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", + "assignerShortName": "zte", + "cveId": "CVE-2022-23144", + "datePublished": "2022-09-23T14:11:59", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:39.852Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Wyse Management Suite", + "vendor": "Dell", + "versions": [ + { + "lessThan": "3.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability. A malicious user with admin privileges can exploit this vulnerability in order to execute arbitrary code on the system." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.2, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-434", + "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-01T20:00:31", + "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "shortName": "dell" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.dell.com/support/kbdoc/000195918" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2022-02-17", + "ID": "CVE-2022-23155", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Wyse Management Suite", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "3.6" + } + ] + } + } + ] + }, + "vendor_name": "Dell" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability. A malicious user with admin privileges can exploit this vulnerability in order to execute arbitrary code on the system." + } + ] + }, + "impact": { + "cvss": { + "baseScore": 7.2, + "baseSeverity": "High", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-434: Unrestricted Upload of File with Dangerous Type" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.dell.com/support/kbdoc/000195918", + "refsource": "MISC", + "url": "https://www.dell.com/support/kbdoc/000195918" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:40.164Z" + }, + "references": [ + { + "name": "Test (7361/24750) [3611/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23155" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "assignerShortName": "dell", + "cveId": "CVE-2022-23155", + "datePublished": "2022-02-17T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:40.164Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Dell Wyse Device Agent", + "vendor": "Dell", + "versions": [ + { + "lessThan": "14.6.2.13", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Wyse Device Agent version 14.6.1.4 and below contain an Improper Authentication vulnerability. A malicious user could potentially exploit this vulnerability by providing invalid input in order to obtain a connection to WMS server." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Other", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-01T20:00:32", + "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "shortName": "dell" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.dell.com/support/kbdoc/000196005" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2022-02-17", + "ID": "CVE-2022-23156", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Dell Wyse Device Agent", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "14.6.2.13" + } + ] + } + } + ] + }, + "vendor_name": "Dell" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Wyse Device Agent version 14.6.1.4 and below contain an Improper Authentication vulnerability. A malicious user could potentially exploit this vulnerability by providing invalid input in order to obtain a connection to WMS server." + } + ] + }, + "impact": { + "cvss": { + "baseScore": 6, + "baseSeverity": "Medium", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Other" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.dell.com/support/kbdoc/000196005", + "refsource": "MISC", + "url": "https://www.dell.com/support/kbdoc/000196005" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:40.620Z" + }, + "references": [ + { + "name": "Test (7362/24750) [3612/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23156" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "assignerShortName": "dell", + "cveId": "CVE-2022-23156", + "datePublished": "2022-02-17T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:40.620Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Dell Wyse Device Agent", + "vendor": "Dell", + "versions": [ + { + "lessThan": "14.6.2.13", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. A authenticated malicious user could potentially exploit this vulnerability in order to view sensitive information from the WMS Server." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 4.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-200", + "description": "CWE-200: Information Exposure", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-01T20:00:33", + "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "shortName": "dell" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.dell.com/support/kbdoc/000196005" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2022-02-17", + "ID": "CVE-2022-23157", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Dell Wyse Device Agent", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "14.6.2.13" + } + ] + } + } + ] + }, + "vendor_name": "Dell" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. A authenticated malicious user could potentially exploit this vulnerability in order to view sensitive information from the WMS Server." + } + ] + }, + "impact": { + "cvss": { + "baseScore": 4.4, + "baseSeverity": "Medium", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200: Information Exposure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.dell.com/support/kbdoc/000196005", + "refsource": "MISC", + "url": "https://www.dell.com/support/kbdoc/000196005" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:40.939Z" + }, + "references": [ + { + "name": "Test (7363/24750) [3613/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23157" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "assignerShortName": "dell", + "cveId": "CVE-2022-23157", + "datePublished": "2022-02-17T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:40.939Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Dell Wyse Device Agent", + "vendor": "Dell", + "versions": [ + { + "lessThan": "14.6.2.13", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-17T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. A local authenticated user with standard privilege could potentially exploit this vulnerability and provide incorrect port information and get connected to valid WMS server" + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 6, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-183", + "description": "CWE-183: Permissive Whitelist", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-01T20:00:35", + "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "shortName": "dell" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.dell.com/support/kbdoc/000196005" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2022-02-17", + "ID": "CVE-2022-23158", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Dell Wyse Device Agent", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "14.6.2.13" + } + ] + } + } + ] + }, + "vendor_name": "Dell" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. A local authenticated user with standard privilege could potentially exploit this vulnerability and provide incorrect port information and get connected to valid WMS server" + } + ] + }, + "impact": { + "cvss": { + "baseScore": 6, + "baseSeverity": "Medium", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-183: Permissive Whitelist" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.dell.com/support/kbdoc/000196005", + "refsource": "MISC", + "url": "https://www.dell.com/support/kbdoc/000196005" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:41.253Z" + }, + "references": [ + { + "name": "Test (7364/24750) [3614/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23158" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "assignerShortName": "dell", + "cveId": "CVE-2022-23158", + "datePublished": "2022-02-17T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:41.253Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "PowerScale OneFS", + "vendor": "Dell", + "versions": [ + { + "status": "affected", + "version": "8.2.2 - 9.3.0.x" + } + ] + } + ], + "datePublic": "2022-03-03T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Dell PowerScale OneFS, 8.2.2 - 9.3.0.x, contain a missing release of memory after effective lifetime vulnerability. An authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_AUTH_PROVIDERS privileges could exploit this vulnerability, leading to a Denial-Of-Service. This can also impact a cluster in Compliance mode. Dell recommends to update at the earliest opportunity." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 4.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-401", + "description": "CWE-401 Missing Release of Memory after Effective Lifetime", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-12T17:50:49", + "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "shortName": "dell" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.dell.com/support/kbdoc/000196009" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2022-03-03", + "ID": "CVE-2022-23159", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "PowerScale OneFS", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "8.2.2 - 9.3.0.x" + } + ] + } + } + ] + }, + "vendor_name": "Dell" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Dell PowerScale OneFS, 8.2.2 - 9.3.0.x, contain a missing release of memory after effective lifetime vulnerability. An authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_AUTH_PROVIDERS privileges could exploit this vulnerability, leading to a Denial-Of-Service. This can also impact a cluster in Compliance mode. Dell recommends to update at the earliest opportunity." + } + ] + }, + "impact": { + "cvss": { + "baseScore": 4.8, + "baseSeverity": "Medium", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-401 Missing Release of Memory after Effective Lifetime" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.dell.com/support/kbdoc/000196009", + "refsource": "MISC", + "url": "https://www.dell.com/support/kbdoc/000196009" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:41.554Z" + }, + "references": [ + { + "name": "Test (7365/24750) [3615/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23159" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "assignerShortName": "dell", + "cveId": "CVE-2022-23159", + "datePublished": "2022-03-03T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:41.554Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "PowerScale OneFS", + "vendor": "Dell", + "versions": [ + { + "status": "affected", + "version": "8.2.0-9.3.0" + } + ] + } + ], + "datePublic": "2022-03-03T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Dell PowerScale OneFS, versions 8.2.0-9.3.0, contains an Improper Handling of Insufficient Permissions vulnerability. An remote malicious user could potentially exploit this vulnerability, leading to gaining write permissions on read-only files." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-274", + "description": "CWE-274: Improper Handling of Insufficient Privileges", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-12T17:50:51", + "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "shortName": "dell" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.dell.com/support/kbdoc/000196009" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2022-03-03", + "ID": "CVE-2022-23160", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "PowerScale OneFS", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "8.2.0-9.3.0" + } + ] + } + } + ] + }, + "vendor_name": "Dell" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Dell PowerScale OneFS, versions 8.2.0-9.3.0, contains an Improper Handling of Insufficient Permissions vulnerability. An remote malicious user could potentially exploit this vulnerability, leading to gaining write permissions on read-only files." + } + ] + }, + "impact": { + "cvss": { + "baseScore": 5.4, + "baseSeverity": "Medium", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-274: Improper Handling of Insufficient Privileges" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.dell.com/support/kbdoc/000196009", + "refsource": "MISC", + "url": "https://www.dell.com/support/kbdoc/000196009" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:41.847Z" + }, + "references": [ + { + "name": "Test (7366/24750) [3616/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23160" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "assignerShortName": "dell", + "cveId": "CVE-2022-23160", + "datePublished": "2022-03-03T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:41.847Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "PowerScale OneFS", + "vendor": "Dell", + "versions": [ + { + "status": "affected", + "version": "8.2.x - 9.3.0.x" + } + ] + } + ], + "datePublic": "2022-03-03T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker may potentially exploit this vulnerability, leading to denial-of-service." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-755", + "description": "CWE-755: Improper Handling of Exceptional Conditions", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-11T15:55:10", + "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "shortName": "dell" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.dell.com/support/kbdoc/000196009" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2022-03-03", + "ID": "CVE-2022-23161", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "PowerScale OneFS", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "8.2.x - 9.3.0.x" + } + ] + } + } + ] + }, + "vendor_name": "Dell" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker may potentially exploit this vulnerability, leading to denial-of-service." + } + ] + }, + "impact": { + "cvss": { + "baseScore": 7.5, + "baseSeverity": "High", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-755: Improper Handling of Exceptional Conditions" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.dell.com/support/kbdoc/000196009", + "refsource": "MISC", + "url": "https://www.dell.com/support/kbdoc/000196009" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:42.166Z" + }, + "references": [ + { + "name": "Test (7367/24750) [3617/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23161" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "assignerShortName": "dell", + "cveId": "CVE-2022-23161", + "datePublished": "2022-03-03T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:42.166Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "PowerScale OneFS", + "vendor": "Dell", + "versions": [ + { + "status": "affected", + "version": "8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x" + } + ] + } + ], + "datePublic": "2022-03-03T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability. A local malicious user could potentially exploit this vulnerability, leading to denial of service/data unavailability." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 4.7, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-379", + "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-12T17:50:54", + "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "shortName": "dell" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.dell.com/support/kbdoc/000196009" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2022-03-03", + "ID": "CVE-2022-23163", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "PowerScale OneFS", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x" + } + ] + } + } + ] + }, + "vendor_name": "Dell" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability. A local malicious user could potentially exploit this vulnerability, leading to denial of service/data unavailability." + } + ] + }, + "impact": { + "cvss": { + "baseScore": 4.7, + "baseSeverity": "Medium", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.dell.com/support/kbdoc/000196009", + "refsource": "MISC", + "url": "https://www.dell.com/support/kbdoc/000196009" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:42.886Z" + }, + "references": [ + { + "name": "Test (7369/24750) [3619/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23163" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", + "assignerShortName": "dell", + "cveId": "CVE-2022-23163", + "datePublished": "2022-03-03T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:42.886Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "cloud" + ], + "product": "Sysaid ", + "vendor": "SysAid ", + "versions": [ + { + "lessThanOrEqual": "22.2.19", + "status": "affected", + "version": "22.2.19 cloud version", + "versionType": "custom" + } + ] + }, + { + "platforms": [ + "on premise" + ], + "product": "Sysaid ", + "vendor": "SysAid ", + "versions": [ + { + "lessThanOrEqual": "22.1.63", + "status": "affected", + "version": "22.1.63 on premise version", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Robert Catalin Raducioiu,, Francesco Di Castri" + } + ], + "datePublic": "2022-05-09T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Sysaid – Sysaid 14.2.0 Reflected Cross-Site Scripting (XSS) - The parameter \"helpPageName\" used by the page \"/help/treecontent.jsp\" suffers from a Reflected Cross-Site Scripting vulnerability. For an attacker to exploit this Cross-Site Scripting vulnerability, it's necessary for the affected product to expose the Offline Help Pages. An attacker may gain access to sensitive information or execute client-side code in the browser session of the victim user. Furthermore, an attacker would require the victim to open a malicious link. An attacker may exploit this vulnerability in order to perform phishing attacks. The attacker can receive sensitive data like server details, usernames, workstations, etc. He can also perform actions such as uploading files, deleting calls from the system" + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Cross-site Scripting (XSS)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-12T19:49:18", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to 22.2.20 cloud version, or to 22.1.64 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0020" + ], + "discovery": "EXTERNAL" + }, + "title": "Sysaid – Sysaid 14.2.0 Reflected Cross-Site Scripting (XSS)", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-05-09T11:39:00.000Z", + "ID": "CVE-2022-23165", + "STATE": "PUBLIC", + "TITLE": "Sysaid – Sysaid 14.2.0 Reflected Cross-Site Scripting (XSS)" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Sysaid ", + "version": { + "version_data": [ + { + "platform": "cloud", + "version_affected": "<=", + "version_name": "22.2.19 cloud version", + "version_value": "22.2.19" + }, + { + "platform": "on premise", + "version_affected": "<=", + "version_name": "22.1.63 on premise version", + "version_value": "22.1.63" + } + ] + } + } + ] + }, + "vendor_name": "SysAid " + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Robert Catalin Raducioiu,, Francesco Di Castri" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Sysaid – Sysaid 14.2.0 Reflected Cross-Site Scripting (XSS) - The parameter \"helpPageName\" used by the page \"/help/treecontent.jsp\" suffers from a Reflected Cross-Site Scripting vulnerability. For an attacker to exploit this Cross-Site Scripting vulnerability, it's necessary for the affected product to expose the Offline Help Pages. An attacker may gain access to sensitive information or execute client-side code in the browser session of the victim user. Furthermore, an attacker would require the victim to open a malicious link. An attacker may exploit this vulnerability in order to perform phishing attacks. The attacker can receive sensitive data like server details, usernames, workstations, etc. He can also perform actions such as uploading files, deleting calls from the system" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to 22.2.20 cloud version, or to 22.1.64 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0020" + ], + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:43.429Z" + }, + "references": [ + { + "name": "Test (7371/24750) [3621/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23165" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-23165", + "datePublished": "2022-05-09T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:43.429Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "cloud" + ], + "product": "Sysaid ", + "vendor": "SysAid ", + "versions": [ + { + "lessThanOrEqual": "22.2.19", + "status": "affected", + "version": "22.2.19 cloud version", + "versionType": "custom" + } + ] + }, + { + "platforms": [ + "on premise" + ], + "product": "Sysaid ", + "vendor": "SysAid ", + "versions": [ + { + "lessThanOrEqual": "22.1.63", + "status": "affected", + "version": "22.1.63 on premise version", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Dudu Moyal - Sophtix Security LTD " + } + ], + "datePublic": "2022-05-09T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access to the system by accessing to \"/lib/tinymce/examples/index.html\" path. in the \"Insert/Edit Embedded Media\" window Choose Type : iFrame and File/URL : [here is the LFI] Solution: Update to 22.2.20 cloud version, or to 22.1.64 on premise version." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Local File Inclusion ", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-12T19:49:52", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to 22.2.20 cloud version, or to 22.1.64 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0021" + ], + "discovery": "EXTERNAL" + }, + "title": "Sysaid – Sysaid Local File Inclusion (LFI)", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-05-09T11:39:00.000Z", + "ID": "CVE-2022-23166", + "STATE": "PUBLIC", + "TITLE": "Sysaid – Sysaid Local File Inclusion (LFI)" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Sysaid ", + "version": { + "version_data": [ + { + "platform": "cloud", + "version_affected": "<=", + "version_name": "22.2.19 cloud version", + "version_value": "22.2.19" + }, + { + "platform": "on premise", + "version_affected": "<=", + "version_name": "22.1.63 on premise version", + "version_value": "22.1.63" + } + ] + } + } + ] + }, + "vendor_name": "SysAid " + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Dudu Moyal - Sophtix Security LTD " + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access to the system by accessing to \"/lib/tinymce/examples/index.html\" path. in the \"Insert/Edit Embedded Media\" window Choose Type : iFrame and File/URL : [here is the LFI] Solution: Update to 22.2.20 cloud version, or to 22.1.64 on premise version." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Local File Inclusion " + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to 22.2.20 cloud version, or to 22.1.64 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0021" + ], + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:43.740Z" + }, + "references": [ + { + "name": "Test (7372/24750) [3622/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23166" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-23166", + "datePublished": "2022-05-09T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:43.740Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Amodat", + "vendor": "Amodat ", + "versions": [ + { + "lessThanOrEqual": "7.12.00.09", + "status": "affected", + "version": "7.12.00.08", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": " Moriel Harush, Dudu Moyal, Gad Abuhatziera - Sophtix Security LTD" + } + ], + "datePublic": "2022-06-09T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Attacker crafts a GET request to: /mobile/downloadfile.aspx? Filename =../.. /windows/boot.ini the LFI is UNAUTHENTICATED." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Local File Inclusion", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-13T16:11:55", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to 7.12.00.09 version" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Amodat - Mobile Application Gateway Local File Inclusion (LFI)", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-06-09T12:15:00.000Z", + "ID": "CVE-2022-23167", + "STATE": "PUBLIC", + "TITLE": "Amodat - Mobile Application Gateway Local File Inclusion (LFI)" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Amodat", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.12.00.08", + "version_value": "7.12.00.09" + } + ] + } + } + ] + }, + "vendor_name": "Amodat " + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": " Moriel Harush, Dudu Moyal, Gad Abuhatziera - Sophtix Security LTD" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Attacker crafts a GET request to: /mobile/downloadfile.aspx? Filename =../.. /windows/boot.ini the LFI is UNAUTHENTICATED." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Local File Inclusion" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to 7.12.00.09 version" + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:44.102Z" + }, + "references": [ + { + "name": "Test (7373/24750) [3623/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23167" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-23167", + "datePublished": "2022-06-09T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:44.102Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Amodat", + "vendor": "Amodat ", + "versions": [ + { + "lessThanOrEqual": "7.12.00.09", + "status": "affected", + "version": "7.12.00.08", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": " Moriel Harush, Dudu Moyal, Gad Abuhatziera - Sophtix Security LTD" + } + ], + "datePublic": "2022-06-09T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "The attacker could get access to the database. The SQL injection is in the username parameter at the login panel: username: admin'--" + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-89", + "description": "CWE-89 SQL Injection", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-13T16:12:36", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to 7.12.00.09 version" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Amodat - Mobile Application Gateway SQL Injection (SQLi)", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-06-09T12:15:00.000Z", + "ID": "CVE-2022-23168", + "STATE": "PUBLIC", + "TITLE": "Amodat - Mobile Application Gateway SQL Injection (SQLi)" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Amodat", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.12.00.08", + "version_value": "7.12.00.09" + } + ] + } + } + ] + }, + "vendor_name": "Amodat " + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": " Moriel Harush, Dudu Moyal, Gad Abuhatziera - Sophtix Security LTD" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The attacker could get access to the database. The SQL injection is in the username parameter at the login panel: username: admin'--" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-89 SQL Injection" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to 7.12.00.09 version" + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:44.465Z" + }, + "references": [ + { + "name": "Test (7374/24750) [3624/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23168" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-23168", + "datePublished": "2022-06-09T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:44.465Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Amodat", + "vendor": "Amodat ", + "versions": [ + { + "lessThanOrEqual": "7.12.00.09", + "status": "affected", + "version": "7.12.00.08", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": " Moriel Harush, Dudu Moyal, Gad Abuhatziera - Sophtix Security LTD" + } + ], + "datePublic": "2022-06-09T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "attacker needs to craft a SQL payload. the vulnerable parameter is \"agentid\" must be authenticated to the admin panel." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-89", + "description": "CWE-89 SQL Injection", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-13T16:13:31", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to 7.12.00.09 version" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Amodat - Mobile Application Gateway SQL Injection (SQLi)", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-06-09T12:15:00.000Z", + "ID": "CVE-2022-23169", + "STATE": "PUBLIC", + "TITLE": "Amodat - Mobile Application Gateway SQL Injection (SQLi)" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Amodat", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "7.12.00.08", + "version_value": "7.12.00.09" + } + ] + } + } + ] + }, + "vendor_name": "Amodat " + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": " Moriel Harush, Dudu Moyal, Gad Abuhatziera - Sophtix Security LTD" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "attacker needs to craft a SQL payload. the vulnerable parameter is \"agentid\" must be authenticated to the admin panel." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-89 SQL Injection" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to 7.12.00.09 version" + } + ], + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:44.820Z" + }, + "references": [ + { + "name": "Test (7375/24750) [3625/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23169" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-23169", + "datePublished": "2022-06-09T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:44.820Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "SysAid - Okta SSO integration", + "vendor": "Sysaid", + "versions": [ + { + "lessThan": "22.1.49*", + "status": "affected", + "version": "22.1.63", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Niv Levy - CyberArk" + } + ], + "datePublic": "2022-06-14T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-611", + "description": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-24T15:00:10", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to 22.1.50 cloud version, or to 22.1.64 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0025" + ], + "discovery": "EXTERNAL" + }, + "title": "SysAid - Okta SSO integration", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-06-14T08:07:00.000Z", + "ID": "CVE-2022-23170", + "STATE": "PUBLIC", + "TITLE": "SysAid - Okta SSO integration" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SysAid - Okta SSO integration", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_name": "22.1.49", + "version_value": "22.1.63" + } + ] + } + } + ] + }, + "vendor_name": "Sysaid" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Niv Levy - CyberArk" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability. Any SysAid environment that uses the Okta SSO integration might be vulnerable. An unauthenticated attacker could exploit the XXE vulnerability by sending a malformed POST request to the identity provider endpoint. An attacker can extract the identity provider endpoint by decoding the SAMLRequest parameter's value and searching for the AssertionConsumerServiceURL parameter's value. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to 22.1.50 cloud version, or to 22.1.64 on premise version." + } + ], + "source": { + "defect": [ + "ILVN-2022-0025" + ], + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:45.203Z" + }, + "references": [ + { + "name": "Test (7376/24750) [3626/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23170" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-23170", + "datePublished": "2022-06-14T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:45.203Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "AtlasVPN", + "vendor": "AtlasVPN", + "versions": [ + { + "lessThanOrEqual": "2.4.2", + "status": "affected", + "version": "2.4.0", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Alex Katziv" + } + ], + "datePublic": "2022-06-20T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "AtlasVPN - Privilege Escalation Lack of proper security controls on named pipe messages can allow an attacker with low privileges to send a malicious payload and gain SYSTEM permissions on a windows computer where the AtlasVPN client is installed." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Privilege Escalation", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-21T14:23:39", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update version 2.4.2 of the Windows app." + } + ], + "source": { + "defect": [ + "ILVN-2022-0026" + ], + "discovery": "USER" + }, + "title": "AtlasVPN - Privilege Escalation", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-06-20T05:56:00.000Z", + "ID": "CVE-2022-23171", + "STATE": "PUBLIC", + "TITLE": "AtlasVPN - Privilege Escalation" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "AtlasVPN", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "2.4.0", + "version_value": "2.4.2" + } + ] + } + } + ] + }, + "vendor_name": "AtlasVPN" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Alex Katziv" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "AtlasVPN - Privilege Escalation Lack of proper security controls on named pipe messages can allow an attacker with low privileges to send a malicious payload and gain SYSTEM permissions on a windows computer where the AtlasVPN client is installed." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Privilege Escalation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update version 2.4.2 of the Windows app." + } + ], + "source": { + "defect": [ + "ILVN-2022-0026" + ], + "discovery": "USER" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:45.545Z" + }, + "references": [ + { + "name": "Test (7377/24750) [3627/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23171" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-23171", + "datePublished": "2022-06-20T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:45.545Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Priority", + "vendor": "Priority", + "versions": [ + { + "lessThan": "22.0", + "status": "affected", + "version": "22.0", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": ": Dudu Moyal - Sophtix Security LTD." + } + ], + "datePublic": "2022-06-26T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "An attacker can access to \"Forgot my password\" button, as soon as he puts users is valid in the system, the system would issue a message that a password reset email had been sent to user. This way you can verify which users are in the system and which are not." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "User Enumeration", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-06T13:11:31", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to version V22.0" + } + ], + "source": { + "defect": [ + "ILVN-2022-0027" + ], + "discovery": "EXTERNAL" + }, + "title": "Priority - Priority User Enumeration", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-06-26T13:17:00.000Z", + "ID": "CVE-2022-23172", + "STATE": "PUBLIC", + "TITLE": "Priority - Priority User Enumeration" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Priority", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "22.0", + "version_value": "22.0" + } + ] + } + } + ] + }, + "vendor_name": "Priority" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": ": Dudu Moyal - Sophtix Security LTD." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An attacker can access to \"Forgot my password\" button, as soon as he puts users is valid in the system, the system would issue a message that a password reset email had been sent to user. This way you can verify which users are in the system and which are not." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "User Enumeration" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to version V22.0" + } + ], + "source": { + "defect": [ + "ILVN-2022-0027" + ], + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:45.856Z" + }, + "references": [ + { + "name": "Test (7378/24750) [3628/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23172" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-23172", + "datePublished": "2022-06-26T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:45.856Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Priority web", + "vendor": "Priority", + "versions": [ + { + "lessThan": "V22.0*", + "status": "affected", + "version": "V22.0", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Gad Abuhatzeira - Sophtix Security LTD. " + } + ], + "datePublic": "2022-06-27T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "this vulnerability affect user that even not allowed to access via the web interface. First of all, the attacker needs to access the \"Login menu - demo site\" then he can see in this menu all the functionality of the application. If the attacker will try to click on one of the links, he will get an answer that he is not authorized because he needs to log in with credentials. after he performed log in to the system there are some functionalities that the specific user is not allowed to perform because he was configured with low privileges however all the attacker need to do in order to achieve his goals is to change the value of the prog step parameter from 0 to 1 or more and then the attacker could access to some of the functionality the web application that he couldn't perform it before the parameter changed." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Insecure direct object references (IDOR)", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-06T13:11:59", + "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "shortName": "INCD" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.gov.il/en/Departments/faq/cve_advisories" + } + ], + "solutions": [ + { + "lang": "en", + "value": "Update to version V22.0." + } + ], + "source": { + "defect": [ + "ILVN-2022-0028" + ], + "discovery": "EXTERNAL" + }, + "title": "Priority - Priority web Insecure direct object references (IDOR)", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cna@cyber.gov.il", + "DATE_PUBLIC": "2022-06-27T08:35:00.000Z", + "ID": "CVE-2022-23173", + "STATE": "PUBLIC", + "TITLE": "Priority - Priority web Insecure direct object references (IDOR)" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Priority web", + "version": { + "version_data": [ + { + "version_affected": ">", + "version_name": "V22.0", + "version_value": "V22.0" + } + ] + } + } + ] + }, + "vendor_name": "Priority" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Gad Abuhatzeira - Sophtix Security LTD. " + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "this vulnerability affect user that even not allowed to access via the web interface. First of all, the attacker needs to access the \"Login menu - demo site\" then he can see in this menu all the functionality of the application. If the attacker will try to click on one of the links, he will get an answer that he is not authorized because he needs to log in with credentials. after he performed log in to the system there are some functionalities that the specific user is not allowed to perform because he was configured with low privileges however all the attacker need to do in order to achieve his goals is to change the value of the prog step parameter from 0 to 1 or more and then the attacker could access to some of the functionality the web application that he couldn't perform it before the parameter changed." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Insecure direct object references (IDOR)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.gov.il/en/Departments/faq/cve_advisories", + "refsource": "MISC", + "url": "https://www.gov.il/en/Departments/faq/cve_advisories" + } + ] + }, + "solution": [ + { + "lang": "en", + "value": "Update to version V22.0." + } + ], + "source": { + "defect": [ + "ILVN-2022-0028" + ], + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:46.185Z" + }, + "references": [ + { + "name": "Test (7379/24750) [3629/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23173" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", + "assignerShortName": "INCD", + "cveId": "CVE-2022-23173", + "datePublished": "2022-06-27T00:00:00", + "dateReserved": "2022-01-11T00:00:00", + "dateUpdated": "2024-06-03T14:57:46.185Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. This vulnerability impacts Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-08T02:22:03", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://securityportal.watchguard.com" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_7/index.html#Fireware/en-US/resolved_issues.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_7_2/index.html#Fireware/en-US/resolved_issues.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_1_3_U7/index.html#Fireware/en-US/resolved_issues.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://arstechnica.com/information-technology/2022/04/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23176", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. This vulnerability impacts Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://securityportal.watchguard.com", + "refsource": "MISC", + "url": "https://securityportal.watchguard.com" + }, + { + "name": "https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_7/index.html#Fireware/en-US/resolved_issues.html", + "refsource": "CONFIRM", + "url": "https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_7/index.html#Fireware/en-US/resolved_issues.html" + }, + { + "name": "https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_7_2/index.html#Fireware/en-US/resolved_issues.html", + "refsource": "MISC", + "url": "https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_7_2/index.html#Fireware/en-US/resolved_issues.html" + }, + { + "name": "https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_1_3_U7/index.html#Fireware/en-US/resolved_issues.html", + "refsource": "MISC", + "url": "https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_1_3_U7/index.html#Fireware/en-US/resolved_issues.html" + }, + { + "name": "https://arstechnica.com/information-technology/2022/04/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers/", + "refsource": "MISC", + "url": "https://arstechnica.com/information-technology/2022/04/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers/" + } + ] + } + } + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "kev", + "content": { + "dateAdded": "2022-04-11", + "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" + } + } + } + ], + "timeline": [ + { + "time": "2022-04-11T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-23176 added to KEV" + }, + { + "time": "2022-04-11T00:00:00+00:00", + "lang": "en", + "value": "CVE-2022-23176 added to CISA KEV" + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-05-03T14:42:47.080Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:46.539Z" + }, + "references": [ + { + "name": "Test (7380/24750) [3630/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23176" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23176", + "datePublished": "2022-02-24T00:52:48", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:46.539Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-15T14:40:25", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.redteam-pentesting.de/advisories/rt-sa-2021-009" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23178", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.redteam-pentesting.de/advisories/rt-sa-2021-009", + "refsource": "MISC", + "url": "https://www.redteam-pentesting.de/advisories/rt-sa-2021-009" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:46.872Z" + }, + "references": [ + { + "name": "Test (7381/24750) [3631/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23178" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23178", + "datePublished": "2022-01-15T14:40:25", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:46.872Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23179", + "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", + "state": "PUBLISHED", + "assignerShortName": "WPScan", + "dateReserved": "2022-01-12T09:37:44.753Z", + "datePublished": "2024-01-16T15:52:09.488Z", + "dateUpdated": "2024-06-03T14:57:47.197Z" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", + "shortName": "WPScan", + "dateUpdated": "2024-01-16T15:52:09.488Z" + }, + "title": "Contact Form & Lead Form Elementor Builder < 1.7.0 - Multiple Admin+ Stored Cross-Site Scripting", + "problemTypes": [ + { + "descriptions": [ + { + "description": "CWE-79 Cross-Site Scripting (XSS)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "affected": [ + { + "vendor": "Unknown", + "product": "Contact Form & Lead Form Elementor Builder", + "versions": [ + { + "status": "affected", + "versionType": "semver", + "version": "0", + "lessThan": "1.7.0" + } + ], + "defaultStatus": "unaffected", + "collectionURL": "https://wordpress.org/plugins" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed" + } + ], + "references": [ + { + "url": "https://wpscan.com/vulnerability/90b8af99-e4a1-4076-99fa-efe805dd4be4/", + "tags": [ + "exploit", + "vdb-entry", + "technical-description" + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Yoru Oni", + "type": "finder" + }, + { + "lang": "en", + "value": "WPScan", + "type": "coordinator" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "x_generator": { + "engine": "WPScan CVE Generator" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:47.197Z" + }, + "references": [ + { + "name": "Test (7382/24750) [3632/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23179" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23180", + "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", + "state": "PUBLISHED", + "assignerShortName": "WPScan", + "dateReserved": "2022-01-12T09:37:44.754Z", + "datePublished": "2024-01-16T15:52:09.047Z", + "dateUpdated": "2024-06-03T14:57:47.520Z" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", + "shortName": "WPScan", + "dateUpdated": "2024-01-16T15:52:09.047Z" + }, + "title": "Contact Form & Lead Form Elementor Builder Plugin < 1.7.4 - Multiple Subscriber+ Settings Update", + "problemTypes": [ + { + "descriptions": [ + { + "description": "CWE-862 Missing Authorization", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "affected": [ + { + "vendor": "Unknown", + "product": "Contact Form & Lead Form Elementor Builder", + "versions": [ + { + "status": "affected", + "versionType": "semver", + "version": "0", + "lessThan": "1.7.4" + } + ], + "defaultStatus": "unaffected", + "collectionURL": "https://wordpress.org/plugins" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings" + } + ], + "references": [ + { + "url": "https://wpscan.com/vulnerability/da87358a-3a72-4cf7-a2af-a266dd9b4290/", + "tags": [ + "exploit", + "vdb-entry", + "technical-description" + ] + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/2670484", + "tags": [ + "patch" + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Yoru Oni", + "type": "finder" + }, + { + "lang": "en", + "value": "WPScan", + "type": "coordinator" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "x_generator": { + "engine": "WPScan CVE Generator" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:47.520Z" + }, + "references": [ + { + "name": "Test (7383/24750) [3633/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23180" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23181", + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "dateUpdated": "2024-06-03T14:57:47.840Z", + "dateReserved": "2022-01-12T00:00:00", + "datePublished": "2022-01-27T00:00:00" + }, + "containers": { + "cna": { + "title": "Local privilege escalation with FileStore", + "providerMetadata": { + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache", + "dateUpdated": "2022-10-30T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore." + } + ], + "affected": [ + { + "vendor": "Apache Software Foundation", + "product": "Apache Tomcat", + "versions": [ + { + "version": "Apache Tomcat 10.1 10.1.0-M1 to 10.1.0-M8", + "status": "affected" + }, + { + "version": "Apache Tomcat 10.0 10.0.0-M5 to 10.0.14", + "status": "affected" + }, + { + "version": "Apache Tomcat 9 9.0.35 to 9.0.56", + "status": "affected" + }, + { + "version": "Apache Tomcat 8 8.5.55 to 8.5.73", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220217-0010/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "name": "[debian-lts-announce] 20221026 [SECURITY] [DLA 3160-1] tomcat9 security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html" + }, + { + "name": "DSA-5265", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5265" + } + ], + "metrics": [ + { + "other": { + "type": "unknown", + "content": { + "other": "low" + } + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", + "cweId": "CWE-367" + } + ] + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "source": { + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:47.840Z" + }, + "references": [ + { + "name": "Test (7384/24750) [3634/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23181" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Intel(R) Data Center Manager software", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "before version 4.1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Improper access control in the Intel(R) Data Center Manager software before version 4.1 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "escalation of privilege", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-18T19:52:50", + "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", + "shortName": "intel" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "secure@intel.com", + "ID": "CVE-2022-23182", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Intel(R) Data Center Manager software", + "version": { + "version_data": [ + { + "version_value": "before version 4.1" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Improper access control in the Intel(R) Data Center Manager software before version 4.1 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "escalation of privilege" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.html", + "refsource": "MISC", + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:48.141Z" + }, + "references": [ + { + "name": "Test (7385/24750) [3635/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23182" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", + "assignerShortName": "intel", + "cveId": "CVE-2022-23182", + "datePublished": "2022-08-18T19:52:50", + "dateReserved": "2022-02-18T00:00:00", + "dateUpdated": "2024-06-03T14:57:48.141Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Advanced Custom Fields", + "vendor": "Delicious Brains", + "versions": [ + { + "status": "affected", + "version": "Advanced Custom Fields versions prior to 5.12.1, and Advanced Custom Fields Pro versions prior to 5.12.1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Missing authorization", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-31T07:20:54", + "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", + "shortName": "jpcert" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.advancedcustomfields.com/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://wordpress.org/plugins/advanced-custom-fields/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://jvn.jp/en/jp/JVN42543427/index.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vultures@jpcert.or.jp", + "ID": "CVE-2022-23183", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Advanced Custom Fields", + "version": { + "version_data": [ + { + "version_value": "Advanced Custom Fields versions prior to 5.12.1, and Advanced Custom Fields Pro versions prior to 5.12.1" + } + ] + } + } + ] + }, + "vendor_name": "Delicious Brains" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Missing authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.advancedcustomfields.com/", + "refsource": "MISC", + "url": "https://www.advancedcustomfields.com/" + }, + { + "name": "https://wordpress.org/plugins/advanced-custom-fields/", + "refsource": "MISC", + "url": "https://wordpress.org/plugins/advanced-custom-fields/" + }, + { + "name": "https://jvn.jp/en/jp/JVN42543427/index.html", + "refsource": "MISC", + "url": "https://jvn.jp/en/jp/JVN42543427/index.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:48.478Z" + }, + "references": [ + { + "name": "Test (7386/24750) [3636/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23183" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", + "assignerShortName": "jpcert", + "cveId": "CVE-2022-23183", + "datePublished": "2022-03-31T07:20:54", + "dateReserved": "2022-02-18T00:00:00", + "dateUpdated": "2024-06-03T14:57:48.478Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Octopus Server", + "vendor": "Octopus Deploy", + "versions": [ + { + "lessThan": "2021.2.8011", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThan": "2021.3.11057", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Open Redirect Vulnerability in Octopus Server", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-07T02:35:09", + "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", + "shortName": "Octopus" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://advisories.octopus.com/post/2022/sa2022-02/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@octopus.com", + "ID": "CVE-2022-23184", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Octopus Server", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "2021.2.8011" + }, + { + "version_affected": "<", + "version_value": "2021.3.11057" + } + ] + } + } + ] + }, + "vendor_name": "Octopus Deploy" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Open Redirect Vulnerability in Octopus Server" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://advisories.octopus.com/post/2022/sa2022-02/", + "refsource": "MISC", + "url": "https://advisories.octopus.com/post/2022/sa2022-02/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:48.804Z" + }, + "references": [ + { + "name": "Test (7387/24750) [3637/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23184" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", + "assignerShortName": "Octopus", + "cveId": "CVE-2022-23184", + "datePublished": "2022-02-07T02:35:09", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:48.804Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-787", + "description": "Out-of-bounds Write (CWE-787)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:17", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator Out-of-bounds Write could lead to Arbitrary code execution", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23186", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator Out-of-bounds Write could lead to Arbitrary code execution" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 7.8, + "baseSeverity": "High", + "confidentialityImpact": "High", + "integrityImpact": "High", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Write (CWE-787)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:49.133Z" + }, + "references": [ + { + "name": "Test (7388/24750) [3638/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23186" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23186", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:49.133Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "26.0.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-03-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator version 26.0.3 (and earlier) is affected by a buffer overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file in Illustrator." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "description": "Buffer Overflow (CWE-120)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-11T17:54:31", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-15.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator 2022 Buffer Overflow could lead to Arbitrary code execution", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-03-08T23:00:00.000Z", + "ID": "CVE-2022-23187", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator 2022 Buffer Overflow could lead to Arbitrary code execution" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "26.0.3" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator version 26.0.3 (and earlier) is affected by a buffer overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file in Illustrator." