improve some python 2022 CVE version ranges

Signed-off-by: Weston Steimel <[email protected]>
anchore · Oct 1, 2024 · 1a808a8 · 1a808a8
1 parent afed90c
commit 1a808a8
Show file tree

Hide file tree

Showing 2 changed files with 170 additions and 0 deletions.
diff --git a/data/anchore/2022/CVE-2022-26488.json b/data/anchore/2022/CVE-2022-26488.json
@@ -0,0 +1,65 @@
+{
+  "additionalMetadata": {
+    "cna": "mitre",
+    "cveId": "CVE-2022-26488",
+    "description": "In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.",
+    "reason": "Improve version ranges to indicate fix",
+    "references": [
+      "https://mail.python.org/archives/list/security-announce%40python.org/thread/657Z4XULWZNIY5FRP3OWXHYKUSIH6DMN/",
+      "https://security.netapp.com/advisory/ntap-20220419-0005/"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://github.com",
+        "cpes": [
+          "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
+        ],
+        "packageName": "python/cpython",
+        "platforms": [
+          "Windows"
+        ],
+        "product": "CPython",
+        "repo": "https://github.com/python/cpython",
+        "vendor": "Python Software Foundation",
+        "versions": [
+          {
+            "lessThan": "3.11.0b1",
+            "status": "affected",
+            "version": "3.11.0a0",
+            "versionType": "python"
+          },
+          {
+            "lessThan": "3.10.3",
+            "status": "affected",
+            "version": "3.10.0a0",
+            "versionType": "python"
+          },
+          {
+            "lessThan": "3.9.11",
+            "status": "affected",
+            "version": "3.9.0a0",
+            "versionType": "python"
+          },
+          {
+            "lessThan": "3.8.13",
+            "status": "affected",
+            "version": "3.8.0a0",
+            "versionType": "python"
+          },
+          {
+            "lessThan": "3.7.13",
+            "status": "affected",
+            "version": "0",
+            "versionType": "python"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}
diff --git a/data/anchore/2022/CVE-2022-45061.json b/data/anchore/2022/CVE-2022-45061.json
@@ -0,0 +1,105 @@
+{
+  "additionalMetadata": {
+    "cna": "mitre",
+    "cveId": "CVE-2022-45061",
+    "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.",
+    "reason": "Improve version ranges to indicate fix",
+    "references": [
+      "https://github.com/python/cpython/issues/98433",
+      "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html",
+      "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/",
+      "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/",
+      "https://security.gentoo.org/glsa/202305-02",
+      "https://security.netapp.com/advisory/ntap-20221209-0007/"
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://github.com",
+        "cpes": [
+          "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
+        ],
+        "packageName": "python/cpython",
+        "product": "CPython",
+        "repo": "https://github.com/python/cpython",
+        "vendor": "Python Software Foundation",
+        "versions": [
+          {
+            "lessThan": "3.12.0a3",
+            "status": "affected",
+            "version": "3.12.0a0",
+            "versionType": "python"
+          },
+          {
+            "lessThan": "3.11.1",
+            "status": "affected",
+            "version": "3.11.0a0",
+            "versionType": "python"
+          },
+          {
+            "lessThan": "3.10.9",
+            "status": "affected",
+            "version": "3.10.0a0",
+            "versionType": "python"
+          },
+          {
+            "lessThan": "3.9.16",
+            "status": "affected",
+            "version": "3.9.0a0",
+            "versionType": "python"
+          },
+          {
+            "lessThan": "3.8.16",
+            "status": "affected",
+            "version": "3.8.0a0",
+            "versionType": "python"
+          },
+          {
+            "lessThan": "3.7.16",
+            "status": "affected",
+            "version": "0",
+            "versionType": "python"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    },
+    "references": [
+      {
+        "url": "https://discuss.python.org/t/python-3-11-1-3-10-9-3-9-16-3-8-16-3-7-16-and-3-12-0-alpha-3-are-now-available/21724"
+      }
+    ]
+  }
+}