reconcile more psf cves
Signed-off-by: Weston Steimel <[email protected]>
westonsteimel committed Dec 11, 2024
1 parent 8485910 commit 0742a50
Showing 12 changed files with 286 additions and 121 deletions.
35 changes: 26 additions & 9 deletions data/anchore/2023/CVE-2023-6597.json
Expand Up @@ -2,6 +2,7 @@
"additionalMetadata": {
"cna": "psf",
"cveId": "CVE-2023-6597",
"description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"http://www.openwall.com/lists/oss-security/2024/03/20/5",
Expand All @@ -13,29 +14,39 @@
"https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b",
"https://github.com/python/cpython/issues/91133",
"https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html",
"https://lists.fedoraproject.org/archives/list/[email protected]/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/",
"https://lists.fedoraproject.org/archives/list/[email protected]/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/",
"https://mail.python.org/archives/list/[email protected]/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/"
]
],
"upstream": {
"datePublished": "2024-03-19T15:44:28.989Z",
"dateReserved": "2023-12-07T20:59:23.246Z",
"dateUpdated": "2024-11-05T19:16:27.862Z",
"digest": "df7c3e5cf61581ef5f636432b03d35637db8da730aff8977e04fcede69c44a23"
}
},
"adp": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
],
"packageName": "python/cpython",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.12.3",
"lessThan": "3.8.19",
"status": "affected",
"version": "3.12.0",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.11.9",
"lessThan": "3.9.19",
"status": "affected",
"version": "3.11.0",
"version": "3.9.0",
"versionType": "python"
},
{
Expand All @@ -45,15 +56,21 @@
"versionType": "python"
},
{
"lessThan": "3.9.19",
"lessThan": "3.11.8",
"status": "affected",
"version": "3.9.0",
"version": "3.11.0",
"versionType": "python"
},
{
"lessThan": "3.8.19",
"lessThan": "3.12.1",
"status": "affected",
"version": "0",
"version": "3.12.0",
"versionType": "python"
},
{
"lessThan": "3.13.0a3",
"status": "affected",
"version": "3.13.0a1",
"versionType": "python"
}
]
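Review bot: The new 3.12 range in `versions` ends at `"lessThan": "3.12.1"`, yet the `description` added at the top of this file says the issue affects "3.12.1 ... and prior"; if `lessThan` is exclusive, 3.12.1 is affected according to the text but not matched by the range. I am reading the second line of each printed pair as the new side because the page has lost its +/- markers; if that reading holds, either the bound or the description should be checked against the upstream PSF record before this file is relied on for matching. The neighbouring entry (`3.11.0` up to `3.11.8` against "3.11.7 and prior") is consistent, which is what makes the 3.12 entry stand out. The `versions` array continues past the end of this hunk.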
35 changes: 22 additions & 13 deletions data/anchore/2024/CVE-2024-0397.json
Expand Up @@ -15,7 +15,13 @@
"https://github.com/python/cpython/issues/114572",
"https://github.com/python/cpython/pull/114573",
"https://mail.python.org/archives/list/[email protected]/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/"
]
],
"upstream": {
"datePublished": "2024-06-17T15:09:40.896Z",
"dateReserved": "2024-01-10T14:05:31.635Z",
"dateUpdated": "2024-09-17T18:24:43.948Z",
"digest": "99f765ba3b813265d8ddd66035c72e0e34597d69e643886a1afda24897a2834e"
}
},
"adp": {
"affected": [
Expand All @@ -24,45 +30,48 @@
"cpes": [
"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
],
"modules": [
"ssl"
],
"packageName": "python/cpython",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.0a5",
"lessThan": "3.8.20",
"status": "affected",
"version": "3.13.0a1",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.12.3",
"lessThan": "3.9.20",
"status": "affected",
"version": "3.12.0",
"version": "3.9.0",
"versionType": "python"
},
{
"lessThan": "3.11.9",
"lessThan": "3.10.14",
"status": "affected",
"version": "3.11.0",
"version": "3.10.0",
"versionType": "python"
},
{
"lessThan": "3.10.14",
"lessThan": "3.11.9",
"status": "affected",
"version": "3.10",
"version": "3.11.0",
"versionType": "python"
},
{
"lessThan": "3.9.20",
"lessThan": "3.12.3",
"status": "affected",
"version": "3.9",
"version": "3.12.0",
"versionType": "python"
},
{
"lessThan": "3.8.20",
"lessThan": "3.13.0a5",
"status": "affected",
"version": "0",
"version": "3.13.0a1",
"versionType": "python"
}
]
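Review bot: The `upstream` object added in the first hunk (and likewise in CVE-2023-6597, CVE-2024-0450, CVE-2024-11168 and CVE-2024-12254 in this commit) carries a bare `digest` with no statement of what was hashed or with which algorithm; the 64 hex characters suggest SHA-256, but nothing in the file says so. Since this value is presumably what a later reconcile compares to detect upstream changes, the algorithm and the hashed input deserve to be documented in the schema or README rather than in each data file, and the input ought to be a canonical serialization (sorted keys, fixed whitespace) of the upstream record, otherwise a cosmetic re-serialization upstream will register as a content change. If the schema permits, a self-describing key such as `digestSha256` would remove the ambiguity. The reordering of `versions` from descending to ascending in the second hunk is harmless to consumers, since array order carries no meaning here.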
38 changes: 29 additions & 9 deletions data/anchore/2024/CVE-2024-0450.json
Expand Up @@ -2,6 +2,7 @@
"additionalMetadata": {
"cna": "psf",
"cveId": "CVE-2024-0450",
"description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"http://www.openwall.com/lists/oss-security/2024/03/20/5",
Expand All @@ -15,30 +16,43 @@
"https://github.com/python/cpython/issues/109858",
"https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html",
"https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html",
"https://lists.fedoraproject.org/archives/list/[email protected]/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/",
"https://lists.fedoraproject.org/archives/list/[email protected]/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/",
"https://mail.python.org/archives/list/[email protected]/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/",
"https://www.bamsoftware.com/hacks/zipbomb/"
]
],
"upstream": {
"datePublished": "2024-03-19T15:12:07.789Z",
"dateReserved": "2024-01-11T22:16:41.964Z",
"dateUpdated": "2024-08-02T15:00:26.971Z",
"digest": "224951cd4f1050eb7e52c7e8308814ceee9da5842b24a2920a204b44583026a2"
}
},
"adp": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
],
"modules": [
"zipfile"
],
"packageName": "python/cpython",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.12.3",
"lessThan": "3.8.19",
"status": "affected",
"version": "3.12.0",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.11.9",
"lessThan": "3.9.19",
"status": "affected",
"version": "3.11.0",
"version": "3.9.0",
"versionType": "python"
},
{
Expand All @@ -48,15 +62,21 @@
"versionType": "python"
},
{
"lessThan": "3.9.19",
"lessThan": "3.11.8",
"status": "affected",
"version": "3.9.0",
"version": "3.11.0",
"versionType": "python"
},
{
"lessThan": "3.8.19",
"lessThan": "3.12.2",
"status": "affected",
"version": "0",
"version": "3.12.0",
"versionType": "python"
},
{
"lessThan": "3.13.0a3",
"status": "affected",
"version": "3.13.0a1",
"versionType": "python"
}
]
14 changes: 11 additions & 3 deletions data/anchore/2024/CVE-2024-11168.json
Expand Up @@ -6,11 +6,19 @@
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5",
"https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e",
"https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550",
"https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132",
"https://github.com/python/cpython/issues/103848",
"https://github.com/python/cpython/pull/103849",
"https://mail.python.org/archives/list/[email protected]/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/"
]
],
"upstream": {
"datePublished": "2024-11-12T21:22:23.438Z",
"dateReserved": "2024-11-12T21:13:15.779Z",
"dateUpdated": "2024-12-03T20:29:59.700Z",
"digest": "f417e4591d1741fec80b6fe0b8b991dcb6d5a988b77b8bfa922bb4a27858b15d"
}
},
"adp": {
"affected": [
Expand All @@ -33,13 +41,13 @@
{
"lessThan": "3.10.16",
"status": "affected",
"version": "3.10",
"version": "3.10.0",
"versionType": "python"
},
{
"lessThan": "3.11.4",
"status": "affected",
"version": "3.11",
"version": "3.11.0",
"versionType": "python"
},
{
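Review bot: The upper bounds in the second hunk are not monotonic across minor lines — the 3.10 entry ends at `"3.10.16"` while the 3.11 entry ends at `"3.11.4"` — and nothing in the file explains it, so the next reader will reasonably suspect a typo and a later reconcile may "correct" it. If the 3.11 backport genuinely shipped long before the 3.10 one (the four commit references added in the first hunk may be the evidence), a short note in `reason` such as `"3.11 bound predates 3.10 bound: backport order per the referenced upstream commits"` would record that as deliberate. The `versions` array starts and ends outside this hunk, so I cannot see the 3.9 or 3.12+ entries to compare.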
12 changes: 7 additions & 5 deletions data/anchore/2024/CVE-2024-12254.json
Expand Up @@ -14,7 +14,13 @@
],
"toDos": [
"Monitor for releases of the backported fixes to 3.12 and 3.13"
]
],
"upstream": {
"datePublished": "2024-12-06T15:19:41.576Z",
"dateReserved": "2024-12-05T16:17:55.154Z",
"dateUpdated": "2024-12-06T19:02:35.550Z",
"digest": "808bfb68443d76dcc8e725a2fe5d6e6f1929e92a89be43fdeb9592ea2232ac33"
}
},
"adp": {
"affected": [
Expand All @@ -27,10 +33,6 @@
"asyncio"
],
"packageName": "python/cpython",
"platforms": [
"Linux",
"MacOS"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
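Review bot: Dropping `platforms` (`"Linux"`, `"MacOS"`) in the second hunk widens the record to every platform, and the hunk gives no reason for it; the `reason` field sits above the first hunk, so I cannot tell whether it was updated to match. If the upstream PSF record carries no platform scoping, say so in `reason` (for example `"platforms removed: upstream record does not scope by platform"`) so the widening reads as deliberate rather than as a reconcile artefact; if upstream still scopes it, the restriction should be kept. The `toDos` entry about monitoring backports to 3.12 and 3.13 still applies after this change. The `affected` object continues past the end of the hunk.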