diff --git a/data/anchore/2023/CVE-2023-24407.json b/data/anchore/2023/CVE-2023-24407.json index 68f2079f..e1b2319f 100644 --- a/data/anchore/2023/CVE-2023-24407.json +++ b/data/anchore/2023/CVE-2023-24407.json @@ -25,7 +25,7 @@ "vendor": "WpDevArt", "versions": [ { - "lessThanOrEqual": "3.2.3", + "lessThan": "3.2.4", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3a5c4f2-22f6-45df-bf76-9dfa1d2f5f41?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2023/CVE-2023-49196.json b/data/anchore/2023/CVE-2023-49196.json index fa4c386d..77e8b69f 100644 --- a/data/anchore/2023/CVE-2023-49196.json +++ b/data/anchore/2023/CVE-2023-49196.json @@ -25,7 +25,7 @@ "vendor": "Pagelayer Team", "versions": [ { - "lessThanOrEqual": "1.7.7", + "lessThan": "1.7.8", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a0c8ecc-f0a1-41fa-a5f7-2d65d610efc0?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2023/CVE-2023-6964.json b/data/anchore/2023/CVE-2023-6964.json new file mode 100644 index 00000000..8ce3247d --- /dev/null +++ b/data/anchore/2023/CVE-2023-6964.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2023-6964", + "description": "The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.26 via the 'kadence_import_get_new_connection_data' AJAX action. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3019592%40kadence-blocks&old=2996625%40kadence-blocks&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/b01ad77f-2349-48bb-b4e9-f7cbce435de9?source=cve" + ], + "upstream": { + "datePublished": "2024-04-09T18:59:15.108Z", + "dateReserved": "2023-12-19T20:20:23.614Z", + "dateUpdated": "2024-08-02T08:50:06.683Z", + "digest": "bfccc16a6d328cb12da3bb62a4fc7cbcadf0ad463f9d5d15e01b76adc39585ed" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:kadencewp:gutenberg_blocks_with_ai:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "kadence-blocks", + "packageType": "wordpress-plugin", + "product": "Gutenberg Blocks by Kadence Blocks – Page Builder Features", + "repo": "https://plugins.svn.wordpress.org/kadence-blocks", + "vendor": "britner", + "versions": [ + { + "lessThan": "3.2.12", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-0598.json b/data/anchore/2024/CVE-2024-0598.json new file mode 100644 index 00000000..78c3b73a --- /dev/null +++ b/data/anchore/2024/CVE-2024-0598.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-0598", + "description": "The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form message settings in all versions up to and including 3.2.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This primarily affects multi-site installations and installations where unfiltered_html has been disabled.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://advisory.abay.sh/cve-2024-0598", + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3023068%40kadence-blocks&new=3023068%40kadence-blocks&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/989bd778-c7b2-41c5-ac4a-2f1a4e594f0d?source=cve" + ], + "upstream": { + "datePublished": "2024-04-09T18:59:07.479Z", + "dateReserved": "2024-01-16T15:02:21.160Z", + "dateUpdated": "2024-08-01T18:11:35.656Z", + "digest": "0117b74712562c950d9d7dd64f1c29d86f9f1562ee6c35992ce9f951cd2bcc7a" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:kadencewp:gutenberg_blocks_with_ai:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "kadence-blocks", + "packageType": "wordpress-plugin", + "product": "Gutenberg Blocks by Kadence Blocks – Page Builder Features", + "repo": "https://plugins.svn.wordpress.org/kadence-blocks", + "vendor": "britner", + "versions": [ + { + "lessThan": "3.2.18", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10010.json b/data/anchore/2024/CVE-2024-10010.json new file mode 100644 index 00000000..b41c7fa8 --- /dev/null +++ b/data/anchore/2024/CVE-2024-10010.json @@ -0,0 +1,48 @@ +{ + "additionalMetadata": { + "cna": "wpscan", + "cveId": "CVE-2024-10010", + "description": "The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://wpscan.com/vulnerability/8a258d33-a354-4cbb-bfcb-31b7f1b1a036/" + ], + "upstream": { + "datePublished": "2024-12-12T06:00:09.430Z", + "dateReserved": "2024-10-15T21:29:44.420Z", + "dateUpdated": "2024-12-12T15:10:49.393Z", + "digest": "396c7a7ece0d7f5cf905f53c2d10e8c578cf324eaf4699412d6e2e56fcc66de8" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "learnpress", + "packageType": "wordpress-plugin", + "product": "LearnPress", + "repo": "https://plugins.svn.wordpress.org/learnpress", + "versions": [ + { + "lessThan": "4.2.7.2", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68991289-acfa-4ab9-9852-755e5f1eda33?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10043.json b/data/anchore/2024/CVE-2024-10043.json new file mode 100644 index 00000000..889eaeaa --- /dev/null +++ b/data/anchore/2024/CVE-2024-10043.json @@ -0,0 +1,111 @@ +{ + "additionalMetadata": { + "cna": "gitlab", + "cveId": "CVE-2024-10043", + "description": "An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4 all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident title through the Wiki History Diff feature, potentially leading to information disclosure.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.com/gitlab-org/gitlab/-/issues/499577", + "https://hackerone.com/reports/2774817" + ], + "solutions": [ + "Upgrade to versions 17.4.6, 17.5.4, 17.6.2 or above." + ], + "upstream": { + "datePublished": "2024-12-12T12:02:29.814Z", + "dateReserved": "2024-10-16T16:30:46.408Z", + "dateUpdated": "2024-12-12T15:44:38.834Z", + "digest": "cc8d392a3e8240200719a3b7e3c387953acfa7686f7feff28c8c8db7fc7d957c" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", + "cpe:2.3:a:gitlab:gitlab_enterprise:*:*:*:*:*:*:*:*" + ], + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "14.3", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "deb", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "14.3", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "rpm", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "14.3", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10104.json b/data/anchore/2024/CVE-2024-10104.json index ddc82dc0..0a7a3f65 100644 --- a/data/anchore/2024/CVE-2024-10104.json +++ b/data/anchore/2024/CVE-2024-10104.json @@ -33,6 +33,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bbe6b57-9c50-4515-aa62-a9d9a41bf4ce?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10111.json b/data/anchore/2024/CVE-2024-10111.json new file mode 100644 index 00000000..2bf78264 --- /dev/null +++ b/data/anchore/2024/CVE-2024-10111.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-10111", + "description": "The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://wordpress.org/plugins/miniorange-login-with-eve-online-google-facebook/", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddd83877-739f-4c21-8179-20de8bbc4936?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T03:23:10.001Z", + "dateReserved": "2024-10-17T22:56:59.678Z", + "dateUpdated": "2024-12-12T15:55:19.489Z", + "digest": "e491fa557f2b21c5984f6ec8124ccce7103baab1c7c9e3eab1beba845cd287f9" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "miniorange-login-with-eve-online-google-facebook", + "packageType": "wordpress-plugin", + "product": "OAuth Single Sign On – SSO (OAuth Client)", + "repo": "https://plugins.svn.wordpress.org/miniorange-login-with-eve-online-google-facebook", + "vendor": "cyberlord92", + "versions": [ + { + "lessThanOrEqual": "6.26.3", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10146.json b/data/anchore/2024/CVE-2024-10146.json index cc843e92..b49b5128 100644 --- a/data/anchore/2024/CVE-2024-10146.json +++ b/data/anchore/2024/CVE-2024-10146.json @@ -32,6 +32,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/078b58df-ca2f-4c44-896b-f0e0f7d3bf2b?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10473.json b/data/anchore/2024/CVE-2024-10473.json index 86da79fa..878952ba 100644 --- a/data/anchore/2024/CVE-2024-10473.json +++ b/data/anchore/2024/CVE-2024-10473.json @@ -33,6 +33,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa1c526d-b751-4461-9e54-e7704ca8ddc3?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10480.json b/data/anchore/2024/CVE-2024-10480.json index 438d1193..78f5a25f 100644 --- a/data/anchore/2024/CVE-2024-10480.json +++ b/data/anchore/2024/CVE-2024-10480.json @@ -32,6 +32,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c29e242-b05c-4876-8948-1278982d6fbc?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10493.json b/data/anchore/2024/CVE-2024-10493.json index 4f9b8434..e4eac71b 100644 --- a/data/anchore/2024/CVE-2024-10493.json +++ b/data/anchore/2024/CVE-2024-10493.json @@ -31,6 +31,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b77982e-15ab-4376-89d3-7a2609b118eb?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10499.json b/data/anchore/2024/CVE-2024-10499.json new file mode 100644 index 00000000..f0c5c894 --- /dev/null +++ b/data/anchore/2024/CVE-2024-10499.json @@ -0,0 +1,43 @@ +{ + "additionalMetadata": { + "cna": "wpscan", + "cveId": "CVE-2024-10499", + "description": "The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection attacks", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://wpscan.com/vulnerability/8606a93a-f61d-40df-a67e-0ac75eeadee8/" + ], + "upstream": { + "datePublished": "2024-12-12T06:00:09.432Z", + "dateReserved": "2024-10-29T17:20:09.964Z", + "dateUpdated": "2024-12-12T15:17:51.374Z", + "digest": "72b9e8cb74826913d11eb444de7cf6b3e5cb7c6c40a7ad246b13695803a54831" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:meowapps:ai_engine:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "ai-engine", + "packageType": "wordpress-plugin", + "product": "AI Engine", + "repo": "https://plugins.svn.wordpress.org/ai-engine", + "versions": [ + { + "lessThan": "2.6.5", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10568.json b/data/anchore/2024/CVE-2024-10568.json new file mode 100644 index 00000000..6395b97d --- /dev/null +++ b/data/anchore/2024/CVE-2024-10568.json @@ -0,0 +1,48 @@ +{ + "additionalMetadata": { + "cna": "wpscan", + "cveId": "CVE-2024-10568", + "description": "The Ajax Search Lite WordPress plugin before 4.12.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://wpscan.com/vulnerability/1676aef0-be5d-4335-933d-dc0d54416fd4/" + ], + "upstream": { + "datePublished": "2024-12-12T06:00:18.035Z", + "dateReserved": "2024-10-30T20:53:30.022Z", + "dateUpdated": "2024-12-12T15:34:06.298Z", + "digest": "81702a2c62ac8bd3d902a4115c0031e17b0c6ff16d55c6403fd8b06ed6f44b0e" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:ajax_search_project:ajax_search:*:*:*:*:lite:wordpress:*:*" + ], + "packageName": "ajax-search-lite", + "packageType": "wordpress-plugin", + "product": "Ajax Search Lite", + "repo": "https://plugins.svn.wordpress.org/ajax-search-lite", + "versions": [ + { + "lessThan": "4.12.4", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10c31c9c-ada9-43b5-a595-ca00b12d6840?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10704.json b/data/anchore/2024/CVE-2024-10704.json index 7dca7820..bc3fff7e 100644 --- a/data/anchore/2024/CVE-2024-10704.json +++ b/data/anchore/2024/CVE-2024-10704.json @@ -32,6 +32,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b1bc2300-bd8d-4e4a-8ab5-a541f62133ca?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10708.json b/data/anchore/2024/CVE-2024-10708.json index bb4be984..c9605c85 100644 --- a/data/anchore/2024/CVE-2024-10708.json +++ b/data/anchore/2024/CVE-2024-10708.json @@ -39,6 +39,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/69aa2287-3d26-43e2-a2d0-4985ed17d096?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10784.json b/data/anchore/2024/CVE-2024-10784.json new file mode 100644 index 00000000..abb8a894 --- /dev/null +++ b/data/anchore/2024/CVE-2024-10784.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-10784", + "description": "The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Tile Gallery' widget in all versions up to, and including, 1.5.126 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3185683%40unlimited-elements-for-elementor&new=3185683%40unlimited-elements-for-elementor&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/0149ae49-5d40-4431-9612-04182afce2ec?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T06:46:31.717Z", + "dateReserved": "2024-11-04T13:41:15.761Z", + "dateUpdated": "2024-12-12T14:39:05.492Z", + "digest": "f9ebc185567229fd88adaa1f75c6f96d605488a86aea17058604e4273f5106ba" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:unlimited-elements:unlimited_elements_for_elementor_\\(free_widgets\\,_addons\\,_templates\\):*:*:*:*:*:wordpress:*:*" + ], + "packageName": "unlimited-elements-for-elementor", + "packageType": "wordpress-plugin", + "product": "Unlimited Elements For Elementor (Free Widgets, Addons, Templates)", + "repo": "https://plugins.svn.wordpress.org/unlimited-elements-for-elementor", + "vendor": "unitecms", + "versions": [ + { + "lessThan": "1.5.127", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10893.json b/data/anchore/2024/CVE-2024-10893.json index 91d93882..e8dfab0c 100644 --- a/data/anchore/2024/CVE-2024-10893.json +++ b/data/anchore/2024/CVE-2024-10893.json @@ -35,6 +35,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6c74bcb-b41d-4a4f-97d5-b92a3bfc794d?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10896.json b/data/anchore/2024/CVE-2024-10896.json index 8a361ae5..776083c5 100644 --- a/data/anchore/2024/CVE-2024-10896.json +++ b/data/anchore/2024/CVE-2024-10896.json @@ -33,6 +33,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d6cc17a6-994c-4ac4-8175-263add849b1b?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10910.json b/data/anchore/2024/CVE-2024-10910.json new file mode 100644 index 00000000..43626a05 --- /dev/null +++ b/data/anchore/2024/CVE-2024-10910.json @@ -0,0 +1,47 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-10910", + "description": "The The Grid Plus – Unlimited grid layout plugin for WordPress is vulnerable to arbitrary shortcode execution via grid_plus_load_by_category AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/browser/grid-plus/tags/1.3.5/core/ajax_fe.php#L19", + "https://wordpress.org/plugins/grid-plus/#developers", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/266032a8-a139-4a14-8eda-8be7a66357df?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T04:23:10.508Z", + "dateReserved": "2024-11-06T00:21:14.957Z", + "dateUpdated": "2024-12-12T15:01:28.858Z", + "digest": "0798182f64c26bde854639c121c597f504d1abff8c920943c30f3f3b9e4cd768" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:g5theme:grid-plus:*:*:*:*:*:wordpress:*:*", + "cpe:2.3:a:g5theme:grid_plus:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "grid-plus", + "packageType": "wordpress-plugin", + "product": "Grid Plus – Unlimited grid layout", + "repo": "https://plugins.svn.wordpress.org/grid-plus", + "vendor": "g5theme", + "versions": [ + { + "lessThanOrEqual": "1.3.5", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-10952.json b/data/anchore/2024/CVE-2024-10952.json index e999cca4..9104084e 100644 --- a/data/anchore/2024/CVE-2024-10952.json +++ b/data/anchore/2024/CVE-2024-10952.json @@ -25,7 +25,7 @@ "vendor": "wpkube", "versions": [ { - "lessThanOrEqual": "2.0.4", + "lessThan": "2.0.5", "status": "affected", "version": "0", "versionType": "semver" diff --git a/data/anchore/2024/CVE-2024-11052.json b/data/anchore/2024/CVE-2024-11052.json new file mode 100644 index 00000000..656b4fb2 --- /dev/null +++ b/data/anchore/2024/CVE-2024-11052.