From 14f2aaabcf537a4fa54f05af1072ff6b4d2b66fe Mon Sep 17 00:00:00 2001 From: cvelistV5 Github Action Date: Thu, 31 Oct 2024 10:03:21 +0000 Subject: [PATCH] 4 changes (4 new | 0 updated): - 4 new CVEs: CVE-2024-43383, CVE-2024-43984, CVE-2024-49674, CVE-2024-49685 - 0 updated CVEs: --- cves/2024/43xxx/CVE-2024-43383.json | 116 +++++++++++++++++++++++ cves/2024/43xxx/CVE-2024-43984.json | 142 ++++++++++++++++++++++++++++ cves/2024/49xxx/CVE-2024-49674.json | 123 ++++++++++++++++++++++++ cves/2024/49xxx/CVE-2024-49685.json | 142 ++++++++++++++++++++++++++++ cves/delta.json | 38 ++++---- cves/deltaLog.json | 66 +++++++------ 6 files changed, 577 insertions(+), 50 deletions(-) create mode 100644 cves/2024/43xxx/CVE-2024-43383.json create mode 100644 cves/2024/43xxx/CVE-2024-43984.json create mode 100644 cves/2024/49xxx/CVE-2024-49674.json create mode 100644 cves/2024/49xxx/CVE-2024-49685.json diff --git a/cves/2024/43xxx/CVE-2024-43383.json b/cves/2024/43xxx/CVE-2024-43383.json new file mode 100644 index 000000000000..0ad0ed0336a2 --- /dev/null +++ b/cves/2024/43xxx/CVE-2024-43383.json 
@@ -0,0 +1,116 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2024-43383", + "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "state": "PUBLISHED", + "assignerShortName": "apache", + "dateReserved": "2024-08-10T16:38:34.946Z", + "datePublished": "2024-10-31T09:57:29.062Z", + "dateUpdated": "2024-10-31T09:57:29.062Z" + }, + "containers": { + "cna": { + "affected": [ + { + "collectionURL": "https://www.nuget.org/packages/Lucene.Net.Replicator/4.8.0-beta00016", + "defaultStatus": "unaffected", + "packageName": "Lucene.Net.Replicator", + "product": "Apache Lucene.Net.Replicator", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThanOrEqual": "4.8.0-beta00016", + "status": "affected", + "version": "4.8.0-beta00005", + "versionType": "semver" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "reporter", + "value": "Summ3r, Vidar-Team" + }, + { + "lang": "en", + "type": "remediation developer", + "value": "Apache Lucene" + } + ], + "descriptions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.

This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.

An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.

Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.

" + } + ], + "value": "Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.\n\nThis issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.\n\nAn attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.\n\n\nUsers are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue." + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + }, + "format": "CVSS", + "scenarios": [ + { + "lang": "en", + "value": "GENERAL" + } + ] + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-502", + "description": "CWE-502 Deserialization of Untrusted Data", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", + "shortName": "apache", + "dateUpdated": "2024-10-31T09:57:29.062Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://lists.apache.org/thread/wlz1p76dxpt4rl9o29voxjd5zl7717nh" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + } + } +} \ No newline at end of file diff --git a/cves/2024/43xxx/CVE-2024-43984.json b/cves/2024/43xxx/CVE-2024-43984.json new file mode 100644 index 000000000000..5cabe960e52a --- /dev/null 
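Review bot: The fix version 4.8.0-beta00017 exists only in the description prose; the `affected[0].versions` entry has no `changes` item and the record has no `solutions` block, so tooling that reads this file cannot see the remediation, while the Patchstack records in this same commit (CVE-2024-43984, CVE-2024-49685) carry both. Adding `"changes": [{ "at": "4.8.0-beta00017", "status": "unaffected" }]` beside `lessThanOrEqual` and a `solutions` entry with `"value": "Upgrade to 4.8.0-beta00017 or later."` would close that gap. The `collectionURL` also points at the page of the affected 4.8.0-beta00016 package rather than the package's collection, which looks like the affected-version URL was pasted in its place; worth confirming against what the CNA intended.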
+++ b/cves/2024/43xxx/CVE-2024-43984.json @@ -0,0 +1,142 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2024-43984", + "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", + "state": "PUBLISHED", + "assignerShortName": "Patchstack", + "dateReserved": "2024-08-18T21:57:10.849Z", + "datePublished": "2024-10-31T10:02:27.979Z", + "dateUpdated": "2024-10-31T10:02:27.979Z" + }, + "containers": { + "cna": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "defaultStatus": "unaffected", + "packageName": "podlove-podcasting-plugin-for-wordpress", + "product": "Podlove Podcast Publisher", + "vendor": "Podlove", + "versions": [ + { + "changes": [ + { + "at": "4.1.14", + "status": "unaffected" + } + ], + "lessThanOrEqual": "4.1.13", + "status": "affected", + "version": "n/a", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Muhammad Daffa (Patchstack Alliance)" + } + ], + "descriptions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher allows Code Injection.

This issue affects Podlove Podcast Publisher: from n/a through 4.1.13.

" + } + ], + "value": "Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher allows Code Injection.This issue affects Podlove Podcast Publisher: from n/a through 4.1.13." + } + ], + "impacts": [ + { + "capecId": "CAPEC-242", + "descriptions": [ + { + "lang": "en", + "value": "CAPEC-242 Code Injection" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.6, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "version": "3.1" + }, + "format": "CVSS", + "scenarios": [ + { + "lang": "en", + "value": "GENERAL" + } + ] + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-352", + "description": "CWE-352 Cross-Site Request Forgery (CSRF)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", + "shortName": "Patchstack", + "dateUpdated": "2024-10-31T10:02:27.979Z" + }, + "references": [ + { + "tags": [ + "vdb-entry" + ], + "url": "https://patchstack.com/database/vulnerability/podlove-podcasting-plugin-for-wordpress/wordpress-podlove-podcast-publisher-plugin-4-1-13-csrf-to-remote-code-execution-rce-vulnerability?_s_id=cve" + } + ], + "solutions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Update to 4.1.14 or a higher version." + } + ], + "value": "Update to 4.1.14 or a higher version." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "WordPress Podlove Podcast Publisher plugin <= 4.1.13 - CSRF to Remote Code Execution (RCE) vulnerability", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + } + } +} \ No newline at end of file 
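Review bot: The description duplicates the vendor name (`Podlove Podlove Podcast Publisher`) and its plain-text `value` has lost the sentence break (`Code Injection.This issue affects`), so the HTML `supportingMedia` text and the `value` field no longer say the same thing; the same missing space appears in the `value` fields of CVE-2024-49674 and CVE-2024-49685 in this commit. Regenerating it as `Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podcast Publisher allows Code Injection. This issue affects Podlove Podcast Publisher: from n/a through 4.1.13.` keeps both renderings aligned. Separately, `problemTypes` records only CWE-352 while the title and the CAPEC-242 impact claim remote code execution; if the CNA knows the injection sink, a second problemTypes entry naming that weakness would make the RCE claim machine-readable rather than title-only.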
diff --git a/cves/2024/49xxx/CVE-2024-49674.json b/cves/2024/49xxx/CVE-2024-49674.json new file mode 100644 index 000000000000..fc45604065f9 --- /dev/null +++ b/cves/2024/49xxx/CVE-2024-49674.json @@ -0,0 +1,123 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2024-49674", + "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", + "state": "PUBLISHED", + "assignerShortName": "Patchstack", + "dateReserved": "2024-10-17T09:52:10.631Z", + "datePublished": "2024-10-31T10:01:19.117Z", + "dateUpdated": "2024-10-31T10:01:19.117Z" + }, + "containers": { + "cna": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "defaultStatus": "unaffected", + "packageName": "ekc-tournament-manager", + "product": "EKC Tournament Manager", + "vendor": "Lukas Huser", + "versions": [ + { + "lessThanOrEqual": "2.2.1", + "status": "affected", + "version": "n/a", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Joshua Chan (Patchstack Alliance)" + } + ], + "descriptions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Cross-Site Request Forgery (CSRF) vulnerability in Lukas Huser EKC Tournament Manager allows Upload a Web Shell to a Web Server.

This issue affects EKC Tournament Manager: from n/a through 2.2.1.

" + } + ], + "value": "Cross-Site Request Forgery (CSRF) vulnerability in Lukas Huser EKC Tournament Manager allows Upload a Web Shell to a Web Server.This issue affects EKC Tournament Manager: from n/a through 2.2.1." + } + ], + "impacts": [ + { + "capecId": "CAPEC-650", + "descriptions": [ + { + "lang": "en", + "value": "CAPEC-650 Upload a Web Shell to a Web Server" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.6, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "version": "3.1" + }, + "format": "CVSS", + "scenarios": [ + { + "lang": "en", + "value": "GENERAL" + } + ] + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-352", + "description": "CWE-352 Cross-Site Request Forgery (CSRF)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", + "shortName": "Patchstack", + "dateUpdated": "2024-10-31T10:01:19.117Z" + }, + "references": [ + { + "tags": [ + "vdb-entry" + ], + "url": "https://patchstack.com/database/vulnerability/ekc-tournament-manager/wordpress-ekc-tournament-manager-plugin-2-2-1-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "WordPress EKC Tournament Manager plugin <= 2.2.1 - CSRF to Arbitrary File Upload vulnerability", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + } + } +} \ No newline at end of file diff --git a/cves/2024/49xxx/CVE-2024-49685.json b/cves/2024/49xxx/CVE-2024-49685.json new file mode 100644 index 000000000000..427b1fc60bce --- /dev/null +++ b/cves/2024/49xxx/CVE-2024-49685.json 
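Review bot: This record declares `"defaultStatus": "unaffected"` with the affected range capped at `"lessThanOrEqual": "2.2.1"` but carries neither a `changes` entry naming a fixed version nor a `solutions` block, so every version above 2.2.1 is implicitly marked unaffected without any recorded evidence that a fix exists; the sibling Patchstack records in this commit (CVE-2024-43984, CVE-2024-49685) record the fix in both places. If a patched release has shipped, add `"changes": [{ "at": "<fixed version>", "status": "unaffected" }]` and a matching `solutions` entry (placeholder to be filled from the referenced advisory); if it has not, the record should state that rather than imply an upper bound.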
@@ -0,0 +1,142 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2024-49685", + "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", + "state": "PUBLISHED", + "assignerShortName": "Patchstack", + "dateReserved": "2024-10-17T09:52:18.155Z", + "datePublished": "2024-10-31T09:59:49.185Z", + "dateUpdated": "2024-10-31T09:59:49.185Z" + }, + "containers": { + "cna": { + "affected": [ + { + "collectionURL": "https://wordpress.org/plugins", + "defaultStatus": "unaffected", + "packageName": "custom-twitter-feeds", + "product": "Custom Twitter Feeds (Tweets Widget)", + "vendor": "Smash Balloon", + "versions": [ + { + "changes": [ + { + "at": "2.2.4", + "status": "unaffected" + } + ], + "lessThanOrEqual": "2.2.3", + "status": "affected", + "version": "n/a", + "versionType": "custom" + } + ] + } + ], + "credits": [ + { + "lang": "en", + "type": "finder", + "user": "00000000-0000-4000-9000-000000000000", + "value": "Rafie Muhammad (Patchstack)" + } + ], + "descriptions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds (Tweets Widget) allows Cross Site Request Forgery.

This issue affects Custom Twitter Feeds (Tweets Widget): from n/a through 2.2.3.

" + } + ], + "value": "Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds (Tweets Widget) allows Cross Site Request Forgery.This issue affects Custom Twitter Feeds (Tweets Widget): from n/a through 2.2.3." + } + ], + "impacts": [ + { + "capecId": "CAPEC-62", + "descriptions": [ + { + "lang": "en", + "value": "CAPEC-62 Cross Site Request Forgery" + } + ] + } + ], + "metrics": [ + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 5.4, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", + "version": "3.1" + }, + "format": "CVSS", + "scenarios": [ + { + "lang": "en", + "value": "GENERAL" + } + ] + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-352", + "description": "CWE-352 Cross-Site Request Forgery (CSRF)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", + "shortName": "Patchstack", + "dateUpdated": "2024-10-31T09:59:49.185Z" + }, + "references": [ + { + "tags": [ + "vdb-entry" + ], + "url": "https://patchstack.com/database/vulnerability/custom-twitter-feeds/wordpress-custom-twitter-feeds-plugin-2-2-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve" + } + ], + "solutions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Update to 2.2.4 or a higher version." + } + ], + "value": "Update to 2.2.4 or a higher version." + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "title": "WordPress Custom Twitter Feeds plugin <= 2.2.3 - Cross Site Request Forgery (CSRF) vulnerability", + "x_generator": { + "engine": "Vulnogram 0.1.0-dev" + } + } + } +} \ No newline at end of file 
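Review bot: The description is circular — `Cross-Site Request Forgery (CSRF) vulnerability ... allows Cross Site Request Forgery` — and names neither the state-changing action a forged request triggers nor its effect, so a reader cannot connect the `I:L/A:L` impacts in the CVSS vector to anything concrete; the other two Patchstack records in this commit at least name the consequence (code injection, web-shell upload). The CNA should replace the second clause with the actual consequence, e.g. `allows an attacker to <affected action, from the advisory> on behalf of an authenticated user.`, with the placeholder filled from the referenced Patchstack entry. The title's `<= 2.2.3` bound and the `"at": "2.2.4"` fix already agree, so only the prose needs attention.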
diff --git a/cves/delta.json b/cves/delta.json index 49eb88605c1b..e605b3454fd4 100644 --- a/cves/delta.json +++ b/cves/delta.json 
@@ -1,26 +1,32 @@ { - "fetchTime": "2024-10-31T09:20:39.280Z", - "numberOfChanges": 3, - "new": [], - "updated": [ + "fetchTime": "2024-10-31T10:03:10.456Z", + "numberOfChanges": 4, + "new": [ { - "cveId": "CVE-2024-10525", - "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-10525", - "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/10xxx/CVE-2024-10525.json", - "dateUpdated": "2024-10-31T09:09:42.334Z" + "cveId": "CVE-2024-43383", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-43383", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/43xxx/CVE-2024-43383.json", + "dateUpdated": "2024-10-31T09:57:29.062Z" }, { - "cveId": "CVE-2024-3935", - "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-3935", - "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/3xxx/CVE-2024-3935.json", - "dateUpdated": "2024-10-31T09:12:11.012Z" + "cveId": "CVE-2024-43984", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-43984", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/43xxx/CVE-2024-43984.json", + "dateUpdated": "2024-10-31T10:02:27.979Z" }, { - "cveId": "CVE-2024-8376", - "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-8376", - "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/8xxx/CVE-2024-8376.json", - "dateUpdated": "2024-10-31T09:15:30.149Z" + "cveId": "CVE-2024-49674", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-49674", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/49xxx/CVE-2024-49674.json", + "dateUpdated": "2024-10-31T10:01:19.117Z" + }, + { + "cveId": "CVE-2024-49685", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-49685", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/49xxx/CVE-2024-49685.json", + "dateUpdated": "2024-10-31T09:59:49.185Z" } ], + 
"updated": [], "error": [] } \ No newline at end of file diff --git a/cves/deltaLog.json b/cves/deltaLog.json index ebfbac0ba464..8129e4cb9282 100644 --- a/cves/deltaLog.json +++ b/cves/deltaLog.json @@ -1,4 +1,36 @@ [ + { + "fetchTime": "2024-10-31T10:03:10.456Z", + "numberOfChanges": 4, + "new": [ + { + "cveId": "CVE-2024-43383", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-43383", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/43xxx/CVE-2024-43383.json", + "dateUpdated": "2024-10-31T09:57:29.062Z" + }, + { + "cveId": "CVE-2024-43984", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-43984", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/43xxx/CVE-2024-43984.json", + "dateUpdated": "2024-10-31T10:02:27.979Z" + }, + { + "cveId": "CVE-2024-49674", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-49674", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/49xxx/CVE-2024-49674.json", + "dateUpdated": "2024-10-31T10:01:19.117Z" + }, + { + "cveId": "CVE-2024-49685", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-49685", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/49xxx/CVE-2024-49685.json", + "dateUpdated": "2024-10-31T09:59:49.185Z" + } + ], + "updated": [], + "error": [] + }, { "fetchTime": "2024-10-31T09:20:39.280Z", "numberOfChanges": 3, 
@@ -132893,39 +132925,5 @@ } ], "error": [] - }, - { - "fetchTime": "2024-10-01T09:52:29.215Z", - "numberOfChanges": 1, - "new": [ - { - "cveId": "CVE-2023-3441", - "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2023-3441", - "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2023/3xxx/CVE-2023-3441.json", - "dateUpdated": "2024-10-01T09:47:16.444Z" - } - ], - "updated": [], - "error": [] - }, - { - "fetchTime": "2024-10-01T09:36:44.796Z", - "numberOfChanges": 2, - "new": [ - { - "cveId": "CVE-2024-9060", - "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-9060", - "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/9xxx/CVE-2024-9060.json", - "dateUpdated": "2024-10-01T09:30:31.950Z" - }, - { - "cveId": "CVE-2024-9118", - "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-9118", - "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/9xxx/CVE-2024-9118.json", - "dateUpdated": "2024-10-01T09:30:31.139Z" - } - ], - "updated": [], - "error": [] } ] \ No newline at end of file