diff --git a/README.md b/README.md index ab01118..d6cd51b 100644 --- a/README.md +++ b/README.md @@ -99,3 +99,11 @@ Each project has its own README and supporting documents. Included below is a sh - **README:** [Local Scripts README](local-scripts/README.md) - **Short Description:** _TODO_ - Ask @kurtseifried - **Depends on:** _None_ + +### GSD Project Notes + +- **Website:** _N/A_ +- **Location:** `gsd-tools/gsd-project/` +- **README:** [GSD URL Processing README](gsd-project/README.md) +- **Short Description:** Project Plans which contains all the GSD project plans and related material. +- **Depends on:** _None_ diff --git a/gsd-project/.gitignore b/gsd-project/.gitignore new file mode 100644 index 0000000..5d9e924 --- /dev/null +++ b/gsd-project/.gitignore @@ -0,0 +1,6 @@ +# Script generated content +analysis/cve/allitems.csv +analysis/cve/nvdcve-1.1-20*.json + +# Obsidian.md config +.obsidian diff --git a/gsd-project/LICENSE b/gsd-project/LICENSE new file mode 100644 index 0000000..0e259d4 --- /dev/null +++ b/gsd-project/LICENSE @@ -0,0 +1,121 @@ +Creative Commons Legal Code + +CC0 1.0 Universal + + CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE + LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN + ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS + INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES + REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS + PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM + THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED + HEREUNDER. + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator +and subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for +the purpose of contributing to a commons of creative, cultural and +scientific works ("Commons") that the public can reliably and without fear +of later claims of infringement build upon, modify, incorporate in other +works, reuse and redistribute as freely as possible in any form whatsoever +and for any purposes, including without limitation commercial purposes. +These owners may contribute to the Commons to promote the ideal of a free +culture and the further production of creative, cultural and scientific +works, or to gain reputation or greater distribution for their Work in +part through the use and efforts of others. + +For these and/or other purposes and motivations, and without any +expectation of additional consideration or compensation, the person +associating CC0 with a Work (the "Affirmer"), to the extent that he or she +is an owner of Copyright and Related Rights in the Work, voluntarily +elects to apply CC0 to the Work and publicly distribute the Work under its +terms, with knowledge of his or her Copyright and Related Rights in the +Work and the meaning and intended legal effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not +limited to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, + communicate, and translate a Work; + ii. moral rights retained by the original author(s) and/or performer(s); +iii. publicity and privacy rights pertaining to a person's image or + likeness depicted in a Work; + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + v. rights protecting the extraction, dissemination, use and reuse of data + in a Work; + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation + thereof, including any amended or successor version of such + directive); and +vii. other similar, equivalent or corresponding rights throughout the + world based on applicable law or treaty, and any national + implementations thereof. + +2. Waiver. To the greatest extent permitted by, but not in contravention +of, applicable law, Affirmer hereby overtly, fully, permanently, +irrevocably and unconditionally waives, abandons, and surrenders all of +Affirmer's Copyright and Related Rights and associated claims and causes +of action, whether now known or unknown (including existing as well as +future claims and causes of action), in the Work (i) in all territories +worldwide, (ii) for the maximum duration provided by applicable law or +treaty (including future time extensions), (iii) in any current or future +medium and for any number of copies, and (iv) for any purpose whatsoever, +including without limitation commercial, advertising or promotional +purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each +member of the public at large and to the detriment of Affirmer's heirs and +successors, fully intending that such Waiver shall not be subject to +revocation, rescission, cancellation, termination, or any other legal or +equitable action to disrupt the quiet enjoyment of the Work by the public +as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. Should any part of the Waiver for any reason +be judged legally invalid or ineffective under applicable law, then the +Waiver shall be preserved to the maximum extent permitted taking into +account Affirmer's express Statement of Purpose. In addition, to the +extent the Waiver is so judged Affirmer hereby grants to each affected +person a royalty-free, non transferable, non sublicensable, non exclusive, +irrevocable and unconditional license to exercise Affirmer's Copyright and +Related Rights in the Work (i) in all territories worldwide, (ii) for the +maximum duration provided by applicable law or treaty (including future +time extensions), (iii) in any current or future medium and for any number +of copies, and (iv) for any purpose whatsoever, including without +limitation commercial, advertising or promotional purposes (the +"License"). The License shall be deemed effective as of the date CC0 was +applied by Affirmer to the Work. Should any part of the License for any +reason be judged legally invalid or ineffective under applicable law, such +partial invalidity or ineffectiveness shall not invalidate the remainder +of the License, and in such case Affirmer hereby affirms that he or she +will not (i) exercise any of his or her remaining Copyright and Related +Rights in the Work or (ii) assert any associated claims and causes of +action with respect to the Work, in either case contrary to Affirmer's +express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + b. Affirmer offers the Work as-is and makes no representations or + warranties of any kind concerning the Work, express, implied, + statutory or otherwise, including without limitation warranties of + title, merchantability, fitness for a particular purpose, non + infringement, or the absence of latent or other defects, accuracy, or + the present or absence of errors, whether or not discoverable, all to + the greatest extent permissible under applicable law. + c. Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without + limitation any person's Copyright and Related Rights in the Work. + Further, Affirmer disclaims responsibility for obtaining any necessary + consents, permissions or other rights required for any use of the + Work. + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to + this CC0 or use of the Work. diff --git a/gsd-project/README.md b/gsd-project/README.md new file mode 100644 index 0000000..5e35343 --- /dev/null +++ b/gsd-project/README.md @@ -0,0 +1,110 @@ +# Global Security Database Project Plans + +The Global Security Database is a new Working Group project from the Cloud Security Alliance meant to address the gaps in the current vulnerability identifier space. + +The world of vulnerability identifiers has changed drastically in the last 20 years while the infrastructure and management of public and private vulnerability data have changed very little. This has created a sizable gap between the current needs of industry and the ability of existing projects to be effective. + +This is the Global Security Database (GSD) Project Plans which contains all the GSD project plans and related material. For more informaiton please see https://csaurl.org/gsd-quick-links. + +For more information please see https://csaurl.org/gsd-quick-links. + +## Contributing + +See the [Contribution Guide](CONTRIBUTING.md). + +## Resources + +[NIST The Bugs Framework](https://samate.nist.gov/BF/) + +# Table of contents + +*** TODO *** + +## Quick Links + +* Quick links (this section): https://csaurl.org/gsd-quick-links +* Website: https://globalsecuritydatabase.org +* Request a GSD: https://requests.globalsecuritydatabase.org/  +* Edit a GSD entry: https://edit.globalsecuritydatabase.org/ +* WG Landing Page: https://csaurl.org/gsd-landing-page +* Circle Community (Forums): https://csaurl.org/gsd-circle  +* Mailing-list: https://csaurl.org/gsd-mailing-list +* Github: https://csaurl.org/gsd-github +* WG Meeting Agenda: https://csaurl.org/gsd-agenda +* GitHub Repos: https://globalsecuritydatabase.org/repos/ +* Slack: https://csaurl.org/csa-public-slack #gsd-working-group +* Press mentions: https://globalsecuritydatabase.org/press + +## GSD Repos + +There are 2 primary repositories in GitHub. + +### gsd-database + +The gsd-database repo is the actual data for identifiers in the Global Security Database in the form of GSD-YEAR-INTEGER. To maintain easier compatibility with the CVE ecosystem we have decided to reserve numbers below 1 million for CVE data, using the same integer to make matching up entries easy. + +#### Issues + +Please file any data related issues in the gsd-database repo. If you need to file issues against the data format(s) themselves please file an issue in the gsd-project repo. + +### gsd-tools + +The gsd-tools repo is the Global Security Database (GSD) tools repo which contains all the GSD tools. For more informaiton please see https://csaurl.org/gsd-quick-links. + +### Issues + +Please file any tooling related issues in the gsd-tools repo. If you need to file issues against the data format(s) themselves please file an issue in the gsd-project repo. + +# Goals / Vision + +The goal and vision of the Global Security Database is to create a new security identifier ecosystem that complements existings standards and systems, but also allows for future growth and change. IT is constantly changing (TCP-IP, the Web, the Cloud, IoT, Blockchains, etc.) and we need vulnerability and secuerity identifiers that change with it. + +# Project Roadmap + +Currently we are working on standing up basic technology, e.g. these repos, the editing button for current entries, and so on. If you have an item for the roadmap or other ideas please file an issue in gsd-project to make us aware, or bring it up on the mailing list/circle/slack/etc. so it can be captured and discussed. + +# GSD Contacts / communications channels + +* Circle Community (Forums): https://csaurl.org/gsd-circle  +* Mailing-list: https://csaurl.org/gsd-mailing-list +* Slack: https://csaurl.org/csa-public-slack #gsd-working-group + +# Meetings + +## Meeting times and locations + +## Meeting agendas + +## Meeting recordings + +# Governance + +## Charter + +https://cloudsecurityalliance.org/artifacts/global-security-database-working-group-charter/ + +## Roles + +## Process + +## Related groups, activities and events + +### Global Security Vulnerability Summit + +https://events.linuxfoundation.org/open-source-summit-north-america/about/global-security-vulnerability-summit/ + +June 23 – 24 in Austin Texas + +## GSD Project Chairs + +# Licenses + +We use the Creative Commons Legal Code CC0 1.0 Universal for the gsd-database and gsd-project and Apache License Version 2.0, January 2004 for the gsd-tools. + +# Participation + +The GSD uses the Contributor Covenant Code of Conduct CODE_OF_CONDUCT.md *** TODO *** + +## Identity and attribution for participation + +Currently the GSD requires identity/atttribution for participation in GitHub to a GitHub account, this is a technical limitation/feature of the platform. Participation in the public email lists/Twitter/etc. for example does NOT require a GitHub account (or any identity beyond a working email address/Twitter account/etc.). Truly anonymous participation is not explicitly supported, however pseudonymity is supported and welcome. diff --git a/gsd-project/TODO.md b/gsd-project/TODO.md new file mode 100644 index 0000000..ce4cfbf --- /dev/null +++ b/gsd-project/TODO.md @@ -0,0 +1,13 @@ +# GSD Projects + +The gsd-project repo is designed to support the project, meeting times, agendas, minutes, planning, roadmaps, vision, etc. are contained here. +### Todo +- [ ] Update README.md +- [ ] Policy - Policy mostly doesn't exist today. We need to write down a lot of what's happening in the project as well as future goals. This TODO list should probably exist there too. You can find the closest thing to a policy repo here https://github.com/cloudsecurityalliance/gsd-project-plans It's very disorganized and needs organization. +- [ ] GSD needs a logo + +### In progress + +### Completed + +### Cancelled diff --git a/gsd-project/Vulnerability Identifier Landscape.md b/gsd-project/Vulnerability Identifier Landscape.md new file mode 100644 index 0000000..0d94292 --- /dev/null +++ b/gsd-project/Vulnerability Identifier Landscape.md @@ -0,0 +1,19 @@ +# Vulnerability Identifier Landscape + +This list may be incomplete. If there is a project that you feel should be listed but is currently missing, please open a pull request to add it! + +- SBOM Formats + - [CycloneDX](https://cyclonedx.org/) + - [SPDX](https://spdx.dev/) +- Software ID Formats + - [cpe](https://nvd.nist.gov/products/cpe) + - [pURL](https://github.com/package-url/purl-spec) +- Vulnerability Applicability + - [VEX](https://cyclonedx.org/capabilities/vex/) +- Vulnerability ID Formats + - [OSV Schema](https://ossf.github.io/osv-schema/) + - [CSAF](https://oasis-open.github.io/csaf-documentation/) +- Vuln ID Centralization + - [GSD](https://globalsecuritydatabase.org) + - [OSV Database](https://osv.dev) + - [GitHub Advisory Database](https://github.com/github/advisory-database) diff --git a/gsd-project/analysis/cve/CVE-Data-Sources.md b/gsd-project/analysis/cve/CVE-Data-Sources.md new file mode 100644 index 0000000..7f3ba10 --- /dev/null +++ b/gsd-project/analysis/cve/CVE-Data-Sources.md @@ -0,0 +1,36 @@ +# Notes on CVE Data Sources + +Not all CVE Data Sources are equal. + +| Data | MITRE - GitHub (JSON) | MITRE - Download page | NVD - Download page | +| --- | --- | --- | --- | +|URL | https://github.com/cveproject/cvelist | https://cve.mitre.org/data/downloads/index.html | https://nvd.nist.gov/vuln/data-feeds | +|FORMAT|JSON|CSV/HTML/TXT/XML|JSON| +|Example| https://github.com/CVEProject/cvelist/blob/master/2021/44xxx/CVE-2021-44228.json | https://cve.mitre.org/data/downloads/allitems.csv | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.gz | +|ID|YES|YES|YES| +|STATE|YES|In Description|ALWAYS PUBLIC| +|description|YES|YES|YES| +|MACHINE_affects|YES|NO|CPE FORMAT| +|MACHINE_credit|YES|NO|NO| +|MACHINE_impact|YES|NO|YES| +|MACHINE_cvss|YES|NO|YES| +|MACHINE_problemtype|YES|NO|YES| +|MACHINE_references|YES|YES|YES| +|MACHINE_source|YES|NO|NO| +|publishedDate|NO|Assigned|YES| +|lastmodifiedDate|NO|NO|YES| +|ASSIGNER|YES|NO|YES| +|MACHINE_CPE|NO|NO|YES| + +## NVD API + +The NVD API (https://nvd.nist.gov/developers/vulnerabilities) appears to serve identical JSON as is in the JSON downloads. + +# In summary: + +* The MITRE Download page files (CSV/HTML/TXT/XML|JSON) contain far less data than the MITRE GitHub repo and the NVD JSON files. Don't use them. +* MITRE only publishes the "publishedDate" which is whhen the CVE was assigned OR RESERVED, so it can be months in advance of the CVE actually being used +* MITRE's machine readable affected data is usually incomplete, and missing in roughly 25% of entries, NVD has analysts add affected data in CPE format +* The NVD publishedDate and the MITRE Assigned data are often different, it appears sometimes NVD uses the date of the first source becoming public (sometimes years or a decade in advance) + +The best source of CVE data that contains information (e.g. STATE is PUBLIC) is the NVD files/API. If you want to track RESERVED and so on you will want to get the MITRE GitHub JSON data. diff --git a/gsd-project/analysis/cve/cve-by-year-assigner.csv b/gsd-project/analysis/cve/cve-by-year-assigner.csv new file mode 100644 index 0000000..5f9e251 --- /dev/null +++ b/gsd-project/analysis/cve/cve-by-year-assigner.csv @@ -0,0 +1,773 @@ +count,year,assigner +6765,2002,cve@mitre.org +4,2002,secalert@redhat.com +1543,2003,cve@mitre.org +6,2003,secalert@redhat.com +1,2003,security@debian.org +2702,2004,cve@mitre.org +4,2004,secalert@redhat.com +1,2004,security@ubuntu.com +17,2005,cert@cert.org +4320,2005,cve@mitre.org +260,2005,secalert@redhat.com +6,2005,secteam@freebsd.org +49,2005,secure@microsoft.com +112,2005,security@debian.org +50,2006,PSIRT-CNA@flexerasoftware.com +21,2006,cert@cert.org +6604,2006,cve@mitre.org +268,2006,secalert@redhat.com +13,2006,secteam@freebsd.org +129,2006,secure@microsoft.com +54,2006,security@debian.org +1,2006,security@ubuntu.com +55,2007,PSIRT-CNA@flexerasoftware.com +67,2007,cert@cert.org +6081,2007,cve@mitre.org +5,2007,psirt@cisco.com +243,2007,secalert@redhat.com +1,2007,secalert_us@oracle.com +5,2007,secteam@freebsd.org +107,2007,secure@microsoft.com +12,2007,security@ubuntu.com +53,2008,PSIRT-CNA@flexerasoftware.com +36,2008,cert@cert.org +6500,2008,cve@mitre.org +77,2008,psirt@cisco.com +278,2008,secalert@redhat.com +72,2008,secalert_us@oracle.com +4,2008,secteam@freebsd.org +143,2008,secure@microsoft.com +1,2008,security@debian.org +6,2008,security@ubuntu.com +36,2009,PSIRT-CNA@flexerasoftware.com +37,2009,cert@cert.org +4177,2009,cve@mitre.org +20,2009,hp-security-alert@hp.com +31,2009,psirt@adobe.com +81,2009,psirt@cisco.com +1,2009,psirt@us.ibm.com +347,2009,secalert@redhat.com +113,2009,secalert_us@oracle.com +2,2009,secteam@freebsd.org +2,2009,secure@dell.com +169,2009,secure@microsoft.com +6,2009,security@ubuntu.com +1,2009,vultures@jpcert.or.jp +72,2010,PSIRT-CNA@flexerasoftware.com +27,2010,cert@cert.org +3098,2010,cve@mitre.org +112,2010,hp-security-alert@hp.com +1,2010,ics-cert@hq.dhs.gov +273,2010,product-security@apple.com +180,2010,psirt@adobe.com +118,2010,psirt@cisco.com +649,2010,secalert@redhat.com +324,2010,secalert_us@oracle.com +2,2010,secteam@freebsd.org +9,2010,secure@dell.com +267,2010,secure@microsoft.com +1,2010,security@apache.org +1,2010,security@suse.com +24,2010,security@ubuntu.com +32,2010,vultures@jpcert.or.jp +38,2011,PSIRT-CNA@flexerasoftware.com +106,2011,cert@cert.org +4,2011,chrome-cve-admin@google.com +2262,2011,cve@mitre.org +132,2011,hp-security-alert@hp.com +226,2011,product-security@apple.com +175,2011,psirt@adobe.com +160,2011,psirt@cisco.com +6,2011,psirt@us.ibm.com +888,2011,secalert@redhat.com +248,2011,secalert_us@oracle.com +3,2011,secteam@freebsd.org +24,2011,secure@dell.com +218,2011,secure@microsoft.com +1,2011,security@debian.org +234,2011,security@google.com +8,2011,security@suse.com +25,2011,security@ubuntu.com +69,2011,vultures@jpcert.or.jp +25,2012,PSIRT-CNA@flexerasoftware.com +210,2012,cert@cert.org +2354,2012,cve@mitre.org +109,2012,hp-security-alert@hp.com +84,2012,ics-cert@hq.dhs.gov +265,2012,product-security@apple.com +133,2012,psirt@adobe.com +223,2012,psirt@cisco.com +226,2012,psirt@us.ibm.com +1276,2012,secalert@redhat.com +415,2012,secalert_us@oracle.com +42,2012,secure@dell.com +147,2012,secure@microsoft.com +1,2012,secure@symantec.com +2,2012,security@apache.org +32,2012,security@debian.org +170,2012,security@google.com +3,2012,security@suse.com +20,2012,security@ubuntu.com +98,2012,vultures@jpcert.or.jp +111,2013,PSIRT-CNA@flexerasoftware.com +134,2013,cert@cert.org +2302,2013,cve@mitre.org +129,2013,hp-security-alert@hp.com +94,2013,ics-cert@hq.dhs.gov +3,2013,larry0@me.com +174,2013,product-security@apple.com +143,2013,psirt@adobe.com +375,2013,psirt@cisco.com +433,2013,psirt@us.ibm.com +1258,2013,secalert@redhat.com +547,2013,secalert_us@oracle.com +45,2013,secure@dell.com +3,2013,secure@intel.com +321,2013,secure@microsoft.com +30,2013,secure@symantec.com +1,2013,security@android.com +1,2013,security@apache.org +31,2013,security@debian.org +199,2013,security@google.com +162,2013,security@mozilla.org +1,2013,security@suse.com +26,2013,security@ubuntu.com +119,2013,vultures@jpcert.or.jp +1505,2014,cert@cert.org +1,2014,chrome-cve-admin@google.com +5,2014,cve-assignments@hackerone.com +3615,2014,cve@mitre.org +73,2014,hp-security-alert@hp.com +132,2014,ics-cert@hq.dhs.gov +298,2014,product-security@apple.com +132,2014,psirt@adobe.com +364,2014,psirt@cisco.com +18,2014,psirt@huawei.com +450,2014,psirt@us.ibm.com +667,2014,secalert@redhat.com +446,2014,secalert_us@oracle.com +69,2014,secure@dell.com +2,2014,secure@intel.com +347,2014,secure@microsoft.com +31,2014,secure@symantec.com +54,2014,security.cna@qualcomm.com +106,2014,security@android.com +1,2014,security@apache.org +91,2014,security@debian.org +146,2014,security@google.com +126,2014,security@mozilla.org +8,2014,security@suse.com +21,2014,security@ubuntu.com +138,2014,vultures@jpcert.or.jp +234,2015,cert@cert.org +1,2015,chrome-cve-admin@google.com +5,2015,contact@wpscan.com +12,2015,cve-assignments@hackerone.com +3421,2015,cve@mitre.org +68,2015,hp-security-alert@hp.com +147,2015,ics-cert@hq.dhs.gov +2,2015,larry0@me.com +579,2015,product-security@apple.com +488,2015,psirt@adobe.com +495,2015,psirt@cisco.com +5,2015,psirt@huawei.com +404,2015,psirt@us.ibm.com +637,2015,secalert@redhat.com +439,2015,secalert_us@oracle.com +79,2015,secure@dell.com +8,2015,secure@intel.com +527,2015,secure@microsoft.com +38,2015,secure@symantec.com +168,2015,security.cna@qualcomm.com +144,2015,security@android.com +1,2015,security@apache.org +81,2015,security@debian.org +1,2015,security@elastic.co +150,2015,security@google.com +179,2015,security@mozilla.org +31,2015,security@suse.com +4,2015,security@synology.com +33,2015,security@ubuntu.com +1,2015,security@vmware.com +1,2015,vuln@ca.com +178,2015,vultures@jpcert.or.jp +1,2016,PSIRT-CNA@flexerasoftware.com +8,2016,browser-security@yandex-team.ru +256,2016,cert@cert.org +1,2016,chrome-cve-admin@google.com +210,2016,cve-assignments@hackerone.com +3,2016,cve@checkpoint.com +3947,2016,cve@mitre.org +3,2016,cve@rapid7.com +19,2016,f5sirt@f5.com +4,2016,hp-security-alert@hp.com +206,2016,ics-cert@hq.dhs.gov +3,2016,larry0@me.com +2,2016,openssl-security@openssl.org +426,2016,product-security@apple.com +7,2016,productcert@siemens.com +537,2016,psirt@adobe.com +340,2016,psirt@cisco.com +7,2016,psirt@fortinet.com +49,2016,psirt@huawei.com +16,2016,psirt@lenovo.com +40,2016,psirt@nvidia.com +640,2016,psirt@us.ibm.com +640,2016,secalert@redhat.com +704,2016,secalert_us@oracle.com +5,2016,secure@blackberry.com +102,2016,secure@dell.com +30,2016,secure@intel.com +459,2016,secure@microsoft.com +51,2016,secure@symantec.com +43,2016,security-alert@hpe.com +1,2016,security-alert@netapp.com +1,2016,security-officer@isc.org +132,2016,security.cna@qualcomm.com +590,2016,security@android.com +47,2016,security@apache.org +125,2016,security@debian.org +5,2016,security@elastic.co +210,2016,security@google.com +177,2016,security@mozilla.org +3,2016,security@puppet.com +78,2016,security@suse.com +3,2016,security@synology.com +15,2016,security@ubuntu.com +8,2016,security@vmware.com +8,2016,sirt@brocade.com +13,2016,sirt@juniper.net +65,2016,talos-cna@cisco.com +231,2016,vultures@jpcert.or.jp +14,2017,PSIRT-CNA@flexerasoftware.com +3,2017,browser-security@yandex-team.ru +75,2017,cert@cert.org +2,2017,chrome-cve-admin@google.com +12,2017,cna@sap.com +1,2017,contact@wpscan.com +6,2017,cve-assign@distributedweaknessfiling.org +271,2017,cve-assignments@hackerone.com +1,2017,cve-coordination@incibe.es +2,2017,cve-request@iojs.org +7,2017,cve@checkpoint.com +8351,2017,cve@mitre.org +32,2017,cve@rapid7.com +4,2017,cybersecurity@dahuatech.com +25,2017,cybersecurity@schneider-electric.com +45,2017,f5sirt@f5.com +12,2017,hp-security-alert@hp.com +257,2017,ics-cert@hq.dhs.gov +34,2017,larry0@me.com +8,2017,openssl-security@openssl.org +503,2017,product-security@apple.com +36,2017,productcert@siemens.com +358,2017,psirt@adobe.com +455,2017,psirt@cisco.com +42,2017,psirt@fortinet.com +2,2017,psirt@hcl.com +330,2017,psirt@huawei.com +32,2017,psirt@lenovo.com +15,2017,psirt@mcafee.com +98,2017,psirt@nvidia.com +500,2017,psirt@us.ibm.com +8,2017,psirt@zte.com.cn +293,2017,secalert@redhat.com +828,2017,secalert_us@oracle.com +8,2017,secteam@freebsd.org +11,2017,secure@blackberry.com +111,2017,secure@dell.com +63,2017,secure@intel.com +694,2017,secure@microsoft.com +30,2017,secure@symantec.com +181,2017,security-alert@hpe.com +7,2017,security-alert@netapp.com +11,2017,security-officer@isc.org +391,2017,security.cna@qualcomm.com +632,2017,security@android.com +157,2017,security@apache.org +74,2017,security@atlassian.com +65,2017,security@debian.org +17,2017,security@drupal.org +5,2017,security@duo.com +10,2017,security@eclipse.org +24,2017,security@elastic.co +169,2017,security@google.com +3,2017,security@kubernetes.io +191,2017,security@mozilla.org +11,2017,security@puppet.com +22,2017,security@qnap.com +84,2017,security@suse.com +49,2017,security@synology.com +10,2017,security@tibco.com +40,2017,security@trendmicro.com +5,2017,security@ubuntu.com +1,2017,security@vaadin.com +56,2017,security@vmware.com +6,2017,sirt@brocade.com +73,2017,sirt@juniper.net +260,2017,talos-cna@cisco.com +2,2017,vuln@ca.com +3,2017,vulnerabilities@zephyrproject.org +9,2017,vulnerability@kaspersky.com +7,2017,vulnreport@tenable.com +266,2017,vultures@jpcert.or.jp +108,2017,zdi-disclosures@trendmicro.com +25,2018,PSIRT-CNA@flexerasoftware.com +2,2018,PSIRT@sonicwall.com +5,2018,browser-security@yandex-team.ru +31,2018,cert@cert.org +3,2018,chrome-cve-admin@google.com +5,2018,cna@mongodb.com +131,2018,cna@sap.com +1,2018,contact@wpscan.com +19,2018,cve-assign@fb.com +114,2018,cve-assignments@hackerone.com +14,2018,cve-request@iojs.org +1,2018,cve@cert.org.tw +25,2018,cve@checkpoint.com +9043,2018,cve@mitre.org +2,2018,cve@navercorp.com +6,2018,cve@rapid7.com +115,2018,cybersecurity@schneider-electric.com +76,2018,f5sirt@f5.com +6,2018,hp-security-alert@hp.com +2,2018,hsrc@hikvision.com +305,2018,ics-cert@hq.dhs.gov +15,2018,larry0@me.com +6,2018,openssl-security@openssl.org +368,2018,product-security@apple.com +74,2018,productcert@siemens.com +479,2018,psirt@adobe.com +480,2018,psirt@cisco.com +2,2018,psirt@forcepoint.com +30,2018,psirt@fortinet.com +54,2018,psirt@huawei.com +35,2018,psirt@lenovo.com +33,2018,psirt@mcafee.com +27,2018,psirt@nvidia.com +5,2018,psirt@paloaltonetworks.com +509,2018,psirt@us.ibm.com +12,2018,psirt@zte.com.cn +10,2018,report@snyk.io +297,2018,secalert@redhat.com +719,2018,secalert_us@oracle.com +18,2018,secteam@freebsd.org +5,2018,secure@blackberry.com +166,2018,secure@dell.com +143,2018,secure@intel.com +700,2018,secure@microsoft.com +30,2018,secure@symantec.com +60,2018,security-alert@hpe.com +15,2018,security-alert@netapp.com +14,2018,security-officer@isc.org +355,2018,security.cna@qualcomm.com +1,2018,security@360.cn +134,2018,security@android.com +165,2018,security@apache.org +43,2018,security@atlassian.com +22,2018,security@debian.org +3,2018,security@drupal.org +1,2018,security@duo.com +16,2018,security@eclipse.org +20,2018,security@elastic.co +225,2018,security@google.com +6,2018,security@kubernetes.io +165,2018,security@mozilla.org +9,2018,security@odoo.com +16,2018,security@puppet.com +40,2018,security@qnap.com +93,2018,security@suse.com +40,2018,security@synology.com +28,2018,security@tibco.com +63,2018,security@trendmicro.com +11,2018,security@ubuntu.com +1,2018,security@vaadin.com +27,2018,security@vmware.com +8,2018,securityalerts@avaya.com +17,2018,sirt@brocade.com +60,2018,sirt@juniper.net +238,2018,talos-cna@cisco.com +28,2018,vuln@ca.com +10,2018,vuln@krcert.or.kr +1,2018,vulnerability@cspcert.ph +53,2018,vulnerability@kaspersky.com +50,2018,vulnreport@tenable.com +246,2018,vultures@jpcert.or.jp +283,2018,zdi-disclosures@trendmicro.com +3,2019,PSIRT-CNA@flexerasoftware.com +15,2019,PSIRT@sonicwall.com +2,2019,browser-security@yandex-team.ru +6,2019,cert@airbus.com +39,2019,cert@cert.org +43,2019,chrome-cve-admin@google.com +10,2019,cna@mongodb.com +121,2019,cna@sap.com +156,2019,cve-assign@distributedweaknessfiling.org +40,2019,cve-assign@fb.com +124,2019,cve-assignments@hackerone.com +2,2019,cve-request@iojs.org +9,2019,cve-requests@bitdefender.com +27,2019,cve@cert.org.tw +12,2019,cve@checkpoint.com +7743,2019,cve@mitre.org +2,2019,cve@navercorp.com +30,2019,cve@rapid7.com +26,2019,cybersecurity@ch.abb.com +7,2019,cybersecurity@dahuatech.com +51,2019,cybersecurity@schneider-electric.com +102,2019,f5sirt@f5.com +31,2019,hp-security-alert@hp.com +187,2019,ics-cert@hq.dhs.gov +339,2019,jenkinsci-cert@googlegroups.com +6,2019,larry0@me.com +7,2019,openssl-security@openssl.org +388,2019,product-security@apple.com +157,2019,productcert@siemens.com +5,2019,productsecurity@jci.com +616,2019,psirt@adobe.com +9,2019,psirt@autodesk.com +9,2019,psirt@bosch.com +597,2019,psirt@cisco.com +8,2019,psirt@forcepoint.com +42,2019,psirt@fortinet.com +11,2019,psirt@hcl.com +104,2019,psirt@huawei.com +43,2019,psirt@lenovo.com +58,2019,psirt@mcafee.com +38,2019,psirt@nvidia.com +35,2019,psirt@paloaltonetworks.com +452,2019,psirt@us.ibm.com +23,2019,psirt@zte.com.cn +65,2019,report@snyk.io +310,2019,secalert@redhat.com +597,2019,secalert_us@oracle.com +27,2019,secteam@freebsd.org +3,2019,secure@blackberry.com +104,2019,secure@dell.com +209,2019,secure@intel.com +854,2019,secure@microsoft.com +34,2019,secure@symantec.com +29,2019,security-advisories@github.com +143,2019,security-alert@hpe.com +24,2019,security-alert@netapp.com +12,2019,security-officer@isc.org +1,2019,security-report@netflix.com +357,2019,security.cna@qualcomm.com +2,2019,security@360.cn +475,2019,security@android.com +120,2019,security@apache.org +84,2019,security@atlassian.com +9,2019,security@debian.org +9,2019,security@documentfoundation.org +5,2019,security@drupal.org +30,2019,security@eclipse.org +14,2019,security@elastic.co +186,2019,security@google.com +13,2019,security@kubernetes.io +47,2019,security@microfocus.com +130,2019,security@mozilla.org +7,2019,security@odoo.com +1,2019,security@opera.com +17,2019,security@php.net +26,2019,security@pivotal.io +2,2019,security@puppet.com +11,2019,security@qnap.com +2,2019,security@salesforce.com +9,2019,security@search-guard.com +30,2019,security@suse.com +9,2019,security@synology.com +30,2019,security@tibco.com +32,2019,security@trendmicro.com +23,2019,security@ubuntu.com +2,2019,security@vaadin.com +33,2019,security@vmware.com +7,2019,securityalerts@avaya.com +10,2019,sirt@brocade.com +73,2019,sirt@juniper.net +167,2019,talos-cna@cisco.com +11,2019,vuln@ca.com +38,2019,vuln@krcert.or.kr +45,2019,vulnerability@kaspersky.com +94,2019,vulnreport@tenable.com +120,2019,vultures@jpcert.or.jp +84,2019,zdi-disclosures@trendmicro.com +7,2020,CybersecurityCOE@eaton.com +4,2020,PSIRT-CNA@flexerasoftware.com +20,2020,PSIRT@sonicwall.com +13,2020,VulnerabilityReporting@secomea.com +2,2020,browser-security@yandex-team.ru +19,2020,cert@cert.org +287,2020,chrome-cve-admin@google.com +2,2020,cna@cloudflare.com +9,2020,cna@mongodb.com +218,2020,cna@sap.com +5,2020,contact@wpscan.com +37,2020,cve-assign@fb.com +184,2020,cve-assignments@hackerone.com +3,2020,cve-coordination@incibe.es +24,2020,cve-requests@bitdefender.com +29,2020,cve@aliasrobotics.com +58,2020,cve@cert.org.tw +17,2020,cve@checkpoint.com +117,2020,cve@gitlab.com +7896,2020,cve@mitre.org +3,2020,cve@navercorp.com +29,2020,cve@rapid7.com +4,2020,cve@zscaler.com +36,2020,cybersecurity@ch.abb.com +4,2020,cybersecurity@dahuatech.com +112,2020,cybersecurity@schneider-electric.com +4,2020,disclose@cybersecurityworks.com +9,2020,disclosures@gallagher.com +118,2020,f5sirt@f5.com +3,2020,hp-security-alert@hp.com +301,2020,ics-cert@hq.dhs.gov +33,2020,info@cert.vde.com +235,2020,jenkinsci-cert@googlegroups.com +3,2020,larry0@me.com +3,2020,openssl-security@openssl.org +4,2020,product-cna@github.com +406,2020,product-security@apple.com +126,2020,productcert@siemens.com +7,2020,productsecurity@jci.com +342,2020,psirt@adobe.com +32,2020,psirt@amd.com +7,2020,psirt@autodesk.com +17,2020,psirt@bosch.com +491,2020,psirt@cisco.com +1,2020,psirt@forcepoint.com +38,2020,psirt@fortinet.com +46,2020,psirt@hcl.com +198,2020,psirt@huawei.com +37,2020,psirt@lenovo.com +87,2020,psirt@mcafee.com +45,2020,psirt@nvidia.com +72,2020,psirt@paloaltonetworks.com +4,2020,psirt@sick.de +1,2020,psirt@tigera.io +617,2020,psirt@us.ibm.com +20,2020,psirt@zte.com.cn +236,2020,report@snyk.io +3,2020,responsibledisclosure@mattermost.com +436,2020,secalert@redhat.com +810,2020,secalert_us@oracle.com +28,2020,secteam@freebsd.org +2,2020,secure@blackberry.com +97,2020,secure@dell.com +1,2020,secure@ea.com +312,2020,secure@intel.com +1253,2020,secure@microsoft.com +23,2020,secure@symantec.com +2,2020,securities@openeuler.org +523,2020,security-advisories@github.com +124,2020,security-alert@hpe.com +19,2020,security-alert@netapp.com +10,2020,security-officer@isc.org +6,2020,security-report@netflix.com +264,2020,security.cna@qualcomm.com +3,2020,security@360.cn +527,2020,security@android.com +152,2020,security@apache.org +65,2020,security@atlassian.com +2,2020,security@craftersoftware.com +3,2020,security@debian.org +3,2020,security@documentfoundation.org +8,2020,security@drupal.org +10,2020,security@eclipse.org +13,2020,security@elastic.co +31,2020,security@google.com +7,2020,security@joomla.org +17,2020,security@kubernetes.io +33,2020,security@microfocus.com +148,2020,security@mozilla.org +1,2020,security@odoo.com +6,2020,security@openvpn.net +2,2020,security@opera.com +9,2020,security@oppo.com +15,2020,security@otrs.com +13,2020,security@php.net +32,2020,security@pivotal.io +4,2020,security@puppet.com +25,2020,security@qnap.com +3,2020,security@salesforce.com +21,2020,security@suse.com +13,2020,security@synology.com +2,2020,security@tcpdump.org +10,2020,security@teradici.com +13,2020,security@tibco.com +70,2020,security@trendmicro.com +35,2020,security@ubuntu.com +3,2020,security@vaadin.com +3,2020,security@vivo.com +64,2020,security@vmware.com +17,2020,security@xiaomi.com +9,2020,securityalerts@avaya.com +1,2020,sep@nlnetlabs.nl +19,2020,sirt@brocade.com +82,2020,sirt@juniper.net +8,2020,sirt@silver-peak.com +232,2020,talos-cna@cisco.com +14,2020,vuln@ca.com +71,2020,vuln@krcert.or.kr +11,2020,vuln@vdoo.com +28,2020,vulnerabilities@zephyrproject.org +16,2020,vulnerability@kaspersky.com +17,2020,vulnerabilitylab@whitesourcesoftware.com +93,2020,vulnreport@tenable.com +158,2020,vultures@jpcert.or.jp +220,2020,zdi-disclosures@trendmicro.com +6,2021,CybersecurityCOE@eaton.com +23,2021,Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp +1,2021,PSIRT-CNA@flexerasoftware.com +29,2021,PSIRT@sonicwall.com +2,2021,SecurityResponse@netmotionsoftware.com +3,2021,VulnerabilityReporting@secomea.com +1,2021,alibaba-cna@list.alibaba-inc.com +30,2021,audit@patchstack.com +1,2021,browser-security@yandex-team.ru +8,2021,cert@cert.org +334,2021,chrome-cve-admin@google.com +7,2021,cna@cloudflare.com +8,2021,cna@cyber.gov.il +11,2021,cna@mongodb.com +198,2021,cna@sap.com +735,2021,contact@wpscan.com +16,2021,cve-assign@fb.com +110,2021,cve-assignments@hackerone.com +18,2021,cve-coordination@incibe.es +20,2021,cve-notifications-us@f-secure.com +11,2021,cve-requests@bitdefender.com +165,2021,cve@cert.org.tw +6,2021,cve@checkpoint.com +180,2021,cve@gitlab.com +4591,2021,cve@mitre.org +3,2021,cve@navercorp.com +20,2021,cve@rapid7.com +3,2021,cve@usom.gov.tr +3,2021,cve_disclosure@tech.gov.sg +4,2021,cybersecurity@ch.abb.com +2,2021,cybersecurity@dahuatech.com +3,2021,cybersecurity@hitachi-powergrids.com +6,2021,cybersecurity@hitachienergy.com +86,2021,cybersecurity@schneider-electric.com +2,2021,disclose@cybersecurityworks.com +7,2021,disclosure@synopsys.com +13,2021,disclosures@gallagher.com +5,2021,dl_cve@linecorp.com +82,2021,f5sirt@f5.com +8,2021,hp-security-alert@hp.com +1,2021,hsrc@hikvision.com +256,2021,ics-cert@hq.dhs.gov +2,2021,iletisim@usom.gov.tr +3,2021,info@appcheck-ng.com +79,2021,info@cert.vde.com +5,2021,infosec@edk2.groups.io +103,2021,jenkinsci-cert@googlegroups.com +198,2021,mobile.security@samsung.com +8,2021,openssl-security@openssl.org +2,2021,prodsec@nozominetworks.com +10,2021,product-cna@github.com +322,2021,product-security@apple.com +4,2021,product-security@axis.com +229,2021,productcert@siemens.com +11,2021,productsecurity@jci.com +427,2021,psirt@adobe.com +23,2021,psirt@amd.com +7,2021,psirt@arista.com +25,2021,psirt@autodesk.com +16,2021,psirt@bosch.com +585,2021,psirt@cisco.com +22,2021,psirt@esri.com +1,2021,psirt@forcepoint.com +107,2021,psirt@fortinet.com +2,2021,psirt@hcl.com +305,2021,psirt@huawei.com +34,2021,psirt@lenovo.com +47,2021,psirt@mcafee.com +107,2021,psirt@nvidia.com +37,2021,psirt@paloaltonetworks.com +4,2021,psirt@sick.de +32,2021,psirt@solarwinds.com +3,2021,psirt@thalesgroup.com +401,2021,psirt@us.ibm.com +30,2021,psirt@zte.com.cn +14,2021,reefs@jfrog.com +141,2021,report@snyk.io +5,2021,responsibledisclosure@mattermost.com +259,2021,secalert@redhat.com +585,2021,secalert_us@oracle.com +6,2021,secteam@freebsd.org +9,2021,secure@blackberry.com +136,2021,secure@dell.com +102,2021,secure@intel.com +870,2021,secure@microsoft.com +2,2021,secure@symantec.com +1,2021,securities@openeuler.org +1040,2021,security-advisories@github.com +171,2021,security-alert@hpe.com +20,2021,security-alert@netapp.com +8,2021,security-alert@sophos.com +6,2021,security-officer@isc.org +2,2021,security-report@netflix.com +116,2021,security.cna@qualcomm.com +7,2021,security@acronis.com +523,2021,security@android.com +149,2021,security@apache.org +47,2021,security@atlassian.com +7,2021,security@craftersoftware.com +1,2021,security@deepsurface.com +1,2021,security@devolutions.net +4,2021,security@documentfoundation.org +26,2021,security@eclipse.org +44,2021,security@elastic.co +1,2021,security@eset.com +4,2021,security@fidelissecurity.com +17,2021,security@google.com +169,2021,security@huntr.dev +3,2021,security@jfrog.com +24,2021,security@joomla.org +6,2021,security@kubernetes.io +6,2021,security@mautic.org +30,2021,security@microfocus.com +133,2021,security@mozilla.org +8,2021,security@octopus.com +4,2021,security@openvpn.net +1,2021,security@opera.com +2,2021,security@oppo.com +17,2021,security@otrs.com +2,2021,security@pega.com +6,2021,security@php.net +9,2021,security@puppet.com +41,2021,security@qnap.com +1,2021,security@replicated.com +5,2021,security@salesforce.com +1,2021,security@snowsoftware.com +17,2021,security@suse.com +33,2021,security@synology.com +10,2021,security@teradici.com +30,2021,security@tibco.com +73,2021,security@trendmicro.com +26,2021,security@ubuntu.com +14,2021,security@vaadin.com +86,2021,security@vmware.com +155,2021,security@wordfence.com +24,2021,security@xen.org +20,2021,security@zoom.us +9,2021,security@zyxel.com.tw +8,2021,securityalerts@avaya.com +4,2021,sep@nlnetlabs.nl +5,2021,sirt@brocade.com +134,2021,sirt@juniper.net +177,2021,talos-cna@cisco.com +1,2021,vuln@ca.com +11,2021,vuln@krcert.or.kr +12,2021,vulnerabilities@zephyrproject.org +3,2021,vulnerability@kaspersky.com +17,2021,vulnerability@ncsc.ch +77,2021,vulnerabilitylab@whitesourcesoftware.com +109,2021,vulnreport@tenable.com +250,2021,vultures@jpcert.or.jp +179,2021,zdi-disclosures@trendmicro.com +1,2022,cve@mitre.org +2,2022,security@huntr.dev diff --git a/gsd-project/analysis/cve/mitre-cve-by-current-and-past-years.py b/gsd-project/analysis/cve/mitre-cve-by-current-and-past-years.py new file mode 100644 index 0000000..f673e23 --- /dev/null +++ b/gsd-project/analysis/cve/mitre-cve-by-current-and-past-years.py @@ -0,0 +1,78 @@ +#!/usr/bin/env python3 + +import csv +import re +import os + +os.system("wget -q https://cve.mitre.org/data/downloads/allitems.csv.gz") +os.system("gzip -d allitems.csv.gz") + +CVEAssignedYears = {1999: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2000: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2001: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2002: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2003: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2004: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2005: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2006: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2007: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2008: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2009: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2010: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2011: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2012: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2013: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2014: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2015: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2016: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2017: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2018: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2019: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2020: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2021: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0}, + 2022: {"CVEAssignmentsforCurrentYear":0, "CVEAssignmentsForPreviousYears":0} +} + +with open('allitems.csv', newline='', encoding='ISO-8859-1') as csvfile: + cvereader= csv.reader(csvfile, delimiter=',', quotechar='"') + for row in cvereader: + if re.search('^CVE-', row[0]): + # Ignore reserved + if re.search('^\*\* RESERVED \*\* ', row[2]): + pass + else: + # Get the CVE ID Year + CVEIDYear=re.sub('^CVE-', '', row[0]) + CVEIDYear=re.sub('-[0-9]*$', '', CVEIDYear) + + # If we have an assignedDate value use it, and modify for prior reserved CVEs + if re.search('Assigned \(', row[4]): + assignedDateYear=re.sub('^Assigned \(', '', row[4]) + assignedDateYear=re.sub('[0-9][0-9][0-9][0-9]\)$', '', assignedDateYear) + + # Add logic to check for reserved IDs from prior years, if so bump it up to the CVE Year in the ID itself + if int(assignedDateYear) < int(CVEIDYear): + assignedDateYear = CVEIDYear + + # If we do not have an assignedDate use the CVE year + else: + assignedDateYear=CVEIDYear + + # Write to the correct year counter if assigned in later years + if int(assignedDateYear) > int(CVEIDYear): + CVEAssignedYears[int(assignedDateYear)]["CVEAssignmentsForPreviousYears"] += 1 + else: + CVEAssignedYears[int(assignedDateYear)]["CVEAssignmentsforCurrentYear"] += 1 + +print("Year,CVEAssignmentsForPreviousYears,CVEAssignmentsforCurrentYear") + +for entry in CVEAssignedYears: + print(str(entry) + "," + str(CVEAssignedYears[entry]["CVEAssignmentsForPreviousYears"]) + "," + str(CVEAssignedYears[entry]["CVEAssignmentsforCurrentYear"])) + +# To make this a nice excel chart +# Open this in Excel +# Select the headers and data for 1999-2020 +# Insert chart, bar, stacked +# Right click on chart, "Select Data" +# Click one orf the two Legend Entries and click "Edit" on the right side ("Horizontal (Category) Axis Labels") and select the years +# Rename "Chart Title" to "CVE Activity" diff --git a/gsd-project/analysis/cve/nvd-cve-assigner-data.py b/gsd-project/analysis/cve/nvd-cve-assigner-data.py new file mode 100644 index 0000000..eeb4656 --- /dev/null +++ b/gsd-project/analysis/cve/nvd-cve-assigner-data.py @@ -0,0 +1,46 @@ +#!