update and format

vulnerabilities/AIKIDO-2023-10001.json

@@ -1,25 +1,38 @@
 {
-  "id" : "AIKIDO-2023-10001",
-  "package_name" : "axios",
-  "patch_versions" : [ "0.29.0", "1.6.4" ],
-  "vulnerable_ranges" : [ [ "0.1.0", "0.28.1" ], [ "1.0.0", "1.6.3" ] ],
-  "cwe" : [ "CWE-1321" ],
-  "tldr" : "Several security vulnerabilities were quietly patched in `axios` version 1.6.4 and version 0.29.0. Notably, a prototype pollution flaw impacted the `formDataToJSON` function, posing a significant risk. Additionally, a Regular Expression Denial of Service (ReDoS) vulnerability was identified and fixed in the `combineURLs` function.",
-  "doest_this_affect_me" : "You are affected by this flaw if you use the formDataToJSON function. This is more likely to happen in a front-end than in a backend.",
-  "how_to_fix" : "To fix, either freeze the prototype or upgrade to axios 1.6.4 or above.",
-  "reporter" : null,
-  "vulnerable_to" : "Prototype Pollution",
-  "related_cve_id" : "",
-  "language" : "JS",
-  "severity_class" : "HIGH",
-  "aikido_score" : 77,
-  "changelog" : "https://github.com/axios/axios/releases/tag/v1.6.4",
-  "package_name_alias" : null,
-  "package_wildcard_ends_in" : null,
-  "package_wildcard_contains" : null,
-  "extra_specific_non_vulnerable_versions" : null,
-  "unaffected_distros" : null,
-  "simplify_version_if_has_patch_part" : false,
-  "published" : "2024-02-01",
-  "last_modified" : "2024-11-22"
+  "package_name": "axios",
+  "patch_versions": [
+    "0.29.0",
+    "1.6.4"
+  ],
+  "vulnerable_ranges": [
+    [
+      "0.1.0",
+      "0.28.1"
+    ],
+    [
+      "1.0.0",
+      "1.6.3"
+    ]
+  ],
+  "cwe": [
+    "CWE-1321"
+  ],
+  "tldr": "Several security vulnerabilities were quietly patched in `axios` version 1.6.4 and version 0.29.0. Notably, a prototype pollution flaw impacted the `formDataToJSON` function, posing a significant risk. Additionally, a Regular Expression Denial of Service (ReDoS) vulnerability was identified and fixed in the `combineURLs` function.",
+  "doest_this_affect_me": "You are affected by this flaw if you use the formDataToJSON function. This is more likely to happen in a front-end than in a backend.",
+  "how_to_fix": "To fix, either freeze the prototype or upgrade to axios 1.6.4 or above.",
+  "reporter": null,
+  "vulnerable_to": "Prototype Pollution",
+  "related_cve_id": "",
+  "language": "JS",
+  "severity_class": "HIGH",
+  "aikido_score": 77,
+  "changelog": "https://github.com/axios/axios/releases/tag/v1.6.4",
+  "package_name_alias": null,
+  "package_wildcard_ends_in": null,
+  "package_wildcard_contains": null,
+  "extra_specific_non_vulnerable_versions": null,
+  "unaffected_distros": null,
+  "simplify_version_if_has_patch_part": false,
+  "published": "2024-02-01",
+  "last_modified": "2024-11-22"
 }

