From 8d38b7264907108a9e3de441cd2ee50cfcdd2c65 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Fri, 5 Jan 2024 12:14:01 +0000 Subject: [PATCH] fix(rhel): filter flatpak entries 
Signed-off-by: Weston Steimel --- src/vunnel/providers/rhel/parser.py | 27 +- .../input/cve/full/CVE-2019-25059 | 45 +++ .../input/cve/full/CVE-2020-16587 | 42 +++ .../input/cve/full/CVE-2020-16588 | 42 +++ .../input/cve/full/CVE-2021-20298 | 41 +++ .../input/cve/full/CVE-2021-20299 | 41 +++ .../input/cve/full/CVE-2022-1921 | 58 ++++ .../input/cve/full/CVE-2022-1922 | 58 ++++ .../input/cve/full/CVE-2022-1923 | 58 ++++ .../input/cve/full/CVE-2022-1924 | 58 ++++ .../input/cve/full/CVE-2022-1925 | 58 ++++ .../input/cve/full/CVE-2022-2309 | 52 ++++ .../input/cve/full/CVE-2023-4863 | 256 +++++++++++++++++ .../input/cve/full/CVE-2023-5129 | 233 ++++++++++++++++ .../input/cve/full/CVE-2023-5217 | 257 ++++++++++++++++++ .../input/cve/min/CVE-2019-25059 | 1 + .../input/cve/min/CVE-2020-16587 | 1 + .../input/cve/min/CVE-2020-16588 | 1 + .../input/cve/min/CVE-2021-20298 | 1 + .../input/cve/min/CVE-2021-20299 | 1 + .../test-fixtures/input/cve/min/CVE-2022-1921 | 1 + .../test-fixtures/input/cve/min/CVE-2022-1922 | 1 + .../test-fixtures/input/cve/min/CVE-2022-1923 | 1 + .../test-fixtures/input/cve/min/CVE-2022-1924 | 1 + .../test-fixtures/input/cve/min/CVE-2022-1925 | 1 + .../test-fixtures/input/cve/min/CVE-2022-2309 | 1 + .../test-fixtures/input/cve/min/CVE-2023-4863 | 1 + .../test-fixtures/input/cve/min/CVE-2023-5129 | 1 + .../test-fixtures/input/cve/min/CVE-2023-5217 | 1 + .../input/rhsa/com.redhat.rhsa-all.xml | 144 ++++++++++ .../rhsa/com.redhat.rhsa-all.xml.sha256sum | 2 +- .../snapshots/rhel:6/cve-2020-16587.json | 1 + .../snapshots/rhel:6/cve-2020-16588.json | 1 + .../snapshots/rhel:6/cve-2021-20298.json | 1 + .../snapshots/rhel:6/cve-2021-20299.json | 1 + .../snapshots/rhel:6/cve-2022-1921.json | 1 + .../snapshots/rhel:6/cve-2022-1922.json | 1 + .../snapshots/rhel:6/cve-2022-1923.json | 1 + .../snapshots/rhel:6/cve-2022-1924.json | 1 + .../snapshots/rhel:6/cve-2022-1925.json | 1 + .../snapshots/rhel:6/cve-2023-4863.json | 1 + .../snapshots/rhel:6/cve-2023-5129.json | 1 
+ .../snapshots/rhel:6/cve-2023-5217.json | 1 + .../snapshots/rhel:7/cve-2020-16587.json | 1 + .../snapshots/rhel:7/cve-2020-16588.json | 1 + .../snapshots/rhel:7/cve-2021-20298.json | 1 + .../snapshots/rhel:7/cve-2021-20299.json | 1 + .../snapshots/rhel:7/cve-2022-1921.json | 1 + .../snapshots/rhel:7/cve-2022-1922.json | 1 + .../snapshots/rhel:7/cve-2022-1923.json | 1 + .../snapshots/rhel:7/cve-2022-1924.json | 1 + .../snapshots/rhel:7/cve-2022-1925.json | 1 + .../snapshots/rhel:7/cve-2023-4863.json | 1 + .../snapshots/rhel:7/cve-2023-5129.json | 1 + .../snapshots/rhel:7/cve-2023-5217.json | 1 + .../snapshots/rhel:8/cve-2019-25059.json | 1 + .../snapshots/rhel:8/cve-2020-16587.json | 1 + .../snapshots/rhel:8/cve-2021-20298.json | 1 + .../snapshots/rhel:8/cve-2021-20299.json | 1 + .../snapshots/rhel:8/cve-2022-1921.json | 1 + .../snapshots/rhel:8/cve-2022-1922.json | 1 + .../snapshots/rhel:8/cve-2022-1923.json | 1 + .../snapshots/rhel:8/cve-2022-1924.json | 1 + .../snapshots/rhel:8/cve-2022-1925.json | 1 + .../snapshots/rhel:8/cve-2023-4863.json | 1 + .../snapshots/rhel:8/cve-2023-5129.json | 1 + .../snapshots/rhel:8/cve-2023-5217.json | 1 + .../snapshots/rhel:9/cve-2019-25059.json | 1 + .../snapshots/rhel:9/cve-2022-1921.json | 1 + .../snapshots/rhel:9/cve-2022-1922.json | 1 + .../snapshots/rhel:9/cve-2022-1923.json | 1 + .../snapshots/rhel:9/cve-2022-1924.json | 1 + .../snapshots/rhel:9/cve-2022-1925.json | 1 + .../snapshots/rhel:9/cve-2022-2309.json | 1 + .../snapshots/rhel:9/cve-2023-4863.json | 1 + .../snapshots/rhel:9/cve-2023-5129.json | 1 + .../snapshots/rhel:9/cve-2023-5217.json | 1 + tests/unit/providers/rhel/test_rhel.py | 23 +- 78 files changed, 1524 insertions(+), 31 deletions(-) create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2019-25059 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16587 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16588 create 
mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20298 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20299 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1921 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1922 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1923 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1924 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1925 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-2309 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-4863 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-5129 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-5217 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2019-25059 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2020-16587 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2020-16588 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2021-20298 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2021-20299 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1921 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1922 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1923 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1924 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1925 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-2309 create mode 100644 
tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-4863 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-5129 create mode 100644 tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-5217 create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2020-16587.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2020-16588.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2021-20298.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2021-20299.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1921.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1922.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1923.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1924.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1925.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-4863.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-5129.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-5217.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2020-16587.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2020-16588.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2021-20298.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2021-20299.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1921.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1922.json create mode 100644 
tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1923.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1924.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1925.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-4863.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-5129.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-5217.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2019-25059.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2020-16587.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2021-20298.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2021-20299.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1921.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1922.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1923.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1924.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1925.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-4863.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-5129.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-5217.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2019-25059.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1921.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1922.json create mode 100644 
tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1923.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1924.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1925.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-2309.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-4863.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-5129.json create mode 100644 tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-5217.json
diff --git a/src/vunnel/providers/rhel/parser.py b/src/vunnel/providers/rhel/parser.py
index 17496603..2f7a617b 100644
--- a/src/vunnel/providers/rhel/parser.py
+++ b/src/vunnel/providers/rhel/parser.py
@@ -610,7 +610,18 @@ def _parse_affected_release(self, cve_id: str, content) -> list[FixedIn]: # noq
         return fixed_ins
 
-    def _parse_package_state(self, cve_id: str, fixed: list[FixedIn], content) -> list[FixedIn]: # noqa: C901
+    def _parse_package_name_and_module(self, item: dict) -> tuple[str | None, str | None]:
+        package_name = item.get("package_name", None)
+        module = None
+
+        if package_name and "/" in package_name:
+            components = package_name.split("/")
+            package_name = components[1]
+            module = components[0]
+
+        return package_name, module
+
+    def _parse_package_state(self, cve_id: str, content) -> list[FixedIn]: # noqa: C901
         affected: list[FixedIn] = []
         out_of_support: list[FixedIn] = [] # Track items out of support to be able to add them if others are affected
         pss = content.get("package_state", [])
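Review bot: `_parse_package_name_and_module` indexes `components[1]` after an unbounded `split("/")`, so a value with two separators keeps only the middle segment and a trailing-slash value yields an empty package name; both are dropped silently, which in a vulnerability feed means a missed match rather than a visible error. The fixtures only show the single-separator `module:stream/package` shape (`gimp:flatpak/ghostscript`), so this is a hardening point rather than a reproduced bug. Inside the existing `if`, `module, _, package_name = package_name.partition("/")` keeps the remainder intact with one line instead of three; whether any extra `/` belongs to the package or the module is a Red Hat format question to confirm first. The new method also has no docstring; I'd add `"""Split a ``module:stream/package`` value into ``(package_name, module)``; module is None when there is no ``/``."""`.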
@@ -628,18 +639,16 @@ def _parse_package_state(self, cve_id: str, fixed: list[FixedIn], content) -> li
             if not platform or f"{namespace}:{platform}" in self.skip_namespaces:
                 continue
 
-            package_name = item.get("package_name", None)
-            module = None
-
-            if "/" in package_name:
-                components = package_name.split("/")
-                package_name = components[1]
-                module = components[0]
+            package_name, module = self._parse_package_name_and_module(item)
 
             if not package_name:
                 self.logger.debug(f"package state package_name missing for {cve_id} platform {platform}")
                 continue
 
+            if module and module.endswith(":flatpak"):
+                self.logger.debug(f"skipping flatpak entry {package_name} for {cve_id} platform {platform}")
+                continue
+
             state = item.get("fix_state", None)
             if state in ["Affected", "Fix deferred"]:
                 affected.append(
@@ -713,7 +722,7 @@ def _parse_cve(self, cve_id, content): # noqa: C901, PLR0912, PLR0915
         results = []
         platform_artifacts = {}
         fins = self._parse_affected_release(cve_id, content)
-        nfins = self._parse_package_state(cve_id, fins, content)
+        nfins = self._parse_package_state(cve_id, content)
         platform_package_module_tuples = set()
 
         if fins or nfins:
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2019-25059 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2019-25059
new file mode 100644
index 00000000..99809463
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2019-25059
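Review bot: The new skip drops any entry whose module stream ends in the bare literal `":flatpak"` with no comment on why, and the dropped records include `Affected` states (the fixtures carry `libreoffice:flatpak/gstreamer1-plugins-good` as `Affected` for RHEL 9), so a future reader could reasonably "restore" them. I'd put the rationale above the check: `# flatpak-stream entries describe the copy bundled inside a flatpak image, not the RPM; the RPM's own state is a separate entry, so these would only produce spurious matches` (that reading is inferred from the fixtures — confirm against the Red Hat data). Since the decision is logged only at debug level, consider also counting skipped entries so a sudden change in the feed is visible without enabling debug logging, and lifting `":flatpak"` into a named constant. The enclosing loop and `_parse_package_state` itself start and end outside this hunk.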
@@ -0,0 +1,45 @@ +{ + "threat_severity" : "Moderate", + "public_date" : "2022-04-25T00:00:00Z", + "bugzilla" : { + "description" : "Mishandling of .completefont (incomplete fix for CVE-2019-3839)", + "id" : "2078491", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2078491" + }, + "cvss3" : { + "cvss3_base_score" : "7.8", + "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "status" : "draft" + }, + "cwe" : "CWE-1173", + "details" : [ "Artifex Ghostscript through 9.26 mishandles .completefont. NOTE: this issue exists because of an incomplete fix for CVE-2019-3839." ], + "package_state" : [ { + "product_name" : "Red Hat Enterprise Linux 6", + "fix_state" : "Not affected", + "package_name" : "ghostscript", + "cpe" : "cpe:/o:redhat:enterprise_linux:6" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Not affected", + "package_name" : "ghostscript", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "ghostscript", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "gimp:flatpak/ghostscript", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "fix_state" : "Will not fix", + "package_name" : "ghostscript", + "cpe" : "cpe:/o:redhat:enterprise_linux:9" + } ], + "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-25059\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-25059" ], + "name" : "CVE-2019-25059", + "csaw" : false +} diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16587 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16587 new file mode 100644 index 00000000..8e2589fd --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16587 
@@ -0,0 +1,42 @@ +{ + "threat_severity" : "Low", + "public_date" : "2020-12-10T00:00:00Z", + "bugzilla" : { + "description" : "CVE-2020-16587 OpenEXR: A heap-based buffer overflow in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp could result in a DOS via a crafted EXR file", + "id" : "1929320", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1929320" + }, + "cvss3" : { + "cvss3_base_score" : "5.5", + "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "status" : "draft" + }, + "cwe" : "CWE-787", + "details" : [ "A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file." ], + "statement" : "This flaw is out of support scope for OpenEXR as shipped with Red Hat Enterprise Linux 6 and 7. For more information on Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata/ .", + "package_state" : [ { + "product_name" : "Red Hat Enterprise Linux 6", + "fix_state" : "Out of support scope", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:6" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Out of support scope", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "gimp:flatpak/OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + } ], + "upstream_fix" : "openexr 2.4.0", + "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-16587\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-16587\nhttps://github.com/AcademySoftwareFoundation/openexr/commit/8b5370c688a7362673c3a5256d93695617a4cd9a" ], + "name" : 
"CVE-2020-16587", + "csaw" : false +} diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16588 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16588 new file mode 100644 index 00000000..f7869959 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16588 
@@ -0,0 +1,42 @@ +{ + "threat_severity" : "Low", + "public_date" : "2020-12-10T00:00:00Z", + "bugzilla" : { + "description" : "CVE-2020-16588 OpenEXR: A Null Pointer Deference in generatePreview in makePreview.cpp could result in a DOS via a crafted EXR file", + "id" : "1929315", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1929315" + }, + "cvss3" : { + "cvss3_base_score" : "5.5", + "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "status" : "draft" + }, + "cwe" : "CWE-476", + "details" : [ "A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file." ], + "statement" : "This flaw does not affect Red Hat Enterprise Linux 8 because the vulnerable exrmakepreview program is not shipped.", + "package_state" : [ { + "product_name" : "Red Hat Enterprise Linux 6", + "fix_state" : "Out of support scope", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:6" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Out of support scope", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "gimp:flatpak/OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Not affected", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + } ], + "upstream_fix" : "openexr 2.4.0", + "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-16588\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-16588\nhttps://github.com/AcademySoftwareFoundation/openexr/commit/74504503cff86e986bac441213c403b0ba28d58f\nhttps://github.com/AcademySoftwareFoundation/openexr/issues/493" ], + "name" : "CVE-2020-16588", + "csaw" : false +} 
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20298 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20298 new file mode 100644 index 00000000..6577921d --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20298 
@@ -0,0 +1,41 @@ +{ + "threat_severity" : "Low", + "public_date" : "2021-02-15T00:00:00Z", + "bugzilla" : { + "description" : "CVE-2021-20298 OpenEXR: Out-of-memory in B44Compressor", + "id" : "1939156", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1939156" + }, + "cvss3" : { + "cvss3_base_score" : "7.5", + "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "status" : "draft" + }, + "cwe" : "CWE-787", + "details" : [ "A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.", "A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability." ], + "package_state" : [ { + "product_name" : "Red Hat Enterprise Linux 6", + "fix_state" : "Out of support scope", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:6" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Out of support scope", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "gimp:flatpak/OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + } ], + "upstream_fix" : "OpenEXR 3.0.0-beta", + "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-20298\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20298" ], + "name" : "CVE-2021-20298", + "csaw" : false +} 
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20299 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20299 new file mode 100644 index 00000000..fdac3f46 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20299 
@@ -0,0 +1,41 @@ +{ + "threat_severity" : "Low", + "public_date" : "2021-02-15T00:00:00Z", + "bugzilla" : { + "description" : "CVE-2021-20299 OpenEXR: Null-dereference READ in Imf_2_5::Header::operator", + "id" : "1939154", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1939154" + }, + "cvss3" : { + "cvss3_base_score" : "7.5", + "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "status" : "draft" + }, + "cwe" : "CWE-476", + "details" : [ "A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.", "A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability." ], + "package_state" : [ { + "product_name" : "Red Hat Enterprise Linux 6", + "fix_state" : "Out of support scope", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:6" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Out of support scope", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "gimp:flatpak/OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "OpenEXR", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + } ], + "upstream_fix" : "OpenEXR 3.0.0-beta", + "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-20299\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20299" ], + "name" : "CVE-2021-20299", + "csaw" : false +} 
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1921 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1921 new file mode 100644 index 00000000..27f41600 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1921 
@@ -0,0 +1,58 @@ +{ + "threat_severity" : "Moderate", + "public_date" : "2022-05-17T00:00:00Z", + "bugzilla" : { + "description" : "Heap-based buffer overflow in the avi demuxer when handling certain AVI files", + "id" : "2130949", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2130949" + }, + "cvss3" : { + "cvss3_base_score" : "7.8", + "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "status" : "verified" + }, + "cwe" : "CWE-190", + "details" : [ "Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.", "A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the avi demuxer when processing a specially crafted AVI file. This vulnerability can result in application crash, memory corruption, and code execution." ], + "affected_release" : [ { + "product_name" : "Red Hat Enterprise Linux 9", + "release_date" : "2023-05-09T00:00:00Z", + "advisory" : "RHSA-2023:2260", + "cpe" : "cpe:/a:redhat:enterprise_linux:9", + "package" : "gstreamer1-plugins-good-0:1.18.4-6.el9" + } ], + "package_state" : [ { + "product_name" : "Red Hat Enterprise Linux 6", + "fix_state" : "Out of support scope", + "package_name" : "gstreamer-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:6" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Out of support scope", + "package_name" : "gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Out of support scope", + "package_name" : "gstreamer-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 
8", + "fix_state" : "Will not fix", + "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "fix_state" : "Affected", + "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:9" + } ], + "upstream_fix" : "gstreamer-plugins-good 1.20.3", + "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-1921\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1921\nhttps://gstreamer.freedesktop.org/security/sa-2022-0001.html" ], + "name" : "CVE-2022-1921", + "csaw" : false +} diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1922 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1922 new file mode 100644 index 00000000..5cd435ca --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1922 
@@ -0,0 +1,58 @@ +{ + "threat_severity" : "Moderate", + "public_date" : "2022-05-18T00:00:00Z", + "bugzilla" : { + "description" : "Potential heap overwrite in mkv demuxing using zlib decompression", + "id" : "2130955", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2130955" + }, + "cvss3" : { + "cvss3_base_score" : "7.8", + "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "status" : "verified" + }, + "cwe" : "CWE-190", + "details" : [ "DOS / potential heap overwrite in mkv demuxing using zlib decompression. Integer overflow in matroskademux element in gst_matroska_decompress_data function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.", "A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using zlib decompression. This vulnerability can result in application crash, memory corruption, and code execution." 
], + "affected_release" : [ { + "product_name" : "Red Hat Enterprise Linux 9", + "release_date" : "2023-05-09T00:00:00Z", + "advisory" : "RHSA-2023:2260", + "cpe" : "cpe:/a:redhat:enterprise_linux:9", + "package" : "gstreamer1-plugins-good-0:1.18.4-6.el9" + } ], + "package_state" : [ { + "product_name" : "Red Hat Enterprise Linux 6", + "fix_state" : "Out of support scope", + "package_name" : "gstreamer-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:6" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Out of support scope", + "package_name" : "gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Out of support scope", + "package_name" : "gstreamer-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "fix_state" : "Affected", + "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:9" + } ], + "upstream_fix" : "gstreamer-plugins-good 1.20.3", + "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-1922\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1922\nhttps://gstreamer.freedesktop.org/security/sa-2022-0002.html" ], + "name" : "CVE-2022-1922", + "csaw" : false +} diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1923 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1923 new file mode 100644 index 00000000..f65c602a --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1923 
@@ -0,0 +1,58 @@ +{ + "threat_severity" : "Moderate", + "public_date" : "2022-05-18T00:00:00Z", + "bugzilla" : { + "description" : "Potential heap overwrite in mkv demuxing using bz2 decompression", + "id" : "2130959", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2130959" + }, + "cvss3" : { + "cvss3_base_score" : "7.8", + "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "status" : "verified" + }, + "cwe" : "CWE-190", + "details" : [ "DOS / potential heap overwrite in mkv demuxing using bzip decompression. Integer overflow in matroskademux element in bzip decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.", "A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using bzip decompression. This vulnerability can result in application crash, memory corruption, and code execution." 
], + "affected_release" : [ { + "product_name" : "Red Hat Enterprise Linux 9", + "release_date" : "2023-05-09T00:00:00Z", + "advisory" : "RHSA-2023:2260", + "cpe" : "cpe:/a:redhat:enterprise_linux:9", + "package" : "gstreamer1-plugins-good-0:1.18.4-6.el9" + } ], + "package_state" : [ { + "product_name" : "Red Hat Enterprise Linux 6", + "fix_state" : "Out of support scope", + "package_name" : "gstreamer-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:6" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Out of support scope", + "package_name" : "gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Out of support scope", + "package_name" : "gstreamer-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "fix_state" : "Will not fix", + "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:8" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "fix_state" : "Affected", + "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good", + "cpe" : "cpe:/o:redhat:enterprise_linux:9" + } ], + "upstream_fix" : "gstreamer-plugins-good 1.20.3", + "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-1923\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1923\nhttps://gstreamer.freedesktop.org/security/sa-2022-0002.html" ], + "name" : "CVE-2022-1923", + "csaw" : false +} diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1924 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1924 new file mode 100644 index 00000000..7faf60b1 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1924 
@@ -0,0 +1,58 @@
+{
+ "threat_severity" : "Moderate",
+ "public_date" : "2022-05-18T00:00:00Z",
+ "bugzilla" : {
+ "description" : "Potential heap overwrite in mkv demuxing using lzo decompression",
+ "id" : "2131003",
+ "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2131003"
+ },
+ "cvss3" : {
+ "cvss3_base_score" : "7.8",
+ "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "status" : "verified"
+ },
+ "cwe" : "CWE-190",
+ "details" : [ "DOS / potential heap overwrite in mkv demuxing using lzo decompression. Integer overflow in matroskademux element in lzo decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.", "A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using lzo decompression. This vulnerability can result in application crash, memory corruption, and code execution." ],
+ "affected_release" : [ {
+ "product_name" : "Red Hat Enterprise Linux 9",
+ "release_date" : "2023-05-09T00:00:00Z",
+ "advisory" : "RHSA-2023:2260",
+ "cpe" : "cpe:/a:redhat:enterprise_linux:9",
+ "package" : "gstreamer1-plugins-good-0:1.18.4-6.el9"
+ } ],
+ "package_state" : [ {
+ "product_name" : "Red Hat Enterprise Linux 6",
+ "fix_state" : "Out of support scope",
+ "package_name" : "gstreamer-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:6"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 7",
+ "fix_state" : "Out of support scope",
+ "package_name" : "gstreamer1-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 7",
+ "fix_state" : "Out of support scope",
+ "package_name" : "gstreamer-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8",
+ "fix_state" : "Will not fix",
+ "package_name" : "gstreamer1-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8",
+ "fix_state" : "Will not fix",
+ "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 9",
+ "fix_state" : "Affected",
+ "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:9"
+ } ],
+ "upstream_fix" : "gstreamer-plugins-good 1.20.3",
+ "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-1924\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1924\nhttps://gstreamer.freedesktop.org/security/sa-2022-0002.html" ],
+ "name" : "CVE-2022-1924",
+ "csaw" : false
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1925 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1925
new file mode 100644
index 00000000..24ee82a8
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1925
@@ -0,0 +1,58 @@
+{
+ "threat_severity" : "Moderate",
+ "public_date" : "2022-05-18T00:00:00Z",
+ "bugzilla" : {
+ "description" : "Potential heap overwrite in mkv demuxing using HEADERSTRIP decompression",
+ "id" : "2131007",
+ "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2131007"
+ },
+ "cvss3" : {
+ "cvss3_base_score" : "7.8",
+ "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "status" : "verified"
+ },
+ "cwe" : "CWE-190->CWE-122",
+ "details" : [ "DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. Integer overflow in matroskaparse element in gst_matroska_decompress_data function which causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered, however the matroskaparse element has no size checks.", "A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using HEADERSTRIP decompression. This vulnerability can result in application crash, memory corruption, and code execution." ],
+ "affected_release" : [ {
+ "product_name" : "Red Hat Enterprise Linux 9",
+ "release_date" : "2023-05-09T00:00:00Z",
+ "advisory" : "RHSA-2023:2260",
+ "cpe" : "cpe:/a:redhat:enterprise_linux:9",
+ "package" : "gstreamer1-plugins-good-0:1.18.4-6.el9"
+ } ],
+ "package_state" : [ {
+ "product_name" : "Red Hat Enterprise Linux 6",
+ "fix_state" : "Out of support scope",
+ "package_name" : "gstreamer-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:6"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 7",
+ "fix_state" : "Out of support scope",
+ "package_name" : "gstreamer1-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 7",
+ "fix_state" : "Out of support scope",
+ "package_name" : "gstreamer-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8",
+ "fix_state" : "Will not fix",
+ "package_name" : "gstreamer1-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8",
+ "fix_state" : "Will not fix",
+ "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 9",
+ "fix_state" : "Affected",
+ "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:9"
+ } ],
+ "upstream_fix" : "gstreamer-plugins-good 1.20.3",
+ "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-1925\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1925\nhttps://gstreamer.freedesktop.org/security/sa-2022-0002.html" ],
+ "name" : "CVE-2022-1925",
+ "csaw" : false
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-2309 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-2309
new file mode 100644
index 00000000..79541735
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-2309
@@ -0,0 +1,52 @@
+{
+ "threat_severity" : "Moderate",
+ "public_date" : "2022-07-05T00:00:00Z",
+ "bugzilla" : {
+ "description" : "CVE-2022-2309 lxml: NULL Pointer Dereference in lxml",
+ "id" : "2107571",
+ "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2107571"
+ },
+ "cvss3" : {
+ "cvss3_base_score" : "7.5",
+ "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+ "status" : "verified"
+ },
+ "cwe" : "CWE-476",
+ "details" : [ "NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.", "A NULL Pointer dereference vulnerability found in lxml, caused by the iterwalk function (also used by the canonicalize function). This flaw can lead to a crash when the incorrect parser input occurs together with usages." ],
+ "affected_release" : [ {
+ "product_name" : "Red Hat Enterprise Linux 9",
+ "release_date" : "2022-11-15T00:00:00Z",
+ "advisory" : "RHSA-2022:8226",
+ "cpe" : "cpe:/a:redhat:enterprise_linux:9",
+ "package" : "python-lxml-0:4.6.5-3.el9"
+ } ],
+ "package_state" : [ {
+ "product_name" : "Red Hat Enterprise Linux 8",
+ "fix_state" : "Not affected",
+ "package_name" : "python38:3.8/python-lxml",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8",
+ "fix_state" : "Not affected",
+ "package_name" : "python39:3.9/python-lxml",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8",
+ "fix_state" : "Not affected",
+ "package_name" : "python-lxml",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 9",
+ "fix_state" : "Affected",
+ "package_name" : "inkscape:flatpak/python-lxml",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:9"
+ }, {
+ "product_name" : "Red Hat Software Collections",
+ "fix_state" : "Not affected",
+ "package_name" : "rh-python38-python-lxml",
+ "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
+ } ],
+ "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-2309\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2309" ],
+ "name" : "CVE-2022-2309",
+ "csaw" : false
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-4863 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-4863
new file mode 100644
index 00000000..c3c27a2d
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-4863
@@ -0,0 +1,256 @@ +{ + "threat_severity" : "Important", + "public_date" : "2023-09-11T00:00:00Z", + "bugzilla" : { + "description" : "libwebp: Heap buffer overflow in WebP Codec", + "id" : "2238431", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2238431" + }, + "cvss3" : { + "cvss3_base_score" : "9.6", + "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "status" : "verified" + }, + "cwe" : "CWE-122", + "details" : [ "Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)", "A heap-based buffer flaw was found in the way libwebp, a library used to process \"WebP\" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library." ], + "statement" : "This security issue has been classified as having an Important security impact. Desktop users are at a high risk of exploitation of this flaw with very minimal interaction. 
It may compromise the confidentiality, integrity, or availability of resources.\nCustomers using this application, which does server-side image processing by linking to the libwebp library, are also potentially impacted by this flaw and are advised to update to the fixed versions of the package.", + "affected_release" : [ { + "product_name" : "Red Hat Enterprise Linux 7", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5191", + "cpe" : "cpe:/o:redhat:enterprise_linux:7", + "package" : "thunderbird-0:102.15.1-1.el7_9" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5197", + "cpe" : "cpe:/o:redhat:enterprise_linux:7", + "package" : "firefox-0:102.15.1-1.el7_9" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5184", + "cpe" : "cpe:/a:redhat:enterprise_linux:8", + "package" : "firefox-0:102.15.1-1.el8_8" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5201", + "cpe" : "cpe:/a:redhat:enterprise_linux:8", + "package" : "thunderbird-0:102.15.1-1.el8_8" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "release_date" : "2023-09-20T00:00:00Z", + "advisory" : "RHSA-2023:5309", + "cpe" : "cpe:/a:redhat:enterprise_linux:8", + "package" : "libwebp-0:1.0.0-8.el8_8.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5183", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.1", + "package" : "firefox-0:102.15.1-1.el8_1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5188", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.1", + "package" : "thunderbird-0:102.15.1-1.el8_1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.1 Update 
Services for SAP Solutions", + "release_date" : "2023-09-19T00:00:00Z", + "advisory" : "RHSA-2023:5236", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.1", + "package" : "libwebp-0:1.0.0-5.2.el8_1.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5186", + "cpe" : "cpe:/a:redhat:rhel_aus:8.2", + "package" : "thunderbird-0:102.15.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5187", + "cpe" : "cpe:/a:redhat:rhel_aus:8.2", + "package" : "firefox-0:102.15.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5190", + "cpe" : "cpe:/a:redhat:rhel_aus:8.2", + "package" : "libwebp-0:1.0.0-7.el8_2.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5186", + "cpe" : "cpe:/a:redhat:rhel_tus:8.2", + "package" : "thunderbird-0:102.15.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5187", + "cpe" : "cpe:/a:redhat:rhel_tus:8.2", + "package" : "firefox-0:102.15.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5190", + "cpe" : "cpe:/a:redhat:rhel_tus:8.2", + "package" : "libwebp-0:1.0.0-7.el8_2.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5186", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.2", + "package" : "thunderbird-0:102.15.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Update Services 
for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5187", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.2", + "package" : "firefox-0:102.15.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5190", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.2", + "package" : "libwebp-0:1.0.0-7.el8_2.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5185", + "cpe" : "cpe:/a:redhat:rhel_aus:8.4", + "package" : "thunderbird-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5192", + "cpe" : "cpe:/a:redhat:rhel_aus:8.4", + "package" : "firefox-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", + "release_date" : "2023-09-19T00:00:00Z", + "advisory" : "RHSA-2023:5222", + "cpe" : "cpe:/a:redhat:rhel_aus:8.4", + "package" : "libwebp-0:1.0.0-7.el8_4.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5185", + "cpe" : "cpe:/a:redhat:rhel_tus:8.4", + "package" : "thunderbird-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5192", + "cpe" : "cpe:/a:redhat:rhel_tus:8.4", + "package" : "firefox-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", + "release_date" : "2023-09-19T00:00:00Z", + "advisory" : "RHSA-2023:5222", + "cpe" : "cpe:/a:redhat:rhel_tus:8.4", + "package" : "libwebp-0:1.0.0-7.el8_4.1" + }, { + "product_name" : "Red Hat 
Enterprise Linux 8.4 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5185", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.4", + "package" : "thunderbird-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5192", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.4", + "package" : "firefox-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", + "release_date" : "2023-09-19T00:00:00Z", + "advisory" : "RHSA-2023:5222", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.4", + "package" : "libwebp-0:1.0.0-7.el8_4.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5189", + "cpe" : "cpe:/a:redhat:rhel_eus:8.6", + "package" : "libwebp-0:1.0.0-7.el8_6.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5198", + "cpe" : "cpe:/a:redhat:rhel_eus:8.6", + "package" : "firefox-0:102.15.1-1.el8_6" + }, { + "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5202", + "cpe" : "cpe:/a:redhat:rhel_eus:8.6", + "package" : "thunderbird-0:102.15.1-1.el8_6" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5200", + "cpe" : "cpe:/a:redhat:enterprise_linux:9", + "package" : "firefox-0:102.15.1-1.el9_2" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "release_date" : "2023-09-19T00:00:00Z", + "advisory" : "RHSA-2023:5214", + "cpe" : "cpe:/a:redhat:enterprise_linux:9", + "package" : "libwebp-0:1.2.0-7.el9_2" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "release_date" : "2023-09-19T00:00:00Z", + "advisory" : 
"RHSA-2023:5224", + "cpe" : "cpe:/a:redhat:enterprise_linux:9", + "package" : "thunderbird-0:102.15.1-1.el9_2" + }, { + "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5204", + "cpe" : "cpe:/a:redhat:rhel_eus:9.0", + "package" : "libwebp-0:1.2.0-6.el9_0" + }, { + "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5205", + "cpe" : "cpe:/a:redhat:rhel_eus:9.0", + "package" : "firefox-0:102.15.1-1.el9_0" + }, { + "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support", + "release_date" : "2023-09-19T00:00:00Z", + "advisory" : "RHSA-2023:5223", + "cpe" : "cpe:/a:redhat:rhel_eus:9.0", + "package" : "thunderbird-0:102.15.1-1.el9_0" + } ], + "package_state" : [ { + "product_name" : "Red Hat Enterprise Linux 6", + "fix_state" : "Out of support scope", + "package_name" : "firefox", + "cpe" : "cpe:/o:redhat:enterprise_linux:6" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Not affected", + "package_name" : "libwebp", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "fix_state" : "Affected", + "package_name" : "firefox:flatpak/firefox", + "cpe" : "cpe:/o:redhat:enterprise_linux:9" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "fix_state" : "Affected", + "package_name" : "thunderbird:flatpak/thunderbird", + "cpe" : "cpe:/o:redhat:enterprise_linux:9" + } ], + "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-4863\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4863\nhttps://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-40/" ], + "csaw" : true, + "name" : "CVE-2023-4863", + "mitigation" : { + "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red 
Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", + "lang" : "en:us" + } +} diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-5129 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-5129 new file mode 100644 index 00000000..556f4408 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-5129 
@@ -0,0 +1,233 @@ +{ + "public_date" : "2023-09-25T00:00:00Z", + "bugzilla" : { + "description" : "libwebp: out-of-bounds write with a specially crafted WebP lossless file", + "id" : "2240759", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2240759" + }, + "cvss3" : { + "cvss3_base_score" : "0.0", + "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N", + "status" : "verified" + }, + "cwe" : "CWE-122", + "details" : [ "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Duplicate of CVE-2023-4863.", "This CVE ID has been rejected by its CVE Numbering Authority. Duplicate of CVE-2023-4863." ], + "statement" : "This flaw was found to be a duplicate of CVE-2023-4863. Please see https://access.redhat.com/security/cve/CVE-2023-4863 for information about affected products and security errata.", + "affected_release" : [ { + "product_name" : "Red Hat Enterprise Linux 7", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5191", + "cpe" : "cpe:/o:redhat:enterprise_linux:7", + "package" : "thunderbird-0:102.15.1-1.el7_9" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5197", + "cpe" : "cpe:/o:redhat:enterprise_linux:7", + "package" : "firefox-0:102.15.1-1.el7_9" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5184", + "cpe" : "cpe:/a:redhat:enterprise_linux:8", + "package" : "firefox-0:102.15.1-1.el8_8" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5201", + "cpe" : "cpe:/a:redhat:enterprise_linux:8", + "package" : "thunderbird-0:102.15.1-1.el8_8" + }, { + "product_name" : "Red Hat Enterprise Linux 8", + "release_date" : "2023-09-20T00:00:00Z", + "advisory" : "RHSA-2023:5309", + "cpe" : "cpe:/a:redhat:enterprise_linux:8", + "package" : "libwebp-0:1.0.0-8.el8_8.1" + }, { + 
"product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5183", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.1", + "package" : "firefox-0:102.15.1-1.el8_1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5188", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.1", + "package" : "thunderbird-0:102.15.1-1.el8_1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", + "release_date" : "2023-09-19T00:00:00Z", + "advisory" : "RHSA-2023:5236", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.1", + "package" : "libwebp-0:1.0.0-5.2.el8_1.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5186", + "cpe" : "cpe:/a:redhat:rhel_aus:8.2", + "package" : "thunderbird-0:102.15.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5187", + "cpe" : "cpe:/a:redhat:rhel_aus:8.2", + "package" : "firefox-0:102.15.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5190", + "cpe" : "cpe:/a:redhat:rhel_aus:8.2", + "package" : "libwebp-0:1.0.0-7.el8_2.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5186", + "cpe" : "cpe:/a:redhat:rhel_tus:8.2", + "package" : "thunderbird-0:102.15.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5187", + "cpe" : "cpe:/a:redhat:rhel_tus:8.2", + "package" : "firefox-0:102.15.1-1.el8_2" + }, { + 
"product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5190", + "cpe" : "cpe:/a:redhat:rhel_tus:8.2", + "package" : "libwebp-0:1.0.0-7.el8_2.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5186", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.2", + "package" : "thunderbird-0:102.15.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5187", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.2", + "package" : "firefox-0:102.15.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5190", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.2", + "package" : "libwebp-0:1.0.0-7.el8_2.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5185", + "cpe" : "cpe:/a:redhat:rhel_aus:8.4", + "package" : "thunderbird-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5192", + "cpe" : "cpe:/a:redhat:rhel_aus:8.4", + "package" : "firefox-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5185", + "cpe" : "cpe:/a:redhat:rhel_tus:8.4", + "package" : "thunderbird-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5192", + "cpe" : "cpe:/a:redhat:rhel_tus:8.4", + "package" : 
"firefox-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5185", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.4", + "package" : "thunderbird-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5192", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.4", + "package" : "firefox-0:102.15.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5189", + "cpe" : "cpe:/a:redhat:rhel_eus:8.6", + "package" : "libwebp-0:1.0.0-7.el8_6.1" + }, { + "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5198", + "cpe" : "cpe:/a:redhat:rhel_eus:8.6", + "package" : "firefox-0:102.15.1-1.el8_6" + }, { + "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5202", + "cpe" : "cpe:/a:redhat:rhel_eus:8.6", + "package" : "thunderbird-0:102.15.1-1.el8_6" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5200", + "cpe" : "cpe:/a:redhat:enterprise_linux:9", + "package" : "firefox-0:102.15.1-1.el9_2" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "release_date" : "2023-09-19T00:00:00Z", + "advisory" : "RHSA-2023:5214", + "cpe" : "cpe:/a:redhat:enterprise_linux:9", + "package" : "libwebp-0:1.2.0-7.el9_2" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "release_date" : "2023-09-19T00:00:00Z", + "advisory" : "RHSA-2023:5224", + "cpe" : "cpe:/a:redhat:enterprise_linux:9", + "package" : "thunderbird-0:102.15.1-1.el9_2" + }, { + "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update 
Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5204", + "cpe" : "cpe:/a:redhat:rhel_eus:9.0", + "package" : "libwebp-0:1.2.0-6.el9_0" + }, { + "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support", + "release_date" : "2023-09-18T00:00:00Z", + "advisory" : "RHSA-2023:5205", + "cpe" : "cpe:/a:redhat:rhel_eus:9.0", + "package" : "firefox-0:102.15.1-1.el9_0" + }, { + "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support", + "release_date" : "2023-09-19T00:00:00Z", + "advisory" : "RHSA-2023:5223", + "cpe" : "cpe:/a:redhat:rhel_eus:9.0", + "package" : "thunderbird-0:102.15.1-1.el9_0" + } ], + "package_state" : [ { + "product_name" : "Red Hat Enterprise Linux 6", + "fix_state" : "Out of support scope", + "package_name" : "firefox", + "cpe" : "cpe:/o:redhat:enterprise_linux:6" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Not affected", + "package_name" : "libwebp", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "fix_state" : "Affected", + "package_name" : "firefox:flatpak/firefox", + "cpe" : "cpe:/o:redhat:enterprise_linux:9" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "fix_state" : "Affected", + "package_name" : "thunderbird:flatpak/thunderbird", + "cpe" : "cpe:/o:redhat:enterprise_linux:9" + } ], + "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-5129\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5129\nhttps://chromium.googlesource.com/webm/libwebp/+/2af26267cdfcb63a88e5c74a85927a12d6ca1d76\nhttps://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a" ], + "name" : "CVE-2023-5129", + "csaw" : false +} diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-5217 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-5217 new file mode 100644 index 00000000..697f83d2 --- /dev/null 
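Review bot: This fixture is the only one in the batch with no `threat_severity` key, and it carries a `cvss3_base_score` of `0.0` with an all-`N` scoring vector, because the record is a rejected duplicate of CVE-2023-4863 (see its `details` and `statement`). Its value as a test input is therefore the absent-severity path rather than the flatpak filtering the commit is about, so the corresponding snapshot should explicitly pin what the parser emits for severity here (presumably an empty or unknown value rather than a key-lookup failure), and the fixture deserves a note in the test that names it as the rejected-CVE case. Whether the parser reads `threat_severity` directly is inferred from the fixture shape; the parser change itself is outside this hunk.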
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2023-5217 
@@ -0,0 +1,257 @@
+{
+ "threat_severity" : "Important",
+ "public_date" : "2023-09-27T00:00:00Z",
+ "bugzilla" : {
+ "description" : "Heap buffer overflow in vp8 encoding in libvpx",
+ "id" : "2241191",
+ "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2241191"
+ },
+ "cvss3" : {
+ "cvss3_base_score" : "8.8",
+ "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "status" : "verified"
+ },
+ "cwe" : "CWE-119",
+ "details" : [ "Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", "A heap-based buffer overflow flaw was found in the way libvpx, a library used to process VP8 and VP9 video codecs data, processes certain specially formatted video data via a crafted HTML page. This flaw allows an attacker to crash or remotely execute arbitrary code in an application, such as a web browser that is compiled with this library." ],
+ "statement" : "This security issue has been classified as having an Important security impact. Desktop users are at a high risk of exploitation of this flaw with very minimal interaction. 
It may compromise the confidentiality, integrity, or availability of resources.\nCustomers using this application, which does server-side video codecs by linking to the libvpx library, are also potentially impacted by this flaw and are advised to update to the fixed versions of the package.",
+ "affected_release" : [ {
+ "product_name" : "Red Hat Enterprise Linux 7",
+ "release_date" : "2023-10-05T00:00:00Z",
+ "advisory" : "RHSA-2023:5475",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:7",
+ "package" : "thunderbird-0:115.3.1-1.el7_9"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 7",
+ "release_date" : "2023-10-05T00:00:00Z",
+ "advisory" : "RHSA-2023:5477",
+ "cpe" : "cpe:/o:redhat:enterprise_linux:7",
+ "package" : "firefox-0:115.3.1-1.el7_9"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5428",
+ "cpe" : "cpe:/a:redhat:enterprise_linux:8",
+ "package" : "thunderbird-0:115.3.1-1.el8_8"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5433",
+ "cpe" : "cpe:/a:redhat:enterprise_linux:8",
+ "package" : "firefox-0:115.3.1-1.el8_8"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8",
+ "release_date" : "2023-10-09T00:00:00Z",
+ "advisory" : "RHSA-2023:5537",
+ "cpe" : "cpe:/a:redhat:enterprise_linux:8",
+ "package" : "libvpx-0:1.7.0-10.el8_8"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5438",
+ "cpe" : "cpe:/a:redhat:rhel_e4s:8.1",
+ "package" : "thunderbird-0:115.3.1-1.el8_1"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5440",
+ "cpe" : "cpe:/a:redhat:rhel_e4s:8.1",
+ "package" : "firefox-0:115.3.1-1.el8_1"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for 
SAP Solutions",
+ "release_date" : "2023-10-09T00:00:00Z",
+ "advisory" : "RHSA-2023:5535",
+ "cpe" : "cpe:/a:redhat:rhel_e4s:8.1",
+ "package" : "libvpx-0:1.7.0-8.el8_1"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5426",
+ "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
+ "package" : "firefox-0:115.3.1-1.el8_2"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5432",
+ "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
+ "package" : "thunderbird-0:115.3.1-1.el8_2"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
+ "release_date" : "2023-10-09T00:00:00Z",
+ "advisory" : "RHSA-2023:5534",
+ "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
+ "package" : "libvpx-0:1.7.0-8.el8_2"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5426",
+ "cpe" : "cpe:/a:redhat:rhel_tus:8.2",
+ "package" : "firefox-0:115.3.1-1.el8_2"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5432",
+ "cpe" : "cpe:/a:redhat:rhel_tus:8.2",
+ "package" : "thunderbird-0:115.3.1-1.el8_2"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service",
+ "release_date" : "2023-10-09T00:00:00Z",
+ "advisory" : "RHSA-2023:5534",
+ "cpe" : "cpe:/a:redhat:rhel_tus:8.2",
+ "package" : "libvpx-0:1.7.0-8.el8_2"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5426",
+ "cpe" : "cpe:/a:redhat:rhel_e4s:8.2",
+ "package" : "firefox-0:115.3.1-1.el8_2"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions",
+ 
"release_date" : "2023-10-04T00:00:00Z", + "advisory" : "RHSA-2023:5432", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.2", + "package" : "thunderbird-0:115.3.1-1.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", + "release_date" : "2023-10-09T00:00:00Z", + "advisory" : "RHSA-2023:5534", + "cpe" : "cpe:/a:redhat:rhel_e4s:8.2", + "package" : "libvpx-0:1.7.0-8.el8_2" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", + "release_date" : "2023-10-04T00:00:00Z", + "advisory" : "RHSA-2023:5429", + "cpe" : "cpe:/a:redhat:rhel_aus:8.4", + "package" : "thunderbird-0:115.3.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", + "release_date" : "2023-10-04T00:00:00Z", + "advisory" : "RHSA-2023:5437", + "cpe" : "cpe:/a:redhat:rhel_aus:8.4", + "package" : "firefox-0:115.3.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", + "release_date" : "2023-10-09T00:00:00Z", + "advisory" : "RHSA-2023:5536", + "cpe" : "cpe:/a:redhat:rhel_aus:8.4", + "package" : "libvpx-0:1.7.0-10.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", + "release_date" : "2023-10-04T00:00:00Z", + "advisory" : "RHSA-2023:5429", + "cpe" : "cpe:/a:redhat:rhel_tus:8.4", + "package" : "thunderbird-0:115.3.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", + "release_date" : "2023-10-04T00:00:00Z", + "advisory" : "RHSA-2023:5437", + "cpe" : "cpe:/a:redhat:rhel_tus:8.4", + "package" : "firefox-0:115.3.1-1.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", + "release_date" : "2023-10-09T00:00:00Z", + "advisory" : "RHSA-2023:5536", + "cpe" : "cpe:/a:redhat:rhel_tus:8.4", + "package" : "libvpx-0:1.7.0-10.el8_4" + }, { + "product_name" : "Red Hat Enterprise Linux 8.4 Update 
Services for SAP Solutions",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5429",
+ "cpe" : "cpe:/a:redhat:rhel_e4s:8.4",
+ "package" : "thunderbird-0:115.3.1-1.el8_4"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5437",
+ "cpe" : "cpe:/a:redhat:rhel_e4s:8.4",
+ "package" : "firefox-0:115.3.1-1.el8_4"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
+ "release_date" : "2023-10-09T00:00:00Z",
+ "advisory" : "RHSA-2023:5536",
+ "cpe" : "cpe:/a:redhat:rhel_e4s:8.4",
+ "package" : "libvpx-0:1.7.0-10.el8_4"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5430",
+ "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
+ "package" : "thunderbird-0:115.3.1-1.el8_6"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5436",
+ "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
+ "package" : "firefox-0:115.3.1-1.el8_6"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
+ "release_date" : "2023-10-09T00:00:00Z",
+ "advisory" : "RHSA-2023:5538",
+ "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
+ "package" : "libvpx-0:1.7.0-10.el8_6"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 9",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5434",
+ "cpe" : "cpe:/a:redhat:enterprise_linux:9",
+ "package" : "firefox-0:115.3.1-1.el9_2"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 9",
+ "release_date" : "2023-10-04T00:00:00Z",
+ "advisory" : "RHSA-2023:5435",
+ "cpe" : "cpe:/a:redhat:enterprise_linux:9",
+ "package" : "thunderbird-0:115.3.1-1.el9_2"
+ }, {
+ "product_name" : "Red Hat Enterprise Linux 9",
+ "release_date" : "2023-10-09T00:00:00Z",
+ "advisory" : "RHSA-2023:5539",
+ "cpe" : 
"cpe:/a:redhat:enterprise_linux:9", + "package" : "libvpx-0:1.9.0-7.el9_2" + }, { + "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support", + "release_date" : "2023-10-04T00:00:00Z", + "advisory" : "RHSA-2023:5427", + "cpe" : "cpe:/a:redhat:rhel_eus:9.0", + "package" : "firefox-0:115.3.1-1.el9_0" + }, { + "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support", + "release_date" : "2023-10-04T00:00:00Z", + "advisory" : "RHSA-2023:5439", + "cpe" : "cpe:/a:redhat:rhel_eus:9.0", + "package" : "thunderbird-0:115.3.1-1.el9_0" + }, { + "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support", + "release_date" : "2023-10-09T00:00:00Z", + "advisory" : "RHSA-2023:5540", + "cpe" : "cpe:/a:redhat:rhel_eus:9.0", + "package" : "libvpx-0:1.9.0-7.el9_0" + } ], + "package_state" : [ { + "product_name" : "Red Hat Enterprise Linux 6", + "fix_state" : "Out of support scope", + "package_name" : "libvpx", + "cpe" : "cpe:/o:redhat:enterprise_linux:6" + }, { + "product_name" : "Red Hat Enterprise Linux 7", + "fix_state" : "Not affected", + "package_name" : "libvpx", + "cpe" : "cpe:/o:redhat:enterprise_linux:7" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "fix_state" : "Affected", + "package_name" : "firefox:flatpak/firefox", + "cpe" : "cpe:/o:redhat:enterprise_linux:9" + }, { + "product_name" : "Red Hat Enterprise Linux 9", + "fix_state" : "Affected", + "package_name" : "thunderbird:flatpak/thunderbird", + "cpe" : "cpe:/o:redhat:enterprise_linux:9" + } ], + "upstream_fix" : "chromium-browser 117.0.5938.132", + "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-5217\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5217\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2023-44/" ], + "csaw" : true, + "name" : "CVE-2023-5217", + "mitigation" : { + "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and 
deployment, applicability to widespread installation base or stability.",
+ "lang" : "en:us"
+ }
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2019-25059 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2019-25059
new file mode 100644
index 00000000..b22c567f
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2019-25059
@@ -0,0 +1 @@
+{"CVE": "CVE-2019-25059", "severity": "moderate", "public_date": "2022-04-25T00:00:00Z", "advisories": [], "bugzilla": "2078491", "bugzilla_description": "Mishandling of .completefont (incomplete fix for CVE-2019-3839)", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-1173", "affected_packages": [], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-25059.json", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cvss3_score": "7.8"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2020-16587 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2020-16587
new file mode 100644
index 00000000..b596c0ba
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2020-16587
@@ -0,0 +1 @@
+{"CVE": "CVE-2020-16587", "severity": "low", "public_date": "2020-12-10T00:00:00Z", "advisories": [], "bugzilla": "1929320", "bugzilla_description": "CVE-2020-16587 OpenEXR: A heap-based buffer overflow in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp could result in a DOS via a crafted EXR file", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-787", "affected_packages": [], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-16587.json", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cvss3_score": "5.5"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2020-16588 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2020-16588
new file mode 100644
index 00000000..a4041b01
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2020-16588
@@ -0,0 +1 @@
+{"CVE": "CVE-2020-16588", "severity": "low", "public_date": "2020-12-10T00:00:00Z", "advisories": [], "bugzilla": "1929315", "bugzilla_description": "CVE-2020-16588 OpenEXR: A Null Pointer Deference in generatePreview in makePreview.cpp could result in a DOS via a crafted EXR file", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-476", "affected_packages": [], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-16588.json", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cvss3_score": "5.5"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2021-20298 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2021-20298
new file mode 100644
index 00000000..f51988d5
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2021-20298
@@ -0,0 +1 @@
+{"CVE": "CVE-2021-20298", "severity": "low", "public_date": "2021-02-15T00:00:00Z", "advisories": [], "bugzilla": "1939156", "bugzilla_description": "CVE-2021-20298 OpenEXR: Out-of-memory in B44Compressor", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-787", "affected_packages": [], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20298.json", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3_score": "7.5"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2021-20299 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2021-20299
new file mode 100644
index 00000000..2c14b99f
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2021-20299
@@ -0,0 +1 @@
+{"CVE": "CVE-2021-20299", "severity": "low", "public_date": "2021-02-15T00:00:00Z", "advisories": [], "bugzilla": "1939154", "bugzilla_description": "CVE-2021-20299 OpenEXR: Null-dereference READ in Imf_2_5::Header::operator", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-476", "affected_packages": [], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20299.json", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3_score": "7.5"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1921 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1921
new file mode 100644
index 00000000..72551e20
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1921
@@ -0,0 +1 @@
+{"CVE": "CVE-2022-1921", "severity": "moderate", "public_date": "2022-05-17T00:00:00Z", "advisories": ["RHSA-2023:2260"], "bugzilla": "2130949", "bugzilla_description": "Heap-based buffer overflow in the avi demuxer when handling certain AVI files", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-190", "affected_packages": ["gstreamer1-plugins-good-0:1.18.4-6.el9"], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1921.json", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cvss3_score": "7.8"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1922 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1922
new file mode 100644
index 00000000..20c66816
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1922
@@ -0,0 +1 @@
+{"CVE": "CVE-2022-1922", "severity": "moderate", "public_date": "2022-05-18T00:00:00Z", "advisories": ["RHSA-2023:2260"], "bugzilla": "2130955", "bugzilla_description": "Potential heap overwrite in mkv demuxing using zlib decompression", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-190", "affected_packages": ["gstreamer1-plugins-good-0:1.18.4-6.el9"], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1922.json", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cvss3_score": "7.8"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1923 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1923
new file mode 100644
index 00000000..6a48eba1
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1923
@@ -0,0 +1 @@
+{"CVE": "CVE-2022-1923", "severity": "moderate", "public_date": "2022-05-18T00:00:00Z", "advisories": ["RHSA-2023:2260"], "bugzilla": "2130959", "bugzilla_description": "Potential heap overwrite in mkv demuxing using bz2 decompression", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-190", "affected_packages": ["gstreamer1-plugins-good-0:1.18.4-6.el9"], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1923.json", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cvss3_score": "7.8"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1924 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1924
new file mode 100644
index 00000000..26dd5971
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1924
@@ -0,0 +1 @@
+{"CVE": "CVE-2022-1924", "severity": "moderate", "public_date": "2022-05-18T00:00:00Z", "advisories": ["RHSA-2023:2260"], "bugzilla": "2131003", "bugzilla_description": "Potential heap overwrite in mkv demuxing using lzo decompression", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-190", "affected_packages": ["gstreamer1-plugins-good-0:1.18.4-6.el9"], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1924.json", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cvss3_score": "7.8"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1925 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1925
new file mode 100644
index 00000000..9a4be188
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-1925
@@ -0,0 +1 @@
+{"CVE": "CVE-2022-1925", "severity": "moderate", "public_date": "2022-05-18T00:00:00Z", "advisories": ["RHSA-2023:2260"], "bugzilla": "2131007", "bugzilla_description": "Potential heap overwrite in mkv demuxing using HEADERSTRIP decompression", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-190->CWE-122", "affected_packages": ["gstreamer1-plugins-good-0:1.18.4-6.el9"], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1925.json", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cvss3_score": "7.8"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-2309 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-2309
new file mode 100644
index 00000000..80bb1207
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2022-2309
@@ -0,0 +1 @@
+{"CVE": "CVE-2022-2309", "severity": "moderate", "public_date": "2022-07-05T00:00:00Z", "advisories": ["RHSA-2022:8226"], "bugzilla": "2107571", "bugzilla_description": "CVE-2022-2309 lxml: NULL Pointer Dereference in lxml", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-476", "affected_packages": ["python-lxml-0:4.6.5-3.el9"], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2309.json", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3_score": "7.5"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-4863 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-4863
new file mode 100644
index 00000000..698f101a
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-4863
@@ -0,0 +1 @@
+{"CVE": "CVE-2023-4863", "severity": "important", "public_date": "2023-09-11T00:00:00Z", "advisories": ["RHSA-2023:5204", "RHSA-2023:5205", "RHSA-2023:5202", "RHSA-2023:5224", "RHSA-2023:5236", "RHSA-2023:5214", "RHSA-2023:5309", "RHSA-2023:5192", "RHSA-2023:5190", "RHSA-2023:5191", "RHSA-2023:5222", "RHSA-2023:5189", "RHSA-2023:5200", "RHSA-2023:5201", "RHSA-2023:5223", "RHSA-2023:5187", "RHSA-2023:5198", "RHSA-2023:5188", "RHSA-2023:5185", "RHSA-2023:5197", "RHSA-2023:5186", "RHSA-2023:5183", "RHSA-2023:5184"], "bugzilla": "2238431", "bugzilla_description": "libwebp: Heap buffer overflow in WebP Codec", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-122", "affected_packages": ["libwebp-0:1.2.0-6.el9_0", "libwebp-0:1.0.0-5.2.el8_1.1", "thunderbird-0:102.15.1-1.el8_2", "thunderbird-0:102.15.1-1.el8_1", "thunderbird-0:102.15.1-1.el9_0", "libwebp-0:1.0.0-8.el8_8.1", "thunderbird-0:102.15.1-1.el8_4", "libwebp-0:1.2.0-7.el9_2", "thunderbird-0:102.15.1-1.el9_2", "libwebp-0:1.0.0-7.el8_2.1", "thunderbird-0:102.15.1-1.el8_6", "firefox-0:102.15.1-1.el9_2", "firefox-0:102.15.1-1.el8_4", "thunderbird-0:102.15.1-1.el7_9", "thunderbird-0:102.15.1-1.el8_8", "firefox-0:102.15.1-1.el8_1", "libwebp-0:1.0.0-7.el8_4.1", "firefox-0:102.15.1-1.el9_0", "firefox-0:102.15.1-1.el8_2", "libwebp-0:1.0.0-7.el8_6.1", "firefox-0:102.15.1-1.el7_9", "firefox-0:102.15.1-1.el8_8", "firefox-0:102.15.1-1.el8_6"], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-4863.json", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "cvss3_score": "9.6"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-5129 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-5129
new file mode 100644
index 00000000..5c37f78a
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-5129
@@ -0,0 +1 @@
+{"CVE": "CVE-2023-5129", "severity": null, "public_date": "2023-09-25T00:00:00Z", "advisories": ["RHSA-2023:5204", "RHSA-2023:5205", "RHSA-2023:5202", "RHSA-2023:5224", "RHSA-2023:5236", "RHSA-2023:5214", "RHSA-2023:5309", "RHSA-2023:5192", "RHSA-2023:5190", "RHSA-2023:5191", "RHSA-2023:5189", "RHSA-2023:5200", "RHSA-2023:5201", "RHSA-2023:5223", "RHSA-2023:5187", "RHSA-2023:5198", "RHSA-2023:5188", "RHSA-2023:5185", "RHSA-2023:5197", "RHSA-2023:5186", "RHSA-2023:5183", "RHSA-2023:5184"], "bugzilla": "2240759", "bugzilla_description": "libwebp: out-of-bounds write with a specially crafted WebP lossless file", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-122", "affected_packages": ["libwebp-0:1.2.0-6.el9_0", "libwebp-0:1.0.0-5.2.el8_1.1", "thunderbird-0:102.15.1-1.el8_2", "thunderbird-0:102.15.1-1.el8_1", "thunderbird-0:102.15.1-1.el9_0", "libwebp-0:1.0.0-8.el8_8.1", "thunderbird-0:102.15.1-1.el8_4", "libwebp-0:1.2.0-7.el9_2", "thunderbird-0:102.15.1-1.el9_2", "libwebp-0:1.0.0-7.el8_2.1", "thunderbird-0:102.15.1-1.el8_6", "firefox-0:102.15.1-1.el9_2", "firefox-0:102.15.1-1.el8_4", "thunderbird-0:102.15.1-1.el7_9", "thunderbird-0:102.15.1-1.el8_8", "firefox-0:102.15.1-1.el8_1", "firefox-0:102.15.1-1.el9_0", "firefox-0:102.15.1-1.el8_2", "libwebp-0:1.0.0-7.el8_6.1", "firefox-0:102.15.1-1.el7_9", "firefox-0:102.15.1-1.el8_8", "firefox-0:102.15.1-1.el8_6"], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5129.json", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-5217 b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-5217
new file mode 100644
index 00000000..c7f71d09
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/input/cve/min/CVE-2023-5217
@@ -0,0 +1 @@
+{"CVE": "CVE-2023-5217", "severity": "important", "public_date": "2023-09-27T00:00:00Z", "advisories": ["RHSA-2023:5428", "RHSA-2023:5538", "RHSA-2023:5439", "RHSA-2023:5429", "RHSA-2023:5539", "RHSA-2023:5426", "RHSA-2023:5437", "RHSA-2023:5536", "RHSA-2023:5537", "RHSA-2023:5438", "RHSA-2023:5427", "RHSA-2023:5534", "RHSA-2023:5435", "RHSA-2023:5535", "RHSA-2023:5436", "RHSA-2023:5477", "RHSA-2023:5433", "RHSA-2023:5434", "RHSA-2023:5475", "RHSA-2023:5432", "RHSA-2023:5440", "RHSA-2023:5430", "RHSA-2023:5540"], "bugzilla": "2241191", "bugzilla_description": "Heap buffer overflow in vp8 encoding in libvpx", "cvss_score": null, "cvss_scoring_vector": null, "CWE": "CWE-119", "affected_packages": ["libvpx-0:1.9.0-7.el9_0", "libvpx-0:1.7.0-8.el8_2", "libvpx-0:1.7.0-8.el8_1", "thunderbird-0:115.3.1-1.el8_4", "thunderbird-0:115.3.1-1.el9_2", "thunderbird-0:115.3.1-1.el8_2", "thunderbird-0:115.3.1-1.el8_1", "thunderbird-0:115.3.1-1.el9_0", "libvpx-0:1.7.0-10.el8_8", "thunderbird-0:115.3.1-1.el7_9", "thunderbird-0:115.3.1-1.el8_8", "firefox-0:115.3.1-1.el8_1", "firefox-0:115.3.1-1.el9_0", "thunderbird-0:115.3.1-1.el8_6", "firefox-0:115.3.1-1.el9_2", "firefox-0:115.3.1-1.el8_2", "firefox-0:115.3.1-1.el8_4", "libvpx-0:1.7.0-10.el8_4", "firefox-0:115.3.1-1.el8_6", "libvpx-0:1.9.0-7.el9_2", "firefox-0:115.3.1-1.el7_9", "firefox-0:115.3.1-1.el8_8", "libvpx-0:1.7.0-10.el8_6"], "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5217.json", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cvss3_score": "8.8"}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/rhsa/com.redhat.rhsa-all.xml b/tests/unit/providers/rhel/test-fixtures/input/rhsa/com.redhat.rhsa-all.xml
index 7f114aa7..475eda68 100644
--- a/tests/unit/providers/rhel/test-fixtures/input/rhsa/com.redhat.rhsa-all.xml
+++ b/tests/unit/providers/rhel/test-fixtures/input/rhsa/com.redhat.rhsa-all.xml
@@ -183,6 +183,150 @@ resolves these issues. + + + RHSA-2023:5428: thunderbird security update (Important) + + Red Hat Enterprise Linux 8 + + + + + + + + Mozilla Thunderbird is a standalone mail and newsgroup client. + +This update upgrades Thunderbird to version 115.3.1. + +Security Fix(es): + +* firefox: use-after-free in workers (CVE-2023-3600) + +* Mozilla: Out-of-bounds write in PathOps (CVE-2023-5169) + +* Mozilla: Use-after-free in Ion Compiler (CVE-2023-5171) + +* Mozilla: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 (CVE-2023-5176) + +* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217) + +For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. + + Important + Copyright 2023 Red Hat, Inc. + + + CVE-2023-3600 + CVE-2023-5169 + CVE-2023-5171 + CVE-2023-5176 + CVE-2023-5217 + use-after-free in workers + Out-of-bounds write in PathOps + Use-after-free in Ion Compiler + Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 + libvpx: Heap buffer overflow in vp8 encoding in libvpx + + cpe:/a:redhat:enterprise_linux:8 + cpe:/a:redhat:enterprise_linux:8::appstream + cpe:/a:redhat:enterprise_linux:8::crb + cpe:/a:redhat:enterprise_linux:8::highavailability + cpe:/a:redhat:enterprise_linux:8::nfv + cpe:/a:redhat:enterprise_linux:8::realtime + cpe:/a:redhat:enterprise_linux:8::resilientstorage + cpe:/a:redhat:enterprise_linux:8::sap + cpe:/a:redhat:enterprise_linux:8::sap_hana + cpe:/a:redhat:enterprise_linux:8::supplementary + cpe:/o:redhat:enterprise_linux:8 + cpe:/o:redhat:enterprise_linux:8::baseos + + + + + + + + + + + + + + + + + + RHSA-2023:5433: firefox security update (Important) + + Red Hat Enterprise Linux 8 + + + + + + + + Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. 
+ +This update upgrades Firefox to version 115.3.1 ESR. + +Security Fix(es): + +* firefox: use-after-free in workers (CVE-2023-3600) + +* Mozilla: Out-of-bounds write in PathOps (CVE-2023-5169) + +* Mozilla: Use-after-free in Ion Compiler (CVE-2023-5171) + +* Mozilla: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 (CVE-2023-5176) + +* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217) + +For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. + + Important + Copyright 2023 Red Hat, Inc. + + + CVE-2023-3600 + CVE-2023-5169 + CVE-2023-5171 + CVE-2023-5176 + CVE-2023-5217 + use-after-free in workers + Out-of-bounds write in PathOps + Use-after-free in Ion Compiler + Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 + libvpx: Heap buffer overflow in vp8 encoding in libvpx + + cpe:/a:redhat:enterprise_linux:8 + cpe:/a:redhat:enterprise_linux:8::appstream + cpe:/a:redhat:enterprise_linux:8::crb + cpe:/a:redhat:enterprise_linux:8::highavailability + cpe:/a:redhat:enterprise_linux:8::nfv + cpe:/a:redhat:enterprise_linux:8::realtime + cpe:/a:redhat:enterprise_linux:8::resilientstorage + cpe:/a:redhat:enterprise_linux:8::sap + cpe:/a:redhat:enterprise_linux:8::sap_hana + cpe:/a:redhat:enterprise_linux:8::supplementary + cpe:/o:redhat:enterprise_linux:8 + cpe:/o:redhat:enterprise_linux:8::baseos + + + + + + + + + + + + + + + diff --git a/tests/unit/providers/rhel/test-fixtures/input/rhsa/com.redhat.rhsa-all.xml.sha256sum b/tests/unit/providers/rhel/test-fixtures/input/rhsa/com.redhat.rhsa-all.xml.sha256sum index dd04c4ec..1c0e51a1 100644 --- a/tests/unit/providers/rhel/test-fixtures/input/rhsa/com.redhat.rhsa-all.xml.sha256sum +++ b/tests/unit/providers/rhel/test-fixtures/input/rhsa/com.redhat.rhsa-all.xml.sha256sum 
@@ -1 +1 @@
-5b0ea9596e8945f84aa3c18b089fed570db01feb71a963de18dc695cfd9c1bba
+41d3c9db24a3b8e61dc0db9d25b28ae6d80e015968e8f8dc51d0aeef431e0dda
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2020-16587.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2020-16587.json
new file mode 100644
index 00000000..14d1d3e4
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2020-16587.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2020-16587","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"rhel:6","FixedIn":[{"Name":"OpenEXR","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2020-16587","Description":"A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file.","Metadata":{},"Name":"CVE-2020-16587","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","base_metrics":{"base_score":5.5,"exploitability_score":1.8,"impact_score":3.6,"base_severity":"Medium"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2020-16588.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2020-16588.json
new file mode 100644
index 00000000..7196a85e
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2020-16588.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2020-16588","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"rhel:6","FixedIn":[{"Name":"OpenEXR","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2020-16588","Description":"A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file.","Metadata":{},"Name":"CVE-2020-16588","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","base_metrics":{"base_score":5.5,"exploitability_score":1.8,"impact_score":3.6,"base_severity":"Medium"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2021-20298.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2021-20298.json
new file mode 100644
index 00000000..69470991
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2021-20298.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2021-20298","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"rhel:6","FixedIn":[{"Name":"OpenEXR","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2021-20298","Description":"A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.","Metadata":{},"Name":"CVE-2021-20298","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","base_metrics":{"base_score":7.5,"exploitability_score":3.9,"impact_score":3.6,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2021-20299.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2021-20299.json
new file mode 100644
index 00000000..16c68e6c
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2021-20299.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2021-20299","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"rhel:6","FixedIn":[{"Name":"OpenEXR","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2021-20299","Description":"A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.","Metadata":{},"Name":"CVE-2021-20299","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","base_metrics":{"base_score":7.5,"exploitability_score":3.9,"impact_score":3.6,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1921.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1921.json
new file mode 100644
index 00000000..82339b24
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1921.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2022-1921","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:6","FixedIn":[{"Name":"gstreamer-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1921","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the avi demuxer when processing a specially crafted AVI file. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1921","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1922.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1922.json
new file mode 100644
index 00000000..e28ce0b1
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1922.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2022-1922","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:6","FixedIn":[{"Name":"gstreamer-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1922","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using zlib decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1922","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1923.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1923.json
new file mode 100644
index 00000000..2e805fdf
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1923.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2022-1923","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:6","FixedIn":[{"Name":"gstreamer-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1923","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using bzip decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1923","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1924.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1924.json
new file mode 100644
index 00000000..72417a2f
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1924.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2022-1924","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:6","FixedIn":[{"Name":"gstreamer-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1924","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using lzo decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1924","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1925.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1925.json
new file mode 100644
index 00000000..e1af26f8
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2022-1925.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2022-1925","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:6","FixedIn":[{"Name":"gstreamer-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1925","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using HEADERSTRIP decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1925","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-4863.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-4863.json
new file mode 100644
index 00000000..d7e60941
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-4863.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2023-4863","item":{"Vulnerability":{"Severity":"High","NamespaceName":"rhel:6","FixedIn":[{"Name":"firefox","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-4863","Description":"A heap-based buffer flaw was found in the way libwebp, a library used to process \"WebP\" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.","Metadata":{},"Name":"CVE-2023-4863","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","base_metrics":{"base_score":9.6,"exploitability_score":2.8,"impact_score":6.0,"base_severity":"Critical"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-5129.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-5129.json
new file mode 100644
index 00000000..086a521b
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-5129.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2023-5129","item":{"Vulnerability":{"Severity":"Unknown","NamespaceName":"rhel:6","FixedIn":[{"Name":"firefox","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-5129","Description":"This CVE ID has been rejected by its CVE Numbering Authority. Duplicate of CVE-2023-4863.","Metadata":{},"Name":"CVE-2023-5129","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N","base_metrics":{"base_score":0.0,"exploitability_score":2.8,"impact_score":-0.2,"base_severity":"None"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-5217.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-5217.json
new file mode 100644
index 00000000..1e826db2
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:6/cve-2023-5217.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:6/cve-2023-5217","item":{"Vulnerability":{"Severity":"High","NamespaceName":"rhel:6","FixedIn":[{"Name":"libvpx","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:6","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-5217","Description":"A heap-based buffer overflow flaw was found in the way libvpx, a library used to process VP8 and VP9 video codecs data, processes certain specially formatted video data via a crafted HTML page. This flaw allows an attacker to crash or remotely execute arbitrary code in an application, such as a web browser that is compiled with this library.","Metadata":{},"Name":"CVE-2023-5217","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":8.8,"exploitability_score":2.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2020-16587.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2020-16587.json
new file mode 100644
index 00000000..b127c1d7
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2020-16587.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2020-16587","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"rhel:7","FixedIn":[{"Name":"OpenEXR","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2020-16587","Description":"A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file.","Metadata":{},"Name":"CVE-2020-16587","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","base_metrics":{"base_score":5.5,"exploitability_score":1.8,"impact_score":3.6,"base_severity":"Medium"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2020-16588.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2020-16588.json
new file mode 100644
index 00000000..f5e16c2d
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2020-16588.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2020-16588","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"rhel:7","FixedIn":[{"Name":"OpenEXR","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2020-16588","Description":"A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file.","Metadata":{},"Name":"CVE-2020-16588","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","base_metrics":{"base_score":5.5,"exploitability_score":1.8,"impact_score":3.6,"base_severity":"Medium"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2021-20298.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2021-20298.json
new file mode 100644
index 00000000..5e7038e8
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2021-20298.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2021-20298","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"rhel:7","FixedIn":[{"Name":"OpenEXR","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2021-20298","Description":"A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.","Metadata":{},"Name":"CVE-2021-20298","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","base_metrics":{"base_score":7.5,"exploitability_score":3.9,"impact_score":3.6,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2021-20299.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2021-20299.json
new file mode 100644
index 00000000..5e0d165d
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2021-20299.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2021-20299","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"rhel:7","FixedIn":[{"Name":"OpenEXR","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2021-20299","Description":"A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.","Metadata":{},"Name":"CVE-2021-20299","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","base_metrics":{"base_score":7.5,"exploitability_score":3.9,"impact_score":3.6,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1921.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1921.json
new file mode 100644
index 00000000..52873d7c
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1921.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2022-1921","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:7","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}},{"Name":"gstreamer-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1921","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the avi demuxer when processing a specially crafted AVI file. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1921","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1922.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1922.json
new file mode 100644
index 00000000..20fc85b6
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1922.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2022-1922","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:7","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}},{"Name":"gstreamer-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1922","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using zlib decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1922","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1923.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1923.json
new file mode 100644
index 00000000..8874af33
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1923.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2022-1923","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:7","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}},{"Name":"gstreamer-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1923","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using bzip decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1923","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1924.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1924.json
new file mode 100644
index 00000000..a00b17fa
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1924.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2022-1924","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:7","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}},{"Name":"gstreamer-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1924","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using lzo decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1924","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1925.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1925.json
new file mode 100644
index 00000000..6923ad4e
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2022-1925.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2022-1925","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:7","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}},{"Name":"gstreamer-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1925","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using HEADERSTRIP decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1925","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-4863.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-4863.json
new file mode 100644
index 00000000..802e39ac
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-4863.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2023-4863","item":{"Vulnerability":{"Severity":"High","NamespaceName":"rhel:7","FixedIn":[{"Name":"thunderbird","Version":"0:102.15.1-1.el7_9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5191","Link":"https://access.redhat.com/errata/RHSA-2023:5191"}]}},{"Name":"firefox","Version":"0:102.15.1-1.el7_9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5197","Link":"https://access.redhat.com/errata/RHSA-2023:5197"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-4863","Description":"A heap-based buffer flaw was found in the way libwebp, a library used to process \"WebP\" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.","Metadata":{},"Name":"CVE-2023-4863","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","base_metrics":{"base_score":9.6,"exploitability_score":2.8,"impact_score":6.0,"base_severity":"Critical"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-5129.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-5129.json
new file mode 100644
index 00000000..781db5fc
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-5129.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2023-5129","item":{"Vulnerability":{"Severity":"Unknown","NamespaceName":"rhel:7","FixedIn":[{"Name":"thunderbird","Version":"0:102.15.1-1.el7_9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5191","Link":"https://access.redhat.com/errata/RHSA-2023:5191"}]}},{"Name":"firefox","Version":"0:102.15.1-1.el7_9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5197","Link":"https://access.redhat.com/errata/RHSA-2023:5197"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-5129","Description":"This CVE ID has been rejected by its CVE Numbering Authority. Duplicate of CVE-2023-4863.","Metadata":{},"Name":"CVE-2023-5129","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N","base_metrics":{"base_score":0.0,"exploitability_score":2.8,"impact_score":-0.2,"base_severity":"None"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-5217.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-5217.json
new file mode 100644
index 00000000..40454f61
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:7/cve-2023-5217.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:7/cve-2023-5217","item":{"Vulnerability":{"Severity":"High","NamespaceName":"rhel:7","FixedIn":[{"Name":"thunderbird","Version":"0:115.3.1-1.el7_9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5475","Link":"https://access.redhat.com/errata/RHSA-2023:5475"}]}},{"Name":"firefox","Version":"0:115.3.1-1.el7_9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:7","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5477","Link":"https://access.redhat.com/errata/RHSA-2023:5477"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-5217","Description":"A heap-based buffer overflow flaw was found in the way libvpx, a library used to process VP8 and VP9 video codecs data, processes certain specially formatted video data via a crafted HTML page. This flaw allows an attacker to crash or remotely execute arbitrary code in an application, such as a web browser that is compiled with this library.","Metadata":{},"Name":"CVE-2023-5217","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":8.8,"exploitability_score":2.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2019-25059.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2019-25059.json
new file mode 100644
index 00000000..a1da6003
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2019-25059.json
@@ -0,0 +1 @@
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2019-25059","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:8","FixedIn":[{"Name":"ghostscript","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2019-25059","Description":"Artifex Ghostscript through 9.26 mishandles .completefont. NOTE: this issue exists because of an incomplete fix for CVE-2019-3839.","Metadata":{},"Name":"CVE-2019-25059","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}}
diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2020-16587.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2020-16587.json
new file mode 100644
index 00000000..1005bb8a
--- /dev/null
+++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2020-16587.json
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2020-16587","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"rhel:8","FixedIn":[{"Name":"OpenEXR","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2020-16587","Description":"A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file.","Metadata":{},"Name":"CVE-2020-16587","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","base_metrics":{"base_score":5.5,"exploitability_score":1.8,"impact_score":3.6,"base_severity":"Medium"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2021-20298.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2021-20298.json new file mode 100644 index 00000000..47a19866 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2021-20298.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2021-20298","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"rhel:8","FixedIn":[{"Name":"OpenEXR","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2021-20298","Description":"A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.","Metadata":{},"Name":"CVE-2021-20298","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","base_metrics":{"base_score":7.5,"exploitability_score":3.9,"impact_score":3.6,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2021-20299.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2021-20299.json new file mode 100644 index 00000000..248a4ae1 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2021-20299.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2021-20299","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"rhel:8","FixedIn":[{"Name":"OpenEXR","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2021-20299","Description":"A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.","Metadata":{},"Name":"CVE-2021-20299","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","base_metrics":{"base_score":7.5,"exploitability_score":3.9,"impact_score":3.6,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1921.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1921.json new file mode 100644 index 00000000..d1e17531 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1921.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2022-1921","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:8","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1921","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the avi demuxer when processing a specially crafted AVI file. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1921","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1922.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1922.json new file mode 100644 index 00000000..5ff7c13c --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1922.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2022-1922","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:8","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1922","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using zlib decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1922","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1923.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1923.json new file mode 100644 index 00000000..91c1bc5c --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1923.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2022-1923","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:8","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1923","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using bzip decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1923","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1924.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1924.json new file mode 100644 index 00000000..30270f97 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1924.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2022-1924","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:8","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1924","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using lzo decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1924","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1925.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1925.json new file mode 100644 index 00000000..26c73d0a --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2022-1925.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2022-1925","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:8","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1925","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using HEADERSTRIP decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1925","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-4863.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-4863.json new file mode 100644 index 00000000..679743c3 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-4863.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2023-4863","item":{"Vulnerability":{"Severity":"High","NamespaceName":"rhel:8","FixedIn":[{"Name":"firefox","Version":"0:102.15.1-1.el8_8","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5184","Link":"https://access.redhat.com/errata/RHSA-2023:5184"}]}},{"Name":"thunderbird","Version":"0:102.15.1-1.el8_8","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5201","Link":"https://access.redhat.com/errata/RHSA-2023:5201"}]}},{"Name":"libwebp","Version":"0:1.0.0-8.el8_8.1","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5309","Link":"https://access.redhat.com/errata/RHSA-2023:5309"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-4863","Description":"A heap-based buffer flaw was found in the way libwebp, a library used to process \"WebP\" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.","Metadata":{},"Name":"CVE-2023-4863","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","base_metrics":{"base_score":9.6,"exploitability_score":2.8,"impact_score":6.0,"base_severity":"Critical"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-5129.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-5129.json new file mode 100644 index 00000000..4d9c8164 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-5129.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2023-5129","item":{"Vulnerability":{"Severity":"Unknown","NamespaceName":"rhel:8","FixedIn":[{"Name":"firefox","Version":"0:102.15.1-1.el8_8","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5184","Link":"https://access.redhat.com/errata/RHSA-2023:5184"}]}},{"Name":"thunderbird","Version":"0:102.15.1-1.el8_8","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5201","Link":"https://access.redhat.com/errata/RHSA-2023:5201"}]}},{"Name":"libwebp","Version":"0:1.0.0-8.el8_8.1","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5309","Link":"https://access.redhat.com/errata/RHSA-2023:5309"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-5129","Description":"This CVE ID has been rejected by its CVE Numbering Authority. Duplicate of CVE-2023-4863.","Metadata":{},"Name":"CVE-2023-5129","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N","base_metrics":{"base_score":0.0,"exploitability_score":2.8,"impact_score":-0.2,"base_severity":"None"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-5217.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-5217.json new file mode 100644 index 00000000..bbd74610 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:8/cve-2023-5217.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:8/cve-2023-5217","item":{"Vulnerability":{"Severity":"High","NamespaceName":"rhel:8","FixedIn":[{"Name":"thunderbird","Version":"0:115.3.1-1.el8_8","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5428","Link":"https://access.redhat.com/errata/RHSA-2023:5428"}]}},{"Name":"firefox","Version":"0:115.3.1-1.el8_8","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5433","Link":"https://access.redhat.com/errata/RHSA-2023:5433"}]}},{"Name":"libvpx","Version":"0:1.7.0-10.el8_8","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:8","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5537","Link":"https://access.redhat.com/errata/RHSA-2023:5537"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-5217","Description":"A heap-based buffer overflow flaw was found in the way libvpx, a library used to process VP8 and VP9 video codecs data, processes certain specially formatted video data via a crafted HTML page. This flaw allows an attacker to crash or remotely execute arbitrary code in an application, such as a web browser that is compiled with this library.","Metadata":{},"Name":"CVE-2023-5217","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":8.8,"exploitability_score":2.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2019-25059.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2019-25059.json new file mode 100644 index 00000000..48208f56 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2019-25059.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:9/cve-2019-25059","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:9","FixedIn":[{"Name":"ghostscript","Version":"None","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":true}}],"Link":"https://access.redhat.com/security/cve/CVE-2019-25059","Description":"Artifex Ghostscript through 9.26 mishandles .completefont. NOTE: this issue exists because of an incomplete fix for CVE-2019-3839.","Metadata":{},"Name":"CVE-2019-25059","CVSS":[{"version":"3.1","status":"draft","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1921.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1921.json new file mode 100644 index 00000000..7ce2843f --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1921.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:9/cve-2022-1921","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:9","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"0:1.18.4-6.el9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:2260","Link":"https://access.redhat.com/errata/RHSA-2023:2260"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1921","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the avi demuxer when processing a specially crafted AVI file. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1921","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1922.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1922.json new file mode 100644 index 00000000..2a4a0292 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1922.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:9/cve-2022-1922","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:9","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"0:1.18.4-6.el9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:2260","Link":"https://access.redhat.com/errata/RHSA-2023:2260"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1922","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using zlib decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1922","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1923.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1923.json new file mode 100644 index 00000000..c50aafff --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1923.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:9/cve-2022-1923","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:9","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"0:1.18.4-6.el9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:2260","Link":"https://access.redhat.com/errata/RHSA-2023:2260"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1923","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using bzip decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1923","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1924.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1924.json new file mode 100644 index 00000000..6669fa85 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1924.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:9/cve-2022-1924","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:9","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"0:1.18.4-6.el9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:2260","Link":"https://access.redhat.com/errata/RHSA-2023:2260"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1924","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using lzo decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1924","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1925.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1925.json new file mode 100644 index 00000000..f43610d5 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-1925.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:9/cve-2022-1925","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:9","FixedIn":[{"Name":"gstreamer1-plugins-good","Version":"0:1.18.4-6.el9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:2260","Link":"https://access.redhat.com/errata/RHSA-2023:2260"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-1925","Description":"A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using HEADERSTRIP decompression. This vulnerability can result in application crash, memory corruption, and code execution.","Metadata":{},"Name":"CVE-2022-1925","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":7.8,"exploitability_score":1.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-2309.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-2309.json new file mode 100644 index 00000000..53c860ad --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2022-2309.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:9/cve-2022-2309","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"rhel:9","FixedIn":[{"Name":"python-lxml","Version":"0:4.6.5-3.el9","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2022:8226","Link":"https://access.redhat.com/errata/RHSA-2022:8226"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2022-2309","Description":"A NULL Pointer dereference vulnerability found in lxml, caused by the iterwalk function (also used by the canonicalize function). This flaw can lead to a crash when the incorrect parser input occurs together with usages.","Metadata":{},"Name":"CVE-2022-2309","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","base_metrics":{"base_score":7.5,"exploitability_score":3.9,"impact_score":3.6,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-4863.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-4863.json new file mode 100644 index 00000000..7850c562 --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-4863.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:9/cve-2023-4863","item":{"Vulnerability":{"Severity":"High","NamespaceName":"rhel:9","FixedIn":[{"Name":"firefox","Version":"0:102.15.1-1.el9_2","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5200","Link":"https://access.redhat.com/errata/RHSA-2023:5200"}]}},{"Name":"libwebp","Version":"0:1.2.0-7.el9_2","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5214","Link":"https://access.redhat.com/errata/RHSA-2023:5214"}]}},{"Name":"thunderbird","Version":"0:102.15.1-1.el9_2","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5224","Link":"https://access.redhat.com/errata/RHSA-2023:5224"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-4863","Description":"A heap-based buffer flaw was found in the way libwebp, a library used to process \"WebP\" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.","Metadata":{},"Name":"CVE-2023-4863","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","base_metrics":{"base_score":9.6,"exploitability_score":2.8,"impact_score":6.0,"base_severity":"Critical"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-5129.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-5129.json new file mode 100644 index 00000000..d1d77a3e --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-5129.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:9/cve-2023-5129","item":{"Vulnerability":{"Severity":"Unknown","NamespaceName":"rhel:9","FixedIn":[{"Name":"firefox","Version":"0:102.15.1-1.el9_2","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5200","Link":"https://access.redhat.com/errata/RHSA-2023:5200"}]}},{"Name":"libwebp","Version":"0:1.2.0-7.el9_2","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5214","Link":"https://access.redhat.com/errata/RHSA-2023:5214"}]}},{"Name":"thunderbird","Version":"0:102.15.1-1.el9_2","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5224","Link":"https://access.redhat.com/errata/RHSA-2023:5224"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-5129","Description":"This CVE ID has been rejected by its CVE Numbering Authority. Duplicate of CVE-2023-4863.","Metadata":{},"Name":"CVE-2023-5129","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N","base_metrics":{"base_score":0.0,"exploitability_score":2.8,"impact_score":-0.2,"base_severity":"None"}}]}}} diff --git a/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-5217.json b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-5217.json new file mode 100644 index 00000000..518e282e --- /dev/null +++ b/tests/unit/providers/rhel/test-fixtures/snapshots/rhel:9/cve-2023-5217.json 
@@ -0,0 +1 @@ +{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"rhel:9/cve-2023-5217","item":{"Vulnerability":{"Severity":"High","NamespaceName":"rhel:9","FixedIn":[{"Name":"firefox","Version":"0:115.3.1-1.el9_2","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5434","Link":"https://access.redhat.com/errata/RHSA-2023:5434"}]}},{"Name":"thunderbird","Version":"0:115.3.1-1.el9_2","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5435","Link":"https://access.redhat.com/errata/RHSA-2023:5435"}]}},{"Name":"libvpx","Version":"0:1.9.0-7.el9_2","Module":null,"VersionFormat":"rpm","NamespaceName":"rhel:9","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[{"ID":"RHSA-2023:5539","Link":"https://access.redhat.com/errata/RHSA-2023:5539"}]}}],"Link":"https://access.redhat.com/security/cve/CVE-2023-5217","Description":"A heap-based buffer overflow flaw was found in the way libvpx, a library used to process VP8 and VP9 video codecs data, processes certain specially formatted video data via a crafted HTML page. This flaw allows an attacker to crash or remotely execute arbitrary code in an application, such as a web browser that is compiled with this library.","Metadata":{},"Name":"CVE-2023-5217","CVSS":[{"version":"3.1","status":"verified","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","base_metrics":{"base_score":8.8,"exploitability_score":2.8,"impact_score":5.9,"base_severity":"High"}}]}}} diff --git a/tests/unit/providers/rhel/test_rhel.py b/tests/unit/providers/rhel/test_rhel.py index f3f7ba0f..81318c1c 100644 --- a/tests/unit/providers/rhel/test_rhel.py +++ b/tests/unit/providers/rhel/test_rhel.py 
@@ -444,7 +444,7 @@ def test_parse_affected_releases(self, tmpdir, affected_releases, fixed_ins, moc
 def test_parse_package_state(self, tmpdir, mock_cve):
 driver = Parser(workspace=workspace.Workspace(tmpdir, "test", create=True))
- results = driver._parse_package_state([], mock_cve.get("name"), mock_cve)
+ results = driver._parse_package_state(mock_cve.get("name"), mock_cve)
 assert results and isinstance(results, list) and len(results) == 1
 fixed_in = results[0]
@@ -532,26 +532,7 @@ def mock_init_rhsa_data(*args, **kwargs):
 p.update(None)
- assert 18 == workspace.num_result_entries()
- # list of 18 entries:
- # "CVE-2017-3539" (rhel 5)
- # "CVE-2017-3539" (rhel 6)
- # "CVE-2017-3539" (rhel 7)
- # "CVE-2017-3509" (rhel 5)
- # "CVE-2017-3509" (rhel 6)
- # "CVE-2017-3509" (rhel 7)
- # "CVE-2017-3533" (rhel 5)
- # "CVE-2017-3533" (rhel 6)
- # "CVE-2017-3533" (rhel 7)
- # "CVE-2017-3526" (rhel 5)
- # "CVE-2017-3526" (rhel 6)
- # "CVE-2017-3526" (rhel 7)
- # "CVE-2017-3544" (rhel 5)
- # "CVE-2017-3544" (rhel 6)
- # "CVE-2017-3544" (rhel 7)
- # "CVE-2017-3511" (rhel 5)
- # "CVE-2017-3511" (rhel 6)
- # "CVE-2017-3511" (rhel 7)
+ assert workspace.num_result_entries() == 64
 assert workspace.result_schemas_valid(require_entries=True)
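Review bot: The new assertion `assert workspace.num_result_entries() == 64` in the second hunk replaces the removed per-entry inventory with a bare count, so nothing in the test demonstrates that flatpak entries are actually excluded — a regression that re-admits them would surface only as a changed number with no hint of why. Since the commit's stated purpose is to filter flatpak entries, add at least one negative assertion over the written results, for example that no `FixedIn` entry's `Name` refers to a flatpak package (the exact package name to check is whatever the added CVE/RHSA fixture data contains, which this hunk does not show). A short comment above the count, `# 64 = <N CVEs> x <M namespaces> after flatpak entries are dropped  (fill in from the fixtures)`, would preserve the explanation the deleted comment block used to give. The enclosing test function starts outside the hunk; `mock_init_rhsa_data` in the hunk header is only the nearest preceding definition.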