Add GitHub Advisory Database identifiers to external reports (#138)
briandfoy committed Feb 17, 2024
1 parent cc7ef3d commit 3fcd993
Showing 47 changed files with 13,085 additions and 13,692 deletions.
107 changes: 53 additions & 54 deletions external_reports/angular.yml
@@ -1,57 +1,56 @@
---
advisories:
- affected_versions: <=1.7.9
cve: CVE-2019-10768
description: |
In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.
fixed_versions: ~
github_security_advisory:
- GHSA-89mq-4x47-5v83
references:
- https://snyk.io/vuln/SNYK-JS-ANGULAR-534884
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
reported: 2019-11-19
severity: high
- affected_versions: <1.5.1
cve: CVE-2019-14863
description: |
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
fixed_versions: ~
github_security_advisory:
- GHSA-r5fx-8r73-v86c
references:
- https://snyk.io/vuln/npm:angular:20150807
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863
reported: 2020-01-02
severity: medium
- affected_versions: <1.8.0
cve: CVE-2020-7676
description: |
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.
fixed_versions: '>1.8.0'
github_security_advisory:
- GHSA-mhp6-pxh8-r675
references:
- https://github.com/angular/angular.js/pull/17028
- https://snyk.io/vuln/SNYK-JS-ANGULAR-570058
- https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1@%3Cozone-commits.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a@%3Cozone-issues.hadoop.apache.org%3E
reported: 2020-06-08
severity: medium
cpansa_version: 2
name: angular
url: https://github.com/angular/angular
perl_distributions:
- name: Zonemaster-GUI
affected:
- perl_module_versions: '>=1.0.7,<=1.0.11'
distributed_library_version: '1.2.22'
advisories:
- cve: CVE-2019-10768
description: >
In AngularJS before 1.7.9 the function `merge()` could be tricked
into adding or modifying properties of `Object.prototype` using a
`__proto__` payload.
affected_versions: '<=1.7.9'
fixed_versions: ~
references:
- https://snyk.io/vuln/SNYK-JS-ANGULAR-534884
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
reported: 2019-11-19
severity: high
- cve: CVE-2019-14863
description: >
There is a vulnerability in all angular versions before
1.5.0-beta.0, where after escaping the context of the web application,
the web application delivers data to its users along with other
trusted dynamic content, without validating it.
affected_versions: '<1.5.1'
fixed_versions: ~
references:
- https://snyk.io/vuln/npm:angular:20150807
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863
reported: 2020-01-02
severity: medium
- cve: CVE-2020-7676
description: >
angular.js prior to 1.8.0 allows cross site scripting. The
regex-based input HTML replacement may turn sanitized code into
unsanitized one. Wrapping "<option>" elements in "<select>" ones
changes parsing behavior, leading to possibly unsanitizing code.
affected_versions: '<1.8.0'
fixed_versions: '>1.8.0'
references:
- https://github.com/angular/angular.js/pull/17028
- https://snyk.io/vuln/SNYK-JS-ANGULAR-570058
- https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1@%3Cozone-commits.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a@%3Cozone-issues.hadoop.apache.org%3E
reported: 2020-06-08
severity: medium
- affected:
- distributed_library_version: 1.2.22
perl_module_versions: '>=1.0.7,<=1.0.11'
name: Zonemaster-GUI
url: https://github.com/angular/angular
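Review bot: the CVE-2020-7676 entry keeps `fixed_versions: '>1.8.0'` next to `affected_versions: <1.8.0`, which leaves 1.8.0 itself in neither range even though the description says the issue affects angular.js prior to 1.8.0; the fixed range should read `'>=1.8.0'`. Two smaller points in the same hunk: the new `affected_versions` scalars are unquoted (`<=1.7.9`, `<1.5.1`, `<1.8.0`) while `fixed_versions: '>1.8.0'` stays quoted. A leading `<` is a legal plain scalar, but a leading `>` is YAML's folded-block indicator, so that quote is load-bearing, and quoting every version range consistently would keep someone from dropping it on a `>` value later. The CVE-2019-14863 entry also still states `affected_versions: <1.5.1` while its description says all versions before 1.5.0-beta.0; one of the two should be reconciled.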
141 changes: 70 additions & 71 deletions external_reports/boost.yml
@@ -1,74 +1,73 @@
---
advisories:
- affected_versions: '>=1.33,<=1.34'
cve: CVE-2008-0171
description: |
regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (failed assertion and crash) via an invalid regular expression.
fixed_versions: '>1.34'
github_security_advisory:
- GHSA-mc8j-3vrc-57vf
references:
- http://bugs.gentoo.org/show_bug.cgi?id=205955
- http://svn.boost.org/trac/boost/changeset/42674
- http://svn.boost.org/trac/boost/changeset/42745
- https://issues.rpath.com/browse/RPL-2143
- http://www.ubuntu.com/usn/usn-570-1
- http://www.securityfocus.com/bid/27325
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html
- http://secunia.com/advisories/28545
- http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032
- http://secunia.com/advisories/28705
- http://secunia.com/advisories/28511
- http://secunia.com/advisories/28527
- http://wiki.rpath.com/Advisories:rPSA-2008-0063
- http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml
- http://secunia.com/advisories/28943
- http://secunia.com/advisories/28860
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html
- http://secunia.com/advisories/29323
- http://www.vupen.com/english/advisories/2008/0249
- http://secunia.com/advisories/48099
- http://www.securityfocus.com/archive/1/488102/100/0/threaded
reported: 2008-01-17
severity: ~
- affected_versions: '>=1.33,<=1.34'
cve: CVE-2008-0172
description: |
The get_repeat_type function in basic_regex_creator.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (NULL dereference and crash) via an invalid regular expression.
fixed_versions: '>1.34'
github_security_advisory:
- GHSA-6rjv-3558-988c
references:
- http://bugs.gentoo.org/show_bug.cgi?id=205955
- http://svn.boost.org/trac/boost/changeset/42674
- http://svn.boost.org/trac/boost/changeset/42745
- https://issues.rpath.com/browse/RPL-2143
- http://www.ubuntu.com/usn/usn-570-1
- http://www.securityfocus.com/bid/27325
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html
- http://secunia.com/advisories/28545
- http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032
- http://secunia.com/advisories/28705
- http://secunia.com/advisories/28511
- http://secunia.com/advisories/28527
- http://wiki.rpath.com/Advisories:rPSA-2008-0063
- http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml
- http://secunia.com/advisories/28943
- http://secunia.com/advisories/28860
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html
- http://secunia.com/advisories/29323
- http://www.vupen.com/english/advisories/2008/0249
- http://secunia.com/advisories/48099
- http://www.securityfocus.com/archive/1/488102/100/0/threaded
reported: 2008-01-17
severity: ~
cpansa_version: 2
name: boost
url: https://www.boost.org/doc/libs/1_78_0/libs/graph/doc/index.html
perl_distributions:
- name: Boost-Graph
last_version_checked: '1.4'
affected:
- perl_module_versions: '>=1,1,<=1.4'
distributed_library_version: '1.33'
advisories:
- cve: CVE-2008-0171
description: >
regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library
(aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent
attackers to cause a denial of service (failed assertion and crash)
via an invalid regular expression.
affected_versions: '>=1.33,<=1.34'
fixed_versions: '>1.34'
references:
- http://bugs.gentoo.org/show_bug.cgi?id=205955
- http://svn.boost.org/trac/boost/changeset/42674
- http://svn.boost.org/trac/boost/changeset/42745
- https://issues.rpath.com/browse/RPL-2143
- http://www.ubuntu.com/usn/usn-570-1
- http://www.securityfocus.com/bid/27325
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html
- http://secunia.com/advisories/28545
- http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032
- http://secunia.com/advisories/28705
- http://secunia.com/advisories/28511
- http://secunia.com/advisories/28527
- http://wiki.rpath.com/Advisories:rPSA-2008-0063
- http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml
- http://secunia.com/advisories/28943
- http://secunia.com/advisories/28860
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html
- http://secunia.com/advisories/29323
- http://www.vupen.com/english/advisories/2008/0249
- http://secunia.com/advisories/48099
- http://www.securityfocus.com/archive/1/488102/100/0/threaded
reported: 2008-01-17
severity: ~
- cve: CVE-2008-0172
description: >
The get_repeat_type function in basic_regex_creator.hpp in the
Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows
context-dependent attackers to cause a denial of service (NULL
dereference and crash) via an invalid regular expression.
affected_versions: '>=1.33,<=1.34'
fixed_versions: '>1.34'
references:
- http://bugs.gentoo.org/show_bug.cgi?id=205955
- http://svn.boost.org/trac/boost/changeset/42674
- http://svn.boost.org/trac/boost/changeset/42745
- https://issues.rpath.com/browse/RPL-2143
- http://www.ubuntu.com/usn/usn-570-1
- http://www.securityfocus.com/bid/27325
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html
- http://secunia.com/advisories/28545
- http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032
- http://secunia.com/advisories/28705
- http://secunia.com/advisories/28511
- http://secunia.com/advisories/28527
- http://wiki.rpath.com/Advisories:rPSA-2008-0063
- http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml
- http://secunia.com/advisories/28943
- http://secunia.com/advisories/28860
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html
- http://secunia.com/advisories/29323
- http://www.vupen.com/english/advisories/2008/0249
- http://secunia.com/advisories/48099
- http://www.securityfocus.com/archive/1/488102/100/0/threaded
reported: 2008-01-17
severity: ~
- affected:
- distributed_library_version: '1.33'
perl_module_versions: '>=1,1,<=1.4'
last_version_checked: '1.4'
name: Boost-Graph
url: https://www.boost.org/doc/libs/1_78_0/libs/graph/doc/index.html
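Review bot: `perl_module_versions: '>=1,1,<=1.4'` under the Boost-Graph `affected` entry has a comma where a dot belongs (`>=1,1` for `>=1.1`), and the new file carries it over unchanged; as written the range splits into three comma-separated parts and the first, `>=1`, is not the intended lower bound. Suggest `'>=1.1,<=1.4'`. Both advisories also remain at `severity: ~` after GHSA-mc8j-3vrc-57vf and GHSA-6rjv-3558-988c were added; if the advisory database records a severity for those identifiers it could be filled in during the same pass.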
38 changes: 20 additions & 18 deletions external_reports/bootstrap-markdown.yml
@@ -1,21 +1,23 @@
---
advisories:
- affected_versions: '>=0'
cve: X-CVE-2014-0001
description: |
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via the editor box.
fixed_versions: ~
github_security_advisory:
- ~
references:
- https://security.snyk.io/vuln/npm:bootstrap-markdown:20140826
- https://cwe.mitre.org/data/definitions/79.html
reported: 2014-08-25
severity: ~
cpansa_version: 2
name: bootstrap-markdown-editor
url: https://github.com/inacho/bootstrap-markdown-editor
perl_distributions:
- name: MySQL-Admin
last_version_checked: '1.18'
affected:
- perl_module_versions: '>=1.14,<=1.18'
distributed_library_version: '2.0.2'
advisories:
- cve: X-CVE-2014-0001
description: >
Affected versions of the package are vulnerable to Cross-site
Scripting (XSS) via the editor box.
affected_versions: '>=0'
fixed_versions: ~
references:
- https://security.snyk.io/vuln/npm:bootstrap-markdown:20140826
- https://cwe.mitre.org/data/definitions/79.html
reported: 2014-08-25
severity: ~
- affected:
- distributed_library_version: 2.0.2
perl_module_versions: '>=1.14,<=1.18'
last_version_checked: '1.18'
name: MySQL-Admin
url: https://github.com/inacho/bootstrap-markdown-editor
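Review bot: `github_security_advisory:` for X-CVE-2014-0001 is written as a list whose only element is `~`, so any consumer iterating the list sees a single null entry rather than an empty list; use `github_security_advisory: []` (or omit the key) when there is no GHSA identifier and keep the `- GHSA-...` list form for entries that have one. The `X-CVE-2014-0001` placeholder id combined with `affected_versions: '>=0'` and `fixed_versions: ~` also flags every version of the package indefinitely; a short comment stating that no CVE or fix version exists would help the next reader understand that this is intentional.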
41 changes: 21 additions & 20 deletions external_reports/bootstrap-select.yml
@@ -1,23 +1,24 @@
---
advisories:
- affected_versions: <1.13.6
cve: CVE-2019-20921
description: |
bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.
fixed_versions: '>=1.13.6'
github_security_advisory:
- GHSA-7c82-mp33-r854
references:
- https://github.com/advisories/GHSA-9r7h-6639-v5mw
- https://github.com/snapappointments/bootstrap-select/issues/2199
- https://www.npmjs.com/advisories/1522
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457
reported: 2020-09-30
severity: medium
cpansa_version: 2
name: bootstrap-select
url:
perl_distributions:
- name: MySQL-Admin
affected:
- perl_module_versions: '>=1.16,<=1.18'
distributed_library_version: '1.12.4'
advisories:
- cve: CVE-2019-20921
description: >
bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS).
It does not escape title values in OPTION elements. This may allow
attackers to execute arbitrary JavaScript in a victim's browser.
affected_versions: '<1.13.6'
fixed_versions: '>=1.13.6'
references:
- https://github.com/advisories/GHSA-9r7h-6639-v5mw
- https://github.com/snapappointments/bootstrap-select/issues/2199
- https://www.npmjs.com/advisories/1522
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457
reported: 2020-09-30
severity: medium
- affected:
- distributed_library_version: 1.12.4
perl_module_versions: '>=1.16,<=1.18'
name: MySQL-Admin
url: ~
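Review bot: the new `github_security_advisory` list gives GHSA-7c82-mp33-r854 for CVE-2019-20921, but the first reference on the same entry is https://github.com/advisories/GHSA-9r7h-6639-v5mw, a different advisory id; please confirm which of the two maps to this CVE and either drop the other or list both. Minor: the top-level `url:` is now left empty where the old file had `url: ~`; both load as null, but the explicit `~` matches how the other files express a missing value (e.g. `fixed_versions: ~`).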