vulnerabilities/AIKIDO-2024-10001.json

@@ -1,25 +1,33 @@
 {
-  "id" : "AIKIDO-2024-10001",
-  "package_name" : "lilconfig",
-  "patch_versions" : [ "3.1.1" ],
-  "vulnerable_ranges" : [ [ "3.1.0", "3.1.0" ] ],
-  "cwe" : [ "CWE-94" ],
-  "tldr" : "A code injection vulnerability was silently addressed in version 3.1.1 of `lilconfig`, impacting all uses of the package in earlier versions.",
-  "doest_this_affect_me" : "You are affected by this flaw if you use the 3.1.0 version of this package.",
-  "how_to_fix" : "To fix, upgrade to `lilconfig` 3.1.1 or above.",
-  "reporter" : null,
-  "vulnerable_to" : "Code Injection",
-  "related_cve_id" : "",
-  "language" : "JS",
-  "severity_class" : "MEDIUM",
-  "aikido_score" : 50,
-  "changelog" : "https://github.com/antonk52/lilconfig/releases/tag/v3.1.1",
-  "package_name_alias" : null,
-  "package_wildcard_ends_in" : null,
-  "package_wildcard_contains" : null,
-  "extra_specific_non_vulnerable_versions" : null,
-  "unaffected_distros" : null,
-  "simplify_version_if_has_patch_part" : false,
-  "published" : "2024-02-23",
-  "last_modified" : "2024-02-23"
+  "package_name": "lilconfig",
+  "patch_versions": [
+    "3.1.1"
+  ],
+  "vulnerable_ranges": [
+    [
+      "3.1.0",
+      "3.1.0"
+    ]
+  ],
+  "cwe": [
+    "CWE-94"
+  ],
+  "tldr": "A code injection vulnerability was silently addressed in version 3.1.1 of `lilconfig`, impacting all uses of the package in earlier versions.",
+  "doest_this_affect_me": "You are affected by this flaw if you use the 3.1.0 version of this package.",
+  "how_to_fix": "To fix, upgrade to `lilconfig` 3.1.1 or above.",
+  "reporter": null,
+  "vulnerable_to": "Code Injection",
+  "related_cve_id": "",
+  "language": "JS",
+  "severity_class": "MEDIUM",
+  "aikido_score": 50,
+  "changelog": "https://github.com/antonk52/lilconfig/releases/tag/v3.1.1",
+  "package_name_alias": null,
+  "package_wildcard_ends_in": null,
+  "package_wildcard_contains": null,
+  "extra_specific_non_vulnerable_versions": null,
+  "unaffected_distros": null,
+  "simplify_version_if_has_patch_part": false,
+  "published": "2024-02-23",
+  "last_modified": "2024-02-23"
 }

vulnerabilities/AIKIDO-2024-10002.json

@@ -1,25 +1,33 @@
 {
-  "id" : "AIKIDO-2024-10002",
-  "package_name" : "rpyc",
-  "patch_versions" : [ "6.0.0" ],
-  "vulnerable_ranges" : [ [ "4.0.0", "5.3.1" ] ],
-  "cwe" : [ "CWE-94" ],
-  "tldr" : "A Remote Code Execution (RCE) vulnerability was discreetly patched in version 6.0.0 of rpyc. This exploit is only possible when the server-side accesses the `__array__` attribute and invokes it, such as through `np.array(x)`.",
-  "doest_this_affect_me" : "You are affected by this flaw if you use a version >= 4.0.0 and <= 5.3.1 of this package.",
-  "how_to_fix" : "To fix, upgrade to `rpyc` 6.0.0 or above.",
-  "reporter" : null,
-  "vulnerable_to" : "Remote Code Execution (RCE)",
-  "related_cve_id" : "CVE-2024-27758",
-  "language" : "python",
-  "severity_class" : "HIGH",
-  "aikido_score" : 80,
-  "changelog" : "https://github.com/tomerfiliba-org/rpyc/releases/tag/6.0.0",
-  "package_name_alias" : null,
-  "package_wildcard_ends_in" : null,
-  "package_wildcard_contains" : null,
-  "extra_specific_non_vulnerable_versions" : null,
-  "unaffected_distros" : null,
-  "simplify_version_if_has_patch_part" : false,
-  "published" : "2024-02-26",
-  "last_modified" : "2024-02-26"
+  "package_name": "rpyc",
+  "patch_versions": [
+    "6.0.0"
+  ],
+  "vulnerable_ranges": [
+    [
+      "4.0.0",
+      "5.3.1"
+    ]
+  ],
+  "cwe": [
+    "CWE-94"
+  ],
+  "tldr": "A Remote Code Execution (RCE) vulnerability was discreetly patched in version 6.0.0 of rpyc. This exploit is only possible when the server-side accesses the `__array__` attribute and invokes it, such as through `np.array(x)`.",
+  "doest_this_affect_me": "You are affected by this flaw if you use a version >= 4.0.0 and <= 5.3.1 of this package.",
+  "how_to_fix": "To fix, upgrade to `rpyc` 6.0.0 or above.",
+  "reporter": null,
+  "vulnerable_to": "Remote Code Execution (RCE)",
+  "related_cve_id": "CVE-2024-27758",
+  "language": "python",
+  "severity_class": "HIGH",
+  "aikido_score": 80,
+  "changelog": "https://github.com/tomerfiliba-org/rpyc/releases/tag/6.0.0",
+  "package_name_alias": null,
+  "package_wildcard_ends_in": null,
+  "package_wildcard_contains": null,
+  "extra_specific_non_vulnerable_versions": null,
+  "unaffected_distros": null,
+  "simplify_version_if_has_patch_part": false,
+  "published": "2024-02-26",
+  "last_modified": "2024-02-26"
 }