/usr/bin/env python3 + +# Reminder: loading all the files into json takes 30 seconds or so + +import os +import json +import pprint + +# download files true or false +download_files=False + + + +file_year_list=["2002", "2003", "2004", "2005", "2006", "2007", "2008", "2009", "2010", "2011", "2012", "2013", "2014", "2015", "2016", "2017", "2018", "2019", "2020", "2021", "2022"] + +# Ignore 2022 for now. +data_year_list=["1999", "2000", "2001", "2002", "2003", "2004", "2005", "2006", "2007", "2008", "2009", "2010", "2011", "2012", "2013", "2014", "2015", "2016", "2017", "2018", "2019", "2020", "2021"] + +file_year_data=[] + +for year in file_year_list: + file="nvdcve-1.1-" + str(year) + ".json" + url="https://nvd.nist.gov/feeds/json/cve/1.1/" + file + ".gz" + if download_files == True: + os.system("wget -q " + url) + os.system("gzip -d " + file + ".gz") + + file_handle = open(file) + json_data = json.load(file_handle) + for CVE_Items in json_data["CVE_Items"]: + assigner = CVE_Items["cve"]["CVE_data_meta"]["ASSIGNER"] + cve_id = CVE_Items["cve"]["CVE_data_meta"]["ID"] + publishedDate = CVE_Items["publishedDate"] + # use logic to assign assigned year (CVEID YEAR if > published date year) + print(assigner + "," + cve_id + "," + publishedDate) + # create an array with assigner ID's. then create sub arrays of data_year_list (1999 to now), set to 0 by default, set how many ID's assigned (count+1) + # Then analyze the array and add: + # first_year_seen (first non 0 year) + # last_year_seen (last non 0 year) + # lifespan (years in between last_year_seen and first_year_seen) + # years_since_last_id (many are dead in 2020 and later) + # cve_assigned_0 (any 0 years between first_year_seen and last_year_seen) + # cve_assigned_min lowest non 0 year + # cve_assigned_max higest year + # cve_assigned_average (so total count divided by lifespan) + # cve_assigned_last_year (last year #) diff --git a/gsd-project/analysis/cve/nvd-cve-assigner-data.sh b/gsd-project/analysis/cve/nvd-cve-assigner-data.sh new file mode 100644 index 0000000..e7abadd --- /dev/null +++ b/gsd-project/analysis/cve/nvd-cve-assigner-data.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +# Quick and dirty way to generate a csv of data + +wget -q -i nvd-json-urls.txt +gzip -d nvdcve-1.1-20*.gz + +echo "count,year,assigner" + +grep ASSIGNER nvdcve-1.1-20* | sort | uniq -c | sed 's/ nvdcve-1.1-/,/' | sed 's/\.json:\s*"ASSIGNER" : "/,/' | sed 's/^\s*//' | sed 's/"//' + +# TODO: convert this to python +# TODO: output data in table format for easier excel parsing +# TODO: generate some reports: +# CNAs no longer active by year (e.g. last year active), yearly average before that +# CNAs in decline, e.g. what year did they peak, what was the average, what was the last year +# CNAs in growth, e.g. what year did they peak, what was the average, what was the last year +# Reminder: ignore 2022 data for now (to early) diff --git a/gsd-project/analysis/cve/nvd-json-urls.txt b/gsd-project/analysis/cve/nvd-json-urls.txt new file mode 100644 index 0000000..08ca98f --- /dev/null +++ b/gsd-project/analysis/cve/nvd-json-urls.txt @@ -0,0 +1,21 @@ +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2022.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2019.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2018.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2017.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2016.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2015.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2014.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2012.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2011.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2009.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2008.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2007.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2006.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2005.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2003.json.gz +https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.json.gz diff --git a/gsd-project/comments-on-docs/Comments-on-NIST-SP-800-216.md b/gsd-project/comments-on-docs/Comments-on-NIST-SP-800-216.md new file mode 100644 index 0000000..72a0727 --- /dev/null +++ b/gsd-project/comments-on-docs/Comments-on-NIST-SP-800-216.md @@ -0,0 +1,220 @@ +# Comments on NIST SP 800-216 + +https://csrc.nist.gov/publications/detail/sp/800-216/draft + +https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-216-draft.pdf + +Public comment period: June 7, 2021 through August 9, 2021 + +Email: sp800-216-comments@nist.gov + +Please put the section name and line numbers when quoting text. + +# General comments + +The language in this draft is not clear, e.g. is SHOULD/MUST being used in accordance with RFC2119? + +The draft appears to focus exclusively on traditional software products run by end users and appears to ignore cloud services and other newer technologies and delivery methods. + +# Specific comments below + +Section: 234 1. U.S. Government Vulnerability Disclosure + +``` +235 Thousands of security vulnerabilities in computer software and systems are discovered and +236 publicly disclosed every year. Likely, even more are discovered by developers and quietly fixed +``` +Thousands is on the low end, there are ~16000 CVEs assigned yearly (by CVE Identifier YEAR, for the last 4 years. For example a quick search of GitHub shows hundreds of thousands: https://github.com/search?q=%22security+fix%22 and this ignores the cloud services, and non english speaking world largely. + +``` +237 without anyone ever being aware. In 2020 alone, there were over 18,000 publicly listed +``` + +This number is unclear. By Assigned data and by YEAR in the CVE ID: + +``` +curl https://cve.mitre.org/data/downloads/allitems.csv | grep -a "^CVE-2020-" | grep -v "\* RESERVED \*" | wc -l +17802 + +curl https://cve.mitre.org/data/downloads/allitems.csv | grep -a "Assigned (2020[0-9][0-9][0-9][0-9]" | grep -v "\* RESERVED \*" | wc -l +17000 +``` + +The git repo may have different data but walking all the files to extract the time they actually went public with data needs to be done at some point. + +Section: 334 1.1. Usage of Document Terminology + +``` +335 In the context of this document, the term “vulnerability” refers to a security vulnerability in a +336 digital product. It does not refer to other kinds of vulnerabilities that may pertain to, for example, +337 physical security, economic security, or foreign policy issues. +``` + +Assuming digital products includes cloud services then physical security is a valid concern. Please note that the word "cloud" only occurs once in the document in a reference to ISO IEC 27017. This creates a significant blindspot as 1) many government agencuies use cloud services and 2) many software and "digital products" make use of cloud services (licensing management, updates, data storage and processing, etc.). + +Section: 396 2.1.1. Create Vulnerability Report Receipt Capability + +``` +397 Each FCB participant should develop the ability to receive vulnerability reports from reporters, +398 maintain a database of received reports, and engage in secure communications (e.g., using a +399 report tracking system). The expectation for communication should be established, including the +400 initial acknowledgment, status updates, and agreed method of communication. The actual receipt +401 of a vulnerability report may take multiple forms (e.g., email, web forms, or a phone hotline) and +402 should be stated in a public policy +``` + +Where will these policies be published, and how will people find them? There are no generally accepted standards here, e.g. do they use domain.tld/security/ or domain.tld/.well-known/security.txt (https://securitytxt.org/) or simply rely on al ink in the front page or the "contact us" page? Discovery of how to report an issue is problematic and can result in people giving up and not reporting issues, or extra time being required during an emergency to find out whom to contact and how to contact them. + +``` +408 Vulnerability reports should include a description of the product or service affected; how the +409 potential vulnerability can be identified, demonstrated, or reproduced; and what type of +410 functional impact the vulnerability allows. Due to the sensitivity of the information, agencies +411 should provide mechanisms for confidentially receiving additional information within the reports +412 (e.g., web forms, bug or issue tracking systems, vulnerability reporting services, email, or role +413 address independent of any individual). To facilitate verification of the vulnerability, agencies +414 should design the reporting mechanisms that lead to better information in assessing the validity, +415 severity, scope, and impact of vulnerabilities. This information could include: +``` + +No mention is made of reporting formats or standards, e.g. CVE JSON format? CSAF? OSV? UVI? + +Section: 429 2.1.2. Determine Scope and Obtain Contacts + +``` +430 Prior to the receipt of any vulnerabilities, each FCB participant will determine which government +431 VDPOs fall within the scope of their services. The FCB entity will then obtain and maintain a list +432 of VDPO contacts within the relevant government agencies that receive and handle vulnerability +``` + +This appears to assume a traditional top down pyramid structure, is there any thought giving to lateral reporting or more of a matrix style layout to allow multiple pathways? Top-down reporting strucutres tend to suffer from the fact they are entirely comprised of a chain of single paths of failure. + +Section: 516 2.7.1. Determination of Public Disclosure + +``` +521 Public disclosure may be considered if: +522 • The specific vulnerability is not publicly known (i.e., does not have a CVE number); +``` + +It is not clear if this advice implies that a CVE identifier should be obtained or not. + +``` +531 In many cases, public disclosure might not be necessary or even recommended. For example, +532 publication is likely unnecessary if the vulnerable system is a service that government staff have +533 fixed and they can verify that the vulnerability was not exploited. Vulnerabilities that have been +534 fixed and had no impact on the system userbase should likely not be publicly disclosed in order +535 to enable the advisory systems to focus on vulnerabilities that require user action for continued +536 security and privacy. +``` + +This may create an incentive to cover security vulnerabilities up with a "we fixed it and we're pretty sure nobody exploited it" creating a false sense of security for end users. I would suggest it is better to report incidents, even onces that have been fully handled and pose no significant risk, and 1) label them as such "no action required" and 2) it allows for the creation of actual data and statistics, e.g. a system has 100 security vulnerabilities that were closed out before they became a problem, is this an indication of a security team that is really on the ball, or a team that is covering up real vulnerabilities as "not a problem" and so on? Without any data and reporting there is a strong possibility for institutional rot to set in. + +Section: 627 2.7.3.2. National Vulnerability Database + +``` +628 The National Vulnerability Database [NVD] is the U.S. Government repository of standards- +629 based vulnerability management data. It contains a database of almost all publicly disclosed +630 vulnerabilities — more specifically, all vulnerabilities included within the Common +631 Vulnerabilities and Exposures (CVE) dictionary [CVE]. NVD staff analyzes vulnerability +``` + +The CVE database is missing a huge amount of content: + +1) CVEs that have been assigned, but the data not pushed back to the database (some of which is over 10 years old): https://github.com/distributedweaknessfiling/distributedweaknessfiling.org/tree/main/reserved-but-public +2) Many CNAs have security vulnerabilities and advisories with no CVE IDs, e.g. XEN (goto https://xenbits.xen.org/xsa/ and look for "none (yet) assigned") +3) Non CNA data sources with in scope content +4) Non CNA sources with "out of scope" but useful data (e.g. services, malware, backdoors, etc.) + +Section: 683 2.9. Technical Approaches and Resources + +``` +689 The CVE naming scheme should be used when referencing publicly disclosed vulnerabilities. +690 The CVE website is focused on providing unique identification for each vulnerability to maintain +691 the CVE list. It is not intended to act as an advisory service. When referencing a CVE +692 vulnerability, the NVD link should be used since it provides an analysis of each CVE and any +693 referenced information. +``` + +This will require the CVE system to be much more responsive and cover a much wider scope of vulnerabilities. It's also not clear on what will happen if a CNA refuses to create CVE identifiers, I can only assume the CVE dispute process will be invoked. The reality is the US Government uses a LOT of OpenSource software for which there is poor, if any, CVE coverage currently. + + +Section: 794 3.2.2. Monitoring of Vulnerability Reports + +``` +795 VDPOs should monitor their reporting mechanisms for new reports and communications related +796 to existing reports. VDPOs should also monitor public sources for vulnerability reports and +797 organizational communications channels that are likely to receive vulnerability reports, such as +798 customer service and support. +``` + +The CVE database doesn't support this well, witness the 20,000+ missing SUSE URLs: https://github.com/distributedweaknessfiling/securitylist/commit/b690b4b1de7afba26c849e12b4aaadafc95e7e81 and 20,000+ missing Red Hat URLs: https://github.com/distributedweaknessfiling/securitylist/commit/e0a8925c90b1b4e6203fecbc6f61dcefe1b4accc and the hundreds (thousands?) of publicly used CVEs that are not in the database https://github.com/distributedweaknessfiling/securitylist/blob/main/missing-data/cvelist-missing-items-RESERVED-found-in-allitems.csv or the CVEs in wide use for days or weeks (by the press even) prior to being entered into the CVE database. + +Section: 799 3.2.3. Development of the Capability to Receive Vulnerability Disclosure Reports + +``` +800 Each VDPO should develop the capability to receive vulnerability reports from their associated +801 FCB participant. This includes the ability to communicate and enable coordination in +802 vulnerability reporting resolution, which requires the development of both technical and +803 personnel/procedural capabilities. If the FCB participant provides technical mechanisms to +804 streamline this process, the VDPO should use the provided mechanisms. +``` + +Where will these policies be published, and how will people find them? There are no generally accepted standards here, e.g. do they use domain.tld/security/ or domain.tld/.well-known/security.txt (https://securitytxt.org/) or simply rely on al ink in the front page or the "contact us" page? Discovery of how to report an issue is problematic and can result in people giving up and not reporting issues, or extra time being required during an emergency to find out whom to contact and how to contact them. + +Section: 819 3.2.4. Development of Vulnerability Disclosure Handling Policies + +``` +820 Each VDPO should develop and maintain an internal vulnerability handling policy to define and +821 clarify its intentions for investigating and remediating vulnerabilities as part of a vulnerability +822 handling process. +``` + +Is there any prescriptive help here, e.g. beyond ISO standards, any best practices for governments/agencies? It seems like a lot of reinventing the wheel will take place here, not all of it compatible or good. + +Section: 838 3.2.5.1. Receipt of Vulnerability Disclosure Reports + +``` +841 to identify the potentially vulnerable systems and software. Every vulnerability report should +842 have a priority rating, assigned by the FCB participant, that is used to optimize resource +843 allocations and determine the urgency of handling each report. If a VDPO permits the direct +``` + +No mention is made of any system to prioritize reports, e.g. is it severity times number of deployed systems times impact? There is no generally accepted guidance here, nor even a good list of the metrics or dimensions, e.g. vulnerability impact, PII exposure, operational requirements, etc. While prioritization is critical to direct resourcing appropriately the complete lack of any framework or guidelines is problematic. + +Section: 773 3.2.1. Development of Vulnerability Disclosure Report Acceptance Policies + +``` +786 The internal policy details the rules and procedures for handling, coordinating, and resolving +787 received vulnerability reports (further described in Section 3.1); the mechanisms used to track +788 reports; and expectations for communication with reporters and other stakeholders. It should +789 specify expected response and remediation timelines when handling vulnerability reports as well +``` + +No mention is made of dealing with externally imposed deadlines, e.g. Google project 0 https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html and the lack of any guidance in the public policy may be problematic. This also dovetails with the publishing of metrics which are useful when reporting, e.g. is the entity responsive or slow? + +Section: 846 3.2.5.2. Identification of Potentially Vulnerable Systems and Software + +``` +847 The first step to addressing a received vulnerability report is to identify the potentially vulnerable +848 software as well as the agency IT systems to which the report belongs. To enable this, each +849 VDPO should maintain a current list or database of contacts for each system within its purview. +850 In some cases, A VDPO that has received a vulnerability report may need to coordinate with +851 multiple system owners (or their security officer) to determine which system or software is +852 potentially vulnerable. This step does not involve verifying the existence of the vulnerability but +853 merely identifying to which system the report belongs. +854 Many products are complex systems that include or are dependent on other products or +855 components. Therefore, the initial analysis may not result in a clear understanding of which +856 products are affected by the vulnerability. It may take multiple iterations of discovery and +857 research before a determination can be made that the vulnerability exists within government858 produced software or commercial/open-source software used by the Government. +``` + +The lack of any prescriptive guidance or standards here is problematic and should be addressed (as evidenced by the direct mention of this very problem in the 2021-05-12 "Executive Order on Improving the Nation’s Cybersecurity" https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ which mentions SBOM/etc. + +Section: 955 3.3.4. Integration of Contractor Support into the VDPO + +``` +956 Policy considerations pertaining to the handling, resolution, and correction of vulnerability +957 disclosure information should be developed to include in any contracts that support an +958 information system in order to mitigate or resolve the vulnerability. +``` + +Guidance around the use of bug bounties especially will be needed here. diff --git a/gsd-project/data-formats/Thoughts-on-data-formats.md b/gsd-project/data-formats/Thoughts-on-data-formats.md new file mode 100644 index 0000000..30a5d2f --- /dev/null +++ b/gsd-project/data-formats/Thoughts-on-data-formats.md @@ -0,0 +1,140 @@ +# Thoughts on data formats + +This is not a final document nor an official statement on the data format(s) used by the GSD. This is designed to help structure and encourage discussion around vulnerbaility identifer data formats. + +The GSD can use other peoples data formats, especially if we clearly label them as such. We can also provide mappings, e.g. OSV:affected:package:name maps to CVE:product:product_name to translate the data and make it easier to consume. + +# Compariong data formats + +[Google Sheet - Data Formats and versions Compared](https://docs.google.com/spreadsheets/d/14VHXigdynIGB8okW3jyvtNj-LE0fxEsoBNMvswX4Kwg/edit?usp=sharing) + +# GSD Identifer data components + +What data components MUST/SHOULD/CAN a GSD identifier have, what is the bare minimum to make these useful? + +## a GSD Identifier MUST have: + +* Identifier +* Meta data (time assigned, who requested it, etc.) +* Reference URL (optional: type of URL, copy of data, etc.) OR Source (e.g. a namespace and an identifier, "redhat.com:RHSA-2021-1234" OR known exploit OR known exploitation + +Essentially we need some path of discoverability and some data with a degree of confidence indicated (e.g. confirmed, rumour, etc.). + +## a GSD Identifier SHOULD have + +* Affected / Fixed / Vulnerable / Not Vulnerable products/services (CPE? JSON? Purl?) +* Vulnerbaility information/type (e.g. CWE) +* An overall confidence score between 0 and 10 based on sources, confirmation, etc. + +And ideally we want some information to make the security identifier directly useful for systems and humans beings that consume the data. + +## a GSD Identifier CAN have: + +* Text description +* Severity scores +* Relationship data (parent/child/sibling/etc of) +* Exploits (code/reproducers) +* Exploitation (knowledge of exploitation) +* Patches +* Workarounds +* Configuration related information + +# String and value handling - multiple values + +Anything that is a string or a value that can be more than one value needs to be a list so that multiple values can be clearly supported. A perfect example of this is [GSD-2021-1002352.json](https://github.com/cloudsecurityalliance/gsd-database/blob/main/2021/1002xxx/GSD-2021-1002352.json) which is called "log4j" and "log4j2" by Apache and other organizations use the names interchangeably it appears. This means that anything that is not clearly defined as having only a single possible