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 7.8, + "baseSeverity": "High", + "confidentialityImpact": "High", + "integrityImpact": "High", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Buffer Overflow (CWE-120)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-15.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-15.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:49.487Z" + }, + "references": [ + { + "name": "Test (7389/24750) [3639/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23187" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23187", + "datePublished": "2022-03-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:49.487Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by a buffer overflow vulnerability due to insecure handling of a crafted malicious file, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted malicious file in Illustrator." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "description": "Buffer Overflow (CWE-120)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:16", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator Buffer Overflow could lead to Arbitrary code execution", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23188", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator Buffer Overflow could lead to Arbitrary code execution" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by a buffer overflow vulnerability due to insecure handling of a crafted malicious file, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted malicious file in Illustrator." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 7.8, + "baseSeverity": "High", + "confidentialityImpact": "High", + "integrityImpact": "High", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Buffer Overflow (CWE-120)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:49.796Z" + }, + "references": [ + { + "name": "Test (7390/24750) [3640/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23188" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23188", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:49.796Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-476", + "description": "NULL Pointer Dereference (CWE-476)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:16", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator NULL Pointer Dereference Application denial-of-service", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23189", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator NULL Pointer Dereference Application denial-of-service" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "None", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "NULL Pointer Dereference (CWE-476)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:50.100Z" + }, + "references": [ + { + "name": "Test (7391/24750) [3641/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23189" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23189", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:50.100Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "description": "Out-of-bounds Read (CWE-125)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:19", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23190", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "None", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "High", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Read (CWE-125)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:50.424Z" + }, + "references": [ + { + "name": "Test (7392/24750) [3642/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23190" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23190", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:50.424Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "description": "Out-of-bounds Read (CWE-125)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:18", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23191", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "None", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "High", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Read (CWE-125)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:50.741Z" + }, + "references": [ + { + "name": "Test (7393/24750) [3643/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23191" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23191", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:50.741Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "description": "Out-of-bounds Read (CWE-125)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:15", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23192", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "None", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "High", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Read (CWE-125)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:51.068Z" + }, + "references": [ + { + "name": "Test (7394/24750) [3644/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23192" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23192", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:51.068Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "description": "Out-of-bounds Read (CWE-125)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:14", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23193", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "None", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "High", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Read (CWE-125)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:51.411Z" + }, + "references": [ + { + "name": "Test (7395/24750) [3645/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23193" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23193", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:51.411Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "description": "Out-of-bounds Read (CWE-125)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:20", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23194", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "None", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "High", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Read (CWE-125)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:51.748Z" + }, + "references": [ + { + "name": "Test (7396/24750) [3646/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23194" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23194", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:51.748Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "description": "Out-of-bounds Read (CWE-125)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:21", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23195", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "None", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "High", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Read (CWE-125)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:52.063Z" + }, + "references": [ + { + "name": "Test (7397/24750) [3647/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23195" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23195", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:52.063Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "description": "Out-of-bounds Read (CWE-125)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:22", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23196", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "None", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "High", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Read (CWE-125)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:52.409Z" + }, + "references": [ + { + "name": "Test (7398/24750) [3648/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23196" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23196", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:52.409Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "description": "Out-of-bounds Read (CWE-125)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:24", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23197", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator Out-of-bounds Read could lead to Memory leak" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "None", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "High", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Read (CWE-125)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:52.735Z" + }, + "references": [ + { + "name": "Test (7399/24750) [3649/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23197" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23197", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:52.735Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-476", + "description": "NULL Pointer Dereference (CWE-476)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:23", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator NULL Pointer Dereference Application denial-of-service", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23198", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator NULL Pointer Dereference Application denial-of-service" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "None", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "NULL Pointer Dereference (CWE-476)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:57:53.063Z" + }, + "references": [ + { + "name": "Test (7400/24750) [3650/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23198" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23198", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:57:53.063Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Illustrator", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "25.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "26.0.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-476", + "description": "NULL Pointer Dereference (CWE-476)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:24", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Illustrator NULL Pointer Dereference Application denial-of-service", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23199", + "STATE": "PUBLIC", + "TITLE": "Adobe Illustrator NULL Pointer Dereference Application denial-of-service" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Illustrator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "25.4.3" + }, + { + "version_affected": "<=", + "version_value": "26.0.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "None", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "NULL Pointer Dereference (CWE-476)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:15.339Z" + }, + "references": [ + { + "name": "Test (7401/24750) [3651/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23199" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23199", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:58:15.339Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "After Effects", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "22.1.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "18.4.3", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe After Effects versions 22.1.1 (and earlier) and 18.4.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_0": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.0" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-787", + "description": "Out-of-bounds Write (CWE-787)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T18:06:25", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/after_effects/apsb22-09.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-376/" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe After Effects 3GP File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23200", + "STATE": "PUBLIC", + "TITLE": "Adobe After Effects 3GP File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "After Effects", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "22.1.1" + }, + { + "version_affected": "<=", + "version_value": "18.4.3" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe After Effects versions 22.1.1 (and earlier) and 18.4.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 7.8, + "baseSeverity": "High", + "confidentialityImpact": "High", + "integrityImpact": "High", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Write (CWE-787)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/after_effects/apsb22-09.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/after_effects/apsb22-09.html" + }, + { + "name": "https://www.zerodayinitiative.com/advisories/ZDI-22-376/", + "refsource": "MISC", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-376/" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:15.664Z" + }, + "references": [ + { + "name": "Test (7402/24750) [3652/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23200" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23200", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:58:15.664Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "RoboHelp", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "2020.0.7", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-07-12T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe RoboHelp versions 2020.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser." + } + ], + "metrics": [ + { + "cvssV3_0": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.0" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "Cross-site Scripting (Reflected XSS) (CWE-79)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-15T15:46:28", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/robohelp/apsb22-10.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe RoboHelp Reflected XSS could lead to Arbitrary code execution", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-07-12T23:00:00.000Z", + "ID": "CVE-2022-23201", + "STATE": "PUBLIC", + "TITLE": "Adobe RoboHelp Reflected XSS could lead to Arbitrary code execution" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "RoboHelp", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "2020.0.7" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe RoboHelp versions 2020.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Network", + "availabilityImpact": "None", + "baseScore": 6.1, + "baseSeverity": "Medium", + "confidentialityImpact": "Low", + "integrityImpact": "Low", + "privilegesRequired": "None", + "scope": "Changed", + "userInteraction": "Required", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cross-site Scripting (Reflected XSS) (CWE-79)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/robohelp/apsb22-10.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/robohelp/apsb22-10.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:15.979Z" + }, + "references": [ + { + "name": "Test (7403/24750) [3653/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23201" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23201", + "datePublished": "2022-07-12T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:58:15.979Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + } + ], + "totalCount": 8087, + "itemsPerPage": 500, + "pageCount": 17, + "currentPage": 1, + "prevPage": null, + "nextPage": 2 +} \ No newline at end of file diff --git a/test/fixtures/adapters/cveservices/getAllCvesChangedInTimeFrameUnitTestDataP2.json b/test/fixtures/adapters/cveservices/getAllCvesChangedInTimeFrameUnitTestDataP2.json new file mode 100644 index 0000000..1ec6233 --- /dev/null +++ b/test/fixtures/adapters/cveservices/getAllCvesChangedInTimeFrameUnitTestDataP2.json @@ -0,0 +1,85215 @@ +{ + "cveRecords": [ + { + "containers": { + "cna": { + "affected": [ + { + "product": "Creative Cloud (desktop component)", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "2.7.0.13", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Creative Cloud Desktop version 2.7.0.13 (and earlier) is affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must download a malicious DLL file. The attacker has to deliver the DLL on the same folder as the installer which makes it as a high complexity attack vector." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-427", + "description": "Uncontrolled Search Path Element (CWE-427)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:29", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/creative-cloud/apsb22-11.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Creative Cloud Desktop Uncontrolled Search Path Element Arbitrary code execution", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23202", + "STATE": "PUBLIC", + "TITLE": "Adobe Creative Cloud Desktop Uncontrolled Search Path Element Arbitrary code execution" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Creative Cloud (desktop component)", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "2.7.0.13" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Creative Cloud Desktop version 2.7.0.13 (and earlier) is affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must download a malicious DLL file. The attacker has to deliver the DLL on the same folder as the installer which makes it as a high complexity attack vector." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "High", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 7, + "baseSeverity": "High", + "confidentialityImpact": "High", + "integrityImpact": "High", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Uncontrolled Search Path Element (CWE-427)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/creative-cloud/apsb22-11.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/creative-cloud/apsb22-11.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:16.327Z" + }, + "references": [ + { + "name": "Test (7404/24750) [3654/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23202" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23202", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:58:16.327Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Photoshop", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "23.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "22.5.4", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Photoshop versions 22.5.4 (and earlier) and 23.1 (and earlier) are affected by a buffer overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file in Photoshop." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "description": "Buffer Overflow (CWE-120)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:25", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/photoshop/apsb22-08.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Photoshop Buffer Overflow could lead to Arbitrary code execution", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23203", + "STATE": "PUBLIC", + "TITLE": "Adobe Photoshop Buffer Overflow could lead to Arbitrary code execution" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Photoshop", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "23.1" + }, + { + "version_affected": "<=", + "version_value": "22.5.4" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Photoshop versions 22.5.4 (and earlier) and 23.1 (and earlier) are affected by a buffer overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a crafted file in Photoshop." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 7.8, + "baseSeverity": "High", + "confidentialityImpact": "High", + "integrityImpact": "High", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Buffer Overflow (CWE-120)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/photoshop/apsb22-08.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/photoshop/apsb22-08.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:16.643Z" + }, + "references": [ + { + "name": "Test (7405/24750) [3655/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23203" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23203", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:58:16.643Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Premiere Rush", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "2.0", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-02-08T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Premiere Rush versions 2.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 5.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "description": "Out-of-bounds Read (CWE-125)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T16:38:26", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/premiere_rush/apsb22-06.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Premiere Rush JPEG File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-02-08T23:00:00.000Z", + "ID": "CVE-2022-23204", + "STATE": "PUBLIC", + "TITLE": "Adobe Premiere Rush JPEG File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Premiere Rush", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "2.0" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Premiere Rush versions 2.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "None", + "baseScore": 5.5, + "baseSeverity": "Medium", + "confidentialityImpact": "High", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Read (CWE-125)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/premiere_rush/apsb22-06.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/premiere_rush/apsb22-06.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:16.968Z" + }, + "references": [ + { + "name": "Test (7406/24750) [3656/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23204" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23204", + "datePublished": "2022-02-08T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:58:16.968Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Photoshop", + "vendor": "Adobe", + "versions": [ + { + "lessThanOrEqual": "22.5.6", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "23.2.2", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + }, + { + "lessThanOrEqual": "None", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-04-12T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "Adobe Photoshop versions 22.5.6 (and earlier)and 23.2.2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ], + "metrics": [ + { + "cvssV3_0": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.0" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-787", + "description": "Out-of-bounds Write (CWE-787)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-06T17:02:16", + "orgId": "078d4453-3bcd-4900-85e6-15281da43538", + "shortName": "adobe" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://helpx.adobe.com/security/products/photoshop/apsb22-20.html" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Adobe Photoshop Font Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability", + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@adobe.com", + "DATE_PUBLIC": "2022-04-12T23:00:00.000Z", + "ID": "CVE-2022-23205", + "STATE": "PUBLIC", + "TITLE": "Adobe Photoshop Font Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Photoshop", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "22.5.6" + }, + { + "version_affected": "<=", + "version_value": "23.2.2" + }, + { + "version_affected": "<=", + "version_value": "None" + }, + { + "version_affected": "<=", + "version_value": "None" + } + ] + } + } + ] + }, + "vendor_name": "Adobe" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Adobe Photoshop versions 22.5.6 (and earlier)and 23.2.2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 7.8, + "baseSeverity": "High", + "confidentialityImpact": "High", + "integrityImpact": "High", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "Required", + "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Out-of-bounds Write (CWE-787)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://helpx.adobe.com/security/products/photoshop/apsb22-20.html", + "refsource": "MISC", + "url": "https://helpx.adobe.com/security/products/photoshop/apsb22-20.html" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:17.308Z" + }, + "references": [ + { + "name": "Test (7407/24750) [3657/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23205" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", + "assignerShortName": "adobe", + "cveId": "CVE-2022-23205", + "datePublished": "2022-04-12T00:00:00", + "dateReserved": "2022-01-12T00:00:00", + "dateUpdated": "2024-06-03T14:58:17.308Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Apache Traffic Control", + "vendor": "Apache Software Foundation", + "versions": [ + { + "changes": [ + { + "at": "5.1.6", + "status": "unaffected" + } + ], + "lessThan": "6.1.0", + "status": "affected", + "version": "Traffic Ops", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Apache Traffic Control would like to thank walkerxiong of SecCoder Security Lab for reporting this issue." + } + ], + "descriptions": [ + { + "lang": "en", + "value": "In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-918", + "description": "CWE-918 Server-Side Request Forgery (SSRF)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-06T15:15:10", + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth", + "workarounds": [ + { + "lang": "en", + "value": "6.0.x user should upgrade to 6.1.0.\n5.1.x users should upgrade to 5.1.6 or 6.1.0." + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@apache.org", + "ID": "CVE-2022-23206", + "STATE": "PUBLIC", + "TITLE": "Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache Traffic Control", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "Traffic Ops", + "version_value": "6.1.0" + }, + { + "version_affected": "<", + "version_name": "Traffic Ops", + "version_value": "5.1.6" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Apache Traffic Control would like to thank walkerxiong of SecCoder Security Lab for reporting this issue." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + {} + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-918 Server-Side Request Forgery (SSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f", + "refsource": "MISC", + "url": "https://lists.apache.org/thread/lsrd2mqj29vrvwsh8g0d560vvz8n126f" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "en", + "value": "6.0.x user should upgrade to 6.1.0.\n5.1.x users should upgrade to 5.1.6 or 6.1.0." + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:17.619Z" + }, + "references": [ + { + "name": "Test (7408/24750) [3658/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23206" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2022-23206", + "datePublished": "2022-02-06T15:15:10", + "dateReserved": "2022-01-13T00:00:00", + "dateUpdated": "2024-06-03T14:58:17.619Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23218", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:58:17.930Z", + "dateReserved": "2022-01-14T00:00:00", + "datePublished": "2022-01-14T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-10-17T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=28768" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "name": "GLSA-202208-24", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202208-24" + }, + { + "name": "[debian-lts-announce] 20221017 [SECURITY] [DLA 3152-1] glibc security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2023-12-05T00:00:00+00:00", + "options": [ + { + "Exploitation": "None" + }, + { + "Automatable": "Yes" + }, + { + "Technical Impact": "Total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-23218" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2023-12-06T05:00:39.659Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:17.930Z" + }, + "references": [ + { + "name": "Test (7409/24750) [3659/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23218" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23219", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:58:18.240Z", + "dateReserved": "2022-01-14T00:00:00", + "datePublished": "2022-01-14T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-10-17T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22542" + }, + { + "name": "GLSA-202208-24", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202208-24" + }, + { + "name": "[debian-lts-announce] 20221017 [SECURITY] [DLA 3152-1] glibc security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2022-07-29T00:00:00+00:00", + "options": [ + { + "Exploitation": "PoC" + }, + { + "Automatable": "No" + }, + { + "Technical Impact": "Total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-23219" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2023-12-06T05:00:35.253Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:18.240Z" + }, + "references": [ + { + "name": "Test (7410/24750) [3660/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23219" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2023-10-26T06:06:16.049280" + }, + "descriptions": [ + { + "lang": "en", + "value": "USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/gregkh/usbview/commit/bf374fa4e5b9a756789dfd88efa93806a395463b" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2022/01/21/1" + }, + { + "name": "DSA-5052", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5052" + }, + { + "name": "[oss-security] 20220122 Re: usbview polkit policy local root exploit (CVE-2022-23220)", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/22/1" + }, + { + "name": "GLSA-202310-15", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202310-15" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:18.563Z" + }, + "references": [ + { + "name": "Test (7411/24750) [3661/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23220" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23220", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:58:18.563Z", + "dateReserved": "2022-01-14T00:00:00", + "datePublished": "2022-01-21T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2023-08-18T13:06:46.031809" + }, + "descriptions": [ + { + "lang": "en", + "value": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/h2database/h2database/security/advisories" + }, + { + "name": "20220124 Unauthenticated RCE vuln in the H2 Database console: CVE-2022-23221.", + "tags": [ + "mailing-list" + ], + "url": "http://seclists.org/fulldisclosure/2022/Jan/39" + }, + { + "name": "[debian-lts-announce] 20220215 [SECURITY] [DLA 2923-1] h2database security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html" + }, + { + "name": "DSA-5076", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5076" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://github.com/h2database/h2database/releases/tag/version-2.1.210" + }, + { + "url": "https://twitter.com/d0nkey_man/status/1483824727936450564" + }, + { + "url": "http://packetstormsecurity.com/files/165676/H2-Database-Console-Remote-Code-Execution.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230818-0011/" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2024-02-12T00:00:00+00:00", + "options": [ + { + "Exploitation": "PoC" + }, + { + "Automatable": "Yes" + }, + { + "Technical Impact": "Total" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-23221" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2024-02-13T05:00:40.697Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:18.879Z" + }, + "references": [ + { + "name": "Test (7412/24750) [3662/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23221" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23221", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:58:18.879Z", + "dateReserved": "2022-01-14T00:00:00", + "datePublished": "2022-01-19T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2024-03-25T00:10:53.963364" + }, + "descriptions": [ + { + "lang": "en", + "value": "kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://www.openwall.com/lists/oss-security/2022/01/13/1" + }, + { + "name": "[oss-security] 20220114 Re: Linux Kernel eBPF Improper Input Validation Vulnerability", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/14/1" + }, + { + "name": "[oss-security] 20220118 Re: Linux Kernel eBPF Improper Input Validation Vulnerability", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/18/2" + }, + { + "name": "DSA-5050", + "tags": [ + "vendor-advisory" + ], + "url": "https://www.debian.org/security/2022/dsa-5050" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220217-0002/" + }, + { + "name": "FEDORA-2022-952bb7b856", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FCR3LIRUEXR7CA63W5M2HT3K63MZGKBR/" + }, + { + "name": "FEDORA-2022-edbd74424e", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z5VTIZZUPC73IEJNZX66BY2YCBRZAELB/" + }, + { + "name": "[oss-security] 20220601 Re: Linux Kernel eBPF Improper Input Validation Vulnerability", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/06/01/1" + }, + { + "name": "[oss-security] 20220604 Re: Linux Kernel eBPF Improper Input Validation Vulnerability", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/06/04/3" + }, + { + "name": "[oss-security] 20220607 Re: Linux Kernel eBPF Improper Input Validation Vulnerability", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/06/07/3" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=64620e0a1e712a778095bd35cbb277dc2259281f" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1194765" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:19.195Z" + }, + "references": [ + { + "name": "Test (7413/24750) [3663/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23222" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23222", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:58:19.195Z", + "dateReserved": "2022-01-14T00:00:00", + "datePublished": "2022-01-14T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Apache ShenYu (incubating) ", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThan": "2.4.2", + "status": "affected", + "version": "Apache ShenYu (incubating) ", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-522", + "description": "CWE-522 Insufficiently Protected Credentials", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache", + "dateUpdated": "2023-10-04T08:00:34.196Z" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" + }, + { + "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7" + }, + { + "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Apache ShenYu Password leakage", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@apache.org", + "ID": "CVE-2022-23223", + "STATE": "PUBLIC", + "TITLE": "Apache ShenYu Password leakage" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache ShenYu (incubating) ", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "Apache ShenYu (incubating) ", + "version_value": "2.4.2" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The HTTP response will disclose the user password. This issue affected Apache ShenYu 2.4.0 and 2.4.1." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + {} + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-522 Insufficiently Protected Credentials" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s", + "refsource": "MISC", + "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" + }, + { + "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7" + }, + { + "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:19.523Z" + }, + "references": [ + { + "name": "Test (7414/24750) [3664/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23223" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2022-23223", + "datePublished": "2022-01-25T13:00:22", + "dateReserved": "2022-01-14T00:00:00", + "dateUpdated": "2024-06-03T14:58:19.523Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-14T17:13:57", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/rapid7/metasploit-framework/pull/16044" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://news.ycombinator.com/item?id=29936569" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23227", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd", + "refsource": "MISC", + "url": "https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd" + }, + { + "name": "https://github.com/rapid7/metasploit-framework/pull/16044", + "refsource": "MISC", + "url": "https://github.com/rapid7/metasploit-framework/pull/16044" + }, + { + "name": "https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device", + "refsource": "MISC", + "url": "https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device" + }, + { + "name": "https://news.ycombinator.com/item?id=29936569", + "refsource": "MISC", + "url": "https://news.ycombinator.com/item?id=29936569" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:19.823Z" + }, + "references": [ + { + "name": "Test (7415/24750) [3665/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23227" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23227", + "datePublished": "2022-01-14T17:13:57", + "dateReserved": "2022-01-14T00:00:00", + "dateUpdated": "2024-06-03T14:58:19.823Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Pexip Infinity before 27.0 has improper WebRTC input validation. An unauthenticated remote attacker can use excessive resources, temporarily causing denial of service." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-18T21:50:04", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://docs.pexip.com/admin/security_bulletins.htm" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23228", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Pexip Infinity before 27.0 has improper WebRTC input validation. An unauthenticated remote attacker can use excessive resources, temporarily causing denial of service." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://docs.pexip.com/admin/security_bulletins.htm", + "refsource": "MISC", + "url": "https://docs.pexip.com/admin/security_bulletins.htm" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:20.143Z" + }, + "references": [ + { + "name": "Test (7416/24750) [3666/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23228" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23228", + "datePublished": "2022-02-18T21:50:04", + "dateReserved": "2022-01-14T00:00:00", + "dateUpdated": "2024-06-03T14:58:20.143Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "StorageGRID (formerly StorageGRID Webscale)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Prior to 11.6.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user accounts to access S3 data to which they previously had access. StorageGRID 11.6.0 obtains the user account status from Active Directory or Azure and will block S3 access for disabled user accounts during the subsequent background synchronization. User accounts that are expired or locked for Active Directory or Azure, or user accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure must be manually removed from group memberships or have their S3 keys manually removed from Tenant Manager in all versions of StorageGRID (formerly StorageGRID Webscale)." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Access Bypass", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-04T17:21:50", + "orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "shortName": "netapp" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.netapp.com/advisory/NTAP-20220303-0009/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-alert@netapp.com", + "ID": "CVE-2022-23232", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "StorageGRID (formerly StorageGRID Webscale)", + "version": { + "version_data": [ + { + "version_value": "Prior to 11.6.0" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user accounts to access S3 data to which they previously had access. StorageGRID 11.6.0 obtains the user account status from Active Directory or Azure and will block S3 access for disabled user accounts during the subsequent background synchronization. User accounts that are expired or locked for Active Directory or Azure, or user accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure must be manually removed from group memberships or have their S3 keys manually removed from Tenant Manager in all versions of StorageGRID (formerly StorageGRID Webscale)." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Access Bypass" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.netapp.com/advisory/NTAP-20220303-0009/", + "refsource": "MISC", + "url": "https://security.netapp.com/advisory/NTAP-20220303-0009/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:20.477Z" + }, + "references": [ + { + "name": "Test (7417/24750) [3667/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23232" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "assignerShortName": "netapp", + "cveId": "CVE-2022-23232", + "datePublished": "2022-03-04T17:21:50", + "dateReserved": "2022-01-14T00:00:00", + "dateUpdated": "2024-06-03T14:58:20.477Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "StorageGRID (formerly StorageGRID Webscale)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Prior to 11.6.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could lead to Denial of Service (DoS) of the Local Distribution Router (LDR) service." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Denial of Service", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-04T17:22:54", + "orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "shortName": "netapp" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.netapp.com/advisory/NTAP-20220303-0010/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-alert@netapp.com", + "ID": "CVE-2022-23233", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "StorageGRID (formerly StorageGRID Webscale)", + "version": { + "version_data": [ + { + "version_value": "Prior to 11.6.0" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could lead to Denial of Service (DoS) of the Local Distribution Router (LDR) service." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Denial of Service" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.netapp.com/advisory/NTAP-20220303-0010/", + "refsource": "MISC", + "url": "https://security.netapp.com/advisory/NTAP-20220303-0010/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:20.773Z" + }, + "references": [ + { + "name": "Test (7418/24750) [3668/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23233" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "assignerShortName": "netapp", + "cveId": "CVE-2022-23233", + "datePublished": "2022-03-04T17:22:54", + "dateReserved": "2022-01-14T00:00:00", + "dateUpdated": "2024-06-03T14:58:20.773Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "SnapCenter", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Versions prior to 4.5" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "SnapCenter versions prior to 4.5 are susceptible to a vulnerability which could allow a local authenticated attacker to discover plaintext HANA credentials." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Disclosure of Sensitive Information", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-16T14:12:31", + "orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "shortName": "netapp" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.netapp.com/advisory/ntap-20220228-0001/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-alert@netapp.com", + "ID": "CVE-2022-23234", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SnapCenter", + "version": { + "version_data": [ + { + "version_value": "Versions prior to 4.5" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "SnapCenter versions prior to 4.5 are susceptible to a vulnerability which could allow a local authenticated attacker to discover plaintext HANA credentials." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Disclosure of Sensitive Information" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.netapp.com/advisory/ntap-20220228-0001/", + "refsource": "MISC", + "url": "https://security.netapp.com/advisory/ntap-20220228-0001/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:21.072Z" + }, + "references": [ + { + "name": "Test (7419/24750) [3669/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23234" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "assignerShortName": "netapp", + "cveId": "CVE-2022-23234", + "datePublished": "2022-03-16T14:12:31", + "dateReserved": "2022-01-14T00:00:00", + "dateUpdated": "2024-06-03T14:58:21.072Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Active IQ Unified Manager", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "prior to 9.10P1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.10P1 are susceptible to a vulnerability which could allow an attacker to discover cluster, node and Active IQ Unified Manager specific information via AutoSupport telemetry data that is sent even when AutoSupport has been disabled." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information Disclosure", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-25T17:25:48", + "orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "shortName": "netapp" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.netapp.com/advisory/ntap-20220324-0001/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-alert@netapp.com", + "ID": "CVE-2022-23235", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Active IQ Unified Manager", + "version": { + "version_data": [ + { + "version_value": "prior to 9.10P1" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.10P1 are susceptible to a vulnerability which could allow an attacker to discover cluster, node and Active IQ Unified Manager specific information via AutoSupport telemetry data that is sent even when AutoSupport has been disabled." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Information Disclosure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.netapp.com/advisory/ntap-20220324-0001/", + "refsource": "MISC", + "url": "https://security.netapp.com/advisory/ntap-20220324-0001/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:21.400Z" + }, + "references": [ + { + "name": "Test (7420/24750) [3670/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23235" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "assignerShortName": "netapp", + "cveId": "CVE-2022-23235", + "datePublished": "2022-08-25T17:25:48", + "dateReserved": "2022-01-14T00:00:00", + "dateUpdated": "2024-06-03T14:58:21.400Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "E-Series SANtricity OS Controller Software 11.x", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "11.40 through 11.70.2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "E-Series SANtricity OS Controller Software versions 11.40 through 11.70.2 store the LDAP BIND password in plaintext within a file accessible only to privileged users." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information Disclosure", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-01T13:46:06", + "orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "shortName": "netapp" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.netapp.com/advisory/NTAP-20220527-0001/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-alert@netapp.com", + "ID": "CVE-2022-23236", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "E-Series SANtricity OS Controller Software 11.x", + "version": { + "version_data": [ + { + "version_value": "11.40 through 11.70.2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "E-Series SANtricity OS Controller Software versions 11.40 through 11.70.2 store the LDAP BIND password in plaintext within a file accessible only to privileged users." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Information Disclosure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.netapp.com/advisory/NTAP-20220527-0001/", + "refsource": "MISC", + "url": "https://security.netapp.com/advisory/NTAP-20220527-0001/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:21.719Z" + }, + "references": [ + { + "name": "Test (7421/24750) [3671/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23236" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "assignerShortName": "netapp", + "cveId": "CVE-2022-23236", + "datePublished": "2022-06-01T13:46:06", + "dateReserved": "2022-01-14T00:00:00", + "dateUpdated": "2024-06-03T14:58:21.719Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "E-Series SANtricity OS Controller Software 11.x", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "11.x through 11.70.2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "E-Series SANtricity OS Controller Software 11.x versions through 11.70.2 are vulnerable to host header injection attacks that could allow an attacker to redirect users to malicious websites." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Host Header Injection", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-01T13:54:46", + "orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "shortName": "netapp" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.netapp.com/advisory/NTAP-20220527-0002/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-alert@netapp.com", + "ID": "CVE-2022-23237", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "E-Series SANtricity OS Controller Software 11.x", + "version": { + "version_data": [ + { + "version_value": "11.x through 11.70.2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "E-Series SANtricity OS Controller Software 11.x versions through 11.70.2 are vulnerable to host header injection attacks that could allow an attacker to redirect users to malicious websites." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Host Header Injection" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.netapp.com/advisory/NTAP-20220527-0002/", + "refsource": "MISC", + "url": "https://security.netapp.com/advisory/NTAP-20220527-0002/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:22.028Z" + }, + "references": [ + { + "name": "Test (7422/24750) [3672/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23237" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "assignerShortName": "netapp", + "cveId": "CVE-2022-23237", + "datePublished": "2022-06-01T13:54:46", + "dateReserved": "2022-01-14T00:00:00", + "dateUpdated": "2024-06-03T14:58:22.028Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "StorageGRID (formerly StorageGRID Webscale)", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "11.6.0 through 11.6.0.2" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Linux deployments of StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through 11.6.0.2 deployed with a Linux kernel version less than 4.7.0 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to view limited metrics information and modify alert email recipients and content." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Improper Access Control", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-09T20:18:39", + "orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "shortName": "netapp" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.netapp.com/advisory/NTAP-20220808-0001/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-alert@netapp.com", + "ID": "CVE-2022-23238", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "StorageGRID (formerly StorageGRID Webscale)", + "version": { + "version_data": [ + { + "version_value": "11.6.0 through 11.6.0.2" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Linux deployments of StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through 11.6.0.2 deployed with a Linux kernel version less than 4.7.0 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to view limited metrics information and modify alert email recipients and content." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper Access Control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.netapp.com/advisory/NTAP-20220808-0001/", + "refsource": "MISC", + "url": "https://security.netapp.com/advisory/NTAP-20220808-0001/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:22.364Z" + }, + "references": [ + { + "name": "Test (7423/24750) [3673/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23238" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "assignerShortName": "netapp", + "cveId": "CVE-2022-23238", + "datePublished": "2022-08-09T20:18:39", + "dateReserved": "2022-01-14T00:00:00", + "dateUpdated": "2024-06-03T14:58:22.364Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23239", + "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "assignerShortName": "netapp", + "dateUpdated": "2024-06-03T14:58:22.675Z", + "dateReserved": "2022-01-14T00:00:00", + "datePublished": "2023-02-28T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "shortName": "netapp", + "dateUpdated": "2023-02-28T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows administrative users to perform a Stored Cross-Site Scripting (XSS) attack." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows", + "versions": [ + { + "version": "prior to 9.11P1", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://security.netapp.com/advisory/ntap-20220901-0001/" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Stored Cross-Site Scripting (XSS)" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:22.675Z" + }, + "references": [ + { + "name": "Test (7424/24750) [3674/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23239" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23240", + "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "assignerShortName": "netapp", + "dateUpdated": "2024-06-03T14:58:22.983Z", + "dateReserved": "2022-01-14T00:00:00", + "datePublished": "2023-02-28T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "shortName": "netapp", + "dateUpdated": "2023-02-28T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows unauthorized users to update EMS Subscriptions via unspecified vectors." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows", + "versions": [ + { + "version": "prior to 9.11P1", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://security.netapp.com/advisory/ntap-20220901-0002/" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Improper Authorization" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:22.983Z" + }, + "references": [ + { + "name": "Test (7425/24750) [3675/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23240" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23241", + "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "assignerShortName": "netapp", + "dateUpdated": "2024-06-03T14:58:23.309Z", + "dateReserved": "2022-01-14T00:00:00", + "datePublished": "2022-10-19T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", + "shortName": "netapp", + "dateUpdated": "2022-10-19T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of the retention period." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "Clustered Data ONTAP", + "versions": [ + { + "version": "9.11.1 through 9.11.1P2", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://security.netapp.com/advisory/ntap-20221017-0001/" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Arbitrary Data Modification" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:23.309Z" + }, + "references": [ + { + "name": "Test (7426/24750) [3676/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23241" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "platforms": [ + "Linux" + ], + "product": "TeamViewer for Linux", + "vendor": "TeamViewer", + "versions": [ + { + "lessThanOrEqual": "15.27", + "status": "affected", + "version": "15.27", + "versionType": "custom" + } + ] + } + ], + "datePublic": "2022-03-22T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "TeamViewer Linux versions before 15.28 do not properly execute a deletion command for the connection password in case of a process crash. Knowledge of the crash event and the TeamViewer ID as well as either possession of the pre-crash connection password or local authenticated access to the machine would have allowed to establish a remote connection by reusing the not properly deleted connection password." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 6.