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-11052", + "description": "The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the calculations parameter in all versions up to, and including, 3.8.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/browser/ninja-forms/tags/3.8.18/includes/Admin/Metaboxes/Calculations.php#L26", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/c3adf367-0126-4d95-b337-cc3581975113?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T05:24:24.004Z", + "dateReserved": "2024-11-09T18:33:27.725Z", + "dateUpdated": "2024-12-12T15:46:09.581Z", + "digest": "c454e82833e73db3e9d6d2006b05addf77d4a5b03de5bac023be3497bc967237" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:ninjaforms:contact_form:*:*:*:*:*:wordpress:*:*", + "cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "ninja-forms", + "packageType": "wordpress-plugin", + "product": "Ninja Forms – The Contact Form Builder That Grows With You", + "repo": "https://plugins.svn.wordpress.org/ninja-forms", + "vendor": "kstover", + "versions": [ + { + "lessThan": "3.8.20", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-11107.json b/data/anchore/2024/CVE-2024-11107.json index 8d55ccc2..79ad707f 100644 --- a/data/anchore/2024/CVE-2024-11107.json +++ b/data/anchore/2024/CVE-2024-11107.json @@ -39,6 +39,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ed6c1c2-8fbd-4bcb-854a-492d1060364b?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-11181.json b/data/anchore/2024/CVE-2024-11181.json new file mode 100644 index 00000000..4a7c1d41 --- /dev/null +++ b/data/anchore/2024/CVE-2024-11181.json @@ -0,0 +1,47 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-11181", + "description": "The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 9.9.9.3 via the 'wp_reusable_render' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/trunk/settings.php#L1236", + "https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/trunk/settings.php#L43", + "https://plugins.trac.wordpress.org/changeset/3203829/greenshift-animation-and-page-builder-blocks/trunk/settings.php", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/06047667-2a24-4e1c-9389-11daceff4d23?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T06:46:32.559Z", + "dateReserved": "2024-11-13T15:16:43.061Z", + "dateUpdated": "2024-12-12T14:40:45.586Z", + "digest": "714a9a5e6b713f28604325a371358cf382405a687cd04da8e10748dd8f00a608" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:greenshiftwp:greenshift_-_animation_and_page_builder_blocks:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "greenshift-animation-and-page-builder-blocks", + "packageType": "wordpress-plugin", + "product": "Greenshift – animation and page builder blocks", + "repo": "https://plugins.svn.wordpress.org/greenshift-animation-and-page-builder-blocks", + "vendor": "wpsoul", + "versions": [ + { + "lessThan": "9.9.9.4", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-11274.json b/data/anchore/2024/CVE-2024-11274.json new file mode 100644 index 00000000..7081418b --- /dev/null +++ b/data/anchore/2024/CVE-2024-11274.json @@ -0,0 +1,195 @@ +{ + "additionalMetadata": { + "cna": "gitlab", + "cveId": "CVE-2024-11274", + "description": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.com/gitlab-org/gitlab/-/issues/504707", + "https://hackerone.com/reports/2813673" + ], + "solutions": [ + "Upgrade to versions 17.4.6, 17.5.4, 17.6.2 or above." + ], + "upstream": { + "datePublished": "2024-12-12T12:02:20.019Z", + "dateReserved": "2024-11-15T18:31:33.020Z", + "dateUpdated": "2024-12-12T15:44:45.428Z", + "digest": "6f4a6c837be5a8bd5b686cb4666b4ad9369fd918e0947cb8f4d6a67ebb2e8c67" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" + ], + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "16.1", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", + "cpe:2.3:a:gitlab:gitlab_enterprise:*:*:*:*:*:*:*:*" + ], + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "16.1", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "deb", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "16.1", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "rpm", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "16.1", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "deb", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "16.1", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "rpm", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "16.1", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-11709.json b/data/anchore/2024/CVE-2024-11709.json new file mode 100644 index 00000000..b9aa3c18 --- /dev/null +++ b/data/anchore/2024/CVE-2024-11709.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-11709", + "description": "The AI Post Generator | AutoWriter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ai_post_generator_delete_Post AJAX action in all versions up to, and including, 3.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary pages and posts.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/browser/ai-post-generator/trunk/inc/insert-head.php#L430", + "https://plugins.trac.wordpress.org/browser/ai-post-generator/trunk/inc/insert-head.php#L512", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/f00ac468-870a-4c43-af25-9febea5e4d67?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T04:23:15.579Z", + "dateReserved": "2024-11-25T16:33:45.833Z", + "dateUpdated": "2024-12-12T15:46:40.246Z", + "digest": "c783505d6b9d4e2137ad5cfd281bccace596077572c04710dfd18cfca6f7a232" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:autowriter:ai_post_generator_\\|_autowriter:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "ai-post-generator", + "packageType": "wordpress-plugin", + "product": "AI Post Generator | AutoWriter", + "repo": "https://plugins.svn.wordpress.org/ai-post-generator", + "vendor": "kekotron", + "versions": [ + { + "lessThanOrEqual": "3.5", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-11765.json b/data/anchore/2024/CVE-2024-11765.json new file mode 100644 index 00000000..ea7516b7 --- /dev/null +++ b/data/anchore/2024/CVE-2024-11765.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-11765", + "description": "The WordPress Portfolio Plugin – A Plugin for Making Filterable Portfolio Grid, Portfolio Slider and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_portfolio' shortcode in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/browser/gs-portfolio/tags/1.6.3/gsportfolio-files/includes/templates/gs_portfolio_sthree_kira.php#L29", + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3204631%40gs-portfolio&new=3204631%40gs-portfolio&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e78440d-54ab-400f-a8d2-9cb33f1ec861?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T05:24:21.216Z", + "dateReserved": "2024-11-26T15:07:44.709Z", + "dateUpdated": "2024-12-12T14:51:37.762Z", + "digest": "68877ff690e6ea339ec87a51c53506b8c7271af21924425489e37d11cc196344" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:gsplugins:gs_filterable_portfolio:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "gs-portfolio", + "packageType": "wordpress-plugin", + "product": "WordPress Portfolio Plugin – A Plugin for Making Filterable Portfolio Grid, Portfolio Slider and more", + "repo": "https://plugins.svn.wordpress.org/gs-portfolio", + "vendor": "samdani", + "versions": [ + { + "lessThan": "1.6.4", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-11766.json b/data/anchore/2024/CVE-2024-11766.json new file mode 100644 index 00000000..4d562989 --- /dev/null +++ b/data/anchore/2024/CVE-2024-11766.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-11766", + "description": "The WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_book_showcase' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/browser/gs-books-showcase/tags/1.3.1/gs-bookshowcase-files/includes/templates/gs_bookshowcase_structure_1_square.php#L24", + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3204642%40gs-books-showcase&new=3204642%40gs-books-showcase&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3b40b73-4dec-4a96-a634-3bd3d74616ba?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T05:24:23.655Z", + "dateReserved": "2024-11-26T15:11:47.490Z", + "dateUpdated": "2024-12-12T15:46:17.512Z", + "digest": "25b7ba86c7703d46f4aa1cc70651eb01baf1db8bfeec60b9f00815c51d395e65" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:gsplugins:gs_books_showcase:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "gs-books-showcase", + "packageType": "wordpress-plugin", + "product": "WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more", + "repo": "https://plugins.svn.wordpress.org/gs-books-showcase", + "vendor": "samdani", + "versions": [ + { + "lessThan": "1.3.2", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-11914.json b/data/anchore/2024/CVE-2024-11914.json new file mode 100644 index 00000000..ef72d721 --- /dev/null +++ b/data/anchore/2024/CVE-2024-11914.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-11914", + "description": "The Gutenberg Blocks and Page Layouts – Attire Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'attire-blocks/post-carousel' block in all versions up to, and including, 1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/browser/attire-blocks/trunk/blocks/dynamic/post-carousel/index.php#L445", + "https://wordpress.org/plugins/attire-blocks/", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c7973be-cf39-4452-9e41-19d2e6aa5e97?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T03:23:06.981Z", + "dateReserved": "2024-11-27T17:17:25.944Z", + "dateUpdated": "2024-12-12T15:09:09.581Z", + "digest": "ae707f8e20890b4ecc5bd872afadfdf684b8c5d8e157c83c50deba89ce9d0833" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:wpattire:attire_blocks:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "attire-blocks", + "packageType": "wordpress-plugin", + "product": "Gutenberg Blocks and Page Layouts – Attire Blocks", + "repo": "https://plugins.svn.wordpress.org/attire-blocks", + "vendor": "shafayat-alam", + "versions": [ + { + "lessThanOrEqual": "1.9.5", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12015.json b/data/anchore/2024/CVE-2024-12015.json index 508634c7..a1efcfd9 100644 --- a/data/anchore/2024/CVE-2024-12015.json +++ b/data/anchore/2024/CVE-2024-12015.json @@ -37,6 +37,9 @@ "references": [ { "url": "https://patchstack.com/database/wordpress/plugin/wedevs-project-manager/vulnerability/wordpress-wp-project-manager-plugin-2-6-15-sql-injection-vulnerability" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c093ed6a-0f3d-4ad9-a57c-cec1c2e7bd8e?source=cve" } ] } diff --git a/data/anchore/2024/CVE-2024-12018.json b/data/anchore/2024/CVE-2024-12018.json new file mode 100644 index 00000000..309112c4 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12018.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-12018", + "description": "The Snippet Shortcodes plugin for WordPress is vulnerable to unauthorized Shortcode Deletion due to missing authorization in all versions up to, and including, 4.1.6. Note that a nonce is used as authentication here, but the value is leaked. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Shortcodes.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset/3205481/shortcode-variables/trunk/includes/hooks.php", + "https://wordpress.org/plugins/shortcode-variables/", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e6e8f68-6977-478a-b62e-0ec9385eb2af?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T05:24:20.501Z", + "dateReserved": "2024-12-02T14:22:13.775Z", + "dateUpdated": "2024-12-12T14:53:56.371Z", + "digest": "e3c68fa37cc48e4c47def7ae0c5424aaa1a1c8139079b3d15360eca33563bfde" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:yeken:snippet_shortcodes:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "shortcode-variables", + "packageType": "wordpress-plugin", + "product": "Snippet Shortcodes", + "repo": "https://plugins.svn.wordpress.org/shortcode-variables", + "vendor": "aliakro", + "versions": [ + { + "lessThan": "4.1.7", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12059.json b/data/anchore/2024/CVE-2024-12059.json new file mode 100644 index 00000000..ecee8fb5 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12059.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-12059", + "description": "The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.1 via the eli_option_value shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract arbitrary options from the wp_options table.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3203139%40elementinvader-addons-for-elementor&new=3203139%40elementinvader-addons-for-elementor&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf7ec469-70b7-4ec2-83df-c788c76730b4?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T05:24:24.715Z", + "dateReserved": "2024-12-02T20:36:46.562Z", + "dateUpdated": "2024-12-12T15:45:55.699Z", + "digest": "878cb48629987b995098c12e928127e505458f28220061a6d22becdee0a7c00d" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:elementinvader:elementinvader_addons_for_elementor:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "elementinvader-addons-for-elementor", + "packageType": "wordpress-plugin", + "product": "ElementInvader Addons for Elementor", + "repo": "https://plugins.svn.wordpress.org/elementinvader-addons-for-elementor", + "vendor": "elementinvader", + "versions": [ + { + "lessThan": "1.3.2", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12072.json b/data/anchore/2024/CVE-2024-12072.json new file mode 100644 index 00000000..90bc18a6 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12072.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-12072", + "description": "The Analytics Cat – Google Analytics Made Easy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute if they can successfully trick a user into performing an action, such as clicking on a specially crafted link.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3202743%40analytics-cat&new=3202743%40analytics-cat&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/6de64a12-0f73-40e9-bcd1-963dc6499ec4?