From 3dc000d460ae19b21b1f3365d8643f45b89b195a Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Thu, 10 Oct 2024 09:21:37 +0100 Subject: [PATCH] updates 2024-10-10 
Signed-off-by: Weston Steimel --- data/anchore/2024/CVE-2024-20787.json | 34 ++++++++++++++ data/anchore/2024/CVE-2024-45136.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-45137.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-45138.json | 34 ++++++++++++++ data/anchore/2024/CVE-2024-45139.json | 34 ++++++++++++++ data/anchore/2024/CVE-2024-45140.json | 34 ++++++++++++++ data/anchore/2024/CVE-2024-45141.json | 34 ++++++++++++++ data/anchore/2024/CVE-2024-45142.json | 34 ++++++++++++++ data/anchore/2024/CVE-2024-45143.json | 34 ++++++++++++++ data/anchore/2024/CVE-2024-45144.json | 34 ++++++++++++++ data/anchore/2024/CVE-2024-45145.json | 46 ++++++++++++++++++ data/anchore/2024/CVE-2024-45146.json | 34 ++++++++++++++ data/anchore/2024/CVE-2024-45150.json | 34 ++++++++++++++ data/anchore/2024/CVE-2024-45152.json | 34 ++++++++++++++ data/anchore/2024/CVE-2024-45720.json | 37 +++++++++++++++ data/anchore/2024/CVE-2024-47410.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47411.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47412.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47413.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47414.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47415.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47416.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47417.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47418.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47419.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47420.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47421.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47422.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47423.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47424.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47425.json | 40 ++++++++++++++++ data/anchore/2024/CVE-2024-47763.json | 67 +++++++++++++++++++++++++++ data/anchore/2024/CVE-2024-47813.json | 63 
+++++++++++++++++++++++++ data/anchore/2024/CVE-2024-47828.json | 37 +++++++++++++++ data/anchore/2024/CVE-2024-5968.json | 37 +++++++++++++++ data/anchore/2024/CVE-2024-9680.json | 65 ++++++++++++++++++++++++++ 36 files changed, 1446 insertions(+) create mode 100644 data/anchore/2024/CVE-2024-20787.json create mode 100644 data/anchore/2024/CVE-2024-45136.json create mode 100644 data/anchore/2024/CVE-2024-45137.json create mode 100644 data/anchore/2024/CVE-2024-45138.json create mode 100644 data/anchore/2024/CVE-2024-45139.json create mode 100644 data/anchore/2024/CVE-2024-45140.json create mode 100644 data/anchore/2024/CVE-2024-45141.json create mode 100644 data/anchore/2024/CVE-2024-45142.json create mode 100644 data/anchore/2024/CVE-2024-45143.json create mode 100644 data/anchore/2024/CVE-2024-45144.json create mode 100644 data/anchore/2024/CVE-2024-45145.json create mode 100644 data/anchore/2024/CVE-2024-45146.json create mode 100644 data/anchore/2024/CVE-2024-45150.json create mode 100644 data/anchore/2024/CVE-2024-45152.json create mode 100644 data/anchore/2024/CVE-2024-45720.json create mode 100644 data/anchore/2024/CVE-2024-47410.json create mode 100644 data/anchore/2024/CVE-2024-47411.json create mode 100644 data/anchore/2024/CVE-2024-47412.json create mode 100644 data/anchore/2024/CVE-2024-47413.json create mode 100644 data/anchore/2024/CVE-2024-47414.json create mode 100644 data/anchore/2024/CVE-2024-47415.json create mode 100644 data/anchore/2024/CVE-2024-47416.json create mode 100644 data/anchore/2024/CVE-2024-47417.json create mode 100644 data/anchore/2024/CVE-2024-47418.json create mode 100644 data/anchore/2024/CVE-2024-47419.json create mode 100644 data/anchore/2024/CVE-2024-47420.json create mode 100644 data/anchore/2024/CVE-2024-47421.json create mode 100644 data/anchore/2024/CVE-2024-47422.json create mode 100644 data/anchore/2024/CVE-2024-47423.json create mode 100644 data/anchore/2024/CVE-2024-47424.json create mode 100644 
data/anchore/2024/CVE-2024-47425.json
create mode 100644 data/anchore/2024/CVE-2024-47763.json
create mode 100644 data/anchore/2024/CVE-2024-47813.json
create mode 100644 data/anchore/2024/CVE-2024-47828.json
create mode 100644 data/anchore/2024/CVE-2024-5968.json
create mode 100644 data/anchore/2024/CVE-2024-9680.json
diff --git a/data/anchore/2024/CVE-2024-20787.json b/data/anchore/2024/CVE-2024-20787.json
new file mode 100644
index 00000000..321b44c6
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-20787.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-20787",
+ "description": "Substance3D - Painter versions 10.0.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/substance3d_painter/apsb24-52.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:substance_3d_painter:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Substance3D - Painter",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "10.1.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45136.json b/data/anchore/2024/CVE-2024-45136.json
new file mode 100644
index 00000000..45ebdce1
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45136.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45136",
+ "description": "InCopy versions 19.4, 18.5.3 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution by an attacker. An attacker could exploit this vulnerability by uploading a malicious file which can then be executed on the server. Exploitation of this issue requires user interaction.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/incopy/apsb24-79.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:incopy:*:*:*:*:*:*:*:*"
+ ],
+ "product": "InCopy",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "19.5",
+ "status": "affected",
+ "version": "19",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "18.5.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45137.json b/data/anchore/2024/CVE-2024-45137.json
new file mode 100644
index 00000000..c6beb9e2
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45137.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45137",
+ "description": "InDesign Desktop versions 19.4, 18.5.3 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by uploading a malicious file which, when executed, could run arbitrary code in the context of the server. Exploitation of this issue requires user interaction.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/incopy/apsb24-79.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:indesign:*:*:*:*:*:*:*:*"
+ ],
+ "product": "InDesign Desktop",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "19.5",
+ "status": "affected",
+ "version": "19",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "18.5.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45138.json b/data/anchore/2024/CVE-2024-45138.json
new file mode 100644
index 00000000..1d3f71a0
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45138.json
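Review bot: The `references` entry in CVE-2024-45137.json points at the InCopy bulletin (`https://helpx.adobe.com/security/products/incopy/apsb24-79.html`), while the `cveId`, `description`, `product` and CPE in the same record all name InDesign Desktop. The identical URL is used in CVE-2024-45136.json for InCopy, so this looks carried over from the neighbouring record, although it may also mirror what the CNA record lists. Anyone following the link to confirm the `lessThan` bounds (`19.5`, `18.5.4`) lands on an advisory for a different product, so the ranges cannot be checked from the cited source. Confirm the bounds against Adobe's InDesign bulletin and cite that URL here instead.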
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45138",
+ "description": "Substance3D - Stager versions 3.0.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/substance3d_stager/apsb24-81.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Substance3D - Stager",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "3.0.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45139.json b/data/anchore/2024/CVE-2024-45139.json
new file mode 100644
index 00000000..b7bdfd89
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45139.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45139",
+ "description": "Substance3D - Stager versions 3.0.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/substance3d_stager/apsb24-81.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Substance3D - Stager",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "3.0.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45140.json b/data/anchore/2024/CVE-2024-45140.json
new file mode 100644
index 00000000..87b5ac7d
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45140.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45140",
+ "description": "Substance3D - Stager versions 3.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/substance3d_stager/apsb24-81.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Substance3D - Stager",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "3.0.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45141.json b/data/anchore/2024/CVE-2024-45141.json
new file mode 100644
index 00000000..ffc2a9db
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45141.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45141",
+ "description": "Substance3D - Stager versions 3.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/substance3d_stager/apsb24-81.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Substance3D - Stager",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "3.0.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45142.json b/data/anchore/2024/CVE-2024-45142.json
new file mode 100644
index 00000000..076d2fe6
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45142.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45142",
+ "description": "Substance3D - Stager versions 3.0.3 and earlier are affected by a Write-what-where Condition vulnerability that could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability allows an attacker to write a controlled value to an arbitrary memory location, potentially leading to code execution. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/substance3d_stager/apsb24-81.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Substance3D - Stager",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "3.0.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45143.json b/data/anchore/2024/CVE-2024-45143.json
new file mode 100644
index 00000000..0536efbf
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45143.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45143",
+ "description": "Substance3D - Stager versions 3.0.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/substance3d_stager/apsb24-81.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Substance3D - Stager",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "3.0.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45144.json b/data/anchore/2024/CVE-2024-45144.json
new file mode 100644
index 00000000..bccc7c36
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45144.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45144",
+ "description": "Substance3D - Stager versions 3.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/substance3d_stager/apsb24-81.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Substance3D - Stager",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "3.0.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45145.json b/data/anchore/2024/CVE-2024-45145.json
new file mode 100644
index 00000000..144ab7fb
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45145.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45145",
+ "description": "Lightroom Desktop versions 7.4.1, 13.5, 12.5.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/lightroom/apsb24-78.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:lightroom:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Lightroom Desktop",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "7.5",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "12.5.2",
+ "status": "affected",
+ "version": "8",
+ "versionType": "semver"
+ },
+ {
+ "lessThanOrEqual": "13.5.1",
+ "status": "affected",
+ "version": "13",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45146.json b/data/anchore/2024/CVE-2024-45146.json
new file mode 100644
index 00000000..0c850440
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45146.json
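Review bot: The third range in CVE-2024-45145.json uses an inclusive bound, `"lessThanOrEqual": "13.5.1"`, so 13.5.1 itself is marked affected, whereas the description gives 13.5 as the last affected version on that branch. The other two ranges use an exclusive `lessThan` on what appears to be the first fixed build (`7.5`, `12.5.2`), so this one looks like a slip. If 13.5.1 is the fixed release per the cited bulletin, the line should read `"lessThan": "13.5.1"`; as written a scanner would presumably keep reporting patched 13.5.1 installs. Please confirm the fixed version against the advisory before changing it.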
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45146",
+ "description": "Dimension versions 4.0.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/dimension/apsb24-74.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:dimension:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Dimension",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "4.0.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45150.json b/data/anchore/2024/CVE-2024-45150.json
new file mode 100644
index 00000000..488f8603
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45150.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45150",
+ "description": "Dimension versions 4.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/dimension/apsb24-74.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:dimension:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Dimension",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "4.0.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45152.json b/data/anchore/2024/CVE-2024-45152.json
new file mode 100644
index 00000000..f31926e8
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45152.json
@@ -0,0 +1,34 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-45152",
+ "description": "Substance3D - Stager versions 3.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/substance3d_stager/apsb24-81.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Substance3D - Stager",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "3.0.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-45720.json b/data/anchore/2024/CVE-2024-45720.json
new file mode 100644
index 00000000..25a8bd52
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-45720.json
@@ -0,0 +1,37 @@
+{
+ "additionalMetadata": {
+ "cna": "apache",
+ "cveId": "CVE-2024-45720",
+ "description": "On Windows platforms, a \"best fit\" character encoding conversion of command line arguments to Subversion's executables (e.g., svn.exe, etc.) may lead to unexpected command line argument interpretation, including argument injection and execution of other programs, if a specially crafted command line argument string is processed.\n\nAll versions of Subversion up to and including Subversion 1.14.3 are affected on Windows platforms only. Users are recommended to upgrade to version Subversion 1.14.4, which fixes this issue.\n\nSubversion is not affected on UNIX-like platforms.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://subversion.apache.org/security/CVE-2024-45720-advisory.txt"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*"
+ ],
+ "platforms": [
+ "Windows"
+ ],
+ "product": "Apache Subversion",
+ "vendor": "Apache Software Foundation",
+ "versions": [
+ {
+ "lessThan": "1.14.4",
+ "status": "affected",
+ "version": "1.0.0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47410.json b/data/anchore/2024/CVE-2024-47410.json
new file mode 100644
index 00000000..0f9fde51
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47410.json
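Review bot: The range in CVE-2024-45720.json starts at `"version": "1.0.0"`, although the description says all versions of Subversion up to and including 1.14.3 are affected. Every other record in this patch uses `"version": "0"` as the open lower bound, and using it here would keep any pre-1.0 build in range. Separately, `platforms` limits the record to Windows but the CPE leaves the target-software field as `*`, so a matcher that reads only `cpes` would presumably also flag Subversion on UNIX-like hosts, which the description says are not affected. It is worth confirming how the consuming scanner treats `platforms` before relying on this record.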
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47410",
+ "description": "Animate versions 23.0.7, 24.0.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/animate/apsb24-76.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Animate",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "24.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47411.json b/data/anchore/2024/CVE-2024-47411.json
new file mode 100644
index 00000000..66b4ceed
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47411.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47411",
+ "description": "Animate versions 23.0.7, 24.0.4 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/animate/apsb24-76.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Animate",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "24.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47412.json b/data/anchore/2024/CVE-2024-47412.json
new file mode 100644
index 00000000..5e9fa2a7
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47412.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47412",
+ "description": "Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/animate/apsb24-76.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Animate",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "24.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47413.json b/data/anchore/2024/CVE-2024-47413.json
new file mode 100644
index 00000000..503f6ff7
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47413.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47413",
+ "description": "Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/animate/apsb24-76.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Animate",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "24.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47414.json b/data/anchore/2024/CVE-2024-47414.json
new file mode 100644
index 00000000..7f7e6a86
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47414.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47414",
+ "description": "Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/animate/apsb24-76.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Animate",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "24.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47415.json b/data/anchore/2024/CVE-2024-47415.json
new file mode 100644
index 00000000..e988e9e8
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47415.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47415",
+ "description": "Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/animate/apsb24-76.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Animate",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "24.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47416.json b/data/anchore/2024/CVE-2024-47416.json
new file mode 100644
index 00000000..c24a1ef1
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47416.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47416",
+ "description": "Animate versions 23.0.7, 24.0.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/animate/apsb24-76.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Animate",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "24.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47417.json b/data/anchore/2024/CVE-2024-47417.json
new file mode 100644
index 00000000..fb0705e5
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47417.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47417",
+ "description": "Animate versions 23.0.7, 24.0.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/animate/apsb24-76.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Animate",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "24.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47418.json b/data/anchore/2024/CVE-2024-47418.json
new file mode 100644
index 00000000..e7ccaba0
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47418.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47418",
+ "description": "Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/animate/apsb24-76.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Animate",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "24.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47419.json b/data/anchore/2024/CVE-2024-47419.json
new file mode 100644
index 00000000..e121e58c
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47419.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47419",
+ "description": "Animate versions 23.0.7, 24.0.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/animate/apsb24-76.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Animate",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "24.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47420.json b/data/anchore/2024/CVE-2024-47420.json
new file mode 100644
index 00000000..d74ec766
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47420.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47420",
+ "description": "Animate versions 23.0.7, 24.0.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/animate/apsb24-76.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:animate:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Animate",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "24.0.5",
+ "status": "affected",
+ "version": "24",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.8",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47421.json b/data/anchore/2024/CVE-2024-47421.json
new file mode 100644
index 00000000..20a58172
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47421.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47421",
+ "description": "Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/framemaker/apsb24-82.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:framemaker:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Adobe Framemaker",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "2022.5",
+ "status": "affected",
+ "version": "2021",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "2020.7",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47422.json b/data/anchore/2024/CVE-2024-47422.json
new file mode 100644
index 00000000..9c7b0b60
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47422.json
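Review bot: In CVE-2024-47421.json both ranges declare `"versionType": "semver"`, but the bounds `"2022.5"` and `"2020.7"` have only two components and are not valid Semantic Versioning strings. A consumer that parses them strictly may reject or mis-order the range, which would leave affected Framemaker installs unmatched. `"versionType": "custom"`, as the Wasmtime records in this patch use, looks like the safer choice, assuming the matcher then falls back to a lenient comparison. The four Framemaker records that follow (CVE-2024-47422 to CVE-2024-47425) carry the same ranges.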
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47422",
+ "description": "Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an Untrusted Search Path vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by inserting a malicious path into the search directories, which the application could unknowingly execute. This could allow the attacker to execute arbitrary code in the context of the current user. Exploitation of this issue requires user interaction.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/framemaker/apsb24-82.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:framemaker:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Adobe Framemaker",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "2022.5",
+ "status": "affected",
+ "version": "2021",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "2020.7",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47423.json b/data/anchore/2024/CVE-2024-47423.json
new file mode 100644
index 00000000..14d97fde
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47423.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47423",
+ "description": "Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by uploading a malicious file which can be automatically processed or executed by the system. Exploitation of this issue requires user interaction.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/framemaker/apsb24-82.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:framemaker:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Adobe Framemaker",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "2022.5",
+ "status": "affected",
+ "version": "2021",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "2020.7",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47424.json b/data/anchore/2024/CVE-2024-47424.json
new file mode 100644
index 00000000..ded548e2
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47424.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47424",
+ "description": "Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/framemaker/apsb24-82.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:framemaker:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Adobe Framemaker",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "2022.5",
+ "status": "affected",
+ "version": "2021",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "2020.7",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47425.json b/data/anchore/2024/CVE-2024-47425.json
new file mode 100644
index 00000000..8b275b09
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47425.json
@@ -0,0 +1,40 @@
+{
+ "additionalMetadata": {
+ "cna": "adobe",
+ "cveId": "CVE-2024-47425",
+ "description": "Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://helpx.adobe.com/security/products/framemaker/apsb24-82.html"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:adobe:framemaker:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Adobe Framemaker",
+ "vendor": "Adobe",
+ "versions": [
+ {
+ "lessThan": "2022.5",
+ "status": "affected",
+ "version": "2021",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "2020.7",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-47763.json b/data/anchore/2024/CVE-2024-47763.json
new file mode 100644
index 00000000..93baa4d4
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-47763.json
@@ -0,0 +1,67 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47763", + "description": "Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtime crash is a deterministic process abort when Wasmtime is compiled with Rust 1.81 and later. WebAssembly tail calls are a proposal which relatively recently reached stage 4 in the standardization process. Wasmtime first enabled support for tail calls by default in Wasmtime 21.0.0, although that release contained a bug where it was only on-by-default for some configurations. In Wasmtime 22.0.0 tail calls were enabled by default for all configurations. The specific crash happens when an exported function in a WebAssembly module (or component) performs a `return_call` (or `return_call_indirect` or `return_call_ref`) to an imported host function which captures a stack trace (for example, the host function raises a trap). In this situation, the stack-walking code previously assumed there was always at least one WebAssembly frame on the stack but with tail calls that is no longer true. With the tail-call proposal it's possible to have an entry trampoline appear as if it directly called the exit trampoline. This situation triggers an internal assert in the stack-walking code which raises a Rust `panic!()`. When Wasmtime is compiled with Rust versions 1.80 and prior this means that an `extern \"C\"` function in Rust is raising a `panic!()`. This is technically undefined behavior and typically manifests as a process abort when the unwinder fails to unwind Cranelift-generated frames. When Wasmtime is compiled with Rust versions 1.81 and later this panic becomes a deterministic process abort. 
Overall the impact of this issue is that this is a denial-of-service vector where a malicious WebAssembly module or component can cause the host to crash. There is no other impact at this time other than availability of a service as the result of the crash is always a crash and no more. This issue was discovered by routine fuzzing performed by the Wasmtime project via Google's OSS-Fuzz infrastructure. We have no evidence that it has ever been exploited by an attacker in the wild. All versions of Wasmtime which have tail calls enabled by default have been patched: * 21.0.x - patched in 21.0.2 * 22.0.x - patched in 22.0.1 * 23.0.x - patched in 23.0.3 * 24.0.x - patched in 24.0.1 * 25.0.x - patched in 25.0.2. Wasmtime versions from 12.0.x (the first release with experimental tail call support) to 20.0.x (the last release with tail-calls off-by-default) have support for tail calls but the support is disabled by default. These versions are not affected in their default configurations, but users who explicitly enabled tail call support will need to either disable tail call support or upgrade to a patched version of Wasmtime. The main workaround for this issue is to disable tail support for tail calls in Wasmtime, for example with `Config::wasm_tail_call(false)`. 
Users are otherwise encouraged to upgrade to patched versions.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_tail_call", + "https://github.com/WebAssembly/proposals", + "https://github.com/bytecodealliance/wasmtime/pull/8540", + "https://github.com/bytecodealliance/wasmtime/pull/8682", + "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q8hx-mm92-4wvg", + "https://github.com/webassembly/tail-call" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://crates.io", + "cpes": [ + "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*" + ], + "packageName": "wasmtime", + "packageType": "rust-crate", + "product": "wasmtime", + "repo": "https://github.com/bytecodealliance/wasmtime", + "vendor": "bytecodealliance", + "versions": [ + { + "lessThan": "21.0.2", + "status": "affected", + "version": "21.0.0", + "versionType": "custom" + }, + { + "lessThan": "22.0.1", + "status": "affected", + "version": "22.0.0", + "versionType": "custom" + }, + { + "lessThan": "23.0.3", + "status": "affected", + "version": "23.0.0", + "versionType": "custom" + }, + { + "lessThan": "24.0.1", + "status": "affected", + "version": "24.0.0", + "versionType": "custom" + }, + { + "lessThan": "25.0.2", + "status": "affected", + "version": "25.0.0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47813.json b/data/anchore/2024/CVE-2024-47813.json new file mode 100644 index 00000000..918398ab --- /dev/null +++ b/data/anchore/2024/CVE-2024-47813.json 
@@ -0,0 +1,63 @@ +{ + "additionalMetadata": { + "cna": "github_m", + "cveId": "CVE-2024-47813", + "description": "Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That registry corruption could, following an additional and particular sequence of concurrent events, lead to violations of WebAssembly's control-flow integrity (CFI) and type safety. Users that do not use `wasmtime::Engine` across multiple threads are not affected. Users that only create new modules across threads over time are additionally not affected. Reproducing this bug requires creating and dropping multiple type instances (such as `wasmtime::FuncType` or `wasmtime::ArrayType`) concurrently on multiple threads, where all types are associated with the same `wasmtime::Engine`. **Wasm guests cannot trigger this bug.** See the \"References\" section below for a list of Wasmtime types-related APIs that are affected. Wasmtime maintains an internal registry of types within a `wasmtime::Engine` and an engine is shareable across threads. Types can be created and referenced through creation of a `wasmtime::Module`, creation of `wasmtime::FuncType`, or a number of other APIs where the host creates a function (see \"References\" below). Each of these cases interacts with an engine to deduplicate type information and manage type indices that are used to implement type checks in WebAssembly's `call_indirect` function, for example. This bug is a race condition in this management where the internal type registry could be corrupted to trigger an assert or contain invalid state. Wasmtime's internal representation of a type has individual types (e.g. one-per-host-function) maintain a registration count of how many time it's been used. 
Types additionally have state within an engine behind a read-write lock such as lookup/deduplication information. The race here is a time-of-check versus time-of-use (TOCTOU) bug where one thread atomically decrements a type entry's registration count, observes zero registrations, and then acquires a lock in order to unregister that entry. However, between when this first thread observed the zero-registration count and when it acquires that lock, another thread could perform the following sequence of events: re-register another copy of the type, which deduplicates to that same entry, resurrecting it and incrementing its registration count; then drop the type and decrement its registration count; observe that the registration count is now zero; acquire the type registry lock; and finally unregister the type. Now, when the original thread finally acquires the lock and unregisters the entry, it is the second time this entry has been unregistered. This bug was originally introduced in Wasmtime 19's development of the WebAssembly GC proposal. This bug affects users who are not using the GC proposal, however, and affects Wasmtime in its default configuration even when the GC proposal is disabled. Wasmtime users using 19.0.0 and after are all affected by this issue. We have released the following Wasmtime versions, all of which have a fix for this bug: * 21.0.2 * 22.0.1 * 23.0.3 * 24.0.1 * 25.0.2. If your application creates and drops Wasmtime types on multiple threads concurrently, there are no known workarounds. 
Users are encouraged to upgrade to a patched release.", + "reason": "Added CPE configurations because not yet analyzed by NVD.", + "references": [ + "https://github.com/bytecodealliance/wasmtime/pull/7969", + "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7qmx-3fpx-r45m" + ] + }, + "adp": { + "affected": [ + { + "collectionURL": "https://crates.io", + "cpes": [ + "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*" + ], + "packageName": "wasmtime", + "packageType": "rust-crate", + "product": "wasmtime", + "repo": "https://github.com/bytecodealliance/wasmtime", + "vendor": "bytecodealliance", + "versions": [ + { + "lessThan": "21.0.2", + "status": "affected", + "version": "19.0.0", + "versionType": "custom" + }, + { + "lessThan": "22.0.1", + "status": "affected", + "version": "22.0.0", + "versionType": "custom" + }, + { + "lessThan": "23.0.3", + "status": "affected", + "version": "23.0.0", + "versionType": "custom" + }, + { + "lessThan": "24.0.1", + "status": "affected", + "version": "24.0.0", + "versionType": "custom" + }, + { + "lessThan": "25.0.2", + "status": "affected", + "version": "25.0.0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2024/CVE-2024-47828.json b/data/anchore/2024/CVE-2024-47828.json new file mode 100644 index 00000000..7e0b9353 --- /dev/null +++ b/data/anchore/2024/CVE-2024-47828.json 
@@ -0,0 +1,37 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-47828",
+ "description": "ampache is a web based audio/video streaming application and file manager. A CSRF attack can be performed in order to delete objects (Playlist, smartlist etc.). Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. This vulnerability can be exploited by creating a malicious script with an arbitrary playlist ID belonging to another user. When the user submits the request, their playlist will be deleted. Any User with active sessions who are tricked into submitting a malicious request are impacted, as their playlists or other objects could be deleted without their consent.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/ampache/ampache/security/advisories/GHSA-p9cq-2qph-55f2"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "ampache/ampache",
+ "product": "ampache",
+ "repo": "https://github.com/ampache/ampache",
+ "vendor": "ampache",
+ "versions": [
+ {
+ "lessThanOrEqual": "6.6.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-5968.json b/data/anchore/2024/CVE-2024-5968.json
new file mode 100644
index 00000000..39770035
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-5968.json
@@ -0,0 +1,37 @@
+{
+ "additionalMetadata": {
+ "cna": "wpscan",
+ "cveId": "CVE-2024-5968",
+ "description": "The Photo Gallery by 10Web WordPress plugin before 1.8.28 does not properly sanitise and escape some of its Gallery settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://wpscan.com/vulnerability/db73e8d8-feb1-4daa-937e-a73969a93bcc/"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:10web:photo_gallery:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "photo-gallery",
+ "packageType": "wordpress-plugin",
+ "product": "Photo Gallery by 10Web",
+ "repo": "https://plugins.svn.wordpress.org/photo-gallery",
+ "versions": [
+ {
+ "lessThan": "1.8.28",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-9680.json b/data/anchore/2024/CVE-2024-9680.json
new file mode 100644
index 00000000..63592909
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-9680.json
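Review bot: The affected entry in CVE-2024-5968.json has no `vendor` key, although its CPE names `10web` as the vendor and the other package-based records visible in this patch (wasmtime, ampache) set one. Adding `"vendor": "10Web"` next to `"product"` would keep the records uniform for consumers that key on vendor and product rather than on the CPE string.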
@@ -0,0 +1,65 @@
+{
+ "additionalMetadata": {
+ "cna": "mozilla",
+ "cveId": "CVE-2024-9680",
+ "description": "An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, and Firefox ESR < 115.16.1.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://bugzilla.mozilla.org/show_bug.cgi?id=1923344",
+ "https://www.mozilla.org/security/advisories/mfsa2024-51/"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Firefox",
+ "vendor": "Mozilla",
+ "versions": [
+ {
+ "lessThan": "131.0.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Firefox ESR",
+ "vendor": "Mozilla",
+ "versions": [
+ {
+ "lessThan": "128.3.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Firefox ESR",
+ "vendor": "Mozilla",
+ "versions": [
+ {
+ "lessThan": "115.16.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
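Review bot: In CVE-2024-9680.json the first Firefox ESR entry runs from `"version": "0"` to `"lessThan": "128.3.1"`, so it also covers the fixed 115.16.1 and every later 115.x ESR release, and it makes the separate `115.16.1` entry redundant. The description lists ESR < 128.3.1 and ESR < 115.16.1 as two branches, so patched 115.x installs would be reported as still affected by a vulnerability the record describes as exploited in the wild. Giving the 128 range a lower bound above the 115 branch, for example `"version": "116"`, keeps the two branches apart. Both ESR entries use the same CPE and could be one entry with two ranges, the way the Animate records in this patch are written.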