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "N/A", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-23T15:18:25", + "orgId": "13430f76-86eb-43b2-a71c-82c956ef31b6", + "shortName": "TV" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.teamviewer.com/en/trust-center/security-bulletins/TV-2022-1001/" + } + ], + "source": { + "advisory": "TV-2022-1001", + "discovery": "UNKNOWN" + }, + "title": "TeamViewer Linux - Deletion command not properly executed after process crash", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@teamviewer.com", + "DATE_PUBLIC": "2022-03-22T15:01:00.000Z", + "ID": "CVE-2022-23242", + "STATE": "PUBLIC", + "TITLE": "TeamViewer Linux - Deletion command not properly executed after process crash" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TeamViewer for Linux", + "version": { + "version_data": [ + { + "platform": "Linux", + "version_affected": "<=", + "version_name": "15.27", + "version_value": "15.27" + } + ] + } + } + ] + }, + "vendor_name": "TeamViewer" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "TeamViewer Linux versions before 15.28 do not properly execute a deletion command for the connection password in case of a process crash. Knowledge of the crash event and the TeamViewer ID as well as either possession of the pre-crash connection password or local authenticated access to the machine would have allowed to establish a remote connection by reusing the not properly deleted connection password." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 6.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "N/A" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.teamviewer.com/en/trust-center/security-bulletins/TV-2022-1001/", + "refsource": "MISC", + "url": "https://www.teamviewer.com/en/trust-center/security-bulletins/TV-2022-1001/" + } + ] + }, + "source": { + "advisory": "TV-2022-1001", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:23.619Z" + }, + "references": [ + { + "name": "Test (7427/24750) [3677/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23242" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "13430f76-86eb-43b2-a71c-82c956ef31b6", + "assignerShortName": "TV", + "cveId": "CVE-2022-23242", + "datePublished": "2022-03-22T00:00:00", + "dateReserved": "2022-01-14T00:00:00", + "dateUpdated": "2024-06-03T14:58:23.619Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Office Information Disclosure Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Office 2019", + "cpes": [ + "cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "19.0.0", + "lessThan": "https://aka.ms/OfficeSecurityReleases", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft 365 Apps for Enterprise", + "cpes": [ + "cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "16.0.1", + "lessThan": "https://aka.ms/OfficeSecurityReleases", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Office LTSC 2021", + "cpes": [ + "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "16.0.1", + "lessThan": "https://aka.ms/OfficeSecurityReleases", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Office 2016", + "cpes": [ + "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*", + "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "16.0.0", + "lessThan": "16.0.5278.1000", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Office 2013 Service Pack 1", + "cpes": [ + "cpe:2.3:a:microsoft:office:2013:sp1:*:*:rt:*:*:*", + "cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:x86:*", + "cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "ARM64-based Systems", + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "15.0.0", + "lessThan": "15.0.5423.1000", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Office Information Disclosure Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information Disclosure", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:35.299Z" + }, + "references": [ + { + "name": "Microsoft Office Information Disclosure Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23252" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.5, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:23.924Z" + }, + "references": [ + { + "name": "Test (7428/24750) [3678/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23252" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23252", + "datePublished": "2022-02-09T16:37:10", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:23.924Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Denial of Service", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:59.915Z" + }, + "references": [ + { + "name": "Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23253" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:24.233Z" + }, + "references": [ + { + "name": "Test (7429/24750) [3679/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23253" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23253", + "datePublished": "2022-03-09T17:06:51", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:24.233Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Power BI Information Disclosure Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "PowerBI-client JS SDK", + "cpes": [ + "cpe:2.3:a:microsoft:powerbi-client_js_sdk:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "2.0.0", + "lessThan": "2.19.1", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Power BI Information Disclosure Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information Disclosure", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:18.493Z" + }, + "references": [ + { + "name": "Microsoft Power BI Information Disclosure Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23254" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 4.9, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:24.550Z" + }, + "references": [ + { + "name": "Test (7430/24750) [3680/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23254" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23254", + "datePublished": "2022-02-09T16:37:12", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:24.550Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft OneDrive for Android Security Feature Bypass Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "OneDrive for Android", + "cpes": [ + "cpe:2.3:a:microsoft:onedrive:-:*:*:*:*:android:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "1.0", + "lessThan": "6.46", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft OneDrive for Android Security Feature Bypass Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Security Feature Bypass", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:35.798Z" + }, + "references": [ + { + "name": "Microsoft OneDrive for Android Security Feature Bypass Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23255" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.9, + "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:24.919Z" + }, + "references": [ + { + "name": "Test (7431/24750) [3681/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23255" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23255", + "datePublished": "2022-02-09T16:37:13", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:24.919Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Azure Data Explorer Spoofing Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Azure Data Explorer", + "cpes": [], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "N/A", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Azure Data Explorer Spoofing Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:36.363Z" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23256" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 8.1, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:25.552Z" + }, + "references": [ + { + "name": "Test (7432/24750) [3682/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23256" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23256", + "datePublished": "2022-02-09T16:37:15", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:25.552Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Hyper-V Remote Code Execution Vulnerability", + "datePublic": "2022-04-12T07:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 11 version 22H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_22H2:10.0.22621.1413:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22621.1413", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1645:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1645", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.643:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.643", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1645:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1645", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.613:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.613", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1645:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1645", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Hyper-V Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2024-05-29T14:36:10.767Z" + }, + "references": [ + { + "name": "Windows Hyper-V Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23257" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 8.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:26.009Z" + }, + "references": [ + { + "name": "Test (7433/24750) [3683/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23257" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23257", + "datePublished": "2022-04-15T19:02:50", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:26.009Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Edge for Android Spoofing Vulnerability", + "datePublic": "2022-01-21T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Edge for Android", + "cpes": [ + "cpe:2.3:a:microsoft:edge:-:*:*:*:*:android:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "1.0.0", + "lessThan": "97.0.1072.69", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Edge for Android Spoofing Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Spoofing", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2024-05-29T03:03:50.972Z" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23258" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 4.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:26.408Z" + }, + "references": [ + { + "name": "Test (7434/24750) [3684/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23258" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23258", + "datePublished": "2022-01-25T21:23:16", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:26.408Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability", + "datePublic": "2022-04-12T07:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Dynamics 365 (on-premises) version 9.0", + "cpes": [ + "cpe:2.3:a:microsoft:dynamics_365:9.0:*:*:*:on-premises:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "9.0.0", + "lessThan": "9.0.37.2", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Dynamics 365 (on-premises) version 9.1", + "cpes": [ + "cpe:2.3:a:microsoft:dynamics_365:9.1:*:*:*:on-premises:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "9.0", + "lessThan": "9.1.9.8", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2024-05-29T14:36:08.575Z" + }, + "references": [ + { + "name": "Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23259" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 8.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:26.715Z" + }, + "references": [ + { + "name": "Test (7435/24750) [3685/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23259" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23259", + "datePublished": "2022-04-15T19:02:52", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:26.715Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Edge (Chromium-based) Tampering Vulnerability", + "datePublic": "2022-02-03T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Edge (Chromium-based)", + "cpes": [ + "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "1.0.0", + "lessThan": "98.0.1108.43", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Edge (Chromium-based) Tampering Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Tampering", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:36.905Z" + }, + "references": [ + { + "name": "Microsoft Edge (Chromium-based) Tampering Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23261" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:27.015Z" + }, + "references": [ + { + "name": "Test (7436/24750) [3686/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23261" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23261", + "datePublished": "2022-02-07T17:10:12", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:27.015Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability", + "datePublic": "2022-02-03T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Edge (Chromium-based)", + "cpes": [ + "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "1.0.0", + "lessThan": "98.0.1108.43", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:37.458Z" + }, + "references": [ + { + "name": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23262" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 6.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:27.335Z" + }, + "references": [ + { + "name": "Test (7437/24750) [3687/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23262" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23262", + "datePublished": "2022-02-07T17:10:13", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:27.335Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability", + "datePublic": "2022-02-03T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Edge (Chromium-based)", + "cpes": [ + "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "1.0.0", + "lessThan": "98.0.1108.43", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:37.956Z" + }, + "references": [ + { + "name": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23263" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.7, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:27.646Z" + }, + "references": [ + { + "name": "Test (7438/24750) [3688/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23263" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23263", + "datePublished": "2022-02-07T17:10:15", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:27.646Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23264", + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "state": "PUBLISHED", + "assignerShortName": "microsoft", + "dateReserved": "2022-01-15T00:25:21.994Z", + "datePublished": "2023-06-29T04:25:21.701Z", + "dateUpdated": "2024-06-03T14:58:27.956Z" + }, + "containers": { + "cna": { + "title": "Microsoft Edge (Chromium-based) Spoofing Vulnerability", + "datePublic": "2022-02-10T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Edge (Chromium-based)", + "cpes": [ + "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "1.0.0", + "lessThan": "98.0.1108.50", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Edge (Chromium-based) Spoofing Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Spoofing", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:38.624Z" + }, + "references": [ + { + "name": "Microsoft Edge (Chromium-based) Spoofing Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23264" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 4.7, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:27.956Z" + }, + "references": [ + { + "name": "Test (7439/24750) [3689/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23264" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "title": "Microsoft Defender for IoT Remote Code Execution Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Defender for IoT", + "cpes": [ + "cpe:2.3:a:microsoft:defender_for_iot:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "22.0.0", + "lessThan": "22.1.2", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Defender for IoT Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:41.846Z" + }, + "references": [ + { + "name": "Microsoft Defender for IoT Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23265" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.2, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:28.286Z" + }, + "references": [ + { + "name": "Test (7440/24750) [3690/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23265" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23265", + "datePublished": "2022-03-09T17:06:52", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:28.286Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Defender for IoT Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Defender for IoT", + "cpes": [ + "cpe:2.3:a:microsoft:defender_for_iot:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "22.0.0", + "lessThan": "22.1.2", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Defender for IoT Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:42.360Z" + }, + "references": [ + { + "name": "Microsoft Defender for IoT Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23266" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:28.604Z" + }, + "references": [ + { + "name": "Test (7441/24750) [3691/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23266" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23266", + "datePublished": "2022-03-09T17:06:54", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:28.604Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": ".NET and Visual Studio Denial of Service Vulnerability", + "datePublic": "2022-05-10T07:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": ".NET Core 3.1", + "cpes": [ + "cpe:2.3:a:microsoft:.net_core:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "3.1", + "lessThan": "3.1.25", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": ".NET 5.0", + "cpes": [ + "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "5.0.0", + "lessThan": "5.0.17", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)", + "cpes": [ + "cpe:2.3:a:microsoft:visual_studio_2019:16.9:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "15.0.0", + "lessThan": "16.9.21", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Visual Studio 2019 for Mac version 8.10", + "cpes": [ + "cpe:2.3:a:microsoft:visual_studio_2019:8.10:*:*:*:*:macos:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "8.1.0", + "lessThan": "8.10.24", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)", + "cpes": [ + "cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "16.11.0", + "lessThan": "16.11.14", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Visual Studio 2022 version 17.0", + "cpes": [ + "cpe:2.3:a:microsoft:visual_studio_2022:17.0:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "17.0.0", + "lessThan": "17.0.10", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": ".NET 6.0", + "cpes": [ + "cpe:2.3:a:microsoft:.net:6.0.0:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.5", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Visual Studio 2022 version 17.1", + "cpes": [ + "cpe:2.3:a:microsoft:visual_studio_2022:17.1:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "17.0.0", + "lessThan": "17.1.7", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "PowerShell 7.0", + "cpes": [ + "cpe:2.3:a:microsoft:powershell_core:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "7.0.0", + "lessThan": "7.0.11", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "PowerShell 7.2", + "cpes": [ + "cpe:2.3:a:microsoft:powershell:7.2:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "7.2.0", + "lessThan": "7.2.4", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Visual Studio 2022 for Mac version 17.0", + "cpes": [ + "cpe:2.3:a:microsoft:visual_studio_2022:17.0:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "17.0.0", + "lessThan": "17.0.3", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": ".NET and Visual Studio Denial of Service Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Denial of Service", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2024-05-29T14:27:19.793Z" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23267" + }, + { + "name": "FEDORA-2022-d69fee9f38", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IBYSBUDJYQ76HK4TULXVIIPCKK2U6WDB/" + }, + { + "name": "FEDORA-2022-9a1d5ea33c", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GNXQL7EZORGU4PZCPJ5EPQ4P7IEY3ZZO/" + }, + { + "name": "FEDORA-2022-256d559f0c", + "tags": [ + "vendor-advisory", + "x_refsource_FEDORA" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W5FPEQ6BTYRGTS6IYCDTZW6YF5HLQ3BY/" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:28.946Z" + }, + "references": [ + { + "name": "Test (7442/24750) [3692/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23267" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23267", + "datePublished": "2022-05-10T20:33:32", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:28.946Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Hyper-V Denial of Service Vulnerability", + "datePublic": "2022-04-12T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.643:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.643", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.613:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.613", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Hyper-V Denial of Service Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Denial of Service", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2024-05-29T14:36:07.440Z" + }, + "references": [ + { + "name": "Windows Hyper-V Denial of Service Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23268" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 6.5, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:29.353Z" + }, + "references": [ + { + "name": "Test (7443/24750) [3693/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23268" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23268", + "datePublished": "2022-04-15T19:02:54", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:29.353Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Dynamics GP Spoofing Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Dynamics GP", + "cpes": [ + "cpe:2.3:a:microsoft:dynamics_gp:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "18.0.0", + "lessThan": "18.4.1434", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Dynamics GP Spoofing Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Spoofing", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:19.026Z" + }, + "references": [ + { + "name": "Microsoft Dynamics GP Spoofing Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23269" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.4, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:29.668Z" + }, + "references": [ + { + "name": "Test (7444/24750) [3694/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23269" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23269", + "datePublished": "2022-02-09T16:37:21", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:29.668Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability", + "datePublic": "2022-05-10T07:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2928:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2928:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2928:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2928", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2928:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2928", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2928:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2928", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2274:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2274:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2274:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2274", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1706:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1706:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1706:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1706", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.707:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.707", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1706:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1706:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1706", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1706:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1706", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.675:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.675:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.675", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19043.1706:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1706:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1706:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1706", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.19044.1706", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19297:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19297:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19297", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5125:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5125:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5125", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5125:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5125", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5125:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5125", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25954:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25954", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25954:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25954", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20371:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20365:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20371:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20365:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20367:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20371", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20365", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20367", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21481:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21481", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21481:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21481:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21481", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21481:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21481", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25954:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25954", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25954:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25954", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23714:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23714", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23714:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23714", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20371:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20365:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20371", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20365", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20371:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20365:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20371", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20365", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2024-05-29T14:27:17.578Z" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23270" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 8.1, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:29.979Z" + }, + "references": [ + { + "name": "Test (7445/24750) [3695/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23270" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23270", + "datePublished": "2022-05-10T20:33:33", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:29.979Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Dynamics GP Elevation Of Privilege Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Dynamics GP", + "cpes": [ + "cpe:2.3:a:microsoft:dynamics_gp:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "18.0.0", + "lessThan": "18.4.1434", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Dynamics GP Elevation Of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:19.576Z" + }, + "references": [ + { + "name": "Microsoft Dynamics GP Elevation Of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23271" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 6.5, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:30.307Z" + }, + "references": [ + { + "name": "Test (7446/24750) [3696/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23271" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23271", + "datePublished": "2022-02-09T16:37:23", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:30.307Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Dynamics GP Elevation Of Privilege Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Dynamics GP", + "cpes": [ + "cpe:2.3:a:microsoft:dynamics_gp:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "18.0.0", + "lessThan": "18.4.1434", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Dynamics GP Elevation Of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:20.125Z" + }, + "references": [ + { + "name": "Microsoft Dynamics GP Elevation Of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23272" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 8.1, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:30.635Z" + }, + "references": [ + { + "name": "Test (7447/24750) [3697/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23272" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23272", + "datePublished": "2022-02-09T16:37:24", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:30.635Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Dynamics GP Elevation Of Privilege Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Dynamics GP", + "cpes": [ + "cpe:2.3:a:microsoft:dynamics_gp:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "18.0.0", + "lessThan": "18.4.1434", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Dynamics GP Elevation Of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:20.650Z" + }, + "references": [ + { + "name": "Microsoft Dynamics GP Elevation Of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23273" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.1, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:30.970Z" + }, + "references": [ + { + "name": "Test (7448/24750) [3698/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23273" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23273", + "datePublished": "2022-02-09T16:37:25", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:30.970Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Dynamics GP Remote Code Execution Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Dynamics GP", + "cpes": [ + "cpe:2.3:a:microsoft:dynamics_gp:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "18.0.0", + "lessThan": "18.4.1434", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Dynamics GP Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:21.136Z" + }, + "references": [ + { + "name": "Microsoft Dynamics GP Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23274" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 8.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:31.386Z" + }, + "references": [ + { + "name": "Test (7449/24750) [3699/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23274" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23274", + "datePublished": "2022-02-09T16:37:27", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:31.386Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "SQL Server for Linux Containers Elevation of Privilege Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "SQL Server 2019 for Linux Containers", + "cpes": [ + "cpe:2.3:a:microsoft:sql_server:2019:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "15.0.0", + "lessThan": "15.0.2090.38", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "SQL Server for Linux Containers Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:21.711Z" + }, + "references": [ + { + "name": "SQL Server for Linux Containers Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23276" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:31.711Z" + }, + "references": [ + { + "name": "Test (7450/24750) [3700/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23276" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23276", + "datePublished": "2022-02-09T16:37:28", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:31.711Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Exchange Server 2013 Cumulative Update 23", + "cpes": [ + "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "15.00.0", + "lessThan": "15.00.1497.033", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Exchange Server 2016 Cumulative Update 21", + "cpes": [ + "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "15.01.0", + "lessThan": "15.01.2308.027", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Exchange Server 2019 Cumulative Update 10", + "cpes": [ + "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "15.02.0", + "lessThan": "15.02.0922.027", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Exchange Server 2016 Cumulative Update 22", + "cpes": [ + "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "15.0.0", + "lessThan": "15.01.2375.024", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Exchange Server 2019 Cumulative Update 11", + "cpes": [ + "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "15.02.0", + "lessThan": "15.02.0986.022", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Exchange Server Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:32:00.457Z" + }, + "references": [ + { + "name": "Microsoft Exchange Server Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23277" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 8.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:32.019Z" + }, + "references": [ + { + "name": "Test (7451/24750) [3701/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23277" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23277", + "datePublished": "2022-03-09T17:06:55", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:32.019Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Defender for Endpoint Spoofing Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Defender for Endpoint for Linux", + "cpes": [ + "cpe:2.3:a:microsoft:defender_for_endpoint:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "101.0.0", + "lessThan": "101.60.93", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Defender for Endpoint for Mac", + "cpes": [ + "cpe:2.3:a:microsoft:defender_for_endpoint:-:*:*:*:*:macos:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "101.0.0", + "lessThan": "101.60.91", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Defender for Endpoint for Android", + "cpes": [ + "cpe:2.3:a:microsoft:defender_for_endpoint:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "1.0.0.0", + "lessThan": "1.0.3011.0302", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Defender for Endpoint for iOS", + "cpes": [ + "cpe:2.3:a:microsoft:defender_for_endpoint:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "1.0.0.0", + "lessThan": "1.1.18090109", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Defender for Endpoint for Windows", + "cpes": [ + "cpe:2.3:a:microsoft:defender_for_endpoint:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Windows 10 Version 20H2 for 32-bit Systems", + "Windows 10 Version 1909 for ARM64-based Systems", + "Windows Server, version 20H2 (Server Core Installation)", + "Windows 11 version 21H2 for x64-based Systems", + "Windows 10 Version 21H2 for 32-bit Systems", + "Windows 11 version 21H2 for ARM64-based Systems", + "Windows 10 Version 1909 for x64-based Systems", + "Windows Server 2022", + "Windows Server 2022 Datacenter: Azure Edition", + "Windows 10 Version 1909 for 32-bit Systems", + "Windows 10 Version 21H1 for ARM64-based Systems", + "Windows 10 Version 20H2 for ARM64-based Systems", + "Windows Server 2019 (Server Core installation)", + "Windows 10 Version 21H1 for 32-bit Systems", + "Windows 10 Version 21H2 for x64-based Systems", + "Windows 10 Version 21H2 for ARM64-based Systems", + "Windows Server 2022 (Server Core installation)", + "Windows 10 Version 21H1 for x64-based Systems", + "Windows Server 2019", + "Windows 10 Version 1809 for x64-based Systems", + "Windows 10 Version 1809 for ARM64-based Systems", + "Windows 10 Version 1809 for 32-bit Systems" + ], + "versions": [ + { + "version": "1.0.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + }, + { + "version": "1.0.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + }, + { + "version": "1.0.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + }, + { + "version": "1.0.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + }, + { + "version": "1.0.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "1.0.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + }, + { + "version": "1.0.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + }, + { + "version": "1.0.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Microsoft Defender for Endpoint EDR sensor", + "cpes": [ + "cpe:2.3:a:microsoft:defender_for_endpoint_edr_sensor:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Windows Server 2016", + "Windows Server 2016 (Server Core installation)", + "Windows Server 2012 R2", + "Windows Server 2012 R2 (Server Core installation)" + ], + "versions": [ + { + "version": "1.0.0.0", + "lessThan": "10.8047.22439", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Defender for Endpoint Spoofing Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Spoofing", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:32:00.962Z" + }, + "references": [ + { + "name": "Microsoft Defender for Endpoint Spoofing Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23278" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.9, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:32.336Z" + }, + "references": [ + { + "name": "Test (7452/24750) [3702/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23278" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23278", + "datePublished": "2022-03-09T17:06:57", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:32.336Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows ALPC Elevation of Privilege Vulnerability", + "datePublic": "2022-05-10T07:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2274:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2274:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2274:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2274", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1706:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1706:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1706:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1706", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.707:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.707", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1706:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1706:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1706", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1706:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1706", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.675:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.675:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.675", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19043.1706:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1706:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1706:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1706", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.19044.1706", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows ALPC Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2024-05-29T14:27:53.284Z" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23279" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:32.643Z" + }, + "references": [ + { + "name": "Test (7453/24750) [3703/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23279" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23279", + "datePublished": "2022-05-10T20:33:35", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:32.643Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Outlook for Mac Security Feature Bypass Vulnerability", + "datePublic": "2022-02-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft Outlook 2016 for Mac", + "cpes": [ + "cpe:2.3:a:microsoft:outlook_2016:*:*:*:*:*:macos:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "16.0", + "lessThan": "16.57", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Outlook for Mac Security Feature Bypass Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Security Feature Bypass", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:41:39.208Z" + }, + "references": [ + { + "name": "Microsoft Outlook for Mac Security Feature Bypass Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23280" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:32.943Z" + }, + "references": [ + { + "name": "Test (7454/24750) [3704/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23280" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23280", + "datePublished": "2022-02-09T16:37:30", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:32.943Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Common Log File System Driver Information Disclosure Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Common Log File System Driver Information Disclosure Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information Disclosure", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:32:01.461Z" + }, + "references": [ + { + "name": "Windows Common Log File System Driver Information Disclosure Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23281" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.5, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:33.282Z" + }, + "references": [ + { + "name": "Test (7455/24750) [3705/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23281" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23281", + "datePublished": "2022-03-09T17:06:58", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:33.282Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Paint 3D Remote Code Execution Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Paint 3D", + "cpes": [ + "cpe:2.3:a:microsoft:paint_3d:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.2203.1037.0", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Paint 3D Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:32:01.976Z" + }, + "references": [ + { + "name": "Paint 3D Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23282" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:33.611Z" + }, + "references": [ + { + "name": "Test (7456/24750) [3706/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23282" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23282", + "datePublished": "2022-03-09T17:07:00", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:33.611Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows ALPC Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows ALPC Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:32:02.512Z" + }, + "references": [ + { + "name": "Windows ALPC Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23283" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:33.919Z" + }, + "references": [ + { + "name": "Test (7457/24750) [3707/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23283" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23283", + "datePublished": "2022-03-09T17:07:01", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:33.919Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Print Spooler Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Print Spooler Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:32:03.025Z" + }, + "references": [ + { + "name": "Windows Print Spooler Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23284" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.2, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:34.266Z" + }, + "references": [ + { + "name": "Test (7458/24750) [3708/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23284" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23284", + "datePublished": "2022-03-09T17:07:03", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:34.266Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Remote Desktop Client Remote Code Execution Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Remote Desktop Client Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:32:03.520Z" + }, + "references": [ + { + "name": "Remote Desktop Client Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23285" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 8.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:34.580Z" + }, + "references": [ + { + "name": "Test (7459/24750) [3709/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23285" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23285", + "datePublished": "2022-03-09T17:07:05", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:34.580Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:32:04.028Z" + }, + "references": [ + { + "name": "Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23286" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:34.916Z" + }, + "references": [ + { + "name": "Test (7460/24750) [3710/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23286" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23286", + "datePublished": "2022-03-09T17:07:07", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:34.916Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows ALPC Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows ALPC Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:32:04.533Z" + }, + "references": [ + { + "name": "Windows ALPC Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23287" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:35.231Z" + }, + "references": [ + { + "name": "Test (7461/24750) [3711/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23287" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23287", + "datePublished": "2022-03-09T17:07:08", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:35.231Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows DWM Core Library Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows DWM Core Library Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:32:05.043Z" + }, + "references": [ + { + "name": "Windows DWM Core Library Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23288" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:35.551Z" + }, + "references": [ + { + "name": "Test (7462/24750) [3712/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23288" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23288", + "datePublished": "2022-03-09T17:07:10", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:35.551Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Inking COM Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Inking COM Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:42.851Z" + }, + "references": [ + { + "name": "Windows Inking COM Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23290" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:35.872Z" + }, + "references": [ + { + "name": "Test (7463/24750) [3713/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23290" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23290", + "datePublished": "2022-03-09T17:07:11", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:35.872Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows DWM Core Library Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows DWM Core Library Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:43.375Z" + }, + "references": [ + { + "name": "Windows DWM Core Library Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23291" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:36.209Z" + }, + "references": [ + { + "name": "Test (7464/24750) [3714/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23291" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23291", + "datePublished": "2022-03-09T17:07:13", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:36.209Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Microsoft Power BI Spoofing Vulnerability", + "datePublic": "2022-04-12T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Microsoft On-Premises Data Gateway", + "cpes": [ + "cpe:2.3:a:microsoft:on-premises_data_gateway:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "3000.0.0", + "lessThan": "3000.118.2", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Microsoft Power BI Spoofing Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Spoofing", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2024-05-29T14:36:09.158Z" + }, + "references": [ + { + "name": "Microsoft Power BI Spoofing Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23292" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "LOW", + "baseScore": 3.7, + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:36.523Z" + }, + "references": [ + { + "name": "Test (7465/24750) [3715/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23292" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23292", + "datePublished": "2022-04-15T19:02:55", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:36.523Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Fast FAT File System Driver Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Fast FAT File System Driver Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:43.884Z" + }, + "references": [ + { + "name": "Windows Fast FAT File System Driver Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23293" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:36.849Z" + }, + "references": [ + { + "name": "Test (7466/24750) [3716/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23293" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23293", + "datePublished": "2022-03-09T17:07:14", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:36.849Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Event Tracing Remote Code Execution Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Event Tracing Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:44.393Z" + }, + "references": [ + { + "name": "Windows Event Tracing Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23294" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 8.8, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:37.186Z" + }, + "references": [ + { + "name": "Test (7467/24750) [3717/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23294" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23294", + "datePublished": "2022-03-09T17:07:16", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:37.186Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Raw Image Extension Remote Code Execution Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Raw Image Extension", + "cpes": [ + "cpe:2.3:a:microsoft:raw_image_extension:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Windows 10 Version 1809 for 32-bit Systems", + "Windows 10 Version 1809 for x64-based Systems", + "Windows 10 Version 1809 for ARM64-based Systems", + "Windows 10 Version 1809 for HoloLens", + "Windows 10 Version 1909 for 32-bit Systems", + "Windows 10 Version 1909 for x64-based Systems", + "Windows 10 Version 1909 for ARM64-based Systems", + "Windows 10 Version 21H1 for x64-based Systems", + "Windows 10 Version 21H1 for ARM64-based Systems", + "Windows 10 Version 21H1 for 32-bit Systems", + "Windows 10 Version 20H2 for 32-bit Systems", + "Windows 10 Version 20H2 for ARM64-based Systems", + "Windows 11 version 21H2 for x64-based Systems", + "Windows 11 version 21H2 for ARM64-based Systems", + "Windows 10 Version 21H2 for 32-bit Systems", + "Windows 10 Version 21H2 for ARM64-based Systems", + "Windows 10 Version 21H2 for x64-based Systems", + "Windows 10 for 32-bit Systems", + "Windows 10 for x64-based Systems", + "Windows 10 Version 1607 for 32-bit Systems", + "Windows 10 Version 1607 for x64-based Systems" + ], + "versions": [ + { + "version": "2.1.0.0", + "lessThan": "2.0.30391.0", + "versionType": "custom", + "status": "affected" + }, + { + "version": "2.1.0.0", + "lessThan": "2.1.30391.0", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Raw Image Extension Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:44.900Z" + }, + "references": [ + { + "name": "Raw Image Extension Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23295" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:37.532Z" + }, + "references": [ + { + "name": "Test (7468/24750) [3718/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23295" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23295", + "datePublished": "2022-03-09T17:07:18", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:37.532Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows Installer Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows Installer Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:45.391Z" + }, + "references": [ + { + "name": "Windows Installer Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23296" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:37.857Z" + }, + "references": [ + { + "name": "Test (7469/24750) [3719/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23296" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23296", + "datePublished": "2022-03-09T17:07:19", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:37.857Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information Disclosure", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:32:05.553Z" + }, + "references": [ + { + "name": "Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23297" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "MEDIUM", + "baseScore": 5.5, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:38.182Z" + }, + "references": [ + { + "name": "Test (7470/24750) [3720/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23297" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23297", + "datePublished": "2022-03-09T17:07:21", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:38.182Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows NT OS Kernel Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows NT OS Kernel Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:45.913Z" + }, + "references": [ + { + "name": "Windows NT OS Kernel Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23298" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7, + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:38.513Z" + }, + "references": [ + { + "name": "Test (7471/24750) [3721/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23298" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23298", + "datePublished": "2022-03-09T17:07:22", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:38.513Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Windows PDEV Elevation of Privilege Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1809", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.2686:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2019 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2686:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.17763.2686", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1909", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1909:10.0.18363.2158:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_1809:10.0.18363.2158:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.18363.2158", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H1:10.0.19043.1586:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems", + "32-bit Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19043.