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T05:24:20.868Z", + "dateReserved": "2024-12-02T21:38:41.149Z", + "dateUpdated": "2024-12-12T14:52:25.459Z", + "digest": "2b878995c20cd6ebcdd5ec43340961bfe698d809f345159dccf008f94777e86b" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:fatcatapps:analytics_cat:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "analytics-cat", + "packageType": "wordpress-plugin", + "product": "Analytics Cat – Google Analytics Made Easy", + "repo": "https://plugins.svn.wordpress.org/analytics-cat", + "vendor": "fatcatapps", + "versions": [ + { + "lessThan": "1.1.3", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12172.json b/data/anchore/2024/CVE-2024-12172.json new file mode 100644 index 00000000..fcd69a2d --- /dev/null +++ b/data/anchore/2024/CVE-2024-12172.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-12172", + "description": "The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpc_update_user_meta_option() function in all versions up to, and including, 3.2.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary user's metadata which can be levereged to block an administrator from accessing their site when wp_capabilities is set to 0.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3203679%40wp-courses&new=3203679%40wp-courses&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/760e999e-cac9-493f-9737-ad0cf055c880?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T05:24:21.551Z", + "dateReserved": "2024-12-04T15:20:15.836Z", + "dateUpdated": "2024-12-12T14:50:35.267Z", + "digest": "e80145a43795230f086baae904bc01cc5cb889b4fc35fb55adfd3ae6e54c9575" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:stratospheredigital:wp_courses_lms:*:*:*:*:*:wordpress:*:*", + "cpe:2.3:a:wpcoursesplugin:wp-courses:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "wp-courses", + "packageType": "wordpress-plugin", + "product": "WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses", + "repo": "https://plugins.svn.wordpress.org/wp-courses", + "vendor": "hookandhook", + "versions": [ + { + "lessThan": "3.2.22", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12212.json b/data/anchore/2024/CVE-2024-12212.json new file mode 100644 index 00000000..5f958682 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12212.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "icscert", + "cveId": "CVE-2024-12212", + "description": "The vulnerability occurs in the parsing of CSP files. The issues result \nfrom the lack of proper validation of user-supplied data, which could \nallow reading past the end of allocated data structures, resulting in \nexecution of arbitrary code.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://hornerautomation.com/cscape-software-free/cscape-software/", + "https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-05" + ], + "solutions": [ + "Horner Automation recommends users update to Cscape v10 SP1 https://hornerautomation.com/cscape-software-free/cscape-software/ or later." + ], + "upstream": { + "datePublished": "2024-12-13T00:50:45.290Z", + "dateReserved": "2024-12-04T21:11:42.412Z", + "dateUpdated": "2024-12-13T00:50:45.290Z", + "digest": "f00fbdfb1d187cf6187254a9f90754379f8f49155893c76b0b9b62c3b3f9858e" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:hornerautomation:cscape:*:*:*:*:*:*:*:*", + "cpe:2.3:a:hornerautomation:cscape_envisionrv:*:*:*:*:*:*:*:*" + ], + "product": "Cscape", + "vendor": "Horner Automation", + "versions": [ + { + "lessThanOrEqual": "10.0.363.1", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12263.json b/data/anchore/2024/CVE-2024-12263.json new file mode 100644 index 00000000..c7083db2 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12263.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-12263", + "description": "The Child Theme Creator by Orbisius plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cloud_delete() and cloud_update() functions in all versions up to, and including, 1.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and delete cloud snippets. Please note that this vulnerability was present in the Cloud Library Addon used by the plugin and not in the plugin itself, the cloud library has been removed entirely.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3205672%40orbisius-child-theme-creator&new=3205672%40orbisius-child-theme-creator&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd0eb569-b526-48bd-8198-ff883860e040?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T05:24:25.112Z", + "dateReserved": "2024-12-05T16:41:59.433Z", + "dateUpdated": "2024-12-12T15:45:50.712Z", + "digest": "e6e826970fcecc78b2f32821d7c7ca63198eef1595d60f148c5956910a302dad" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:orbisius:child_theme_creator:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "orbisius-child-theme-creator", + "packageType": "wordpress-plugin", + "product": "Child Theme Creator by Orbisius", + "repo": "https://plugins.svn.wordpress.org/orbisius-child-theme-creator", + "vendor": "lordspace", + "versions": [ + { + "lessThan": "1.5.6", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12289.json b/data/anchore/2024/CVE-2024-12289.json new file mode 100644 index 00000000..dc6af24f --- /dev/null +++ b/data/anchore/2024/CVE-2024-12289.json @@ -0,0 +1,85 @@ +{ + "additionalMetadata": { + "cna": "hashicorp", + "cveId": "CVE-2024-12289", + "description": "Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which on average is measured in milliseconds during the Boundary startup process.\n\nThis vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://discuss.hashicorp.com/t/hcsec-2024-28-boundary-controller-incorrectly-handles-http-requests-on-initialization-which-may-lead-to-a-denial-of-service" + ], + "upstream": { + "datePublished": "2024-12-12T22:42:01.595Z", + "dateReserved": "2024-12-05T22:09:25.315Z", + "dateUpdated": "2024-12-12T22:42:01.595Z", + "digest": "585481795b94f0b915df179e0dcb5508d8a6c7f14f075fbd9459e1d7fb39e3b8" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:hashicorp:boundary:*:*:*:*:community:*:*:*" + ], + "packageName": "hashicorp/boundary", + "product": "Boundary", + "repo": "https://github.com/hashicorp/boundary", + "vendor": "HashiCorp", + "versions": [ + { + "lessThan": "0.18.2", + "status": "affected", + "version": "0.18.0", + "versionType": "semver" + }, + { + "lessThan": "0.17.3", + "status": "affected", + "version": "0.17.0", + "versionType": "semver" + }, + { + "lessThan": "0.16.4", + "status": "affected", + "version": "0.8.0", + "versionType": "semver" + } + ] + }, + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:hashicorp:boundary:*:*:*:*:enterprise:*:*:*", + "cpe:2.3:a:hashicorp:boundary_enterprise:*:*:*:*:enterprise:*:*:*" + ], + "packageName": "hashicorp/boundary", + "product": "Boundary Enterprise", + "vendor": "HashiCorp", + "versions": [ + { + "lessThan": "0.18.2", + "status": "affected", + "version": "0.8.0", + "versionType": "semver" + }, + { + "lessThan": "0.17.3", + "status": "affected", + "version": "0.17.0", + "versionType": "semver" + }, + { + "lessThan": "0.16.4", + "status": "affected", + "version": "0.8.0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12292.json b/data/anchore/2024/CVE-2024-12292.json new file mode 100644 index 00000000..3a5a5f87 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12292.json @@ -0,0 +1,194 @@ +{ + "additionalMetadata": { + "cna": "gitlab", + "cveId": "CVE-2024-12292", + "description": "An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.com/gitlab-org/gitlab/-/issues/475211" + ], + "solutions": [ + "Upgrade to versions 17.4.6, 17.5.4, 17.6.2 or above." + ], + "upstream": { + "datePublished": "2024-12-12T11:30:39.823Z", + "dateReserved": "2024-12-05T23:02:19.825Z", + "dateUpdated": "2024-12-12T15:44:52.213Z", + "digest": "0a837c4029ce57d865c556912da368b710350291ea47b6b90ed1adf12a90b660" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" + ], + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.0", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", + "cpe:2.3:a:gitlab:gitlab_enterprise:*:*:*:*:*:*:*:*" + ], + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.0", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "deb", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.0", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "rpm", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.0", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "deb", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.0", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "rpm", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.0", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12329.json b/data/anchore/2024/CVE-2024-12329.json new file mode 100644 index 00000000..3d177b12 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12329.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-12329", + "description": "The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to access invoices and transaction logs", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3204549%40essential-real-estate&new=3204549%40essential-real-estate&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa5b1bf3-344e-4ae6-87b9-2dcaafd417a5?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T06:46:35.297Z", + "dateReserved": "2024-12-06T21:32:09.785Z", + "dateUpdated": "2024-12-12T14:46:16.727Z", + "digest": "3620f9c410aefc81558b1d6748be5e8fbbf9101cbb41a3cc91cfcf911e5a9766" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:g5plus:essential_real_estate:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "essential-real-estate", + "packageType": "wordpress-plugin", + "product": "Essential Real Estate", + "repo": "https://plugins.svn.wordpress.org/essential-real-estate", + "vendor": "g5theme", + "versions": [ + { + "lessThan": "5.1.7", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12333.json b/data/anchore/2024/CVE-2024-12333.json new file mode 100644 index 00000000..1c8d11c6 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12333.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-12333", + "description": "The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_instagram_ajax_query AJAX action. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/1caa8baa-0783-4bc9-af03-46a3a2cf3538?source=cve" + ], + "upstream": { + "datePublished": "2024-12-12T08:22:34.360Z", + "dateReserved": "2024-12-06T22:28:54.364Z", + "dateUpdated": "2024-12-12T14:47:05.955Z", + "digest": "dfa9a1ec0bbcaa536ab639ff23b59549f3aa399550375288257763344e806ca3" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:xtemos:woodmart:*:*:*:*:*:wordpress:*:*", + "cpe:2.3:a:xtemos:woodmart_theme:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "woodmart", + "packageType": "wordpress-theme", + "product": "Woodmart", + "repo": "https://plugins.svn.wordpress.org/woodmart", + "vendor": "xTemos", + "versions": [ + { + "lessThan": "8.0.4", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12381.json b/data/anchore/2024/CVE-2024-12381.json new file mode 100644 index 00000000..e437e469 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12381.json @@ -0,0 +1,41 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-12381", + "description": "Type Confusion in V8 in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_10.html", + "https://issues.chromium.org/issues/381696874" + ], + "upstream": { + "datePublished": "2024-12-11T17:52:05.116Z", + "dateReserved": "2024-12-09T19:19:18.713Z", + "dateUpdated": "2024-12-12T17:33:51.537Z", + "digest": "dfaeef76cecfde6d0b71727350ce05f04e46c3641c98cce9462d74d6ba91ebc9" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "131.0.6778.139", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12382.json b/data/anchore/2024/CVE-2024-12382.json new file mode 100644 index 00000000..41cbde0e --- /dev/null +++ b/data/anchore/2024/CVE-2024-12382.json @@ -0,0 +1,41 @@ +{ + "additionalMetadata": { + "cna": "chrome", + "cveId": "CVE-2024-12382", + "description": "Use after free in Translate in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_10.html", + "https://issues.chromium.org/issues/379516109" + ], + "upstream": { + "datePublished": "2024-12-11T17:52:05.545Z", + "dateReserved": "2024-12-09T19:19:18.928Z", + "dateUpdated": "2024-12-12T17:59:30.634Z", + "digest": "dfaeef76cecfde6d0b71727350ce05f04e46c3641c98cce9462d74d6ba91ebc9" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*" + ], + "product": "Chrome", + "vendor": "Google", + "versions": [ + { + "lessThan": "131.0.6778.139", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-12570.json b/data/anchore/2024/CVE-2024-12570.json new file mode 100644 index 00000000..1f921383 --- /dev/null +++ b/data/anchore/2024/CVE-2024-12570.json @@ -0,0 +1,195 @@ +{ + "additionalMetadata": { + "cna": "gitlab", + "cveId": "CVE-2024-12570", + "description": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's `CI_JOB_TOKEN` to obtain a GitLab session token belonging to the victim.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.com/gitlab-org/gitlab/-/issues/494694", + "https://hackerone.com/reports/2724948" + ], + "solutions": [ + "Upgrade to versions 17.4.6, 17.5.4, 17.6.2 or above." + ], + "upstream": { + "datePublished": "2024-12-12T11:30:44.818Z", + "dateReserved": "2024-12-12T11:30:35.012Z", + "dateUpdated": "2024-12-12T15:27:30.051Z", + "digest": "ff8670e3c49417dd80eb1a46053af902f209a134d086305867fee79ba47df52f" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" + ], + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.7", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", + "cpe:2.3:a:gitlab:gitlab_enterprise:*:*:*:*:*:*:*:*" + ], + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.7", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "deb", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.7", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "rpm", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.7", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "deb", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.7", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "rpm", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.7", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-1999.json b/data/anchore/2024/CVE-2024-1999.json new file mode 100644 index 00000000..8059fcaf --- /dev/null +++ b/data/anchore/2024/CVE-2024-1999.json @@ -0,0 +1,46 @@ +{ + "additionalMetadata": { + "cna": "wordfence", + "cveId": "CVE-2024-1999", + "description": "The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Widget's anchor style parameter in all versions up to, and including, 3.2.