value (e.g. the GSD ID itself, the assigned time) must be assumed to potentially be a list of values. + +# Human-readable vs machine-readable data + +The JSON data should contain both the human and machine readable data. Ideally a strong distinction should be made, e.g. machine readable affected product data should be highly structured, but a human readable text description should be allowed (e.g. the current style of CVE text description), and any human readable data MUST allow basic formatting, I think standardizing on Markdown is the most sensible solution. The current mess that is CVE text descriptions (overly short, some unreadable due to "ths is not CVE-FOO" and so on) and the experience of turning the text description in GSD-2021-1002352 into something more readable comes to mind. It should be noted that MITRE doesn't even allow line returns to split text up into paragraphs/etc (if you submit a CVE JSON entry they strip the line returns). + +# Types of fields + +## Unique vs multiple occurances + +Some fields must be unique across the GSD database, e.g. the GSD identifier for a specific GSD must be unique. But for example relationship data could contain multiple instances of a GSD identiifier across multiple different GSD identifiers + +Some fields are expected to have non unique values, e.g. timestamps, lists of affected products, etc. + +## Human-readable vs machine-readable + +All fields should be assumed to be primarily machine readable (and ideally machine generated) except where specifically noted such as the description, or notes fields. + +## Generated vs manually created + +Ideally fields should be generated with tools rather than being manually entered where possible, e.g. timestamps, or extracting data from a vendor advisory. + +Many fields SHOULD (MUST?) support manual overrides, e.g. affected product lists, very few fields should not allow a manual override (GSD Identifier even? Timestamps?) + +# Namespacing + +All data must exist within a namespace, the two primary ones are "GSD" and "OSV", additional namespaces would typically be represented by a domain name, an email address, a URL, or a GitHub username/id combination (since names can change). Namespaces are available for entities, and entity can be an individual, a group, a company, an organization, an automated tool/AI/ML, etc. + +# Other security data format examples: + +* CSAF2 https://docs.oasis-open.org/csaf/csaf/v2.0/csd01/csaf-v2.0-csd01.html +* CVE https://github.com/CVEProject/cve-schema/tree/master/schema +* CVRF https://www.icasi.org/cvrf/ +* OSV https://ossf.github.io/osv-schema/ +* OVAL https://oval.mitre.org/ + +# Other security data format examples for specific subtypes of data: + +* CPE https://nvd.nist.gov/products/cpe (Product ID) +* CVSS https://www.first.org/cvss/ (Vulnerability Impact) +* CWE https://cwe.mitre.org/community/submissions/guidelines.html (Vulnerability Type) +* EPSS https://www.first.org/epss/ (Exploitation Prediction) +* purl https://github.com/package-url/purl-spec (Product ID) +* NIST Vulnerability Ontology https://github.com/usnistgov/vulntology +* VEX https://github.com/CycloneDX/bom-examples/tree/master/VEX https://cyclonedx.org/capabilities/vex/ + +# Top Level Tagging + +I think some top level tagging such as "vulnerability" would be useful to allow people to more easily sort/view data, some clusters: + +* exposure +* vulnerability +* weakness + +* availability +* confidentiality +* integrity + +* backdoor +* deceptive software +* malware + +* closed source +* cloud +* on premises +* open source +* service + +* could have been worse + +* exploit +* exploitation +* exploit code +* exposure +* incident +* ioc + +* rugpull +* scam +* spam + +* state actor + +* configuration +* hardening +* enhancement +* patch +* removal of unsafe feature +* workaround + +* project +* publisher +* researcher +* vendor + + + diff --git a/gsd-project/examples/GSD-2021-1002352-description.txt b/gsd-project/examples/GSD-2021-1002352-description.txt new file mode 100644 index 0000000..43467e3 --- /dev/null +++ b/gsd-project/examples/GSD-2021-1002352-description.txt @@ -0,0 +1,60 @@ +This vulnerability was not correctly fixed "in certain non-default configuration" and a new vulnerability and patch have been released, please see GSD-2021-1002353 (CVE-2021-45046). Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. + +In log4j 2.15.1 and later JNDI will be disabled by default: + +"Dealing with CVE-2021-44228 has shown the JNDI has significant security issues. While we have mitigated what we are aware of it would be safer for users to completely disable it by default, especially since the large majority are unlikely to be using it. Those who are will need to specify -Dlog4j2.enableJndi=true or the environment variable form of it to use any JNDI components." (https://issues.apache.org/jira/browse/LOG4J2-3208) + +In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false". + +Later versions of the Oracle Java JDK are not affected by the LDAP attack vector, but other vectors are available for exploitation: "JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector but please note this still leaves other attack vectors. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to "false" meaning JNDI cannot load remote code using LDAP." (https://www.lunasec.io/docs/blog/log4j-zero-day/) + +Also please note that log4j version 1.x is not affected by this specific vulnerability it does have a number of known serious security flaws and likely also contains Remote Code Execution vulnerabilities, upgrading it should be investigated. + +Hot patches: + +There are currently several projects providing hot patches that can modify a running system to remove the vulnerability and are OpenSource licensed allowing them to be easily audited: + +Log4jHotPatch + +This is a tool which injects a Java agent into a running JVM process. The agent will attempt to patch the lookup() method of all loaded org.apache.logging.log4j.core.lookup.JndiLookup instances to unconditionally return the string "Patched JndiLookup::lookup()". It is designed to address the CVE-2021-44228 remote code execution vulnerability in Log4j without restarting the Java process. The dynamic and static agents are known to run on JDK 8 & 11 on Linux whereas on JDK 17 only the static agent is working (see below)" (https://github.com/corretto/hotpatch-for-apache-log4j2) + +Logout4Shell + +"However, enabling these system property requires access to the vulnerable servers as well as a restart. The Cybereason research team has developed the following code that exploits the same vulnerability and the payload therein forces the logger to reconfigure itself with the vulnerable setting disabled - this effectively blocks any further attempt to exploit Log4Shell on this server." (https://github.com/Cybereason/Logout4Shell) + +Detection + +Please see the GSD reference links tagged with "DETECTION" for more information (there are to many to list here). + +TOP LINKS: + +Best list of vulnerable software: https://github.com/NCSC-NL/log4shell/tree/main/software + +Best list of vulnerable services: https://github.com/YfryTchsGD/Log4jAttackSurface + +Best hotpatch: + +https://github.com/corretto/hotpatch-for-apache-log4j2 + +Best detection: + +grep: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b + +jarhashes: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes + +semgrep: https://github.com/returntocorp/semgrep-rules/pull/1650/commits/ecfc32623eec718d61ec83b9196574f333191008/ + +yara: https://github.com/timb-machine/log4j/ + +burpsuite: https://github.com/silentsignal/burp-log4shell + +Nmap NSE: https://github.com/Diverto/nse-log4shell + +Scanners: +https://github.com/alexbakker/log4shell-tools +https://github.com/fullhunt/log4j-scan +https://github.com/takito1812/log4j-detect + +Exploitation: + +An exploit kit is available at https://github.com/pimps/JNDI-Exploit-Kit and it has also been reported that omitting the closing } can result in data from other requests being sent as some servers with log4j2 will apparently keep sending data until they find a closing }. diff --git a/gsd-project/gsd-experimental/README.md b/gsd-project/gsd-experimental/README.md new file mode 100644 index 0000000..58f86c1 --- /dev/null +++ b/gsd-project/gsd-experimental/README.md @@ -0,0 +1,2 @@ +# gsd-experimental +GSD Experimentation Repo diff --git a/gsd-project/gsd-experimental/experiment_1/MVP Requirements.md b/gsd-project/gsd-experimental/experiment_1/MVP Requirements.md new file mode 100644 index 0000000..d0a583d --- /dev/null +++ b/gsd-project/gsd-experimental/experiment_1/MVP Requirements.md @@ -0,0 +1,65 @@ +# MVP Requirements +## NOT a requirement + +- Machine readable changelog / git blame + +## Data format + +[We use OSV by default, and may use other data formats or unspecified formats as well.](https://github.com/cloudsecurityalliance/gsd-project/blob/main/data-formats/Thoughts-on-data-formats.md) We will indicate what format we're using within the GSD, e.g.: + +**Generalized format:** +```json +{ + "data_format": "NAMESPACE", + "data_type": "NAME_OF_DATA_FORMAT", + "data_version": "x.y.z" +} +``` + +**OSV Format example:** +```json +{ + "data_format": "osv.dev", + "data_type": "OSV", + "data_version": "1.0" +} +``` + +**CVE Format example:** +```json +{ + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0" +} +``` + +## Human Web Interface + +Example identifiers: +- GSD ID - https://globalsecuritydatabase.org/identifier/GSD-2021-1000XXX +- CVE ID - https://globalsecuritydatabase.org/identifier/CVE-2021-1337 +- GHSA ID - https://globalsecuritydatabase.org/identifier/GHSA-jc8m-cxhj-668x +- Git commit hash - https://globalsecuritydatabase.org/identifier/d3a83576378b4c904f711598dde2c5e881c4295c +- Named vuln + - Heartbleed - https://globalsecuritydatabase.org/identifier/Heartbleed + - BigSig - https://globalsecuritydatabase.org/identifier/BigSig + - Log4Shell - https://globalsecuritydatabase.org/identifier/Log4Shell + +--- + +- [ ] Present the data, in a nice / well formatted manner +- [ ] Allow updates/corrections of the data (from web interface) + - Requires Github login & Github ID attached to update/data (via OAuth) + - Show the GSD updates by default, and show the original data (we can discuss presentation options) +- [ ] Search GSDs + - Present single/multiple results if exists + - Otherwise allow creation of new GSD + - When searching by identifier, match GSDs by "equivalent" not by "related" +- [ ] Guided process / web form for creation of new GSDs + +## Machine Readable API + +- [ ] Parsed json blob (GSD world view w/ GSD updates to referenced data by default) + - https://api.globalsecuritydatabase.io/GSD-2021-1000XXX + diff --git a/gsd-project/gsd-experimental/experiment_1/Tracking Changes.md b/gsd-project/gsd-experimental/experiment_1/Tracking Changes.md new file mode 100644 index 0000000..1d2f982 --- /dev/null +++ b/gsd-project/gsd-experimental/experiment_1/Tracking Changes.md @@ -0,0 +1,20 @@ +Don't do this: + +```json +{ + "GSD-ID": "GSD-2021-1234567" + "CHANGE_LOG": { + "id": "GSD-2021-1234567", + "changes": [ + { + "OLD": {}, + "NEW": {}, + "CHANGED_BY": {}, + "TIMESTAMP": "" + } + ] + } +} +``` + +For now we'll rely entirely on Git for version control/history/blame related data. Long term we don't want to cement ourselves within Git, but it serves our needs for now. \ No newline at end of file diff --git a/gsd-project/gsd-experimental/experiment_1/UVI-2021-1000001.json b/gsd-project/gsd-experimental/experiment_1/UVI-2021-1000001.json new file mode 100644 index 0000000..7058168 --- /dev/null +++ b/gsd-project/gsd-experimental/experiment_1/UVI-2021-1000001.json @@ -0,0 +1,143 @@ +{ + "UVI": { + "vendor_name": "https://github.com/justdan96/tsMuxer", + "product_name": "tsMuxer", + "product_version": "2.6.16", + "vulnerability_type": "Denial of service", + "affected_component": "tsMuxer", + "attack_vector": "mp4", + "impact": "DoS", + "credit": "huangxiao", + "references": [ + "https://github.com/justdan96/tsMuxer/issues/395" + ], + "reporter": "NigelX", + "notes": "", + "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-26805. Reason: This candidate is a duplicate of CVE-2021-26805. Notes: All CVE users should reference CVE-2021-26805 instead of this candidate.", + "EXPERIMENTAL_UPDATE": { + "cve.org": { + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "justdan96", + "product": { + "product_data": [ + { + "product_name": "tsMuxer", + "version": { + "version_data": [ + { + "version_value": "2.6.16" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "invalid delete error" + } + ] + } + ] + } + } + } + }, + "OSV": { + "id": "UVI-2021-1000001", + "summary": "Denial of service in tsMuxer version 2.6.16", + "details": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-26805. Reason: This candidate is a duplicate of CVE-2021-26805. Notes: All CVE users should reference CVE-2021-26805 instead of this candidate.", + "modified": "2021-06-24T22:55:39.024188Z", + "published": "2021-05-31T15:39:45.031586Z", + "references": [ + { + "type": "WEB", + "url": "https://github.com/justdan96/tsMuxer/issues/395" + } + ], + "affected": [ + { + "package": { + "name": "tsMuxer", + "ecosystem": "DWF" + }, + "versions": [ + "2.6.16" + ] + } + ] + }, + "cve.org": { + "CVE_data_meta": { + "ASSIGNER": "cve@mitre.org", + "ID": "CVE-2021-26805", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "n/a", + "version": { + "version_data": [ + { + "version_value": "n/a" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Buffer Overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a malicious WAV file." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "n/a" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/justdan96/tsMuxer/issues/395", + "refsource": "MISC", + "name": "https://github.com/justdan96/tsMuxer/issues/395" + } + ] + } + } +} diff --git a/gsd-project/gsd-experimental/experiment_1/UVI-2021-1002351.json b/gsd-project/gsd-experimental/experiment_1/UVI-2021-1002351.json new file mode 100644 index 0000000..019abc1 --- /dev/null +++ b/gsd-project/gsd-experimental/experiment_1/UVI-2021-1002351.json @@ -0,0 +1,70 @@ +{ + "uvi": { + "vendor_name": "Linux", + "product_name": "Kernel", + "product_version": "versions from to before v5.15.4", + "vulnerability_type": "unspecified", + "affected_component": "unspecified", + "attack_vector": "unspecified", + "impact": "unspecified", + "credit": "", + "references": [ + "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ef2590a5305e0b8e9342f84c2214aa478ee7f28e" + ], + "extended_references": [ + { + "type": "commit", + "value": "ef2590a5305e0b8e9342f84c2214aa478ee7f28e", + "note": "fixed" + } + ], + "reporter": "joshbressers", + "reporter_id": 1692786, + "notes": "", + "description": "thermal: Fix NULL pointer dereferences in of_thermal_ functions\n\nThis is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven.\nThis ID is fixed in Linux Kernel version v5.15.4 by commit ef2590a5305e0b8e9342f84c2214aa478ee7f28e. For more details please see the references link.", + "EXPERIMENTAL_UPDATE": { + "OSV": { + "affected": [ + { + "package": { + "name": "Kernel", + "ecosystem": "Linux" + }, + "versions": ["5.15.3" + ] + } + ] + } + } + }, + "OSV": { + "id": "UVI-2021-1002351", + "summary": "thermal: Fix NULL pointer dereferences in of_thermal_ functions", + "details": "thermal: Fix NULL pointer dereferences in of_thermal_ functions\n\nThis is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven.\nThis ID is fixed in Linux Kernel version v5.15.4 by commit ef2590a5305e0b8e9342f84c2214aa478ee7f28e. For more details please see the references link.", + "modified": "2021-11-29T02:40:01.773239Z", + "published": "2021-11-29T02:40:01.773239Z", + "affected": [ + { + "package": { + "name": "Kernel", + "ecosystem": "Linux" + }, + "ranges": [ + { + "type": "GIT", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/", + "events": [ + { + "introduced": "0" + }, + { + "limit": "ef2590a5305e0b8e9342f84c2214aa478ee7f28e" + } + ] + } + ], + "versions": [] + } + ] + } +} diff --git a/gsd-project/postmortems/CVE 2021 no affected version in data raw list.md b/gsd-project/postmortems/CVE 2021 no affected version in data raw list.md new file mode 100644 index 0000000..b7e7813 --- /dev/null +++ b/gsd-project/postmortems/CVE 2021 no affected version in data raw list.md @@ -0,0 +1,11 @@ +# CVE 2021 no affected version in data raw list + +Many 2021 CVE's contain no meta data about the affected product/version. A raw list is: + +CVE-2021-no-affected-version-raw-list.txt + +Many do not have vulnerability text in the CVE description either, meaning you must go to the original source material to determine what is/is not affected. + +# Reccomendations: + +1. Ensure meta data is present or explain why it is not present (e.g. Cloud services may legitimately have no version data) diff --git a/gsd-project/postmortems/CVE-2021-38467.md b/gsd-project/postmortems/CVE-2021-38467.md new file mode 100644 index 0000000..b1d4121 --- /dev/null +++ b/gsd-project/postmortems/CVE-2021-38467.md @@ -0,0 +1,130 @@ +# Postmortem on CVE-2021-38467 + +While reviewing CVEs I ran across CVE-2021-38467 which has a number of problems + +## Lack of vendor, product, vulnerability and fixed data: + +The CVE text description reads: + +> A specific function code receives a raw pointer supplied by the user and deallocates this pointer. The user can then control what memory regions will be freed and cause use-after-free condition. + +I was under the impression that the text description must include this data (CVE CNA rules 2.0 https://cve.mitre.org/cve/cna/CNA_Rules_v2.0.pdf specifically "Appendix B CVE Information Format") + +This is no longer the case, under the CVE CNA rules 3.0 (https://cve.mitre.org/cve/cna/rules.html specifically "8.2 Prose Description Requirements") this is no longer the case: + +> 8.2.1 MUST provide enough information for a reader to have a reasonable understanding of what products are affected. If the affected products are not explicitly listed in the description, then the CNA MUST provide a reference that points to the known affected products. + +> 8.2.2 SHOULD include the affected or fixed version(s). + +> 8.2.3 MUST include one of the following: + +> Vulnerability Type +> Root Cause +> Impact + +As such the text description with no vendor, product or affected version is allowed. + +## Information about affected version + +Obviously which product and version are affected by a CVE are a central and critical issue (is this a Windows issue? Apache? Some OpenSource library? A commercial product?). + +Also the version affected is critical, are you running an affected version? Do you need to upgrade, and if so to what version specifically? + +### https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38467 + +No data, you must click original reference to find it + +AFFECTED: "NO DATA" +FIXED: "NO DATA" + +### https://www.cve.org/CVERecord?id=CVE-2021-38467 + +> Vendor: AUVESY +> Product: Versiondog +> Versions Affected: +> <=8.0: affects 8.0 and prior versions + +Note the web page includes the JSON, but it is not displayed by default + +AFFECTED: "<=8.0" +FIXED: ">=8.1" (you must manually open and read the JSON data) + +### https://github.com/CVEProject/cvelist/blob/master/2021/38xxx/CVE-2021-38467.json + +The JSON data says: + +> { +> "vendor": { +> "vendor_data": [ +> { +> "vendor_name": "AUVESY", +> "product": { +> "product_data": [ +> { +> "product_name": "Versiondog", +> "version": { +> "version_data": [ +> { +> "version_affected": "<=", +> "version_name": "All", +> "version_value": "8.0" + +and later on: + +> "solution": [ +> { +> "lang": "eng", +> "value": "AUVESY recommends upgrading Versiondog to Version 8.1 or later (login required)." + +AFFECTED: "<=8.0.0" +FIXED: ">=8.1" + +### https://nvd.nist.gov/vuln/detail/CVE-2021-38467 + +The CPE data says: + +> cpe:2.3:a:auvesy:versiondog:*:*:*:*:*:*:*:* +> Up to (excluding) +> 8.0.0 + +AFFECTED: "<8.0.0" +FIXED: "NO DATA" + +### https://us-cert.cisa.gov/ics/advisories/icsa-21-292-01 + +The original report says: + +> 3.1 AFFECTED PRODUCTS +> The following versions of Versiondog, a data management software for automated production, are affected: +> Versiondog: All versions prior to v8.0 + +But it also says later on: + +> 4. MITIGATIONS +> AUVESY recommends upgrading Versiondog to Version 8.1 or later (login required). + +AFFECTED: "<8.0" +FIXED: ">=8.1" + +## Conclusion about product/version affected + +Based on the original source material form CISA: + +Versiondog prior to 8.0 is definitely affected. + +Versiondog 8.1 and later are definitely fixed. + +Verisondog 8.0 is probably vulnerable, but we can't be sure, someone needs to contact CISA, clarify this, and update the CVE. + +Verisondog 8.0.0 is probably vulnerable, but we can't be sure, someone needs to contact CISA, clarify this, and update the CVE. It is probably the same as 8.0. + +Based on the data from Mitre/NVD/etc. it's clear that there are problems in the parsing and interpretation of the data and that original source data is not being checked or verified. + +Based on the CISA and CVE/JSON data it's clear that CISA/MITRE has some mismatch in the source data and the CVE data. + +## Recommendations: + +1. Have a feedback method to indicate there is a problem +2. Have a feedback method to provide feedback on the problem +3. Have a feedback method to provide a solution for the problem (if applicable) +4. Provide links to contact original vulnerability reporter, vulnerability id requestor, and source material reporter, direct links (e.g. mailto) will result in a lack of transparency and no idea if the person has been contacted or not, so some form of ticketing system that also pushes out email/etc. diff --git a/gsd-project/postmortems/CVE-2021-41773.md