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2022", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.587:*:*:*:*:*:*:*", + "cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.580:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.20348.587", + "versionType": "custom", + "status": "affected" + }, + { + "version": "10.0.0", + "lessThan": "10.0.20348.580", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_20H2:10.0.19042.1586:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server version 20H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_20H2:10.0.19042.1586:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19042.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 11 version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_11_21H2:10.0.22000.556:*:*:*:*:*:arm64:*" + ], + "platforms": [ + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.22000.556", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 21H2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:arm64:*", + "cpe:2.3:o:microsoft:windows_10_21H2:10.0.19044.1586:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.19044.1586", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1507", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19235:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.10240.19235", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 10 Version 1607", + "cpes": [ + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5006:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2016 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.5006:*:*:*:*:*:*:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "10.0.0", + "lessThan": "10.0.14393.5006", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 7 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_7:6.1.7601.25898:sp1:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows 8.1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x86:*", + "cpe:2.3:o:microsoft:windows_8.1:6.3.9600.20303:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_rt_8.1:6.3.9600.20296:*:*:*:*:*:*:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems", + "ARM64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.3.0", + "lessThan": "6.3.9600.20296", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*" + ], + "platforms": [ + "32-bit Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "32-bit Systems", + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 Service Pack 2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21416:*:*:*:*:*:x86:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.0.6003.21416", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.1.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25898:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.0.0", + "lessThan": "6.1.7601.25898", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23645:*:*:*:*:*:x64:*", + "cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23639:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.2.0", + "lessThan": "6.2.9200.23645", + "versionType": "custom", + "status": "affected" + }, + { + "version": "6.2.0", + "lessThan": "6.2.9200.23639", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "Windows Server 2012 R2 (Server Core installation)", + "cpes": [ + "cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20303:*:*:*:*:*:x64:*" + ], + "platforms": [ + "x64-based Systems" + ], + "versions": [ + { + "version": "6.3.0", + "lessThan": "6.3.9600.20303", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Windows PDEV Elevation of Privilege Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Elevation of Privilege", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:46.405Z" + }, + "references": [ + { + "name": "Windows PDEV Elevation of Privilege Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23299" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:38.840Z" + }, + "references": [ + { + "name": "Test (7472/24750) [3722/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23299" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23299", + "datePublished": "2022-03-09T17:07:23", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:38.840Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "Raw Image Extension Remote Code Execution Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "Raw Image Extension", + "cpes": [ + "cpe:2.3:a:microsoft:raw_image_extension:-:*:*:*:*:*:*:*" + ], + "platforms": [ + "Windows 10 Version 1809 for 32-bit Systems", + "Windows 10 Version 1809 for x64-based Systems", + "Windows 10 Version 1809 for ARM64-based Systems", + "Windows 10 Version 1809 for HoloLens", + "Windows 10 Version 1909 for 32-bit Systems", + "Windows 10 Version 1909 for x64-based Systems", + "Windows 10 Version 1909 for ARM64-based Systems", + "Windows 10 Version 21H1 for x64-based Systems", + "Windows 10 Version 21H1 for ARM64-based Systems", + "Windows 10 Version 21H1 for 32-bit Systems", + "Windows 10 Version 20H2 for 32-bit Systems", + "Windows 10 Version 20H2 for ARM64-based Systems", + "Windows 11 version 21H2 for x64-based Systems", + "Windows 11 version 21H2 for ARM64-based Systems", + "Windows 10 Version 21H2 for 32-bit Systems", + "Windows 10 Version 21H2 for ARM64-based Systems", + "Windows 10 Version 21H2 for x64-based Systems", + "Windows 10 for 32-bit Systems", + "Windows 10 for x64-based Systems", + "Windows 10 Version 1607 for 32-bit Systems", + "Windows 10 Version 1607 for x64-based Systems" + ], + "versions": [ + { + "version": "2.1.0.0", + "lessThan": "2.0.30391.0", + "versionType": "custom", + "status": "affected" + }, + { + "version": "2.1.0.0", + "lessThan": "2.1.30391.0", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "Raw Image Extension Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:46.927Z" + }, + "references": [ + { + "name": "Raw Image Extension Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23300" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:39.161Z" + }, + "references": [ + { + "name": "Test (7473/24750) [3723/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23300" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23300", + "datePublished": "2022-03-09T17:07:25", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:39.161Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "title": "HEVC Video Extensions Remote Code Execution Vulnerability", + "datePublic": "2022-03-08T08:00:00+00:00", + "affected": [ + { + "vendor": "Microsoft", + "product": "HEVC Video Extension", + "cpes": [ + "cpe:2.3:a:microsoft:hevc_video_extensions:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "1.0.0.0", + "lessThan": "1.0.50361.1", + "versionType": "custom", + "status": "affected" + } + ] + }, + { + "vendor": "Microsoft", + "product": "HEVC Video Extensions", + "cpes": [ + "cpe:2.3:a:microsoft:hevc_video_extensions:*:*:*:*:*:*:*:*" + ], + "platforms": [ + "Unknown" + ], + "versions": [ + { + "version": "1.0.0", + "lessThan": "1.0.50361.0", + "versionType": "custom", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "value": "HEVC Video Extensions Remote Code Execution Vulnerability", + "lang": "en-US" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote Code Execution", + "lang": "en-US", + "type": "Impact" + } + ] + } + ], + "providerMetadata": { + "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "shortName": "microsoft", + "dateUpdated": "2023-12-21T00:31:47.440Z" + }, + "references": [ + { + "name": "HEVC Video Extensions Remote Code Execution Vulnerability", + "tags": [ + "vendor-advisory" + ], + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23301" + } + ], + "metrics": [ + { + "format": "CVSS", + "scenarios": [ + { + "lang": "en-US", + "value": "GENERAL" + } + ], + "cvssV3_1": { + "version": "3.1", + "baseSeverity": "HIGH", + "baseScore": 7.8, + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C" + } + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:39.496Z" + }, + "references": [ + { + "name": "Test (7474/24750) [3724/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23301" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", + "assignerShortName": "microsoft", + "cveId": "CVE-2022-23301", + "datePublished": "2022-03-09T17:07:26", + "dateReserved": "2022-01-15T00:00:00", + "dateUpdated": "2024-06-03T14:58:39.496Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Apache Log4j 1.x", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "1.0.1", + "versionType": "custom" + }, + { + "lessThan": "2.0-alpha1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Eduardo' Vela, Maksim Shudrak and Jacob Butler from Google." + } + ], + "descriptions": [ + { + "lang": "en", + "value": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." + } + ], + "metrics": [ + { + "other": { + "content": { + "other": "high" + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-502", + "description": "CWE-502 Deserialization of Untrusted Data", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T16:49:03", + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://logging.apache.org/log4j/1.2/index.html" + }, + { + "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://security.netapp.com/advisory/ntap-20220217-0006/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Deserialization of untrusted data in JMSSink in Apache Log4j 1.x", + "workarounds": [ + { + "lang": "en", + "value": "Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations." + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@apache.org", + "ID": "CVE-2022-23302", + "STATE": "PUBLIC", + "TITLE": "Deserialization of untrusted data in JMSSink in Apache Log4j 1.x" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache Log4j 1.x", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "1.0.1" + }, + { + "version_affected": "<", + "version_value": "2.0-alpha1" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Eduardo' Vela, Maksim Shudrak and Jacob Butler from Google." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + { + "other": "high" + } + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-502 Deserialization of Untrusted Data" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w", + "refsource": "MISC", + "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w" + }, + { + "name": "https://logging.apache.org/log4j/1.2/index.html", + "refsource": "MISC", + "url": "https://logging.apache.org/log4j/1.2/index.html" + }, + { + "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" + }, + { + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "name": "https://security.netapp.com/advisory/ntap-20220217-0006/", + "refsource": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220217-0006/" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "en", + "value": "Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations." + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:39.824Z" + }, + "references": [ + { + "name": "Test (7475/24750) [3725/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23302" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2022-23302", + "datePublished": "2022-01-18T15:25:20", + "dateReserved": "2022-01-16T00:00:00", + "dateUpdated": "2024-06-03T14:58:39.824Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2023-09-30T10:06:19.467622" + }, + "descriptions": [ + { + "lang": "en", + "value": "The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://w1.fi/security/2022-1/" + }, + { + "name": "FEDORA-2022-da8222a1bc", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPDHU5MV464CZBPX7N2SNMUYP6DFIBZL/" + }, + { + "name": "GLSA-202309-16", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202309-16" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:40.146Z" + }, + "references": [ + { + "name": "Test (7476/24750) [3726/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23303" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23303", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:58:40.146Z", + "dateReserved": "2022-01-17T00:00:00", + "datePublished": "2022-01-17T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2023-09-30T10:06:20.892698" + }, + "descriptions": [ + { + "lang": "en", + "value": "The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9495." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://w1.fi/security/2022-1/" + }, + { + "name": "FEDORA-2022-da8222a1bc", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPDHU5MV464CZBPX7N2SNMUYP6DFIBZL/" + }, + { + "name": "GLSA-202309-16", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202309-16" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:40.467Z" + }, + "references": [ + { + "name": "Test (7477/24750) [3727/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23304" + } + ] + } + ] + }, + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23304", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:58:40.467Z", + "dateReserved": "2022-01-17T00:00:00", + "datePublished": "2022-01-17T00:00:00" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Apache Log4j 1.x ", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "1.2.1", + "versionType": "custom" + }, + { + "lessThan": "2.0-alpha1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "Daniel Martin of NCC Group" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." + } + ], + "metrics": [ + { + "other": { + "content": { + "other": "high" + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-89", + "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T16:49:18", + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://logging.apache.org/log4j/1.2/index.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y" + }, + { + "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1", + "tags": [ + "mailing-list", + "x_refsource_MLIST" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://security.netapp.com/advisory/ntap-20220217-0007/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "SQL injection in JDBC Appender in Apache Log4j V1", + "workarounds": [ + { + "lang": "en", + "value": "Users should upgrade to Log4j 2 or remove usage of the JDBCAppender from their configurations." + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@apache.org", + "ID": "CVE-2022-23305", + "STATE": "PUBLIC", + "TITLE": "SQL injection in JDBC Appender in Apache Log4j V1" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache Log4j 1.x ", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "1.2.1" + }, + { + "version_affected": "<", + "version_value": "2.0-alpha1" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Daniel Martin of NCC Group" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + { + "other": "high" + } + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://logging.apache.org/log4j/1.2/index.html", + "refsource": "MISC", + "url": "https://logging.apache.org/log4j/1.2/index.html" + }, + { + "name": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y", + "refsource": "MISC", + "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y" + }, + { + "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1", + "refsource": "MLIST", + "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4" + }, + { + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "name": "https://security.netapp.com/advisory/ntap-20220217-0007/", + "refsource": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220217-0007/" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "en", + "value": "Users should upgrade to Log4j 2 or remove usage of the JDBCAppender from their configurations." + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:40.772Z" + }, + "references": [ + { + "name": "Test (7478/24750) [3728/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23305" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2022-23305", + "datePublished": "2022-01-18T15:25:22", + "dateReserved": "2022-01-17T00:00:00", + "dateUpdated": "2024-06-03T14:58:40.772Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Apache Log4j 1.x", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThan": "unspecified", + "status": "affected", + "version": "1.2.1", + "versionType": "custom" + }, + { + "lessThanOrEqual": "2.0-alpha1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "value": "@kingkk" + } + ], + "descriptions": [ + { + "lang": "en", + "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists." + } + ], + "metrics": [ + { + "other": { + "content": { + "other": "Critical" + }, + "type": "unknown" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-502", + "description": "CWE-502 Deserialization of Untrusted Data", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-25T16:49:30", + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://logging.apache.org/log4j/1.2/index.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": " A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.", + "workarounds": [ + { + "lang": "en", + "value": "Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0." + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security@apache.org", + "ID": "CVE-2022-23307", + "STATE": "PUBLIC", + "TITLE": " A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution." + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Apache Log4j 1.x", + "version": { + "version_data": [ + { + "version_affected": ">=", + "version_value": "1.2.1" + }, + { + "version_affected": "<=", + "version_value": "2.0-alpha1" + } + ] + } + } + ] + }, + "vendor_name": "Apache Software Foundation" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "@kingkk" + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": [ + { + "other": "Critical" + } + ], + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-502 Deserialization of Untrusted Data" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://logging.apache.org/log4j/1.2/index.html", + "refsource": "MISC", + "url": "https://logging.apache.org/log4j/1.2/index.html" + }, + { + "name": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", + "refsource": "MISC", + "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" + }, + { + "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "name": "https://www.oracle.com/security-alerts/cpujul2022.html", + "refsource": "MISC", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + }, + "work_around": [ + { + "lang": "en", + "value": "Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0." + } + ] + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:41.084Z" + }, + "references": [ + { + "name": "Test (7479/24750) [3729/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23307" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "cveId": "CVE-2022-23307", + "datePublished": "2022-01-18T15:25:23", + "dateReserved": "2022-01-17T00:00:00", + "dateUpdated": "2024-06-03T14:58:41.084Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23308", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:58:41.434Z", + "dateReserved": "2022-01-17T00:00:00", + "datePublished": "2022-02-26T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2022-10-16T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "name": "FEDORA-2022-050c712ed7", + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/" + }, + { + "name": "[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update", + "tags": [ + "mailing-list" + ], + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", + "tags": [ + "mailing-list" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/33" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-6 tvOS 15.5", + "tags": [ + "mailing-list" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/37" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", + "tags": [ + "mailing-list" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/35" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4", + "tags": [ + "mailing-list" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/38" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-5 watchOS 8.6", + "tags": [ + "mailing-list" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/36" + }, + { + "name": "20220516 APPLE-SA-2022-05-16-1 iOS 15.5 and iPadOS 15.5", + "tags": [ + "mailing-list" + ], + "url": "http://seclists.org/fulldisclosure/2022/May/34" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://support.apple.com/kb/HT213257" + }, + { + "url": "https://support.apple.com/kb/HT213256" + }, + { + "url": "https://support.apple.com/kb/HT213255" + }, + { + "url": "https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS" + }, + { + "url": "https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20220331-0008/" + }, + { + "url": "https://support.apple.com/kb/HT213253" + }, + { + "url": "https://support.apple.com/kb/HT213258" + }, + { + "url": "https://support.apple.com/kb/HT213254" + }, + { + "name": "GLSA-202210-03", + "tags": [ + "vendor-advisory" + ], + "url": "https://security.gentoo.org/glsa/202210-03" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "title": "CISA ADP Pilot", + "metrics": [ + { + "other": { + "type": "ssvc", + "content": { + "timestamp": "2023-03-17T00:00:00+00:00", + "options": [ + { + "Exploitation": "None" + }, + { + "Automatable": "Yes" + }, + { + "Technical Impact": "Partial" + } + ], + "role": "CISA Coordinator", + "version": "2.0.3", + "id": "CVE-2022-23308" + } + } + } + ], + "providerMetadata": { + "orgId": "8c464350-323a-4346-a867-fc54517fa145", + "shortName": "CISAADP", + "dateUpdated": "2023-09-22T04:01:02.383Z" + } + }, + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:41.434Z" + }, + "references": [ + { + "name": "Test (7480/24750) [3730/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23308" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Spectrum Power 4", + "vendor": "Siemens", + "versions": [ + { + "status": "affected", + "version": "All versions < V4.70 SP9 Security Patch 1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP9 Security Patch 1). The integrated web application \"Online Help\" in affected product contains a Cross-Site Scripting (XSS) vulnerability that could be exploited if unsuspecting users are tricked into accessing a malicious link." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-09T15:17:30", + "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", + "shortName": "siemens" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-831168.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "productcert@siemens.com", + "ID": "CVE-2022-23312", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Spectrum Power 4", + "version": { + "version_data": [ + { + "version_value": "All versions < V4.70 SP9 Security Patch 1" + } + ] + } + } + ] + }, + "vendor_name": "Siemens" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP9 Security Patch 1). The integrated web application \"Online Help\" in affected product contains a Cross-Site Scripting (XSS) vulnerability that could be exploited if unsuspecting users are tricked into accessing a malicious link." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-831168.pdf", + "refsource": "MISC", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-831168.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:41.747Z" + }, + "references": [ + { + "name": "Test (7481/24750) [3731/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23312" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", + "assignerShortName": "siemens", + "cveId": "CVE-2022-23312", + "datePublished": "2022-02-09T15:17:30", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:41.747Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via /ms/mdiy/model/importJson.do." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T23:40:37", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://gitee.com/mingSoft/MCMS/issues/I4Q4OT" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23314", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via /ms/mdiy/model/importJson.do." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitee.com/mingSoft/MCMS/issues/I4Q4OT", + "refsource": "MISC", + "url": "https://gitee.com/mingSoft/MCMS/issues/I4Q4OT" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:42.056Z" + }, + "references": [ + { + "name": "Test (7482/24750) [3732/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23314" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23314", + "datePublished": "2022-01-20T23:40:37", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:42.056Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-20T23:40:37", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://gitee.com/mingSoft/MCMS/issues/I4Q4PX" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23315", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnerability via the component /ms/template/writeFileContent.do." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitee.com/mingSoft/MCMS/issues/I4Q4PX", + "refsource": "MISC", + "url": "https://gitee.com/mingSoft/MCMS/issues/I4Q4PX" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:42.377Z" + }, + "references": [ + { + "name": "Test (7483/24750) [3733/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23315" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23315", + "datePublished": "2022-01-20T23:40:37", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:42.377Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in taoCMS v3.0.2. There is an arbitrary file read vulnerability that can read any files via admin.php?action=file&ctrl=download&path=../../1.txt." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T11:24:13", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/taogogo/taocms/issues/15" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23316", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue was discovered in taoCMS v3.0.2. There is an arbitrary file read vulnerability that can read any files via admin.php?action=file&ctrl=download&path=../../1.txt." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/taogogo/taocms/issues/15", + "refsource": "MISC", + "url": "https://github.com/taogogo/taocms/issues/15" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:42.676Z" + }, + "references": [ + { + "name": "Test (7484/24750) [3734/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23316" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23316", + "datePublished": "2022-02-04T11:24:13", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:42.676Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "CobaltStrike <=4.5 HTTP(S) listener does not determine whether the request URL begins with \"/\", and attackers can obtain relevant information by specifying the URL." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-15T12:53:17", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://donghuangt1.com/writings/Stager/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23317", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "CobaltStrike <=4.5 HTTP(S) listener does not determine whether the request URL begins with \"/\", and attackers can obtain relevant information by specifying the URL." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://donghuangt1.com/writings/Stager/", + "refsource": "MISC", + "url": "https://donghuangt1.com/writings/Stager/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:42.988Z" + }, + "references": [ + { + "name": "Test (7485/24750) [3735/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23317" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23317", + "datePublished": "2022-02-15T12:53:17", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:42.988Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A heap-buffer-overflow in pcf2bdf, versions >= 1.05 allows an attacker to trigger unsafe memory access via a specially crafted PCF font file. This out-of-bound read may lead to an application crash, information disclosure via program memory or other context-dependent impact." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-18T11:57:53", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ganaware/pcf2bdf" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ganaware/pcf2bdf/issues/4" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23318", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A heap-buffer-overflow in pcf2bdf, versions >= 1.05 allows an attacker to trigger unsafe memory access via a specially crafted PCF font file. This out-of-bound read may lead to an application crash, information disclosure via program memory or other context-dependent impact." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/ganaware/pcf2bdf", + "refsource": "MISC", + "url": "https://github.com/ganaware/pcf2bdf" + }, + { + "name": "https://github.com/ganaware/pcf2bdf/issues/4", + "refsource": "MISC", + "url": "https://github.com/ganaware/pcf2bdf/issues/4" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:43.341Z" + }, + "references": [ + { + "name": "Test (7486/24750) [3736/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23318" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23318", + "datePublished": "2022-02-17T12:44:33", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:43.341Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A segmentation fault during PCF file parsing in pcf2bdf versions >=1.05 allows an attacker to trigger a program crash via a specially crafted PCF font file. This crash affects the availability of the software and dependent downstream components." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-18T11:56:54", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ganaware/pcf2bdf" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ganaware/pcf2bdf/issues/5" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23319", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A segmentation fault during PCF file parsing in pcf2bdf versions >=1.05 allows an attacker to trigger a program crash via a specially crafted PCF font file. This crash affects the availability of the software and dependent downstream components." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/ganaware/pcf2bdf", + "refsource": "MISC", + "url": "https://github.com/ganaware/pcf2bdf" + }, + { + "name": "https://github.com/ganaware/pcf2bdf/issues/5", + "refsource": "MISC", + "url": "https://github.com/ganaware/pcf2bdf/issues/5" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:43.665Z" + }, + "references": [ + { + "name": "Test (7487/24750) [3737/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23319" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23319", + "datePublished": "2022-02-17T13:44:29", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:43.665Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "XMPie uStore 12.3.7244.0 allows for administrators to generate reports based on raw SQL queries. Since the application ships with default administrative credentials, an attacker may authenticate into the application and exfiltrate sensitive information from the database." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-07T10:47:33", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://xmpie.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.triaxiomsecurity.com/xmpie-ustore-vulnerabilities-discovered/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.xmpie.com/ustore-release-notes/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.linkedin.com/feed/update/urn:li:activity:6894666176450887681?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A6894666176450887681%2C6895051709354192896%29" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23320", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "XMPie uStore 12.3.7244.0 allows for administrators to generate reports based on raw SQL queries. Since the application ships with default administrative credentials, an attacker may authenticate into the application and exfiltrate sensitive information from the database." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://xmpie.com", + "refsource": "MISC", + "url": "http://xmpie.com" + }, + { + "name": "https://www.triaxiomsecurity.com/xmpie-ustore-vulnerabilities-discovered/", + "refsource": "MISC", + "url": "https://www.triaxiomsecurity.com/xmpie-ustore-vulnerabilities-discovered/" + }, + { + "name": "https://www.xmpie.com/ustore-release-notes/", + "refsource": "MISC", + "url": "https://www.xmpie.com/ustore-release-notes/" + }, + { + "name": "https://www.linkedin.com/feed/update/urn:li:activity:6894666176450887681?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A6894666176450887681%2C6895051709354192896%29", + "refsource": "MISC", + "url": "https://www.linkedin.com/feed/update/urn:li:activity:6894666176450887681?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A6894666176450887681%2C6895051709354192896%29" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:44.072Z" + }, + "references": [ + { + "name": "Test (7488/24750) [3738/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23320" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23320", + "datePublished": "2022-02-07T10:47:33", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:44.072Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A persistent cross-site scripting (XSS) vulnerability exists on two input fields within the administrative panel when editing users in the XMPie UStore application on version 12.3.7244.0." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-10T18:11:16", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://xmpie.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.triaxiomsecurity.com/xmpie-ustore-vulnerabilities-discovered/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.xmpie.com/ustore-release-notes/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23321", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A persistent cross-site scripting (XSS) vulnerability exists on two input fields within the administrative panel when editing users in the XMPie UStore application on version 12.3.7244.0." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://xmpie.com", + "refsource": "MISC", + "url": "http://xmpie.com" + }, + { + "name": "https://www.triaxiomsecurity.com/xmpie-ustore-vulnerabilities-discovered/", + "refsource": "MISC", + "url": "https://www.triaxiomsecurity.com/xmpie-ustore-vulnerabilities-discovered/" + }, + { + "name": "https://www.xmpie.com/ustore-release-notes/", + "refsource": "MISC", + "url": "https://www.xmpie.com/ustore-release-notes/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:44.433Z" + }, + "references": [ + { + "name": "Test (7489/24750) [3739/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23321" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23321", + "datePublished": "2022-02-10T18:11:16", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:44.433Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS)." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-04T11:24:13", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://ethereum.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://go-ethereum.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tristartom.github.io/docs/ccs21.pdf" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23327", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS)." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://ethereum.com", + "refsource": "MISC", + "url": "http://ethereum.com" + }, + { + "name": "http://go-ethereum.com", + "refsource": "MISC", + "url": "http://go-ethereum.com" + }, + { + "name": "https://tristartom.github.io/docs/ccs21.pdf", + "refsource": "MISC", + "url": "https://tristartom.github.io/docs/ccs21.pdf" + }, + { + "name": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369", + "refsource": "MISC", + "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:44.761Z" + }, + "references": [ + { + "name": "Test (7490/24750) [3740/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23327" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23327", + "datePublished": "2022-03-04T11:24:13", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:44.761Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS)." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-04T11:24:22", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://ethereum.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://go-ethereum.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tristartom.github.io/docs/ccs21.pdf" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23328", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS)." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://ethereum.com", + "refsource": "MISC", + "url": "http://ethereum.com" + }, + { + "name": "http://go-ethereum.com", + "refsource": "MISC", + "url": "http://go-ethereum.com" + }, + { + "name": "https://tristartom.github.io/docs/ccs21.pdf", + "refsource": "MISC", + "url": "https://tristartom.github.io/docs/ccs21.pdf" + }, + { + "name": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369", + "refsource": "MISC", + "url": "https://dl.acm.org/doi/pdf/10.1145/3460120.3485369" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:45.112Z" + }, + "references": [ + { + "name": "Test (7491/24750) [3741/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23328" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23328", + "datePublished": "2022-03-04T11:24:22", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:45.112Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability in ${\"freemarker.template.utility.Execute\"?new() of UJCMS Jspxcms v10.2.0 allows attackers to execute arbitrary commands via uploading malicious files." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T21:03:52", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://gitee.com/jspxcms/Jspxcms/issues/I4QAZN" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23329", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A vulnerability in ${\"freemarker.template.utility.Execute\"?new() of UJCMS Jspxcms v10.2.0 allows attackers to execute arbitrary commands via uploading malicious files." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitee.com/jspxcms/Jspxcms/issues/I4QAZN", + "refsource": "MISC", + "url": "https://gitee.com/jspxcms/Jspxcms/issues/I4QAZN" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:45.519Z" + }, + "references": [ + { + "name": "Test (7492/24750) [3742/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23329" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23329", + "datePublished": "2022-02-04T21:03:52", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:45.519Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A remote code execution (RCE) vulnerability in HelloWorldAddonController.java of jpress v4.2.0 allows attackers to execute arbitrary code via a crafted JAR package." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T21:03:55", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://gitee.com/JPressProjects/jpress/issues/I4QZZ8" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23330", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A remote code execution (RCE) vulnerability in HelloWorldAddonController.java of jpress v4.2.0 allows attackers to execute arbitrary code via a crafted JAR package." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gitee.com/JPressProjects/jpress/issues/I4QZZ8", + "refsource": "MISC", + "url": "https://gitee.com/JPressProjects/jpress/issues/I4QZZ8" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:45.830Z" + }, + "references": [ + { + "name": "Test (7493/24750) [3743/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23330" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23330", + "datePublished": "2022-02-04T21:03:55", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:45.830Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "In DataEase v1.6.1, an authenticated user can gain unauthorized access to all user information and can change the administrator password." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-08T12:29:28", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/dataease/dataease/issues/1618" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23331", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In DataEase v1.6.1, an authenticated user can gain unauthorized access to all user information and can change the administrator password." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/dataease/dataease/issues/1618", + "refsource": "MISC", + "url": "https://github.com/dataease/dataease/issues/1618" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:46.191Z" + }, + "references": [ + { + "name": "Test (7494/24750) [3744/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23331" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23331", + "datePublished": "2022-02-08T12:29:28", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:46.191Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Command injection vulnerability in Manual Ping Form (Web UI) in Shenzhen Ejoin Information Technology Co., Ltd. ACOM508/ACOM516/ACOM532 609-915-041-100-020 allows a remote attacker to inject arbitrary code via the field." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-27T11:51:05", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://en.ejointech.com/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://drive.google.com/drive/folders/1QRs6wos3mL9289TTUm98n5OmgBVrbYTx" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/kyl3song/CVE/tree/main/CVE-2022-23332" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23332", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Command injection vulnerability in Manual Ping Form (Web UI) in Shenzhen Ejoin Information Technology Co., Ltd. ACOM508/ACOM516/ACOM532 609-915-041-100-020 allows a remote attacker to inject arbitrary code via the field." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://en.ejointech.com/", + "refsource": "MISC", + "url": "http://en.ejointech.com/" + }, + { + "name": "https://drive.google.com/drive/folders/1QRs6wos3mL9289TTUm98n5OmgBVrbYTx", + "refsource": "MISC", + "url": "https://drive.google.com/drive/folders/1QRs6wos3mL9289TTUm98n5OmgBVrbYTx" + }, + { + "name": "https://github.com/kyl3song/CVE/tree/main/CVE-2022-23332", + "refsource": "MISC", + "url": "https://github.com/kyl3song/CVE/tree/main/CVE-2022-23332" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:46.527Z" + }, + "references": [ + { + "name": "Test (7495/24750) [3745/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23332" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23332", + "datePublished": "2022-05-09T13:37:24", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:46.527Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23334", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:58:46.834Z", + "dateReserved": "2022-01-18T00:00:00", + "datePublished": "2023-01-30T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2023-01-30T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "The Robot application in Ip-label Newtest before v8.5R0 was discovered to use weak signature checks on executed binaries, allowing attackers to have write access and escalate privileges via replacing NEWTESTREMOTEMANAGER.EXE." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "http://ip-label.com" + }, + { + "url": "http://newtest.com" + }, + { + "url": "https://www.on-x.com/wp-content/uploads/2023/01/ON-X-Security-Advisory-Ip-label-Ekara-Newtest-CVE-2022-23334.pdf" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:46.834Z" + }, + "references": [ + { + "name": "Test (7496/24750) [3746/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23334" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in language_general.class.php via doModifyParameter." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-14T20:18:11", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://note.youdao.com/noteshare?id=3009926ba5c401a766901ded26c1df63" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23335", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in language_general.class.php via doModifyParameter." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://note.youdao.com/noteshare?id=3009926ba5c401a766901ded26c1df63", + "refsource": "MISC", + "url": "http://note.youdao.com/noteshare?id=3009926ba5c401a766901ded26c1df63" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:47.152Z" + }, + "references": [ + { + "name": "Test (7497/24750) [3747/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23335" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23335", + "datePublished": "2022-02-14T20:18:11", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:47.152Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "S-CMS v5.0 was discovered to contain a SQL injection vulnerability in member_pay.php via the O_id parameter." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-14T20:18:13", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://note.youdao.com/noteshare?id=30c7cdeac5c7611fdf64379eb4569269" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23336", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "S-CMS v5.0 was discovered to contain a SQL injection vulnerability in member_pay.php via the O_id parameter." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://note.youdao.com/noteshare?id=30c7cdeac5c7611fdf64379eb4569269", + "refsource": "MISC", + "url": "http://note.youdao.com/noteshare?id=30c7cdeac5c7611fdf64379eb4569269" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:47.468Z" + }, + "references": [ + { + "name": "Test (7498/24750) [3748/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23336" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23336", + "datePublished": "2022-02-14T20:18:13", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:47.468Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "DedeCMS v5.7.87 was discovered to contain a SQL injection vulnerability in article_coonepage_rule.php via the ids parameter." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-14T20:18:14", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://note.youdao.com/noteshare?id=608f19009c8bd1ace5f1a59c1ddd657b" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23337", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "DedeCMS v5.7.87 was discovered to contain a SQL injection vulnerability in article_coonepage_rule.php via the ids parameter." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://note.youdao.com/noteshare?id=608f19009c8bd1ace5f1a59c1ddd657b", + "refsource": "MISC", + "url": "http://note.youdao.com/noteshare?id=608f19009c8bd1ace5f1a59c1ddd657b" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:47.770Z" + }, + "references": [ + { + "name": "Test (7499/24750) [3749/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23337" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23337", + "datePublished": "2022-02-14T20:18:14", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:47.770Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-08T13:20:31", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/laurent22/joplin/issues/6004" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23340", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/laurent22/joplin/issues/6004", + "refsource": "MISC", + "url": "https://github.com/laurent22/joplin/issues/6004" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:58:48.080Z" + }, + "references": [ + { + "name": "Test (7500/24750) [3750/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23340" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23340", + "datePublished": "2022-02-08T13:20:31", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:58:48.080Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint. This can lead to user enumeration against the underlying Active Directory integrated systems." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-06-21T13:29:21", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/InitRoot/CVE-2022-23342" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://community.hyland.com/login?returnUrl=/connect/hyland-research-and-development/security-advisories/username-enumeration-in-onbase" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23342", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint. This can lead to user enumeration against the underlying Active Directory integrated systems." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/InitRoot/CVE-2022-23342", + "refsource": "MISC", + "url": "https://github.com/InitRoot/CVE-2022-23342" + }, + { + "name": "https://community.hyland.com/login?returnUrl=/connect/hyland-research-and-development/security-advisories/username-enumeration-in-onbase", + "refsource": "MISC", + "url": "https://community.hyland.com/login?returnUrl=/connect/hyland-research-and-development/security-advisories/username-enumeration-in-onbase" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:06.544Z" + }, + "references": [ + { + "name": "Test (7501/24750) [3751/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23342" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23342", + "datePublished": "2022-06-21T13:29:21", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:06.544Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-13T13:06:28", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://bigant.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23345" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.bigantsoft.com/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23345", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://bigant.com", + "refsource": "MISC", + "url": "http://bigant.com" + }, + { + "name": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23345", + "refsource": "MISC", + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23345" + }, + { + "name": "https://www.bigantsoft.com/", + "refsource": "MISC", + "url": "https://www.bigantsoft.com/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:06.868Z" + }, + "references": [ + { + "name": "Test (7502/24750) [3752/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23345" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23345", + "datePublished": "2022-03-21T19:42:29", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:06.868Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control issues." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-13T13:06:34", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://bigant.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23346" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.bigantsoft.com/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23346", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control issues." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://bigant.com", + "refsource": "MISC", + "url": "http://bigant.com" + }, + { + "name": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23346", + "refsource": "MISC", + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23346" + }, + { + "name": "https://www.bigantsoft.com/", + "refsource": "MISC", + "url": "https://www.bigantsoft.com/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:07.201Z" + }, + "references": [ + { + "name": "Test (7503/24750) [3753/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23346" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23346", + "datePublished": "2022-03-21T19:39:32", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:07.201Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to be vulnerable to directory traversal attacks." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-13T13:06:41", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://bigant.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23347" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.bigantsoft.com/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23347", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to be vulnerable to directory traversal attacks." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://bigant.com", + "refsource": "MISC", + "url": "http://bigant.com" + }, + { + "name": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23347", + "refsource": "MISC", + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23347" + }, + { + "name": "https://www.bigantsoft.com/", + "refsource": "MISC", + "url": "https://www.bigantsoft.com/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:07.528Z" + }, + "references": [ + { + "name": "Test (7504/24750) [3754/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23347" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23347", + "datePublished": "2022-03-21T19:23:37", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:07.528Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to utilize weak password hashes." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-13T13:06:53", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://bigant.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23348" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.bigantsoft.com/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23348", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to utilize weak password hashes." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://bigant.com", + "refsource": "MISC", + "url": "http://bigant.com" + }, + { + "name": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23348", + "refsource": "MISC", + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23348" + }, + { + "name": "https://www.bigantsoft.com/", + "refsource": "MISC", + "url": "https://www.bigantsoft.com/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:07.840Z" + }, + "references": [ + { + "name": "Test (7505/24750) [3755/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23348" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23348", + "datePublished": "2022-03-21T19:33:00", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:07.840Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to contain a Cross-Site Request Forgery (CSRF)." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-13T13:07:01", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://bigant.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23349" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.bigantsoft.com/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23349", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to contain a Cross-Site Request Forgery (CSRF)." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://bigant.com", + "refsource": "MISC", + "url": "http://bigant.com" + }, + { + "name": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23349", + "refsource": "MISC", + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23349" + }, + { + "name": "https://www.bigantsoft.com/", + "refsource": "MISC", + "url": "https://www.bigantsoft.com/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:08.160Z" + }, + "references": [ + { + "name": "Test (7506/24750) [3756/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23349" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23349", + "datePublished": "2022-03-21T19:26:28", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:08.160Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to contain a cross-site scripting (XSS) vulnerability." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-13T13:07:10", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://bigant.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23350" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.bigantsoft.com/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23350", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "BigAnt Software BigAnt Server v5.6.06 was discovered to contain a cross-site scripting (XSS) vulnerability." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://bigant.com", + "refsource": "MISC", + "url": "http://bigant.com" + }, + { + "name": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23350", + "refsource": "MISC", + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23350" + }, + { + "name": "https://www.bigantsoft.com/", + "refsource": "MISC", + "url": "https://www.bigantsoft.com/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:08.502Z" + }, + "references": [ + { + "name": "Test (7507/24750) [3757/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23350" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23350", + "datePublished": "2022-03-21T19:29:34", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:08.502Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue in BigAnt Software BigAnt Server v5.6.06 can lead to a Denial of Service (DoS)." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-13T13:07:21", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://bigant.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23352" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.bigantsoft.com/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23352", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue in BigAnt Software BigAnt Server v5.6.06 can lead to a Denial of Service (DoS)." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://bigant.com", + "refsource": "MISC", + "url": "http://bigant.com" + }, + { + "name": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23352", + "refsource": "MISC", + "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23352" + }, + { + "name": "https://www.bigantsoft.com/", + "refsource": "MISC", + "url": "https://www.bigantsoft.com/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:08.810Z" + }, + "references": [ + { + "name": "Test (7508/24750) [3758/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23352" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23352", + "datePublished": "2022-03-21T19:35:48", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:08.810Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "mozilo2.0 was discovered to be vulnerable to directory traversal attacks via the parameter curent_dir." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-03T02:38:41", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/truonghuuphuc/CVE" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/truonghuuphuc/CVE/blob/main/CVE-2022-23357.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23357", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "mozilo2.0 was discovered to be vulnerable to directory traversal attacks via the parameter curent_dir." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/truonghuuphuc/CVE", + "refsource": "MISC", + "url": "https://github.com/truonghuuphuc/CVE" + }, + { + "name": "https://github.com/truonghuuphuc/CVE/blob/main/CVE-2022-23357.pdf", + "refsource": "MISC", + "url": "https://github.com/truonghuuphuc/CVE/blob/main/CVE-2022-23357.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:09.119Z" + }, + "references": [ + { + "name": "Test (7509/24750) [3759/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23357" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23357", + "datePublished": "2022-02-03T02:38:41", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:09.119Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In the background, search terms provided by the user were not sanitized and were used directly to construct a SQL statement." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-16T12:01:24", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/jojosec/EasyCMS-s-SQL-injection-new-/blob/main/README.md" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23358", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In the background, search terms provided by the user were not sanitized and were used directly to construct a SQL statement." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/jojosec/EasyCMS-s-SQL-injection-new-/blob/main/README.md", + "refsource": "MISC", + "url": "https://github.com/jojosec/EasyCMS-s-SQL-injection-new-/blob/main/README.md" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:09.443Z" + }, + "references": [ + { + "name": "Test (7510/24750) [3760/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23358" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23358", + "datePublished": "2022-02-16T12:01:24", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:09.443Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via index.php." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-21T22:08:43", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/g33kyrash/Online-Banking-system/issues/15" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23363", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via index.php." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/g33kyrash/Online-Banking-system/issues/15", + "refsource": "MISC", + "url": "https://github.com/g33kyrash/Online-Banking-system/issues/15" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:09.743Z" + }, + "references": [ + { + "name": "Test (7511/24750) [3761/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23363" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23363", + "datePublished": "2022-01-21T22:08:43", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:09.743Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "HMS v1.0 was discovered to contain a SQL injection vulnerability via adminlogin.php." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-21T22:08:44", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/kabirkhyrul/HMS/discussions/4" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23364", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "HMS v1.0 was discovered to contain a SQL injection vulnerability via adminlogin.php." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/kabirkhyrul/HMS/discussions/4", + "refsource": "MISC", + "url": "https://github.com/kabirkhyrul/HMS/discussions/4" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:10.049Z" + }, + "references": [ + { + "name": "Test (7512/24750) [3762/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23364" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23364", + "datePublished": "2022-01-21T22:08:44", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:10.049Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "HMS v1.0 was discovered to contain a SQL injection vulnerability via doctorlogin.php." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-21T22:08:46", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/kabirkhyrul/HMS/discussions/4" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23365", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "HMS v1.0 was discovered to contain a SQL injection vulnerability via doctorlogin.php." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/kabirkhyrul/HMS/discussions/4", + "refsource": "MISC", + "url": "https://github.com/kabirkhyrul/HMS/discussions/4" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:10.383Z" + }, + "references": [ + { + "name": "Test (7513/24750) [3763/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23365" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23365", + "datePublished": "2022-01-21T22:08:46", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:10.383Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "HMS v1.0 was discovered to contain a SQL injection vulnerability via patientlogin.php." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-14T13:59:06", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/kabirkhyrul/HMS/discussions/4" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/165948/Hospital-Management-Startup-1.0-SQL-Injection.html" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-23366" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.nu11secur1ty.com/2022/02/cve-2022-23366.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23366", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "HMS v1.0 was discovered to contain a SQL injection vulnerability via patientlogin.php." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/kabirkhyrul/HMS/discussions/4", + "refsource": "MISC", + "url": "https://github.com/kabirkhyrul/HMS/discussions/4" + }, + { + "name": "http://packetstormsecurity.com/files/165948/Hospital-Management-Startup-1.0-SQL-Injection.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/165948/Hospital-Management-Startup-1.0-SQL-Injection.html" + }, + { + "name": "https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-23366", + "refsource": "MISC", + "url": "https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-23366" + }, + { + "name": "https://www.nu11secur1ty.com/2022/02/cve-2022-23366.html", + "refsource": "MISC", + "url": "https://www.nu11secur1ty.com/2022/02/cve-2022-23366.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:10.687Z" + }, + "references": [ + { + "name": "Test (7514/24750) [3764/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23366" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23366", + "datePublished": "2022-01-21T22:08:47", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:10.687Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Fulusso v1.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in /BindAccount/SuccessTips.js. This vulnerability allows attackers to inject malicious code into a victim user's device via open redirection." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-14T17:45:45", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://gist.github.com/bincat99/311aff295c270371dc8ee89599b016f1" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23367", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Fulusso v1.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in /BindAccount/SuccessTips.js. This vulnerability allows attackers to inject malicious code into a victim user's device via open redirection." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://gist.github.com/bincat99/311aff295c270371dc8ee89599b016f1", + "refsource": "MISC", + "url": "https://gist.github.com/bincat99/311aff295c270371dc8ee89599b016f1" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:11.000Z" + }, + "references": [ + { + "name": "Test (7515/24750) [3765/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23367" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23367", + "datePublished": "2022-02-14T17:45:45", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:11.000Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "WikiDocs version 0.1.18 has an authenticated remote code execution vulnerability. An attacker can upload a malicious file using the image upload form through index.php." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-19T15:43:09", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://wikidocs.it/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://demo.wikidocs.it/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/Zavy86/WikiDocs" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/Zavy86/WikiDocs/issues/28" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23375", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "WikiDocs version 0.1.18 has an authenticated remote code execution vulnerability. An attacker can upload a malicious file using the image upload form through index.php." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://wikidocs.it/", + "refsource": "MISC", + "url": "https://wikidocs.it/" + }, + { + "name": "https://demo.wikidocs.it/", + "refsource": "MISC", + "url": "https://demo.wikidocs.it/" + }, + { + "name": "https://github.com/Zavy86/WikiDocs", + "refsource": "MISC", + "url": "https://github.com/Zavy86/WikiDocs" + }, + { + "name": "https://github.com/Zavy86/WikiDocs/issues/28", + "refsource": "MISC", + "url": "https://github.com/Zavy86/WikiDocs/issues/28" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:11.320Z" + }, + "references": [ + { + "name": "Test (7516/24750) [3766/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23375" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23375", + "datePublished": "2022-02-19T15:43:09", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:11.320Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "WikiDocs version 0.1.18 has multiple reflected XSS vulnerabilities on different pages." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-19T15:42:29", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://wikidocs.it/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://demo.wikidocs.it/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/Zavy86/WikiDocs" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/Zavy86/WikiDocs/issues/28" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23376", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "WikiDocs version 0.1.18 has multiple reflected XSS vulnerabilities on different pages." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://wikidocs.it/", + "refsource": "MISC", + "url": "https://wikidocs.it/" + }, + { + "name": "https://demo.wikidocs.it/", + "refsource": "MISC", + "url": "https://demo.wikidocs.it/" + }, + { + "name": "https://github.com/Zavy86/WikiDocs", + "refsource": "MISC", + "url": "https://github.com/Zavy86/WikiDocs" + }, + { + "name": "https://github.com/Zavy86/WikiDocs/issues/28", + "refsource": "MISC", + "url": "https://github.com/Zavy86/WikiDocs/issues/28" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:11.620Z" + }, + "references": [ + { + "name": "Test (7517/24750) [3767/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23376" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23376", + "datePublished": "2022-02-19T15:42:29", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:11.620Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Archeevo below 5.0 is affected by local file inclusion through file=~/web.config to allow an attacker to retrieve local files." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-01T12:44:19", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.exploit-db.com/exploits/50665" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23377", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Archeevo below 5.0 is affected by local file inclusion through file=~/web.config to allow an attacker to retrieve local files." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.exploit-db.com/exploits/50665", + "refsource": "MISC", + "url": "https://www.exploit-db.com/exploits/50665" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:11.935Z" + }, + "references": [ + { + "name": "Test (7518/24750) [3768/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23377" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23377", + "datePublished": "2022-03-01T12:44:19", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:11.935Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter. The \"items%5B0%5D%5Bpath%5D\" parameter of a request made to /admin/allergens/edit/1 is vulnerable." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-09T12:16:57", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tastyigniter.com/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/TheGetch/CVE-2022-23378" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23378", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter. The \"items%5B0%5D%5Bpath%5D\" parameter of a request made to /admin/allergens/edit/1 is vulnerable." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://tastyigniter.com/", + "refsource": "MISC", + "url": "https://tastyigniter.com/" + }, + { + "name": "https://github.com/TheGetch/CVE-2022-23378", + "refsource": "MISC", + "url": "https://github.com/TheGetch/CVE-2022-23378" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:12.241Z" + }, + "references": [ + { + "name": "Test (7519/24750) [3769/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23378" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23378", + "datePublished": "2022-02-09T12:16:57", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:12.241Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Emlog v6.0 was discovered to contain a SQL injection vulnerability via the $TagID parameter of getblogidsfromtagid()." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-04T22:19:22", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/emlog/emlog/issues/144" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23379", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Emlog v6.0 was discovered to contain a SQL injection vulnerability via the $TagID parameter of getblogidsfromtagid()." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/emlog/emlog/issues/144", + "refsource": "MISC", + "url": "https://github.com/emlog/emlog/issues/144" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:12.553Z" + }, + "references": [ + { + "name": "Test (7520/24750) [3770/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23379" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23379", + "datePublished": "2022-02-04T22:19:22", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:12.553Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "There is a SQL injection vulnerability in the background of taocms 3.0.2 in parameter id:action=admin&id=2&ctrl=edit." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-01T13:12:07", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/taogogo/taocms/issues/16" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23380", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There is a SQL injection vulnerability in the background of taocms 3.0.2 in parameter id:action=admin&id=2&ctrl=edit." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/taogogo/taocms/issues/16", + "refsource": "MISC", + "url": "https://github.com/taogogo/taocms/issues/16" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:12.859Z" + }, + "references": [ + { + "name": "Test (7521/24750) [3771/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23380" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23380", + "datePublished": "2022-03-01T13:12:07", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:12.859Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23382", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:59:13.179Z", + "dateReserved": "2022-01-18T00:00:00", + "datePublished": "2023-09-11T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2023-09-11T14:29:14.327135" + }, + "descriptions": [ + { + "lang": "en", + "value": "Shenzhen Hichip Vision Technology IP Camera Firmware V11.4.8.1.1-20170926 has a denial of service vulnerability through sending a crafted multicast message in a local network." + } + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "http://lackylab.pl/articles/CVE-2022-23382.html" + } + ], + "metrics": [ + { + "cvssV3_1": { + "version": "3.1", + "vectorString": "CVSS:3.1/AC:L/AV:A/A:H/C:N/I:H/PR:N/S:U/UI:N", + "attackVector": "ADJACENT_NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 8.1, + "baseSeverity": "HIGH" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:13.179Z" + }, + "references": [ + { + "name": "Test (7522/24750) [3772/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23382" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "YzmCMS v6.3 is affected by broken access control. Without login, unauthorized access to the user's personal home page can be realized. It is necessary to judge the user's login status before accessing the personal home page, but the vulnerability can access other users' home pages through the non login status because real authentication is not carried out." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-07T15:15:58", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://yzmcms.com" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://down.chinaz.com/soft/37810.htm" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.cnvd.org.cn/user/myreport/6499961" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23383", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "YzmCMS v6.3 is affected by broken access control. Without login, unauthorized access to the user's personal home page can be realized. It is necessary to judge the user's login status before accessing the personal home page, but the vulnerability can access other users' home pages through the non login status because real authentication is not carried out." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://yzmcms.com", + "refsource": "MISC", + "url": "http://yzmcms.com" + }, + { + "name": "https://down.chinaz.com/soft/37810.htm", + "refsource": "MISC", + "url": "https://down.chinaz.com/soft/37810.htm" + }, + { + "name": "https://www.cnvd.org.cn/user/myreport/6499961", + "refsource": "MISC", + "url": "https://www.cnvd.org.cn/user/myreport/6499961" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:13.512Z" + }, + "references": [ + { + "name": "Test (7523/24750) [3773/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23383" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23383", + "datePublished": "2022-03-07T15:15:58", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:13.512Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "YzmCMS v6.3 is affected by Cross Site Request Forgery (CSRF) in /admin.add" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-15T12:04:48", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/yzmcms/yzmcms/issues/58" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23384", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "YzmCMS v6.3 is affected by Cross Site Request Forgery (CSRF) in /admin.add" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/yzmcms/yzmcms/issues/58", + "refsource": "MISC", + "url": "https://github.com/yzmcms/yzmcms/issues/58" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:13.816Z" + }, + "references": [ + { + "name": "Test (7524/24750) [3774/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23384" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23384", + "datePublished": "2022-02-15T12:04:48", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:13.816Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue was discovered in taocms 3.0.2. This is a SQL blind injection that can obtain database data through the Comment Update field." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-01T16:42:36", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/taogogo/taocms/issues" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/taogogo/taocms/issues/23" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23387", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue was discovered in taocms 3.0.2. This is a SQL blind injection that can obtain database data through the Comment Update field." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/taogogo/taocms/issues", + "refsource": "MISC", + "url": "https://github.com/taogogo/taocms/issues" + }, + { + "name": "https://github.com/taogogo/taocms/issues/23", + "refsource": "MISC", + "url": "https://github.com/taogogo/taocms/issues/23" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:14.141Z" + }, + "references": [ + { + "name": "Test (7525/24750) [3775/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23387" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23387", + "datePublished": "2022-03-01T16:42:36", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:14.141Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "PublicCMS v4.0 was discovered to contain a remote code execution (RCE) vulnerability via the cmdarray parameter." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-14T20:48:05", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/sanluan/PublicCMS/issues/59" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23389", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "PublicCMS v4.0 was discovered to contain a remote code execution (RCE) vulnerability via the cmdarray parameter." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/sanluan/PublicCMS/issues/59", + "refsource": "MISC", + "url": "https://github.com/sanluan/PublicCMS/issues/59" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:14.478Z" + }, + "references": [ + { + "name": "Test (7526/24750) [3776/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23389" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23389", + "datePublished": "2022-02-14T20:48:05", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:14.478Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An issue in the getType function of BBS Forum v5.3 and below allows attackers to upload arbitrary files." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-14T20:48:06", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/diyhi/bbs/issues/51" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23390", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An issue in the getType function of BBS Forum v5.3 and below allows attackers to upload arbitrary files." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/diyhi/bbs/issues/51", + "refsource": "MISC", + "url": "https://github.com/diyhi/bbs/issues/51" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:14.822Z" + }, + "references": [ + { + "name": "Test (7527/24750) [3777/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23390" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23390", + "datePublished": "2022-02-14T20:48:06", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:14.822Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A cross-site scripting (XSS) vulnerability in Pybbs v6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the Search box." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-14T20:48:08", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/tomoya92/pybbs/issues/171" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23391", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A cross-site scripting (XSS) vulnerability in Pybbs v6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the Search box." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/tomoya92/pybbs/issues/171", + "refsource": "MISC", + "url": "https://github.com/tomoya92/pybbs/issues/171" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:15.143Z" + }, + "references": [ + { + "name": "Test (7528/24750) [3778/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23391" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23391", + "datePublished": "2022-02-14T20:48:08", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:15.143Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS)." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-25T07:06:19", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://snyk.io/test/npm/jquery.cookie/1.4.1?tab=issues" + }, + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://security.netapp.com/advisory/ntap-20220325-0008/" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23395", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS)." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://snyk.io/test/npm/jquery.cookie/1.4.1?tab=issues", + "refsource": "MISC", + "url": "https://snyk.io/test/npm/jquery.cookie/1.4.1?tab=issues" + }, + { + "name": "https://security.netapp.com/advisory/ntap-20220325-0008/", + "refsource": "CONFIRM", + "url": "https://security.netapp.com/advisory/ntap-20220325-0008/" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:15.491Z" + }, + "references": [ + { + "name": "Test (7529/24750) [3779/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23395" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23395", + "datePublished": "2022-03-02T11:16:55", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:15.491Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23397", + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "dateUpdated": "2024-06-03T14:59:15.808Z", + "dateReserved": "2022-01-18T00:00:00", + "datePublished": "2022-03-04T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre", + "dateUpdated": "2023-03-24T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "The Cedar Gate EZ-NET portal 6.5.5 6.8.0 Internet portal has a call to display messages to users which does not properly sanitize data sent in through a URL parameter. This leads to a Reflected Cross-Site Scripting vulnerability. NOTE: the vendor disputes this because the ado.im reference has \"no clear steps of reproduction.\"" + } + ], + "tags": [ + "disputed" + ], + "affected": [ + { + "vendor": "n/a", + "product": "n/a", + "versions": [ + { + "version": "n/a", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://ado.im/cedar-gate-ez-net" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "n/a" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:15.808Z" + }, + "references": [ + { + "name": "Test (7530/24750) [3780/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23397" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "LinkHub Mesh Wifi", + "vendor": "TCL", + "versions": [ + { + "status": "affected", + "version": "MS1G_00_01.00_14" + } + ] + } + ], + "datePublic": "2022-08-01T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "A stack-based buffer overflow vulnerability exists in the confsrv set_port_fwd_rule functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability." + } + ], + "metrics": [ + { + "cvssV3_0": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.0" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-121", + "description": "CWE-121: Stack-based Buffer Overflow", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-05T21:12:20", + "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", + "shortName": "talos" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1454" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "talos-cna@cisco.com", + "DATE_PUBLIC": "2022-08-01", + "ID": "CVE-2022-23399", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "LinkHub Mesh Wifi", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "MS1G_00_01.00_14" + } + ] + } + } + ] + }, + "vendor_name": "TCL" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A stack-based buffer overflow vulnerability exists in the confsrv set_port_fwd_rule functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability." + } + ] + }, + "impact": { + "cvss": { + "baseScore": 8.8, + "baseSeverity": "High", + "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-121: Stack-based Buffer Overflow" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1454", + "refsource": "MISC", + "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1454" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:16.123Z" + }, + "references": [ + { + "name": "Test (7531/24750) [3781/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23399" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", + "assignerShortName": "talos", + "cveId": "CVE-2022-23399", + "datePublished": "2022-08-01T00:00:00", + "dateReserved": "2022-01-24T00:00:00", + "dateUpdated": "2024-06-03T14:59:16.123Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "ImageGear", + "vendor": "Accusoft", + "versions": [ + { + "status": "affected", + "version": "19.10" + } + ] + } + ], + "datePublic": "2022-05-02T00:00:00", + "descriptions": [ + { + "lang": "en", + "value": "A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability." + } + ], + "metrics": [ + { + "cvssV3_0": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", + "version": "3.0" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-193", + "description": "CWE-193: Off-by-one Error", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-03T16:05:21", + "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", + "shortName": "talos" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1465" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "talos-cna@cisco.com", + "DATE_PUBLIC": "2022-05-02", + "ID": "CVE-2022-23400", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "ImageGear", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "19.10" + } + ] + } + } + ] + }, + "vendor_name": "Accusoft" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability." + } + ] + }, + "impact": { + "cvss": { + "baseScore": 7.1, + "baseSeverity": "High", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-193: Off-by-one Error" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1465", + "refsource": "MISC", + "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1465" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:16.466Z" + }, + "references": [ + { + "name": "Test (7532/24750) [3782/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23400" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", + "assignerShortName": "talos", + "cveId": "CVE-2022-23400", + "datePublished": "2022-05-02T00:00:00", + "dateReserved": "2022-01-31T00:00:00", + "dateUpdated": "2024-06-03T14:59:16.466Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "CENTUM CS 3000", + "vendor": "Yokogawa Electric Corporation", + "versions": [ + { + "status": "affected", + "version": "versions from R3.08.10 to R3.09.00" + } + ] + }, + { + "product": "CENTUM VP", + "vendor": "Yokogawa Electric Corporation", + "versions": [ + { + "status": "affected", + "version": "versions from R4.01.00 to R4.03.00" + }, + { + "status": "affected", + "version": "versions from R5.01.00 to R5.04.20" + }, + { + "status": "affected", + "version": "versions from R6.01.00 to R6.08.00" + } + ] + }, + { + "product": "Exaopc", + "vendor": "Yokogawa Electric Corporation", + "versions": [ + { + "status": "affected", + "version": "versions from R3.72.00 to R3.79.00" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The following Yokogawa Electric products contain insecure DLL loading issues. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-427", + "description": "CWE-427: Uncontrolled Search Path Element", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-11T09:10:51", + "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", + "shortName": "jpcert" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vultures@jpcert.or.jp", + "ID": "CVE-2022-23401", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "CENTUM CS 3000", + "version": { + "version_data": [ + { + "version_value": "versions from R3.08.10 to R3.09.00" + } + ] + } + }, + { + "product_name": "CENTUM VP", + "version": { + "version_data": [ + { + "version_value": "versions from R4.01.00 to R4.03.00" + }, + { + "version_value": "versions from R5.01.00 to R5.04.20" + }, + { + "version_value": "versions from R6.01.00 to R6.08.00" + } + ] + } + }, + { + "product_name": "Exaopc", + "version": { + "version_data": [ + { + "version_value": "versions from R3.72.00 to R3.79.00" + } + ] + } + } + ] + }, + "vendor_name": "Yokogawa Electric Corporation" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The following Yokogawa Electric products contain insecure DLL loading issues. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-427: Uncontrolled Search Path Element" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf", + "refsource": "CONFIRM", + "url": "https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:16.789Z" + }, + "references": [ + { + "name": "Test (7533/24750) [3783/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23401" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", + "assignerShortName": "jpcert", + "cveId": "CVE-2022-23401", + "datePublished": "2022-03-11T09:10:51", + "dateReserved": "2022-02-03T00:00:00", + "dateUpdated": "2024-06-03T14:59:16.789Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "CENTUM VP", + "vendor": "Yokogawa Electric Corporation", + "versions": [ + { + "status": "affected", + "version": "versions from R5.01.00 to R5.04.20" + }, + { + "status": "affected", + "version": "versions from R6.01.00 to R6.08.00" + } + ] + }, + { + "product": "Exaopc", + "vendor": "Yokogawa Electric Corporation", + "versions": [ + { + "status": "affected", + "version": "versions from R3.72.00 to R3.79.00" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The following Yokogawa Electric products hard-code the password for CAMS server applications: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00" + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-798", + "description": "CWE-798: Use of Hard-coded Credentials", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-11T09:10:53", + "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", + "shortName": "jpcert" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "vultures@jpcert.or.jp", + "ID": "CVE-2022-23402", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "CENTUM VP", + "version": { + "version_data": [ + { + "version_value": "versions from R5.01.00 to R5.04.20" + }, + { + "version_value": "versions from R6.01.00 to R6.08.00" + } + ] + } + }, + { + "product_name": "Exaopc", + "version": { + "version_data": [ + { + "version_value": "versions from R3.72.00 to R3.79.00" + } + ] + } + } + ] + }, + "vendor_name": "Yokogawa Electric Corporation" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The following Yokogawa Electric products hard-code the password for CAMS server applications: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00" + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-798: Use of Hard-coded Credentials" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf", + "refsource": "CONFIRM", + "url": "https://web-material3.yokogawa.com/1/32094/files/YSAR-22-0001-E.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:17.104Z" + }, + "references": [ + { + "name": "Test (7534/24750) [3784/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23402" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", + "assignerShortName": "jpcert", + "cveId": "CVE-2022-23402", + "datePublished": "2022-03-11T09:10:53", + "dateReserved": "2022-02-03T00:00:00", + "dateUpdated": "2024-06-03T14:59:17.104Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Intel(R) Data Center Manager software", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "before version 4.1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Improper input validation in the Intel(R) Data Center Manager software before version 4.1 may allow an authenticated user to potentially enable denial of service via local access." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "denial of service", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-18T19:55:40", + "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", + "shortName": "intel" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "secure@intel.com", + "ID": "CVE-2022-23403", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Intel(R) Data Center Manager software", + "version": { + "version_data": [ + { + "version_value": "before version 4.1" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Improper input validation in the Intel(R) Data Center Manager software before version 4.1 may allow an authenticated user to potentially enable denial of service via local access." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "denial of service" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.html", + "refsource": "MISC", + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:17.438Z" + }, + "references": [ + { + "name": "Test (7535/24750) [3785/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23403" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", + "assignerShortName": "intel", + "cveId": "CVE-2022-23403", + "datePublished": "2022-08-18T19:55:40", + "dateReserved": "2022-02-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:17.438Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-18T20:20:15", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/wolfSSL/wolfssl/pull/4710" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022" + } + ], + "source": { + "discovery": "INTERNAL" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23408", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/wolfSSL/wolfssl/pull/4710", + "refsource": "MISC", + "url": "https://github.com/wolfSSL/wolfssl/pull/4710" + }, + { + "name": "https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022", + "refsource": "MISC", + "url": "https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022" + } + ] + }, + "source": { + "discovery": "INTERNAL" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:17.775Z" + }, + "references": [ + { + "name": "Test (7536/24750) [3786/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23408" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23408", + "datePublished": "2022-01-18T20:20:15", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:17.775Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-31T07:04:50", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://sec-consult.com/vulnerability-lab/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://plugins.craftcms.com/logs" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "http://packetstormsecurity.com/files/165706/Ethercreative-Logs-3.0.3-Path-Traversal.html" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23409", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://sec-consult.com/vulnerability-lab/", + "refsource": "MISC", + "url": "https://sec-consult.com/vulnerability-lab/" + }, + { + "name": "https://plugins.craftcms.com/logs", + "refsource": "MISC", + "url": "https://plugins.craftcms.com/logs" + }, + { + "name": "http://packetstormsecurity.com/files/165706/Ethercreative-Logs-3.0.3-Path-Traversal.html", + "refsource": "MISC", + "url": "http://packetstormsecurity.com/files/165706/Ethercreative-Logs-3.0.3-Path-Traversal.html" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:18.109Z" + }, + "references": [ + { + "name": "Test (7537/24750) [3787/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23409" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23409", + "datePublished": "2022-01-31T07:04:50", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:18.109Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "All version prior to 4.18.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "AXIS IP Utility before 4.18.0 allows for remote code execution and local privilege escalation by the means of DLL hijacking. IPUtility.exe would attempt to load DLLs from its current working directory which could allow for remote code execution if a compromised DLL would be placed in the same folder." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Remote code execution and local privilege escalation by the means of DLL hijacking", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-03-09T14:54:30", + "orgId": "f2daf9a0-02c2-4b83-a01d-63b3b304b807", + "shortName": "Axis" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.axis.com/files/tech_notes/CVE-2022-23410.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "product-security@axis.com", + "ID": "CVE-2022-23410", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "All version prior to 4.18.0" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "AXIS IP Utility before 4.18.0 allows for remote code execution and local privilege escalation by the means of DLL hijacking. IPUtility.exe would attempt to load DLLs from its current working directory which could allow for remote code execution if a compromised DLL would be placed in the same folder." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Remote code execution and local privilege escalation by the means of DLL hijacking" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.axis.com/files/tech_notes/CVE-2022-23410.pdf", + "refsource": "MISC", + "url": "https://www.axis.com/files/tech_notes/CVE-2022-23410.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:18.452Z" + }, + "references": [ + { + "name": "Test (7538/24750) [3788/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23410" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "f2daf9a0-02c2-4b83-a01d-63b3b304b807", + "assignerShortName": "Axis", + "cveId": "CVE-2022-23410", + "datePublished": "2022-02-14T21:04:28", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:18.452Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Samsung Mobile Devices", + "vendor": "Samsung Mobile", + "versions": [ + { + "lessThan": "SMR Feb-2022 Release 1", + "status": "affected", + "version": "P(9.0), Q(10.0), R(11.0), S(12.0) with select Exynos devices", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Improper input validation in Exynos baseband prior to SMR Feb-2022 Release 1 allows attackers to send arbitrary NAS signaling messages with fake base station." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 8.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-20", + "description": "CWE-20: Improper Input Validation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-11T17:40:09", + "orgId": "3af57064-a867-422c-b2ad-40307b65c458", + "shortName": "Samsung Mobile" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "mobile.security@samsung.com", + "ID": "CVE-2022-23425", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Samsung Mobile Devices", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "P(9.0), Q(10.0), R(11.0), S(12.0) with select Exynos devices", + "version_value": "SMR Feb-2022 Release 1" + } + ] + } + } + ] + }, + "vendor_name": "Samsung Mobile" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Improper input validation in Exynos baseband prior to SMR Feb-2022 Release 1 allows attackers to send arbitrary NAS signaling messages with fake base station." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 8.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20: Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2", + "refsource": "MISC", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:18.802Z" + }, + "references": [ + { + "name": "Test (7539/24750) [3789/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23425" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", + "assignerShortName": "Samsung Mobile", + "cveId": "CVE-2022-23425", + "datePublished": "2022-02-11T17:40:09", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:18.802Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Samsung Mobile Devices ", + "vendor": "Samsung Mobile", + "versions": [ + { + "lessThan": "SMR Feb-2022 Release 1", + "status": "affected", + "version": "P(9.0), Q(10.0), R(11.0)", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability using PendingIntent in DeX Home and DeX for PC prior to SMR Feb-2022 Release 1 allows attackers to access files with system privilege." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 4.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-94", + "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-11T17:40:09", + "orgId": "3af57064-a867-422c-b2ad-40307b65c458", + "shortName": "Samsung Mobile" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "mobile.security@samsung.com", + "ID": "CVE-2022-23426", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Samsung Mobile Devices ", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "P(9.0), Q(10.0), R(11.0)", + "version_value": "SMR Feb-2022 Release 1" + } + ] + } + } + ] + }, + "vendor_name": "Samsung Mobile" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A vulnerability using PendingIntent in DeX Home and DeX for PC prior to SMR Feb-2022 Release 1 allows attackers to access files with system privilege." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 4.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-94: Improper Control of Generation of Code ('Code Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2", + "refsource": "MISC", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:19.143Z" + }, + "references": [ + { + "name": "Test (7540/24750) [3790/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23426" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", + "assignerShortName": "Samsung Mobile", + "cveId": "CVE-2022-23426", + "datePublished": "2022-02-11T17:40:09", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:19.143Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Samsung Mobile Devices ", + "vendor": "Samsung Mobile", + "versions": [ + { + "lessThan": "SMR Feb-2022 Release 1", + "status": "affected", + "version": "Q(10), R(11), S(12)", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "PendingIntent hijacking vulnerability in KnoxPrivacyNoticeReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission via implicit Intent." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 3.9, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-20", + "description": "CWE-20: Improper Input Validation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-11T17:40:10", + "orgId": "3af57064-a867-422c-b2ad-40307b65c458", + "shortName": "Samsung Mobile" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "mobile.security@samsung.com", + "ID": "CVE-2022-23427", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Samsung Mobile Devices ", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "Q(10), R(11), S(12)", + "version_value": "SMR Feb-2022 Release 1" + } + ] + } + } + ] + }, + "vendor_name": "Samsung Mobile" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "PendingIntent hijacking vulnerability in KnoxPrivacyNoticeReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission via implicit Intent." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 3.9, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20: Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2", + "refsource": "MISC", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:19.484Z" + }, + "references": [ + { + "name": "Test (7541/24750) [3791/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23427" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", + "assignerShortName": "Samsung Mobile", + "cveId": "CVE-2022-23427", + "datePublished": "2022-02-11T17:40:10", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:19.484Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Samsung Mobile Devices with Exynos chipsets", + "vendor": "Samsung Mobile", + "versions": [ + { + "lessThan": "SMR Feb-2022 Release 1", + "status": "affected", + "version": "Q(10.0), R(11.0), S(12.0) devices with selected Exynos chipsets", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An improper boundary check in eden_runtime hal service prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 8.4, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "description": "CWE-120:Buffer Copy without Checking Size of Input", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-11T17:40:11", + "orgId": "3af57064-a867-422c-b2ad-40307b65c458", + "shortName": "Samsung Mobile" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "mobile.security@samsung.com", + "ID": "CVE-2022-23428", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Samsung Mobile Devices with Exynos chipsets", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "Q(10.0), R(11.0), S(12.0) devices with selected Exynos chipsets", + "version_value": "SMR Feb-2022 Release 1" + } + ] + } + } + ] + }, + "vendor_name": "Samsung Mobile" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An improper boundary check in eden_runtime hal service prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 8.4, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-120:Buffer Copy without Checking Size of Input" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2", + "refsource": "MISC", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:19.832Z" + }, + "references": [ + { + "name": "Test (7542/24750) [3792/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23428" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", + "assignerShortName": "Samsung Mobile", + "cveId": "CVE-2022-23428", + "datePublished": "2022-02-11T17:40:11", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:19.832Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Samsung Mobile Devices ", + "vendor": "Samsung Mobile", + "versions": [ + { + "lessThan": "SMR Feb-2022 Release 1", + "status": "affected", + "version": "P(9.0), Q(10.0), R(11.0)", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An improper boundary check in audio hal service prior to SMR Feb-2022 Release 1 allows attackers to read invalid memory and it leads to application crash." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "description": "CWE-125:Out-of-bounds Read", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-11T17:40:12", + "orgId": "3af57064-a867-422c-b2ad-40307b65c458", + "shortName": "Samsung Mobile" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "mobile.security@samsung.com", + "ID": "CVE-2022-23429", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Samsung Mobile Devices ", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "P(9.0), Q(10.0), R(11.0)", + "version_value": "SMR Feb-2022 Release 1" + } + ] + } + } + ] + }, + "vendor_name": "Samsung Mobile" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An improper boundary check in audio hal service prior to SMR Feb-2022 Release 1 allows attackers to read invalid memory and it leads to application crash." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-125:Out-of-bounds Read" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2", + "refsource": "MISC", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:20.171Z" + }, + "references": [ + { + "name": "Test (7543/24750) [3793/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23429" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", + "assignerShortName": "Samsung Mobile", + "cveId": "CVE-2022-23429", + "datePublished": "2022-02-11T17:40:12", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:20.171Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Samsung Mobile Devices with Exynos chipsets", + "vendor": "Samsung Mobile", + "versions": [ + { + "lessThan": "SMR Feb-2022 Release 1", + "status": "affected", + "version": "P(9.0), Q(10.0), R(11.0), S(12.0) devices with selected Exynos chipsets", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An improper boundary check in RPMB ldfw prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 6.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "description": "CWE-120:Buffer Copy without Checking Size of Input", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-11T17:40:13", + "orgId": "3af57064-a867-422c-b2ad-40307b65c458", + "shortName": "Samsung Mobile" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "mobile.security@samsung.com", + "ID": "CVE-2022-23431", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Samsung Mobile Devices with Exynos chipsets", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "P(9.0), Q(10.0), R(11.0), S(12.0) devices with selected Exynos chipsets", + "version_value": "SMR Feb-2022 Release 1" + } + ] + } + } + ] + }, + "vendor_name": "Samsung Mobile" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An improper boundary check in RPMB ldfw prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 6.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-120:Buffer Copy without Checking Size of Input" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2", + "refsource": "MISC", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:20.598Z" + }, + "references": [ + { + "name": "Test (7544/24750) [3794/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23431" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", + "assignerShortName": "Samsung Mobile", + "cveId": "CVE-2022-23431", + "datePublished": "2022-02-11T17:40:13", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:20.598Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Samsung Mobile Devices with Exynos chipsets", + "vendor": "Samsung Mobile", + "versions": [ + { + "lessThan": "SMR Feb-2022 Release 1", + "status": "affected", + "version": "P(9.0), Q(10.0), R(11.0), S(12.0) devices with selected Exynos chipsets", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An improper input validation in SMC_SRPMB_WSM handler of RPMB ldfw prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 6.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-20", + "description": "CWE-20: Improper Input Validation", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-11T17:40:13", + "orgId": "3af57064-a867-422c-b2ad-40307b65c458", + "shortName": "Samsung Mobile" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "mobile.security@samsung.com", + "ID": "CVE-2022-23432", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Samsung Mobile Devices with Exynos chipsets", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "P(9.0), Q(10.0), R(11.0), S(12.0) devices with selected Exynos chipsets", + "version_value": "SMR Feb-2022 Release 1" + } + ] + } + } + ] + }, + "vendor_name": "Samsung Mobile" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An improper input validation in SMC_SRPMB_WSM handler of RPMB ldfw prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 6.