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.2.25/includes/blocks/class-kadence-blocks-testimonial-block.php#L88", + "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3047463%40kadence-blocks%2Ftrunk&old=3042198%40kadence-blocks%2Ftrunk&sfp_email=&sfph_mail=", + "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5fd4dbe-6f44-45ef-9d49-4bc624fdcc57?source=cve" + ], + "upstream": { + "datePublished": "2024-04-09T18:59:15.564Z", + "dateReserved": "2024-02-28T21:59:01.048Z", + "dateUpdated": "2024-08-01T18:56:22.554Z", + "digest": "bfb09d1ff6e4ce3a3056275186f837285cb1399cc27a3f30d7d5fe05dcb5cf99" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:kadencewp:gutenberg_blocks_with_ai:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "kadence-blocks", + "packageType": "wordpress-plugin", + "product": "Gutenberg Blocks by Kadence Blocks – Page Builder Features", + "repo": "https://plugins.svn.wordpress.org/kadence-blocks", + "vendor": "britner", + "versions": [ + { + "lessThan": "3.2.26", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-37250.json b/data/anchore/2024/CVE-2024-37250.json index 6645bf23..e426ecb3 100644 --- a/data/anchore/2024/CVE-2024-37250.json +++ b/data/anchore/2024/CVE-2024-37250.json @@ -36,6 +36,14 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16f40b76-8f69-46de-a3e0-b7124dc74c00?source=cve" + }, + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8c1823c-72be-4342-b4e9-0dc18afbb4a8?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-37377.json b/data/anchore/2024/CVE-2024-37377.json new file mode 100644 index 00000000..b1df7379 --- /dev/null +++ b/data/anchore/2024/CVE-2024-37377.json @@ -0,0 +1,40 @@ +{ + "additionalMetadata": { + "cna": "hackerone", + "cveId": "CVE-2024-37377", + "description": "A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs" + ], + "upstream": { + "datePublished": "2024-12-11T18:52:27.462Z", + "dateReserved": "2024-06-07T01:04:06.870Z", + "dateUpdated": "2024-12-12T14:46:24.352Z", + "digest": "014da56a429eeb55e90b4e6145743cf633e5048cd027baec2ae0b6ad2783bce1" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:ivanti:connect_secure:*:*:*:*:*:*:*:*" + ], + "product": "Connect Secure", + "vendor": "Ivanti", + "versions": [ + { + "lessThan": "22.7r2.3", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-37401.json b/data/anchore/2024/CVE-2024-37401.json new file mode 100644 index 00000000..c68f3955 --- /dev/null +++ b/data/anchore/2024/CVE-2024-37401.json @@ -0,0 +1,40 @@ +{ + "additionalMetadata": { + "cna": "hackerone", + "cveId": "CVE-2024-37401", + "description": "An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial of service.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs" + ], + "upstream": { + "datePublished": "2024-12-11T18:52:27.527Z", + "dateReserved": "2024-06-08T01:04:07.093Z", + "dateUpdated": "2024-12-12T14:39:24.747Z", + "digest": "7923ab76c2a81c90a0cb992df80e004b27452024b4fbc6981e8822d62eeeab1f" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:ivanti:connect_secure:*:*:*:*:*:*:*:*" + ], + "product": "Connect Secure", + "vendor": "Ivanti", + "versions": [ + { + "lessThan": "22.7r2.1", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45337.json b/data/anchore/2024/CVE-2024-45337.json new file mode 100644 index 00000000..195e81ae --- /dev/null +++ b/data/anchore/2024/CVE-2024-45337.json @@ -0,0 +1,53 @@ +{ + "additionalMetadata": { + "cna": "go", + "cveId": "CVE-2024-45337", + "description": "Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909", + "https://go.dev/cl/635315", + "https://go.dev/issue/70779", + "https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ", + "https://pkg.go.dev/vuln/GO-2024-3321" + ], + "upstream": { + "datePublished": "2024-12-11T18:55:58.506Z", + "dateReserved": "2024-08-27T19:41:58.555Z", + "dateUpdated": "2024-12-12T20:48:37.700Z", + "digest": "abe84a9a748618f5248233a1f6bc4e47c8c617be7191c34e20c7d8a9cb3fcaba" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://pkg.go.dev", + "cpes": [ + "cpe:2.3:a:golang:package_ssh:*:*:*:*:*:go:*:*", + "cpe:2.3:a:golang:ssh:*:*:*:*:*:go:*:*" + ], + "packageName": "golang.org/x/crypto/ssh", + "packageType": "go-module", + "product": "golang.org/x/crypto/ssh", + "programRoutines": [ + { + "name": "ServerConfig.PublicKeyCallback" + } + ], + "vendor": "golang.org/x/crypto", + "versions": [ + { + "lessThan": "0.31.0", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-45404.json b/data/anchore/2024/CVE-2024-45404.json new file mode 100644 index 00000000..cf3c5a1b --- /dev/null +++ b/data/anchore/2024/CVE-2024-45404.json @@ -0,0 +1,43 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-45404", + "description": "OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-hg56-r6hh-56j7" + ], + "upstream": { + "datePublished": "2024-12-11T22:01:46.667Z", + "dateReserved": "2024-08-28T20:21:32.804Z", + "dateUpdated": "2024-12-12T16:36:11.908Z", + "digest": "7277e853ff9e28af993ee4d40d42573a5c35acf836750cc9ff85c24bc95cb242" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*" + ], + "packageName": "opencti-platform/opencti", + "product": "opencti", + "repo": "https://github.com/opencti-platform/opencti", + "vendor": "OpenCTI-Platform", + "versions": [ + { + "lessThan": "6.2.8", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47537.json b/data/anchore/2024/CVE-2024-47537.json new file mode 100644 index 00000000..ece76e7c --- /dev/null +++ b/data/anchore/2024/CVE-2024-47537.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47537", + "description": "GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0005.html", + "https://securitylab.github.com/advisories/GHSL-2024-094_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T18:51:56.158Z", + "dateReserved": "2024-09-25T21:46:10.929Z", + "dateUpdated": "2024-12-11T19:15:49.449Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47538.json b/data/anchore/2024/CVE-2024-47538.json new file mode 100644 index 00000000..db59e3d3 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47538.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47538", + "description": "GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the vorbis_handle_identification_packet function within gstvorbisdec.c. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This vulnerability allows to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the GstAudioInfo info structure. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8035.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0022.html", + "https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T18:52:30.622Z", + "dateReserved": "2024-09-25T21:46:10.929Z", + "dateUpdated": "2024-12-12T14:36:43.608Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47539.json b/data/anchore/2024/CVE-2024-47539.json new file mode 100644 index 00000000..a7317827 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47539.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47539", + "description": "GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0007.html", + "https://securitylab.github.com/advisories/GHSL-2024-195_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T18:53:00.750Z", + "dateReserved": "2024-09-25T21:46:10.930Z", + "dateUpdated": "2024-12-11T21:41:10.528Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47540.json b/data/anchore/2024/CVE-2024-47540.json new file mode 100644 index 00000000..d60d7f1b --- /dev/null +++ b/data/anchore/2024/CVE-2024-47540.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47540", + "description": "GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0017.html", + "https://securitylab.github.com/advisories/GHSL-2024-197_GStreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T18:54:04.383Z", + "dateReserved": "2024-09-25T21:46:10.930Z", + "dateUpdated": "2024-12-12T14:34:59.985Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47541.json b/data/anchore/2024/CVE-2024-47541.json new file mode 100644 index 00000000..f180f87e --- /dev/null +++ b/data/anchore/2024/CVE-2024-47541.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47541", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-write vulnerability has been identified in the gst_ssa_parse_remove_override_codes function of the gstssaparse.c file. This function is responsible for parsing and removing SSA (SubStation Alpha) style override codes, which are enclosed in curly brackets ({}). The issue arises when a closing curly bracket \"}\" appears before an opening curly bracket \"{\" in the input string. In this case, memmove() incorrectly duplicates a substring. With each successive loop iteration, the size passed to memmove() becomes progressively larger (strlen(end+1)), leading to a write beyond the allocated memory bounds. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8036.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0023.html", + "https://securitylab.github.com/advisories/GHSL-2024-228_GStreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T18:54:33.099Z", + "dateReserved": "2024-09-25T21:46:10.930Z", + "dateUpdated": "2024-12-12T14:33:13.881Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47542.json b/data/anchore/2024/CVE-2024-47542.json new file mode 100644 index 00000000..b7f41ee3 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47542.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47542", + "description": "GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference has been discovered in the id3v2_read_synch_uint function, located in id3v2.c. If id3v2_read_synch_uint is called with a null work->hdr.frame_data, the pointer guint8 *data is accessed without validation, resulting in a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8033.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0008.html", + "https://securitylab.github.com/advisories/GHSL-2024-235_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T18:55:18.069Z", + "dateReserved": "2024-09-25T21:46:10.931Z", + "dateUpdated": "2024-12-12T14:31:09.320Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47543.json b/data/anchore/2024/CVE-2024-47543.json new file mode 100644 index 00000000..5f62f7a3 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47543.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47543", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in qtdemux_parse_container function within qtdemux.c. In the parent function qtdemux_parse_node, the value of length is not well checked. So, if length is big enough, it causes the pointer end to point beyond the boundaries of buffer. Subsequently, in the qtdemux_parse_container function, the while loop can trigger an OOB-read, accessing memory beyond the bounds of buf. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0009.html", + "https://securitylab.github.com/advisories/GHSL-2024-236_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T18:55:50.210Z", + "dateReserved": "2024-09-25T21:46:10.931Z", + "dateUpdated": "2024-12-12T14:30:04.325Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47544.json b/data/anchore/2024/CVE-2024-47544.json new file mode 100644 index 00000000..c1721896 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47544.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47544", + "description": "GStreamer is a library for constructing graphs of media-handling components. The function qtdemux_parse_sbgp in qtdemux.c is affected by a null dereference vulnerability. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0011.html", + "https://securitylab.github.com/advisories/GHSL-2024-238_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T18:57:31.268Z", + "dateReserved": "2024-09-25T21:46:10.931Z", + "dateUpdated": "2024-12-12T16:37:40.731Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47545.json b/data/anchore/2024/CVE-2024-47545.json new file mode 100644 index 00000000..a3092be9 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47545.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47545", + "description": "GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in qtdemux_parse_trak function within qtdemux.c. During the strf parsing case, the subtraction size -= 40 can lead to a negative integer overflow if it is less than 40. If this happens, the subsequent call to gst_buffer_fill will invoke memcpy with a large tocopy size, resulting in an OOB-read. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0010.html", + "https://securitylab.github.com/advisories/GHSL-2024-242_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T18:58:14.462Z", + "dateReserved": "2024-09-25T21:46:10.931Z", + "dateUpdated": "2024-12-11T18:58:14.462Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47546.json b/data/anchore/2024/CVE-2024-47546.json new file mode 100644 index 00000000..90333d8e --- /dev/null +++ b/data/anchore/2024/CVE-2024-47546.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47546", + "description": "GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in extract_cc_from_data function within qtdemux.c. In the FOURCC_c708 case, the subtraction atom_length - 8 may result in an underflow if atom_length is less than 8. When that subtraction underflows, *cclen ends up being a large number, and then cclen is passed to g_memdup2 leading to an out-of-bounds (OOB) read. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0013.html", + "https://securitylab.github.com/advisories/GHSL-2024-243_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:01:05.831Z", + "dateReserved": "2024-09-25T21:46:10.931Z", + "dateUpdated": "2024-12-11T19:01:05.831Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47596.json b/data/anchore/2024/CVE-2024-47596.json new file mode 100644 index 00000000..8618183d --- /dev/null +++ b/data/anchore/2024/CVE-2024-47596.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47596", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in the qtdemux_parse_svq3_stsd_data function within qtdemux.c. In the FOURCC_SMI_ case, seqh_size is read from the input file without proper validation. If seqh_size is greater than the remaining size of the data buffer, it can lead to an OOB-read in the following call to gst_buffer_fill, which internally uses memcpy. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0015.html", + "https://securitylab.github.com/advisories/GHSL-2024-244_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:01:23.353Z", + "dateReserved": "2024-09-27T20:37:22.118Z", + "dateUpdated": "2024-12-11T19:01:23.353Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47597.json b/data/anchore/2024/CVE-2024-47597.json new file mode 100644 index 00000000..4c6c1db0 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47597.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47597", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been detected in the function qtdemux_parse_samples within qtdemux.c. This issue arises when the function qtdemux_parse_samples reads data beyond the boundaries of the stream->stco buffer. The following code snippet shows the call to qt_atom_parser_get_offset_unchecked, which leads to the OOB-read when parsing the provided GHSL-2024-245_crash1.mp4 file. This issue may lead to read up to 8 bytes out-of-bounds. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0012.html", + "https://securitylab.github.com/advisories/GHSL-2024-245_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:01:50.820Z", + "dateReserved": "2024-09-27T20:37:22.118Z", + "dateUpdated": "2024-12-11T21:51:28.160Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47598.json b/data/anchore/2024/CVE-2024-47598.json new file mode 100644 index 00000000..d6ced1bc --- /dev/null +++ b/data/anchore/2024/CVE-2024-47598.