From 47661c2e0a77957c64ba5f41fe31b580e7aa4779 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Wed, 18 Dec 2024 09:30:37 +0000 Subject: [PATCH] updates 2024-12-18 
Signed-off-by: Weston Steimel --- data/anchore/2023/CVE-2023-44487.json | 4 +- data/anchore/2023/CVE-2023-49921.json | 2 +- data/anchore/2024/CVE-2024-0620.json | 2 +- data/anchore/2024/CVE-2024-10356.json | 45 ++++++++++++++ data/anchore/2024/CVE-2024-11280.json | 45 ++++++++++++++ data/anchore/2024/CVE-2024-11294.json | 45 ++++++++++++++ data/anchore/2024/CVE-2024-12024.json | 49 +++++++++++++++ data/anchore/2024/CVE-2024-12239.json | 45 ++++++++++++++ data/anchore/2024/CVE-2024-12539.json | 46 ++++++++++++++ data/anchore/2024/CVE-2024-12601.json | 47 ++++++++++++++ data/anchore/2024/CVE-2024-23444.json | 2 +- data/anchore/2024/CVE-2024-23445.json | 2 +- data/anchore/2024/CVE-2024-23449.json | 2 +- data/anchore/2024/CVE-2024-23450.json | 2 +- data/anchore/2024/CVE-2024-23451.json | 2 +- data/anchore/2024/CVE-2024-23672.json | 4 +- data/anchore/2024/CVE-2024-24549.json | 4 +- data/anchore/2024/CVE-2024-34750.json | 10 +-- data/anchore/2024/CVE-2024-37222.json | 2 +- data/anchore/2024/CVE-2024-37280.json | 2 +- data/anchore/2024/CVE-2024-50379.json | 90 +++++++++++++++++++++++++++ data/anchore/2024/CVE-2024-51479.json | 45 ++++++++++++++ data/anchore/2024/CVE-2024-52316.json | 45 ++++++++++++-- data/anchore/2024/CVE-2024-52792.json | 46 ++++++++++++++ data/anchore/2024/CVE-2024-54677.json | 90 +++++++++++++++++++++++++++ 25 files changed, 652 insertions(+), 26 deletions(-) create mode 100644 data/anchore/2024/CVE-2024-10356.json create mode 100644 data/anchore/2024/CVE-2024-11280.json create mode 100644 data/anchore/2024/CVE-2024-11294.json create mode 100644 data/anchore/2024/CVE-2024-12024.json create mode 100644 data/anchore/2024/CVE-2024-12239.json create mode 100644 data/anchore/2024/CVE-2024-12539.json create mode 100644 data/anchore/2024/CVE-2024-12601.json create mode 100644 data/anchore/2024/CVE-2024-50379.json create mode 100644 data/anchore/2024/CVE-2024-51479.json create mode 100644 data/anchore/2024/CVE-2024-52792.json create mode 100644 
data/anchore/2024/CVE-2024-54677.json diff --git a/data/anchore/2023/CVE-2023-44487.json b/data/anchore/2023/CVE-2023-44487.json index 2406d7df..9d1436cd 100644 --- a/data/anchore/2023/CVE-2023-44487.json +++ b/data/anchore/2023/CVE-2023-44487.json @@ -559,7 +559,7 @@ { "lessThan": "9.0.81", "status": "affected", - "version": "9.0.0-M1", + "version": "9.0.0.M1", "versionType": "maven" }, { @@ -596,7 +596,7 @@ { "lessThan": "9.0.81", "status": "affected", - "version": "9.0.0-M1", + "version": "9.0.0.M1", "versionType": "maven" }, { diff --git a/data/anchore/2023/CVE-2023-49921.json b/data/anchore/2023/CVE-2023-49921.json index f8496e0c..329f57ba 100644 --- a/data/anchore/2023/CVE-2023-49921.json +++ b/data/anchore/2023/CVE-2023-49921.json @@ -11,7 +11,7 @@ "adp": { "affected": [ { - "collectionURL": "https://repo.maven.apache.org/maven2", + "collectionURL": "https://artifacts.elastic.co/downloads/elasticsearch", "cpes": [ "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:maven:*:*", "cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:maven:*:*", diff --git a/data/anchore/2024/CVE-2024-0620.json b/data/anchore/2024/CVE-2024-0620.json index 36b762ea..4bf44ce2 100644 --- a/data/anchore/2024/CVE-2024-0620.json +++ b/data/anchore/2024/CVE-2024-0620.json @@ -18,7 +18,7 @@ "packageName": "password-protect-page", "packageType": "wordpress-plugin", "product": "PPWP – Password Protect Pages", - "repo": "https://plugins.svn.wordpress.org/ppwp", + "repo": "https://plugins.svn.wordpress.org/password-protect-page", "vendor": "yuryonfolio", "versions": [ { diff --git a/data/anchore/2024/CVE-2024-10356.json b/data/anchore/2024/CVE-2024-10356.json new file mode 100644 index 00000000..5fdb51e8 --- /dev/null +++ b/data/anchore/2024/CVE-2024-10356.json 
@@ -0,0 +1,45 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-10356",
+ "description": "The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.4.8 in inc/Widgets/accordion/output/content.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset/3204333/element-ready-lite",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0a48c91-7e2c-4708-b5af-dfbcfea08f83?source=cve"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-17T12:43:38.479Z",
+ "dateReserved": "2024-10-24T16:03:33.275Z",
+ "dateUpdated": "2024-12-17T17:28:56.942Z",
+ "digest": "23105693886bcc5d3f7989837a54278098b134f876ba4a196a434e6f0dfc7576"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:quomodosoft:elementsready:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "element-ready-lite",
+ "packageType": "wordpress-plugin",
+ "product": "ElementsReady Addons for Elementor",
+ "repo": "https://plugins.svn.wordpress.org/element-ready-lite",
+ "vendor": "quomodosoft",
+ "versions": [
+ {
+ "lessThan": "6.4.9",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-11280.json b/data/anchore/2024/CVE-2024-11280.json
new file mode 100644
index 00000000..7956fdd4
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-11280.json
@@ -0,0 +1,45 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-11280",
+ "description": "The PPWP – Password Protect Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset/3208393/password-protect-page",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9ac0d84-dff4-4a03-a530-cac47ffaf2bb?source=cve"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-17T11:24:29.909Z",
+ "dateReserved": "2024-11-15T19:22:40.649Z",
+ "dateUpdated": "2024-12-17T17:29:04.305Z",
+ "digest": "998346e4a730eb2d6ab3f8aa4eed2226fcde79294168225cad6f62d33aa9d4a6"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:passwordprotectwp:password_protect_wordpress:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "password-protect-page",
+ "packageType": "wordpress-plugin",
+ "product": "PPWP – Password Protect Pages",
+ "repo": "https://plugins.svn.wordpress.org/password-protect-page",
+ "vendor": "yuryonfolio",
+ "versions": [
+ {
+ "lessThan": "1.9.6",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-11294.json b/data/anchore/2024/CVE-2024-11294.json
new file mode 100644
index 00000000..40daf642
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-11294.json
@@ -0,0 +1,45 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-11294",
+ "description": "The Memberful plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.73.9 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as site members.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/changeset/3204895/memberful-wp",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/19ad787d-e027-48f5-8b5f-9263338b4fc3?source=cve"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-17T08:22:46.366Z",
+ "dateReserved": "2024-11-15T23:28:57.445Z",
+ "dateUpdated": "2024-12-17T14:37:53.936Z",
+ "digest": "607cab6eb4162e50d29c5fc2dcc0eaba3cb1fdb2ef44fb7c98818a637673d8dc"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:memberful:memberful:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "memberful-wp",
+ "packageType": "wordpress-plugin",
+ "product": "Memberful – Membership Plugin",
+ "repo": "https://plugins.svn.wordpress.org/memberful-wp",
+ "vendor": "memberful",
+ "versions": [
+ {
+ "lessThan": "1.74.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-12024.json b/data/anchore/2024/CVE-2024-12024.json
new file mode 100644
index 00000000..c7254e83
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-12024.json
@@ -0,0 +1,49 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-12024",
+ "description": "The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the em_ticket_category_data and em_ticket_individual_data parameters in all versions up to, and including, 4.0.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.\r\nNote: this vulnerability requires the \"Guest Submissions\" setting to be enabled. It is disabled by default.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.0.5.3/admin/partials/metaboxes/meta-box-tickets-panel-html.php#L216",
+ "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.0.5.3/admin/partials/metaboxes/meta-box-tickets-panel-html.php#L264",
+ "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.0.5.3/includes/class-ep-ajax.php#L1245",
+ "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.0.5.3/includes/class-ep-ajax.php#L971",
+ "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.0.5.3/includes/class-eventprime-sanitizer.php#L122",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e51c8b5-cbb9-48aa-9c99-69f1b39fb0b4?source=cve"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-17T09:22:41.540Z",
+ "dateReserved": "2024-12-02T14:36:59.586Z",
+ "dateUpdated": "2024-12-17T17:29:41.507Z",
+ "digest": "caaa1bbdd891c00987f970fb18a37df213062cb14218484111700516f4e9d6c5"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:metagauss:eventprime:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "eventprime-event-calendar-management",
+ "packageType": "wordpress-plugin",
+ "product": "EventPrime – Events Calendar, Bookings and Tickets",
+ "repo": "https://plugins.svn.wordpress.org/eventprime-event-calendar-management",
+ "vendor": "metagauss",
+ "versions": [
+ {
+ "lessThan": "4.0.6.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-12239.json b/data/anchore/2024/CVE-2024-12239.json
new file mode 100644
index 00000000..04d7738d
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-12239.json
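Review bot: The version range in CVE-2024-12024.json declares `"versionType": "semver"` for the bound `"lessThan": "4.0.6.0"`, and a four-component version is not valid semver. A consumer that parses bounds by the declared type may reject this one or compare it incorrectly against installed versions such as 4.0.5.3, which the description names as affected. `"versionType": "custom"`, already used for other records in this patch, would avoid that. The listed references point only at the 4.0.5.3 source tree, so the fixed version 4.0.6.0 cannot be verified from this record; a changeset or release reference would help.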
@@ -0,0 +1,45 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-12239",
+ "description": "The PowerPack Lite for Beaver Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the navigate parameter in all versions up to, and including, 1.3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/powerpack-addon-for-beaver-builder/trunk/includes/admin-settings-templates.php#L62",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/5138ed4c-3e9c-45da-917e-e8d8396a62f1?source=cve"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-17T01:45:15.497Z",
+ "dateReserved": "2024-12-05T12:14:23.511Z",
+ "dateUpdated": "2024-12-17T14:35:57.246Z",
+ "digest": "d7e14a9a7c7fcf7824271cb7e521035cf6da9e34e13ee09edcdeaa0f475981de"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:wpbeaveraddons:powerpack_lite_for_beaver_builder:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "powerpack-addon-for-beaver-builder",
+ "packageType": "wordpress-plugin",
+ "product": "PowerPack Lite for Beaver Builder",
+ "repo": "https://plugins.svn.wordpress.org/powerpack-addon-for-beaver-builder",
+ "vendor": "ideaboxcreations",
+ "versions": [
+ {
+ "lessThan": "1.3.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-12539.json b/data/anchore/2024/CVE-2024-12539.json
new file mode 100644
index 00000000..232bbf20
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-12539.json
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "elastic",
+ "cveId": "CVE-2024-12539",
+ "description": "An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://discuss.elastic.co/t/elasticsearch-8-16-2-8-17-0-security-update/372091"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-17T20:50:04.968Z",
+ "dateReserved": "2024-12-11T20:10:08.792Z",
+ "dateUpdated": "2024-12-17T21:23:57.366Z",
+ "digest": "bbab2295ea166199d85c58ced483484b7db10aa273b84102472127c9f39314ad"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://artifacts.elastic.co/downloads/elasticsearch",
+ "cpes": [
+ "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:org.elasticsearch:elasticsearch:*:*:*:*:*:maven:*:*"
+ ],
+ "packageName": "org.elasticsearch:elasticsearch",
+ "packageType": "maven",
+ "product": "Elasticsearch",
+ "repo": "https://github.com/elastic/elasticsearch",
+ "vendor": "Elastic",
+ "versions": [
+ {
+ "lessThan": "8.16.2",
+ "status": "affected",
+ "version": "8.16.0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-12601.json b/data/anchore/2024/CVE-2024-12601.json
new file mode 100644
index 00000000..f05e4565
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-12601.json
@@ -0,0 +1,47 @@
+{
+ "additionalMetadata": {
+ "cna": "wordfence",
+ "cveId": "CVE-2024-12601",
+ "description": "The Calculated Fields Form plugin for WordPress is vulnerable to Denial of Service in all versions up to, and including, 5.2.63. This is due to unlimited height and width parameters for CAPTCHA images. This makes it possible for unauthenticated attackers to send multiple requests with large values, resulting in slowing server resources if the server does not mitigate Denial of Service attacks.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://plugins.trac.wordpress.org/browser/calculated-fields-form/trunk/captcha/captcha.php#L74",
+ "https://plugins.trac.wordpress.org/browser/calculated-fields-form/trunk/captcha/captcha.php#L75",
+ "https://plugins.trac.wordpress.org/changeset/3207826/",
+ "https://www.wordfence.com/threat-intel/vulnerabilities/id/1eade2ed-9a75-4857-a2c5-a21e016e7029?source=cve"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-17T11:10:17.899Z",
+ "dateReserved": "2024-12-13T00:38:11.068Z",
+ "dateUpdated": "2024-12-17T17:29:22.544Z",
+ "digest": "e0f2373cc4b3b13bd8bab2b313a49172a135718eae27d99e0f9009f6be5436a1"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://wordpress.org/plugins",
+ "cpes": [
+ "cpe:2.3:a:codepeople:calculated_fields_form:*:*:*:*:*:wordpress:*:*"
+ ],
+ "packageName": "calculated-fields-form",
+ "packageType": "wordpress-plugin",
+ "product": "Calculated Fields Form",
+ "repo": "https://plugins.svn.wordpress.org/calculated-fields-form",
+ "vendor": "codepeople",
+ "versions": [
+ {
+ "lessThan": "5.2.64",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-23444.json b/data/anchore/2024/CVE-2024-23444.json index 5ff233a8..f1c87ee1 100644 --- a/data/anchore/2024/CVE-2024-23444.json +++ b/data/anchore/2024/CVE-2024-23444.json @@ -11,7 +11,7 @@ "adp": { "affected": [ { - "collectionURL": "https://repo.maven.apache.org/maven2", + "collectionURL": "https://artifacts.elastic.co/downloads/elasticsearch", "cpes": [ "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:maven:*:*", "cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:maven:*:*", diff --git a/data/anchore/2024/CVE-2024-23445.json b/data/anchore/2024/CVE-2024-23445.json index 684467d1..56c963c7 100644 --- a/data/anchore/2024/CVE-2024-23445.json +++ b/data/anchore/2024/CVE-2024-23445.json @@ -11,7 +11,7 @@ "adp": { "affected": [ { - "collectionURL": "https://repo.maven.apache.org/maven2", + "collectionURL": "https://artifacts.elastic.co/downloads/elasticsearch", "cpes": [ "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:maven:*:*", "cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:maven:*:*", diff --git a/data/anchore/2024/CVE-2024-23449.json b/data/anchore/2024/CVE-2024-23449.json index 924c0a91..b9838705 100644 --- a/data/anchore/2024/CVE-2024-23449.json +++ b/data/anchore/2024/CVE-2024-23449.json @@ -10,7 +10,7 @@ "adp": { "affected": [ { - "collectionURL": "https://repo.maven.apache.org/maven2", + "collectionURL": "https://artifacts.elastic.co/downloads/elasticsearch", "cpes": [ "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:maven:*:*", "cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:maven:*:*", diff --git a/data/anchore/2024/CVE-2024-23450.json b/data/anchore/2024/CVE-2024-23450.json index 4c71c278..451583a3 100644 --- a/data/anchore/2024/CVE-2024-23450.json +++ b/data/anchore/2024/CVE-2024-23450.json 
@@ -11,7 +11,7 @@ "adp": { "affected": [ { - "collectionURL": "https://repo.maven.apache.org/maven2", + "collectionURL": "https://artifacts.elastic.co/downloads/elasticsearch", "cpes": [ "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:maven:*:*", "cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:maven:*:*", diff --git a/data/anchore/2024/CVE-2024-23451.json b/data/anchore/2024/CVE-2024-23451.json index 5f49da0b..dd161656 100644 --- a/data/anchore/2024/CVE-2024-23451.json +++ b/data/anchore/2024/CVE-2024-23451.json @@ -10,7 +10,7 @@ "adp": { "affected": [ { - "collectionURL": "https://repo.maven.apache.org/maven2", + "collectionURL": "https://artifacts.elastic.co/downloads/elasticsearch", "cpes": [ "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:maven:*:*", "cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:maven:*:*", diff --git a/data/anchore/2024/CVE-2024-23672.json b/data/anchore/2024/CVE-2024-23672.json index 17191684..5549bb9d 100644 --- a/data/anchore/2024/CVE-2024-23672.json +++ b/data/anchore/2024/CVE-2024-23672.json @@ -38,7 +38,7 @@ { "lessThan": "9.0.86", "status": "affected", - "version": "9.0.0-M1", + "version": "9.0.0.M1", "versionType": "semver" }, { @@ -75,7 +75,7 @@ { "lessThan": "9.0.86", "status": "affected", - "version": "9.0.0-M1", + "version": "9.0.0.M1", "versionType": "semver" }, { diff --git a/data/anchore/2024/CVE-2024-24549.json b/data/anchore/2024/CVE-2024-24549.json index a0254b55..b3041701 100644 --- a/data/anchore/2024/CVE-2024-24549.json +++ b/data/anchore/2024/CVE-2024-24549.json @@ -39,7 +39,7 @@ { "lessThan": "9.0.86", "status": "affected", - "version": "9.0.0-M1", + "version": "9.0.0.M1", "versionType": "semver" }, { @@ -77,7 +77,7 @@ { "lessThan": "9.0.86", "status": "affected", - "version": "9.0.0-M1", + "version": "9.0.0.M1", "versionType": "semver" }, { diff --git a/data/anchore/2024/CVE-2024-34750.json b/data/anchore/2024/CVE-2024-34750.json index ce60d68c..4932a20d 100644 --- a/data/anchore/2024/CVE-2024-34750.json 
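Review bot: Both hunks of CVE-2024-23672.json set the lower bound to `9.0.0.M1` while the following context line still reads `"versionType": "semver"`. `9.0.0.M1` is not a valid semver string, so a consumer that parses bounds by the declared type may fail on it or order it incorrectly, which could drop the 9.0.x range from matching. The two hunks of CVE-2024-24549.json carry the same combination. The CVE-2024-52316.json change in this patch pairs the same version correction with `"versionType": "maven"`; doing the same here would keep the records consistent.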
+++ b/data/anchore/2024/CVE-2024-34750.json @@ -37,7 +37,7 @@ { "lessThan": "9.0.90", "status": "affected", - "version": "9.0.0-M1", + "version": "9.0.0.M1", "versionType": "maven" } ] @@ -55,21 +55,21 @@ "vendor": "Apache Software Foundation", "versions": [ { - "lessThan": "11.0.0-m21", + "lessThan": "11.0.0-M21", "status": "affected", - "version": "11.0.0-m1", + "version": "11.0.0-M1", "versionType": "maven" }, { "lessThan": "10.1.25", "status": "affected", - "version": "10.1.0-m1", + "version": "10.1.0-M1", "versionType": "maven" }, { "lessThan": "9.0.90", "status": "affected", - "version": "9.0.0-m1", + "version": "9.0.0.M1", "versionType": "maven" } ] diff --git a/data/anchore/2024/CVE-2024-37222.json b/data/anchore/2024/CVE-2024-37222.json index 53d2003f..7f3d3f68 100644 --- a/data/anchore/2024/CVE-2024-37222.json +++ b/data/anchore/2024/CVE-2024-37222.json @@ -22,7 +22,7 @@ "vendor": "Averta", "versions": [ { - "lessThanOrEqual": "3.9.10", + "lessThan": "3.10.5", "status": "affected", "version": "0", "versionType": "custom" diff --git a/data/anchore/2024/CVE-2024-37280.json b/data/anchore/2024/CVE-2024-37280.json index 0d73edbf..d3fb036b 100644 --- a/data/anchore/2024/CVE-2024-37280.json +++ b/data/anchore/2024/CVE-2024-37280.json @@ -11,7 +11,7 @@ "adp": { "affected": [ { - "collectionURL": "https://repo.maven.apache.org/maven2", + "collectionURL": "https://artifacts.elastic.co/downloads/elasticsearch", "cpes": [ "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:maven:*:*", "cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:maven:*:*", diff --git a/data/anchore/2024/CVE-2024-50379.json b/data/anchore/2024/CVE-2024-50379.json new file mode 100644 index 00000000..ad1df4f6 --- /dev/null +++ b/data/anchore/2024/CVE-2024-50379.json 
@@ -0,0 +1,90 @@
+{
+ "additionalMetadata": {
+ "cna": "apache",
+ "cveId": "CVE-2024-50379",
+ "description": "Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.\n\nUsers are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.08, which fixes the issue.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-17T12:34:54.827Z",
+ "dateReserved": "2024-10-23T13:31:10.241Z",
+ "dateUpdated": "2024-12-17T18:03:45.524Z",
+ "digest": "73dd76aa4341fc21193463516d5123988168dd436af4f0f31edcc057a51d3803"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://repo.maven.apache.org/maven2",
+ "cpes": [
+ "cpe:2.3:a:apache:tomcat-catalina:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:apache:tomcat:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:org.apache.tomcat:tomcat-catalina:*:*:*:*:*:maven:*:*"
+ ],
+ "packageName": "org.apache.tomcat:tomcat-catalina",
+ "packageType": "maven",
+ "product": "Apache Tomcat",
+ "repo": "https://github.com/apache/tomcat",
+ "vendor": "Apache Software Foundation",
+ "versions": [
+ {
+ "lessThan": "11.0.2",
+ "status": "affected",
+ "version": "11.0.0-M1",
+ "versionType": "maven"
+ },
+ {
+ "lessThan": "10.1.34",
+ "status": "affected",
+ "version": "10.1.0-M1",
+ "versionType": "maven"
+ },
+ {
+ "lessThan": "9.0.98",
+ "status": "affected",
+ "version": "9.0.0.M1",
+ "versionType": "maven"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://repo.maven.apache.org/maven2",
+ "cpes": [
+ "cpe:2.3:a:apache:tomcat-embed-core:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:org.apache.tomcat.embed:tomcat-embed-core:*:*:*:*:*:maven:*:*"
+ ],
+ "packageName": "org.apache.tomcat.embed:tomcat-embed-core",
+ "packageType": "maven",
+ "product": "Apache Tomcat Embed",
+ "repo": "https://github.com/apache/tomcat",
+ "vendor": "Apache Software Foundation",
+ "versions": [
+ {
+ "lessThan": "11.0.2",
+ "status": "affected",
+ "version": "11.0.0-M1",
+ "versionType": "maven"
+ },
+ {
+ "lessThan": "10.1.34",
+ "status": "affected",
+ "version": "10.1.0-M1",
+ "versionType": "maven"
+ },
+ {
+ "lessThan": "9.0.98",
+ "status": "affected",
+ "version": "9.0.0.M1",
+ "versionType": "maven"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-51479.json b/data/anchore/2024/CVE-2024-51479.json
new file mode 100644
index 00000000..f52bf8e9
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-51479.json
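Review bot: The `upstream.digest` added in CVE-2024-50379.json, `73dd76aa4341fc21193463516d5123988168dd436af4f0f31edcc057a51d3803`, is byte-identical to the one added in CVE-2024-54677.json later in this patch, although the two records carry different descriptions, references and dates. If the digest is meant to fingerprint the upstream CVE record (an assumption; its derivation is not visible here), at least one of the two was copied rather than computed. Later upstream edits to that record could then go unnoticed or be flagged spuriously. Both digests should be recomputed from their own upstream records before merging.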
@@ -0,0 +1,45 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-51479",
+ "description": "Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/vercel/next.js/releases/tag/v14.2.15",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-17T18:13:02.806Z",
+ "dateReserved": "2024-10-28T14:20:59.335Z",
+ "dateUpdated": "2024-12-17T20:36:28.402Z",
+ "digest": "7c8be53232c5562209a4f85b89e36e1310a82d6ead941cc786e466c7c14ac68b"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://registry.npmjs.org",
+ "cpes": [
+ "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*"
+ ],
+ "packageName": "next",
+ "packageType": "npm",
+ "product": "next.js",
+ "repo": "https://github.com/vercel/next.js",
+ "vendor": "vercel",
+ "versions": [
+ {
+ "lessThan": "14.2.15",
+ "status": "affected",
+ "version": "9.5.5",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-52316.json b/data/anchore/2024/CVE-2024-52316.json
index 65d2ea03..c01cafb5 100644
--- a/data/anchore/2024/CVE-2024-52316.json +++ b/data/anchore/2024/CVE-2024-52316.json @@ -20,25 +20,58 @@ "packageName": "org.apache.tomcat:tomcat-catalina", "packageType": "maven", "product": "Apache Tomcat", + "repo": "https://github.com/apache/tomcat", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "11.0.0", "status": "affected", - "version": "11.0.0-m1", - "versionType": "semver" + "version": "11.0.0-M1", + "versionType": "maven" }, { "lessThan": "10.1.31", "status": "affected", - "version": "10.1.0-m1", - "versionType": "semver" + "version": "10.1.0-M1", + "versionType": "maven" }, { "lessThan": "9.0.96", "status": "affected", - "version": "9.0.0-m1", - "versionType": "semver" + "version": "9.0.0.M1", + "versionType": "maven" + } + ] + }, + { + "collectionURL": "https://repo.maven.apache.org/maven2", + "cpes": [ + "cpe:2.3:a:apache:tomcat-embed-core:*:*:*:*:*:maven:*:*", + "cpe:2.3:a:org.apache.tomcat.embed:tomcat-embed-core:*:*:*:*:*:maven:*:*" + ], + "packageName": "org.apache.tomcat.embed:tomcat-embed-core", + "packageType": "maven", + "product": "Apache Tomcat Embed", + "repo": "https://github.com/apache/tomcat", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThan": "11.0.0", + "status": "affected", + "version": "11.0.0-M1", + "versionType": "maven" + }, + { + "lessThan": "10.1.31", + "status": "affected", + "version": "10.1.0-M1", + "versionType": "maven" + }, + { + "lessThan": "9.0.96", + "status": "affected", + "version": "9.0.0.M1", + "versionType": "maven" } ] } diff --git a/data/anchore/2024/CVE-2024-52792.json b/data/anchore/2024/CVE-2024-52792.json new file mode 100644 index 00000000..13d191e8 --- /dev/null +++ b/data/anchore/2024/CVE-2024-52792.json 
@@ -0,0 +1,46 @@
+{
+ "additionalMetadata": {
+ "cna": "github_m",
+ "cveId": "CVE-2024-52792",
+ "description": "LDAP Account Manager (LAM) is a php webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In affected versions LAM does not properly sanitize configuration values, that are set via `mainmanage.php` and `confmain.php`. This allows setting arbitrary config values and thus effectively bypassing `mitigation` of CVE-2024-23333/GHSA-fm9w-7m7v-wxqv. Configuration values for the main config or server profiles are set via `mainmanage.php` and `confmain.php`.\nThe values are written to `config.cfg` or `serverprofile.conf` in the format of `settingsName: settingsValue` line-by-line.\nAn attacker can smuggle arbitrary config values in a config file, by inserting a newline into certain config fields, followed by the value. This vulnerability has been addressed in version 9.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://github.com/LDAPAccountManager/lam/blob/fd665fef3b222bf8205154b14f676815d2d6ae20/lam/templates/config/mainmanage.php#L263",
+ "https://github.com/LDAPAccountManager/lam/releases/tag/9.0",
+ "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6cp9-j5r7-xhcc",
+ "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-fm9w-7m7v-wxqv"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-17T21:46:27.319Z",
+ "dateReserved": "2024-11-15T17:11:13.439Z",
+ "dateUpdated": "2024-12-17T21:46:27.319Z",
+ "digest": "a5010619effb91ac4c446dd9fb36f194a2cfbc16a2cfa2cc5f9d237848c8bd88"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://github.com",
+ "cpes": [
+ "cpe:2.3:a:ldap-account-manager:ldap_account_manager:*:*:*:*:*:*:*:*"
+ ],
+ "packageName": "ldapaccountmanager/lam",
+ "product": "lam",
+ "repo": "https://github.com/ldapaccountmanager/lam",
+ "vendor": "LDAPAccountManager",
+ "versions": [
+ {
+ "lessThan": "9.0",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-54677.json b/data/anchore/2024/CVE-2024-54677.json
new file mode 100644
index 00000000..8c040115
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-54677.json
@@ -0,0 +1,90 @@
+{
+ "additionalMetadata": {
+ "cna": "apache",
+ "cveId": "CVE-2024-54677",
+ "description": "Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97.\n\nUsers are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.",
+ "reason": "Added CPE configurations because not yet analyzed by NVD.",
+ "references": [
+ "https://lists.apache.org/thread/tdtbbxpg5trdwc2wnopcth9ccvdftq2n"
+ ],
+ "upstream": {
+ "datePublished": "2024-12-17T12:35:50.948Z",
+ "dateReserved": "2024-12-05T07:31:33.851Z",
+ "dateUpdated": "2024-12-18T07:08:30.439Z",
+ "digest": "73dd76aa4341fc21193463516d5123988168dd436af4f0f31edcc057a51d3803"
+ }
+ },
+ "adp": {
+ "affected": [
+ {
+ "collectionURL": "https://repo.maven.apache.org/maven2",
+ "cpes": [
+ "cpe:2.3:a:apache:tomcat-catalina:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:apache:tomcat:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:org.apache.tomcat:tomcat-catalina:*:*:*:*:*:maven:*:*"
+ ],
+ "packageName": "org.apache.tomcat:tomcat-catalina",
+ "packageType": "maven",
+ "product": "Apache Tomcat",
+ "repo": "https://github.com/apache/tomcat",
+ "vendor": "Apache Software Foundation",
+ "versions": [
+ {
+ "lessThan": "11.0.2",
+ "status": "affected",
+ "version": "11.0.0-M1",
+ "versionType": "maven"
+ },
+ {
+ "lessThan": "10.1.34",
+ "status": "affected",
+ "version": "10.1.0-M1",
+ "versionType": "maven"
+ },
+ {
+ "lessThan": "9.0.98",
+ "status": "affected",
+ "version": "9.0.0.M1",
+ "versionType": "maven"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://repo.maven.apache.org/maven2",
+ "cpes": [
+ "cpe:2.3:a:apache:tomcat-embed-core:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:org.apache.tomcat.embed:tomcat-embed-core:*:*:*:*:*:maven:*:*"
+ ],
+ "packageName": "org.apache.tomcat.embed:tomcat-embed-core",
+ "packageType": "maven",
+ "product": "Apache Tomcat Embed",
+ "repo": "https://github.com/apache/tomcat",
+ "vendor": "Apache Software Foundation",
+ "versions": [
+ {
+ "lessThan": "11.0.2",
+ "status": "affected",
+ "version": "11.0.0-M1",
+ "versionType": "maven"
+ },
+ {
+ "lessThan": "10.1.34",
+ "status": "affected",
+ "version": "10.1.0-M1",
+ "versionType": "maven"
+ },
+ {
+ "lessThan": "9.0.98",
+ "status": "affected",
+ "version": "9.0.0.M1",
+ "versionType": "maven"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file