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-20: Improper Input Validation" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2", + "refsource": "MISC", + "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=2" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:20.948Z" + }, + "references": [ + { + "name": "Test (7545/24750) [3795/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23432" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", + "assignerShortName": "Samsung Mobile", + "cveId": "CVE-2022-23432", + "datePublished": "2022-02-11T17:40:13", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:20.948Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Reminder", + "vendor": "Samsung Mobile", + "versions": [ + { + "lessThan": "12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Andoid Q(10)", + "status": "affected", + "version": "-", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Improper access control vulnerability in Reminder prior to versions 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Andoid Q(10) allows attackers to register reminders or execute exporeted activities remotely." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-284", + "description": "CWE-284: Improper Access Control", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-11T17:40:14", + "orgId": "3af57064-a867-422c-b2ad-40307b65c458", + "shortName": "Samsung Mobile" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=2" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "mobile.security@samsung.com", + "ID": "CVE-2022-23433", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Reminder", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "-", + "version_value": "12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Andoid Q(10)" + } + ] + } + } + ] + }, + "vendor_name": "Samsung Mobile" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Improper access control vulnerability in Reminder prior to versions 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Andoid Q(10) allows attackers to register reminders or execute exporeted activities remotely." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-284: Improper Access Control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=2", + "refsource": "MISC", + "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=2" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:21.335Z" + }, + "references": [ + { + "name": "Test (7546/24750) [3796/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23433" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", + "assignerShortName": "Samsung Mobile", + "cveId": "CVE-2022-23433", + "datePublished": "2022-02-11T17:40:14", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:21.335Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Bixby Vision", + "vendor": "Samsung Mobile", + "versions": [ + { + "lessThan": "3.7.60.8 in Android S(12), 3.7.50.6 in Andorid R(11) and below", + "status": "affected", + "version": "-", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability using PendingIntent in Bixby Vision prior to versions 3.7.60.8 in Android S(12), 3.7.50.6 in Andorid R(11) and below allows attackers to execute privileged action by hijacking and modifying the intent." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 4.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-94", + "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-02-11T17:40:15", + "orgId": "3af57064-a867-422c-b2ad-40307b65c458", + "shortName": "Samsung Mobile" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=2" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "mobile.security@samsung.com", + "ID": "CVE-2022-23434", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Bixby Vision", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "-", + "version_value": "3.7.60.8 in Android S(12), 3.7.50.6 in Andorid R(11) and below" + } + ] + } + } + ] + }, + "vendor_name": "Samsung Mobile" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A vulnerability using PendingIntent in Bixby Vision prior to versions 3.7.60.8 in Android S(12), 3.7.50.6 in Andorid R(11) and below allows attackers to execute privileged action by hijacking and modifying the intent." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 4.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-94: Improper Control of Generation of Code ('Code Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=2", + "refsource": "MISC", + "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=2" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:21.683Z" + }, + "references": [ + { + "name": "Test (7547/24750) [3797/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23434" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", + "assignerShortName": "Samsung Mobile", + "cveId": "CVE-2022-23434", + "datePublished": "2022-02-11T17:40:15", + "dateReserved": "2022-01-18T00:00:00", + "dateUpdated": "2024-06-03T14:59:21.683Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "decoding.c in android-gif-drawable before 1.2.24 does not limit the maximum length of a comment, leading to denial of service." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-19T00:26:04", + "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "shortName": "mitre" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/koral--/android-gif-drawable/commit/9f0f0c89e6fa38548163771feeb4bde84b828887" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/koral--/android-gif-drawable/compare/v1.2.23...v1.2.24" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2022-23435", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "decoding.c in android-gif-drawable before 1.2.24 does not limit the maximum length of a comment, leading to denial of service." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/koral--/android-gif-drawable/commit/9f0f0c89e6fa38548163771feeb4bde84b828887", + "refsource": "MISC", + "url": "https://github.com/koral--/android-gif-drawable/commit/9f0f0c89e6fa38548163771feeb4bde84b828887" + }, + { + "name": "https://github.com/koral--/android-gif-drawable/compare/v1.2.23...v1.2.24", + "refsource": "MISC", + "url": "https://github.com/koral--/android-gif-drawable/compare/v1.2.23...v1.2.24" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:22.018Z" + }, + "references": [ + { + "name": "Test (7548/24750) [3798/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23435" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", + "assignerShortName": "mitre", + "cveId": "CVE-2022-23435", + "datePublished": "2022-01-19T00:26:04", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:22.018Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23437", + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "assignerShortName": "apache", + "dateUpdated": "2024-06-03T14:59:22.367Z", + "dateReserved": "2022-01-19T00:00:00", + "datePublished": "2022-01-24T00:00:00" + }, + "containers": { + "cna": { + "title": "Infinite loop within Apache XercesJ xml parser", + "providerMetadata": { + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache", + "dateUpdated": "2022-10-28T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions." + } + ], + "affected": [ + { + "vendor": "Apache Software Foundation", + "product": "Apache Xerces", + "versions": [ + { + "version": "Apache XercesJ", + "status": "affected", + "lessThanOrEqual": "2.12.1", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl" + }, + { + "name": "[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser", + "tags": [ + "mailing-list" + ], + "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20221028-0005/" + } + ], + "credits": [ + { + "lang": "en", + "value": "This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon Corretto/JDK Team" + } + ], + "metrics": [ + { + "other": { + "type": "unknown", + "content": { + "other": "high" + } + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "text", + "lang": "en", + "description": "Infinite loop within Apache XercesJ xml parser" + } + ] + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "source": { + "discovery": "UNKNOWN" + }, + "workarounds": [ + { + "lang": "en", + "value": "Apache XercesJ users, should migrate to version 2.12.2" + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:22.367Z" + }, + "references": [ + { + "name": "Test (7549/24750) [3799/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23437" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Fortinet FortiOS", + "vendor": "Fortinet", + "versions": [ + { + "status": "affected", + "version": "FortiOS 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.9, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in FortiOS version 7.0.5 and prior and 6.4.9 and prior may allow an unauthenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the captive portal authentication replacement page." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.7, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "exploitCodeMaturity": "UNPROVEN", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "remediationLevel": "WORKAROUND", + "reportConfidence": "UNKNOWN", + "scope": "CHANGED", + "temporalScore": 3.9, + "temporalSeverity": "LOW", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:W/RC:U", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Execute unauthorized code or commands", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-07-18T16:40:43", + "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "shortName": "fortinet" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://fortiguard.com/psirt/FG-IR-21-057" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@fortinet.com", + "ID": "CVE-2022-23438", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Fortinet FortiOS", + "version": { + "version_data": [ + { + "version_value": "FortiOS 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.9, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0" + } + ] + } + } + ] + }, + "vendor_name": "Fortinet" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in FortiOS version 7.0.5 and prior and 6.4.9 and prior may allow an unauthenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the captive portal authentication replacement page." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "High", + "attackVector": "Network", + "availabilityImpact": "None", + "baseScore": 3.9, + "baseSeverity": "Low", + "confidentialityImpact": "Low", + "integrityImpact": "Low", + "privilegesRequired": "None", + "scope": "Changed", + "userInteraction": "Required", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:W/RC:U", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Execute unauthorized code or commands" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fortiguard.com/psirt/FG-IR-21-057", + "refsource": "CONFIRM", + "url": "https://fortiguard.com/psirt/FG-IR-21-057" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:22.699Z" + }, + "references": [ + { + "name": "Test (7550/24750) [3800/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23438" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "assignerShortName": "fortinet", + "cveId": "CVE-2022-23438", + "datePublished": "2022-07-18T16:40:44", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:22.699Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Fortinet FortiEDR", + "vendor": "Fortinet", + "versions": [ + { + "status": "affected", + "version": "FortiEDR 5.0.2, 5.0.1, 5.0.0, 4.0.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A use of hard-coded cryptographic key vulnerability [CWE-321] in the registration mechanism of FortiEDR collectors versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow a local attacker to disable and uninstall the collectors from the end-points within the same deployment." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "exploitCodeMaturity": "FUNCTIONAL", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "remediationLevel": "UNAVAILABLE", + "reportConfidence": "CONFIRMED", + "scope": "UNCHANGED", + "temporalScore": 7.6, + "temporalSeverity": "HIGH", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Denial of service", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-06T09:30:14", + "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "shortName": "fortinet" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://fortiguard.com/psirt/FG-IR-22-018" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@fortinet.com", + "ID": "CVE-2022-23440", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Fortinet FortiEDR", + "version": { + "version_data": [ + { + "version_value": "FortiEDR 5.0.2, 5.0.1, 5.0.0, 4.0.0" + } + ] + } + } + ] + }, + "vendor_name": "Fortinet" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A use of hard-coded cryptographic key vulnerability [CWE-321] in the registration mechanism of FortiEDR collectors versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow a local attacker to disable and uninstall the collectors from the end-points within the same deployment." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 7.6, + "baseSeverity": "High", + "confidentialityImpact": "High", + "integrityImpact": "High", + "privilegesRequired": "Low", + "scope": "Unchanged", + "userInteraction": "None", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Denial of service" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fortiguard.com/psirt/FG-IR-22-018", + "refsource": "CONFIRM", + "url": "https://fortiguard.com/psirt/FG-IR-22-018" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:23.057Z" + }, + "references": [ + { + "name": "Test (7551/24750) [3801/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23440" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "assignerShortName": "fortinet", + "cveId": "CVE-2022-23440", + "datePublished": "2022-04-06T09:30:14", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:23.057Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Fortinet FortiEDR", + "vendor": "Fortinet", + "versions": [ + { + "status": "affected", + "version": "FortiEDR 5.0.2, 5.0.1, 5.0.0, 4.0.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiEDR versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow an unauthenticated attacker on the network to disguise as and forge messages from other collectors." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 9.1, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "exploitCodeMaturity": "PROOF_OF_CONCEPT", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "remediationLevel": "UNAVAILABLE", + "reportConfidence": "CONFIRMED", + "scope": "UNCHANGED", + "temporalScore": 8.6, + "temporalSeverity": "HIGH", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:U/RC:C", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Improper access control", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-06T09:10:10", + "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "shortName": "fortinet" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://fortiguard.com/psirt/FG-IR-22-019" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@fortinet.com", + "ID": "CVE-2022-23441", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Fortinet FortiEDR", + "version": { + "version_data": [ + { + "version_value": "FortiEDR 5.0.2, 5.0.1, 5.0.0, 4.0.0" + } + ] + } + } + ] + }, + "vendor_name": "Fortinet" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiEDR versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow an unauthenticated attacker on the network to disguise as and forge messages from other collectors." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Network", + "availabilityImpact": "None", + "baseScore": 8.6, + "baseSeverity": "High", + "confidentialityImpact": "High", + "integrityImpact": "High", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "None", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:U/RC:C", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper access control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fortiguard.com/psirt/FG-IR-22-019", + "refsource": "CONFIRM", + "url": "https://fortiguard.com/psirt/FG-IR-22-019" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:23.444Z" + }, + "references": [ + { + "name": "Test (7552/24750) [3802/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23441" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "assignerShortName": "fortinet", + "cveId": "CVE-2022-23441", + "datePublished": "2022-04-06T09:10:10", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:23.444Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Fortinet FortiOS", + "vendor": "Fortinet", + "versions": [ + { + "status": "affected", + "version": "FortiOS 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.11, 6.2.10, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An improper access control vulnerability [CWE-284] in FortiOS versions 6.2.0 through 6.2.11, 6.4.0 through 6.4.8 and 7.0.0 through 7.0.5 may allow an authenticated attacker with a restricted user profile to gather the checksum information about the other VDOMs via CLI commands." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "exploitCodeMaturity": "NOT_DEFINED", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "remediationLevel": "NOT_DEFINED", + "reportConfidence": "NOT_DEFINED", + "scope": "UNCHANGED", + "temporalScore": 4.3, + "temporalSeverity": "MEDIUM", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Improper access control", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-03T13:20:27", + "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "shortName": "fortinet" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://fortiguard.com/psirt/FG-IR-22-036" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@fortinet.com", + "ID": "CVE-2022-23442", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Fortinet FortiOS", + "version": { + "version_data": [ + { + "version_value": "FortiOS 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.8, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.11, 6.2.10, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0" + } + ] + } + } + ] + }, + "vendor_name": "Fortinet" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An improper access control vulnerability [CWE-284] in FortiOS versions 6.2.0 through 6.2.11, 6.4.0 through 6.4.8 and 7.0.0 through 7.0.5 may allow an authenticated attacker with a restricted user profile to gather the checksum information about the other VDOMs via CLI commands." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Network", + "availabilityImpact": "None", + "baseScore": 4.3, + "baseSeverity": "Medium", + "confidentialityImpact": "Low", + "integrityImpact": "None", + "privilegesRequired": "Low", + "scope": "Unchanged", + "userInteraction": "None", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Improper access control" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fortiguard.com/psirt/FG-IR-22-036", + "refsource": "CONFIRM", + "url": "https://fortiguard.com/psirt/FG-IR-22-036" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:23.764Z" + }, + "references": [ + { + "name": "Test (7553/24750) [3803/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23442" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "assignerShortName": "fortinet", + "cveId": "CVE-2022-23442", + "datePublished": "2022-08-03T13:20:27", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:23.764Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Fortinet FortiSOAR", + "vendor": "Fortinet", + "versions": [ + { + "status": "affected", + "version": "FortiSOAR 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0, 6.0.0, 5.x.x" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "exploitCodeMaturity": "PROOF_OF_CONCEPT", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "remediationLevel": "TEMPORARY_FIX", + "reportConfidence": "CONFIRMED", + "scope": "UNCHANGED", + "temporalScore": 6.8, + "temporalSeverity": "MEDIUM", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:T/RC:C", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Information disclosure", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-05-04T15:25:21", + "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "shortName": "fortinet" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://fortiguard.com/psirt/FG-IR-22-041" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@fortinet.com", + "ID": "CVE-2022-23443", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Fortinet FortiSOAR", + "version": { + "version_data": [ + { + "version_value": "FortiSOAR 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0, 6.0.0, 5.x.x" + } + ] + } + } + ] + }, + "vendor_name": "Fortinet" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Network", + "availabilityImpact": "None", + "baseScore": 6.8, + "baseSeverity": "Medium", + "confidentialityImpact": "High", + "integrityImpact": "None", + "privilegesRequired": "None", + "scope": "Unchanged", + "userInteraction": "None", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:T/RC:C", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Information disclosure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fortiguard.com/psirt/FG-IR-22-041", + "refsource": "CONFIRM", + "url": "https://fortiguard.com/psirt/FG-IR-22-041" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:24.088Z" + }, + "references": [ + { + "name": "Test (7554/24750) [3804/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23443" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "assignerShortName": "fortinet", + "cveId": "CVE-2022-23443", + "datePublished": "2022-05-04T15:25:21", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:24.088Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Fortinet FortiEDR", + "vendor": "Fortinet", + "versions": [ + { + "status": "affected", + "version": "FortiEDR 5.0.2, 5.0.1, 5.0.0, 4.0.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A improper control of a resource through its lifetime in Fortinet FortiEDR version 5.0.3 and earlier allows attacker to make the whole application unresponsive via changing its root directory access permission." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 4.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "exploitCodeMaturity": "PROOF_OF_CONCEPT", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "remediationLevel": "OFFICIAL_FIX", + "reportConfidence": "CONFIRMED", + "scope": "UNCHANGED", + "temporalScore": 4, + "temporalSeverity": "MEDIUM", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "Denial of service", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-06T09:00:17", + "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "shortName": "fortinet" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://fortiguard.com/psirt/FG-IR-22-052" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "psirt@fortinet.com", + "ID": "CVE-2022-23446", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Fortinet FortiEDR", + "version": { + "version_data": [ + { + "version_value": "FortiEDR 5.0.2, 5.0.1, 5.0.0, 4.0.0" + } + ] + } + } + ] + }, + "vendor_name": "Fortinet" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A improper control of a resource through its lifetime in Fortinet FortiEDR version 5.0.3 and earlier allows attacker to make the whole application unresponsive via changing its root directory access permission." + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "Low", + "attackVector": "Local", + "availabilityImpact": "High", + "baseScore": 4, + "baseSeverity": "Medium", + "confidentialityImpact": "None", + "integrityImpact": "None", + "privilegesRequired": "High", + "scope": "Unchanged", + "userInteraction": "None", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Denial of service" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://fortiguard.com/psirt/FG-IR-22-052", + "refsource": "CONFIRM", + "url": "https://fortiguard.com/psirt/FG-IR-22-052" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:24.448Z" + }, + "references": [ + { + "name": "Test (7555/24750) [3805/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23446" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "assignerShortName": "fortinet", + "cveId": "CVE-2022-23446", + "datePublished": "2022-04-06T09:00:17", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:24.448Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23447", + "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "state": "PUBLISHED", + "assignerShortName": "fortinet", + "dateReserved": "2022-01-19T07:38:03.514Z", + "datePublished": "2023-07-11T16:52:42.353Z", + "dateUpdated": "2024-06-03T14:59:24.935Z" + }, + "containers": { + "cna": { + "affected": [ + { + "vendor": "Fortinet", + "product": "FortiExtender", + "defaultStatus": "unaffected", + "versions": [ + { + "versionType": "semver", + "version": "7.0.0", + "lessThanOrEqual": "7.0.3", + "status": "affected" + }, + { + "version": "5.3.2", + "status": "affected" + }, + { + "versionType": "semver", + "version": "4.2.0", + "lessThanOrEqual": "4.2.4", + "status": "affected" + }, + { + "versionType": "semver", + "version": "4.1.1", + "lessThanOrEqual": "4.1.8", + "status": "affected" + }, + { + "versionType": "semver", + "version": "4.0.0", + "lessThanOrEqual": "4.0.2", + "status": "affected" + }, + { + "versionType": "semver", + "version": "3.3.0", + "lessThanOrEqual": "3.3.2", + "status": "affected" + }, + { + "versionType": "semver", + "version": "3.2.1", + "lessThanOrEqual": "3.2.3", + "status": "affected" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiExtender management interface 7.0.0 through 7.0.3, 4.2.0 through 4.2.4, 4.1.1 through 4.1.8, 4.0.0 through 4.0.2, 3.3.0 through 3.3.2, 3.2.1 through 3.2.3, 5.3 all versions may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests." + } + ], + "providerMetadata": { + "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", + "shortName": "fortinet", + "dateUpdated": "2023-07-11T16:52:42.353Z" + }, + "problemTypes": [ + { + "descriptions": [ + { + "lang": "en", + "cweId": "CWE-22", + "description": "Information disclosure", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "format": "CVSS", + "cvssV3_1": { + "version": "3.1", + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.3, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:U/RC:C" + } + } + ], + "solutions": [ + { + "lang": "en", + "value": "Please upgrade to FortiExtender version 7.2.0 or above Please upgrade to FortiExtender version 7.0.4 or above Please upgrade to FortiExtender version 4.2.5 or above Please upgrade to FortiExtender version 4.1.9 or above Please upgrade to FortiExtender version 4.0.3 or above Please upgrade to FortiExtender version 3.3.3 or above Please upgrade to FortiExtender version 3.2.4 or above " + } + ], + "references": [ + { + "name": "https://fortiguard.com/psirt/FG-IR-22-039", + "url": "https://fortiguard.com/psirt/FG-IR-22-039" + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:24.935Z" + }, + "references": [ + { + "name": "Test (7556/24750) [3806/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23447" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "SIMATIC Energy Manager Basic", + "vendor": "Siemens", + "versions": [ + { + "status": "affected", + "version": "All versions < V7.3 Update 1" + } + ] + }, + { + "product": "SIMATIC Energy Manager PRO", + "vendor": "Siemens", + "versions": [ + { + "status": "affected", + "version": "All versions < V7.3 Update 1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). Affected applications improperly assign permissions to critical directories and files used by the application processes. This could allow a local unprivileged attacker to achieve code execution with ADMINISTRATOR or even NT AUTHORITY/SYSTEM privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-732", + "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-12T09:07:35", + "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", + "shortName": "siemens" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "productcert@siemens.com", + "ID": "CVE-2022-23448", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SIMATIC Energy Manager Basic", + "version": { + "version_data": [ + { + "version_value": "All versions < V7.3 Update 1" + } + ] + } + }, + { + "product_name": "SIMATIC Energy Manager PRO", + "version": { + "version_data": [ + { + "version_value": "All versions < V7.3 Update 1" + } + ] + } + } + ] + }, + "vendor_name": "Siemens" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). Affected applications improperly assign permissions to critical directories and files used by the application processes. This could allow a local unprivileged attacker to achieve code execution with ADMINISTRATOR or even NT AUTHORITY/SYSTEM privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-732: Incorrect Permission Assignment for Critical Resource" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf", + "refsource": "MISC", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:25.293Z" + }, + "references": [ + { + "name": "Test (7557/24750) [3807/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23448" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", + "assignerShortName": "siemens", + "cveId": "CVE-2022-23448", + "datePublished": "2022-04-12T09:07:35", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:25.293Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "SIMATIC Energy Manager Basic", + "vendor": "Siemens", + "versions": [ + { + "status": "affected", + "version": "All versions < V7.3 Update 1" + } + ] + }, + { + "product": "SIMATIC Energy Manager PRO", + "vendor": "Siemens", + "versions": [ + { + "status": "affected", + "version": "All versions < V7.3 Update 1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). A DLL Hijacking vulnerability could allow a local attacker to execute code with elevated privileges by placing a malicious DLL in one of the directories on the DLL search path." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-427", + "description": "CWE-427: Uncontrolled Search Path Element", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-12T09:07:37", + "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", + "shortName": "siemens" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "productcert@siemens.com", + "ID": "CVE-2022-23449", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SIMATIC Energy Manager Basic", + "version": { + "version_data": [ + { + "version_value": "All versions < V7.3 Update 1" + } + ] + } + }, + { + "product_name": "SIMATIC Energy Manager PRO", + "version": { + "version_data": [ + { + "version_value": "All versions < V7.3 Update 1" + } + ] + } + } + ] + }, + "vendor_name": "Siemens" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). A DLL Hijacking vulnerability could allow a local attacker to execute code with elevated privileges by placing a malicious DLL in one of the directories on the DLL search path." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-427: Uncontrolled Search Path Element" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf", + "refsource": "MISC", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:25.620Z" + }, + "references": [ + { + "name": "Test (7558/24750) [3808/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23449" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", + "assignerShortName": "siemens", + "cveId": "CVE-2022-23449", + "datePublished": "2022-04-12T09:07:37", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:25.620Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "SIMATIC Energy Manager Basic", + "vendor": "Siemens", + "versions": [ + { + "status": "affected", + "version": "All versions < V7.3 Update 1" + } + ] + }, + { + "product": "SIMATIC Energy Manager PRO", + "vendor": "Siemens", + "versions": [ + { + "status": "affected", + "version": "All versions < V7.3 Update 1" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-502", + "description": "CWE-502: Deserialization of Untrusted Data", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-04-12T09:07:38", + "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", + "shortName": "siemens" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "productcert@siemens.com", + "ID": "CVE-2022-23450", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "SIMATIC Energy Manager Basic", + "version": { + "version_data": [ + { + "version_value": "All versions < V7.3 Update 1" + } + ] + } + }, + { + "product_name": "SIMATIC Energy Manager PRO", + "version": { + "version_data": [ + { + "version_value": "All versions < V7.3 Update 1" + } + ] + } + } + ] + }, + "vendor_name": "Siemens" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-502: Deserialization of Untrusted Data" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf", + "refsource": "MISC", + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:25.940Z" + }, + "references": [ + { + "name": "Test (7559/24750) [3809/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23450" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", + "assignerShortName": "siemens", + "cveId": "CVE-2022-23450", + "datePublished": "2022-04-12T09:07:38", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:25.940Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "openstack/barbican", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Fixed in v14.0.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-863", + "description": "CWE-863 - Incorrect Authorization.", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-06T17:18:52", + "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", + "shortName": "redhat" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025089" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022878" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://storyboard.openstack.org/#%21/story/2009253" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://review.opendev.org/c/openstack/barbican/+/811236" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://access.redhat.com/security/cve/CVE-2022-23451" + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:26.288Z" + }, + "references": [ + { + "name": "Test (7560/24750) [3810/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23451" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", + "assignerShortName": "redhat", + "cveId": "CVE-2022-23451", + "datePublished": "2022-09-06T17:18:52", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:26.288Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "openstack/barbican", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "Fixed in v14.0.0" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-863", + "description": "CWE-863 - Incorrect Authorization.", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-01T20:57:45", + "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", + "shortName": "redhat" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025090" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2022908" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://storyboard.openstack.org/#%21/story/2009297" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://review.opendev.org/c/openstack/barbican/+/814200" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://access.redhat.com/security/cve/CVE-2022-23452" + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:26.623Z" + }, + "references": [ + { + "name": "Test (7561/24750) [3811/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23452" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", + "assignerShortName": "redhat", + "cveId": "CVE-2022-23452", + "datePublished": "2022-09-01T20:57:45", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:26.623Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23453", + "assignerOrgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2", + "state": "PUBLISHED", + "assignerShortName": "hp", + "dateReserved": "2022-01-19T16:54:44.045Z", + "datePublished": "2023-01-30T21:34:48.942Z", + "dateUpdated": "2024-06-03T14:59:26.931Z" + }, + "containers": { + "cna": { + "descriptions": [ + { + "lang": "en", + "value": "Potential security vulnerabilities have been identified in HP Support Assistant. These vulnerabilities include privilege escalation, compromise of integrity, allowed communication with untrusted clients, and unauthorized modification of files." + } + ], + "affected": [ + { + "versions": [ + { + "version": "See HP Security Bulletin reference for affected versions.", + "status": "affected" + } + ], + "product": "HP Support Assistant", + "vendor": "HP Inc." + } + ], + "references": [ + { + "url": "https://support.hp.com/us-en/document/ish_5585999-5586023-16/hpsbgn03762" + } + ], + "providerMetadata": { + "orgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2", + "shortName": "hp", + "dateUpdated": "2023-02-01T06:15:59.102527Z" + }, + "x_generator": { + "engine": "cveClient/1.0.13" + }, + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:26.931Z" + }, + "references": [ + { + "name": "Test (7562/24750) [3812/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23453" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23454", + "assignerOrgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2", + "state": "PUBLISHED", + "assignerShortName": "hp", + "dateReserved": "2022-01-19T16:54:44.046Z", + "datePublished": "2023-01-30T21:35:42.349Z", + "dateUpdated": "2024-06-03T14:59:27.250Z" + }, + "containers": { + "cna": { + "descriptions": [ + { + "lang": "en", + "value": "Potential security vulnerabilities have been identified in HP Support Assistant. These vulnerabilities include privilege escalation, compromise of integrity, allowed communication with untrusted clients, and unauthorized modification of files." + } + ], + "affected": [ + { + "versions": [ + { + "version": "See HP Security Bulletin reference for affected versions.", + "status": "affected" + } + ], + "product": "HP Support Assistant", + "vendor": "HP Inc." + } + ], + "references": [ + { + "url": "https://support.hp.com/us-en/document/ish_5585999-5586023-16/hpsbgn03762" + } + ], + "providerMetadata": { + "orgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2", + "shortName": "hp", + "dateUpdated": "2023-02-01T06:15:59.102527Z" + }, + "x_generator": { + "engine": "cveClient/1.0.13" + }, + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:27.250Z" + }, + "references": [ + { + "name": "Test (7563/24750) [3813/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23454" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23455", + "assignerOrgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2", + "state": "PUBLISHED", + "assignerShortName": "hp", + "dateReserved": "2022-01-19T16:54:44.046Z", + "datePublished": "2023-01-30T21:36:24.359Z", + "dateUpdated": "2024-06-03T14:59:27.564Z" + }, + "containers": { + "cna": { + "descriptions": [ + { + "lang": "en", + "value": "Potential security vulnerabilities have been identified in HP Support Assistant. These vulnerabilities include privilege escalation, compromise of integrity, allowed communication with untrusted clients, and unauthorized modification of files." + } + ], + "affected": [ + { + "versions": [ + { + "version": "See HP Security Bulletin reference for affected versions.", + "status": "affected" + } + ], + "product": "HP Support Assistant", + "vendor": "HP Inc." + } + ], + "references": [ + { + "url": "https://support.hp.com/us-en/document/ish_5585999-5586023-16/hpsbgn03762" + } + ], + "providerMetadata": { + "orgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2", + "shortName": "hp", + "dateUpdated": "2023-02-01T06:15:59.102527Z" + }, + "x_generator": { + "engine": "cveClient/1.0.13" + }, + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ] + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:27.564Z" + }, + "references": [ + { + "name": "Test (7564/24750) [3814/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23455" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "n/a", + "vendor": "n/a", + "versions": [ + { + "status": "affected", + "version": "n/a" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Potential arbitrary file deletion vulnerability has been identified in HP Support Assistant software." + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "description": "n/a", + "lang": "en", + "type": "text" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-01-28T19:09:58", + "orgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2", + "shortName": "hp" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://support.hp.com/us-en/document/ish_5585999-5586023-16" + } + ], + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "hp-security-alert@hp.com", + "ID": "CVE-2022-23456", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Potential arbitrary file deletion vulnerability has been identified in HP Support Assistant software." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://support.hp.com/us-en/document/ish_5585999-5586023-16", + "refsource": "MISC", + "url": "https://support.hp.com/us-en/document/ish_5585999-5586023-16" + } + ] + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:27.879Z" + }, + "references": [ + { + "name": "Test (7565/24750) [3815/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23456" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2", + "assignerShortName": "hp", + "cveId": "CVE-2022-23456", + "datePublished": "2022-01-28T19:09:58", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:27.879Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23457", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "assignerShortName": "GitHub_M", + "dateUpdated": "2024-06-03T14:59:28.243Z", + "dateReserved": "2022-01-19T00:00:00", + "datePublished": "2022-04-25T00:00:00" + }, + "containers": { + "cna": { + "title": "Path Traversal in ESAPI", + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-01-27T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this." + } + ], + "affected": [ + { + "vendor": "OWASP ESAPI", + "product": "org.owasp.esapi:esapi", + "versions": [ + { + "version": "2.3.0.0", + "status": "affected", + "lessThan": "2.3.0.0", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/" + }, + { + "url": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2" + }, + { + "url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230127-0014/" + } + ], + "metrics": [ + { + "cvssV3_1": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "cweId": "CWE-22" + } + ] + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "source": { + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:28.243Z" + }, + "references": [ + { + "name": "Test (7566/24750) [3816/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23457" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "tui.grid", + "vendor": "nhn", + "versions": [ + { + "lessThan": "4.21.3", + "status": "affected", + "version": "4.21.3", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Toast UI Grid is a component to display and edit data. Versions prior to 4.21.3 are vulnerable to cross-site scripting attacks when pasting specially crafted content into editable cells. This issue was fixed in version 4.21.3. There are no known workarounds." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Cross-site Scripting (XSS)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-22T22:05:09", + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M" + }, + "references": [ + { + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://securitylab.github.com/advisories/GHSL-2022-029_nhn_tui_grid/" + }, + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/nhn/tui.grid/commit/e9db5968675ae113c07efc091cce210f2b26854f" + } + ], + "source": { + "advisory": "GHSL-2022-029", + "discovery": "UNKNOWN" + }, + "title": "Toast UI Grid vulnerable to Cross-site scripting", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", + "ID": "CVE-2022-23458", + "STATE": "PUBLIC", + "TITLE": "Toast UI Grid vulnerable to Cross-site scripting" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "tui.grid", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "4.21.3", + "version_value": "4.21.3" + } + ] + } + } + ] + }, + "vendor_name": "nhn" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Toast UI Grid is a component to display and edit data. Versions prior to 4.21.3 are vulnerable to cross-site scripting attacks when pasting specially crafted content into editable cells. This issue was fixed in version 4.21.3. There are no known workarounds." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://securitylab.github.com/advisories/GHSL-2022-029_nhn_tui_grid/", + "refsource": "CONFIRM", + "url": "https://securitylab.github.com/advisories/GHSL-2022-029_nhn_tui_grid/" + }, + { + "name": "https://github.com/nhn/tui.grid/commit/e9db5968675ae113c07efc091cce210f2b26854f", + "refsource": "MISC", + "url": "https://github.com/nhn/tui.grid/commit/e9db5968675ae113c07efc091cce210f2b26854f" + } + ] + }, + "source": { + "advisory": "GHSL-2022-029", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:28.560Z" + }, + "references": [ + { + "name": "Test (7567/24750) [3817/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23458" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "assignerShortName": "GitHub_M", + "cveId": "CVE-2022-23458", + "datePublished": "2022-09-22T22:05:09", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:28.560Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jsonxx", + "vendor": "hjiang", + "versions": [ + { + "lessThanOrEqual": "1.0.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-416", + "description": "CWE-416 Use After Free", + "lang": "en", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-415", + "description": "CWE-415 Double Free", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-19T19:00:16", + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Double free or Use after Free in Value class of Jsonxx", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", + "ID": "CVE-2022-23459", + "STATE": "PUBLIC", + "TITLE": "Double free or Use after Free in Value class of Jsonxx" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jsonxx", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.0.1" + } + ] + } + } + ] + }, + "vendor_name": "hjiang" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-416 Use After Free" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "CWE-415 Double Free" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx", + "refsource": "MISC", + "url": "https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:28.883Z" + }, + "references": [ + { + "name": "Test (7568/24750) [3818/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23459" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "assignerShortName": "GitHub_M", + "cveId": "CVE-2022-23459", + "datePublished": "2022-08-19T19:00:16", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:28.883Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jsonxx", + "vendor": "hjiang", + "versions": [ + { + "lessThanOrEqual": "1.0.1", + "status": "affected", + "version": "unspecified", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-121", + "description": "CWE-121 Stack-based Buffer Overflow", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-08-19T20:10:08", + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://securitylab.github.com/advisories/GHSL-2022-049_Jsonxx" + } + ], + "source": { + "discovery": "UNKNOWN" + }, + "title": "Stack overflow in Jsonxx", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", + "ID": "CVE-2022-23460", + "STATE": "PUBLIC", + "TITLE": "Stack overflow in Jsonxx" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jsonxx", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "1.0.1" + } + ] + } + } + ] + }, + "vendor_name": "hjiang" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-121 Stack-based Buffer Overflow" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://securitylab.github.com/advisories/GHSL-2022-049_Jsonxx", + "refsource": "MISC", + "url": "https://securitylab.github.com/advisories/GHSL-2022-049_Jsonxx" + } + ] + }, + "source": { + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:29.217Z" + }, + "references": [ + { + "name": "Test (7569/24750) [3819/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23460" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "assignerShortName": "GitHub_M", + "cveId": "CVE-2022-23460", + "datePublished": "2022-08-19T20:10:08", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:29.217Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Jodit Editor", + "vendor": "xdan", + "versions": [ + { + "lessThanOrEqual": "3.20.4", + "status": "affected", + "version": "3.20.4", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workarounds." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "description": "CWE-79 Cross-site Scripting (XSS)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-24T03:25:08", + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://securitylab.github.com/advisories/GHSL-2022-030_xdan_jodit/" + } + ], + "source": { + "advisory": "GHSL-2022-030", + "discovery": "UNKNOWN" + }, + "title": "Cross-Site Scripting (XSS) in Jodit Editor", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", + "ID": "CVE-2022-23461", + "STATE": "PUBLIC", + "TITLE": "Cross-Site Scripting (XSS) in Jodit Editor" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Jodit Editor", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "3.20.4", + "version_value": "3.20.4" + } + ] + } + } + ] + }, + "vendor_name": "xdan" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workarounds." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Cross-site Scripting (XSS)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://securitylab.github.com/advisories/GHSL-2022-030_xdan_jodit/", + "refsource": "MISC", + "url": "https://securitylab.github.com/advisories/GHSL-2022-030_xdan_jodit/" + } + ] + }, + "source": { + "advisory": "GHSL-2022-030", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:29.632Z" + }, + "references": [ + { + "name": "Test (7570/24750) [3820/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23461" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "assignerShortName": "GitHub_M", + "cveId": "CVE-2022-23461", + "datePublished": "2022-09-24T03:05:08", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:29.632Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23462", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "assignerShortName": "GitHub_M", + "dateUpdated": "2024-06-03T14:59:29.953Z", + "dateReserved": "2022-01-19T00:00:00", + "datePublished": "2022-10-21T00:00:00" + }, + "containers": { + "cna": { + "title": "Stack Buffer Overflow in iowow", + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-10-21T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "IOWOW is a C utility library and persistent key/value storage engine. Versions 1.4.15 and prior contain a stack buffer overflow vulnerability that allows for Denial of Service (DOS) when it parses scientific notation numbers present in JSON. A patch for this issue is available at commit a79d31e4cff1d5a08f665574b29fd885897a28fd in the `master` branch of the repository. There are no workarounds other than applying the patch." + } + ], + "affected": [ + { + "vendor": "Softmotions", + "product": "iowow", + "versions": [ + { + "version": "1.4.15", + "status": "affected", + "lessThanOrEqual": "1.4.15", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://securitylab.github.com/advisories/GHSL-2022-066_iowow/" + }, + { + "url": "https://github.com/Softmotions/iowow/commit/a79d31e4cff1d5a08f665574b29fd885897a28fd" + } + ], + "metrics": [ + { + "cvssV3_1": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "attackVector": "LOCAL", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + "baseScore": 6.2, + "baseSeverity": "MEDIUM" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-120 Buffer Overflow", + "cweId": "CWE-120" + } + ] + }, + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-121 Stack-based Buffer Overflow", + "cweId": "CWE-121" + } + ] + } + ], + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "source": { + "advisory": "GHSL-2022-066", + "defect": [ + "GHSL-2022-066" + ], + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:29.953Z" + }, + "references": [ + { + "name": "Test (7571/24750) [3821/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23462" + } + ] + } + ] + } + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Discover", + "vendor": "Nepxion", + "versions": [ + { + "lessThanOrEqual": "6.16.2", + "status": "affected", + "version": "6.16.2", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There is no patch available for this issue at time of publication. There are no known workarounds." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 9.4, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-917", + "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-24T04:40:12", + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery/" + } + ], + "source": { + "advisory": "GHSL-2022-033", + "discovery": "UNKNOWN" + }, + "title": "SpEL Injection in Nepxion Discovery", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", + "ID": "CVE-2022-23463", + "STATE": "PUBLIC", + "TITLE": "SpEL Injection in Nepxion Discovery" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Discover", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "6.16.2", + "version_value": "6.16.2" + } + ] + } + } + ] + }, + "vendor_name": "Nepxion" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There is no patch available for this issue at time of publication. There are no known workarounds." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 9.4, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery/", + "refsource": "MISC", + "url": "https://securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery/" + } + ] + }, + "source": { + "advisory": "GHSL-2022-033", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:30.280Z" + }, + "references": [ + { + "name": "Test (7572/24750) [3822/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23463" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "assignerShortName": "GitHub_M", + "cveId": "CVE-2022-23463", + "datePublished": "2022-09-24T04:40:12", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:30.280Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "containers": { + "cna": { + "affected": [ + { + "product": "Discovery", + "vendor": "Nepxion", + "versions": [ + { + "lessThanOrEqual": "6.16.2", + "status": "affected", + "version": "6.16.2", + "versionType": "custom" + } + ] + } + ], + "descriptions": [ + { + "lang": "en", + "value": "Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information Disclosure. There is no patch available for this issue at time of publication. There are no known workarounds." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-918", + "description": "CWE-918 Server-Side Request Forgery (SSRF)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "dateUpdated": "2022-09-24T04:40:08", + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M" + }, + "references": [ + { + "tags": [ + "x_refsource_MISC" + ], + "url": "https://securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery/" + } + ], + "source": { + "advisory": "GHSL-2022-034", + "discovery": "UNKNOWN" + }, + "title": "Potential Server Side Request Forgery (SSRF) in Nepxion Discovery", + "x_generator": { + "engine": "Vulnogram 0.0.9" + }, + "x_legacyV4Record": { + "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", + "ID": "CVE-2022-23464", + "STATE": "PUBLIC", + "TITLE": "Potential Server Side Request Forgery (SSRF) in Nepxion Discovery" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Discovery", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "6.16.2", + "version_value": "6.16.2" + } + ] + } + } + ] + }, + "vendor_name": "Nepxion" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information Disclosure. There is no patch available for this issue at time of publication. There are no known workarounds." + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-918 Server-Side Request Forgery (SSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery/", + "refsource": "MISC", + "url": "https://securitylab.github.com/advisories/GHSL-2022-033_GHSL-2022-034_Discovery/" + } + ] + }, + "source": { + "advisory": "GHSL-2022-034", + "discovery": "UNKNOWN" + } + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:30.596Z" + }, + "references": [ + { + "name": "Test (7573/24750) [3823/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23464" + } + ] + } + ] + }, + "cveMetadata": { + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "assignerShortName": "GitHub_M", + "cveId": "CVE-2022-23464", + "datePublished": "2022-09-24T04:40:08", + "dateReserved": "2022-01-19T00:00:00", + "dateUpdated": "2024-06-03T14:59:30.596Z", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.1" + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23465", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.755Z", + "datePublished": "2022-12-02T22:53:45.174Z", + "dateUpdated": "2024-06-03T14:59:30.912Z" + }, + "containers": { + "cna": { + "title": "SwiftTerm vulnerable to arbitrary command execution", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-94", + "lang": "en", + "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 7.