From 0742a50d336bfe7ede609f802baf91c4d6bb12e4 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Wed, 11 Dec 2024 16:47:52 +0000 Subject: [PATCH] reconcile more psf cves Signed-off-by: Weston Steimel --- data/anchore/2023/CVE-2023-6597.json | 35 ++++++++++++----- data/anchore/2024/CVE-2024-0397.json | 35 ++++++++++------- data/anchore/2024/CVE-2024-0450.json | 38 ++++++++++++++----- data/anchore/2024/CVE-2024-11168.json | 14 +++++-- data/anchore/2024/CVE-2024-12254.json | 12 +++--- data/anchore/2024/CVE-2024-3219.json | 54 +++++++++++++++++++-------- data/anchore/2024/CVE-2024-4030.json | 50 +++++++++++++++++-------- data/anchore/2024/CVE-2024-4032.json | 36 +++++++++++------- data/anchore/2024/CVE-2024-5642.json | 13 ++++++- data/anchore/2024/CVE-2024-6923.json | 40 +++++++++++++------- data/anchore/2024/CVE-2024-8088.json | 43 ++++++++++++++------- data/anchore/2024/CVE-2024-9287.json | 37 +++++++++++++----- 12 files changed, 286 insertions(+), 121 deletions(-) diff --git a/data/anchore/2023/CVE-2023-6597.json b/data/anchore/2023/CVE-2023-6597.json index e680ef82..38f3a06b 100644 --- a/data/anchore/2023/CVE-2023-6597.json +++ b/data/anchore/2023/CVE-2023-6597.json @@ -2,6 +2,7 @@ "additionalMetadata": { "cna": "psf", "cveId": "CVE-2023-6597", + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", "reason": "Added CPE configurations because not yet analyzed by NVD.", "references": [ "http://www.openwall.com/lists/oss-security/2024/03/20/5", 
@@ -13,29 +14,39 @@ "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b", "https://github.com/python/cpython/issues/91133", "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" - ] + ], + "upstream": { + "datePublished": "2024-03-19T15:44:28.989Z", + "dateReserved": "2023-12-07T20:59:23.246Z", + "dateUpdated": "2024-11-05T19:16:27.862Z", + "digest": "df7c3e5cf61581ef5f636432b03d35637db8da730aff8977e04fcede69c44a23" + } }, "adp": { "affected": [ { + "collectionURL": "https://github.com", "cpes": [ "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" ], + "packageName": "python/cpython", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [ { - "lessThan": "3.12.3", + "lessThan": "3.8.19", "status": "affected", - "version": "3.12.0", + "version": "0", "versionType": "python" }, { - "lessThan": "3.11.9", + "lessThan": "3.9.19", "status": "affected", - "version": "3.11.0", + "version": "3.9.0", "versionType": "python" }, { @@ -45,15 +56,21 @@ "versionType": "python" }, { - "lessThan": "3.9.19", + "lessThan": "3.11.8", "status": "affected", - "version": "3.9.0", + "version": "3.11.0", "versionType": "python" }, { - "lessThan": "3.8.19", + "lessThan": "3.12.1", "status": "affected", - "version": "0", + "version": "3.12.0", + "versionType": "python" + }, + { + "lessThan": "3.13.0a3", + "status": "affected", + "version": "3.13.0a1", "versionType": "python" } ] diff --git a/data/anchore/2024/CVE-2024-0397.json b/data/anchore/2024/CVE-2024-0397.json index 5001375d..3763c01e 100644 
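Review bot: The rewritten 3.12 entry in the third hunk, `"lessThan": "3.12.1"` paired with `"version": "3.12.0"`, excludes 3.12.1, yet the description added in this file's first hunk states the issue affects "versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior". Every other bound in the record sits one patch level above the version the description names (3.11.7 → `3.11.8`, 3.9.18 → `3.9.19`, 3.8.18 → `3.8.19`), so the 3.12 line reads as either a typo for `"lessThan": "3.12.2"` or a stale description; it should be checked against the upstream record whose `digest` this commit now pins. The 3.10 entry lies in the unchanged middle of the hunk and is not visible here.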
--- a/data/anchore/2024/CVE-2024-0397.json +++ b/data/anchore/2024/CVE-2024-0397.json @@ -15,7 +15,13 @@ "https://github.com/python/cpython/issues/114572", "https://github.com/python/cpython/pull/114573", "https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" - ] + ], + "upstream": { + "datePublished": "2024-06-17T15:09:40.896Z", + "dateReserved": "2024-01-10T14:05:31.635Z", + "dateUpdated": "2024-09-17T18:24:43.948Z", + "digest": "99f765ba3b813265d8ddd66035c72e0e34597d69e643886a1afda24897a2834e" + } }, "adp": { "affected": [ @@ -24,45 +30,48 @@ "cpes": [ "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" ], + "modules": [ + "ssl" + ], "packageName": "python/cpython", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [ { - "lessThan": "3.13.0a5", + "lessThan": "3.8.20", "status": "affected", - "version": "3.13.0a1", + "version": "0", "versionType": "python" }, { - "lessThan": "3.12.3", + "lessThan": "3.9.20", "status": "affected", - "version": "3.12.0", + "version": "3.9.0", "versionType": "python" }, { - "lessThan": "3.11.9", + "lessThan": "3.10.14", "status": "affected", - "version": "3.11.0", + "version": "3.10.0", "versionType": "python" }, { - "lessThan": "3.10.14", + "lessThan": "3.11.9", "status": "affected", - "version": "3.10", + "version": "3.11.0", "versionType": "python" }, { - "lessThan": "3.9.20", + "lessThan": "3.12.3", "status": "affected", - "version": "3.9", + "version": "3.12.0", "versionType": "python" }, { - "lessThan": "3.8.20", + "lessThan": "3.13.0a5", "status": "affected", - "version": "0", + "version": "3.13.0a1", "versionType": "python" } ] diff --git a/data/anchore/2024/CVE-2024-0450.json b/data/anchore/2024/CVE-2024-0450.json index 0c25fbfb..f14abaa0 100644 --- a/data/anchore/2024/CVE-2024-0450.json +++ b/data/anchore/2024/CVE-2024-0450.json 
@@ -2,6 +2,7 @@ "additionalMetadata": { "cna": "psf", "cveId": "CVE-2024-0450", + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", "reason": "Added CPE configurations because not yet analyzed by NVD.", "references": [ "http://www.openwall.com/lists/oss-security/2024/03/20/5", 
@@ -15,30 +16,43 @@ "https://github.com/python/cpython/issues/109858", "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html", "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/", "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/", "https://www.bamsoftware.com/hacks/zipbomb/" - ] + ], + "upstream": { + "datePublished": "2024-03-19T15:12:07.789Z", + "dateReserved": "2024-01-11T22:16:41.964Z", + "dateUpdated": "2024-08-02T15:00:26.971Z", + "digest": "224951cd4f1050eb7e52c7e8308814ceee9da5842b24a2920a204b44583026a2" + } }, "adp": { "affected": [ { + "collectionURL": "https://github.com", "cpes": [ "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" ], + "modules": [ + "zipfile" + ], + "packageName": "python/cpython", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [ { - "lessThan": "3.12.3", + "lessThan": "3.8.19", "status": "affected", - "version": "3.12.0", + "version": "0", "versionType": "python" }, { - "lessThan": "3.11.9", + "lessThan": "3.9.19", "status": "affected", - "version": "3.11.0", + "version": "3.9.0", "versionType": "python" }, { @@ -48,15 +62,21 @@ "versionType": "python" }, { - "lessThan": "3.9.19", + "lessThan": "3.11.8", "status": "affected", - "version": "3.9.0", + "version": "3.11.0", "versionType": "python" }, { - "lessThan": "3.8.19", + "lessThan": "3.12.2", "status": "affected", - "version": "0", + "version": "3.12.0", + "versionType": "python" + }, + { + "lessThan": "3.13.0a3", + "status": "affected", + "version": "3.13.0a1", "versionType": "python" } ] 
diff --git a/data/anchore/2024/CVE-2024-11168.json b/data/anchore/2024/CVE-2024-11168.json index e535a200..a2d67e88 100644 --- a/data/anchore/2024/CVE-2024-11168.json +++ b/data/anchore/2024/CVE-2024-11168.json @@ -6,11 +6,19 @@ "reason": "Added CPE configurations because not yet analyzed by NVD.", "references": [ "https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5", + "https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e", "https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550", + "https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132", "https://github.com/python/cpython/issues/103848", "https://github.com/python/cpython/pull/103849", "https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/" - ] + ], + "upstream": { + "datePublished": "2024-11-12T21:22:23.438Z", + "dateReserved": "2024-11-12T21:13:15.779Z", + "dateUpdated": "2024-12-03T20:29:59.700Z", + "digest": "f417e4591d1741fec80b6fe0b8b991dcb6d5a988b77b8bfa922bb4a27858b15d" + } }, "adp": { "affected": [ @@ -33,13 +41,13 @@ { "lessThan": "3.10.16", "status": "affected", - "version": "3.10", + "version": "3.10.0", "versionType": "python" }, { "lessThan": "3.11.4", "status": "affected", - "version": "3.11", + "version": "3.11.0", "versionType": "python" }, { diff --git a/data/anchore/2024/CVE-2024-12254.json b/data/anchore/2024/CVE-2024-12254.json index 5312ae31..8d006979 100644 --- a/data/anchore/2024/CVE-2024-12254.json +++ b/data/anchore/2024/CVE-2024-12254.json @@ -14,7 +14,13 @@ ], "toDos": [ "Monitor for releases of the backported fixes to 3.12 and 3.13" - ] + ], + "upstream": { + "datePublished": "2024-12-06T15:19:41.576Z", + "dateReserved": "2024-12-05T16:17:55.154Z", + "dateUpdated": "2024-12-06T19:02:35.550Z", + "digest": "808bfb68443d76dcc8e725a2fe5d6e6f1929e92a89be43fdeb9592ea2232ac33" + } }, "adp": { "affected": [ 
@@ -27,10 +33,6 @@ "asyncio" ], "packageName": "python/cpython", - "platforms": [ - "Linux", - "MacOS" - ], "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", diff --git a/data/anchore/2024/CVE-2024-3219.json b/data/anchore/2024/CVE-2024-3219.json index 9161c7b7..d2699f2e 100644 --- a/data/anchore/2024/CVE-2024-3219.json +++ b/data/anchore/2024/CVE-2024-3219.json 
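Review bot: Dropping the `"platforms": ["Linux", "MacOS"]` restriction widens this record to every platform, and the commit message ("reconcile more psf cves") does not say whether the upstream record removed that scoping or never carried it. If the reconciliation is meant to mirror upstream, a matcher that previously skipped Windows builds will now flag them; confirm that is intended, and if it is a deliberate local deviation a short line in the file's `toDos` would record why. The `affected` entry continues outside the hunk.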
@@ -2,21 +2,45 @@ "additionalMetadata": { "cna": "psf", "cveId": "CVE-2024-3219", - "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe\n “socket” module provides a pure-Python fallback to the \nsocket.socketpair() function for platforms that don’t support AF_UNIX, \nsuch as Windows. This pure-Python implementation uses AF_INET or \nAF_INET6 to create a local connected pair of sockets. The connection \nbetween the two sockets was not verified before passing the two sockets \nback to the user, which leaves the server socket vulnerable to a \nconnection race from a malicious local peer.\n\nPlatforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.", + "description": "The\n “socket” module provides a pure-Python fallback to the \nsocket.socketpair() function for platforms that don’t support AF_UNIX, \nsuch as Windows. This pure-Python implementation uses AF_INET or \nAF_INET6 to create a local connected pair of sockets. The connection \nbetween the two sockets was not verified before passing the two sockets \nback to the user, which leaves the server socket vulnerable to a \nconnection race from a malicious local peer.\n\nPlatforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. 
Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.", "reason": "Added CPE configurations because not yet analyzed by NVD.", "references": [ "http://www.openwall.com/lists/oss-security/2024/07/29/3", + "https://github.com/python/cpython/commit/06fa244666ec6335a3b9bf2367e31b42b9a89b20", + "https://github.com/python/cpython/commit/0b65c8bf5367625673eafb92f85046a1b31259f2", + "https://github.com/python/cpython/commit/220e31adeaaa8436c9ff234cba1398bc49e2bb6c", + "https://github.com/python/cpython/commit/2621a8a40ba4b2c68ca564671b7daa5da80a4508", + "https://github.com/python/cpython/commit/31302f5fc24eecd693f0c8aaba7c2840b09b594d", + "https://github.com/python/cpython/commit/3f5d9d12c74787fbf3f5891835c85cc15526c86d", + "https://github.com/python/cpython/commit/5df322e91a40909e6904bbdbc0c3a6b6a9eead39", + "https://github.com/python/cpython/commit/5f90abaa786f994db3907fc31e2ee00ea2cf0929", + "https://github.com/python/cpython/commit/b252317956b7fc035bb3774ef6a177e227f9fc54", + "https://github.com/python/cpython/commit/c21a36112a0028d7ac3cf8f480e0dc88dba5922c", + "https://github.com/python/cpython/commit/c5655aa6ad120d2ed7f255bebd6e8b71a9c07dde", + "https://github.com/python/cpython/commit/e319f774f9e766a2b92949444a2d46081df3363a", + "https://github.com/python/cpython/commit/f071f01b7b7e19d7d6b3a4b0ec62f820ecb14660", "https://github.com/python/cpython/issues/122133", "https://github.com/python/cpython/pull/122134", "https://mail.python.org/archives/list/security-announce@python.org/thread/WYKDQWIERRE2ICIYMSVRZJO33GSCWU2B/" - ] + ], + "upstream": { + "datePublished": "2024-07-29T21:54:05.830Z", + "dateReserved": "2024-04-02T18:03:22.557Z", + "dateUpdated": "2024-11-04T21:44:46.150Z", + "digest": "d8a2b3e526e1974d0f6246a60cc6820c4e5d6922b58c6e6a4607fe89168bea6e" + } }, "adp": { "affected": [ { + "collectionURL": "https://github.com", "cpes": [ - "cpe:2.3:a:python:python:*:*:*:*:*:windows:*:*" + 
"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ], + "modules": [ + "socket" ], + "packageName": "python/cpython", "platforms": [ "Windows" ], @@ -25,39 +49,39 @@ "vendor": "Python Software Foundation", "versions": [ { - "lessThan": "3.13.0rc1", + "lessThan": "3.8.20", "status": "affected", - "version": "3.13.0a1", + "version": "0", "versionType": "python" }, { - "lessThan": "3.12.5", + "lessThan": "3.9.20", "status": "affected", - "version": "3.12", + "version": "3.9.0", "versionType": "python" }, { - "lessThan": "3.11.10", + "lessThan": "3.10.15", "status": "affected", - "version": "3.11", + "version": "3.10.0", "versionType": "python" }, { - "lessThan": "3.10.15", + "lessThan": "3.11.10", "status": "affected", - "version": "3.10", + "version": "3.11.0", "versionType": "python" }, { - "lessThan": "3.9.20", + "lessThan": "3.12.5", "status": "affected", - "version": "3.9", + "version": "3.12.0", "versionType": "python" }, { - "lessThan": "3.8.20", + "lessThan": "3.13.0rc1", "status": "affected", - "version": "3.5", + "version": "3.13.0a1", "versionType": "python" } ] diff --git a/data/anchore/2024/CVE-2024-4030.json b/data/anchore/2024/CVE-2024-4030.json index e41cdc79..5575b5ea 100644 --- a/data/anchore/2024/CVE-2024-4030.json +++ b/data/anchore/2024/CVE-2024-4030.json 
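Review bot: In the second hunk the oldest range's lower bound changes from `"version": "3.5"` to `"version": "0"`, which contradicts the description kept on the new side of this file's first hunk: "Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included". If `0` is the upstream convention for the oldest range the description and bound should still agree, or the deviation be noted; otherwise `"version": "3.5"` was the more precise value. Separately, the first hunk replaces the Windows-scoped CPE with `cpe:2.3:a:python:python:*:*:*:*:*:*:*:*`, so a consumer matching on CPE alone now flags the Linux and macOS installs the description explicitly says are not affected; the retained `"platforms": ["Windows"]` list is the only remaining scope and the matcher must honour it. The same CPE broadening appears in the CVE-2024-4030 hunks below.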
@@ -2,20 +2,40 @@ "additionalMetadata": { "cna": "psf", "cveId": "CVE-2024-4030", + "description": "On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions.\n\nIf you’re not using Windows or haven’t changed the temporary directory location then you aren’t affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user.\n\nThis issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix “700” for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions.", "reason": "Added CPE configurations because not yet analyzed by NVD.", "references": [ + "https://github.com/python/cpython/commit/35c799d79177b962ddace2fa068101465570a29a", + "https://github.com/python/cpython/commit/5130731c9e779b97d00a24f54cdce73ce9975dfd", + "https://github.com/python/cpython/commit/66f8bb76a15e64a1bb7688b177ed29e26230fdee", + "https://github.com/python/cpython/commit/6d0850c4c8188035643586ab4d8ec2468abd699e", "https://github.com/python/cpython/commit/81939dad77001556c527485d31a2d0f4a759033e", "https://github.com/python/cpython/commit/8ed546679524140d8282175411fd141fe7df070d", + "https://github.com/python/cpython/commit/91e3669e01245185569d09e9e6e11641282971ee", + "https://github.com/python/cpython/commit/94591dca510c796c7d40e9b4167ea56f2fdf28ca", + "https://github.com/python/cpython/commit/c8f868dc52f98011d0f9b459b6487920bfb0ac4d", + "https://github.com/python/cpython/commit/d86b49411753bf2c83291e3a14ae43fefded2f84", + "https://github.com/python/cpython/commit/e1dfa978b1ad210d551385ad8073ec6154f53763", + 
"https://github.com/python/cpython/commit/eb29e2f5905da93333d1ce78bc98b151e763ff46", "https://github.com/python/cpython/issues/118486", - "https://mail.python.org/archives/list/security-announce@python.org/thread/PRGS5OR3N3PNPT4BMV2VAGN5GMUI5636/" - ] + "https://mail.python.org/archives/list/security-announce@python.org/thread/PRGS5OR3N3PNPT4BMV2VAGN5GMUI5636/", + "https://security.netapp.com/advisory/ntap-20240705-0005/" + ], + "upstream": { + "datePublished": "2024-05-07T21:02:55.284Z", + "dateReserved": "2024-04-22T14:49:13.316Z", + "dateUpdated": "2024-09-07T02:44:36.613Z", + "digest": "da7e2764a286dacb3b987e89413d1ea9c8075bf500dd653f97a73a6d31ded162" + } }, "adp": { "affected": [ { + "collectionURL": "https://github.com", "cpes": [ - "cpe:2.3:a:python:python:*:*:*:*:*:windows:*:*" + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" ], + "packageName": "python/cpython", "platforms": [ "Windows" ], @@ -24,39 +44,39 @@ "vendor": "Python Software Foundation", "versions": [ { - "lessThan": "3.13.0b1", + "lessThan": "3.8.20", "status": "affected", - "version": "3.13.0a1", + "version": "0", "versionType": "python" }, { - "lessThan": "3.12.4", + "lessThan": "3.9.20", "status": "affected", - "version": "3.12", + "version": "3.9.0", "versionType": "python" }, { - "lessThan": "3.11.10", + "lessThan": "3.10.15", "status": "affected", - "version": "3.11", + "version": "3.10.0", "versionType": "python" }, { - "lessThan": "3.10.15", + "lessThan": "3.11.10", "status": "affected", - "version": "3.10", + "version": "3.11.0", "versionType": "python" }, { - "lessThan": "3.9.20", + "lessThan": "3.12.4", "status": "affected", - "version": "3.9", + "version": "3.12.0", "versionType": "python" }, { - "lessThan": "3.8.20", + "lessThan": "3.13.0b1", "status": "affected", - "version": "0", + "version": "3.13.0a1", "versionType": "python" } ] diff --git a/data/anchore/2024/CVE-2024-4032.json b/data/anchore/2024/CVE-2024-4032.json index 0c68881d..9e4ac8d2 100644 
--- a/data/anchore/2024/CVE-2024-4032.json +++ b/data/anchore/2024/CVE-2024-4032.json @@ -15,9 +15,16 @@ "https://github.com/python/cpython/issues/113171", "https://github.com/python/cpython/pull/113179", "https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/", + "https://security.netapp.com/advisory/ntap-20240726-0004/", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml" - ] + ], + "upstream": { + "datePublished": "2024-06-17T15:05:58.827Z", + "dateReserved": "2024-04-22T17:15:47.895Z", + "dateUpdated": "2024-09-17T15:55:55.506Z", + "digest": "5d9a58ca68fda4b5553b8d7a9b656d4cbe10956cbc56269e3c8af65d4b3aaa73" + } }, "adp": { "affected": [ @@ -26,45 +33,48 @@ "cpes": [ "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" ], + "modules": [ + "ipaddress" + ], "packageName": "python/cpython", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [ { - "lessThan": "3.12.4", + "lessThan": "3.8.20", "status": "affected", - "version": "3.12", + "version": "0", "versionType": "python" }, { - "lessThan": "3.13.0a6", + "lessThan": "3.9.20", "status": "affected", - "version": "3.13.0a1", + "version": "3.9.0", "versionType": "python" }, { - "lessThan": "3.11.10", + "lessThan": "3.10.15", "status": "affected", - "version": "3.11", + "version": "3.10.0", "versionType": "python" }, { - "lessThan": "3.10.15", + "lessThan": "3.11.10", "status": "affected", - "version": "3.10", + "version": "3.11.0", "versionType": "python" }, { - "lessThan": "3.9.20", + "lessThan": "3.12.4", "status": "affected", - "version": "3.9", + "version": "3.12.0", "versionType": "python" }, { - "lessThan": "3.8.20", + "lessThan": "3.13.0a6", "status": "affected", - "version": "0", + "version": "3.13.0a1", "versionType": "python" } ] 
diff --git a/data/anchore/2024/CVE-2024-5642.json b/data/anchore/2024/CVE-2024-5642.json index 8f0a4439..03356525 100644 --- a/data/anchore/2024/CVE-2024-5642.json +++ b/data/anchore/2024/CVE-2024-5642.json @@ -5,11 +5,20 @@ "description": "CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).", "reason": "Added CPE configurations because not yet analyzed by NVD.", "references": [ + "http://www.openwall.com/lists/oss-security/2024/06/28/4", "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e", + "https://github.com/python/cpython/issues/121227", "https://github.com/python/cpython/pull/23014", "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html", - "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/" - ] + "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/", + "https://security.netapp.com/advisory/ntap-20240726-0005/" + ], + "upstream": { + "datePublished": "2024-06-27T21:05:31.281Z", + "dateReserved": "2024-06-04T18:40:21.539Z", + "dateUpdated": "2024-11-06T20:14:30.590Z", + "digest": "c0c92103b58398a55b31b5ee2ff97e9f71564e75062ed8eb70e6d75a3dc680ca" + } }, "adp": { "affected": [ diff --git a/data/anchore/2024/CVE-2024-6923.json b/data/anchore/2024/CVE-2024-6923.json index 7a15e022..4c9be21e 100644 --- a/data/anchore/2024/CVE-2024-6923.json +++ b/data/anchore/2024/CVE-2024-6923.json 
@@ -5,17 +5,31 @@ "description": "There is a MEDIUM severity vulnerability affecting CPython.\n\nThe \nemail module didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized.", "reason": "Added CPE configurations because not yet analyzed by NVD.", "references": [ + "https://github.com/python/cpython/commit/06f28dc236708f72871c64d4bc4b4ea144c50147", + "https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7", + "https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0", + "https://github.com/python/cpython/commit/b158a76ce094897c870fb6b3de62887b7ccc33f1", + "https://github.com/python/cpython/commit/f7be505d137a22528cb0fc004422c0081d5d90e6", + "https://github.com/python/cpython/commit/f7c0f09e69e950cf3c5ada9dbde93898eb975533", "https://github.com/python/cpython/issues/121650", "https://github.com/python/cpython/pull/122233", "https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/" - ] + ], + "upstream": { + "datePublished": "2024-08-01T13:40:11.069Z", + "dateReserved": "2024-07-19T15:32:46.458Z", + "dateUpdated": "2024-09-26T15:03:13.133Z", + "digest": "9af165ab5494e2bda41138e39204c4185d9a147f2a0facfd8e414f60e52ff368" + } }, "adp": { "affected": [ { + "collectionURL": "https://github.com", "cpes": [ "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" ], + "packageName": "python/cpython", "modules": [ "email" ], 
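Review bot: The new `"packageName": "python/cpython"` line is inserted ahead of the existing `"modules"` array, whereas every other `affected` entry touched by this commit (CVE-2024-0397, CVE-2024-0450, CVE-2024-3219, CVE-2024-4032) keeps its keys alphabetical with `modules` before `packageName`. Key order carries no meaning in JSON, but if these files are regenerated or checked by a tool that emits sorted keys this entry will produce a spurious diff on the next pass; moving `packageName` after the `modules` array keeps the file canonical. The `affected` entry continues in the next hunk.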
@@ -24,39 +38,39 @@ "vendor": "Python Software Foundation", "versions": [ { - "lessThan": "3.13.0rc2", + "lessThan": "3.8.20", "status": "affected", - "version": "3.13.0a1", + "version": "0", "versionType": "python" }, { - "lessThan": "3.12.5", + "lessThan": "3.9.20", "status": "affected", - "version": "3.12", + "version": "3.9.0", "versionType": "python" }, { - "lessThan": "3.11.10", + "lessThan": "3.10.15", "status": "affected", - "version": "3.11", + "version": "3.10.0", "versionType": "python" }, { - "lessThan": "3.10.15", + "lessThan": "3.11.10", "status": "affected", - "version": "3.10", + "version": "3.11.0", "versionType": "python" }, { - "lessThan": "3.9.20", + "lessThan": "3.12.5", "status": "affected", - "version": "3.9", + "version": "3.12.0", "versionType": "python" }, { - "lessThan": "3.8.20", + "lessThan": "3.13.0rc2", "status": "affected", - "version": "0", + "version": "3.13.0a1", "versionType": "python" } ] diff --git a/data/anchore/2024/CVE-2024-8088.json b/data/anchore/2024/CVE-2024-8088.json index b4d3f20d..b71712f3 100644 --- a/data/anchore/2024/CVE-2024-8088.json +++ b/data/anchore/2024/CVE-2024-8088.json 
@@ -2,16 +2,31 @@ "additionalMetadata": { "cna": "psf", "cveId": "CVE-2024-8088", - "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.ZipFile\" like \"namelist()\", \"iterdir()\", \"extractall()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. Programs that are not handling\nuser-controlled zip archives are not affected.", + "description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\"\nmodule affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.\n\n\n\n\n\nWhen iterating over names of entries in a zip archive (for example, methods\nof \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc)\nthe process can be put into an infinite loop with a maliciously crafted\nzip archive. This defect applies when reading only metadata or extracting\nthe contents of the zip archive. 
Programs that are not handling\nuser-controlled zip archives are not affected.", "reason": "Added CPE configurations because not yet analyzed by NVD.", "references": [ + "https://github.com/python/cpython/commit/0aa1ee22ab6e204e9d3d0e9dd63ea648ed691ef1", + "https://github.com/python/cpython/commit/2231286d78d328c2f575e0b05b16fe447d1656d6", "https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e", + "https://github.com/python/cpython/commit/7bc367e464ce50b956dd232c1dfa1cad4e7fb814", + "https://github.com/python/cpython/commit/7e8883a3f04d308302361aeffc73e0e9837f19d4", "https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64", + "https://github.com/python/cpython/commit/95b073bddefa6243effa08e131e297c0383e7f6a", + "https://github.com/python/cpython/commit/962055268ed4f2ca1d717bfc8b6385de50a23ab7", "https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea", + "https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db", + "https://github.com/python/cpython/commit/fc0b8259e693caa8400fa8b6ac1e494e47ea7798", "https://github.com/python/cpython/issues/122905", + "https://github.com/python/cpython/issues/123270", "https://github.com/python/cpython/pull/122906", "https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/" - ] + ], + "upstream": { + "datePublished": "2024-08-22T18:45:31.807Z", + "dateReserved": "2024-08-22T12:42:32.661Z", + "dateUpdated": "2024-10-11T22:03:20.370Z", + "digest": "71e2e3c3438c64f28a2d121686a0032c23cca592632bc4c1ae2315cc1f1054ae" + } }, "adp": { "affected": [ 
@@ -29,39 +44,39 @@ "vendor": "Python Software Foundation", "versions": [ { - "lessThan": "3.13.0rc2", + "lessThan": "3.8.20", "status": "affected", - "version": "3.13.0a1", + "version": "0", "versionType": "python" }, { - "lessThan": "3.12.6", + "lessThan": "3.9.20", "status": "affected", - "version": "3.12", + "version": "3.9.0", "versionType": "python" }, { - "lessThan": "3.11.10", + "lessThan": "3.10.15", "status": "affected", - "version": "3.11", + "version": "3.10.0", "versionType": "python" }, { - "lessThan": "3.10.15", + "lessThan": "3.11.10", "status": "affected", - "version": "3.10", + "version": "3.11.0", "versionType": "python" }, { - "lessThan": "3.9.20", + "lessThan": "3.12.6", "status": "affected", - "version": "3.9", + "version": "3.12.0", "versionType": "python" }, { - "lessThan": "3.8.20", + "lessThan": "3.13.0rc2", "status": "affected", - "version": "0", + "version": "3.13.0a1", "versionType": "python" } ] diff --git a/data/anchore/2024/CVE-2024-9287.json b/data/anchore/2024/CVE-2024-9287.json index 748fabe2..9133b919 100644 --- a/data/anchore/2024/CVE-2024-9287.json +++ b/data/anchore/2024/CVE-2024-9287.json 
@@ -5,10 +5,21 @@ "description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "reason": "Added CPE configurations because not yet analyzed by NVD.", "references": [ + "https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7", + "https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db", + "https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8", + "https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97", + "https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483", "https://github.com/python/cpython/issues/124651", "https://github.com/python/cpython/pull/124712", "https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/" - ] + ], + "upstream": { + "datePublished": "2024-10-22T16:34:39.210Z", + "dateReserved": "2024-09-27T14:48:44.181Z", + "dateUpdated": "2024-12-06T16:08:08.818Z", + "digest": "502fad263466bd5f7fe71c7cbccc43ba68ab732f8e1c4b57cbbb97771f1ce6e5" + } }, "adp": { "affected": [ 
@@ -26,33 +37,39 @@ "vendor": "Python Software Foundation", "versions": [ { - "lessThan": "3.13.1", + "lessThan": "3.9.21", "status": "affected", - "version": "3.13", + "version": "0", "versionType": "python" }, { - "lessThan": "3.12.8", + "lessThan": "3.10.16", "status": "affected", - "version": "3.12", + "version": "3.10.0", "versionType": "python" }, { "lessThan": "3.11.11", "status": "affected", - "version": "3.11", + "version": "3.11.0", "versionType": "python" }, { - "lessThan": "3.10.16", + "lessThan": "3.12.8", "status": "affected", - "version": "3.10", + "version": "3.12.0", "versionType": "python" }, { - "lessThan": "3.9.21", + "lessThan": "3.13.1", "status": "affected", - "version": "0", + "version": "3.13.0", + "versionType": "python" + }, + { + "lessThan": "3.14.0a2", + "status": "affected", + "version": "3.14.0a1", "versionType": "python" } ]
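Review bot: The new 3.13 entry uses `"version": "3.13.0"` as its lower bound while every other record in this commit starts the 3.13 range at `"3.13.0a1"`, so the 3.13 pre-releases fall outside all ranges here even though the adjacent `"version": "3.14.0a1"` entry shows pre-release floors are used in this file. Presumably this mirrors the upstream record; if it does not, `"version": "3.13.0a1"` would be consistent with the sibling records and with the `digest`-pinned source. The enclosing `affected` entry begins before this hunk.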