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47598", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in the qtdemux_merge_sample_table function within qtdemux.c. The problem is that the size of the stts buffer isn’t properly checked before reading stts_duration, allowing the program to read 4 bytes beyond the boundaries of stts->data. This vulnerability reads up to 4 bytes past the allocated bounds of the stts array. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0006.html", + "https://securitylab.github.com/advisories/GHSL-2024-246_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:02:32.029Z", + "dateReserved": "2024-09-27T20:37:22.118Z", + "dateUpdated": "2024-12-11T21:42:50.530Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47599.json b/data/anchore/2024/CVE-2024-47599.json new file mode 100644 index 00000000..2cf9c886 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47599.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47599", + "description": "GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_jpeg_dec_negotiate function in gstjpegdec.c. This function does not check for a NULL return value from gst_video_decoder_set_output_state. When this happens, dereferences of the outstate pointer will lead to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8040.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0016.html", + "https://securitylab.github.com/advisories/GHSL-2024-247_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:02:52.412Z", + "dateReserved": "2024-09-27T20:37:22.118Z", + "dateUpdated": "2024-12-11T21:38:01.666Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47600.json b/data/anchore/2024/CVE-2024-47600.json new file mode 100644 index 00000000..917d7b56 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47600.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47600", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been detected in the format_channel_mask function in gst-discoverer.c. The vulnerability affects the local array position, which is defined with a fixed size of 64 elements. However, the function gst_discoverer_audio_info_get_channels may return a guint channels value greater than 64. This causes the for loop to attempt access beyond the bounds of the position array, resulting in an OOB-read when an index greater than 63 is used. This vulnerability can result in reading unintended bytes from the stack. Additionally, the dereference of value->value_nick after the OOB-read can lead to further memory corruption or undefined behavior. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8034.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0018.html", + "https://securitylab.github.com/advisories/GHSL-2024-248_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:03:13.938Z", + "dateReserved": "2024-09-27T20:37:22.118Z", + "dateUpdated": "2024-12-12T14:27:55.278Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47601.json b/data/anchore/2024/CVE-2024-47601.json new file mode 100644 index 00000000..5cf84d05 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47601.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47601", + "description": "GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_parse_blockgroup_or_simpleblock function within matroska-demux.c. This function does not properly check the validity of the GstBuffer *sub pointer before performing dereferences. As a result, null pointer dereferences may occur. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0020.html", + "https://securitylab.github.com/advisories/GHSL-2024-249_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:03:36.650Z", + "dateReserved": "2024-09-27T20:37:22.119Z", + "dateUpdated": "2024-12-12T14:26:05.938Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47602.json b/data/anchore/2024/CVE-2024-47602.json new file mode 100644 index 00000000..90b4058c --- /dev/null +++ b/data/anchore/2024/CVE-2024-47602.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47602", + "description": "GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. This function does not properly check the validity of the stream->codec_priv pointer in the following code. If stream->codec_priv is NULL, the call to GST_READ_UINT16_LE will attempt to dereference a null pointer, leading to a crash of the application. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0019.html", + "https://securitylab.github.com/advisories/GHSL-2024-250_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:10:31.683Z", + "dateReserved": "2024-09-27T20:37:22.119Z", + "dateUpdated": "2024-12-12T14:24:27.067Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47603.json b/data/anchore/2024/CVE-2024-47603.json new file mode 100644 index 00000000..e8f4b32f --- /dev/null +++ b/data/anchore/2024/CVE-2024-47603.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47603", + "description": "GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_update_tracks function within matroska-demux.c. The vulnerability occurs when the gst_caps_is_equal function is called with invalid caps values. If this happen, then in the function gst_buffer_get_size the call to GST_BUFFER_MEM_PTR can return a null pointer. Attempting to dereference the size field of this null pointer results in a null pointer dereference. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0021.html", + "https://securitylab.github.com/advisories/GHSL-2024-251_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:11:51.382Z", + "dateReserved": "2024-09-27T20:37:22.119Z", + "dateUpdated": "2024-12-11T20:42:29.146Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47606.json b/data/anchore/2024/CVE-2024-47606.json new file mode 100644 index 00000000..193031ad --- /dev/null +++ b/data/anchore/2024/CVE-2024-47606.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47606", + "description": "GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8032.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0014.html", + "https://securitylab.github.com/advisories/GHSL-2024-166_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:12:40.186Z", + "dateReserved": "2024-09-27T20:37:22.119Z", + "dateUpdated": "2024-12-11T20:44:29.587Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47607.json b/data/anchore/2024/CVE-2024-47607.json new file mode 100644 index 00000000..91b977f2 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47607.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47607", + "description": "GStreamer is a library for constructing graphs of media-handling components. stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c'. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows to overwrite the EIP address allocated in the stack. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0024.html", + "https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:13:27.569Z", + "dateReserved": "2024-09-27T20:37:22.119Z", + "dateUpdated": "2024-12-12T14:22:58.305Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47613.json b/data/anchore/2024/CVE-2024-47613.json new file mode 100644 index 00000000..f38a90ad --- /dev/null +++ b/data/anchore/2024/CVE-2024-47613.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47613", + "description": "GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the vorbis_handle_identification_packet function within gstvorbisdec.c. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This vulnerability allows to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the GstAudioInfo info structure. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8041.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0025.html", + "https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:14:02.436Z", + "dateReserved": "2024-09-27T20:37:22.120Z", + "dateUpdated": "2024-12-12T14:17:51.293Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47615.json b/data/anchore/2024/CVE-2024-47615.json new file mode 100644 index 00000000..41a54f4c --- /dev/null +++ b/data/anchore/2024/CVE-2024-47615.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47615", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-Write has been detected in the function gst_parse_vorbis_setup_packet within vorbis_parse.c. The integer size is read from the input file without proper validation. As a result, size can exceed the fixed size of the pad->vorbis_mode_sizes array (which size is 256). When this happens, the for loop overwrites the entire pad structure with 0s and 1s, affecting adjacent memory as well. This OOB-write can overwrite up to 380 bytes of memory beyond the boundaries of the pad->vorbis_mode_sizes array. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8038.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0026.html", + "https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:13:47.894Z", + "dateReserved": "2024-09-27T20:37:22.120Z", + "dateUpdated": "2024-12-12T14:18:50.580Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47774.json b/data/anchore/2024/CVE-2024-47774.json new file mode 100644 index 00000000..98e6aeac --- /dev/null +++ b/data/anchore/2024/CVE-2024-47774.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47774", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function reads the name_length value directly from the input file without checking it properly. Then, the a condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an OOB-read. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/github/securitylab-vulnerabilities/issues/1826", + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8043.patch", + "https://securitylab.github.com/advisories/GHSL-2024-262_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:15:18.259Z", + "dateReserved": "2024-09-30T21:28:53.234Z", + "dateUpdated": "2024-12-12T14:15:07.785Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47775.json b/data/anchore/2024/CVE-2024-47775.json new file mode 100644 index 00000000..355b1488 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47775.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47775", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been found in the parse_ds64 function within gstwavparse.c. The parse_ds64 function does not check that the buffer buf contains sufficient data before attempting to read from it, doing multiple GST_READ_UINT32_LE operations without performing boundary checks. This can lead to an OOB-read when buf is smaller than expected. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0027.html", + "https://securitylab.github.com/advisories/GHSL-2024-261_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:15:44.607Z", + "dateReserved": "2024-09-30T21:28:53.234Z", + "dateUpdated": "2024-12-11T21:06:33.799Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47776.json b/data/anchore/2024/CVE-2024-47776.json new file mode 100644 index 00000000..dd386abf --- /dev/null +++ b/data/anchore/2024/CVE-2024-47776.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47776", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in gst_wavparse_cue_chunk within gstwavparse.c. The vulnerability happens due to a discrepancy between the size of the data buffer and the size value provided to the function. This mismatch causes the comparison if (size < 4 + ncues * 24) to fail in some cases, allowing the subsequent loop to access beyond the bounds of the data buffer. The root cause of this discrepancy stems from a miscalculation when clipping the chunk size based on upstream data size. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0027.html", + "https://securitylab.github.com/advisories/GHSL-2024-260_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:16:04.573Z", + "dateReserved": "2024-09-30T21:28:53.234Z", + "dateUpdated": "2024-12-11T21:06:56.613Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47777.json b/data/anchore/2024/CVE-2024-47777.json new file mode 100644 index 00000000..d7a133b6 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47777.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47777", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_wavparse_smpl_chunk function within gstwavparse.c. This function attempts to read 4 bytes from the data + 12 offset without checking if the size of the data buffer is sufficient. If the buffer is too small, the function reads beyond its bounds. This vulnerability may result in reading 4 bytes out of the boundaries of the data buffer. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0027.html", + "https://securitylab.github.com/advisories/GHSL-2024-259_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:16:33.169Z", + "dateReserved": "2024-09-30T21:28:53.235Z", + "dateUpdated": "2024-12-11T21:07:34.497Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47778.json b/data/anchore/2024/CVE-2024-47778.json new file mode 100644 index 00000000..8d4a85e4 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47778.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47778", + "description": "GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in gst_wavparse_adtl_chunk within gstwavparse.c. This vulnerability arises due to insufficient validation of the size parameter, which can exceed the bounds of the data buffer. As a result, an OOB read occurs in the following while loop. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0027.html", + "https://securitylab.github.com/advisories/GHSL-2024-258_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:16:58.215Z", + "dateReserved": "2024-09-30T21:28:53.235Z", + "dateUpdated": "2024-12-11T21:12:34.879Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47834.json b/data/anchore/2024/CVE-2024-47834.json new file mode 100644 index 00000000..4c775af5 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47834.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47834", + "description": "GStreamer is a library for constructing graphs of media-handling components. An Use-After-Free read vulnerability has been discovered affecting the processing of CodecPrivate elements in Matroska streams. In the GST_MATROSKA_ID_CODECPRIVATE case within the gst_matroska_demux_parse_stream function, a data chunk is allocated using gst_ebml_read_binary. Later, the allocated memory is freed in the gst_matroska_track_free function, by the call to g_free (track->codec_priv). Finally, the freed memory is accessed in the caps_serialize function through gst_value_serialize_buffer. The freed memory will be accessed in the gst_value_serialize_buffer function. This results in a UAF read vulnerability, as the function tries to process memory that has already been freed. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0030.html", + "https://securitylab.github.com/advisories/GHSL-2024-280_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:18:04.069Z", + "dateReserved": "2024-10-03T14:06:12.643Z", + "dateUpdated": "2024-12-11T21:15:31.525Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47835.json b/data/anchore/2024/CVE-2024-47835.json new file mode 100644 index 00000000..1dc20050 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47835.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47835", + "description": "GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been detected in the parse_lrc function within gstsubparse.c. The parse_lrc function calls strchr() to find the character ']' in the string line. The pointer returned by this call is then passed to g_strdup(). However, if the string line does not contain the character ']', strchr() returns NULL, and a call to g_strdup(start + 1) leads to a null pointer dereference. This vulnerability is fixed in 1.24.10.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8039.patch", + "https://gstreamer.freedesktop.org/security/sa-2024-0029.html", + "https://securitylab.github.com/advisories/GHSL-2024-263_Gstreamer/" + ], + "upstream": { + "datePublished": "2024-12-11T19:17:26.688Z", + "dateReserved": "2024-10-03T14:06:12.644Z", + "dateUpdated": "2024-12-11T21:14:10.881Z", + "digest": "2c7b9391c81eab88d539dd27beb56ed4affd948d4ba4afd25c9c86cb8ed84cfb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:gstreamer_project:gstreamer:*:*:*:*:*:*:*:*" + ], + "packageName": "gstreamer/gstreamer", + "product": "gstreamer", + "repo": "https://github.com/gstreamer/gstreamer", + "vendor": "gstreamer", + "versions": [ + { + "lessThan": "1.24.10", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-50339.json b/data/anchore/2024/CVE-2024-50339.json new file mode 100644 index 00000000..c397426d --- /dev/null +++ b/data/anchore/2024/CVE-2024-50339.json @@ -0,0 +1,44 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-50339", + "description": "GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/glpi-project/glpi/releases/tag/10.0.17", + "https://github.com/glpi-project/glpi/security/advisories/GHSA-v977-g4r9-6r72" + ], + "upstream": { + "datePublished": "2024-12-11T17:48:42.230Z", + "dateReserved": "2024-10-22T17:54:40.954Z", + "dateUpdated": "2024-12-11T18:31:59.719Z", + "digest": "0d97137549a5ce161a554031804c7d55313d54ae8abf686c447ea2f6e38555fb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*" + ], + "packageName": "glpi-project/glpi", + "product": "glpi", + "repo": "https://github.com/glpi-project/glpi", + "vendor": "glpi-project", + "versions": [ + { + "lessThan": "10.0.17", + "status": "affected", + "version": "9.5.0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-50423.json b/data/anchore/2024/CVE-2024-50423.json index 7f524b44..5cdecaa5 100644 --- a/data/anchore/2024/CVE-2024-50423.json +++ b/data/anchore/2024/CVE-2024-50423.json @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63ea8485-8a3f-4d83-91ee-85591077464f?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-50513.json b/data/anchore/2024/CVE-2024-50513.json index 377f073e..11df29c7 100644 --- a/data/anchore/2024/CVE-2024-50513.json +++ b/data/anchore/2024/CVE-2024-50513.json @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97df0ac7-3240-4d2b-aa2c-779c8e9359e8?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-50514.json b/data/anchore/2024/CVE-2024-50514.json index 77daf6a9..c4479bd3 100644 --- a/data/anchore/2024/CVE-2024-50514.json +++ b/data/anchore/2024/CVE-2024-50514.json @@ -37,6 +37,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/949ea4e6-420a-437d-8e71-ee20119343f3?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-50515.json b/data/anchore/2024/CVE-2024-50515.json index 3c499ec3..64e985d3 100644 --- a/data/anchore/2024/CVE-2024-50515.json +++ b/data/anchore/2024/CVE-2024-50515.json @@ -37,6 +37,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00dc3911-c29e-4f4f-973c-8e4da5dd0e35?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-50516.json b/data/anchore/2024/CVE-2024-50516.json index f99bccad..23912eac 100644 --- a/data/anchore/2024/CVE-2024-50516.json +++ b/data/anchore/2024/CVE-2024-50516.json @@ -33,6 +33,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/99a24c92-b6e5-4bbd-8cd8-1f95f47d3675?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-50550.json b/data/anchore/2024/CVE-2024-50550.json index 01e8acb6..8c8a7c44 100644 --- a/data/anchore/2024/CVE-2024-50550.json +++ b/data/anchore/2024/CVE-2024-50550.json @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91365d3b-8e93-4202-8d44-9d217aaae0a4?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-52423.json b/data/anchore/2024/CVE-2024-52423.json index 2a79a891..63a98c00 100644 --- a/data/anchore/2024/CVE-2024-52423.json +++ b/data/anchore/2024/CVE-2024-52423.json @@ -23,7 +23,7 @@ "vendor": "Themify", "versions": [ { - "lessThanOrEqual": "7.6.3", + "lessThan": "7.6.6", "status": "affected", "version": "0", "versionType": "custom" diff --git a/data/anchore/2024/CVE-2024-53278.json b/data/anchore/2024/CVE-2024-53278.json index ff19bad9..9c3fee88 100644 --- a/data/anchore/2024/CVE-2024-53278.json +++ b/data/anchore/2024/CVE-2024-53278.json @@ -16,6 +16,8 @@ "cpes": [ "cpe:2.3:a:wp_admin_ui_customize_project:wp_admin_ui_customize:*:*:*:*:*:wordpress:*:*" ], + "packageName": "wp-admin-ui-customize", + "packageType": "wordpress-plugin", "product": "WP Admin UI Customize", "vendor": "gqevu6bsiz", "versions": [ @@ -31,6 +33,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e8f03f4-f7a6-408c-a79e-f9cd03d77a76?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53737.json b/data/anchore/2024/CVE-2024-53737.json index a7371df1..d6ce7d39 100644 --- a/data/anchore/2024/CVE-2024-53737.json +++ b/data/anchore/2024/CVE-2024-53737.json @@ -25,7 +25,7 @@ "vendor": "WP Mailster", "versions": [ { - "lessThanOrEqual": "1.8.16.0", + "lessThan": "1.8.17.0", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e451df35-8448-4791-859e-969dc97a1aa8?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53738.json b/data/anchore/2024/CVE-2024-53738.json index b4c85b59..55d3f2c6 100644 --- a/data/anchore/2024/CVE-2024-53738.json +++ b/data/anchore/2024/CVE-2024-53738.json @@ -22,7 +22,7 @@ "vendor": "Gabe Livan", "versions": [ { - "lessThanOrEqual": "1.3.9.8", + "lessThan": "1.3.9.9", "status": "affected", "version": "0", "versionType": "custom" @@ -33,6 +33,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5617f917-ecb5-4c64-b421-e4af14c17eb7?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53803.json b/data/anchore/2024/CVE-2024-53803.json index 28b2087a..7a5bcade 100644 --- a/data/anchore/2024/CVE-2024-53803.json +++ b/data/anchore/2024/CVE-2024-53803.json @@ -25,7 +25,7 @@ "vendor": "brandtoss", "versions": [ { - "lessThanOrEqual": "1.8.16.0", + "lessThan": "1.8.17.0", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/900cfb6d-61c8-4696-9a5d-1ff03cd76a22?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53804.json b/data/anchore/2024/CVE-2024-53804.json index d589c61f..14d2bfc9 100644 --- a/data/anchore/2024/CVE-2024-53804.json +++ b/data/anchore/2024/CVE-2024-53804.json @@ -25,7 +25,7 @@ "vendor": "brandtoss", "versions": [ { - "lessThanOrEqual": "1.8.16.0", + "lessThan": "1.8.17.0", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e31ecd7e-95ea-4a35-ae6d-ad3c61b1cae9?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53805.json b/data/anchore/2024/CVE-2024-53805.json index 5556d54a..444cbe72 100644 --- a/data/anchore/2024/CVE-2024-53805.json +++ b/data/anchore/2024/CVE-2024-53805.json @@ -25,7 +25,7 @@ "vendor": "brandtoss", "versions": [ { - "lessThanOrEqual": "1.8.16.0", + "lessThan": "1.8.17.0", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/697105e6-3155-4199-9fee-914830674023?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53807.json b/data/anchore/2024/CVE-2024-53807.json index 5d198cf9..b53992c1 100644 --- a/data/anchore/2024/CVE-2024-53807.json +++ b/data/anchore/2024/CVE-2024-53807.json @@ -25,7 +25,7 @@ "vendor": "brandtoss", "versions": [ { - "lessThanOrEqual": "1.8.16.0", + "lessThan": "1.8.17.0", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9baf0a14-600b-4c0e-9121-71c28653e530?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53808.json b/data/anchore/2024/CVE-2024-53808.json index 3155b25e..8b6889f3 100644 --- a/data/anchore/2024/CVE-2024-53808.json +++ b/data/anchore/2024/CVE-2024-53808.json @@ -26,7 +26,7 @@ "vendor": "Basix", "versions": [ { - "lessThanOrEqual": "8.7.8", + "lessThan": "8.7.9", "status": "affected", "version": "0", "versionType": "custom" @@ -37,6 +37,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f0406ad-8f4e-49a2-87dd-a6e319904652?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53815.json b/data/anchore/2024/CVE-2024-53815.json index 24dbde9e..7a7b1a19 100644 --- a/data/anchore/2024/CVE-2024-53815.json +++ b/data/anchore/2024/CVE-2024-53815.json @@ -25,7 +25,7 @@ "vendor": "PINPOINT.WORLD", "versions": [ { - "lessThanOrEqual": "2.9.9.5.1", + "lessThan": "2.9.9.5.2", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f673e463-5ef0-4704-91a1-76e375df9d1c?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53817.json b/data/anchore/2024/CVE-2024-53817.json index be8cc027..264bc369 100644 --- a/data/anchore/2024/CVE-2024-53817.json +++ b/data/anchore/2024/CVE-2024-53817.json @@ -25,7 +25,7 @@ "vendor": "Acowebs", "versions": [ { - "lessThanOrEqual": "1.5.8", + "lessThan": "1.5.9", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fcbe5bfa-7680-452e-bb18-ea9fbbb07b8e?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53818.json b/data/anchore/2024/CVE-2024-53818.json index 3c07cdf6..60480f13 100644 --- a/data/anchore/2024/CVE-2024-53818.json +++ b/data/anchore/2024/CVE-2024-53818.json @@ -25,7 +25,7 @@ "vendor": "Post Grid Team by WPXPO", "versions": [ { - "lessThanOrEqual": "4.1.15", + "lessThan": "4.1.16", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af55ea6c-01f6-4c87-91bb-a0ff98e92256?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53819.json b/data/anchore/2024/CVE-2024-53819.json index f2235130..ab90a153 100644 --- a/data/anchore/2024/CVE-2024-53819.json +++ b/data/anchore/2024/CVE-2024-53819.json @@ -25,7 +25,7 @@ "vendor": "Sprout Invoices", "versions": [ { - "lessThanOrEqual": "20.8.0", + "lessThan": "20.8.1", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/326e168d-c2ae-485f-93ff-ed59d5b6061e?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53823.json b/data/anchore/2024/CVE-2024-53823.json index 9f1cd01c..7b6737f3 100644 --- a/data/anchore/2024/CVE-2024-53823.json +++ b/data/anchore/2024/CVE-2024-53823.json @@ -26,7 +26,7 @@ "vendor": "POSIMYTH", "versions": [ { - "lessThanOrEqual": "5.6.14", + "lessThan": "6.0.1", "status": "affected", "version": "0", "versionType": "custom" @@ -37,6 +37,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e30c6a24-1ec8-4816-b467-c1122b9a8ce1?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53824.json b/data/anchore/2024/CVE-2024-53824.json index 86db45e8..4aadaf8c 100644 --- a/data/anchore/2024/CVE-2024-53824.json +++ b/data/anchore/2024/CVE-2024-53824.json @@ -25,7 +25,7 @@ "vendor": "AREOI", "versions": [ { - "lessThanOrEqual": "1.3.19", + "lessThan": "1.3.20", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b2cf896-7cb8-4a1e-bd8c-4da339965138?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-53845.json b/data/anchore/2024/CVE-2024-53845.json new file mode 100644 index 00000000..c5538d92 --- /dev/null +++ b/data/anchore/2024/CVE-2024-53845.json @@ -0,0 +1,69 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-53845", + "description": "ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there is no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The IV is set to zero and remains constant throughout the product's lifetime. In AES/CBC mode, if the IV is not properly initialized, the encrypted output becomes deterministic, leading to potential data leakage. To address the aforementioned issues, the application generates a random IV when activating the AES key starting in versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. This IV is then transmitted along with the provision data to the provision device. The provision device has also been equipped with a parser for the AES IV. The upgrade is applicable for all applications and users of ESPTouch v2 component from ESP-IDF. As it is implemented in the ESP Wi-Fi stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/EspressifApp/EsptouchForAndroid/tree/master/esptouch-v2", + "https://github.com/EspressifApp/EsptouchForIOS/tree/master/EspTouchDemo/ESPTouchV2", + "https://github.com/espressif/esp-idf/commit/4f85a2726e04b737c8646d865b44ddd837b703db", + "https://github.com/espressif/esp-idf/commit/8fb28dcedcc49916a5206456a3a61022d4302cd8", + "https://github.com/espressif/esp-idf/commit/d47ed7d6f814e21c5bc8997ab0bc68e2360e5cb2", + "https://github.com/espressif/esp-idf/commit/de69895f38d563e22228f5ba23fffa02feabc3a9", + "https://github.com/espressif/esp-idf/commit/fd224e83bbf133833638b277c767be7f7cdd97c7", + "https://github.com/espressif/esp-idf/security/advisories/GHSA-wm57-466g-mhrr", + "https://github.com/espressif/esp-idf/tree/master/components/esp_wifi" + ], + "upstream": { + "datePublished": "2024-12-11T22:35:48.528Z", + "dateReserved": "2024-11-22T17:30:02.139Z", + "dateUpdated": "2024-12-12T16:35:00.685Z", + "digest": "1cf97dd9ef7ab1d198198fbf0d41b1ba9e023f22945269a966b38d57fa96883d" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*" + ], + "packageName": "espressif/esp-idf", + "product": "esp-idf", + "repo": "https://github.com/espressif/esp-idf", + "vendor": "espressif", + "versions": [ + { + "lessThan": "5.3.2", + "status": "affected", + "version": "5.3.0", + "versionType": "custom" + }, + { + "lessThan": "5.2.4", + "status": "affected", + "version": "5.2.0", + "versionType": "custom" + }, + { + "lessThan": "5.1.6", + "status": "affected", + "version": "5.1.0", + "versionType": "custom" + }, + { + "lessThan": "5.0.8", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-54212.json b/data/anchore/2024/CVE-2024-54212.json index 0e64e83d..d48371a4 100644 --- a/data/anchore/2024/CVE-2024-54212.json +++ b/data/anchore/2024/CVE-2024-54212.json @@ -33,6 +33,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b421d80f-408e-4fb0-9894-b7e5707d8d5f?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-54223.json b/data/anchore/2024/CVE-2024-54223.json index 20b46543..55e10e79 100644 --- a/data/anchore/2024/CVE-2024-54223.json +++ b/data/anchore/2024/CVE-2024-54223.json @@ -26,7 +26,7 @@ "vendor": "Contact Form - Repute InfoSystems", "versions": [ { - "lessThanOrEqual": "1.7.1", + "lessThan": "1.7.2", "status": "affected", "version": "0", "versionType": "custom" @@ -37,6 +37,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f800bc0-5b1b-43fa-a267-d8db444d0c2c?