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/migueldeicaza/SwiftTerm/security/advisories/GHSA-jq43-q8mx-r7mq", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/migueldeicaza/SwiftTerm/security/advisories/GHSA-jq43-q8mx-r7mq" + }, + { + "name": "https://github.com/migueldeicaza/SwiftTerm/commit/a94e6b24d24ce9680ad79884992e1dff8e150a31", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/migueldeicaza/SwiftTerm/commit/a94e6b24d24ce9680ad79884992e1dff8e150a31" + } + ], + "affected": [ + { + "vendor": "migueldeicaza", + "product": "SwiftTerm", + "versions": [ + { + "version": "< a94e6b24d24ce9680ad79884992e1dff8e150a31", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-02T22:53:45.174Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "SwiftTerm is a Xterm/VT100 Terminal emulator. Prior to commit a94e6b24d24ce9680ad79884992e1dff8e150a31, an attacker could modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Version a94e6b24d24ce9680ad79884992e1dff8e150a31 contains a patch for this issue. There are no known workarounds available." + } + ], + "source": { + "advisory": "GHSA-jq43-q8mx-r7mq", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:30.912Z" + }, + "references": [ + { + "name": "Test (7574/24750) [3824/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23465" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23466", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.755Z", + "datePublished": "2022-12-06T17:58:52.867Z", + "dateUpdated": "2024-06-03T14:59:31.221Z" + }, + "containers": { + "cna": { + "title": "DOM-based cross-site scripting (XSS) in teler dashboard", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "lang": "en", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q" + }, + { + "name": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e" + } + ], + "affected": [ + { + "vendor": "kitabisa", + "product": "teler", + "versions": [ + { + "version": ">= v2.0.0-rc, < v2.0.0-rc.4", + "status": "affected" + }, + { + "version": "= v2.0.0-dev", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-06T17:58:52.867Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability." + } + ], + "source": { + "advisory": "GHSA-xr7p-8q82-878q", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:31.221Z" + }, + "references": [ + { + "name": "Test (7575/24750) [3825/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23466" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23467", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.756Z", + "datePublished": "2022-12-05T19:22:30.988Z", + "dateUpdated": "2024-06-03T14:59:31.560Z" + }, + "containers": { + "cna": { + "title": "Out of Bounds Read in OpenRazer Driver", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "lang": "en", + "description": "CWE-125: Out-of-bounds Read", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "PHYSICAL", + "availabilityImpact": "LOW", + "baseScore": 4.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h" + }, + { + "name": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6" + } + ], + "affected": [ + { + "vendor": "openrazer", + "product": "openrazer", + "versions": [ + { + "version": "< 3.5.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-05T19:22:30.988Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. Using a modified USB device an attacker can leak stack addresses of the `razer_attr_read_dpi_stages`, potentially bypassing KASLR. To exploit this vulnerability an attacker would need to access to a users keyboard or mouse or would need to convince a user to use a modified device. The issue has been patched in v3.5.1. Users are advised to upgrade and should be reminded not to plug in unknown USB devices." + } + ], + "source": { + "advisory": "GHSA-39hg-jvc9-fg7h", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:31.560Z" + }, + "references": [ + { + "name": "Test (7576/24750) [3826/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23467" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23468", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.756Z", + "datePublished": "2022-12-09T17:49:24.766Z", + "dateUpdated": "2024-06-03T14:59:31.882Z" + }, + "containers": { + "cna": { + "title": "Buffer Overflow in xrdp", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "lang": "en", + "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8c2f-mw8m-qpx6", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8c2f-mw8m-qpx6" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5502" + } + ], + "affected": [ + { + "vendor": "neutrinolabs", + "product": "xrdp", + "versions": [ + { + "version": "< 0.9.21", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T17:49:24.766Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP).\nxrdp < v0.9.21 contain a buffer over flow in xrdp_login_wnd_create() function. There are no known workarounds for this issue. Users are advised to upgrade." + } + ], + "source": { + "advisory": "GHSA-8c2f-mw8m-qpx6", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:31.882Z" + }, + "references": [ + { + "name": "Test (7577/24750) [3827/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23468" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23469", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.756Z", + "datePublished": "2022-12-08T21:33:19.114Z", + "dateUpdated": "2024-06-03T14:59:32.204Z" + }, + "containers": { + "cna": { + "title": "Authorization header displayed in the debug logs", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-200", + "lang": "en", + "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.5, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/traefik/traefik/security/advisories/GHSA-h2ph-vhm7-g4hp" + }, + { + "name": "https://github.com/traefik/traefik/pull/9574", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/traefik/traefik/pull/9574" + }, + { + "name": "https://github.com/traefik/traefik/releases/tag/v2.9.6", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/traefik/traefik/releases/tag/v2.9.6" + } + ], + "affected": [ + { + "vendor": "traefik", + "product": "traefik", + "versions": [ + { + "version": "< 2.9.6", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-08T21:33:19.114Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`." + } + ], + "source": { + "advisory": "GHSA-h2ph-vhm7-g4hp", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:32.204Z" + }, + "references": [ + { + "name": "Test (7578/24750) [3828/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23469" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23470", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.756Z", + "datePublished": "2022-12-06T17:37:23.638Z", + "dateUpdated": "2024-06-03T14:59:32.543Z" + }, + "containers": { + "cna": { + "title": "Arbitrary file access in the Galaxy data analysis platform", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-22", + "lang": "en", + "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.6, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-grjf-2ghx-q77x", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/galaxyproject/galaxy/security/advisories/GHSA-grjf-2ghx-q77x" + }, + { + "name": "https://github.com/galaxyproject/galaxy/commit/e5e6bda4f014f807ca77ee0cf6af777a55918346", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/galaxyproject/galaxy/commit/e5e6bda4f014f807ca77ee0cf6af777a55918346" + } + ], + "affected": [ + { + "vendor": "galaxyproject", + "product": "galaxy", + "versions": [ + { + "version": ">= 22.01, <= 22.05", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-06T17:37:23.638Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy's internal middleware. This issue has been patched in commit `e5e6bda4f` and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability." + } + ], + "source": { + "advisory": "GHSA-grjf-2ghx-q77x", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:32.543Z" + }, + "references": [ + { + "name": "Test (7579/24750) [3829/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23470" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23471", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.757Z", + "datePublished": "2022-12-07T22:51:34.193Z", + "dateUpdated": "2024-06-03T14:59:32.860Z" + }, + "containers": { + "cna": { + "title": "containerd CRI stream server: Host memory exhaustion through terminal resize goroutine leak", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-400", + "lang": "en", + "description": "CWE-400: Uncontrolled Resource Consumption", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 5.7, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9" + }, + { + "name": "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0" + }, + { + "url": "https://security.gentoo.org/glsa/202401-31" + } + ], + "affected": [ + { + "vendor": "containerd", + "product": "containerd", + "versions": [ + { + "version": "< 1.5.16", + "status": "affected" + }, + { + "version": ">= 1.6.0, < 1.6.12", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-07T22:51:34.193Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. " + } + ], + "source": { + "advisory": "GHSA-2qjp-425j-52j9", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:32.860Z" + }, + "references": [ + { + "name": "Test (7580/24750) [3830/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23471" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23472", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.757Z", + "datePublished": "2022-12-06T17:18:59.217Z", + "dateUpdated": "2024-06-03T14:59:33.181Z" + }, + "containers": { + "cna": { + "title": "Use of insecure random number generator in Passeo", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-338", + "lang": "en", + "description": "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/ArjunSharda/Passeo/security/advisories/GHSA-mhhf-vgwh-fw9h", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/ArjunSharda/Passeo/security/advisories/GHSA-mhhf-vgwh-fw9h" + }, + { + "name": "https://github.com/ArjunSharda/Passeo/commit/8caa798b6bc4647dca59b2376204b6dc6176361a", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ArjunSharda/Passeo/commit/8caa798b6bc4647dca59b2376204b6dc6176361a" + }, + { + "name": "https://peps.python.org/pep-0506/", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://peps.python.org/pep-0506/" + } + ], + "affected": [ + { + "vendor": "ArjunSharda", + "product": "Passeo", + "versions": [ + { + "version": "< 1.0.5", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-06T17:18:59.217Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python `random` library for random value selection. The python `random` library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator. As a result a motivated attacker may be able to guess generated passwords. This issue has been addressed in version 1.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability." + } + ], + "source": { + "advisory": "GHSA-mhhf-vgwh-fw9h", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:33.181Z" + }, + "references": [ + { + "name": "Test (7581/24750) [3831/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23472" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23473", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.757Z", + "datePublished": "2022-12-13T06:46:17.479Z", + "dateUpdated": "2024-06-03T14:59:33.515Z" + }, + "containers": { + "cna": { + "title": "Tuleap MediaWiki standalone \"readers\" can also edit pages", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-863", + "lang": "en", + "description": "CWE-863: Incorrect Authorization", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-c7rr-5vmc-rgcw", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-c7rr-5vmc-rgcw" + }, + { + "name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=97cac78302170a883c1d60c9fa6dfd0d95854cb9", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=97cac78302170a883c1d60c9fa6dfd0d95854cb9" + }, + { + "name": "https://tuleap.net/plugins/tracker/?aid=29645", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://tuleap.net/plugins/tracker/?aid=29645" + } + ], + "affected": [ + { + "vendor": "Enalean", + "product": "tuleap", + "versions": [ + { + "version": "< 14.2.99.148", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-13T06:46:17.479Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.148, Authorizations are not properly verified when accessing MediaWiki standalone resources. Users with read only permissions for pages are able to also edit them. This only affects the MediaWiki standalone plugin. This issue is patched in versions Tuleap Community Edition 14.2.99.148, Tuleap Enterprise Edition 14.2-5, and Tuleap Enterprise Edition 14.1-6." + } + ], + "source": { + "advisory": "GHSA-c7rr-5vmc-rgcw", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:33.515Z" + }, + "references": [ + { + "name": "Test (7582/24750) [3832/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23473" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23474", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.757Z", + "datePublished": "2022-12-15T02:08:07.054Z", + "dateUpdated": "2024-06-03T14:59:33.819Z" + }, + "containers": { + "cna": { + "title": "editor.js contains Code Injection", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-94", + "lang": "en", + "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://securitylab.github.com/advisories/GHSL-2022-028_codex-team_editor_js/", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://securitylab.github.com/advisories/GHSL-2022-028_codex-team_editor_js/" + }, + { + "name": "https://github.com/codex-team/editor.js/pull/2100", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/codex-team/editor.js/pull/2100" + } + ], + "affected": [ + { + "vendor": "codex-team", + "product": "editor.js", + "versions": [ + { + "version": "2.26.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-15T02:08:07.054Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0." + } + ], + "source": { + "advisory": "GHSA-6mvj-2569-3mcm", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:33.819Z" + }, + "references": [ + { + "name": "Test (7583/24750) [3833/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23474" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23475", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.758Z", + "datePublished": "2022-12-06T19:13:36.217Z", + "dateUpdated": "2024-06-03T14:59:34.126Z" + }, + "containers": { + "cna": { + "title": "dalorRadius full account take over", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "lang": "en", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-352", + "lang": "en", + "description": "CWE-352: Cross-Site Request Forgery (CSRF)", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/lirantal/daloradius/security/advisories/GHSA-c9xx-6mvw-9v84", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/lirantal/daloradius/security/advisories/GHSA-c9xx-6mvw-9v84" + }, + { + "name": "https://github.com/lirantal/daloradius/commit/ec3b4a419e20540cf28ce60e48998b893e3f1dea", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/lirantal/daloradius/commit/ec3b4a419e20540cf28ce60e48998b893e3f1dea" + } + ], + "affected": [ + { + "vendor": "lirantal", + "product": "daloradius", + "versions": [ + { + "version": "<= 1.3", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-06T19:13:36.217Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue with in two parts 1) The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms. 2) The XSS vulnerability may be mitigated by escaping it or by introducing a Content-Security policy.\n\n\n" + } + ], + "source": { + "advisory": "GHSA-c9xx-6mvw-9v84", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:34.126Z" + }, + "references": [ + { + "name": "Test (7584/24750) [3834/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23475" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23476", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.758Z", + "datePublished": "2022-12-08T03:03:24.572Z", + "dateUpdated": "2024-06-03T14:59:34.461Z" + }, + "containers": { + "cna": { + "title": "Unchecked return value from xmlTextReaderExpand in Nokogiri", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-252", + "lang": "en", + "description": "CWE-252: Unchecked Return Value", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-476", + "lang": "en", + "description": "CWE-476: NULL Pointer Dereference", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj" + }, + { + "name": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce" + }, + { + "name": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50" + } + ], + "affected": [ + { + "vendor": "sparklemotion", + "product": "nokogiri", + "versions": [ + { + "version": ">= 1.13.8, < 1.13.10", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-08T03:03:24.572Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected." + } + ], + "source": { + "advisory": "GHSA-qv4q-mr5r-qprj", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:34.461Z" + }, + "references": [ + { + "name": "Test (7585/24750) [3835/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23476" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23477", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.759Z", + "datePublished": "2022-12-09T17:51:32.781Z", + "dateUpdated": "2024-06-03T14:59:34.777Z" + }, + "containers": { + "cna": { + "title": "Buffer Overflow in xrdp", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "lang": "en", + "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.1, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-hqw2-jx2c-wrr2", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-hqw2-jx2c-wrr2" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5502" + } + ], + "affected": [ + { + "vendor": "neutrinolabs", + "product": "xrdp", + "versions": [ + { + "version": "< 0.9.21", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T17:51:32.781Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP).\nxrdp < v0.9.21 contain a buffer over flow in audin_send_open() function. There are no known workarounds for this issue. Users are advised to upgrade." + } + ], + "source": { + "advisory": "GHSA-hqw2-jx2c-wrr2", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:34.777Z" + }, + "references": [ + { + "name": "Test (7586/24750) [3836/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23477" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23478", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.759Z", + "datePublished": "2022-12-09T17:49:42.594Z", + "dateUpdated": "2024-06-03T14:59:35.087Z" + }, + "containers": { + "cna": { + "title": "Out of Bound Write in xrdp", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-787", + "lang": "en", + "description": "CWE-787: Out-of-bounds Write", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.1, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2f49-wwpm-78pj", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2f49-wwpm-78pj" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5502" + } + ], + "affected": [ + { + "vendor": "neutrinolabs", + "product": "xrdp", + "versions": [ + { + "version": "< 0.9.21", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T17:49:42.594Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP).\nxrdp < v0.9.21 contain a Out of Bound Write in xrdp_mm_trans_process_drdynvc_channel_open() function. There are no known workarounds for this issue. Users are advised to upgrade." + } + ], + "source": { + "advisory": "GHSA-2f49-wwpm-78pj", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:35.087Z" + }, + "references": [ + { + "name": "Test (7587/24750) [3837/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23478" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23479", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.760Z", + "datePublished": "2022-12-09T17:49:56.260Z", + "dateUpdated": "2024-06-03T14:59:35.411Z" + }, + "containers": { + "cna": { + "title": "Buffer Overflow occurs in xrdp", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "lang": "en", + "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.1, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-pgx2-3fjj-fqqh", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-pgx2-3fjj-fqqh" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5502" + } + ], + "affected": [ + { + "vendor": "neutrinolabs", + "product": "xrdp", + "versions": [ + { + "version": "< 0.9.21", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T17:49:56.260Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP).\nxrdp < v0.9.21 contain a buffer over flow in xrdp_mm_chan_data_in() function. There are no known workarounds for this issue. Users are advised to upgrade." + } + ], + "source": { + "advisory": "GHSA-pgx2-3fjj-fqqh", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:35.411Z" + }, + "references": [ + { + "name": "Test (7588/24750) [3838/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23479" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23480", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.760Z", + "datePublished": "2022-12-09T17:50:08.748Z", + "dateUpdated": "2024-06-03T14:59:35.723Z" + }, + "containers": { + "cna": { + "title": "Buffer Overflow in xrdp", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-120", + "lang": "en", + "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.1, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-3jmx-f6hv-95wg", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-3jmx-f6hv-95wg" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5502" + } + ], + "affected": [ + { + "vendor": "neutrinolabs", + "product": "xrdp", + "versions": [ + { + "version": "< 0.9.21", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T17:50:08.748Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP).\nxrdp < v0.9.21 contain a buffer over flow in devredir_proc_client_devlist_announce_req() function. There are no known workarounds for this issue. Users are advised to upgrade." + } + ], + "source": { + "advisory": "GHSA-3jmx-f6hv-95wg", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:35.723Z" + }, + "references": [ + { + "name": "Test (7589/24750) [3839/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23480" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23481", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.760Z", + "datePublished": "2022-12-09T17:50:24.280Z", + "dateUpdated": "2024-06-03T14:59:36.031Z" + }, + "containers": { + "cna": { + "title": "Out-of-Bound Read in xrdp", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "lang": "en", + "description": "CWE-125: Out-of-bounds Read", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 0, + "baseSeverity": "NONE", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-hm75-9jcg-p7hq", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-hm75-9jcg-p7hq" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5502" + } + ], + "affected": [ + { + "vendor": "neutrinolabs", + "product": "xrdp", + "versions": [ + { + "version": "< 0.9.21", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T17:50:24.280Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP).\nxrdp < v0.9.21 contain a Out of Bound Read in xrdp_caps_process_confirm_active() function. There are no known workarounds for this issue. Users are advised to upgrade." + } + ], + "source": { + "advisory": "GHSA-hm75-9jcg-p7hq", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:36.031Z" + }, + "references": [ + { + "name": "Test (7590/24750) [3840/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23481" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23482", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.760Z", + "datePublished": "2022-12-09T17:50:39.075Z", + "dateUpdated": "2024-06-03T14:59:36.364Z" + }, + "containers": { + "cna": { + "title": "Out-of-Bound Read in xrdp", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "lang": "en", + "description": "CWE-125: Out-of-bounds Read", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 0, + "baseSeverity": "NONE", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-56pq-2pm9-7fhm", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-56pq-2pm9-7fhm" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5502" + } + ], + "affected": [ + { + "vendor": "neutrinolabs", + "product": "xrdp", + "versions": [ + { + "version": "< 0.9.21", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T17:50:39.075Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP).\nxrdp < v0.9.21 contain a Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() function. There are no known workarounds for this issue. Users are advised to upgrade." + } + ], + "source": { + "advisory": "GHSA-56pq-2pm9-7fhm", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:36.364Z" + }, + "references": [ + { + "name": "Test (7591/24750) [3841/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23482" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23483", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.761Z", + "datePublished": "2022-12-09T17:50:52.518Z", + "dateUpdated": "2024-06-03T14:59:36.671Z" + }, + "containers": { + "cna": { + "title": "Out-of-Bound Read in libxrdp", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "lang": "en", + "description": "CWE-125: Out-of-bounds Read", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-38rw-9ch2-fcxq", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-38rw-9ch2-fcxq" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5502" + } + ], + "affected": [ + { + "vendor": "neutrinolabs", + "product": "xrdp", + "versions": [ + { + "version": "< 0.9.21", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T17:50:52.518Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP).\nxrdp < v0.9.21 contain a Out of Bound Read in libxrdp_send_to_channel() function. There are no known workarounds for this issue. Users are advised to upgrade." + } + ], + "source": { + "advisory": "GHSA-38rw-9ch2-fcxq", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:36.671Z" + }, + "references": [ + { + "name": "Test (7592/24750) [3842/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23483" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23484", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.761Z", + "datePublished": "2022-12-09T17:51:15.376Z", + "dateUpdated": "2024-06-03T14:59:36.971Z" + }, + "containers": { + "cna": { + "title": "Integer Overflow in xrdp", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-190", + "lang": "en", + "description": "CWE-190: Integer Overflow or Wraparound", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.2, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rqfx-5fv8-q9c6", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rqfx-5fv8-q9c6" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5502" + } + ], + "affected": [ + { + "vendor": "neutrinolabs", + "product": "xrdp", + "versions": [ + { + "version": "< 0.9.21", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T17:51:15.376Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP).\nxrdp < v0.9.21 contain a Integer Overflow in xrdp_mm_process_rail_update_window_text() function. There are no known workarounds for this issue. Users are advised to upgrade." + } + ], + "source": { + "advisory": "GHSA-rqfx-5fv8-q9c6", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:36.971Z" + }, + "references": [ + { + "name": "Test (7593/24750) [3843/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23484" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23485", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.761Z", + "datePublished": "2022-12-10T00:40:46.301Z", + "dateUpdated": "2024-06-03T14:59:37.291Z" + }, + "containers": { + "cna": { + "title": "Invite code reuse via cookie manipulation in sentry", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-269", + "lang": "en", + "description": "CWE-269: Improper Privilege Management", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-284", + "lang": "en", + "description": "CWE-284: Improper Access Control", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 6.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/getsentry/sentry/security/advisories/GHSA-jv85-mqxj-3f9j", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-jv85-mqxj-3f9j" + } + ], + "affected": [ + { + "vendor": "getsentry", + "product": "sentry", + "versions": [ + { + "version": ">= 20.6.0, < 22.11.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-10T00:40:46.301Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organization. As a result an attacker with a valid invite link can create multiple users and join an organization they may not have been originally invited to. This issue was patched in version 22.11.0. Sentry SaaS customers do not need to take action. Self-hosted Sentry installs on systems which can not upgrade can disable the invite functionality until they are ready to deploy the patched version by editing their `sentry.conf.py` file (usually located at `~/.sentry/`).\n" + } + ], + "source": { + "advisory": "GHSA-jv85-mqxj-3f9j", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:37.291Z" + }, + "references": [ + { + "name": "Test (7594/24750) [3844/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23485" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23486", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.761Z", + "datePublished": "2022-12-07T20:03:35.212Z", + "dateUpdated": "2024-06-03T14:59:37.604Z" + }, + "containers": { + "cna": { + "title": "libp2p-rust denial of service vulnerability from lack of resource management", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-400", + "lang": "en", + "description": "CWE-400: Uncontrolled Resource Consumption", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8" + } + ], + "affected": [ + { + "vendor": "libp2p", + "product": "rust-libp2p", + "versions": [ + { + "version": "< 0.45.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-07T20:03:35.212Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/." + } + ], + "source": { + "advisory": "GHSA-jvgw-gccv-q5p8", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:37.604Z" + }, + "references": [ + { + "name": "Test (7595/24750) [3845/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23486" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23487", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.762Z", + "datePublished": "2022-12-07T20:05:35.319Z", + "dateUpdated": "2024-06-03T14:59:37.908Z" + }, + "containers": { + "cna": { + "title": "libp2p denial of service vulnerability from lack of resource management", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-400", + "lang": "en", + "description": "CWE-400: Uncontrolled Resource Consumption", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv" + } + ], + "affected": [ + { + "vendor": "libp2p", + "product": "js-libp2p", + "versions": [ + { + "version": "< 0.38.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-07T20:05:35.319Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability." + } + ], + "source": { + "advisory": "GHSA-f44q-634c-jvwv", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:37.908Z" + }, + "references": [ + { + "name": "Test (7596/24750) [3846/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23487" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23488", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.762Z", + "datePublished": "2022-12-17T00:28:46.567Z", + "dateUpdated": "2024-06-03T14:59:38.212Z" + }, + "containers": { + "cna": { + "title": "BigBlueButton vulnerable to Insertion of Sensitive Information Into Sent Data", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-201", + "lang": "en", + "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-200", + "lang": "en", + "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq" + }, + { + "name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6" + } + ], + "affected": [ + { + "vendor": "bigbluebutton", + "product": "bigbluebutton", + "versions": [ + { + "version": "< 2.4-rc-6", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-17T00:28:46.567Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds." + } + ], + "source": { + "advisory": "GHSA-j5g3-f74q-rvfq", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:38.212Z" + }, + "references": [ + { + "name": "Test (7597/24750) [3847/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23488" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23490", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.762Z", + "datePublished": "2022-12-16T21:02:30.109Z", + "dateUpdated": "2024-06-03T14:59:38.519Z" + }, + "containers": { + "cna": { + "title": "Improper access control to polling votes", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-200", + "lang": "en", + "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-863", + "lang": "en", + "description": "CWE-863: Incorrect Authorization", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4qgc-xhw5-6qfg", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4qgc-xhw5-6qfg" + }, + { + "name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0" + } + ], + "affected": [ + { + "vendor": "bigbluebutton", + "product": "bigbluebutton", + "versions": [ + { + "version": "< 2.4.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-16T21:02:30.109Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update the client UI, but does give the attacker access to the contents of the collection, which include the individual poll responses. This issue is patched in version 2.4.0. There are no workarounds.\n" + } + ], + "source": { + "advisory": "GHSA-4qgc-xhw5-6qfg", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:38.519Z" + }, + "references": [ + { + "name": "Test (7598/24750) [3848/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23490" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23491", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.763Z", + "datePublished": "2022-12-07T21:15:53.804Z", + "dateUpdated": "2024-06-03T14:59:38.827Z" + }, + "containers": { + "cna": { + "title": "Removal of TrustCor root certificate", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-345", + "lang": "en", + "description": "CWE-345: Insufficient Verification of Data Authenticity", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8" + }, + { + "name": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ" + } + ], + "affected": [ + { + "vendor": "certifi", + "product": "python-certifi", + "versions": [ + { + "version": "< 2022.12.07", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-07T21:15:53.804Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from \"TrustCor\" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion." + } + ], + "source": { + "advisory": "GHSA-43fp-rhv2-5gv8", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:38.827Z" + }, + "references": [ + { + "name": "Test (7599/24750) [3849/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23491" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23492", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.765Z", + "datePublished": "2022-12-08T00:08:11.210Z", + "dateUpdated": "2024-06-03T14:59:39.136Z" + }, + "containers": { + "cna": { + "title": "go-libp2p denial of service vulnerability from lack of resource management", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-400", + "lang": "en", + "description": "CWE-400: Uncontrolled Resource Consumption", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw" + }, + { + "name": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de" + }, + { + "name": "https://docs.libp2p.io/reference/dos-mitigation/", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://docs.libp2p.io/reference/dos-mitigation/" + } + ], + "affected": [ + { + "vendor": "libp2p", + "product": "go-libp2p", + "versions": [ + { + "version": "< 0.18.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-08T00:08:11.210Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks. " + } + ], + "source": { + "advisory": "GHSA-j7qp-mfxf-8xjw", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T14:59:39.136Z" + }, + "references": [ + { + "name": "Test (7600/24750) [3850/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23492" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23493", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.765Z", + "datePublished": "2022-12-09T17:48:49.800Z", + "dateUpdated": "2024-06-03T15:00:06.777Z" + }, + "containers": { + "cna": { + "title": "Out of Bound Read in xrdp", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "lang": "en", + "description": "CWE-125: Out-of-bounds Read", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.1, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-59wp-3wq6-jh5v", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-59wp-3wq6-jh5v" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5502" + } + ], + "affected": [ + { + "vendor": "neutrinolabs", + "product": "xrdp", + "versions": [ + { + "version": "< 0.9.21", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T17:48:49.800Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP).\nxrdp < v0.9.21 contain a Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close() function. There are no known workarounds for this issue. Users are advised to upgrade." + } + ], + "source": { + "advisory": "GHSA-59wp-3wq6-jh5v", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:06.777Z" + }, + "references": [ + { + "name": "Test (7601/24750) [3851/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23493" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23494", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.766Z", + "datePublished": "2022-12-08T21:29:26.610Z", + "dateUpdated": "2024-06-03T15:00:07.088Z" + }, + "containers": { + "cna": { + "title": "Cross-site scripting vulnerability in TinyMCE alerts", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "lang": "en", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92" + }, + { + "name": "https://github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e" + }, + { + "name": "https://github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d" + }, + { + "name": "https://www.tiny.cloud/docs/release-notes/release-notes5107/#securityfixes", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.tiny.cloud/docs/release-notes/release-notes5107/#securityfixes" + }, + { + "name": "https://www.tiny.cloud/docs/tinymce/6/6.3-release-notes/#security-fixes", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.tiny.cloud/docs/tinymce/6/6.3-release-notes/#security-fixes" + }, + { + "name": "https://www.tiny.cloud/docs/tinymce/6/file-image-upload/#images_upload_handler", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://www.tiny.cloud/docs/tinymce/6/file-image-upload/#images_upload_handler" + } + ], + "affected": [ + { + "vendor": "tinymce", + "product": "tinymce", + "versions": [ + { + "version": "< 5.10.7", + "status": "affected" + }, + { + "version": ">= 6.0.0, < 6.3.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-08T21:29:26.610Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the `image` plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the `images_upload_handler` returns a valid value as per the images_upload_handler documentation." + } + ], + "source": { + "advisory": "GHSA-gg8r-xjwq-4w92", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:07.088Z" + }, + "references": [ + { + "name": "Test (7602/24750) [3852/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23494" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23495", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.766Z", + "datePublished": "2022-12-08T21:25:40.257Z", + "dateUpdated": "2024-06-03T15:00:07.437Z" + }, + "containers": { + "cna": { + "title": "ProtoNode may be modified such that common method calls may panic in ipfs/go-merkledag", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-755", + "lang": "en", + "description": "CWE-755: Improper Handling of Exceptional Conditions", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46" + }, + { + "name": "https://github.com/ipfs/go-merkledag/issues/90", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ipfs/go-merkledag/issues/90" + }, + { + "name": "https://github.com/ipfs/kubo/issues/9297", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ipfs/kubo/issues/9297" + }, + { + "name": "https://github.com/ipfs/go-merkledag/pull/91", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ipfs/go-merkledag/pull/91" + }, + { + "name": "https://github.com/ipfs/go-merkledag/pull/92", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ipfs/go-merkledag/pull/92" + }, + { + "name": "https://github.com/ipfs/go-merkledag/pull/93", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ipfs/go-merkledag/pull/93" + }, + { + "name": "https://en.wikipedia.org/wiki/Directed_acyclic_graph", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://en.wikipedia.org/wiki/Directed_acyclic_graph" + }, + { + "name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.0" + }, + { + "name": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/ipfs/go-merkledag/releases/tag/v0.8.1" + } + ], + "affected": [ + { + "vendor": "ipfs", + "product": "go-merkledag", + "versions": [ + { + "version": ">= 0.4.0, < 0.8.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-08T21:25:40.257Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "go-merkledag implements the 'DAGService' interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.\n" + } + ], + "source": { + "advisory": "GHSA-x39j-h85h-3f46", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:07.437Z" + }, + "references": [ + { + "name": "Test (7603/24750) [3853/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23495" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23496", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.767Z", + "datePublished": "2022-12-08T21:19:30.227Z", + "dateUpdated": "2024-06-03T15:00:07.780Z" + }, + "containers": { + "cna": { + "title": "A crafted list can trigger a ArrayIndexOutOfBoundsException in Yauaa ", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-755", + "lang": "en", + "description": "CWE-755: Improper Handling of Exceptional Conditions", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/nielsbasjes/yauaa/security/advisories/GHSA-c4pm-63cg-9j7h", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/nielsbasjes/yauaa/security/advisories/GHSA-c4pm-63cg-9j7h" + }, + { + "name": "https://github.com/nielsbasjes/yauaa/commit/3017a866e2cff0d308f264b66fde4fa79e3beb9e", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/nielsbasjes/yauaa/commit/3017a866e2cff0d308f264b66fde4fa79e3beb9e" + } + ], + "affected": [ + { + "vendor": "nielsbasjes", + "product": "yauaa", + "versions": [ + { + "version": ">= 7.0.0, < 7.9.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-08T21:19:30.227Z" + }, + "descriptions": [ + { + "lang": "en", + "value": " Yet Another UserAgent Analyzer (Yauaa) is a java library that tries to parse and analyze the useragent string and extract as many relevant attributes as possible. Applications using the Client Hints analysis feature introduced with 7.0.0 can crash because the Yauaa library throws an ArrayIndexOutOfBoundsException. If uncaught the exception will result in a program crash. Applications that do not use this feature are not affected. Users are advised to upgrade to version 7.9.0. Users unable to upgrade may catch and discard any ArrayIndexOutOfBoundsException thrown by the Yauaa library." + } + ], + "source": { + "advisory": "GHSA-c4pm-63cg-9j7h", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:07.780Z" + }, + "references": [ + { + "name": "Test (7604/24750) [3854/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23496" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23497", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.767Z", + "datePublished": "2022-12-09T22:16:00.220Z", + "dateUpdated": "2024-06-03T15:00:08.115Z" + }, + "containers": { + "cna": { + "title": "Insecure file access in FreshRSS", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-200", + "lang": "en", + "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-hvrj-5fwj-p7v6", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-hvrj-5fwj-p7v6" + }, + { + "name": "https://github.com/FreshRSS/FreshRSS/pull/4928", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/FreshRSS/FreshRSS/pull/4928" + }, + { + "name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.2", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.2" + } + ], + "affected": [ + { + "vendor": "FreshRSS", + "product": "FreshRSS", + "versions": [ + { + "version": ">= 1.18.0, < 1.20.2", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T22:16:00.220Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords (brypt with cost 9, salted) of FreshRSS Web interface. If the API is used, the configuration might contain a hashed password (brypt with cost 9, salted) of the GReader API, and a hashed password (MD5 salted) of the Fever API. Users should update to version 1.20.2 or edge. Users unable to upgrade can apply the patch manually or delete the file `./FreshRSS/p/ext.php`." + } + ], + "source": { + "advisory": "GHSA-hvrj-5fwj-p7v6", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:08.115Z" + }, + "references": [ + { + "name": "Test (7605/24750) [3855/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23497" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23498", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.768Z", + "datePublished": "2023-02-03T21:34:58.677Z", + "dateUpdated": "2024-06-03T15:00:08.471Z" + }, + "containers": { + "cna": { + "title": "When query caching is enabled in Grafana users can query another users session", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-200", + "lang": "en", + "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 7.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8" + } + ], + "affected": [ + { + "vendor": "grafana", + "product": "grafana", + "versions": [ + { + "version": ">= 8.3.0-beta1, < 9.2.10", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-02-03T21:34:58.677Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.\n" + } + ], + "source": { + "advisory": "GHSA-2j8f-6whh-frc8", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:08.471Z" + }, + "references": [ + { + "name": "Test (7606/24750) [3856/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23498" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23499", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.768Z", + "datePublished": "2022-12-13T20:29:41.025Z", + "dateUpdated": "2024-06-03T15:00:08.788Z" + }, + "containers": { + "cna": { + "title": "Cross-Site Scripting Protection bypass in HTML Sanitizer", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "lang": "en", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-hvwx-qh2h-xcfj", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-hvwx-qh2h-xcfj" + } + ], + "affected": [ + { + "vendor": "TYPO3", + "product": "html-sanitizer", + "versions": [ + { + "version": ">= 1.0.0, < 1.5.0", + "status": "affected" + }, + { + "version": ">= 2.0.0, < 2.1.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-13T20:29:41.025Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "HTML sanitizer is written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values. In versions prior to 1.5.0 or 2.1.1, malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized due to a parsing issue in the upstream package masterminds/html5. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. The upstream package masterminds/html5 provides HTML raw text elements (`script`, `style`, `noframes`, `noembed` and `iframe`) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements were defined in the default builder configuration, that's why only custom behaviors, using one of those tag names, were vulnerable to cross-site scripting. This issue has been fixed in versions 1.5.0 and 2.1.1." + } + ], + "source": { + "advisory": "GHSA-hvwx-qh2h-xcfj", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:08.788Z" + }, + "references": [ + { + "name": "Test (7607/24750) [3857/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23499" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23500", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.769Z", + "datePublished": "2022-12-14T07:07:05.039Z", + "dateUpdated": "2024-06-03T15:00:09.097Z" + }, + "containers": { + "cna": { + "title": "TYPO3 subject to Uncontrolled Recursion resulting in Denial of Service", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-674", + "lang": "en", + "description": "CWE-674: Uncontrolled Recursion", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-8c28-5mp7-v24h", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-8c28-5mp7-v24h" + } + ], + "affected": [ + { + "vendor": "TYPO3", + "product": "typo3", + "versions": [ + { + "version": ">= 9.0.0, < 9.5.38", + "status": "affected" + }, + { + "version": ">= 10.0.0, < 10.4.33", + "status": "affected" + }, + { + "version": ">= 11.0.0, < 11.5.20", + "status": "affected" + }, + { + "version": ">= 12.0.0, < 12.1.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T07:07:05.039Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "TYPO3 is an open source PHP based web content management system. In versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1, requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This vulnerability is very similar, but not identical, to the one described in CVE-2021-21359. This issue is patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20 or 12.1.1." + } + ], + "source": { + "advisory": "GHSA-8c28-5mp7-v24h", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:09.097Z" + }, + "references": [ + { + "name": "Test (7608/24750) [3858/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23500" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23501", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.770Z", + "datePublished": "2022-12-14T07:23:46.127Z", + "dateUpdated": "2024-06-03T15:00:09.427Z" + }, + "containers": { + "cna": { + "title": "TYPO3 vulnerable to Improper Authentication in Frontend Login", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-287", + "lang": "en", + "description": "CWE-287: Improper Authentication", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-jfp7-79g7-89rf", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-jfp7-79g7-89rf" + } + ], + "affected": [ + { + "vendor": "TYPO3", + "product": "typo3", + "versions": [ + { + "version": ">= 8.0.0, < 8.7.49", + "status": "affected" + }, + { + "version": ">= 9.0.0, < 9.5.38", + "status": "affected" + }, + { + "version": ">= 10.0.0, < 10.4.33", + "status": "affected" + }, + { + "version": ">= 11.0.0, < 11.5.20", + "status": "affected" + }, + { + "version": ">= 12.0.0, < 12.1.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T07:23:46.127Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1." + } + ], + "source": { + "advisory": "GHSA-jfp7-79g7-89rf", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:09.427Z" + }, + "references": [ + { + "name": "Test (7609/24750) [3859/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23501" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23502", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.770Z", + "datePublished": "2022-12-14T07:34:21.327Z", + "dateUpdated": "2024-06-03T15:00:09.790Z" + }, + "containers": { + "cna": { + "title": "TYPO3 contains Insufficient Session Expiration after Password Reset", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-613", + "lang": "en", + "description": "CWE-613: Insufficient Session Expiration", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr" + } + ], + "affected": [ + { + "vendor": "TYPO3", + "product": "typo3", + "versions": [ + { + "version": ">= 10.0.0, < 10.4.33", + "status": "affected" + }, + { + "version": ">= 11.0.0, < 11.5.20", + "status": "affected" + }, + { + "version": ">= 12.0.0, < 12.1.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T07:34:21.327Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, 12.1.1." + } + ], + "source": { + "advisory": "GHSA-mgj2-q8wp-29rr", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:09.790Z" + }, + "references": [ + { + "name": "Test (7610/24750) [3860/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23502" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23503", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.770Z", + "datePublished": "2022-12-14T07:51:03.984Z", + "dateUpdated": "2024-06-03T15:00:10.092Z" + }, + "containers": { + "cna": { + "title": "TYPO3 vulnerable to Arbitrary Code Execution via Form Framework", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-94", + "lang": "en", + "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-c5wx-6c2c-f7rm", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-c5wx-6c2c-f7rm" + } + ], + "affected": [ + { + "vendor": "TYPO3", + "product": "typo3", + "versions": [ + { + "version": ">= 8.0.0, < 8.7.49", + "status": "affected" + }, + { + "version": ">= 9.0.0, < 9.5.38", + "status": "affected" + }, + { + "version": ">= 10.0.0, < 10.4.33", + "status": "affected" + }, + { + "version": ">= 11.0.0, < 11.5.20", + "status": "affected" + }, + { + "version": ">= 12.0.0, < 12.1.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T07:51:03.984Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item and a valid backend user account with access to the form module are needed to exploit this vulnerability. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1." + } + ], + "source": { + "advisory": "GHSA-c5wx-6c2c-f7rm", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:10.092Z" + }, + "references": [ + { + "name": "Test (7611/24750) [3861/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23503" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23504", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.772Z", + "datePublished": "2022-12-14T07:58:05.232Z", + "dateUpdated": "2024-06-03T15:00:10.458Z" + }, + "containers": { + "cna": { + "title": "TYPO3 contains Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-200", + "lang": "en", + "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-917", + "lang": "en", + "description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.7, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-8w3p-qh3x-6gjr", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-8w3p-qh3x-6gjr" + } + ], + "affected": [ + { + "vendor": "TYPO3", + "product": "typo3", + "versions": [ + { + "version": ">= 9.0.0, < 9.5.38", + "status": "affected" + }, + { + "version": ">= 10.0.0, < 10.4.33", + "status": "affected" + }, + { + "version": ">= 11.0.0, < 11.5.20", + "status": "affected" + }, + { + "version": ">= 12.0.0, < 12.1.