b/gsd-project/postmortems/CVE-2021-41773.md new file mode 100644 index 0000000..ac794c6 --- /dev/null +++ b/gsd-project/postmortems/CVE-2021-41773.md @@ -0,0 +1,96 @@ +# CVE-2021-41773 Post mortem + +## Raw data + +Raw data + +### Apache Security Web Page +https://httpd.apache.org/security/vulnerabilities_24.html + +CVE-2021-41773 +https://web.archive.org/web/2021 10 05 192245/https://httpd.apache.org/security/vulnerabilities_24.html +important: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773) + +CVE-2021-42013 +https://web.archive.org/web/2021 10 07 164605/https://httpd.apache.org/security/vulnerabilities_24.html +critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013) + +### Apache mailing list + +http://mail-archives.apache.org/mod_mbox/www-announce/202110.mbox/browser + +CVE-2021-41773 +Tue, 05 Oct, 2021 09:03 GMT +http://mail-archives.apache.org/mod_mbox/www-announce/202110.mbox/ajax/%3Ce377474b-8d81-035a-bd74-3c20e4a7c144%40apache.org%3E + +CVE-2021-42013 +Thu, 07 Oct 2021 15:24:32 GMT +http://mail-archives.apache.org/mod_mbox/www-announce/202110.mbox/ajax/%3C7c4d9498-09ce-c4b4-b1c7-d55512fdc0b0%40apache.org%3E + +### https://github.com/CVEProject/cvelist/ + +This reflects the website cve.mitre.org but has better time stamps + +https://github.com/CVEProject/cvelist/commits/master/2021/41xxx/CVE-2021-41773.json + +CVE-2021-41773 +https://github.com/CVEProject/cvelist/commit/04bf0a13d49b1b3fd57bee42b35c531d81474a60#diff-239e714021457d8852d0204b478dc59f66c90c48ff079a37f777af0cdbb22e32 + +RCE (source info, no text) +https://github.com/CVEProject/cvelist/commit/8f86aac9105e481cab7ff0fb074201e781a2bbc9#diff-239e714021457d8852d0204b478dc59f66c90c48ff079a37f777af0cdbb22e32 + +RCE (source info, no text, RCE in url) +https://github.com/CVEProject/cvelist/commit/4e45ffec8edeb016fb28f22ab8ed1fb0989b4f47#diff-239e714021457d8852d0204b478dc59f66c90c48ff079a37f777af0cdbb22e32 + +Incomplete fix (source info, no text) +https://github.com/CVEProject/cvelist/commit/354f1e56fa8e0dd2ba63baef34e3ef22891870bc#diff-239e714021457d8852d0204b478dc59f66c90c48ff079a37f777af0cdbb22e32 + +RCE added to CVE text +https://github.com/CVEProject/cvelist/commit/d1cf3ee6d81501890347071bb47f115eeed55671#diff-239e714021457d8852d0204b478dc59f66c90c48ff079a37f777af0cdbb22e32 + +RCE added to CVE text pushed to repo +https://github.com/CVEProject/cvelist/commit/951178fb7dd7b866e724923301d4f08439a02b23#diff-239e714021457d8852d0204b478dc59f66c90c48ff079a37f777af0cdbb22e32 + +### https://nvd.nist.gov/vuln/detail/CVE-2021-41773 + +https://nvd.nist.gov/vuln/detail/CVE-2021-41773#VulnChangeHistorySection + +### OSS-Security + +CVE-2021-41773 +Date: Tue, 05 Oct 2021 09:03:14 +0000 +https://www.openwall.com/lists/oss-security/2021/10/05/2 + +RCE +Date: Thu, 7 Oct 2021 06:01:43 +0000 +https://www.openwall.com/lists/oss-security/2021/10/07/1 + +CVE-2021-42013 +Date: Thu, 07 Oct 2021 15:24:32 +0000 +https://www.openwall.com/lists/oss-security/2021/10/07/6 + +RCE +Date: Fri, 8 Oct 2021 03:18:14 +0200 +https://www.openwall.com/lists/oss-security/2021/10/08/1 + +### Twitter + +Change times to GMT -7 offset + +File inclusion +9:34 AM · Oct 5, 2021 +https://twitter.com/HackerGautam/status/1445412108863041544 + +RCE +5:30 PM · Oct 5, 2021 +https://twitter.com/hackerfantastic/status/1445531829985968137 + +### Another postmortem: + +https://twitter.com/icing/status/1446504661448593408 +https://github.com/icing/blog/blob/main/httpd-2.4.50.md + +# Recommendations: + +1. Lack of updated text about Apache httpd 2.4.49 gave the impression that the vulnerability was only an inclusion in 2.4.49, and an RCE in 2.4.50 when in fact it was an RCE in 2.4.49. +2. Watching "official" sources meant 2 days before learning it was an RCE, also that the RCE fits into a tweet diff --git a/gsd-project/postmortems/CVE-2021-no-affected-version-in-data-raw-list.txt b/gsd-project/postmortems/CVE-2021-no-affected-version-in-data-raw-list.txt new file mode 100644 index 0000000..da10c17 --- /dev/null +++ b/gsd-project/postmortems/CVE-2021-no-affected-version-in-data-raw-list.txt @@ -0,0 +1,4085 @@ +CVE-2021-1126 +CVE-2021-1127 +CVE-2021-1128 +CVE-2021-1129 +CVE-2021-1130 +CVE-2021-1131 +CVE-2021-1133 +CVE-2021-1134 +CVE-2021-1135 +CVE-2021-1136 +CVE-2021-1137 +CVE-2021-1138 +CVE-2021-1139 +CVE-2021-1140 +CVE-2021-1141 +CVE-2021-1142 +CVE-2021-1143 +CVE-2021-1144 +CVE-2021-1145 +CVE-2021-1146 +CVE-2021-1147 +CVE-2021-1148 +CVE-2021-1149 +CVE-2021-1150 +CVE-2021-1151 +CVE-2021-1152 +CVE-2021-1153 +CVE-2021-1154 +CVE-2021-1155 +CVE-2021-1156 +CVE-2021-1157 +CVE-2021-1158 +CVE-2021-1159 +CVE-2021-1160 +CVE-2021-1161 +CVE-2021-1162 +CVE-2021-1163 +CVE-2021-1164 +CVE-2021-1165 +CVE-2021-1166 +CVE-2021-1167 +CVE-2021-1168 +CVE-2021-1169 +CVE-2021-1170 +CVE-2021-1171 +CVE-2021-1172 +CVE-2021-1173 +CVE-2021-1174 +CVE-2021-1175 +CVE-2021-1176 +CVE-2021-1177 +CVE-2021-1178 +CVE-2021-1179 +CVE-2021-1180 +CVE-2021-1181 +CVE-2021-1182 +CVE-2021-1183 +CVE-2021-1184 +CVE-2021-1185 +CVE-2021-1186 +CVE-2021-1187 +CVE-2021-1188 +CVE-2021-1189 +CVE-2021-1190 +CVE-2021-1191 +CVE-2021-1192 +CVE-2021-1193 +CVE-2021-1194 +CVE-2021-1195 +CVE-2021-1196 +CVE-2021-1197 +CVE-2021-1198 +CVE-2021-1199 +CVE-2021-1200 +CVE-2021-1201 +CVE-2021-1202 +CVE-2021-1203 +CVE-2021-1204 +CVE-2021-1205 +CVE-2021-1206 +CVE-2021-1207 +CVE-2021-1208 +CVE-2021-1209 +CVE-2021-1210 +CVE-2021-1211 +CVE-2021-1212 +CVE-2021-1213 +CVE-2021-1214 +CVE-2021-1215 +CVE-2021-1216 +CVE-2021-1217 +CVE-2021-1218 +CVE-2021-1219 +CVE-2021-1220 +CVE-2021-1221 +CVE-2021-1222 +CVE-2021-1223 +CVE-2021-1224 +CVE-2021-1225 +CVE-2021-1226 +CVE-2021-1227 +CVE-2021-1228 +CVE-2021-1229 +CVE-2021-1230 +CVE-2021-1231 +CVE-2021-1233 +CVE-2021-1235 +CVE-2021-1236 +CVE-2021-1237 +CVE-2021-1238 +CVE-2021-1239 +CVE-2021-1240 +CVE-2021-1241 +CVE-2021-1242 +CVE-2021-1243 +CVE-2021-1244 +CVE-2021-1245 +CVE-2021-1246 +CVE-2021-1247 +CVE-2021-1248 +CVE-2021-1249 +CVE-2021-1250 +CVE-2021-1251 +CVE-2021-1253 +CVE-2021-1254 +CVE-2021-1255 +CVE-2021-1256 +CVE-2021-1257 +CVE-2021-1258 +CVE-2021-1259 +CVE-2021-1260 +CVE-2021-1261 +CVE-2021-1262 +CVE-2021-1263 +CVE-2021-1264 +CVE-2021-1265 +CVE-2021-1266 +CVE-2021-1267 +CVE-2021-1268 +CVE-2021-1269 +CVE-2021-1270 +CVE-2021-1271 +CVE-2021-1272 +CVE-2021-1273 +CVE-2021-1274 +CVE-2021-1275 +CVE-2021-1276 +CVE-2021-1277 +CVE-2021-1278 +CVE-2021-1279 +CVE-2021-1280 +CVE-2021-1281 +CVE-2021-1282 +CVE-2021-1283 +CVE-2021-1284 +CVE-2021-1286 +CVE-2021-1287 +CVE-2021-1288 +CVE-2021-1289 +CVE-2021-1290 +CVE-2021-1291 +CVE-2021-1292 +CVE-2021-1293 +CVE-2021-1294 +CVE-2021-1295 +CVE-2021-1296 +CVE-2021-1297 +CVE-2021-1298 +CVE-2021-1299 +CVE-2021-1300 +CVE-2021-1301 +CVE-2021-1302 +CVE-2021-1303 +CVE-2021-1304 +CVE-2021-1305 +CVE-2021-1306 +CVE-2021-1307 +CVE-2021-1308 +CVE-2021-1309 +CVE-2021-1310 +CVE-2021-1311 +CVE-2021-1312 +CVE-2021-1313 +CVE-2021-1314 +CVE-2021-1315 +CVE-2021-1316 +CVE-2021-1317 +CVE-2021-1318 +CVE-2021-1319 +CVE-2021-1320 +CVE-2021-1321 +CVE-2021-1322 +CVE-2021-1323 +CVE-2021-1324 +CVE-2021-1325 +CVE-2021-1326 +CVE-2021-1327 +CVE-2021-1328 +CVE-2021-1329 +CVE-2021-1330 +CVE-2021-1331 +CVE-2021-1332 +CVE-2021-1333 +CVE-2021-1334 +CVE-2021-1335 +CVE-2021-1336 +CVE-2021-1337 +CVE-2021-1338 +CVE-2021-1339 +CVE-2021-1340 +CVE-2021-1341 +CVE-2021-1342 +CVE-2021-1343 +CVE-2021-1344 +CVE-2021-1345 +CVE-2021-1346 +CVE-2021-1347 +CVE-2021-1348 +CVE-2021-1349 +CVE-2021-1350 +CVE-2021-1351 +CVE-2021-1352 +CVE-2021-1353 +CVE-2021-1354 +CVE-2021-1355 +CVE-2021-1356 +CVE-2021-1357 +CVE-2021-1358 +CVE-2021-1359 +CVE-2021-1360 +CVE-2021-1361 +CVE-2021-1362 +CVE-2021-1363 +CVE-2021-1364 +CVE-2021-1365 +CVE-2021-1366 +CVE-2021-1367 +CVE-2021-1368 +CVE-2021-1369 +CVE-2021-1370 +CVE-2021-1371 +CVE-2021-1372 +CVE-2021-1373 +CVE-2021-1374 +CVE-2021-1375 +CVE-2021-1376 +CVE-2021-1377 +CVE-2021-1378 +CVE-2021-1380 +CVE-2021-1381 +CVE-2021-1382 +CVE-2021-1383 +CVE-2021-1384 +CVE-2021-1385 +CVE-2021-1386 +CVE-2021-1387 +CVE-2021-1388 +CVE-2021-1389 +CVE-2021-1390 +CVE-2021-1391 +CVE-2021-1392 +CVE-2021-1393 +CVE-2021-1394 +CVE-2021-1395 +CVE-2021-1396 +CVE-2021-1397 +CVE-2021-1398 +CVE-2021-1399 +CVE-2021-1400 +CVE-2021-1401 +CVE-2021-1402 +CVE-2021-1403 +CVE-2021-1406 +CVE-2021-1407 +CVE-2021-1408 +CVE-2021-1409 +CVE-2021-1411 +CVE-2021-1412 +CVE-2021-1413 +CVE-2021-1414 +CVE-2021-1415 +CVE-2021-1416 +CVE-2021-1417 +CVE-2021-1418 +CVE-2021-1419 +CVE-2021-1420 +CVE-2021-1421 +CVE-2021-1422 +CVE-2021-1423 +CVE-2021-1426 +CVE-2021-1427 +CVE-2021-1428 +CVE-2021-1429 +CVE-2021-1430 +CVE-2021-1431 +CVE-2021-1432 +CVE-2021-1433 +CVE-2021-1434 +CVE-2021-1435 +CVE-2021-1436 +CVE-2021-1437 +CVE-2021-1438 +CVE-2021-1439 +CVE-2021-1441 +CVE-2021-1442 +CVE-2021-1443 +CVE-2021-1445 +CVE-2021-1446 +CVE-2021-1447 +CVE-2021-1448 +CVE-2021-1449 +CVE-2021-1450 +CVE-2021-1451 +CVE-2021-1452 +CVE-2021-1453 +CVE-2021-1454 +CVE-2021-1455 +CVE-2021-1456 +CVE-2021-1457 +CVE-2021-1458 +CVE-2021-1459 +CVE-2021-1460 +CVE-2021-1463 +CVE-2021-1467 +CVE-2021-1468 +CVE-2021-1469 +CVE-2021-1471 +CVE-2021-1472 +CVE-2021-1473 +CVE-2021-1474 +CVE-2021-1475 +CVE-2021-1476 +CVE-2021-1477 +CVE-2021-1478 +CVE-2021-1479 +CVE-2021-1480 +CVE-2021-1485 +CVE-2021-1486 +CVE-2021-1487 +CVE-2021-1488 +CVE-2021-1489 +CVE-2021-1490 +CVE-2021-1493 +CVE-2021-1495 +CVE-2021-1496 +CVE-2021-1497 +CVE-2021-1498 +CVE-2021-1499 +CVE-2021-1501 +CVE-2021-1502 +CVE-2021-1503 +CVE-2021-1504 +CVE-2021-1505 +CVE-2021-1506 +CVE-2021-1507 +CVE-2021-1508 +CVE-2021-1509 +CVE-2021-1510 +CVE-2021-1511 +CVE-2021-1512 +CVE-2021-1513 +CVE-2021-1514 +CVE-2021-1515 +CVE-2021-1516 +CVE-2021-1517 +CVE-2021-1518 +CVE-2021-1519 +CVE-2021-1520 +CVE-2021-1521 +CVE-2021-1522 +CVE-2021-1523 +CVE-2021-1524 +CVE-2021-1525 +CVE-2021-1526 +CVE-2021-1527 +CVE-2021-1528 +CVE-2021-1529 +CVE-2021-1530 +CVE-2021-1531 +CVE-2021-1532 +CVE-2021-1534 +CVE-2021-1535 +CVE-2021-1536 +CVE-2021-1537 +CVE-2021-1538 +CVE-2021-1539 +CVE-2021-1540 +CVE-2021-1541 +CVE-2021-1542 +CVE-2021-1543 +CVE-2021-1544 +CVE-2021-1546 +CVE-2021-1547 +CVE-2021-1548 +CVE-2021-1549 +CVE-2021-1550 +CVE-2021-1551 +CVE-2021-1552 +CVE-2021-1553 +CVE-2021-1554 +CVE-2021-1555 +CVE-2021-1557 +CVE-2021-1558 +CVE-2021-1559 +CVE-2021-1560 +CVE-2021-1561 +CVE-2021-1562 +CVE-2021-1563 +CVE-2021-1564 +CVE-2021-1565 +CVE-2021-1566 +CVE-2021-1567 +CVE-2021-1568 +CVE-2021-1569 +CVE-2021-1570 +CVE-2021-1571 +CVE-2021-1572 +CVE-2021-1574 +CVE-2021-1575 +CVE-2021-1576 +CVE-2021-1577 +CVE-2021-1578 +CVE-2021-1579 +CVE-2021-1580 +CVE-2021-1581 +CVE-2021-1582 +CVE-2021-1583 +CVE-2021-1584 +CVE-2021-1585 +CVE-2021-1586 +CVE-2021-1587 +CVE-2021-1588 +CVE-2021-1589 +CVE-2021-1590 +CVE-2021-1591 +CVE-2021-1592 +CVE-2021-1593 +CVE-2021-1594 +CVE-2021-1595 +CVE-2021-1596 +CVE-2021-1597 +CVE-2021-1598 +CVE-2021-1599 +CVE-2021-1600 +CVE-2021-1601 +CVE-2021-1602 +CVE-2021-1603 +CVE-2021-1604 +CVE-2021-1605 +CVE-2021-1606 +CVE-2021-1607 +CVE-2021-1609 +CVE-2021-1610 +CVE-2021-1611 +CVE-2021-1612 +CVE-2021-1614 +CVE-2021-1615 +CVE-2021-1616 +CVE-2021-1617 +CVE-2021-1618 +CVE-2021-1619 +CVE-2021-1620 +CVE-2021-1621 +CVE-2021-1622 +CVE-2021-1623 +CVE-2021-1624 +CVE-2021-1625 +CVE-2021-1639 +CVE-2021-1643 +CVE-2021-1644 +CVE-2021-1663 +CVE-2021-1670 +CVE-2021-1677 +CVE-2021-1691 +CVE-2021-1703 +CVE-2021-1705 +CVE-2021-1724 +CVE-2021-1725 +CVE-2021-1728 +CVE-2021-1730 +CVE-2021-1733 +CVE-2021-20441 +CVE-2021-20442 +CVE-2021-21494 +CVE-2021-21495 +CVE-2021-22144 +CVE-2021-22145 +CVE-2021-22146 +CVE-2021-22152 +CVE-2021-22153 +CVE-2021-22154 +CVE-2021-22155 +CVE-2021-22157 +CVE-2021-22158 +CVE-2021-22159 +CVE-2021-22161 +CVE-2021-22267 +CVE-2021-22492 +CVE-2021-22494 +CVE-2021-22495 +CVE-2021-22543 +CVE-2021-23018 +CVE-2021-23239 +CVE-2021-23240 +CVE-2021-23241 +CVE-2021-23242 +CVE-2021-23270 +CVE-2021-23827 +CVE-2021-23835 +CVE-2021-23836 +CVE-2021-23837 +CVE-2021-23838 +CVE-2021-23899 +CVE-2021-23900 +CVE-2021-23906 +CVE-2021-23907 +CVE-2021-23908 +CVE-2021-23909 +CVE-2021-23910 +CVE-2021-23921 +CVE-2021-23922 +CVE-2021-23923 +CVE-2021-23924 +CVE-2021-23925 +CVE-2021-23927 +CVE-2021-23928 +CVE-2021-23929 +CVE-2021-23930 +CVE-2021-23931 +CVE-2021-23932 +CVE-2021-23933 +CVE-2021-23934 +CVE-2021-23935 +CVE-2021-23936 +CVE-2021-24075 +CVE-2021-24085 +CVE-2021-24087 +CVE-2021-24089 +CVE-2021-24090 +CVE-2021-24100 +CVE-2021-24105 +CVE-2021-24109 +CVE-2021-24110 +CVE-2021-24113 +CVE-2021-24114 +CVE-2021-24115 +CVE-2021-24116 +CVE-2021-24117 +CVE-2021-24119 +CVE-2021-25173 +CVE-2021-25174 +CVE-2021-25175 +CVE-2021-25176 +CVE-2021-25177 +CVE-2021-25178 +CVE-2021-25179 +CVE-2021-25197 +CVE-2021-25200 +CVE-2021-25201 +CVE-2021-25202 +CVE-2021-25203 +CVE-2021-25204 +CVE-2021-25205 +CVE-2021-25206 +CVE-2021-25207 +CVE-2021-25208 +CVE-2021-25209 +CVE-2021-25210 +CVE-2021-25211 +CVE-2021-25212 +CVE-2021-25213 +CVE-2021-25274 +CVE-2021-25275 +CVE-2021-25276 +CVE-2021-25277 +CVE-2021-25278 +CVE-2021-25281 +CVE-2021-25282 +CVE-2021-25283 +CVE-2021-25284 +CVE-2021-25287 +CVE-2021-25288 +CVE-2021-25289 +CVE-2021-25290 +CVE-2021-25291 +CVE-2021-25292 +CVE-2021-25293 +CVE-2021-25294 +CVE-2021-25295 +CVE-2021-25296 +CVE-2021-25297 +CVE-2021-25298 +CVE-2021-25299 +CVE-2021-25306 +CVE-2021-25309 +CVE-2021-25310 +CVE-2021-25311 +CVE-2021-25312 +CVE-2021-25323 +CVE-2021-25324 +CVE-2021-25325 +CVE-2021-25326 +CVE-2021-25327 +CVE-2021-25328 +CVE-2021-25643 +CVE-2021-25644 +CVE-2021-25645 +CVE-2021-25647 +CVE-2021-25648 +CVE-2021-25679 +CVE-2021-25680 +CVE-2021-25681 +CVE-2021-25693 +CVE-2021-25694 +CVE-2021-25755 +CVE-2021-25756 +CVE-2021-25757 +CVE-2021-25758 +CVE-2021-25759 +CVE-2021-25760 +CVE-2021-25761 +CVE-2021-25762 +CVE-2021-25763 +CVE-2021-25764 +CVE-2021-25765 +CVE-2021-25766 +CVE-2021-25767 +CVE-2021-25768 +CVE-2021-25769 +CVE-2021-25770 +CVE-2021-25771 +CVE-2021-25772 +CVE-2021-25773 +CVE-2021-25774 +CVE-2021-25775 +CVE-2021-25776 +CVE-2021-25777 +CVE-2021-25778 +CVE-2021-25779 +CVE-2021-25780 +CVE-2021-25790 +CVE-2021-25791 +CVE-2021-25801 +CVE-2021-25802 +CVE-2021-25803 +CVE-2021-25804 +CVE-2021-25808 +CVE-2021-25809 +CVE-2021-25810 +CVE-2021-25811 +CVE-2021-25812 +CVE-2021-25829 +CVE-2021-25830 +CVE-2021-25831 +CVE-2021-25832 +CVE-2021-25833 +CVE-2021-25834 +CVE-2021-25835 +CVE-2021-25836 +CVE-2021-25837 +CVE-2021-25838 +CVE-2021-25839 +CVE-2021-25845 +CVE-2021-25846 +CVE-2021-25847 +CVE-2021-25848 +CVE-2021-25849 +CVE-2021-25863 +CVE-2021-25864 +CVE-2021-25893 +CVE-2021-25894 +CVE-2021-25898 +CVE-2021-25899 +CVE-2021-25900 +CVE-2021-25901 +CVE-2021-25902 +CVE-2021-25903 +CVE-2021-25904 +CVE-2021-25905 +CVE-2021-25906 +CVE-2021-25907 +CVE-2021-25908 +CVE-2021-26023 +CVE-2021-26024 +CVE-2021-26025 +CVE-2021-26026 +CVE-2021-26119 +CVE-2021-26120 +CVE-2021-26122 +CVE-2021-26123 +CVE-2021-26194 +CVE-2021-26195 +CVE-2021-26197 +CVE-2021-26198 +CVE-2021-26199 +CVE-2021-26200 +CVE-2021-26201 +CVE-2021-26215 +CVE-2021-26216 +CVE-2021-26220 +CVE-2021-26221 +CVE-2021-26222 +CVE-2021-26223 +CVE-2021-26224 +CVE-2021-26226 +CVE-2021-26227 +CVE-2021-26228 +CVE-2021-26229 +CVE-2021-26230 +CVE-2021-26231 +CVE-2021-26232 +CVE-2021-26233 +CVE-2021-26234 +CVE-2021-26235 +CVE-2021-26236 +CVE-2021-26237 +CVE-2021-26266 +CVE-2021-26267 +CVE-2021-26271 +CVE-2021-26272 +CVE-2021-26273 +CVE-2021-26274 +CVE-2021-26275 +CVE-2021-26276 +CVE-2021-26293 +CVE-2021-26294 +CVE-2021-26303 +CVE-2021-26304 +CVE-2021-26305 +CVE-2021-26306 +CVE-2021-26307 +CVE-2021-26308 +CVE-2021-26309 +CVE-2021-26310 +CVE-2021-26421 +CVE-2021-26422 +CVE-2021-26428 +CVE-2021-26429 +CVE-2021-26430 +CVE-2021-26431 +CVE-2021-26434 +CVE-2021-26436 +CVE-2021-26437 +CVE-2021-26439 +CVE-2021-26444 +CVE-2021-26471 +CVE-2021-26472 +CVE-2021-26473 +CVE-2021-26474 +CVE-2021-26475 +CVE-2021-26476 +CVE-2021-26528 +CVE-2021-26529 +CVE-2021-26530 +CVE-2021-26539 +CVE-2021-26540 +CVE-2021-26541 +CVE-2021-26543 +CVE-2021-26549 +CVE-2021-26550 +CVE-2021-26551 +CVE-2021-26593 +CVE-2021-26594 +CVE-2021-26595 +CVE-2021-26596 +CVE-2021-26597 +CVE-2021-26675 +CVE-2021-26676 +CVE-2021-26687 +CVE-2021-26688 +CVE-2021-26689 +CVE-2021-26698 +CVE-2021-26699 +CVE-2021-26700 +CVE-2021-26702 +CVE-2021-26703 +CVE-2021-26704 +CVE-2021-26705 +CVE-2021-26707 +CVE-2021-26708 +CVE-2021-26709 +CVE-2021-26710 +CVE-2021-26711 +CVE-2021-26712 +CVE-2021-26713 +CVE-2021-26714 +CVE-2021-26715 +CVE-2021-26716 +CVE-2021-26717 +CVE-2021-26719 +CVE-2021-26720 +CVE-2021-26722 +CVE-2021-26723 +CVE-2021-26746 +CVE-2021-26747 +CVE-2021-26750 +CVE-2021-26751 +CVE-2021-26752 +CVE-2021-26753 +CVE-2021-26754 +CVE-2021-26758 +CVE-2021-26762 +CVE-2021-26764 +CVE-2021-26765 +CVE-2021-26776 +CVE-2021-26788 +CVE-2021-26794 +CVE-2021-26795 +CVE-2021-26797 +CVE-2021-26799 +CVE-2021-26804 +CVE-2021-26805 +CVE-2021-26807 +CVE-2021-26809 +CVE-2021-26810 +CVE-2021-26812 +CVE-2021-26813 +CVE-2021-26814 +CVE-2021-26822 +CVE-2021-26824 +CVE-2021-26825 +CVE-2021-26826 +CVE-2021-26827 +CVE-2021-26828 +CVE-2021-26829 +CVE-2021-26830 +CVE-2021-26832 +CVE-2021-26833 +CVE-2021-26834 +CVE-2021-26835 +CVE-2021-26843 +CVE-2021-26845 +CVE-2021-26859 +CVE-2021-26867 +CVE-2021-26900 +CVE-2021-26902 +CVE-2021-26903 +CVE-2021-26904 +CVE-2021-26905 +CVE-2021-26906 +CVE-2021-26910 +CVE-2021-26911 +CVE-2021-26912 +CVE-2021-26913 +CVE-2021-26914 +CVE-2021-26915 +CVE-2021-26916 +CVE-2021-26917 +CVE-2021-26918 +CVE-2021-26921 +CVE-2021-26923 +CVE-2021-26924 +CVE-2021-26925 +CVE-2021-26928 +CVE-2021-26929 +CVE-2021-26930 +CVE-2021-26931 +CVE-2021-26932 +CVE-2021-26933 +CVE-2021-26934 +CVE-2021-26935 +CVE-2021-26936 +CVE-2021-26937 +CVE-2021-26938 +CVE-2021-26939 +CVE-2021-26943 +CVE-2021-26951 +CVE-2021-26952 +CVE-2021-26953 +CVE-2021-26954 +CVE-2021-26955 +CVE-2021-26956 +CVE-2021-26957 +CVE-2021-26958 +CVE-2021-27047 +CVE-2021-27048 +CVE-2021-27049 +CVE-2021-27050 +CVE-2021-27051 +CVE-2021-27058 +CVE-2021-27060 +CVE-2021-27061 +CVE-2021-27062 +CVE-2021-27064 +CVE-2021-27066 +CVE-2021-27068 +CVE-2021-27070 +CVE-2021-27074 +CVE-2021-27075 +CVE-2021-27080 +CVE-2021-27081 +CVE-2021-27082 +CVE-2021-27083 +CVE-2021-27084 +CVE-2021-27090 +CVE-2021-27097 +CVE-2021-27098 +CVE-2021-27099 +CVE-2021-27101 +CVE-2021-27102 +CVE-2021-27103 +CVE-2021-27104 +CVE-2021-27112 +CVE-2021-27113 +CVE-2021-27114 +CVE-2021-27124 +CVE-2021-27129 +CVE-2021-27130 +CVE-2021-27132 +CVE-2021-27135 +CVE-2021-27138 +CVE-2021-27139 +CVE-2021-27140 +CVE-2021-27141 +CVE-2021-27142 +CVE-2021-27143 +CVE-2021-27144 +CVE-2021-27145 +CVE-2021-27146 +CVE-2021-27147 +CVE-2021-27148 +CVE-2021-27149 +CVE-2021-27150 +CVE-2021-27151 +CVE-2021-27152 +CVE-2021-27153 +CVE-2021-27154 +CVE-2021-27155 +CVE-2021-27156 +CVE-2021-27157 +CVE-2021-27158 +CVE-2021-27159 +CVE-2021-27160 +CVE-2021-27161 +CVE-2021-27162 +CVE-2021-27163 +CVE-2021-27164 +CVE-2021-27165 +CVE-2021-27166 +CVE-2021-27167 +CVE-2021-27168 +CVE-2021-27169 +CVE-2021-27170 +CVE-2021-27171 +CVE-2021-27172 +CVE-2021-27173 +CVE-2021-27174 +CVE-2021-27175 +CVE-2021-27176 +CVE-2021-27177 +CVE-2021-27178 +CVE-2021-27179 +CVE-2021-27180 +CVE-2021-27181 +CVE-2021-27182 +CVE-2021-27183 +CVE-2021-27184 +CVE-2021-27185 +CVE-2021-27186 +CVE-2021-27187 +CVE-2021-27188 +CVE-2021-27189 +CVE-2021-27190 +CVE-2021-27191 +CVE-2021-27192 +CVE-2021-27193 +CVE-2021-27194 +CVE-2021-27195 +CVE-2021-27196 +CVE-2021-27197 +CVE-2021-27198 +CVE-2021-27200 +CVE-2021-27201 +CVE-2021-27203 +CVE-2021-27204 +CVE-2021-27205 +CVE-2021-27208 +CVE-2021-27209 +CVE-2021-27210 +CVE-2021-27211 +CVE-2021-27212 +CVE-2021-27213 +CVE-2021-27214 +CVE-2021-27215 +CVE-2021-27216 +CVE-2021-27217 +CVE-2021-27218 +CVE-2021-27219 +CVE-2021-27220 +CVE-2021-27221 +CVE-2021-27222 +CVE-2021-27224 +CVE-2021-27225 +CVE-2021-27228 +CVE-2021-27229 +CVE-2021-27230 +CVE-2021-27231 +CVE-2021-27232 +CVE-2021-27233 +CVE-2021-27234 +CVE-2021-27235 +CVE-2021-27236 +CVE-2021-27237 +CVE-2021-27279 +CVE-2021-27288 +CVE-2021-27290 +CVE-2021-27291 +CVE-2021-27292 +CVE-2021-27293 +CVE-2021-27306 +CVE-2021-27308 +CVE-2021-27309 +CVE-2021-27310 +CVE-2021-27314 +CVE-2021-27315 +CVE-2021-27316 +CVE-2021-27317 +CVE-2021-27318 +CVE-2021-27319 +CVE-2021-27320 +CVE-2021-27328 +CVE-2021-27329 +CVE-2021-27330 +CVE-2021-27332 +CVE-2021-27335 +CVE-2021-27338 +CVE-2021-27340 +CVE-2021-27341 +CVE-2021-27342 +CVE-2021-27343 +CVE-2021-27345 +CVE-2021-27347 +CVE-2021-27349 +CVE-2021-27351 +CVE-2021-27352 +CVE-2021-27357 +CVE-2021-27358 +CVE-2021-27362 +CVE-2021-27363 +CVE-2021-27364 +CVE-2021-27365 +CVE-2021-27367 +CVE-2021-27368 +CVE-2021-27369 +CVE-2021-27370 +CVE-2021-27371 +CVE-2021-27372 +CVE-2021-27374 +CVE-2021-27375 +CVE-2021-27376 +CVE-2021-27377 +CVE-2021-27378 +CVE-2021-27379 +CVE-2021-27400 +CVE-2021-27401 +CVE-2021-27402 +CVE-2021-27403 +CVE-2021-27404 +CVE-2021-27405 +CVE-2021-27506 +CVE-2021-27509 +CVE-2021-27513 +CVE-2021-27514 +CVE-2021-27515 +CVE-2021-27516 +CVE-2021-27517 +CVE-2021-27519 +CVE-2021-27520 +CVE-2021-27522 +CVE-2021-27526 +CVE-2021-27527 +CVE-2021-27528 +CVE-2021-27529 +CVE-2021-27530 +CVE-2021-27531 +CVE-2021-27544 +CVE-2021-27545 +CVE-2021-27549 +CVE-2021-27550 +CVE-2021-27556 +CVE-2021-27557 +CVE-2021-27558 +CVE-2021-27559 +CVE-2021-27561 +CVE-2021-27562 +CVE-2021-27564 +CVE-2021-27565 +CVE-2021-27568 +CVE-2021-27569 +CVE-2021-27570 +CVE-2021-27571 +CVE-2021-27572 +CVE-2021-27573 +CVE-2021-27574 +CVE-2021-27579 +CVE-2021-27581 +CVE-2021-27582 +CVE-2021-27583 +CVE-2021-27645 +CVE-2021-27668 +CVE-2021-27670 +CVE-2021-27671 +CVE-2021-27672 +CVE-2021-27673 +CVE-2021-27676 +CVE-2021-27677 +CVE-2021-27678 +CVE-2021-27679 +CVE-2021-27691 +CVE-2021-27692 +CVE-2021-27695 +CVE-2021-27697 +CVE-2021-27698 +CVE-2021-27705 +CVE-2021-27706 +CVE-2021-27707 +CVE-2021-27708 +CVE-2021-27710 +CVE-2021-27730 +CVE-2021-27731 +CVE-2021-27733 +CVE-2021-27734 +CVE-2021-27736 +CVE-2021-27741 +CVE-2021-27746 +CVE-2021-27799 +CVE-2021-27803 +CVE-2021-27804 +CVE-2021-27811 +CVE-2021-27815 +CVE-2021-27817 +CVE-2021-27821 +CVE-2021-27822 +CVE-2021-27823 +CVE-2021-27828 +CVE-2021-27839 +CVE-2021-27845 +CVE-2021-27847 +CVE-2021-27876 +CVE-2021-27877 +CVE-2021-27878 +CVE-2021-27884 +CVE-2021-27885 +CVE-2021-27886 +CVE-2021-27887 +CVE-2021-27888 +CVE-2021-27889 +CVE-2021-27890 +CVE-2021-27891 +CVE-2021-27892 +CVE-2021-27893 +CVE-2021-27899 +CVE-2021-27900 +CVE-2021-27901 +CVE-2021-27902 +CVE-2021-27903 +CVE-2021-27904 +CVE-2021-27918 +CVE-2021-27919 +CVE-2021-27921 +CVE-2021-27922 +CVE-2021-27923 +CVE-2021-27924 +CVE-2021-27925 +CVE-2021-27927 +CVE-2021-27928 +CVE-2021-27930 +CVE-2021-27931 +CVE-2021-27933 +CVE-2021-27935 +CVE-2021-27938 +CVE-2021-27940 +CVE-2021-27941 +CVE-2021-27942 +CVE-2021-27943 +CVE-2021-27944 +CVE-2021-27945 +CVE-2021-27946 +CVE-2021-27947 +CVE-2021-27948 +CVE-2021-27949 +CVE-2021-27950 +CVE-2021-27952 +CVE-2021-27953 +CVE-2021-27954 +CVE-2021-27956 +CVE-2021-27962 +CVE-2021-27963 +CVE-2021-27964 +CVE-2021-27965 +CVE-2021-27969 +CVE-2021-27973 +CVE-2021-27989 +CVE-2021-27990 +CVE-2021-27999 +CVE-2021-28000 +CVE-2021-28001 +CVE-2021-28002 +CVE-2021-28006 +CVE-2021-28007 +CVE-2021-28021 +CVE-2021-28026 +CVE-2021-28027 +CVE-2021-28028 +CVE-2021-28029 +CVE-2021-28030 +CVE-2021-28031 +CVE-2021-28032 +CVE-2021-28033 +CVE-2021-28034 +CVE-2021-28035 +CVE-2021-28036 +CVE-2021-28037 +CVE-2021-28038 +CVE-2021-28039 +CVE-2021-28040 +CVE-2021-28041 +CVE-2021-28042 +CVE-2021-28047 +CVE-2021-28048 +CVE-2021-28053 +CVE-2021-28054 +CVE-2021-28055 +CVE-2021-28060 +CVE-2021-28070 +CVE-2021-28075 +CVE-2021-28079 +CVE-2021-28088 +CVE-2021-28089 +CVE-2021-28090 +CVE-2021-28091 +CVE-2021-28092 +CVE-2021-28093 +CVE-2021-28094 +CVE-2021-28095 +CVE-2021-28098 +CVE-2021-28109 +CVE-2021-28110 +CVE-2021-28111 +CVE-2021-28112 +CVE-2021-28113 +CVE-2021-28114 +CVE-2021-28115 +CVE-2021-28116 +CVE-2021-28117 +CVE-2021-28119 +CVE-2021-28121 +CVE-2021-28122 +CVE-2021-28123 +CVE-2021-28124 +CVE-2021-28126 +CVE-2021-28127 +CVE-2021-28128 +CVE-2021-28130 +CVE-2021-28132 +CVE-2021-28133 +CVE-2021-28134 +CVE-2021-28135 +CVE-2021-28136 +CVE-2021-28139 +CVE-2021-28141 +CVE-2021-28142 +CVE-2021-28143 +CVE-2021-28144 +CVE-2021-28145 +CVE-2021-28146 +CVE-2021-28147 +CVE-2021-28148 +CVE-2021-28149 +CVE-2021-28150 +CVE-2021-28151 +CVE-2021-28152 +CVE-2021-28153 +CVE-2021-28154 +CVE-2021-28155 +CVE-2021-28156 +CVE-2021-28157 +CVE-2021-28160 +CVE-2021-28233 +CVE-2021-28242 +CVE-2021-28245 +CVE-2021-28246 +CVE-2021-28247 +CVE-2021-28248 +CVE-2021-28249 +CVE-2021-28250 +CVE-2021-28269 +CVE-2021-28271 +CVE-2021-28280 +CVE-2021-28293 +CVE-2021-28294 +CVE-2021-28295 +CVE-2021-28300 +CVE-2021-28302 +CVE-2021-28305 +CVE-2021-28306 +CVE-2021-28307 +CVE-2021-28308 +CVE-2021-28324 +CVE-2021-28361 +CVE-2021-28362 +CVE-2021-28363 +CVE-2021-28372 +CVE-2021-28373 +CVE-2021-28374 +CVE-2021-28375 +CVE-2021-28378 +CVE-2021-28379 +CVE-2021-28380 +CVE-2021-28381 +CVE-2021-28382 +CVE-2021-28399 +CVE-2021-28417 +CVE-2021-28418 +CVE-2021-28419 +CVE-2021-28420 +CVE-2021-28423 +CVE-2021-28424 +CVE-2021-28448 +CVE-2021-28457 +CVE-2021-28458 +CVE-2021-28459 +CVE-2021-28460 +CVE-2021-28461 +CVE-2021-28464 +CVE-2021-28465 +CVE-2021-28466 +CVE-2021-28468 +CVE-2021-28469 +CVE-2021-28470 +CVE-2021-28471 +CVE-2021-28472 +CVE-2021-28473 +CVE-2021-28475 +CVE-2021-28477 +CVE-2021-28484 +CVE-2021-28490 +CVE-2021-28492 +CVE-2021-28543 +CVE-2021-28650 +CVE-2021-28651 +CVE-2021-28652 +CVE-2021-28653 +CVE-2021-28658 +CVE-2021-28660 +CVE-2021-28661 +CVE-2021-28662 +CVE-2021-28663 +CVE-2021-28664 +CVE-2021-28665 +CVE-2021-28667 +CVE-2021-28668 +CVE-2021-28669 +CVE-2021-28670 +CVE-2021-28671 +CVE-2021-28672 +CVE-2021-28673 +CVE-2021-28674 +CVE-2021-28675 +CVE-2021-28676 +CVE-2021-28677 +CVE-2021-28678 +CVE-2021-28681 +CVE-2021-28682 +CVE-2021-28683 +CVE-2021-28684 +CVE-2021-28685 +CVE-2021-28686 +CVE-2021-28789 +CVE-2021-28790 +CVE-2021-28791 +CVE-2021-28792 +CVE-2021-28793 +CVE-2021-28794 +CVE-2021-28796 +CVE-2021-28831 +CVE-2021-28832 +CVE-2021-28833 +CVE-2021-28834 +CVE-2021-28838 +CVE-2021-28839 +CVE-2021-28840 +CVE-2021-28841 +CVE-2021-28842 +CVE-2021-28843 +CVE-2021-28844 +CVE-2021-28845 +CVE-2021-28846 +CVE-2021-28847 +CVE-2021-28848 +CVE-2021-28855 +CVE-2021-28856 +CVE-2021-28857 +CVE-2021-28858 +CVE-2021-28860 +CVE-2021-28874 +CVE-2021-28875 +CVE-2021-28876 +CVE-2021-28877 +CVE-2021-28878 +CVE-2021-28879 +CVE-2021-28890 +CVE-2021-28899 +CVE-2021-28901 +CVE-2021-28902 +CVE-2021-28903 +CVE-2021-28904 +CVE-2021-28905 +CVE-2021-28906 +CVE-2021-28909 +CVE-2021-28910 +CVE-2021-28911 +CVE-2021-28912 +CVE-2021-28913 +CVE-2021-28914 +CVE-2021-28918 +CVE-2021-28924 +CVE-2021-28925 +CVE-2021-28927 +CVE-2021-28931 +CVE-2021-28935 +CVE-2021-28936 +CVE-2021-28937 +CVE-2021-28938 +CVE-2021-28940 +CVE-2021-28941 +CVE-2021-28950 +CVE-2021-28951 +CVE-2021-28952 +CVE-2021-28953 +CVE-2021-28954 +CVE-2021-28955 +CVE-2021-28956 +CVE-2021-28957 +CVE-2021-28958 +CVE-2021-28959 +CVE-2021-28960 +CVE-2021-28961 +CVE-2021-28963 +CVE-2021-28964 +CVE-2021-28965 +CVE-2021-28966 +CVE-2021-28967 +CVE-2021-28968 +CVE-2021-28969 +CVE-2021-28970 +CVE-2021-28971 +CVE-2021-28972 +CVE-2021-28973 +CVE-2021-28975 +CVE-2021-28976 +CVE-2021-28977 +CVE-2021-28979 +CVE-2021-28993 +CVE-2021-28994 +CVE-2021-29002 +CVE-2021-29003 +CVE-2021-29004 +CVE-2021-29005 +CVE-2021-29006 +CVE-2021-29008 +CVE-2021-29009 +CVE-2021-29010 +CVE-2021-29011 +CVE-2021-29012 +CVE-2021-29022 +CVE-2021-29023 +CVE-2021-29024 +CVE-2021-29025 +CVE-2021-29026 +CVE-2021-29027 +CVE-2021-29028 +CVE-2021-29029 +CVE-2021-29030 +CVE-2021-29031 +CVE-2021-29032 +CVE-2021-29033 +CVE-2021-29039 +CVE-2021-29040 +CVE-2021-29041 +CVE-2021-29043 +CVE-2021-29044 +CVE-2021-29045 +CVE-2021-29046 +CVE-2021-29047 +CVE-2021-29048 +CVE-2021-29049 +CVE-2021-29051 +CVE-2021-29052 +CVE-2021-29053 +CVE-2021-29054 +CVE-2021-29056 +CVE-2021-29059 +CVE-2021-29060 +CVE-2021-29061 +CVE-2021-29063 +CVE-2021-29065 +CVE-2021-29066 +CVE-2021-29067 +CVE-2021-29068 +CVE-2021-29069 +CVE-2021-29070 +CVE-2021-29071 +CVE-2021-29072 +CVE-2021-29073 +CVE-2021-29074 +CVE-2021-29075 +CVE-2021-29076 +CVE-2021-29077 +CVE-2021-29078 +CVE-2021-29079 +CVE-2021-29080 +CVE-2021-29081 +CVE-2021-29082 +CVE-2021-29133 +CVE-2021-29136 +CVE-2021-29154 +CVE-2021-29155 +CVE-2021-29156 +CVE-2021-29157 +CVE-2021-29158 +CVE-2021-29159 +CVE-2021-29238 +CVE-2021-29239 +CVE-2021-29240 +CVE-2021-29241 +CVE-2021-29242 +CVE-2021-29245 +CVE-2021-29246 +CVE-2021-29247 +CVE-2021-29248 +CVE-2021-29249 +CVE-2021-29250 +CVE-2021-29251 +CVE-2021-29252 +CVE-2021-29253 +CVE-2021-29255 +CVE-2021-29256 +CVE-2021-29258 +CVE-2021-29261 +CVE-2021-29263 +CVE-2021-29264 +CVE-2021-29265 +CVE-2021-29266 +CVE-2021-29267 +CVE-2021-29271 +CVE-2021-29272 +CVE-2021-29274 +CVE-2021-29279 +CVE-2021-29280 +CVE-2021-29294 +CVE-2021-29295 +CVE-2021-29296 +CVE-2021-29297 +CVE-2021-29298 +CVE-2021-29300 +CVE-2021-29302 +CVE-2021-29313 +CVE-2021-29337 +CVE-2021-29338 +CVE-2021-29343 +CVE-2021-29349 +CVE-2021-29350 +CVE-2021-29357 +CVE-2021-29358 +CVE-2021-29360 +CVE-2021-29361 +CVE-2021-29362 +CVE-2021-29363 +CVE-2021-29364 +CVE-2021-29365 +CVE-2021-29366 +CVE-2021-29367 +CVE-2021-29369 +CVE-2021-29370 +CVE-2021-29376 +CVE-2021-29377 +CVE-2021-29379 +CVE-2021-29387 +CVE-2021-29388 +CVE-2021-29399 +CVE-2021-29400 +CVE-2021-29414 +CVE-2021-29415 +CVE-2021-29416 +CVE-2021-29417 +CVE-2021-29418 +CVE-2021-29421 +CVE-2021-29424 +CVE-2021-29641 +CVE-2021-29642 +CVE-2021-29643 +CVE-2021-29644 +CVE-2021-29645 +CVE-2021-29646 +CVE-2021-29647 +CVE-2021-29648 +CVE-2021-29649 +CVE-2021-29650 +CVE-2021-29651 +CVE-2021-29652 +CVE-2021-29653 +CVE-2021-29654 +CVE-2021-29657 +CVE-2021-29658 +CVE-2021-29659 +CVE-2021-29660 +CVE-2021-29661 +CVE-2021-29662 +CVE-2021-29663 +CVE-2021-29921 +CVE-2021-29922 +CVE-2021-29923 +CVE-2021-29929 +CVE-2021-29930 +CVE-2021-29931 +CVE-2021-29932 +CVE-2021-29933 +CVE-2021-29934 +CVE-2021-29935 +CVE-2021-29936 +CVE-2021-29937 +CVE-2021-29938 +CVE-2021-29939 +CVE-2021-29940 +CVE-2021-29941 +CVE-2021-29942 +CVE-2021-29995 +CVE-2021-29996 +CVE-2021-29997 +CVE-2021-29998 +CVE-2021-29999 +CVE-2021-30000 +CVE-2021-30002 +CVE-2021-30003 +CVE-2021-30004 +CVE-2021-30005 +CVE-2021-30006 +CVE-2021-30014 +CVE-2021-30015 +CVE-2021-30019 +CVE-2021-3002 +CVE-2021-30020 +CVE-2021-30022 +CVE-2021-30027 +CVE-2021-3003 +CVE-2021-30030 +CVE-2021-30034 +CVE-2021-30039 +CVE-2021-3004 +CVE-2021-30042 +CVE-2021-30044 +CVE-2021-30045 +CVE-2021-30046 +CVE-2021-30048 +CVE-2021-30049 +CVE-2021-3005 +CVE-2021-30055 +CVE-2021-30056 +CVE-2021-30057 +CVE-2021-30058 +CVE-2021-3006 +CVE-2021-3007 +CVE-2021-30072 +CVE-2021-30074 +CVE-2021-30081 +CVE-2021-30082 +CVE-2021-30083 +CVE-2021-30086 +CVE-2021-3010 +CVE-2021-30108 +CVE-2021-30109 +CVE-2021-3011 +CVE-2021-30110 +CVE-2021-30111 +CVE-2021-30112 +CVE-2021-30113 +CVE-2021-30114 +CVE-2021-30116 +CVE-2021-30117 +CVE-2021-30118 +CVE-2021-30119 +CVE-2021-3012 +CVE-2021-30120 +CVE-2021-30121 +CVE-2021-30123 +CVE-2021-30124 +CVE-2021-30125 +CVE-2021-30126 +CVE-2021-30127 +CVE-2021-3013 +CVE-2021-30130 +CVE-2021-30133 +CVE-2021-30137 +CVE-2021-30139 +CVE-2021-3014 +CVE-2021-30140 +CVE-2021-30141 +CVE-2021-30144 +CVE-2021-30145 +CVE-2021-30146 +CVE-2021-30147 +CVE-2021-30149 +CVE-2021-30150 +CVE-2021-30151 +CVE-2021-30152 +CVE-2021-30154 +CVE-2021-30155 +CVE-2021-30156 +CVE-2021-30157 +CVE-2021-30158 +CVE-2021-30159 +CVE-2021-30161 +CVE-2021-30162 +CVE-2021-30163 +CVE-2021-30164 +CVE-2021-3017 +CVE-2021-30175 +CVE-2021-30176 +CVE-2021-30177 +CVE-2021-30178 +CVE-2021-3018 +CVE-2021-30183 +CVE-2021-30184 +CVE-2021-30185 +CVE-2021-30186 +CVE-2021-30187 +CVE-2021-30188 +CVE-2021-30189 +CVE-2021-3019 +CVE-2021-30190 +CVE-2021-30191 +CVE-2021-30192 +CVE-2021-30193 +CVE-2021-30194 +CVE-2021-30195 +CVE-2021-30199 +CVE-2021-30201 +CVE-2021-30209 +CVE-2021-3021 +CVE-2021-30211 +CVE-2021-30212 +CVE-2021-30213 +CVE-2021-30214 +CVE-2021-30218 +CVE-2021-30219 +CVE-2021-3022 +CVE-2021-30224 +CVE-2021-30227 +CVE-2021-30228 +CVE-2021-30229 +CVE-2021-30230 +CVE-2021-30231 +CVE-2021-30232 +CVE-2021-30233 +CVE-2021-30234 +CVE-2021-3024 +CVE-2021-30246 +CVE-2021-3025 +CVE-2021-3026 +CVE-2021-3027 +CVE-2021-3028 +CVE-2021-3029 +CVE-2021-30454 +CVE-2021-30455 +CVE-2021-30456 +CVE-2021-30457 +CVE-2021-30458 +CVE-2021-30459 +CVE-2021-30461 +CVE-2021-30462 +CVE-2021-30463 +CVE-2021-30464 +CVE-2021-30465 +CVE-2021-30473 +CVE-2021-30474 +CVE-2021-30475 +CVE-2021-30476 +CVE-2021-30477 +CVE-2021-30478 +CVE-2021-30479 +CVE-2021-30480 +CVE-2021-30481 +CVE-2021-30482 +CVE-2021-30483 +CVE-2021-30485 +CVE-2021-30486 +CVE-2021-30487 +CVE-2021-30493 +CVE-2021-30494 +CVE-2021-30496 +CVE-2021-30502 +CVE-2021-30503 +CVE-2021-30504 +CVE-2021-30606 +CVE-2021-30607 +CVE-2021-30608 +CVE-2021-30609 +CVE-2021-30610 +CVE-2021-30611 +CVE-2021-30612 +CVE-2021-30613 +CVE-2021-30614 +CVE-2021-30615 +CVE-2021-30616 +CVE-2021-30617 +CVE-2021-30618 +CVE-2021-30619 +CVE-2021-30620 +CVE-2021-30621 +CVE-2021-30622 +CVE-2021-30623 +CVE-2021-30624 +CVE-2021-30635 +CVE-2021-30637 +CVE-2021-3109 +CVE-2021-3110 +CVE-2021-3111 +CVE-2021-3113 +CVE-2021-3114 +CVE-2021-3115 +CVE-2021-31152 +CVE-2021-31153 +CVE-2021-31154 +CVE-2021-31155 +CVE-2021-31158 +CVE-2021-31159 +CVE-2021-3116 +CVE-2021-31160 +CVE-2021-31162 +CVE-2021-31165 +CVE-2021-31166 +CVE-2021-31168 +CVE-2021-31169 +CVE-2021-3118 +CVE-2021-31185 +CVE-2021-3119 +CVE-2021-31192 +CVE-2021-3120 +CVE-2021-31200 +CVE-2021-31205 +CVE-2021-31208 +CVE-2021-3121 +CVE-2021-31211 +CVE-2021-31213 +CVE-2021-31214 +CVE-2021-31215 +CVE-2021-31216 +CVE-2021-31217 +CVE-2021-3122 +CVE-2021-31220 +CVE-2021-31221 +CVE-2021-31222 +CVE-2021-31223 +CVE-2021-31224 +CVE-2021-31225 +CVE-2021-31226 +CVE-2021-31227 +CVE-2021-31228 +CVE-2021-31229 +CVE-2021-31231 +CVE-2021-31232 +CVE-2021-3124 +CVE-2021-31245 +CVE-2021-31249 +CVE-2021-3125 +CVE-2021-31250 +CVE-2021-31251 +CVE-2021-31252 +CVE-2021-31254 +CVE-2021-31255 +CVE-2021-31256 +CVE-2021-31257 +CVE-2021-31258 +CVE-2021-31259 +CVE-2021-31260 +CVE-2021-31261 +CVE-2021-31262 +CVE-2021-3127 +CVE-2021-31272 +CVE-2021-31274 +CVE-2021-3128 +CVE-2021-3129 +CVE-2021-31292 +CVE-2021-3130 +CVE-2021-3131 +CVE-2021-31315 +CVE-2021-31316 +CVE-2021-31317 +CVE-2021-31318 +CVE-2021-31319 +CVE-2021-31320 +CVE-2021-31321 +CVE-2021-31322 +CVE-2021-31323 +CVE-2021-31324 +CVE-2021-31327 +CVE-2021-31329 +CVE-2021-3133 +CVE-2021-3134 +CVE-2021-31347 +CVE-2021-31348 +CVE-2021-3135 +CVE-2021-3137 +CVE-2021-3138 +CVE-2021-3139 +CVE-2021-31399 +CVE-2021-31400 +CVE-2021-31401 +CVE-2021-31402 +CVE-2021-3141 +CVE-2021-31414 +CVE-2021-3144 +CVE-2021-3145 +CVE-2021-3146 +CVE-2021-3148 +CVE-2021-3149 +CVE-2021-3150 +CVE-2021-3151 +CVE-2021-3152 +CVE-2021-31523 +CVE-2021-31525 +CVE-2021-3153 +CVE-2021-31530 +CVE-2021-31531 +CVE-2021-31532 +CVE-2021-31535 +CVE-2021-31537 +CVE-2021-31538 +CVE-2021-31539 +CVE-2021-3154 +CVE-2021-31540 +CVE-2021-31542 +CVE-2021-31545 +CVE-2021-31546 +CVE-2021-31547 +CVE-2021-31548 +CVE-2021-31549 +CVE-2021-31550 +CVE-2021-31551 +CVE-2021-31552 +CVE-2021-31553 +CVE-2021-31554 +CVE-2021-31555 +CVE-2021-31556 +CVE-2021-3156 +CVE-2021-31571 +CVE-2021-31572 +CVE-2021-31583 +CVE-2021-31584 +CVE-2021-31585 +CVE-2021-31586 +CVE-2021-3159 +CVE-2021-31590 +CVE-2021-31597 +CVE-2021-31598 +CVE-2021-3160 +CVE-2021-31604 +CVE-2021-31605 +CVE-2021-31606 +CVE-2021-31607 +CVE-2021-31609 +CVE-2021-31610 +CVE-2021-31611 +CVE-2021-31612 +CVE-2021-31613 +CVE-2021-31615 +CVE-2021-31616 +CVE-2021-3162 +CVE-2021-31624 +CVE-2021-31627 +CVE-2021-3163 +CVE-2021-31630 +CVE-2021-3164 +CVE-2021-31641 +CVE-2021-31642 +CVE-2021-31643 +CVE-2021-31646 +CVE-2021-31649 +CVE-2021-3165 +CVE-2021-31655 +CVE-2021-31658 +CVE-2021-31659 +CVE-2021-3166 +CVE-2021-31660 +CVE-2021-31661 +CVE-2021-31662 +CVE-2021-31663 +CVE-2021-31664 +CVE-2021-3167 +CVE-2021-31671 +CVE-2021-31682 +CVE-2021-31684 +CVE-2021-3169 +CVE-2021-31698 +CVE-2021-31701 +CVE-2021-31702 +CVE-2021-31703 +CVE-2021-31712 +CVE-2021-31718 +CVE-2021-31721 +CVE-2021-31726 +CVE-2021-31727 +CVE-2021-31728 +CVE-2021-31731 +CVE-2021-31737 +CVE-2021-31738 +CVE-2021-31755 +CVE-2021-31756 +CVE-2021-31757 +CVE-2021-31758 +CVE-2021-3176 +CVE-2021-31760 +CVE-2021-31761 +CVE-2021-31762 +CVE-2021-31769 +CVE-2021-3177 +CVE-2021-31771 +CVE-2021-31776 +CVE-2021-31777 +CVE-2021-31778 +CVE-2021-31779 +CVE-2021-3178 +CVE-2021-31780 +CVE-2021-31783 +CVE-2021-31784 +CVE-2021-31785 +CVE-2021-31786 +CVE-2021-31791 +CVE-2021-31792 +CVE-2021-31793 +CVE-2021-31794 +CVE-2021-31795 +CVE-2021-31796 +CVE-2021-31797 +CVE-2021-31798 +CVE-2021-31799 +CVE-2021-31800 +CVE-2021-31802 +CVE-2021-31803 +CVE-2021-31804 +CVE-2021-31806 +CVE-2021-31807 +CVE-2021-31808 +CVE-2021-3181 +CVE-2021-31810 +CVE-2021-31813 +CVE-2021-31815 +CVE-2021-3182 +CVE-2021-31826 +CVE-2021-31827 +CVE-2021-31828 +CVE-2021-31829 +CVE-2021-3183 +CVE-2021-3184 +CVE-2021-31855 +CVE-2021-31856 +CVE-2021-31857 +CVE-2021-31859 +CVE-2021-3186 +CVE-2021-31862 +CVE-2021-31863 +CVE-2021-31864 +CVE-2021-31865 +CVE-2021-31866 +CVE-2021-31870 +CVE-2021-31871 +CVE-2021-31872 +CVE-2021-31873 +CVE-2021-31874 +CVE-2021-31875 +CVE-2021-31876 +CVE-2021-31878 +CVE-2021-31879 +CVE-2021-3188 +CVE-2021-3189 +CVE-2021-31897 +CVE-2021-31898 +CVE-2021-31899 +CVE-2021-3190 +CVE-2021-31900 +CVE-2021-31901 +CVE-2021-31902 +CVE-2021-31903 +CVE-2021-31904 +CVE-2021-31905 +CVE-2021-31906 +CVE-2021-31907 +CVE-2021-31908 +CVE-2021-31909 +CVE-2021-3191 +CVE-2021-31910 +CVE-2021-31911 +CVE-2021-31912 +CVE-2021-31913 +CVE-2021-31914 +CVE-2021-31915 +CVE-2021-31919 +CVE-2021-31920 +CVE-2021-31921 +CVE-2021-31922 +CVE-2021-31924 +CVE-2021-31925 +CVE-2021-31926 +CVE-2021-31927 +CVE-2021-31928 +CVE-2021-31929 +CVE-2021-3193 +CVE-2021-31930 +CVE-2021-31933 +CVE-2021-31934 +CVE-2021-31935 +CVE-2021-31936 +CVE-2021-31938 +CVE-2021-31942 +CVE-2021-31943 +CVE-2021-31944 +CVE-2021-31945 +CVE-2021-31946 +CVE-2021-31947 +CVE-2021-3195 +CVE-2021-3196 +CVE-2021-31960 +CVE-2021-31967 +CVE-2021-3197 +CVE-2021-31978 +CVE-2021-31980 +CVE-2021-31983 +CVE-2021-31984 +CVE-2021-31985 +CVE-2021-3199 +CVE-2021-31996 +CVE-2021-3200 +CVE-2021-32012 +CVE-2021-32013 +CVE-2021-32014 +CVE-2021-32015 +CVE-2021-32016 +CVE-2021-32017 +CVE-2021-32018 +CVE-2021-32019 +CVE-2021-32020 +CVE-2021-32030 +CVE-2021-32032 +CVE-2021-32033 +CVE-2021-3204 +CVE-2021-32051 +CVE-2021-32052 +CVE-2021-32053 +CVE-2021-32054 +CVE-2021-32055 +CVE-2021-32056 +CVE-2021-32062 +CVE-2021-32066 +CVE-2021-32067 +CVE-2021-32068 +CVE-2021-32069 +CVE-2021-32070 +CVE-2021-32071 +CVE-2021-32072 +CVE-2021-32073 +CVE-2021-32074 +CVE-2021-32075 +CVE-2021-32077 +CVE-2021-32078 +CVE-2021-32089 +CVE-2021-32090 +CVE-2021-32091 +CVE-2021-32092 +CVE-2021-32093 +CVE-2021-32094 +CVE-2021-32095 +CVE-2021-32096 +CVE-2021-32098 +CVE-2021-32099 +CVE-2021-3210 +CVE-2021-32100 +CVE-2021-32101 +CVE-2021-32102 +CVE-2021-32103 +CVE-2021-32104 +CVE-2021-32106 +CVE-2021-32122 +CVE-2021-32132 +CVE-2021-32134 +CVE-2021-32135 +CVE-2021-32136 +CVE-2021-32137 +CVE-2021-32138 +CVE-2021-32139 +CVE-2021-32172 +CVE-2021-32198 +CVE-2021-32202 +CVE-2021-3223 +CVE-2021-32233 +CVE-2021-32234 +CVE-2021-32238 +CVE-2021-3224 +CVE-2021-32243 +CVE-2021-32244 +CVE-2021-32245 +CVE-2021-32263 +CVE-2021-32265 +CVE-2021-32268 +CVE-2021-32269 +CVE-2021-32270 +CVE-2021-32271 +CVE-2021-32272 +CVE-2021-32273 +CVE-2021-32274 +CVE-2021-32275 +CVE-2021-32276 +CVE-2021-32277 +CVE-2021-32278 +CVE-2021-32280 +CVE-2021-32281 +CVE-2021-32282 +CVE-2021-32283 +CVE-2021-32284 +CVE-2021-32285 +CVE-2021-32286 +CVE-2021-32287 +CVE-2021-32288 +CVE-2021-32289 +CVE-2021-3229 +CVE-2021-32294 +CVE-2021-32297 +CVE-2021-32298 +CVE-2021-32299 +CVE-2021-32305 +CVE-2021-3239 +CVE-2021-32399 +CVE-2021-32402 +CVE-2021-32403 +CVE-2021-32424 +CVE-2021-32426 +CVE-2021-3243 +CVE-2021-32437 +CVE-2021-32438 +CVE-2021-32439 +CVE-2021-32440 +CVE-2021-3246 +CVE-2021-32470 +CVE-2021-32471 +CVE-2021-32484 +CVE-2021-32485 +CVE-2021-32486 +CVE-2021-32487 +CVE-2021-32489 +CVE-2021-3252 +CVE-2021-32558 +CVE-2021-32559 +CVE-2021-3256 +CVE-2021-32560 +CVE-2021-32561 +CVE-2021-32563 +CVE-2021-32569 +CVE-2021-32571 +CVE-2021-32572 +CVE-2021-32573 +CVE-2021-32574 +CVE-2021-32575 +CVE-2021-32576 +CVE-2021-32577 +CVE-2021-32578 +CVE-2021-32579 +CVE-2021-3258 +CVE-2021-32580 +CVE-2021-32581 +CVE-2021-32582 +CVE-2021-32604 +CVE-2021-32605 +CVE-2021-32606 +CVE-2021-32607 +CVE-2021-32608 +CVE-2021-32610 +CVE-2021-32611 +CVE-2021-32612 +CVE-2021-32615 +CVE-2021-3264 +CVE-2021-3271 +CVE-2021-3272 +CVE-2021-3273 +CVE-2021-3275 +CVE-2021-3277 +CVE-2021-3278 +CVE-2021-3279 +CVE-2021-3281 +CVE-2021-3282 +CVE-2021-3283 +CVE-2021-3285 +CVE-2021-3286 +CVE-2021-3287 +CVE-2021-3291 +CVE-2021-32917 +CVE-2021-32918 +CVE-2021-32919 +CVE-2021-32920 +CVE-2021-32921 +CVE-2021-32923 +CVE-2021-32924 +CVE-2021-32925 +CVE-2021-3293 +CVE-2021-3294 +CVE-2021-3297 +CVE-2021-3298 +CVE-2021-33026 +CVE-2021-33027 +CVE-2021-33031 +CVE-2021-33032 +CVE-2021-33033 +CVE-2021-33034 +CVE-2021-33038 +CVE-2021-3304 +CVE-2021-33041 +CVE-2021-33054 +CVE-2021-33055 +CVE-2021-33056 +CVE-2021-3308 +CVE-2021-3309 +CVE-2021-3310 +CVE-2021-3311 +CVE-2021-3312 +CVE-2021-3313 +CVE-2021-3314 +CVE-2021-3315 +CVE-2021-3317 +CVE-2021-3318 +CVE-2021-33185 +CVE-2021-33186 +CVE-2021-33194 +CVE-2021-33195 +CVE-2021-33196 +CVE-2021-33197 +CVE-2021-33198 +CVE-2021-33199 +CVE-2021-33200 +CVE-2021-33203 +CVE-2021-33204 +CVE-2021-33205 +CVE-2021-33211 +CVE-2021-33212 +CVE-2021-33213 +CVE-2021-33214 +CVE-2021-33215 +CVE-2021-33216 +CVE-2021-33217 +CVE-2021-33218 +CVE-2021-33219 +CVE-2021-33220 +CVE-2021-33221 +CVE-2021-3325 +CVE-2021-33256 +CVE-2021-3326 +CVE-2021-3327 +CVE-2021-3328 +CVE-2021-33285 +CVE-2021-33286 +CVE-2021-33287 +CVE-2021-33289 +CVE-2021-3331 +CVE-2021-3332 +CVE-2021-33320 +CVE-2021-33321 +CVE-2021-33322 +CVE-2021-33323 +CVE-2021-33324 +CVE-2021-33325 +CVE-2021-33326 +CVE-2021-33327 +CVE-2021-33328 +CVE-2021-3333 +CVE-2021-33330 +CVE-2021-33331 +CVE-2021-33332 +CVE-2021-33333 +CVE-2021-33334 +CVE-2021-33335 +CVE-2021-33336 +CVE-2021-33337 +CVE-2021-33338 +CVE-2021-33339 +CVE-2021-33346 +CVE-2021-33347 +CVE-2021-33348 +CVE-2021-33356 +CVE-2021-33357 +CVE-2021-33358 +CVE-2021-33359 +CVE-2021-3336 +CVE-2021-33361 +CVE-2021-33362 +CVE-2021-33363 +CVE-2021-33364 +CVE-2021-33365 +CVE-2021-33366 +CVE-2021-3337 +CVE-2021-3339 +CVE-2021-33393 +CVE-2021-33394 +CVE-2021-3340 +CVE-2021-33403 +CVE-2021-33408 +CVE-2021-3341 +CVE-2021-3342 +CVE-2021-33425 +CVE-2021-3345 +CVE-2021-3346 +CVE-2021-33469 +CVE-2021-3347 +CVE-2021-33470 +CVE-2021-33477 +CVE-2021-33478 +CVE-2021-3348 +CVE-2021-33483 +CVE-2021-33484 +CVE-2021-33485 +CVE-2021-33486 +CVE-2021-3349 +CVE-2021-33496 +CVE-2021-33497 +CVE-2021-3350 +CVE-2021-33500 +CVE-2021-33501 +CVE-2021-33502 +CVE-2021-33503 +CVE-2021-33505 +CVE-2021-33506 +CVE-2021-33507 +CVE-2021-33508 +CVE-2021-33509 +CVE-2021-3351 +CVE-2021-33510 +CVE-2021-33511 +CVE-2021-33512 +CVE-2021-33513 +CVE-2021-33514 +CVE-2021-33515 +CVE-2021-33516 +CVE-2021-3352 +CVE-2021-33525 +CVE-2021-3355 +CVE-2021-33557 +CVE-2021-33558 +CVE-2021-33560 +CVE-2021-33561 +CVE-2021-33562 +CVE-2021-33563 +CVE-2021-33564 +CVE-2021-33570 +CVE-2021-33571 +CVE-2021-33574 +CVE-2021-33575 +CVE-2021-33576 +CVE-2021-33577 +CVE-2021-33578 +CVE-2021-33582 +CVE-2021-33583 +CVE-2021-33586 +CVE-2021-33587 +CVE-2021-33590 +CVE-2021-33617 +CVE-2021-33618 +CVE-2021-33620 +CVE-2021-33622 +CVE-2021-33623 +CVE-2021-33624 +CVE-2021-33626 +CVE-2021-33629 +CVE-2021-33739 +CVE-2021-3374 +CVE-2021-33741 +CVE-2021-3375 +CVE-2021-33753 +CVE-2021-33760 +CVE-2021-33762 +CVE-2021-33767 +CVE-2021-33768 +CVE-2021-3377 +CVE-2021-33772 +CVE-2021-33775 +CVE-2021-33776 +CVE-2021-33777 +CVE-2021-33778 +CVE-2021-3378 +CVE-2021-33790 +CVE-2021-33792 +CVE-2021-33793 +CVE-2021-33794 +CVE-2021-33795 +CVE-2021-3380 +CVE-2021-33806 +CVE-2021-33807 +CVE-2021-33813 +CVE-2021-33815 +CVE-2021-33816 +CVE-2021-33818 +CVE-2021-3382 +CVE-2021-33820 +CVE-2021-33822 +CVE-2021-33823 +CVE-2021-33824 +CVE-2021-33829 +CVE-2021-33831 +CVE-2021-33833 +CVE-2021-33838 +CVE-2021-33839 +CVE-2021-3384 +CVE-2021-33840 +CVE-2021-33879 +CVE-2021-33880 +CVE-2021-33881 +CVE-2021-33882 +CVE-2021-33883 +CVE-2021-33884 +CVE-2021-33885 +CVE-2021-33886 +CVE-2021-33887 +CVE-2021-33889 +CVE-2021-33894 +CVE-2021-33895 +CVE-2021-33896 +CVE-2021-33898 +CVE-2021-33903 +CVE-2021-33904 +CVE-2021-33909 +CVE-2021-3391 +CVE-2021-33910 +CVE-2021-33911 +CVE-2021-33923 +CVE-2021-33924 +CVE-2021-33928 +CVE-2021-33929 +CVE-2021-33930 +CVE-2021-33938 +CVE-2021-3394 +CVE-2021-3395 +CVE-2021-3396 +CVE-2021-33981 +CVE-2021-33982 +CVE-2021-33988 +CVE-2021-3401 +CVE-2021-34066 +CVE-2021-34067 +CVE-2021-34068 +CVE-2021-34069 +CVE-2021-34070 +CVE-2021-34071 +CVE-2021-34074 +CVE-2021-34075 +CVE-2021-34110 +CVE-2021-34128 +CVE-2021-34129 +CVE-2021-34143 +CVE-2021-34144 +CVE-2021-34145 +CVE-2021-34146 +CVE-2021-34147 +CVE-2021-34148 +CVE-2021-34149 +CVE-2021-34150 +CVE-2021-34165 +CVE-2021-34166 +CVE-2021-34170 +CVE-2021-34173 +CVE-2021-34174 +CVE-2021-34183 +CVE-2021-34184 +CVE-2021-34185 +CVE-2021-34187 +CVE-2021-34190 +CVE-2021-34201 +CVE-2021-34202 +CVE-2021-34203 +CVE-2021-34204 +CVE-2021-34207 +CVE-2021-34215 +CVE-2021-34218 +CVE-2021-34220 +CVE-2021-34223 +CVE-2021-34228 +CVE-2021-34243 +CVE-2021-34244 +CVE-2021-34254 +CVE-2021-34259 +CVE-2021-34260 +CVE-2021-34261 +CVE-2021-34262 +CVE-2021-34267 +CVE-2021-34268 +CVE-2021-34270 +CVE-2021-34272 +CVE-2021-34273 +CVE-2021-34280 +CVE-2021-34363 +CVE-2021-34364 +CVE-2021-34369 +CVE-2021-34370 +CVE-2021-34371 +CVE-2021-34451 +CVE-2021-34453 +CVE-2021-34461 +CVE-2021-34464 +CVE-2021-34471 +CVE-2021-34474 +CVE-2021-34477 +CVE-2021-34479 +CVE-2021-34481 +CVE-2021-34513 +CVE-2021-34521 +CVE-2021-34522 +CVE-2021-34528 +CVE-2021-34529 +CVE-2021-34539 +CVE-2021-34540 +CVE-2021-34546 +CVE-2021-34547 +CVE-2021-34548 +CVE-2021-34549 +CVE-2021-34550 +CVE-2021-34551 +CVE-2021-34552 +CVE-2021-34553 +CVE-2021-34555 +CVE-2021-34556 +CVE-2021-34557 +CVE-2021-34558 +CVE-2021-34675 +CVE-2021-34676 +CVE-2021-34679 +CVE-2021-34682 +CVE-2021-34683 +CVE-2021-34687 +CVE-2021-34688 +CVE-2021-34689 +CVE-2021-34690 +CVE-2021-34691 +CVE-2021-34692 +CVE-2021-34693 +CVE-2021-34696 +CVE-2021-34697 +CVE-2021-34698 +CVE-2021-34699 +CVE-2021-34700 +CVE-2021-34702 +CVE-2021-34703 +CVE-2021-34705 +CVE-2021-34706 +CVE-2021-34707 +CVE-2021-34708 +CVE-2021-34709 +CVE-2021-34710 +CVE-2021-34711 +CVE-2021-34712 +CVE-2021-34713 +CVE-2021-34714 +CVE-2021-34715 +CVE-2021-34716 +CVE-2021-34718 +CVE-2021-34719 +CVE-2021-34720 +CVE-2021-34721 +CVE-2021-34722 +CVE-2021-34723 +CVE-2021-34724 +CVE-2021-34725 +CVE-2021-34726 +CVE-2021-34727 +CVE-2021-34728 +CVE-2021-34729 +CVE-2021-34730 +CVE-2021-34732 +CVE-2021-34733 +CVE-2021-34734 +CVE-2021-34735 +CVE-2021-34736 +CVE-2021-34737 +CVE-2021-34738 +CVE-2021-34740 +CVE-2021-34742 +CVE-2021-34743 +CVE-2021-34744 +CVE-2021-34746 +CVE-2021-34748 +CVE-2021-34749 +CVE-2021-34754 +CVE-2021-34755 +CVE-2021-34756 +CVE-2021-34757 +CVE-2021-34758 +CVE-2021-34759 +CVE-2021-34760 +CVE-2021-34761 +CVE-2021-34762 +CVE-2021-34763 +CVE-2021-34764 +CVE-2021-34765 +CVE-2021-34766 +CVE-2021-34767 +CVE-2021-34768 +CVE-2021-34769 +CVE-2021-34770 +CVE-2021-34771 +CVE-2021-34772 +CVE-2021-34775 +CVE-2021-34776 +CVE-2021-34777 +CVE-2021-34778 +CVE-2021-34779 +CVE-2021-34780 +CVE-2021-34781 +CVE-2021-34782 +CVE-2021-34783 +CVE-2021-34785 +CVE-2021-34786 +CVE-2021-34787 +CVE-2021-34788 +CVE-2021-34789 +CVE-2021-34790 +CVE-2021-34791 +CVE-2021-34792 +CVE-2021-34793 +CVE-2021-34794 +CVE-2021-34801 +CVE-2021-34802 +CVE-2021-34803 +CVE-2021-34807 +CVE-2021-34813 +CVE-2021-34814 +CVE-2021-34815 +CVE-2021-34816 +CVE-2021-34817 +CVE-2021-34820 +CVE-2021-34821 +CVE-2021-34823 +CVE-2021-34824 +CVE-2021-34825 +CVE-2021-35037 +CVE-2021-35039 +CVE-2021-35041 +CVE-2021-35042 +CVE-2021-35043 +CVE-2021-35045 +CVE-2021-35046 +CVE-2021-35054 +CVE-2021-35056 +CVE-2021-35059 +CVE-2021-35060 +CVE-2021-35061 +CVE-2021-35062 +CVE-2021-35063 +CVE-2021-35064 +CVE-2021-35066 +CVE-2021-35067 +CVE-2021-35193 +CVE-2021-35196 +CVE-2021-35197 +CVE-2021-35198 +CVE-2021-35199 +CVE-2021-35200 +CVE-2021-35201 +CVE-2021-35202 +CVE-2021-35203 +CVE-2021-35204 +CVE-2021-35205 +CVE-2021-35206 +CVE-2021-35207 +CVE-2021-35208 +CVE-2021-35209 +CVE-2021-35210 +CVE-2021-35265 +CVE-2021-35266 +CVE-2021-35267 +CVE-2021-35268 +CVE-2021-35269 +CVE-2021-35296 +CVE-2021-35297 +CVE-2021-35298 +CVE-2021-35299 +CVE-2021-35300 +CVE-2021-35301 +CVE-2021-35302 +CVE-2021-35303 +CVE-2021-35306 +CVE-2021-35307 +CVE-2021-35312 +CVE-2021-35323 +CVE-2021-35324 +CVE-2021-35325 +CVE-2021-35326 +CVE-2021-35327 +CVE-2021-35331 +CVE-2021-35336 +CVE-2021-35337 +CVE-2021-35342 +CVE-2021-35343 +CVE-2021-35358 +CVE-2021-35360 +CVE-2021-35361 +CVE-2021-35392 +CVE-2021-35393 +CVE-2021-35394 +CVE-2021-35395 +CVE-2021-35397 +CVE-2021-35438 +CVE-2021-35440 +CVE-2021-35448 +CVE-2021-35449 +CVE-2021-35450 +CVE-2021-35451 +CVE-2021-35456 +CVE-2021-35458 +CVE-2021-35463 +CVE-2021-35464 +CVE-2021-35465 +CVE-2021-35469 +CVE-2021-35472 +CVE-2021-35475 +CVE-2021-35477 +CVE-2021-35478 +CVE-2021-35479 +CVE-2021-35482 +CVE-2021-35491 +CVE-2021-35492 +CVE-2021-35501 +CVE-2021-35502 +CVE-2021-35503 +CVE-2021-35504 +CVE-2021-35505 +CVE-2021-35506 +CVE-2021-35508 +CVE-2021-35512 +CVE-2021-35513 +CVE-2021-35514 +CVE-2021-35520 +CVE-2021-35521 +CVE-2021-35522 +CVE-2021-35523 +CVE-2021-35525 +CVE-2021-35941 +CVE-2021-35942 +CVE-2021-35943 +CVE-2021-35944 +CVE-2021-35945 +CVE-2021-35946 +CVE-2021-35947 +CVE-2021-35948 +CVE-2021-35949 +CVE-2021-35955 +CVE-2021-35956 +CVE-2021-35957 +CVE-2021-35958 +CVE-2021-35959 +CVE-2021-35970 +CVE-2021-35971 +CVE-2021-35973 +CVE-2021-35976 +CVE-2021-35977 +CVE-2021-35979 +CVE-2021-36080 +CVE-2021-36081 +CVE-2021-36082 +CVE-2021-36083 +CVE-2021-36084 +CVE-2021-36085 +CVE-2021-36086 +CVE-2021-36087 +CVE-2021-36088 +CVE-2021-36089 +CVE-2021-36121 +CVE-2021-36122 +CVE-2021-36123 +CVE-2021-36124 +CVE-2021-36125 +CVE-2021-36126 +CVE-2021-36127 +CVE-2021-36128 +CVE-2021-36129 +CVE-2021-36130 +CVE-2021-36131 +CVE-2021-36132 +CVE-2021-36134 +CVE-2021-36143 +CVE-2021-36144 +CVE-2021-36145 +CVE-2021-36146 +CVE-2021-36147 +CVE-2021-36148 +CVE-2021-36150 +CVE-2021-36153 +CVE-2021-36154 +CVE-2021-36155 +CVE-2021-36156 +CVE-2021-36157 +CVE-2021-36158 +CVE-2021-36159 +CVE-2021-36165 +CVE-2021-36209 +CVE-2021-36212 +CVE-2021-36213 +CVE-2021-36218 +CVE-2021-36219 +CVE-2021-36221 +CVE-2021-36222 +CVE-2021-36230 +CVE-2021-36231 +CVE-2021-36232 +CVE-2021-36233 +CVE-2021-36234 +CVE-2021-36235 +CVE-2021-36260 +CVE-2021-36351 +CVE-2021-36352 +CVE-2021-36356 +CVE-2021-36357 +CVE-2021-36359 +CVE-2021-36363 +CVE-2021-36364 +CVE-2021-36365 +CVE-2021-36366 +CVE-2021-36367 +CVE-2021-36370 +CVE-2021-36371 +CVE-2021-36376 +CVE-2021-36377 +CVE-2021-36380 +CVE-2021-36381 +CVE-2021-36382 +CVE-2021-36383 +CVE-2021-36385 +CVE-2021-36386 +CVE-2021-36387 +CVE-2021-36388 +CVE-2021-36389 +CVE-2021-36440 +CVE-2021-36454 +CVE-2021-36455 +CVE-2021-36483 +CVE-2021-36512 +CVE-2021-36513 +CVE-2021-36530 +CVE-2021-36531 +CVE-2021-36542 +CVE-2021-36543 +CVE-2021-36547 +CVE-2021-36548 +CVE-2021-36550 +CVE-2021-36551 +CVE-2021-36563 +CVE-2021-36581 +CVE-2021-36582 +CVE-2021-36584 +CVE-2021-36601 +CVE-2021-36605 +CVE-2021-36621 +CVE-2021-36622 +CVE-2021-36623 +CVE-2021-36624 +CVE-2021-36654 +CVE-2021-36690 +CVE-2021-36691 +CVE-2021-36692 +CVE-2021-36695 +CVE-2021-36696 +CVE-2021-36701 +CVE-2021-36702 +CVE-2021-36703 +CVE-2021-36705 +CVE-2021-36706 +CVE-2021-36707 +CVE-2021-36708 +CVE-2021-36716 +CVE-2021-36740 +CVE-2021-36746 +CVE-2021-36747 +CVE-2021-36748 +CVE-2021-36753 +CVE-2021-36754 +CVE-2021-36755 +CVE-2021-36756 +CVE-2021-36758 +CVE-2021-36762 +CVE-2021-36763 +CVE-2021-36764 +CVE-2021-36765 +CVE-2021-36766 +CVE-2021-36767 +CVE-2021-36769 +CVE-2021-36770 +CVE-2021-36771 +CVE-2021-36772 +CVE-2021-36773 +CVE-2021-36785 +CVE-2021-36786 +CVE-2021-36787 +CVE-2021-36788 +CVE-2021-36789 +CVE-2021-36790 +CVE-2021-36791 +CVE-2021-36792 +CVE-2021-36793 +CVE-2021-36795 +CVE-2021-36797 +CVE-2021-36798 +CVE-2021-36799 +CVE-2021-36921 +CVE-2021-36928 +CVE-2021-36929 +CVE-2021-36930 +CVE-2021-36931 +CVE-2021-36943 +CVE-2021-36945 +CVE-2021-36946 +CVE-2021-36949 +CVE-2021-36952 +CVE-2021-36956 +CVE-2021-36958 +CVE-2021-36976 +CVE-2021-36977 +CVE-2021-36978 +CVE-2021-36979 +CVE-2021-36980 +CVE-2021-36981 +CVE-2021-36982 +CVE-2021-36983 +CVE-2021-37144 +CVE-2021-37145 +CVE-2021-37146 +CVE-2021-37152 +CVE-2021-37153 +CVE-2021-37154 +CVE-2021-37155 +CVE-2021-37156 +CVE-2021-37157 +CVE-2021-37158 +CVE-2021-37159 +CVE-2021-37160 +CVE-2021-37161 +CVE-2021-37162 +CVE-2021-37163 +CVE-2021-37164 +CVE-2021-37165 +CVE-2021-37166 +CVE-2021-37167 +CVE-2021-37218 +CVE-2021-37219 +CVE-2021-37220 +CVE-2021-37221 +CVE-2021-37222 +CVE-2021-37223 +CVE-2021-37231 +CVE-2021-37232 +CVE-2021-37254 +CVE-2021-37267 +CVE-2021-37270 +CVE-2021-37271 +CVE-2021-37273 +CVE-2021-37274 +CVE-2021-37326 +CVE-2021-37330 +CVE-2021-37331 +CVE-2021-37333 +CVE-2021-37334 +CVE-2021-37343 +CVE-2021-37344 +CVE-2021-37345 +CVE-2021-37346 +CVE-2021-37347 +CVE-2021-37348 +CVE-2021-37349 +CVE-2021-37350 +CVE-2021-37351 +CVE-2021-37352 +CVE-2021-37353 +CVE-2021-37358 +CVE-2021-37363 +CVE-2021-37364 +CVE-2021-37365 +CVE-2021-37366 +CVE-2021-37367 +CVE-2021-37371 +CVE-2021-37372 +CVE-2021-37381 +CVE-2021-37388 +CVE-2021-37389 +CVE-2021-37390 +CVE-2021-37391 +CVE-2021-37392 +CVE-2021-37393 +CVE-2021-37394 +CVE-2021-37402 +CVE-2021-37403 +CVE-2021-37412 +CVE-2021-37414 +CVE-2021-37415 +CVE-2021-37416 +CVE-2021-37417 +CVE-2021-37419 +CVE-2021-37420 +CVE-2021-37421 +CVE-2021-37422 +CVE-2021-37423 +CVE-2021-37424 +CVE-2021-37425 +CVE-2021-37436 +CVE-2021-37439 +CVE-2021-37440 +CVE-2021-37441 +CVE-2021-37442 +CVE-2021-37443 +CVE-2021-37444 +CVE-2021-37445 +CVE-2021-37446 +CVE-2021-37447 +CVE-2021-37448 +CVE-2021-37449 +CVE-2021-37450 +CVE-2021-37451 +CVE-2021-37452 +CVE-2021-37453 +CVE-2021-37454 +CVE-2021-37455 +CVE-2021-37456 +CVE-2021-37457 +CVE-2021-37458 +CVE-2021-37459 +CVE-2021-37460 +CVE-2021-37461 +CVE-2021-37462 +CVE-2021-37463 +CVE-2021-37464 +CVE-2021-37465 +CVE-2021-37466 +CVE-2021-37467 +CVE-2021-37468 +CVE-2021-37469 +CVE-2021-37470 +CVE-2021-37471 +CVE-2021-37473 +CVE-2021-37475 +CVE-2021-37476 +CVE-2021-37477 +CVE-2021-37478 +CVE-2021-37534 +CVE-2021-37538 +CVE-2021-37539 +CVE-2021-37540 +CVE-2021-37541 +CVE-2021-37542 +CVE-2021-37543 +CVE-2021-37544 +CVE-2021-37545 +CVE-2021-37546 +CVE-2021-37547 +CVE-2021-37548 +CVE-2021-37549 +CVE-2021-37550 +CVE-2021-37551 +CVE-2021-37552 +CVE-2021-37553 +CVE-2021-37554 +CVE-2021-37555 +CVE-2021-37556 +CVE-2021-37557 +CVE-2021-37558 +CVE-2021-37573 +CVE-2021-37576 +CVE-2021-37586 +CVE-2021-37587 +CVE-2021-37588 +CVE-2021-37593 +CVE-2021-37594 +CVE-2021-37595 +CVE-2021-37596 +CVE-2021-37597 +CVE-2021-37598 +CVE-2021-37599 +CVE-2021-37600 +CVE-2021-37601 +CVE-2021-37604 +CVE-2021-37605 +CVE-2021-37606 +CVE-2021-37614 +CVE-2021-37741 +CVE-2021-37742 +CVE-2021-37743 +CVE-2021-37746 +CVE-2021-37748 +CVE-2021-37749 +CVE-2021-37750 +CVE-2021-37759 +CVE-2021-37760 +CVE-2021-37761 +CVE-2021-37762 +CVE-2021-37777 +CVE-2021-37786 +CVE-2021-37788 +CVE-2021-37794 +CVE-2021-37803 +CVE-2021-37805 +CVE-2021-37806 +CVE-2021-37807 +CVE-2021-37808 +CVE-2021-37832 +CVE-2021-37833 +CVE-2021-37840 +CVE-2021-37841 +CVE-2021-37843 +CVE-2021-37847 +CVE-2021-37848 +CVE-2021-37914 +CVE-2021-37915 +CVE-2021-37916 +CVE-2021-37918 +CVE-2021-37919 +CVE-2021-37920 +CVE-2021-37921 +CVE-2021-37922 +CVE-2021-37923 +CVE-2021-37924 +CVE-2021-37925 +CVE-2021-37926 +CVE-2021-37927 +CVE-2021-37928 +CVE-2021-37929 +CVE-2021-37930 +CVE-2021-37931 +CVE-2021-37933 +CVE-2021-38084 +CVE-2021-38085 +CVE-2021-38086 +CVE-2021-38087 +CVE-2021-38088 +CVE-2021-38090 +CVE-2021-38091 +CVE-2021-38092 +CVE-2021-38093 +CVE-2021-38094 +CVE-2021-38095 +CVE-2021-38096 +CVE-2021-38097 +CVE-2021-38098 +CVE-2021-38099 +CVE-2021-38100 +CVE-2021-38101 +CVE-2021-38102 +CVE-2021-38103 +CVE-2021-38104 +CVE-2021-38105 +CVE-2021-38106 +CVE-2021-38107 +CVE-2021-38108 +CVE-2021-38109 +CVE-2021-38110 +CVE-2021-38111 +CVE-2021-38112 +CVE-2021-38113 +CVE-2021-38114 +CVE-2021-38115 +CVE-2021-38136 +CVE-2021-38137 +CVE-2021-38138 +CVE-2021-38140 +CVE-2021-38142 +CVE-2021-38143 +CVE-2021-38144 +CVE-2021-38145 +CVE-2021-38148 +CVE-2021-38149 +CVE-2021-38151 +CVE-2021-38152 +CVE-2021-38154 +CVE-2021-38155 +CVE-2021-38156 +CVE-2021-38157 +CVE-2021-38159 +CVE-2021-38160 +CVE-2021-38165 +CVE-2021-38166 +CVE-2021-38167 +CVE-2021-38168 +CVE-2021-38169 +CVE-2021-38171 +CVE-2021-38173 +CVE-2021-38174 +CVE-2021-38185 +CVE-2021-38186 +CVE-2021-38187 +CVE-2021-38188 +CVE-2021-38189 +CVE-2021-38190 +CVE-2021-38191 +CVE-2021-38192 +CVE-2021-38193 +CVE-2021-38194 +CVE-2021-38195 +CVE-2021-38196 +CVE-2021-38197 +CVE-2021-38198 +CVE-2021-38199 +CVE-2021-38200 +CVE-2021-38201 +CVE-2021-38202 +CVE-2021-38203 +CVE-2021-38204 +CVE-2021-38205 +CVE-2021-38206 +CVE-2021-38207 +CVE-2021-38208 +CVE-2021-38209 +CVE-2021-38258 +CVE-2021-38260 +CVE-2021-38290 +CVE-2021-38291 +CVE-2021-38297 +CVE-2021-38298 +CVE-2021-38299 +CVE-2021-38300 +CVE-2021-38302 +CVE-2021-38303 +CVE-2021-38304 +CVE-2021-38305 +CVE-2021-38306 +CVE-2021-38311 +CVE-2021-38365 +CVE-2021-38366 +CVE-2021-38370 +CVE-2021-38371 +CVE-2021-38372 +CVE-2021-38373 +CVE-2021-38379 +CVE-2021-38380 +CVE-2021-38381 +CVE-2021-38382 +CVE-2021-38383 +CVE-2021-38384 +CVE-2021-38385 +CVE-2021-38386 +CVE-2021-38387 +CVE-2021-38490 +CVE-2021-38511 +CVE-2021-38512 +CVE-2021-38513 +CVE-2021-38514 +CVE-2021-38515 +CVE-2021-38516 +CVE-2021-38517 +CVE-2021-38518 +CVE-2021-38519 +CVE-2021-38520 +CVE-2021-38521 +CVE-2021-38522 +CVE-2021-38523 +CVE-2021-38524 +CVE-2021-38525 +CVE-2021-38526 +CVE-2021-38527 +CVE-2021-38528 +CVE-2021-38529 +CVE-2021-38530 +CVE-2021-38531 +CVE-2021-38532 +CVE-2021-38533 +CVE-2021-38534 +CVE-2021-38535 +CVE-2021-38536 +CVE-2021-38537 +CVE-2021-38538 +CVE-2021-38539 +CVE-2021-38543 +CVE-2021-38544 +CVE-2021-38545 +CVE-2021-38546 +CVE-2021-38547 +CVE-2021-38548 +CVE-2021-38549 +CVE-2021-38553 +CVE-2021-38554 +CVE-2021-38556 +CVE-2021-38557 +CVE-2021-38559 +CVE-2021-38562 +CVE-2021-38563 +CVE-2021-38564 +CVE-2021-38565 +CVE-2021-38566 +CVE-2021-38567 +CVE-2021-38568 +CVE-2021-38569 +CVE-2021-38570 +CVE-2021-38571 +CVE-2021-38572 +CVE-2021-38573 +CVE-2021-38574 +CVE-2021-38583 +CVE-2021-38584 +CVE-2021-38585 +CVE-2021-38586 +CVE-2021-38587 +CVE-2021-38588 +CVE-2021-38589 +CVE-2021-38590 +CVE-2021-38591 +CVE-2021-38592 +CVE-2021-38593 +CVE-2021-38597 +CVE-2021-38598 +CVE-2021-38599 +CVE-2021-38602 +CVE-2021-38603 +CVE-2021-38604 +CVE-2021-38606 +CVE-2021-38607 +CVE-2021-38608 +CVE-2021-38611 +CVE-2021-38612 +CVE-2021-38613 +CVE-2021-38614 +CVE-2021-38615 +CVE-2021-38616 +CVE-2021-38617 +CVE-2021-38618 +CVE-2021-38619 +CVE-2021-38621 +CVE-2021-38623 +CVE-2021-38641 +CVE-2021-38642 +CVE-2021-38644 +CVE-2021-38645 +CVE-2021-38647 +CVE-2021-38648 +CVE-2021-38649 +CVE-2021-38656 +CVE-2021-38657 +CVE-2021-38659 +CVE-2021-38661 +CVE-2021-38669 +CVE-2021-38672 +CVE-2021-38698 +CVE-2021-38699 +CVE-2021-38702 +CVE-2021-38703 +CVE-2021-38704 +CVE-2021-38705 +CVE-2021-38706 +CVE-2021-38707 +CVE-2021-38708 +CVE-2021-38709 +CVE-2021-38710 +CVE-2021-38711 +CVE-2021-38712 +CVE-2021-38713 +CVE-2021-38714 +CVE-2021-38721 +CVE-2021-38723 +CVE-2021-38725 +CVE-2021-38727 +CVE-2021-38751 +CVE-2021-38752 +CVE-2021-38753 +CVE-2021-38754 +CVE-2021-38755 +CVE-2021-38756 +CVE-2021-38757 +CVE-2021-38758 +CVE-2021-38822 +CVE-2021-38823 +CVE-2021-38833 +CVE-2021-38840 +CVE-2021-38841 +CVE-2021-39240 +CVE-2021-39241 +CVE-2021-39242 +CVE-2021-39243 +CVE-2021-39244 +CVE-2021-39245 +CVE-2021-39246 +CVE-2021-39247 +CVE-2021-39248 +CVE-2021-39249 +CVE-2021-39250 +CVE-2021-39251 +CVE-2021-39252 +CVE-2021-39253 +CVE-2021-39254 +CVE-2021-39255 +CVE-2021-39256 +CVE-2021-39257 +CVE-2021-39258 +CVE-2021-39259 +CVE-2021-39260 +CVE-2021-39261 +CVE-2021-39262 +CVE-2021-39263 +CVE-2021-39267 +CVE-2021-39268 +CVE-2021-39271 +CVE-2021-39272 +CVE-2021-39273 +CVE-2021-39274 +CVE-2021-39278 +CVE-2021-39279 +CVE-2021-39282 +CVE-2021-39283 +CVE-2021-39285 +CVE-2021-39286 +CVE-2021-39289 +CVE-2021-39290 +CVE-2021-39291 +CVE-2021-39296 +CVE-2021-39302 +CVE-2021-39303 +CVE-2021-39304 +CVE-2021-39307 +CVE-2021-39358 +CVE-2021-39359 +CVE-2021-39360 +CVE-2021-39361 +CVE-2021-39362 +CVE-2021-39365 +CVE-2021-39367 +CVE-2021-39368 +CVE-2021-39371 +CVE-2021-39373 +CVE-2021-39375 +CVE-2021-39376 +CVE-2021-39377 +CVE-2021-39378 +CVE-2021-39379 +CVE-2021-39391 +CVE-2021-39392 +CVE-2021-39402 +CVE-2021-39404 +CVE-2021-39433 +CVE-2021-39458 +CVE-2021-39459 +CVE-2021-39474 +CVE-2021-39486 +CVE-2021-39496 +CVE-2021-39497 +CVE-2021-39499 +CVE-2021-39500 +CVE-2021-39501 +CVE-2021-39503 +CVE-2021-39509 +CVE-2021-39510 +CVE-2021-39514 +CVE-2021-39515 +CVE-2021-39516 +CVE-2021-39517 +CVE-2021-39518 +CVE-2021-39519 +CVE-2021-39520 +CVE-2021-39521 +CVE-2021-39522 +CVE-2021-39523 +CVE-2021-39525 +CVE-2021-39527 +CVE-2021-39528 +CVE-2021-39530 +CVE-2021-39531 +CVE-2021-39532 +CVE-2021-39533 +CVE-2021-39534 +CVE-2021-39535 +CVE-2021-39536 +CVE-2021-39537 +CVE-2021-39538 +CVE-2021-39539 +CVE-2021-39540 +CVE-2021-39541 +CVE-2021-39542 +CVE-2021-39543 +CVE-2021-39544 +CVE-2021-39545 +CVE-2021-39546 +CVE-2021-39547 +CVE-2021-39548 +CVE-2021-39549 +CVE-2021-39550 +CVE-2021-39551 +CVE-2021-39552 +CVE-2021-39553 +CVE-2021-39554 +CVE-2021-39555 +CVE-2021-39556 +CVE-2021-39557 +CVE-2021-39558 +CVE-2021-39559 +CVE-2021-39561 +CVE-2021-39562 +CVE-2021-39563 +CVE-2021-39564 +CVE-2021-39569 +CVE-2021-39574 +CVE-2021-39575 +CVE-2021-39577 +CVE-2021-39579 +CVE-2021-39582 +CVE-2021-39583 +CVE-2021-39584 +CVE-2021-39585 +CVE-2021-39587 +CVE-2021-39588 +CVE-2021-39589 +CVE-2021-39590 +CVE-2021-39591 +CVE-2021-39592 +CVE-2021-39593 +CVE-2021-39594 +CVE-2021-39595 +CVE-2021-39596 +CVE-2021-39597 +CVE-2021-39598 +CVE-2021-39599 +CVE-2021-39602 +CVE-2021-39608 +CVE-2021-39609 +CVE-2021-39613 +CVE-2021-39614 +CVE-2021-39615 +CVE-2021-40083 +CVE-2021-40084 +CVE-2021-40085 +CVE-2021-40086 +CVE-2021-40087 +CVE-2021-40088 +CVE-2021-40089 +CVE-2021-40097 +CVE-2021-40098 +CVE-2021-40099 +CVE-2021-40100 +CVE-2021-40102 +CVE-2021-40103 +CVE-2021-40104 +CVE-2021-40105 +CVE-2021-40106 +CVE-2021-40108 +CVE-2021-40109 +CVE-2021-40114 +CVE-2021-40116 +CVE-2021-40117 +CVE-2021-40118 +CVE-2021-40121 +CVE-2021-40122 +CVE-2021-40123 +CVE-2021-40125 +CVE-2021-40142 +CVE-2021-40143 +CVE-2021-40145 +CVE-2021-40147 +CVE-2021-40153 +CVE-2021-40172 +CVE-2021-40173 +CVE-2021-40174 +CVE-2021-40175 +CVE-2021-40176 +CVE-2021-40177 +CVE-2021-40178 +CVE-2021-40188 +CVE-2021-40189 +CVE-2021-40191 +CVE-2021-40214 +CVE-2021-40222 +CVE-2021-40223 +CVE-2021-40238 +CVE-2021-40239 +CVE-2021-40284 +CVE-2021-40292 +CVE-2021-40309 +CVE-2021-40310 +CVE-2021-40323 +CVE-2021-40324 +CVE-2021-40325 +CVE-2021-40330 +CVE-2021-40343 +CVE-2021-40344 +CVE-2021-40345 +CVE-2021-40346 +CVE-2021-40347 +CVE-2021-40349 +CVE-2021-40350 +CVE-2021-40352 +CVE-2021-40353 +CVE-2021-40371 +CVE-2021-40373 +CVE-2021-40377 +CVE-2021-40378 +CVE-2021-40379 +CVE-2021-40380 +CVE-2021-40381 +CVE-2021-40382 +CVE-2021-40385 +CVE-2021-40387 +CVE-2021-40440 +CVE-2021-40448 +CVE-2021-40457 +CVE-2021-40468 +CVE-2021-40490 +CVE-2021-40491 +CVE-2021-40492 +CVE-2021-40493 +CVE-2021-40494 +CVE-2021-40509 +CVE-2021-40516 +CVE-2021-40517 +CVE-2021-40518 +CVE-2021-40519 +CVE-2021-40520 +CVE-2021-40521 +CVE-2021-40523 +CVE-2021-40524 +CVE-2021-40526 +CVE-2021-40527 +CVE-2021-40528 +CVE-2021-40529 +CVE-2021-40530 +CVE-2021-40531 +CVE-2021-40532 +CVE-2021-40537 +CVE-2021-40539 +CVE-2021-40540 +CVE-2021-40541 +CVE-2021-40542 +CVE-2021-40543 +CVE-2021-40577 +CVE-2021-40617 +CVE-2021-40618 +CVE-2021-40639 +CVE-2021-40651 +CVE-2021-40654 +CVE-2021-40655 +CVE-2021-40669 +CVE-2021-40670 +CVE-2021-40674 +CVE-2021-40683 +CVE-2021-40684 +CVE-2021-40797 +CVE-2021-40812 +CVE-2021-40814 +CVE-2021-40818 +CVE-2021-40823 +CVE-2021-40824 +CVE-2021-40825 +CVE-2021-40839 +CVE-2021-40842 +CVE-2021-40843 +CVE-2021-40845 +CVE-2021-40847 +CVE-2021-40854 +CVE-2021-40862 +CVE-2021-40864 +CVE-2021-40866 +CVE-2021-40867 +CVE-2021-40868 +CVE-2021-40870 +CVE-2021-40871 +CVE-2021-40872 +CVE-2021-40873 +CVE-2021-40875 +CVE-2021-40881 +CVE-2021-40884 +CVE-2021-40886 +CVE-2021-40887 +CVE-2021-40888 +CVE-2021-40889 +CVE-2021-40921 +CVE-2021-40922 +CVE-2021-40923 +CVE-2021-40924 +CVE-2021-40925 +CVE-2021-40926 +CVE-2021-40927 +CVE-2021-40928 +CVE-2021-40960 +CVE-2021-40964 +CVE-2021-40965 +CVE-2021-40966 +CVE-2021-40968 +CVE-2021-40969 +CVE-2021-40970 +CVE-2021-40971 +CVE-2021-40972 +CVE-2021-40973 +CVE-2021-40975 +CVE-2021-40978 +CVE-2021-40981 +CVE-2021-41054 +CVE-2021-41055 +CVE-2021-41057 +CVE-2021-41061 +CVE-2021-41072 +CVE-2021-41073 +CVE-2021-41075 +CVE-2021-41077 +CVE-2021-41078 +CVE-2021-41080 +CVE-2021-41081 +CVE-2021-41285 +CVE-2021-41286 +CVE-2021-41288 +CVE-2021-41314 +CVE-2021-41315 +CVE-2021-41316 +CVE-2021-41317 +CVE-2021-41318 +CVE-2021-41320 +CVE-2021-41322 +CVE-2021-41323 +CVE-2021-41324 +CVE-2021-41325 +CVE-2021-41326 +CVE-2021-41329 +CVE-2021-41334 +CVE-2021-41336 +CVE-2021-41339 +CVE-2021-41346 +CVE-2021-41348 +CVE-2021-41350 +CVE-2021-41351 +CVE-2021-41352 +CVE-2021-41355 +CVE-2021-41357 +CVE-2021-41363 +CVE-2021-41372 +CVE-2021-41373 +CVE-2021-41374 +CVE-2021-41375 +CVE-2021-41376 +CVE-2021-41380 +CVE-2021-41381 +CVE-2021-41382 +CVE-2021-41383 +CVE-2021-41385 +CVE-2021-41387 +CVE-2021-41390 +CVE-2021-41391 +CVE-2021-41392 +CVE-2021-41393 +CVE-2021-41394 +CVE-2021-41395 +CVE-2021-41426 +CVE-2021-41427 +CVE-2021-41456 +CVE-2021-41457 +CVE-2021-41459 +CVE-2021-41461 +CVE-2021-41462 +CVE-2021-41463 +CVE-2021-41464 +CVE-2021-41465 +CVE-2021-41467 +CVE-2021-41503 +CVE-2021-41504 +CVE-2021-41511 +CVE-2021-41525 +CVE-2021-41553 +CVE-2021-41554 +CVE-2021-41555 +CVE-2021-41558 +CVE-2021-41573 +CVE-2021-41578 +CVE-2021-41579 +CVE-2021-41580 +CVE-2021-41581 +CVE-2021-41583 +CVE-2021-41584 +CVE-2021-41586 +CVE-2021-41587 +CVE-2021-41588 +CVE-2021-41589 +CVE-2021-41590 +CVE-2021-41591 +CVE-2021-41592 +CVE-2021-41593 +CVE-2021-41595 +CVE-2021-41596 +CVE-2021-41611 +CVE-2021-41617 +CVE-2021-41619 +CVE-2021-41643 +CVE-2021-41644 +CVE-2021-41645 +CVE-2021-41647 +CVE-2021-41648 +CVE-2021-41649 +CVE-2021-41651 +CVE-2021-41653 +CVE-2021-41674 +CVE-2021-41675 +CVE-2021-41676 +CVE-2021-41720 +CVE-2021-41728 +CVE-2021-41729 +CVE-2021-41732 +CVE-2021-41744 +CVE-2021-41745 +CVE-2021-41747 +CVE-2021-41753 +CVE-2021-41764 +CVE-2021-41765 +CVE-2021-41770 +CVE-2021-41790 +CVE-2021-41791 +CVE-2021-41792 +CVE-2021-41794 +CVE-2021-41795 +CVE-2021-41798 +CVE-2021-41799 +CVE-2021-41800 +CVE-2021-41801 +CVE-2021-41802 +CVE-2021-41821 +CVE-2021-41824 +CVE-2021-41825 +CVE-2021-41826 +CVE-2021-41827 +CVE-2021-41828 +CVE-2021-41829 +CVE-2021-41833 +CVE-2021-41845 +CVE-2021-41847 +CVE-2021-41861 +CVE-2021-41862 +CVE-2021-41864 +CVE-2021-41865 +CVE-2021-41866 +CVE-2021-41867 +CVE-2021-41868 +CVE-2021-41869 +CVE-2021-41872 +CVE-2021-41873 +CVE-2021-41878 +CVE-2021-41916 +CVE-2021-41917 +CVE-2021-41918 +CVE-2021-41919 +CVE-2021-41920 +CVE-2021-41931 +CVE-2021-41947 +CVE-2021-41950 +CVE-2021-41951 +CVE-2021-41990 +CVE-2021-41991 +CVE-2021-42002 +CVE-2021-42006 +CVE-2021-42008 +CVE-2021-42040 +CVE-2021-42041 +CVE-2021-42042 +CVE-2021-42043 +CVE-2021-42044 +CVE-2021-42053 +CVE-2021-42054 +CVE-2021-42055 +CVE-2021-42071 +CVE-2021-42084 +CVE-2021-42085 +CVE-2021-42086 +CVE-2021-42087 +CVE-2021-42088 +CVE-2021-42089 +CVE-2021-42090 +CVE-2021-42091 +CVE-2021-42092 +CVE-2021-42093 +CVE-2021-42094 +CVE-2021-42095 +CVE-2021-42096 +CVE-2021-42097 +CVE-2021-42109 +CVE-2021-42111 +CVE-2021-42112 +CVE-2021-42134 +CVE-2021-42135 +CVE-2021-42137 +CVE-2021-42139 +CVE-2021-42169 +CVE-2021-42223 +CVE-2021-42224 +CVE-2021-42227 +CVE-2021-42228 +CVE-2021-42237 +CVE-2021-42252 +CVE-2021-42257 +CVE-2021-42258 +CVE-2021-42260 +CVE-2021-42261 +CVE-2021-42286 +CVE-2021-42296 +CVE-2021-42298 +CVE-2021-42300 +CVE-2021-42301 +CVE-2021-42302 +CVE-2021-42303 +CVE-2021-42304 +CVE-2021-42319 +CVE-2021-42321 +CVE-2021-42322 +CVE-2021-42323 +CVE-2021-42325 +CVE-2021-42326 +CVE-2021-42327 +CVE-2021-42341 +CVE-2021-42342 +CVE-2021-42343 +CVE-2021-42369 +CVE-2021-42556 +CVE-2021-42563 +CVE-2021-42565 +CVE-2021-42566 +CVE-2021-42574 +CVE-2021-42575 +CVE-2021-42576 +CVE-2021-42580 +CVE-2021-42650 +CVE-2021-42662 +CVE-2021-42664 +CVE-2021-42666 +CVE-2021-42670 +CVE-2021-42715 +CVE-2021-42716 +CVE-2021-42739 +CVE-2021-42740 +CVE-2021-42762 +CVE-2021-42764 +CVE-2021-42765 +CVE-2021-42766 +CVE-2021-42771 +CVE-2021-42772 +CVE-2021-42773 +CVE-2021-42774 +CVE-2021-42775 +CVE-2021-42836 +CVE-2021-42840 +CVE-2021-42847 +CVE-2021-42954 +CVE-2021-42955 +CVE-2021-42956 +CVE-2021-43056 +CVE-2021-43057 +CVE-2021-43130 +CVE-2021-43136 +CVE-2021-43140 +CVE-2021-43208 +CVE-2021-43209 +CVE-2021-43272 +CVE-2021-43273 +CVE-2021-43274 +CVE-2021-43275 +CVE-2021-43276 +CVE-2021-43277 +CVE-2021-43278 +CVE-2021-43279 +CVE-2021-43280 +CVE-2021-43331 +CVE-2021-43332 +CVE-2021-43336 +CVE-2021-43337 +CVE-2021-43339 +CVE-2021-43390 +CVE-2021-43391 +CVE-2021-43396 +CVE-2021-43397 +CVE-2021-43492 +CVE-2021-43493 +CVE-2021-43494 +CVE-2021-43495 +CVE-2021-43496 +CVE-2021-43523 +CVE-2021-43561 +CVE-2021-43562 +CVE-2021-43563 +CVE-2021-43564 +CVE-2021-43573 +CVE-2021-43574 +CVE-2021-43610 +CVE-2021-43611 +CVE-2021-43616 +CVE-2021-43617 +CVE-2021-43618 +CVE-2021-43620 +CVE-2021-43975 +CVE-2021-43976 +CVE-2021-43977 diff --git a/gsd-project/postmortems/README.md b/gsd-project/postmortems/README.md new file mode 100644 index 0000000..4498c1b --- /dev/null +++ b/gsd-project/postmortems/README.md @@ -0,0 +1,44 @@ +# Postmortems + +Use #postmortemCVE on Twitter if it's a CVE postmortem + +Each one is fun and unique. + +## CVE 2021 no affected version in data raw list + +No machine readable data for affected version. The human text description may or may not contain the data. + +[CVE 2021 no affected version in data raw list](CVE 2021 no affected version in data raw list.md) + +[The raw data](CVE-2021-no-affected-version-in-data-raw-list.txt) + +## CVE-2021-38467 + +Affected version is different across several CVE datasets and original data. + +[CVE-2021-38467](CVE-2021-38467.md) + +## CVE-2021-41773 + +Apache timeline + +[CVE-2021-41773](CVE-2021-41773.md) + +## Use of CVE to differentiate text + +The text based descriptions contain no real data other than "this is different than CVE X" + +[Use of CVE to differentiate text](Use%20of%20CVE%20to%20differentiate%20text.md) + +## Use of the exact same text + +The exact same description text is used, in one case 61 times. + +[Use of the exact same text](Use%20of%20the%20exact%20same%20text.md) + +## vim is vulnerable to Heap-based Buffer Overflow + +Trickling out of results in order to get multiple CVEs, and there is no linking data to indicate they are related. + +[vim is vulnerable to Heap-based Buffer Overflow](vim%20is%20vulnerable%20to%20Heap-based%20Buffer%20Overflow.md) + diff --git a/gsd-project/postmortems/Use of CVE to differentiate text.md b/gsd-project/postmortems/Use of CVE to differentiate text.md new file mode 100644 index 0000000..2c2fed6 --- /dev/null +++ b/gsd-project/postmortems/Use of CVE to differentiate text.md @@ -0,0 +1,32 @@ +# Use of CVE ID to differentiate text describing CVE ID + +A lot of CVE text descriptions (especially from Microsoft) are now largely devoid of information, so much so that they must list other CVE ID's in order to differentiate the ID's: + +``` +wget https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.gz +gzip -d nvdcve-1.1-2021.json.gz +grep -A 2 "\"description_data\"" nvdcve-1.1-2021.json | grep "\"value\"" | grep "CVE-2021-" | grep -v " REJECT " | grep "\(unique\|different\|similar\)" | sort +``` +Example data: + +Search for: "Storage Spaces Controller Elevation of Privilege Vulnerability" (https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=Storage+Spaces+Controller+Elevation+of+Privilege+Vulnerability&search_type=all&isCpeNameSearch=false) + +|CVE ID|Text Description| +|------|----------------| +|CVE-2021-41345|Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26441, CVE-2021-40478, CVE-2021-40488, CVE-2021-40489.| +|CVE-2021-40489|Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26441, CVE-2021-40478, CVE-2021-40488, CVE-2021-41345.| +|CVE-2021-40488|Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26441, CVE-2021-40478, CVE-2021-40489, CVE-2021-41345.| +|CVE-2021-40478|Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26441, CVE-2021-40488, CVE-2021-40489, CVE-2021-41345.| +|CVE-2021-26441|Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-40478, CVE-2021-40488, CVE-2021-40489, CVE-2021-41345.| +|CVE-2021-34536|Storage Spaces Controller Elevation of Privilege Vulnerability| +|CVE-2021-34460|Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33751, CVE-2021-34510, CVE-2021-34512, CVE-2021-34513.| +|CVE-2021-34513|Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33751, CVE-2021-34460, CVE-2021-34510, CVE-2021-34512.| +|CVE-2021-34512|Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33751, CVE-2021-34460, CVE-2021-34510, CVE-2021-34513.| +|CVE-2021-34510|Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33751, CVE-2021-34460, CVE-2021-34512, CVE-2021-34513.| +|CVE-2021-33751|Storage Spaces Controller Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-34460, CVE-2021-34510, CVE-2021-34512, CVE-2021-34513.| +|CVE-2021-26880|Storage Spaces Controller Elevation of Privilege Vulnerability| + +# Recommendations: + +1. Ensure Security Identifiers have sufficient original sourcing in order to determine what they are/apply to. +2. For many Security ID's the description text doesn't matter that much diff --git a/gsd-project/postmortems/Use of the exact same text.md b/gsd-project/postmortems/Use of the exact same text.md new file mode 100644 index 0000000..6fb97a0 --- /dev/null +++ b/gsd-project/postmortems/Use of the exact same text.md @@ -0,0 +1,33 @@ +# Use of the exact same text + +Please note this is just 2021 data, I haven't bothered to look at older data. + +Many CVEs are now using the exact same text, here is a sample of those using the same text 10 times or more in 2021. For 2021 there are 371 CVE text descriptions used more than once for 1429 CVE entries (as of 2021-11-15). + +``` +wget https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.gz +gzip -d nvdcve-1.1-2021.json.gz +grep -A 2 "\"description_data\"" nvdcve-1.1-2021.json | grep "\"value\"" | sort | uniq -d | wc -l +grep -A 2 "\"description_data\"" nvdcve-1.1-2021.json | grep "\"value\"" | sort | uniq -cd | cut -d"\"" -f1 | sed 's/ //g' | awk '{s+=$1} END {print s}' +``` + +## Specific examples of same text + +|# of occurances | CVE description text | +| ------------- | ------------- | +|11|"Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution."| +|13|"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."| +|13|"Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: Shopping Cart). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)."| +|15|"Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."| +|20|"Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Filters). The supported version that is affected is 8.5.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Outside In Technology. Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS Base Score depend on the software that uses Outside In Technology. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology, but if data is not received over a network the CVSS score may be lower. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."| +|30|"Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device."| +|61|"Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device. Cisco has not released software updates that address these vulnerabilities."| + +To search for these just cut and paste the entire text into the NIST NVD search page https://nvd.nist.gov/vuln/search and click "Exact Match" to get the results: + +https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=Multiple+vulnerabilities+in+the+web-based+management+interface+of+Cisco+Small+Business+RV110W%2C+RV130%2C+RV130W%2C+and+RV215W+Routers+could+allow+an+authenticated%2C+remote+attacker+to+execute+arbitrary+code+or+cause+an+affected+device+to+restart+unexpectedly.+The+vulnerabilities+are+due+to+improper+validation+of+user-supplied+input+in+the+web-based+management+interface.+An+attacker+could+exploit+these+vulnerabilities+by+sending+crafted+HTTP+requests+to+an+affected+device.+A+successful+exploit+could+allow+the+atta&queryType=phrase&search_type=all&isCpeNameSearch=false + +# Recommendations: + +1. CVE text descriptions are no longer important, under CNA 3.0 rules they don't even need to have a Vendor/Product/Version. Ironically you must use CVE ID's to differentiate CVE ID's from each other using the description text since there is no relational data included in the CVE data. +2. The CNA rule changes from 2 to 3 now mean that for many CVE ID's you must go to the JSON data or the original source material in order to determine what is going on (affected versions, vulnerability, etc.) diff --git a/gsd-project/postmortems/Wrong-description-for-CVE-2021-25978.md b/gsd-project/postmortems/Wrong-description-for-CVE-2021-25978.md new file mode 100644 index 0000000..6456ebb --- /dev/null +++ b/gsd-project/postmortems/Wrong-description-for-CVE-2021-25978.md @@ -0,0 +1,17 @@ +# Wrong description for CVE-2021-25978 + +Add CVE-2021-25978 +Date: Sun Nov 7 18:51:38 2021 +0200 +https://github.com/CVEProject/cvelist/commit/6b7303286d9b9f008a5f8805eb192f759f53aaf5#diff-6e7fe5fcf7616300514ee62059e29deafddaa4ee65276e5adadc31dde8dee997 + +"value": "Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed." + +Revert +Date: Sun Nov 7 19:07:01 2021 +0200 +https://github.com/CVEProject/cvelist/commit/d4743e1a03ee6a7ad9507286ce29ec8d793970c0#diff-6e7fe5fcf7616300514ee62059e29deafddaa4ee65276e5adadc31dde8dee997 + +Add CVE-2021-25979 +Date: Mon Nov 8 16:15:09 2021 +0200 +https://github.com/CVEProject/cvelist/commit/1aa30aa67748717c182c22ca06c5f25f513edfa3 + +"value": "Apostrophe CMS versions between 2.63.0 to 3.3.1 affected by an insufficient session expiration vulnerability, which allows unauthenticated remote attackers to hijack recently logged-in users' sessions." diff --git a/gsd-project/postmortems/abnormal-gsd-entries.md b/gsd-project/postmortems/abnormal-gsd-entries.md new file mode 100644 index 0000000..f4284ce --- /dev/null +++ b/gsd-project/postmortems/abnormal-gsd-entries.md @@ -0,0 +1,57 @@ +# Abnormal GSD entries that need cleanup: + +## 2021/1002xxx/GSD-2021-1002352.json + +Duplicate of GSD-2021-44228 needs better meta data + +## 2021/1002xxx/GSD-2021-1002353.json + +Duplicate of GSD-2021-45105 needs better meta data + +## 2022/1000xxx/GSD-2022-1000000.json + +Needs conversion to OSV format + +## 2022/1000xxx/GSD-2022-1000001.json + +Needs conversion to OSV format + +## 2022/1000xxx/GSD-2022-1000002.json + +Needs conversion to OSV format + +## 2022/1000xxx/GSD-2022-1000003.json + +Needs conversion to OSV format + +## 2022/1000xxx/GSD-2022-1000004.json + +Needs conversion to OSV format + +## 2022/1000xxx/GSD-2022-1000005.json + +Needs conversion to OSV format + +## 2022/1000xxx/GSD-2022-1000006.json + +GSD-2021-42392 + +## 2022/1000xxx/GSD-2022-1000066.json + +Needs conversion to OSV format + +## 2022/1000xxx/GSD-2022-1000067.json + +Needs conversion to OSV format + +## 2022/1000xxx/GSD-2022-1000068.json + +Needs conversion to OSV format + +## 2022/1000xxx/GSD-2022-1000292.json + +Duplicate of GSD-2022-1000293 needs better meta data + +## 2022/1002xxx/GSD-2022-1002526.json + +Duplicate of GSD-2022-2274 needs better meta data diff --git a/gsd-project/postmortems/accidental-deletions.md b/gsd-project/postmortems/accidental-deletions.md new file mode 100644 index 0000000..7834c2d --- /dev/null +++ b/gsd-project/postmortems/accidental-deletions.md @@ -0,0 +1,11 @@ +# Accidental deletions of data + +https://github.com/CVEProject/cvelist/commits/master/2021/43xxx/CVE-2021-43566.json + +On Nov 9, 2021 MSRC accientally deleted around 1,028 files from the cvelist git repo as well as a lot of content, it appears they forgot to use a branch? + +https://github.com/CVEProject/cvelist/commit/938debeed0dc5ff4eff0a7b3a8b4f39c8881b6bd#diff-7e001bbd4c1efff3745bc4f2c5dcfa7ab2d192fef03253754eee5134003fae3f + +And then a week later MITRE reverted the commit to fix it mostly: + +https://github.com/CVEProject/cvelist/commit/df296d9e014bf68ef22c0583c98da3fbe42ea316#diff-7e001bbd4c1efff3745bc4f2c5dcfa7ab2d192fef03253754eee5134003fae3f diff --git a/gsd-project/postmortems/cves-with-inconsistent-json-formatting.md b/gsd-project/postmortems/cves-with-inconsistent-json-formatting.md new file mode 100644 index 0000000..c4f6b16 --- /dev/null +++ b/gsd-project/postmortems/cves-with-inconsistent-json-formatting.md @@ -0,0 +1,85 @@ +# CVEs with inconsistent JSON formatting + +The typical JSON formatting in MITRE's CVE JSON is + +``` +"foo": "bar" +``` + +However the following CVEs have spaces, e.g.: + +``` +"data_type" : "CVE", +``` + +CVE-2021-1052 +CVE-2021-1053 +CVE-2021-1054 +CVE-2021-1055 +CVE-2021-1057 +CVE-2021-1058 +CVE-2021-1059 +CVE-2021-1060 +CVE-2021-1061 +CVE-2021-1062 +CVE-2021-1063 +CVE-2021-1064 +CVE-2021-1065 +CVE-2021-1066 +CVE-2021-1067 +CVE-2021-1068 +CVE-2021-1070 +CVE-2021-1071 +CVE-2021-1074 +CVE-2021-1075 +CVE-2021-1077 +CVE-2021-1078 +CVE-2021-1088 +CVE-2021-1105 +CVE-2021-1115 +CVE-2021-1116 +CVE-2021-1117 +CVE-2021-1118 +CVE-2021-1119 +CVE-2021-1120 +CVE-2021-1121 +CVE-2021-1122 +CVE-2021-1123 +CVE-2021-1125 +CVE-2021-20336 +CVE-2021-20392 +CVE-2021-20403 +CVE-2021-20439 +CVE-2021-20474 +CVE-2021-20487 +CVE-2021-20576 +CVE-2021-23175 +CVE-2021-23201 +CVE-2021-23217 +CVE-2021-23219 +CVE-2021-29665 +CVE-2021-29677 +CVE-2021-29696 +CVE-2021-29697 +CVE-2021-29704 +CVE-2021-29713 +CVE-2021-29725 +CVE-2021-29735 +CVE-2021-29753 +CVE-2021-29800 +CVE-2021-29802 +CVE-2021-29844 +CVE-2021-34399 +CVE-2021-34400 +CVE-2021-34401 +CVE-2021-34402 +CVE-2021-34403 +CVE-2021-34404 +CVE-2021-34405 +CVE-2021-34406 +CVE-2021-38972 +CVE-2021-38973 +CVE-2021-38985 +CVE-2021-38999 + +These CVEs are all from 2 CNAs: psirt@nvidia.com and psirt@us.ibm.com, and represent a subset of all their CVEs, so it appear either tooling was broken for a while or there was some error for a period of time (but not for any other CNAs). diff --git a/gsd-project/postmortems/vim is vulnerable to Heap-based Buffer Overflow.md b/gsd-project/postmortems/vim is vulnerable to Heap-based Buffer Overflow.md new file mode 100644 index 0000000..5ae3aad --- /dev/null +++ b/gsd-project/postmortems/vim is vulnerable to Heap-based Buffer Overflow.md @@ -0,0 +1,22 @@ +# "vim is vulnerable to Heap-based Buffer Overflow" + +https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=vim+is+vulnerable+to+Heap-based+Buffer+Overflow&search_type=all&isCpeNameSearch=false + +These CVE's all have the exact same description: + +* CVE-2021-3927 - https://huntr.dev/bounties/9c2b2c82-48bb-4be9-ab8f-a48ea252d1b0/ - Oct 26th 2021 +* CVE-2021-3903 - https://huntr.dev/bounties/35738a4f-55ce-446c-b836-2fb0b39625f8/ - Oct 24th 2021 +* CVE-2021-3872 - https://huntr.dev/bounties/c958013b-1c09-4939-92ca-92f50aa169e8/ - Oct 7th 2021 +* CVE-2021-3875 - https://huntr.dev/bounties/5cdbc168-6ba1-4bc2-ba6c-28be12166a53/ - Oct 5th 2021 +* CVE-2021-3778 - https://huntr.dev/bounties/d9c17308-2c99-4f9f-a706-f7f72c24c273/ - Sep 7th 2021 +* CVE-2021-3770 - https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ - Sep 3rd 2021 + +It appears someone fuzzed vim and then released the results piecemeal resul;ting in multiple CVEs rather than a single CVE for multiple issues within the same version/vulnerability type, etc. + +TODO: confirm same reporter, timelines + +TODO: The CVSS scores are all different, this needs investigation. + +# Recommendations: + +1. Include data about related Security Identifiers and what the relationship is (e.g. parent/child/sibling?) diff --git a/gsd-project/scope-coverage/examples.md b/gsd-project/scope-coverage/examples.md new file mode 100644 index 0000000..91775af --- /dev/null +++ b/gsd-project/scope-coverage/examples.md @@ -0,0 +1,13 @@ +# Crypto scams + +https://twitter.com/brianmcmichael/status/1473318960674312206 + +Email with public and private key, to retrieve the value you need to transfer some money in, but then it gets taken by the attacker. Classic scam. + +IOC:Includes wallet addresses + +# SMS phishing + +Do we want to cover phishing scams such as SMS messages (you have a refund/etc.)? + +IOC: includes website URL diff --git a/gsd-project/wardley-maps/vulnerability-handling-2022-02-26.png.png b/gsd-project/wardley-maps/vulnerability-handling-2022-02-26.png.png new file mode 100644 index 0000000..7d77d0e Binary files /dev/null and b/gsd-project/wardley-maps/vulnerability-handling-2022-02-26.png.png differ diff --git a/gsd-project/wardley-maps/vulnerability-handling.wm b/gsd-project/wardley-maps/vulnerability-handling.wm new file mode 100644 index 0000000..0dfac71 --- /dev/null +++ b/gsd-project/wardley-maps/vulnerability-handling.wm @@ -0,0 +1,56 @@ +title Mapping vulnerabilities to components + +component Vulnerability to componentt mapping with actionable information [0.95, 0.26] + +component Vendor Security Contact [0.20, 0.13] +component Vendor ChangeLog [0.35, 0.21] +component GitHub SECURITY.md [0.14, 0.42] +component Bug Bounty [0.66, 0.66] +component Security Scanner [0.80, 0.66] + + +component Machine Readable Presentation [0.65, 0.50] +component Human Readable Presentation [0.78, 0.47] + +component Vendor Advisory [0.42, 0.22] +component Vendor Advisory GitHub [0.44, 0.51] + +component Vendor Issue [0.08, 0.22] +component Vendor Issue GitHub [0.12, 0.51] + +component ID Vendor [0.14, 0.27] +component ID GitHub [0.20, 0.38] +component ID CVE [0.51, 0.30] +component ID GSD [0.57, 0.57] + +component SBOM [0.71, 0.28] +component DepChain [0.75, 0.20] + +Vendor Issue->ID Vendor +Vendor Issue->Vendor Advisory +Vendor Issue->Vendor ChangeLog +ID Vendor->ID 3rd Party +ID Vendor->ID CVE +ID Vendor->ID GitHub +ID Vendor->ID GSD +ID GSD->Machine Readable Presentation +Machine Readable Presentation->Human Readable Presentation +Machine Readable Presentation->Vulnerability to componentt mapping with actionable information +Human Readable Presentation->Vulnerability to componentt mapping with actionable information +SBOM->Vulnerability to componentt mapping with actionable information +SBOM->DepChain + + +component Security Patch [0.66, 0.11] +component New Release [0.78, 0.32] + +component Press Articles [0.85, 0.46] +Human Readable Presentation->Press Articles + +townplanners [0.46, 0.37, 0.09, 0.55] +pioneers [0.45, 0.10, 0.05, 0.30] +settlers [0.80, 0.44, 0.55, 0.60] + +note GlobalSecurityDatabase [0.81, 0.43] +note OSSF/LinuxFoundation [0.46, 0.10] +note GitHub/GitLabs [0.47, 0.40] diff --git a/gsd-project/wardley-maps/vulnerability-info.wm b/gsd-project/wardley-maps/vulnerability-info.wm new file mode 100644 index 0000000..1ee17c2 --- /dev/null +++ b/gsd-project/wardley-maps/vulnerability-info.wm @@ -0,0 +1,36 @@ +title Vulnerability Info + +component MachineReadableData [0.91, 0.36] inertia label [10, -20] +evolve MachineReadableData 0.9 label [10, -20] + +component HumanReadableData [0.90, 0.20] + +component SourceURL [0.56, 0.55] +component Affected [0.12, 0.53] +component Fixed [0.37, 0.53] + +component Workaround [0.81, 0.27] label [5, -10] +component VendorFix [0.98, 0.51] + +component VulnDetails [0.67, 0.35] +component ExploitCode [0.39, 0.27] +component Severity [0.30, 0.37] + +component SBOM [0.21, 0.34] +component DepChain [0.28, 0.23] + +MachineReadableData->HumanReadableData +SourceURL->VulnDetails +VulnDetails->MachineReadableData +VulnDetails->Workaround +Affected->VulnDetails +Fixed->VulnDetails +ExploitCode->VulnDetails +Severity->ExploitCode +Severity->VulnDetails +Affected->Fixed +VendorFix->MachineReadable +Affected->SBOM +SBOM->DepChain + +