remove libcurl from CVE-2024-32928

Signed-off-by: Weston Steimel <[email protected]>
anchore · Nov 11, 2024 · 5c8eeb9 · 5c8eeb9
1 parent 5ab0216
commit 5c8eeb9
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/data/anchore/2024/CVE-2024-32928.json b/data/anchore/2024/CVE-2024-32928.json
@@ -0,0 +1,34 @@
+{
+  "additionalMetadata": {
+    "cna": "google_devices",
+    "cveId": "CVE-2024-32928",
+    "description": "The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices which enabled a potential man-in-the-middle attack on requests to Google cloud services by any host the traffic was routed through.",
+    "reason": "Remove libcurl as affected product",
+    "references": [
+      "https://support.google.com/product-documentation/answer/14771247?hl=en&ref_topic=12974021&sjid=9111851316942032590-NA#zippy="
+    ]
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:o:google:nest_mini_firmware:-:*:*:*:*:*:*:*"
+        ],
+        "product": "Nest Speakers",
+        "vendor": "Google",
+        "versions": [
+          {
+            "lessThan": "3.73",
+            "version": "0",
+            "status": "affected",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}