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T07:58:05.232Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. This issue has been patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1." + } + ], + "source": { + "advisory": "GHSA-8w3p-qh3x-6gjr", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:10.458Z" + }, + "references": [ + { + "name": "Test (7612/24750) [3862/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23504" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23505", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.773Z", + "datePublished": "2022-12-13T07:04:23.487Z", + "dateUpdated": "2024-06-03T15:00:10.775Z" + }, + "containers": { + "cna": { + "title": "Passport-wsfed-saml2 vulnerable to Authentication Bypass for WSFed authentication", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-287", + "lang": "en", + "description": "CWE-287: Improper Authentication", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-ppjq-qxhx-m25f", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-ppjq-qxhx-m25f" + } + ], + "affected": [ + { + "vendor": "auth0", + "product": "passport-wsfed-saml2", + "versions": [ + { + "version": "< 4.6.3", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-13T07:04:23.487Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. This issue is patched in version 4.6.3. Use of SAML2 authentication instead of WSFed is a workaround." + } + ], + "source": { + "advisory": "GHSA-ppjq-qxhx-m25f", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:10.775Z" + }, + "references": [ + { + "name": "Test (7613/24750) [3863/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23505" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23506", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.773Z", + "datePublished": "2023-01-03T20:04:25.392Z", + "dateUpdated": "2024-06-03T15:00:11.111Z" + }, + "containers": { + "cna": { + "title": "Spinnaker's Rosco microservice vulnerable to improper log masking on AWS Packer builds", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-532", + "lang": "en", + "description": "CWE-532: Insertion of Sensitive Information into Log File", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-2233-cqj8-j2q5", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-2233-cqj8-j2q5" + }, + { + "name": "https://github.com/spinnaker/rosco/commit/e80cfaa1abfb3a0e9026d45d6027291bfb815daf", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/spinnaker/rosco/commit/e80cfaa1abfb3a0e9026d45d6027291bfb815daf" + } + ], + "affected": [ + { + "vendor": "spinnaker", + "product": "spinnaker", + "versions": [ + { + "version": "< 1.27.3", + "status": "affected" + }, + { + "version": ">= 1.28.0, < 1.28.4", + "status": "affected" + }, + { + "version": ">= 1.29.0, < 1.29.2", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-01-03T20:04:25.392Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Spinnaker is an open source, multi-cloud continuous delivery platform for releasing software changes, and Spinnaker's Rosco microservice produces machine images. Rosco prior to versions 1.29.2, 1.28.4, and 1.27.3 does not property mask secrets generated via packer builds. This can lead to exposure of sensitive AWS credentials in packer log files. Versions 1.29.2, 1.28.4, and 1.27.3 of Rosco contain fixes for this issue.\n\nA workaround is available. It's recommended to use short lived credentials via role assumption and IAM profiles. Additionally, credentials can be set in `/home/spinnaker/.aws/credentials` and `/home/spinnaker/.aws/config` as a volume mount for Rosco pods vs. setting credentials in roscos bake config properties. Last even with those it's recommend to use IAM Roles vs. long lived credentials. This drastically mitigates the risk of credentials exposure. If users have used static credentials, it's recommended to purge any bake logs for AWS, evaluate whether AWS_ACCESS_KEY, SECRET_KEY and/or other sensitive data has been introduced in log files and bake job logs. Then, rotate these credentials and evaluate potential improper use of those credentials." + } + ], + "source": { + "advisory": "GHSA-2233-cqj8-j2q5", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:11.111Z" + }, + "references": [ + { + "name": "Test (7614/24750) [3864/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23506" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23507", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.774Z", + "datePublished": "2022-12-15T00:01:04.540Z", + "dateUpdated": "2024-06-03T15:00:11.476Z" + }, + "containers": { + "cna": { + "title": "Light client verification not taking into account chain ID", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-347", + "lang": "en", + "description": "CWE-347: Improper Verification of Cryptographic Signature", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/informalsystems/tendermint-rs/security/advisories/GHSA-xqqc-c5gw-c5r5", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/informalsystems/tendermint-rs/security/advisories/GHSA-xqqc-c5gw-c5r5" + } + ], + "affected": [ + { + "vendor": "informalsystems", + "product": "tendermint-rs", + "versions": [ + { + "version": "0.28.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-15T00:01:04.540Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Tendermint is a high-performance blockchain consensus engine for Byzantine fault tolerant applications. Versions prior to 0.28.0 contain a potential attack via Improper Verification of Cryptographic Signature, affecting anyone using the tendermint-light-client and related packages to perform light client verification (e.g. IBC-rs, Hermes). The light client does not check that the chain IDs of the trusted and untrusted headers match, resulting in a possible attack vector where someone who finds a header from an untrusted chain that satisfies all other verification conditions (e.g. enough overlapping validator signatures) could fool a light client. The attack vector is currently theoretical, and no proof-of-concept exists yet to exploit it on live networks. This issue is patched in version 0.28.0. There are no workarounds." + } + ], + "source": { + "advisory": "GHSA-xqqc-c5gw-c5r5", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:11.476Z" + }, + "references": [ + { + "name": "Test (7615/24750) [3865/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23507" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23508", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.774Z", + "datePublished": "2023-01-09T12:56:01.495Z", + "dateUpdated": "2024-06-03T15:00:11.799Z" + }, + "containers": { + "cna": { + "title": "GitOps Run allows for Kubernetes workload injection", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-284", + "lang": "en", + "description": "CWE-284: Improper Access Control", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-538", + "lang": "en", + "description": "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-552", + "lang": "en", + "description": "CWE-552: Files or Directories Accessible to External Parties", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.9, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-wr3c-g326-486c", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-wr3c-g326-486c" + }, + { + "name": "https://github.com/weaveworks/weave-gitops/pull/3102/commits/966823bbda8c539a4661e2a4f8607c9307ba6225", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/weaveworks/weave-gitops/pull/3102/commits/966823bbda8c539a4661e2a4f8607c9307ba6225" + }, + { + "name": "https://github.com/weaveworks/weave-gitops/pull/3114/commits/75268c4d2c8f7e4db22c63d76b451ba6545d117f", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/weaveworks/weave-gitops/pull/3114/commits/75268c4d2c8f7e4db22c63d76b451ba6545d117f" + } + ], + "affected": [ + { + "vendor": "weaveworks", + "product": "weave-gitops", + "versions": [ + { + "version": "<= 0.11.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-01-09T12:56:01.495Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster's resources. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. Its endpoint had no security controls to block unauthorized access, therefore allowing local users (and processes) on the same machine to see and alter the bucket content. By leveraging this vulnerability, an attacker could pick a workload of their choosing and inject it into the S3 bucket, which resulted in the successful deployment in the target cluster, without the need to provide any credentials to either the S3 bucket nor the target Kubernetes cluster. There are no known workarounds for this issue, please upgrade. This vulnerability has been fixed by commits 75268c4 and 966823b. Users should upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022.\n\n### Workarounds\nThere is no workaround for this vulnerability.\n\n### References\nDisclosed by Paulo Gomes, Senior Software Engineer, Weaveworks.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Weave GitOps repository](https://github.com/weaveworks/weave-gitops)\n- Email us at [support@weave.works](mailto:support@weave.works)\n" + } + ], + "source": { + "advisory": "GHSA-wr3c-g326-486c", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:11.799Z" + }, + "references": [ + { + "name": "Test (7616/24750) [3866/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23508" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23509", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.775Z", + "datePublished": "2023-01-09T13:01:08.474Z", + "dateUpdated": "2024-06-03T15:00:12.181Z" + }, + "containers": { + "cna": { + "title": "Weave Gitops Run vulnerable to insecure communication", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-200", + "lang": "en", + "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.4, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-89qm-wcmw-3mgg", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/weaveworks/weave-gitops/security/advisories/GHSA-89qm-wcmw-3mgg" + }, + { + "name": "https://github.com/weaveworks/weave-gitops/pull/3098/commits/babd91574b99b310b84aeec9f8f895bd18acb967", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/weaveworks/weave-gitops/pull/3098/commits/babd91574b99b310b84aeec9f8f895bd18acb967" + }, + { + "name": "https://github.com/weaveworks/weave-gitops/pull/3106/commits/ce2bbff0a3609c33396050ed544a5a21f8d0797f", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/weaveworks/weave-gitops/pull/3106/commits/ce2bbff0a3609c33396050ed544a5a21f8d0797f" + } + ], + "affected": [ + { + "vendor": "weaveworks", + "product": "weave-gitops", + "versions": [ + { + "version": "<= 0.11.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-01-09T13:01:08.474Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local S3 bucket is not encrypted. This allows privileged users or process to tap the local traffic to gain information permitting access to the s3 bucket. From that point, it would be possible to alter the bucket content, resulting in changes in the Kubernetes cluster's resources. There are no known workaround(s) for this vulnerability. This vulnerability has been fixed by commits ce2bbff and babd915. Users should upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022.\n" + } + ], + "source": { + "advisory": "GHSA-89qm-wcmw-3mgg", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:12.181Z" + }, + "references": [ + { + "name": "Test (7617/24750) [3867/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23509" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23510", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.775Z", + "datePublished": "2022-12-09T22:12:10.191Z", + "dateUpdated": "2024-06-03T15:00:12.600Z" + }, + "containers": { + "cna": { + "title": "SQl injection in cube-js", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-89", + "lang": "en", + "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 9.6, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/cube-js/cube.js/security/advisories/GHSA-6jqm-3c9g-pch7", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/cube-js/cube.js/security/advisories/GHSA-6jqm-3c9g-pch7" + }, + { + "name": "https://github.com/cube-js/cube.js/commit/3c614674fed6ca17df08bbba8c835ef110167570", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/cube-js/cube.js/commit/3c614674fed6ca17df08bbba8c835ef110167570" + }, + { + "name": "https://github.com/cube-js/cube.js/commit/f1140de508e359970ac82b50bae1c4bf152f6041", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/cube-js/cube.js/commit/f1140de508e359970ac82b50bae1c4bf152f6041" + } + ], + "affected": [ + { + "vendor": "cube-js", + "product": "cube.js", + "versions": [ + { + "version": "= 0.31.23", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-09T22:12:10.191Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "cube-js is a headless business intelligence platform. In version 0.31.23 all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. This issue has been resolved in version 0.31.24. Users are advised to either upgrade to 0.31.24 or to downgrade to 0.31.22. There are no known workarounds for this vulnerability." + } + ], + "source": { + "advisory": "GHSA-6jqm-3c9g-pch7", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:12.600Z" + }, + "references": [ + { + "name": "Test (7618/24750) [3868/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23510" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "state": "PUBLISHED", + "cveId": "CVE-2022-23511", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "assignerShortName": "GitHub_M", + "dateUpdated": "2024-06-03T15:00:12.908Z", + "dateReserved": "2022-01-19T00:00:00", + "datePublished": "2022-12-12T00:00:00" + }, + "containers": { + "cna": { + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-01-17T00:00:00" + }, + "descriptions": [ + { + "lang": "en", + "value": "A privilege escalation issue exists within the Amazon CloudWatch Agent for Windows, software for collecting metrics and logs from Amazon EC2 instances and on-premises servers, in versions up to and including v1.247354. When users trigger a repair of the Agent, a pop-up window opens with SYSTEM permissions. Users with administrative access to affected hosts may use this to create a new command prompt as NT AUTHORITY\\SYSTEM. To trigger this issue, the third party must be able to access the affected host and elevate their privileges such that they're able to trigger the agent repair process. They must also be able to install the tools required to trigger the issue. This issue does not affect the CloudWatch Agent for macOS or Linux. Agent users should upgrade to version 1.247355 of the CloudWatch Agent to address this issue. There is no recommended work around. Affected users must update the installed version of the CloudWatch Agent to address this issue." + } + ], + "affected": [ + { + "vendor": "aws", + "product": "amazon-cloudwatch-agent", + "versions": [ + { + "version": "< 1.247355", + "status": "affected" + } + ] + } + ], + "references": [ + { + "url": "https://github.com/aws/amazon-cloudwatch-agent/security/advisories/GHSA-j8x2-2m5w-j939" + }, + { + "url": "https://github.com/aws/amazon-cloudwatch-agent/commit/6119858864c317ff26f41f576c169148d1250837#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52" + } + ], + "metrics": [ + { + "cvssV3_1": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L", + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "LOW", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "availabilityImpact": "LOW", + "baseScore": 7.1, + "baseSeverity": "HIGH" + } + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "type": "CWE", + "lang": "en", + "description": "CWE-274: Improper Handling of Insufficient Privileges", + "cweId": "CWE-274" + } + ] + } + ], + "source": { + "advisory": "GHSA-j8x2-2m5w-j939", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:12.908Z" + }, + "references": [ + { + "name": "Test (7619/24750) [3869/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23511" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23512", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.776Z", + "datePublished": "2022-12-14T13:09:36.800Z", + "dateUpdated": "2024-06-03T15:00:13.316Z" + }, + "containers": { + "cna": { + "title": "Metersphere is vulnerable to Path Injection.", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-22", + "lang": "en", + "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.7, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-5mwp-xw7p-5j27", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-5mwp-xw7p-5j27" + } + ], + "affected": [ + { + "vendor": "metersphere", + "product": "metersphere", + "versions": [ + { + "version": "< 2.4.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T13:09:36.800Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "MeterSphere is a one-stop open source continuous testing platform. Versions prior to 2.4.1 are vulnerable to Path Injection in ApiTestCaseService::deleteBodyFiles which takes a user-controlled string id and passes it to ApiTestCaseService, which uses the user-provided value (testId) in new File(BODY_FILE_DIR + \"/\" + testId), being deleted later by file.delete(). By adding some camouflage parameters to the url, an attacker can target files on the server. The vulnerability has been fixed in v2.4.1." + } + ], + "source": { + "advisory": "GHSA-5mwp-xw7p-5j27", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:13.316Z" + }, + "references": [ + { + "name": "Test (7620/24750) [3870/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23512" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23513", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.776Z", + "datePublished": "2022-12-22T23:17:19.812Z", + "dateUpdated": "2024-06-03T15:00:13.665Z" + }, + "containers": { + "cna": { + "title": "Pi-Hole/AdminLTE vulnerable due to improper access control in queryads endpoint", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-284", + "lang": "en", + "description": "CWE-284: Improper Access Control", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497" + }, + { + "name": "https://github.com/pi-hole/AdminLTE/releases/tag/v5.18", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/pi-hole/AdminLTE/releases/tag/v5.18" + }, + { + "url": "http://packetstormsecurity.com/files/174460/AdminLTE-PiHole-Broken-Access-Control.html" + } + ], + "affected": [ + { + "vendor": "pi-hole", + "product": "AdminLTE", + "versions": [ + { + "version": "< 5.17", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-22T23:17:19.812Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path:\n`/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists. \n" + } + ], + "source": { + "advisory": "GHSA-6qh8-6rrj-7497", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:13.665Z" + }, + "references": [ + { + "name": "Test (7621/24750) [3871/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23513" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23514", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.777Z", + "datePublished": "2022-12-14T13:19:25.943Z", + "dateUpdated": "2024-06-03T15:00:14.017Z" + }, + "containers": { + "cna": { + "title": "Inefficient Regular Expression Complexity in Loofah", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-1333", + "lang": "en", + "description": "CWE-1333: Inefficient Regular Expression Complexity", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh" + }, + { + "name": "https://hackerone.com/reports/1684163", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://hackerone.com/reports/1684163" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html" + } + ], + "affected": [ + { + "vendor": "flavorjones", + "product": "loofah", + "versions": [ + { + "version": "< 2.19.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T13:19:25.943Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1." + } + ], + "source": { + "advisory": "GHSA-486f-hjj9-9vhh", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:14.017Z" + }, + "references": [ + { + "name": "Test (7622/24750) [3872/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23514" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23515", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.777Z", + "datePublished": "2022-12-14T13:23:02.054Z", + "dateUpdated": "2024-06-03T15:00:14.386Z" + }, + "containers": { + "cna": { + "title": "Improper neutralization of data URIs may allow XSS in Loofah", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "lang": "en", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx" + }, + { + "name": "https://github.com/flavorjones/loofah/issues/101", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/flavorjones/loofah/issues/101" + }, + { + "name": "https://hackerone.com/reports/1694173", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://hackerone.com/reports/1694173" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html" + } + ], + "affected": [ + { + "vendor": "flavorjones", + "product": "loofah", + "versions": [ + { + "version": ">= 2.1.0, < 2.19.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T13:23:02.054Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1." + } + ], + "source": { + "advisory": "GHSA-228g-948r-83gx", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:14.386Z" + }, + "references": [ + { + "name": "Test (7623/24750) [3873/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23515" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23516", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.778Z", + "datePublished": "2022-12-14T13:26:11.741Z", + "dateUpdated": "2024-06-03T15:00:14.802Z" + }, + "containers": { + "cna": { + "title": "Uncontrolled Recursion in Loofah", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-674", + "lang": "en", + "description": "CWE-674: Uncontrolled Recursion", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html" + } + ], + "affected": [ + { + "vendor": "flavorjones", + "product": "loofah", + "versions": [ + { + "version": ">= 2.2.0, < 2.19.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T13:26:11.741Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized." + } + ], + "source": { + "advisory": "GHSA-3x8r-x6xp-q4vm", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:14.802Z" + }, + "references": [ + { + "name": "Test (7624/24750) [3874/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23516" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23517", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.778Z", + "datePublished": "2022-12-14T16:10:22.304Z", + "dateUpdated": "2024-06-03T15:00:15.108Z" + }, + "containers": { + "cna": { + "title": "Inefficient Regular Expression Complexity in rails-html-sanitizer", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-1333", + "lang": "en", + "description": "CWE-1333: Inefficient Regular Expression Complexity", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w" + }, + { + "name": "https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979" + }, + { + "name": "https://hackerone.com/reports/1684163", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://hackerone.com/reports/1684163" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html" + } + ], + "affected": [ + { + "vendor": "rails", + "product": "rails-html-sanitizer", + "versions": [ + { + "version": "< 1.4.4", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T16:10:22.304Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue has been patched in version 1.4.4." + } + ], + "source": { + "advisory": "GHSA-5x79-w82f-gw8w", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:15.108Z" + }, + "references": [ + { + "name": "Test (7625/24750) [3875/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23517" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23518", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.779Z", + "datePublished": "2022-12-14T16:22:34.460Z", + "dateUpdated": "2024-06-03T15:00:15.495Z" + }, + "containers": { + "cna": { + "title": "Improper neutralization of data URIs allows XSS in rails-html-sanitizer", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "lang": "en", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_0": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.0" + } + } + ], + "references": [ + { + "name": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m" + }, + { + "name": "https://github.com/rails/rails-html-sanitizer/issues/135", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/rails/rails-html-sanitizer/issues/135" + }, + { + "name": "https://hackerone.com/reports/1694173", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://hackerone.com/reports/1694173" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html" + } + ], + "affected": [ + { + "vendor": "rails", + "product": "rails-html-sanitizer", + "versions": [ + { + "version": ">= 1.0.3, < 1.4.4", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T16:22:34.460Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4." + } + ], + "source": { + "advisory": "GHSA-mcvf-2q2m-x72m", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:15.495Z" + }, + "references": [ + { + "name": "Test (7626/24750) [3876/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23518" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23519", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.779Z", + "datePublished": "2022-12-14T16:50:14.949Z", + "dateUpdated": "2024-06-03T15:00:15.822Z" + }, + "containers": { + "cna": { + "title": "Possible XSS vulnerability with certain configurations of rails-html-sanitizer", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "lang": "en", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.2, + "baseSeverity": "HIGH", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h" + }, + { + "name": "https://hackerone.com/reports/1656627", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://hackerone.com/reports/1656627" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html" + } + ], + "affected": [ + { + "vendor": "rails", + "product": "rails-html-sanitizer", + "versions": [ + { + "version": "< 1.4.4", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T16:50:14.949Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: allow both \"math\" and \"style\" elements, or allow both \"svg\" and \"style\" elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version 1.4.4. All users overriding the allowed tags to include \"math\" or \"svg\" and \"style\" should either upgrade or use the following workaround immediately: Remove \"style\" from the overridden allowed tags, or remove \"math\" and \"svg\" from the overridden allowed tags.\n" + } + ], + "source": { + "advisory": "GHSA-9h9g-93gc-623h", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:15.822Z" + }, + "references": [ + { + "name": "Test (7627/24750) [3877/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23519" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23520", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.780Z", + "datePublished": "2022-12-14T17:07:31.954Z", + "dateUpdated": "2024-06-03T15:00:16.153Z" + }, + "containers": { + "cna": { + "title": "rails-html-sanitizer contains an incomplete fix for an XSS vulnerability", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-79", + "lang": "en", + "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8" + }, + { + "name": "https://hackerone.com/reports/1654310", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://hackerone.com/reports/1654310" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html" + } + ], + "affected": [ + { + "vendor": "rails", + "product": "rails-html-sanitizer", + "versions": [ + { + "version": "< 1.4.4", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T17:07:31.954Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both \"select\" and \"style\" elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version 1.4.4. All users overriding the allowed tags to include both \"select\" and \"style\" should either upgrade or use this workaround: Remove either \"select\" or \"style\" from the overridden allowed tags. NOTE: Code is _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize.\n" + } + ], + "source": { + "advisory": "GHSA-rrfc-7g8p-99q8", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:16.153Z" + }, + "references": [ + { + "name": "Test (7628/24750) [3878/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23520" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23521", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.781Z", + "datePublished": "2023-01-17T22:17:17.765Z", + "dateUpdated": "2024-06-03T15:00:16.489Z" + }, + "containers": { + "cna": { + "title": "gitattributes parsing integer overflow in git", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-190", + "lang": "en", + "description": "CWE-190: Integer Overflow or Wraparound", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89" + }, + { + "name": "https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76" + }, + { + "url": "https://security.gentoo.org/glsa/202312-15" + } + ], + "affected": [ + { + "vendor": "git", + "product": "git", + "versions": [ + { + "version": "< 2.30.7", + "status": "affected" + }, + { + "version": ">= 2.31.0, < 2.31.6", + "status": "affected" + }, + { + "version": ">= 2.32.0, < 2.32.5", + "status": "affected" + }, + { + "version": ">= 2.33.0, < 2.33.6", + "status": "affected" + }, + { + "version": ">= 2.34.0, < 2.34.6", + "status": "affected" + }, + { + "version": ">= 2.35.0, < 2.35.6", + "status": "affected" + }, + { + "version": ">= 2.36.0, < 2.36.4", + "status": "affected" + }, + { + "version": ">= 2.37.0, < 2.37.5", + "status": "affected" + }, + { + "version": ">= 2.38.0, < 2.38.3", + "status": "affected" + }, + { + "version": "= 2.39.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-01-17T22:17:17.765Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue." + } + ], + "source": { + "advisory": "GHSA-c738-c5qq-xg89", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:16.489Z" + }, + "references": [ + { + "name": "Test (7629/24750) [3879/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23521" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23522", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.782Z", + "datePublished": "2023-03-30T18:04:56.599Z", + "dateUpdated": "2024-06-03T15:00:16.798Z" + }, + "containers": { + "cna": { + "title": "Arbitrary File Write when Extracting Tarballs retrieved from a remote location using in mindsdb", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-22", + "lang": "en", + "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-7x45-phmr-9wqp", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/mindsdb/mindsdb/security/advisories/GHSA-7x45-phmr-9wqp" + } + ], + "affected": [ + { + "vendor": "mindsdb", + "product": "mindsdb", + "versions": [ + { + "version": "< 22.11.4.3", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-03-30T18:04:56.599Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "MindsDB is an open source machine learning platform. An unsafe extraction is being performed using `shutil.unpack_archive()` from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a **TarSlip** or a **ZipSlip variant**. Unpacking files using the high-level function `shutil.unpack_archive()` from a potentially malicious tarball without validating that the destination file path remained within the intended destination directory may cause files to be overwritten outside the destination directory. An attacker could craft a malicious tarball with a filename path, such as `../../../../../../../../etc/passwd`, and then serve the archive remotely using a personal bucket `s3`, thus, retrieve the tarball through **mindsdb** and overwrite the system files of the hosting server. This issue has been addressed in version 22.11.4.3. Users are advised to upgrade. Users unable to upgrade should avoid ingesting archives from untrusted sources." + } + ], + "source": { + "advisory": "GHSA-7x45-phmr-9wqp", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:16.798Z" + }, + "references": [ + { + "name": "Test (7630/24750) [3880/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23522" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23523", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.782Z", + "datePublished": "2022-12-13T07:41:47.047Z", + "dateUpdated": "2024-06-03T15:00:17.172Z" + }, + "containers": { + "cna": { + "title": "rust-vmm linux-loader vulnerable to Out-of-bounds Read", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-125", + "lang": "en", + "description": "CWE-125: Out-of-bounds Read", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-119", + "lang": "en", + "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/rust-vmm/linux-loader/security/advisories/GHSA-52h2-m2cf-9jh6", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/rust-vmm/linux-loader/security/advisories/GHSA-52h2-m2cf-9jh6" + }, + { + "name": "https://github.com/rust-vmm/linux-loader/pull/125", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/rust-vmm/linux-loader/pull/125" + } + ], + "affected": [ + { + "vendor": "rust-vmm", + "product": "linux-loader", + "versions": [ + { + "version": "< 0.8.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-13T07:41:47.047Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "In versions prior to 0.8.1, the linux-loader crate uses the offsets and sizes provided in the ELF headers to determine the offsets to read from. If those offsets point beyond the end of the file this could lead to Virtual Machine Monitors using the `linux-loader` crate entering an infinite loop if the ELF header of the kernel they are loading was modified in a malicious manner. This issue has been addressed in 0.8.1. The issue can be mitigated by ensuring that only trusted kernel images are loaded or by verifying that the headers do not point beyond the end of the file." + } + ], + "source": { + "advisory": "GHSA-52h2-m2cf-9jh6", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:17.172Z" + }, + "references": [ + { + "name": "Test (7631/24750) [3881/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23523" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23524", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.783Z", + "datePublished": "2022-12-15T00:28:34.540Z", + "dateUpdated": "2024-06-03T15:00:17.483Z" + }, + "containers": { + "cna": { + "title": "Helm vulnerable to Denial of service through string value parsing", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-400", + "lang": "en", + "description": "CWE-400: Uncontrolled Resource Consumption", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/helm/helm/security/advisories/GHSA-6rx9-889q-vv2r", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/helm/helm/security/advisories/GHSA-6rx9-889q-vv2r" + } + ], + "affected": [ + { + "vendor": "helm", + "product": "helm", + "versions": [ + { + "version": "< v3.10.3", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-15T00:28:34.540Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions." + } + ], + "source": { + "advisory": "GHSA-6rx9-889q-vv2r", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:17.483Z" + }, + "references": [ + { + "name": "Test (7632/24750) [3882/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23524" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23525", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.783Z", + "datePublished": "2022-12-15T00:38:09.873Z", + "dateUpdated": "2024-06-03T15:00:17.811Z" + }, + "containers": { + "cna": { + "title": "Helm vulnerable to Denial of service via NULL Pointer Dereference", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-476", + "lang": "en", + "description": "CWE-476: NULL Pointer Dereference", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/helm/helm/security/advisories/GHSA-53c4-hhmh-vw5q", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/helm/helm/security/advisories/GHSA-53c4-hhmh-vw5q" + }, + { + "name": "https://github.com/helm/helm/commit/638ebffbc2e445156f3978f02fd83d9af1e56f5b", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/helm/helm/commit/638ebffbc2e445156f3978f02fd83d9af1e56f5b" + } + ], + "affected": [ + { + "vendor": "helm", + "product": "helm", + "versions": [ + { + "version": "< v3.10.3", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-15T00:38:09.873Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the _repo_ functions." + } + ], + "source": { + "advisory": "GHSA-53c4-hhmh-vw5q", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:17.811Z" + }, + "references": [ + { + "name": "Test (7633/24750) [3883/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23525" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23526", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.784Z", + "datePublished": "2022-12-15T00:43:40.383Z", + "dateUpdated": "2024-06-03T15:00:18.189Z" + }, + "containers": { + "cna": { + "title": "Helm contains Denial of service through schema file", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-476", + "lang": "en", + "description": "CWE-476: NULL Pointer Dereference", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/helm/helm/security/advisories/GHSA-67fx-wx78-jx33", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/helm/helm/security/advisories/GHSA-67fx-wx78-jx33" + }, + { + "name": "https://github.com/helm/helm/commit/bafafa8bb1b571b61d7a9528da8d40c307dade3d", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/helm/helm/commit/bafafa8bb1b571b61d7a9528da8d40c307dade3d" + } + ], + "affected": [ + { + "vendor": "helm", + "product": "helm", + "versions": [ + { + "version": "< v3.10.3", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-15T00:43:40.383Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the_chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the _chartutil_ functions." + } + ], + "source": { + "advisory": "GHSA-67fx-wx78-jx33", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:18.189Z" + }, + "references": [ + { + "name": "Test (7634/24750) [3884/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23526" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23527", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.784Z", + "datePublished": "2022-12-14T17:22:30.105Z", + "dateUpdated": "2024-06-03T15:00:18.524Z" + }, + "containers": { + "cna": { + "title": "Open Redirect in oidc_validate_redirect_url() ", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-601", + "lang": "en", + "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.7, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53" + }, + { + "name": "https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.12.1/auth_openidc.conf#L975-L984", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.12.1/auth_openidc.conf#L975-L984" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00020.html" + } + ], + "affected": [ + { + "vendor": "zmartzone", + "product": "mod_auth_openidc", + "versions": [ + { + "version": "< 2.4.12.2", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-14T17:22:30.105Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed." + } + ], + "source": { + "advisory": "GHSA-q6f2-285m-gr53", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:18.524Z" + }, + "references": [ + { + "name": "Test (7635/24750) [3885/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23527" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23530", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.786Z", + "datePublished": "2022-12-16T22:56:33.204Z", + "dateUpdated": "2024-06-03T15:00:19.404Z" + }, + "containers": { + "cna": { + "title": "GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-22", + "lang": "en", + "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v" + }, + { + "name": "https://github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c" + }, + { + "name": "https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158" + } + ], + "affected": [ + { + "vendor": "DataDog", + "product": "guarddog", + "versions": [ + { + "version": "< 0.1.8", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-16T22:56:33.204Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths." + } + ], + "source": { + "advisory": "GHSA-78m5-jpmf-ch7v", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:19.404Z" + }, + "references": [ + { + "name": "Test (7637/24750) [3887/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23530" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23531", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", + "dateReserved": "2022-01-19T21:23:53.786Z", + "datePublished": "2022-12-16T23:41:15.078Z", + "dateUpdated": "2024-06-03T15:00:19.737Z" + }, + "containers": { + "cna": { + "title": "Arbitrary file write when scanning a specially-crafted local PyPI package", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-23", + "lang": "en", + "description": "CWE-23: Relative Path Traversal", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq" + }, + { + "name": "https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306" + }, + { + "name": "https://github.com/DataDog/guarddog/releases/tag/v0.1.5", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/DataDog/guarddog/releases/tag/v0.1.5" + } + ], + "affected": [ + { + "vendor": "DataDog", + "product": "guarddog", + "versions": [ + { + "version": "< 0.1.5", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-16T23:41:15.078Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5." + } + ], + "source": { + "advisory": "GHSA-rp2v-v467-q9vq", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:19.737Z" + }, + "references": [ + { + "name": "Test (7638/24750) [3888/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23531" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23532", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.787Z", + "datePublished": "2023-01-14T00:29:27.365Z", + "dateUpdated": "2024-06-03T15:00:20.063Z" + }, + "containers": { + "cna": { + "title": "neo4j-apoc-procedures is vulnerable to path traversal", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-22", + "lang": "en", + "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 7.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "CHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/security/advisories/GHSA-5v8v-gwmw-qw97", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/security/advisories/GHSA-5v8v-gwmw-qw97" + }, + { + "name": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522" + } + ], + "affected": [ + { + "vendor": "neo4j-contrib", + "product": "neo4j-apoc-procedures", + "versions": [ + { + "version": "< 4.3.0.12", + "status": "affected" + }, + { + "version": ">= 4.4.0.0, < 4.4.0.12", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-01-14T00:29:27.365Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j that provides hundreds of procedures and functions. A path traversal vulnerability found in the apoc.export.* procedures of apoc plugins in Neo4j Graph database. The issue allows a malicious actor to potentially break out of the expected directory. The vulnerability is such that files could only be created but not overwritten. For the vulnerability to be exploited, an attacker would need access to execute an arbitrary query, either by having access to an authenticated Neo4j client, or a Cypher injection vulnerability in an application. The minimum versions containing patch for this vulnerability are 4.4.0.12 and 4.3.0.12 and 5.3.1. As a workaround, you can control the allowlist of the procedures that can be used in your system, and/or turn off local file access by setting apoc.export.file.enabled=false." + } + ], + "source": { + "advisory": "GHSA-5v8v-gwmw-qw97", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:20.063Z" + }, + "references": [ + { + "name": "Test (7639/24750) [3889/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23532" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23535", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.793Z", + "datePublished": "2023-02-24T22:40:06.444Z", + "dateUpdated": "2024-06-03T15:00:20.475Z" + }, + "containers": { + "cna": { + "title": "LiteDB contains Deserialization of Untrusted Data", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-502", + "lang": "en", + "description": "CWE-502: Deserialization of Untrusted Data", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 7.3, + "baseSeverity": "HIGH", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/mbdavid/LiteDB/security/advisories/GHSA-3x49-g6rc-c284" + }, + { + "name": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/mbdavid/LiteDB/commit/4382ff4dd0dd8b8b16a4e37dfd29727c5f70f93f" + } + ], + "affected": [ + { + "vendor": "mbdavid", + "product": "LiteDB", + "versions": [ + { + "version": "< 5.0.13", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-02-24T22:40:06.444Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When instances of an object are not the same of class, `BsonMapper` use a special field `_type` string info with full class name with assembly to be loaded and fit into your model. If your end-user can send to your app a plain JSON string, deserialization can load an unsafe object to fit into your model. This issue is patched in version 5.0.13 with some basic fixes to avoid this, but is not 100% guaranteed when using `Object` type. The next major version will contain an allow-list to select what kind of Assembly can be loaded. Workarounds are detailed in the vendor advisory." + } + ], + "source": { + "advisory": "GHSA-3x49-g6rc-c284", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:20.475Z" + }, + "references": [ + { + "name": "Test (7640/24750) [3890/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23535" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23536", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.793Z", + "datePublished": "2022-12-19T21:10:21.977Z", + "dateUpdated": "2024-06-03T15:00:20.827Z" + }, + "containers": { + "cna": { + "title": "Alertmanager can expose local files content via specially crafted config", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-73", + "lang": "en", + "description": "CWE-73: External Control of File Name or Path", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-184", + "lang": "en", + "description": "CWE-184: Incomplete List of Disallowed Inputs", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-641", + "lang": "en", + "description": "CWE-641: Improper Restriction of Names for Files and Other Resources", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j" + }, + { + "name": "https://cortexmetrics.io/docs/api/#set-alertmanager-configuration", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://cortexmetrics.io/docs/api/#set-alertmanager-configuration" + }, + { + "name": "https://github.com/cortexproject/cortex/releases/tag/v1.13.2", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/cortexproject/cortex/releases/tag/v1.13.2" + }, + { + "name": "https://github.com/cortexproject/cortex/releases/tag/v1.14.1", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/cortexproject/cortex/releases/tag/v1.14.1" + } + ], + "affected": [ + { + "vendor": "cortexproject", + "product": "cortex", + "versions": [ + { + "version": ">= 1.13.0, <= 1.13.1", + "status": "affected" + }, + { + "version": "= 1.14.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-19T21:10:21.977Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API.\n" + } + ], + "source": { + "advisory": "GHSA-cq2g-pw6q-hf7j", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:20.827Z" + }, + "references": [ + { + "name": "Test (7641/24750) [3891/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23536" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23537", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.794Z", + "datePublished": "2022-12-20T18:50:45.398Z", + "dateUpdated": "2024-06-03T15:00:21.289Z" + }, + "containers": { + "cna": { + "title": "PJSIP vulnerable to heap buffer overflow when decoding STUN message", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-122", + "lang": "en", + "description": "CWE-122: Heap-based Buffer Overflow", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w" + }, + { + "name": "https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html" + } + ], + "affected": [ + { + "vendor": "pjsip", + "product": "pjproject", + "versions": [ + { + "version": "<= 2.13", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-20T18:50:45.398Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1)." + } + ], + "source": { + "advisory": "GHSA-9pfh-r8x4-w26w", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:21.289Z" + }, + "references": [ + { + "name": "Test (7642/24750) [3892/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23537" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23538", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.794Z", + "datePublished": "2023-01-17T20:06:25.244Z", + "dateUpdated": "2024-06-03T15:00:21.712Z" + }, + "containers": { + "cna": { + "title": "User credentials leaked to third-party service via HTTP redirect in scs-library-client", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-522", + "lang": "en", + "description": "CWE-522: Insufficiently Protected Credentials", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.2, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7" + }, + { + "name": "https://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa" + }, + { + "name": "https://github.com/sylabs/scs-library-client/commit/b5db2aacba6bf1231f42dd475cc32e6355ab47b2", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/sylabs/scs-library-client/commit/b5db2aacba6bf1231f42dd475cc32e6355ab47b2" + }, + { + "name": "https://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c" + } + ], + "affected": [ + { + "vendor": "sylabs", + "product": "scs-library-client", + "versions": [ + { + "version": "< 1.34", + "status": "affected" + }, + { + "version": ">= 1.4.0, < 1.4.2", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2023-01-17T20:06:25.244Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. The vulnerable multi-part concurrent download flow, with redirect to S3, is only used when communicating with a Singularity Enterprise 1.x installation, or third party server implementing this flow. Interaction with Singularity Enterprise 2.x, and Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. We encourage all users to update. Users who interact with a Singularity Enterprise 1.x installation, using a 3rd party S3 storage service, are advised to revoke and recreate their authentication tokens within Singularity Enterprise. There is no workaround available at this time." + } + ], + "source": { + "advisory": "GHSA-7p8m-22h4-9pj7", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:21.712Z" + }, + "references": [ + { + "name": "Test (7643/24750) [3893/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23538" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23539", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.795Z", + "datePublished": "2022-12-22T23:20:47.855Z", + "dateUpdated": "2024-06-03T15:00:22.111Z" + }, + "containers": { + "cna": { + "title": "jsonwebtoken unrestricted key type could lead to legacy keys usage ", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-327", + "lang": "en", + "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.9, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33" + }, + { + "name": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3" + } + ], + "affected": [ + { + "vendor": "auth0", + "product": "node-jsonwebtoken", + "versions": [ + { + "version": "<= 8.5.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-22T23:20:47.855Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions." + } + ], + "source": { + "advisory": "GHSA-8cf7-32gw-wr33", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:22.111Z" + }, + "references": [ + { + "name": "Test (7644/24750) [3894/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23539" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23540", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.795Z", + "datePublished": "2022-12-22T18:02:24.770Z", + "dateUpdated": "2024-06-03T15:00:22.491Z" + }, + "containers": { + "cna": { + "title": "jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-287", + "lang": "en", + "description": "CWE-287: Improper Authentication", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 6.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6" + }, + { + "name": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3" + } + ], + "affected": [ + { + "vendor": "auth0", + "product": "node-jsonwebtoken", + "versions": [ + { + "version": "<= 8.5.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-22T18:02:24.770Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n" + } + ], + "source": { + "advisory": "GHSA-qwph-4952-7xr6", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:22.491Z" + }, + "references": [ + { + "name": "Test (7645/24750) [3895/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23540" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23541", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.796Z", + "datePublished": "2022-12-22T17:52:22.173Z", + "dateUpdated": "2024-06-03T15:00:22.907Z" + }, + "containers": { + "cna": { + "title": "jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-287", + "lang": "en", + "description": "CWE-287: Improper Authentication", + "type": "CWE" + } + ] + }, + { + "descriptions": [ + { + "cweId": "CWE-1259", + "lang": "en", + "description": "CWE-1259: Improper Restriction of Security Token Assignment", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959" + }, + { + "name": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3" + }, + { + "name": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0" + } + ], + "affected": [ + { + "vendor": "auth0", + "product": "node-jsonwebtoken", + "versions": [ + { + "version": "<= 8.5.1", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-22T17:52:22.173Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0." + } + ], + "source": { + "advisory": "GHSA-hjrf-2m68-5959", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:22.907Z" + }, + "references": [ + { + "name": "Test (7646/24750) [3896/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23541" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23542", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.796Z", + "datePublished": "2022-12-20T20:15:16.628Z", + "dateUpdated": "2024-06-03T15:00:23.248Z" + }, + "containers": { + "cna": { + "title": "OpenFGA Authorization Bypass", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-285", + "lang": "en", + "description": "CWE-285: Improper Authorization", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 7.7, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m" + }, + { + "name": "https://github.com/openfga/openfga/pull/422", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/openfga/openfga/pull/422" + }, + { + "name": "https://github.com/openfga/openfga/releases/tag/v0.3.1", + "tags": [ + "x_refsource_MISC" + ], + "url": "https://github.com/openfga/openfga/releases/tag/v0.3.1" + } + ], + "affected": [ + { + "vendor": "openfga", + "product": "openfga", + "versions": [ + { + "version": "= 0.3.0", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-20T20:15:16.628Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.\n\n" + } + ], + "source": { + "advisory": "GHSA-m3q4-7qmj-657m", + "discovery": "UNKNOWN" + } + }, + "adp": [ + { + "providerMetadata": { + "orgId": "96f1cf3c-f80a-4e0f-a063-99a91e3f1325", + "shortName": "secretariat-reference", + "dateUpdated": "2024-06-03T15:00:23.248Z" + }, + "references": [ + { + "name": "Test (7647/24750) [3897/5000] <2/4>", + "tags": [ + "x_test_run_data", + "x_cve_prog_secretariat_snapshot" + ], + "url": "https://example.org/CVE-2022-23542" + } + ] + } + ] + } + }, + { + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2022-23543", + "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "state": "PUBLISHED", + "assignerShortName": "GitHub_M", + "dateReserved": "2022-01-19T21:23:53.796Z", + "datePublished": "2022-12-19T21:30:09.836Z", + "dateUpdated": "2024-06-03T15:00:23.551Z" + }, + "containers": { + "cna": { + "title": "HTML attributes when attaching a YouTube link to the post", + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-80", + "lang": "en", + "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", + "type": "CWE" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 6.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + } + ], + "references": [ + { + "name": "https://github.com/mesosoi/silverwaregames-io-issue-tracker/security/advisories/GHSA-62r9-4v3r-rw89", + "tags": [ + "x_refsource_CONFIRM" + ], + "url": "https://github.com/mesosoi/silverwaregames-io-issue-tracker/security/advisories/GHSA-62r9-4v3r-rw89" + } + ], + "affected": [ + { + "vendor": "mesosoi", + "product": "silverwaregames-io-issue-tracker", + "versions": [ + { + "version": "< 1.1.34", + "status": "affected" + } + ] + } + ], + "providerMetadata": { + "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", + "shortName": "GitHub_M", + "dateUpdated": "2022-12-19T21:30:09.836Z" + }, + "descriptions": [ + { + "lang": "en", + "value": "Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, the site will generate related `