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-54224.json b/data/anchore/2024/CVE-2024-54224.json index 2659f269..37b92473 100644 --- a/data/anchore/2024/CVE-2024-54224.json +++ b/data/anchore/2024/CVE-2024-54224.json @@ -25,7 +25,7 @@ "vendor": "QuomodoSoft", "versions": [ { - "lessThanOrEqual": "6.4.7", + "lessThan": "6.4.8", "status": "affected", "version": "0", "versionType": "custom" @@ -36,6 +36,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a33c0e7e-42d3-442e-886e-e0a71cdbf628?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-54255.json b/data/anchore/2024/CVE-2024-54255.json index 9edce207..c4663b0b 100644 --- a/data/anchore/2024/CVE-2024-54255.json +++ b/data/anchore/2024/CVE-2024-54255.json @@ -33,6 +33,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9ce819fa-5c94-4116-9361-1de24619c27b?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-54260.json b/data/anchore/2024/CVE-2024-54260.json index 74618e97..3e4433bd 100644 --- a/data/anchore/2024/CVE-2024-54260.json +++ b/data/anchore/2024/CVE-2024-54260.json @@ -33,6 +33,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df96f58a-bc6e-47e7-a465-4aebdb264512?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-55633.json b/data/anchore/2024/CVE-2024-55633.json new file mode 100644 index 00000000..f0ff24cd --- /dev/null +++ b/data/anchore/2024/CVE-2024-55633.json @@ -0,0 +1,43 @@ +{ + "additionalMetadata": { + "cna": "apache", + "cveId": "CVE-2024-55633", + "description": "Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable. \n\nThis issue affects Apache Superset: before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb" + ], + "upstream": { + "datePublished": "2024-12-12T14:36:02.325Z", + "dateReserved": "2024-12-09T21:48:12.343Z", + "dateUpdated": "2024-12-12T18:03:30.295Z", + "digest": "5789f79d5b2d17c780d2f48fdbea0d87d2d41343001f148e4b0617b39d7291ba" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://pypi.org", + "cpes": [ + "cpe:2.3:a:apache:superset:*:*:*:*:*:python:*:*" + ], + "packageName": "apache-superset", + "packageType": "python", + "product": "Apache Superset", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThan": "4.1.0", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-55652.json b/data/anchore/2024/CVE-2024-55652.json new file mode 100644 index 00000000..2af072ab --- /dev/null +++ b/data/anchore/2024/CVE-2024-55652.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-55652", + "description": "PenDoc is a penetration testing reporting application. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an attacker can write a malicious docx template containing expressions that escape the JavaScript sandbox to execute arbitrary code on the system. An attacker who can control the contents of the template document is able to execute arbitrary code on the system. By default, only users with the `admin` role are able to create or update templates. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 patches the issue.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/pwndoc/pwndoc/blob/main/backend/src/lib/report-filters.js#L258-L260", + "https://github.com/pwndoc/pwndoc/commit/1d4219c596f4f518798492e48386a20c6e9a2fe6", + "https://github.com/pwndoc/pwndoc/security/advisories/GHSA-jw5r-6927-hwpc" + ], + "upstream": { + "datePublished": "2024-12-11T22:41:16.664Z", + "dateReserved": "2024-12-10T14:47:08.666Z", + "dateUpdated": "2024-12-12T16:32:39.666Z", + "digest": "7a7d03d807a1e02ae628efa7daf71db70372089584a7bae068e148f0c55c27d6" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*" + ], + "packageName": "pwndoc/pwndoc", + "product": "pwndoc", + "repo": "https://github.com/pwndoc/pwndoc", + "vendor": "pwndoc", + "versions": [ + { + "lessThan": "1d4219c596f4f518798492e48386a20c6e9a2fe6", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-55662.json b/data/anchore/2024/CVE-2024-55662.json new file mode 100644 index 00000000..91e76116 --- /dev/null +++ b/data/anchore/2024/CVE-2024-55662.json @@ -0,0 +1,53 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-55662", + "description": "XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8", + "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2pq-22jj-4pm5", + "https://jira.xwiki.org/browse/XWIKI-21890" + ], + "upstream": { + "datePublished": "2024-12-12T17:25:26.297Z", + "dateReserved": "2024-12-10T15:33:57.416Z", + "dateUpdated": "2024-12-12T17:25:26.297Z", + "digest": "43143b82c21874bf5ff31ba581a8368f7c0b35066b1a9f1b767fcb8ba5cfa5cb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:org.xwiki.platform:xwiki-platform-repository-server-ui:*:*:*:*:*:maven:*:*", + "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:maven:*:*" + ], + "packageName": "org.xwiki.platform:xwiki-platform-repository-server-ui", + "packageType": "maven", + "product": "xwiki-platform", + "repo": "https://github.com/xwiki/xwiki-platform", + "vendor": "xwiki", + "versions": [ + { + "lessThan": "15.10.9", + "status": "affected", + "version": "3.3-milestone-1", + "versionType": "maven" + }, + { + "lessThan": "16.3.0", + "status": "affected", + "version": "16.0.0-rc-1", + "versionType": "maven" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-55663.json b/data/anchore/2024/CVE-2024-55663.json new file mode 100644 index 00000000..be817eb8 --- /dev/null +++ b/data/anchore/2024/CVE-2024-55663.json @@ -0,0 +1,53 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-55663", + "description": "XWiki Platform is a generic wiki platform. Starting in version 11.10.6 and prior to versions 13.10.5 and 14.3-rc-1, in `getdocument.vm`; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This has been patched in 13.10.5 and 14.3-rc-1. There is no known workaround, other than upgrading XWiki.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/xwiki/xwiki-platform/commit/673076e2e8b88a36cdeaf7007843aa9ca1a068a0", + "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398", + "https://jira.xwiki.org/browse/XWIKI-17568" + ], + "upstream": { + "datePublished": "2024-12-12T18:53:49.491Z", + "dateReserved": "2024-12-10T15:33:57.417Z", + "dateUpdated": "2024-12-12T18:53:49.491Z", + "digest": "e7724c6afde6bb4a421d50a955bc4626b5e6178753d407b782b9b874cb2d04a0" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:org.xwiki.platform:xwiki-platform-distribution-war:*:*:*:*:*:maven:*:*", + "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:maven:*:*" + ], + "packageName": "org.xwiki.platform:xwiki-platform-distribution-war", + "packageType": "maven", + "product": "xwiki-platform", + "repo": "https://github.com/xwiki/xwiki-platform", + "vendor": "xwiki", + "versions": [ + { + "lessThan": "13.10.5", + "status": "affected", + "version": "11.10.6", + "versionType": "maven" + }, + { + "lessThan": "14.3-rc-1", + "status": "affected", + "version": "14.0-rc-1", + "versionType": "maven" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-55876.json b/data/anchore/2024/CVE-2024-55876.json new file mode 100644 index 00000000..8d4d9eaa --- /dev/null +++ b/data/anchore/2024/CVE-2024-55876.json @@ -0,0 +1,53 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-55876", + "description": "XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331", + "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cwq6-mjmx-47p6", + "https://jira.xwiki.org/browse/XWIKI-21663" + ], + "upstream": { + "datePublished": "2024-12-12T18:59:49.733Z", + "dateReserved": "2024-12-11T15:46:36.421Z", + "dateUpdated": "2024-12-12T18:59:49.733Z", + "digest": "8a1e0d7b2b07c71c4cd65aebfd7a7b1550dcc4e70c3159aab0fd54be1eb90182" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:org.xwiki.platform:xwiki-platform-scheduler-ui:*:*:*:*:*:maven:*:*", + "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:maven:*:*" + ], + "packageName": "org.xwiki.platform:xwiki-platform-scheduler-ui", + "packageType": "maven", + "product": "xwiki-platform", + "repo": "https://github.com/xwiki/xwiki-platform", + "vendor": "xwiki", + "versions": [ + { + "lessThan": "15.10.9", + "status": "affected", + "version": "1.2-milestone-2", + "versionType": "maven" + }, + { + "lessThan": "16.3.0", + "status": "affected", + "version": "16.0.0-rc-1", + "versionType": "maven" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-55877.json b/data/anchore/2024/CVE-2024-55877.json new file mode 100644 index 00000000..94cfd370 --- /dev/null +++ b/data/anchore/2024/CVE-2024-55877.json @@ -0,0 +1,59 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-55877", + "description": "XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3", + "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c", + "https://jira.xwiki.org/browse/XWIKI-22030" + ], + "upstream": { + "datePublished": "2024-12-12T19:13:43.128Z", + "dateReserved": "2024-12-11T15:46:36.421Z", + "dateUpdated": "2024-12-12T19:15:53.684Z", + "digest": "eb56c631c1bf4b43b857cbbb9d5bf9173cdc79ee47800a2ff20eb89da55dde51" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:org.xwiki.platform:xwiki-platform-help-ui:*:*:*:*:*:maven:*:*", + "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:maven:*:*" + ], + "packageName": "org.xwiki.platform:xwiki-platform-help-ui", + "packageType": "maven", + "product": "xwiki-platform", + "repo": "https://github.com/xwiki/xwiki-platform", + "vendor": "xwiki", + "versions": [ + { + "lessThan": "15.10.11", + "status": "affected", + "version": "9.7-rc-1", + "versionType": "maven" + }, + { + "lessThan": "16.4.1", + "status": "affected", + "version": "16.0.0-rc-1", + "versionType": "maven" + }, + { + "lessThan": "16.5.0", + "status": "affected", + "version": "16.5.0-rc-1", + "versionType": "maven" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-55879.json b/data/anchore/2024/CVE-2024-55879.json new file mode 100644 index 00000000..3a96d954 --- /dev/null +++ b/data/anchore/2024/CVE-2024-55879.json @@ -0,0 +1,53 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-55879", + "description": "XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d", + "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr", + "https://jira.xwiki.org/browse/XWIKI-21207" + ], + "upstream": { + "datePublished": "2024-12-12T19:17:38.138Z", + "dateReserved": "2024-12-11T15:46:36.421Z", + "dateUpdated": "2024-12-12T19:17:38.138Z", + "digest": "1cf924946a2eda275314064970c83055f701304a2b57364c32ff645912c79d32" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:org.xwiki.platform:xwiki-platform-administration-ui:*:*:*:*:*:maven:*:*", + "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:maven:*:*" + ], + "packageName": "org.xwiki.platform:xwiki-platform-administration-ui", + "packageType": "maven", + "product": "xwiki-platform", + "repo": "https://github.com/xwiki/xwiki-platform", + "vendor": "xwiki", + "versions": [ + { + "lessThan": "15.10.9", + "status": "affected", + "version": "2.3", + "versionType": "maven" + }, + { + "lessThan": "16.3.0", + "status": "affected", + "version": "16.0.0-rc-1", + "versionType": "maven" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-55885.json b/data/anchore/2024/CVE-2024-55885.json new file mode 100644 index 00000000..e8cd0d01 --- /dev/null +++ b/data/anchore/2024/CVE-2024-55885.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-55885", + "description": "beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with SHA256.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/beego/beego/commit/e7fa4835f71f47ab1d13afd638cebf661800d5a4", + "https://github.com/beego/beego/security/advisories/GHSA-9j3m-fr7q-jxfw" + ], + "upstream": { + "datePublished": "2024-12-12T19:23:14.239Z", + "dateReserved": "2024-12-12T15:00:38.901Z", + "dateUpdated": "2024-12-12T19:23:14.239Z", + "digest": "d707d858df7a404e9483370d20dcb8f44f042cceb358c49d43e034a2fc2498bb" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://pkg.go.dev", + "cpes": [ + "cpe:2.3:a:beego:beego:*:*:*:*:*:go:*:*" + ], + "packageName": "beego/beego", + "packageType": "go-module", + "product": "beego", + "repo": "https://github.com/beego/beego", + "vendor": "beego", + "versions": [ + { + "lessThan": "2.3.4", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-55886.json b/data/anchore/2024/CVE-2024-55886.json new file mode 100644 index 00000000..2d769d37 --- /dev/null +++ b/data/anchore/2024/CVE-2024-55886.json @@ -0,0 +1,43 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-55886", + "description": "OpenSearch Data Prepper is a component of the OpenSearch project that accepts, filters, transforms, enriches, and routes data at scale. A vulnerability exists in the OpenTelemetry Logs source in Data Prepper starting inversion 2.1.0 and prior to version 2.10.2 where some custom authentication plugins will not perform authentication. This allows unauthorized users to ingest OpenTelemetry Logs data under certain conditions. This vulnerability does not affect the built-in `http_basic` authentication provider in Data Prepper. Pipelines which use the `http_basic` authentication provider continue to require authentication. The vulnerability exists only for custom implementations of Data Prepper’s `GrpcAuthenticationProvider` authentication plugin which implement the `getHttpAuthenticationService()` method instead of `getAuthenticationInterceptor()`. Data Prepper 2.10.2 contains a fix for this issue. For those unable to upgrade, one may use the built-in `http_basic` authentication provider in Data Prepper and/or add an authentication proxy in front of one's Data Prepper instances running the OpenTelemetry Logs source.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/opensearch-project/data-prepper/security/advisories/GHSA-725p-63vv-v948" + ], + "upstream": { + "datePublished": "2024-12-12T19:25:43.988Z", + "dateReserved": "2024-12-12T15:00:38.902Z", + "dateUpdated": "2024-12-12T19:25:43.988Z", + "digest": "d86d392ef0592593abe9964509dd850b8d08b3d10fb88a75fd5eecf7bbb78651" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:amazon:opensearch_data_prepper:*:*:*:*:*:*:*:*" + ], + "packageName": "opensearch-project/data-prepper", + "product": "data-prepper", + "repo": "https://github.com/opensearch-project/data-prepper", + "vendor": "opensearch-project", + "versions": [ + { + "lessThan": "2.10.2", + "status": "affected", + "version": "2.1.0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-55888.json b/data/anchore/2024/CVE-2024-55888.json new file mode 100644 index 00000000..34b1a810 --- /dev/null +++ b/data/anchore/2024/CVE-2024-55888.json @@ -0,0 +1,43 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-55888", + "description": "Hush Line is an open-source whistleblower management system. Starting in version 0.1.0 and prior to version 0.3.5, the productions server appeared to have been misconfigured and missed providing any content security policy or security headers. This could result in bypassing of cross-site scripting filters. Version 0.3.5 fixed the issue.