From 1a808a8e2b0c324d6d861c3ac03f9edd46afc951 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Tue, 1 Oct 2024 12:41:37 +0100 Subject: [PATCH] improve some python 2022 CVE version ranges Signed-off-by: Weston Steimel --- data/anchore/2022/CVE-2022-26488.json | 65 ++++++++++++++++ data/anchore/2022/CVE-2022-45061.json | 105 ++++++++++++++++++++++++++ 2 files changed, 170 insertions(+) create mode 100644 data/anchore/2022/CVE-2022-26488.json create mode 100644 data/anchore/2022/CVE-2022-45061.json diff --git a/data/anchore/2022/CVE-2022-26488.json b/data/anchore/2022/CVE-2022-26488.json new file mode 100644 index 00000000..9f0ff21e --- /dev/null +++ b/data/anchore/2022/CVE-2022-26488.json @@ -0,0 +1,65 @@ +{ + "additionalMetadata": { + "cna": "mitre", + "cveId": "CVE-2022-26488", + "description": "In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.", + "reason": "Improve version ranges to indicate fix", + "references": [ + "https://mail.python.org/archives/list/security-announce%40python.org/thread/657Z4XULWZNIY5FRP3OWXHYKUSIH6DMN/", + "https://security.netapp.com/advisory/ntap-20220419-0005/" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ], + "packageName": "python/cpython", + "platforms": [ + "Windows" + ], + "product": "CPython", + "repo": "https://github.com/python/cpython", + "vendor": "Python Software Foundation", + "versions": [ + { + "lessThan": "3.11.0b1", + "status": "affected", + "version": "3.11.0a0", + "versionType": "python" + }, + { + "lessThan": "3.10.3", + "status": "affected", + "version": "3.10.0a0", + "versionType": "python" + }, + { + "lessThan": "3.9.11", + "status": "affected", + "version": "3.9.0a0", + "versionType": "python" + }, + { + "lessThan": "3.8.13", + "status": "affected", + "version": "3.8.0a0", + "versionType": "python" + }, + { + "lessThan": "3.7.13", + "status": "affected", + "version": "0", + "versionType": "python" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2022/CVE-2022-45061.json b/data/anchore/2022/CVE-2022-45061.json new file mode 100644 index 00000000..64dbf32e --- /dev/null +++ b/data/anchore/2022/CVE-2022-45061.json @@ -0,0 +1,105 @@ +{ + "additionalMetadata": { + "cna": "mitre", + "cveId": "CVE-2022-45061", + "description": "An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.", + "reason": "Improve version ranges to indicate fix", + "references": [ + "https://github.com/python/cpython/issues/98433", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/", + "https://security.gentoo.org/glsa/202305-02", + "https://security.netapp.com/advisory/ntap-20221209-0007/" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://github.com", + "cpes": [ + "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*" + ], + "packageName": "python/cpython", + "product": "CPython", + "repo": "https://github.com/python/cpython", + "vendor": "Python Software Foundation", + "versions": [ + { + "lessThan": "3.12.0a3", + "status": "affected", + "version": "3.12.0a0", + "versionType": "python" + }, + { + "lessThan": "3.11.1", + "status": "affected", + "version": "3.11.0a0", + "versionType": "python" + }, + { + "lessThan": "3.10.9", + "status": "affected", + "version": "3.10.0a0", + "versionType": "python" + }, + { + "lessThan": "3.9.16", + "status": "affected", + "version": "3.9.0a0", + "versionType": "python" + }, + { + "lessThan": "3.8.16", + "status": "affected", + "version": "3.8.0a0", + "versionType": "python" + }, + { + "lessThan": "3.7.16", + "status": "affected", + "version": "0", + "versionType": "python" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + }, + "references": [ + { + "url": "https://discuss.python.org/t/python-3-11-1-3-10-9-3-9-16-3-8-16-3-7-16-and-3-12-0-alpha-3-are-now-available/21724" + } + ] + } +} \ No newline at end of file