From 8f229ff6311e8fd6f04cf50d5ed0cdb98414cf4a Mon Sep 17 00:00:00 2001
From: cplvic
Date: Mon, 13 Mar 2017 09:43:26 -0700
Subject: [PATCH 1/4] Modified 2016-4970. - Unaffected version for netty uses different pom. Modified 2016-9878, 2016-9879 - Per Jassiner, added series information Added 2016-5007 - Spring Security + Framework for issue #49 Added 2017 folder Added 2017-5638 for Apache Stuts2 0-Day
---
 database/java/2016/4970.yaml | 13 ++++++++-----
 database/java/2016/5007.yaml | 19 +++++++++++++++++++
 database/java/2016/9878.yaml | 10 +++++-----
 database/java/2016/9879.yaml | 10 +++++-----
 database/java/2017/5638.yaml | 16 ++++++++++++++++
 5 files changed, 53 insertions(+), 15 deletions(-)
 create mode 100644 database/java/2016/5007.yaml
 create mode 100644 database/java/2017/5638.yaml
diff --git a/database/java/2016/4970.yaml b/database/java/2016/4970.yaml
index 6abf4fe..1c90274 100644
--- a/database/java/2016/4970.yaml
+++ b/database/java/2016/4970.yaml
@@ -9,10 +9,13 @@ affected:
 - groupId: "io.netty"
 artifactId: "netty-all"
 version:
- - "<=4.0.36.Final"
- - "<=4.1.0.Final"
+ - "<=4.0.36.Final,4.0"
+ - "<=4.1.0.Final,4.1"
 fixedin:
- - ">=4.0.37.Final"
- - ">=4.1.1.Final"
+ - ">=4.0.37.Final,4.0"
+ - ">=4.1.1.Final,4.1"
 unaffected:
- - "<=3.10.6.Final"
\ No newline at end of file
+ - groupId: "io.netty"
+ arifactId: "netty"
+ version:
+ - "<=3.10.6.Final,3"
\ No newline at end of file
diff --git a/database/java/2016/5007.yaml b/database/java/2016/5007.yaml
new file mode 100644
index 0000000..57423c1
--- /dev/null
+++ b/database/java/2016/5007.yaml
@@ -0,0 +1,19 @@
+cve: 2016-5007
+title: "Spring Security / MVC Path Matching Inconsistency"
+description: >
+ Both Spring Security and the Spring Framework rely on URL pattern mappings for authorization and for mapping requests to controllers respectively.
+references:
+ - https://pivotal.io/security/cve-2016-5007
+affected:
+ - groupId: "org.springframework.security"
+ artifactId: "spring-security-core"
+ version:
+ - "<=4.1.0.RELEASE"
+ fixedin:
+ - ">=4.1.1.RELEASE"
+ - groupId: "org.springframework"
+ artifactId: "spring-core"
+ version:
+ - "<=4.3.0.RELEASE"
+ fixedin:
+ - ">=4.3.1.RELEASE"
\ No newline at end of file
diff --git a/database/java/2016/9878.yaml b/database/java/2016/9878.yaml
index 32e604d..4365b84 100644
--- a/database/java/2016/9878.yaml
+++ b/database/java/2016/9878.yaml
@@ -10,9 +10,9 @@ affected:
 artifactId: "spring"
 version:
 - "<=3.2.17.RELEASE"
- - "<=4.2.8.RELEASE"
- - "<=4.3.4.RELEASE"
+ - "<=4.2.8.RELEASE,4.2"
+ - "<=4.3.4.RELEASE,4.3"
 fixedin:
- - ">=3.2.18.RELEASE"
- - ">=4.2.9.RELEASE"
- - ">=4.3.5.RELEASE"
\ No newline at end of file
+ - ">=3.2.18.RELEASE,3.2"
+ - ">=4.2.9.RELEASE.4.2"
+ - ">=4.3.5.RELEASE,4.3"
\ No newline at end of file
diff --git a/database/java/2016/9879.yaml b/database/java/2016/9879.yaml
index 81844dd..1f33b08 100644
--- a/database/java/2016/9879.yaml
+++ b/database/java/2016/9879.yaml
@@ -10,9 +10,9 @@ affected:
 artifactId: "spring-security-core"
 version:
 - "<=3.2.9.RELEASE"
- - "<=4.1.3.RELEASE"
- - "<=4.2.0.RELEASE"
+ - "<=4.1.3.RELEASE,4.1"
+ - "<=4.2.0.RELEASE,4.2"
 fixedin:
- - ">=3.2.10.RELEASE"
- - ">=4.1.4.RELEASE"
- - ">=4.2.1.RELEASE"
\ No newline at end of file
+ - ">=3.2.10.RELEASE,3.2"
+ - ">=4.1.4.RELEASE,4.1"
+ - ">=4.2.1.RELEASE,4.2"
\ No newline at end of file
diff --git a/database/java/2017/5638.yaml b/database/java/2017/5638.yaml
new file mode 100644
index 0000000..6586f73
--- /dev/null
+++ b/database/java/2017/5638.yaml
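Review bot: The `description` in the new database/java/2016/5007.yaml says only that both projects rely on URL pattern mappings and never states the flaw or its effect, so the entry cannot be triaged without following the reference. I would add a sentence along the lines of `Differences in how strictly the two match a path can leave a controller reachable without the authorization rule meant to cover it.`, with the wording checked against the linked advisory. The `version` and `fixedin` values here also carry no series suffix, unlike the constraints this patch rewrites in 4970.yaml, 9878.yaml and 9879.yaml; whether a suffix belongs here depends on which release lines are affected, which the hunk does not show.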
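Review bot: In database/java/2016/9878.yaml the added `fixedin` entry `- ">=4.2.9.RELEASE.4.2"` separates the series with a period where every other constraint in this patch uses a comma; it should read `- ">=4.2.9.RELEASE,4.2"`. The first `version` entry, `- "<=3.2.17.RELEASE"`, is left as context without a series while its `fixedin` counterpart gains `,3.2`, and the 9879.yaml hunk has the same gap at `- "<=3.2.9.RELEASE"`. Depending on how the consumer parses these strings, a malformed or unscoped constraint could make a scanner misreport a patched or a vulnerable release. Both entries begin above their hunks, so the groupId lines are not visible here.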
@@ -0,0 +1,16 @@
+cve: 2017-5638
+title: "Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser."
+description: >
+ The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
+references:
+ - https://cwiki.apache.org/confluence/display/WW/S2-045
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
+affected:
+ - groupId: "org.apache.struts"
+ artifactId: "struts-core"
+ version:
+ - "<=2.3.31.RELEASE,2.3"
+ - "<=2.5.10.RELEASE,2.5"
+ fixedin:
+ - ">=2.3.32.RELEASE,2.3"
+ - ">=2.5.10.1.RELEASE"
\ No newline at end of file
From 1f8fa95b81b4abdbd3786c352f73a2ff538330aa Mon Sep 17 00:00:00 2001
From: cplvic
Date: Mon, 13 Mar 2017 10:29:34 -0700
Subject: [PATCH 2/4] Modified 2016-4970. - Unaffected version for netty uses different pom. Modified 2016-9878, 2016-9879 - Per Jassiner, added series information Added 2016-5007 - Spring Security + Framework for issue #49 Added 2017 folder Added 2017-5638 for Apache Stuts2 0-Day
---
 database/java/2016/4970.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/database/java/2016/4970.yaml b/database/java/2016/4970.yaml
index 1c90274..8ee464c 100644
--- a/database/java/2016/4970.yaml
+++ b/database/java/2016/4970.yaml
@@ -15,7 +15,7 @@ affected:
 - ">=4.0.37.Final,4.0"
 - ">=4.1.1.Final,4.1"
 unaffected:
- - groupId: "io.netty"
- arifactId: "netty"
- version:
- - "<=3.10.6.Final,3"
\ No newline at end of file
+ - groupId: "io.netty"
+ artifactId: "netty"
+ version:
+ - "<=3.10.6.Final,3"
\ No newline at end of file
From 14405b233ae9b69d243df811da11d472e7372f19 Mon Sep 17 00:00:00 2001
From: cplvic
Date: Mon, 13 Mar 2017 12:41:05 -0700
Subject: [PATCH 3/4] Modified 2016-4970 - Unaffected version for netty uses different pom. Modified 2016-9878, 2016-9879 - Per Jassiner, added series information Added 2016-5007 - Spring Security + Framework for issue #49 Added 2017 folder Added 2017-5638 for Apache Stuts2 0-Day
---
 database/java/2016/4970.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/database/java/2016/4970.yaml b/database/java/2016/4970.yaml
index 8ee464c..4c57649 100644
--- a/database/java/2016/4970.yaml
+++ b/database/java/2016/4970.yaml
@@ -15,7 +15,4 @@ affected:
 - ">=4.0.37.Final,4.0"
 - ">=4.1.1.Final,4.1"
 unaffected:
- - groupId: "io.netty"
- artifactId: "netty"
- version:
- - "<=3.10.6.Final,3"
\ No newline at end of file
+ - "<=3.10.6.Final,3"
\ No newline at end of file
From df397a25a99dc427084fe66c91bed87c9441d19c Mon Sep 17 00:00:00 2001
From: cplvic
Date: Mon, 13 Mar 2017 15:15:12 -0700
Subject: [PATCH 4/4] Update 5638.yaml
---
 database/java/2017/5638.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/database/java/2017/5638.yaml b/database/java/2017/5638.yaml
index 6586f73..ad14b99 100644
--- a/database/java/2017/5638.yaml
+++ b/database/java/2017/5638.yaml
@@ -7,10 +7,10 @@ references:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
 affected:
 - groupId: "org.apache.struts"
- artifactId: "struts-core"
+ artifactId: "struts2-core"
 version:
- - "<=2.3.31.RELEASE,2.3"
- - "<=2.5.10.RELEASE,2.5"
+ - "<=2.3.31,2.3"
+ - "<=2.5.10,2.5"
 fixedin:
- - ">=2.3.32.RELEASE,2.3"
- - ">=2.5.10.1.RELEASE"
\ No newline at end of file
+ - ">=2.3.32,2.3"
+ - ">=2.5.10.1,2.5"
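Review bot: The added `- "<=3.10.6.Final,3"` under `unaffected:` in database/java/2016/4970.yaml (PATCH 3/4) drops the `groupId`/`artifactId` that PATCH 1/4 introduced, yet the commit message still says the unaffected netty version uses a different pom. As written, the constraint carries nothing that records the 3.x line is a different artifact from `netty-all`, and the reason for going back to the plain-string form is not stated. A comment above the entry, for example `# 3.x line is published as io.netty:netty, not netty-all`, would keep that fact in the file. The start of the `affected` entry lies above the hunk.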