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/scidsg/hushline/security/advisories/GHSA-m592-g8qv-hrqx" + ], + "upstream": { + "datePublished": "2024-12-12T19:28:15.795Z", + "dateReserved": "2024-12-12T15:00:38.902Z", + "dateUpdated": "2024-12-12T19:28:15.795Z", + "digest": "34732e28adcd20243c63a3c802e016bcc8651890926b797e42ac84beea6fd492" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:hushline:hush_line:*:*:*:*:*:*:*:*" + ], + "packageName": "scidsg/hushline", + "product": "hushline", + "repo": "https://github.com/scidsg/hushline", + "vendor": "scidsg", + "versions": [ + { + "lessThan": "0.3.5", + "status": "affected", + "version": "0.1.0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8179.json b/data/anchore/2024/CVE-2024-8179.json new file mode 100644 index 00000000..098b46c2 --- /dev/null +++ b/data/anchore/2024/CVE-2024-8179.json @@ -0,0 +1,195 @@ +{ + "additionalMetadata": { + "cna": "gitlab", + "cveId": "CVE-2024-8179", + "description": "An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.com/gitlab-org/gitlab/-/issues/480718", + "https://hackerone.com/reports/2665929" + ], + "solutions": [ + "Upgrade to versions 17.4.6, 17.5.4, 17.6.2 or above." + ], + "upstream": { + "datePublished": "2024-12-12T12:03:04.799Z", + "dateReserved": "2024-08-26T15:01:57.308Z", + "dateUpdated": "2024-12-12T15:44:09.211Z", + "digest": "6ddda878288bee3bf29160abce8e84927bd9037226f716e54d9d22204847b155" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" + ], + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.4.6", + "status": "affected", + "version": "17.3", + "versionType": "semver" + } + ] + }, + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", + "cpe:2.3:a:gitlab:gitlab_enterprise:*:*:*:*:*:*:*:*" + ], + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.4.6", + "status": "affected", + "version": "17.3", + "versionType": "semver" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "deb", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.4.6", + "status": "affected", + "version": "17.3", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "rpm", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.4.6", + "status": "affected", + "version": "17.3", + "versionType": "rpm" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "deb", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.4.6", + "status": "affected", + "version": "17.3", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "rpm", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.4.6", + "status": "affected", + "version": "17.3", + "versionType": "rpm" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8233.json b/data/anchore/2024/CVE-2024-8233.json new file mode 100644 index 00000000..72c81852 --- /dev/null +++ b/data/anchore/2024/CVE-2024-8233.json @@ -0,0 +1,195 @@ +{ + "additionalMetadata": { + "cna": "gitlab", + "cveId": "CVE-2024-8233", + "description": "An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.com/gitlab-org/gitlab/-/issues/480867", + "https://hackerone.com/reports/2650086" + ], + "solutions": [ + "Upgrade to versions 17.6.2, 17.5.4, 17.4.6 or above." + ], + "upstream": { + "datePublished": "2024-12-12T12:02:59.800Z", + "dateReserved": "2024-08-27T14:30:53.997Z", + "dateUpdated": "2024-12-12T15:44:14.399Z", + "digest": "5548de8d27c098d8c6caea099a401a5424c357d9d5154ad9ece6eebeef352db7" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" + ], + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "9.4", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", + "cpe:2.3:a:gitlab:gitlab_enterprise:*:*:*:*:*:*:*:*" + ], + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "9.4", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "deb", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "9.4", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "rpm", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "9.4", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "deb", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "9.4", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "rpm", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "9.4", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8378.json b/data/anchore/2024/CVE-2024-8378.json index f3e0fa6b..57222abe 100644 --- a/data/anchore/2024/CVE-2024-8378.json +++ b/data/anchore/2024/CVE-2024-8378.json @@ -31,6 +31,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5d42dc6-047f-45ff-9a7a-5a7738f7dcb5?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8444.json b/data/anchore/2024/CVE-2024-8444.json index 70578980..10977d65 100644 --- a/data/anchore/2024/CVE-2024-8444.json +++ b/data/anchore/2024/CVE-2024-8444.json @@ -32,6 +32,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df93727c-2d2f-4e13-8c89-3ffb93975180?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-8647.json b/data/anchore/2024/CVE-2024-8647.json new file mode 100644 index 00000000..9aef6563 --- /dev/null +++ b/data/anchore/2024/CVE-2024-8647.json @@ -0,0 +1,195 @@ +{ + "additionalMetadata": { + "cna": "gitlab", + "cveId": "CVE-2024-8647", + "description": "An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.com/gitlab-org/gitlab/-/issues/486051", + "https://hackerone.com/reports/2666341" + ], + "solutions": [ + "Upgrade to versions 17.6.2, 17.5.4, 17.4.6 or above." + ], + "upstream": { + "datePublished": "2024-12-12T12:02:54.888Z", + "dateReserved": "2024-09-10T09:01:52.178Z", + "dateUpdated": "2024-12-12T15:44:19.905Z", + "digest": "efb0594fdd8f45fd27cff2e600df5d309d24619163ed6807a786b7b8d8f533ed" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" + ], + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "15.2", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", + "cpe:2.3:a:gitlab:gitlab_enterprise:*:*:*:*:*:*:*:*" + ], + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "15.2", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "deb", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "15.2", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "rpm", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "15.2", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "deb", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "15.2", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "rpm", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "15.2", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-9186.json b/data/anchore/2024/CVE-2024-9186.json index 5e91f2bb..66e43966 100644 --- a/data/anchore/2024/CVE-2024-9186.json +++ b/data/anchore/2024/CVE-2024-9186.json @@ -31,6 +31,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/011d654a-637f-418c-8bd3-e87fd889f1ab?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-9367.json b/data/anchore/2024/CVE-2024-9367.json new file mode 100644 index 00000000..d03ffd59 --- /dev/null +++ b/data/anchore/2024/CVE-2024-9367.json @@ -0,0 +1,195 @@ +{ + "additionalMetadata": { + "cna": "gitlab", + "cveId": "CVE-2024-9367", + "description": "An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate changelogs.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.com/gitlab-org/gitlab/-/issues/496631", + "https://hackerone.com/reports/2735311" + ], + "solutions": [ + "Upgrade to versions 17.6.2, 17.5.4, 17.4.6 or above." + ], + "upstream": { + "datePublished": "2024-12-12T12:02:44.837Z", + "dateReserved": "2024-09-30T20:01:54.639Z", + "dateUpdated": "2024-12-12T15:44:25.438Z", + "digest": "d6d2693860bafba44977e5b96a27251078d55d6c7ad80be79dbdff3e36341727" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" + ], + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.9", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", + "cpe:2.3:a:gitlab:gitlab_enterprise:*:*:*:*:*:*:*:*" + ], + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.9", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "deb", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.9", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "rpm", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.9", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "deb", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.9", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "rpm", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "13.9", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-9387.json b/data/anchore/2024/CVE-2024-9387.json new file mode 100644 index 00000000..667448a1 --- /dev/null +++ b/data/anchore/2024/CVE-2024-9387.json @@ -0,0 +1,195 @@ +{ + "additionalMetadata": { + "cna": "gitlab", + "cveId": "CVE-2024-9387", + "description": "An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://gitlab.com/gitlab-org/gitlab/-/issues/496659", + "https://hackerone.com/reports/2732235" + ], + "solutions": [ + "Upgrade to versions 17.4.6, 17.5.4, 17.6.2 or above." + ], + "upstream": { + "datePublished": "2024-12-12T12:02:39.825Z", + "dateReserved": "2024-09-30T22:30:39.828Z", + "dateUpdated": "2024-12-12T15:44:32.221Z", + "digest": "d493484f17f6c4699853dd876021cacdca26e8e08427e003aa6c034b7729f6ed" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" + ], + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.8", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "cpes": [ + "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", + "cpe:2.3:a:gitlab:gitlab_enterprise:*:*:*:*:*:*:*:*" + ], + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.8", + "versionType": "semver" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "semver" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "semver" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "deb", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.8", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee", + "packageName": "gitlab-ee", + "packageType": "rpm", + "product": "GitLab Enterprise", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.8", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "deb", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.8", + "versionType": "deb" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "deb" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "deb" + } + ] + }, + { + "collectionURL": "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce", + "packageName": "gitlab-ce", + "packageType": "rpm", + "product": "GitLab", + "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", + "vendor": "GitLab", + "versions": [ + { + "lessThan": "17.4.6", + "status": "affected", + "version": "11.8", + "versionType": "rpm" + }, + { + "lessThan": "17.5.4", + "status": "affected", + "version": "17.5", + "versionType": "rpm" + }, + { + "lessThan": "17.6.2", + "status": "affected", + "version": "17.6", + "versionType": "rpm" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-9428.json b/data/anchore/2024/CVE-2024-9428.json new file mode 100644 index 00000000..230062e4 --- /dev/null +++ b/data/anchore/2024/CVE-2024-9428.json @@ -0,0 +1,48 @@ +{ + "additionalMetadata": { + "cna": "wpscan", + "cveId": "CVE-2024-9428", + "description": "The Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://wpscan.com/vulnerability/6e246547-e509-48db-88ae-b2f943398377/" + ], + "upstream": { + "datePublished": "2024-12-12T06:00:18.844Z", + "dateReserved": "2024-10-02T04:30:05.742Z", + "dateUpdated": "2024-12-12T17:22:46.068Z", + "digest": "65b8e26e4149776061f2345c5cf5dc2bff1997d5fd4069076f5c98d88bc5872b" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:sygnoos:popup_builder:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "popup-builder", + "packageType": "wordpress-plugin", + "product": "Popup Builder", + "repo": "https://plugins.svn.wordpress.org/popup-builder", + "versions": [ + { + "lessThan": "4.3.5", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e5a29d8-f40e-4711-aaae-1aa01ebd11fe?source=cve" + } + ] + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-9508.json b/data/anchore/2024/CVE-2024-9508.json new file mode 100644 index 00000000..4649e3ce --- /dev/null +++ b/data/anchore/2024/CVE-2024-9508.json @@ -0,0 +1,45 @@ +{ + "additionalMetadata": { + "cna": "icscert", + "cveId": "CVE-2024-9508", + "description": "Horner Automation Cscape contains a memory corruption vulnerability, which \ncould allow an attacker to disclose information and execute arbitrary \ncode.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://hornerautomation.com/cscape-software-free/cscape-software/", + "https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-05" + ], + "solutions": [ + "Horner Automation recommends users update to Cscape v10 SP1 https://hornerautomation.com/cscape-software-free/cscape-software/ or later." + ], + "upstream": { + "datePublished": "2024-12-13T00:49:03.188Z", + "dateReserved": "2024-10-03T23:27:07.486Z", + "dateUpdated": "2024-12-13T00:49:03.188Z", + "digest": "f00fbdfb1d187cf6187254a9f90754379f8f49155893c76b0b9b62c3b3f9858e" + } + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:hornerautomation:cscape:*:*:*:*:*:*:*:*", + "cpe:2.3:a:hornerautomation:cscape_envisionrv:*:*:*:*:*:*:*:*" + ], + "product": "Cscape", + "vendor": "Horner Automation", + "versions": [ + { + "lessThanOrEqual": "10.0.363.1", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-9768.json b/data/anchore/2024/CVE-2024-9768.json index 071e6c05..e000d77e 100644 --- a/data/anchore/2024/CVE-2024-9768.json +++ b/data/anchore/2024/CVE-2024-9768.json @@ -34,6 +34,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f93f3c4-555c-4fb5-b4ad-b03cdba82fb8?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-9835.json b/data/anchore/2024/CVE-2024-9835.json index 8c3859f8..41561d15 100644 --- a/data/anchore/2024/CVE-2024-9835.json +++ b/data/anchore/2024/CVE-2024-9835.json @@ -31,6 +31,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbd6a4ee-49ea-4008-83ac-1a3c3ccdd4d4?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-9836.json b/data/anchore/2024/CVE-2024-9836.json index b7098d8b..5525e45c 100644 --- a/data/anchore/2024/CVE-2024-9836.json +++ b/data/anchore/2024/CVE-2024-9836.json @@ -31,6 +31,11 @@ "providerMetadata": { "orgId": "00000000-0000-4000-8000-000000000000", "shortName": "anchoreadp" - } + }, + "references": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/da3b8de2-f620-40a7-a44a-c4fcb6d57d8c?source=cve" + } + ] } } \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-9881.json b/data/anchore/2024/CVE-2024-9881.json new file mode 100644 index 00000000..b11574d9 --- /dev/null +++ b/data/anchore/2024/CVE-2024-9881.json @@ -0,0 +1,43 @@ +{ + "additionalMetadata": { + "cna": "wpscan", + "cveId": "CVE-2024-9881", + "description": "The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://wpscan.com/vulnerability/ec76f73a-7ad4-432d-8216-7cdb5603cef9/" + ], + "upstream": { + "datePublished": "2024-12-12T06:00:19.491Z", + "dateReserved": "2024-10-11T18:28:41.417Z", + "dateUpdated": "2024-12-12T17:21:08.999Z", + "digest": "396c7a7ece0d7f5cf905f53c2d10e8c578cf324eaf4699412d6e2e56fcc66de8" + } + }, + "adp": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "cpes": [ + "cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*" + ], + "packageName": "learnpress", + "packageType": "wordpress-plugin", + "product": "LearnPress", + "repo": "https://plugins.svn.wordpress.org/learnpress", + "versions": [ + { + "lessThan": "4.2.7.2", + "status": "affected", + "version": "0", + "versionType": "semver" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file