vulnerabilities/AIKIDO-2024-10003.json

@@ -1,25 +1,33 @@
 {
-  "id" : "AIKIDO-2024-10003",
-  "package_name" : "smart-open",
-  "patch_versions" : [ "7.0.0" ],
-  "vulnerable_ranges" : [ [ "6.3.0", "6.4.0" ] ],
-  "cwe" : [ "CWE-300" ],
-  "tldr" : "The connection to the FTPS server was insufficiently secured because the FTP library, by default, does not utilize SSL certificates.",
-  "doest_this_affect_me" : "You are affected by this flaw if you use the FTP secure connection functionality and version 6.3.0 or 6.4.0 of this package.",
-  "how_to_fix" : "To fix, upgrade to `smart-open` 7.0.0 or above.",
-  "reporter" : null,
-  "vulnerable_to" : "Man-in-the-middle attack",
-  "related_cve_id" : "",
-  "language" : "python",
-  "severity_class" : "MEDIUM",
-  "aikido_score" : 45,
-  "changelog" : "https://github.com/piskvorky/smart_open/releases/tag/v7.0.0",
-  "package_name_alias" : null,
-  "package_wildcard_ends_in" : null,
-  "package_wildcard_contains" : null,
-  "extra_specific_non_vulnerable_versions" : null,
-  "unaffected_distros" : null,
-  "simplify_version_if_has_patch_part" : false,
-  "published" : "2024-02-26",
-  "last_modified" : "2024-02-26"
+  "package_name": "smart-open",
+  "patch_versions": [
+    "7.0.0"
+  ],
+  "vulnerable_ranges": [
+    [
+      "6.3.0",
+      "6.4.0"
+    ]
+  ],
+  "cwe": [
+    "CWE-300"
+  ],
+  "tldr": "The connection to the FTPS server was insufficiently secured because the FTP library, by default, does not utilize SSL certificates.",
+  "doest_this_affect_me": "You are affected by this flaw if you use the FTP secure connection functionality and version 6.3.0 or 6.4.0 of this package.",
+  "how_to_fix": "To fix, upgrade to `smart-open` 7.0.0 or above.",
+  "reporter": null,
+  "vulnerable_to": "Man-in-the-middle attack",
+  "related_cve_id": "",
+  "language": "python",
+  "severity_class": "MEDIUM",
+  "aikido_score": 45,
+  "changelog": "https://github.com/piskvorky/smart_open/releases/tag/v7.0.0",
+  "package_name_alias": null,
+  "package_wildcard_ends_in": null,
+  "package_wildcard_contains": null,
+  "extra_specific_non_vulnerable_versions": null,
+  "unaffected_distros": null,
+  "simplify_version_if_has_patch_part": false,
+  "published": "2024-02-26",
+  "last_modified": "2024-02-26"
 }

vulnerabilities/AIKIDO-2024-10004.json

@@ -1,25 +1,33 @@
 {
-  "id" : "AIKIDO-2024-10004",
-  "package_name" : "aws-cdk",
-  "patch_versions" : [ "2.130.0" ],
-  "vulnerable_ranges" : [ [ "2.109.0", "2.129.0" ] ],
-  "cwe" : [ "CWE-117" ],
-  "tldr" : "Affected versions of this package allow attackers to forge log entries or inject malicious content into log files.",
-  "doest_this_affect_me" : "You are affected by this flaw if you use a version >= 2.109.0 and <= 2.129.0 of this package.",
-  "how_to_fix" : "To fix, upgrade to `aws-cdk` 2.130.0 or above.",
-  "reporter" : null,
-  "vulnerable_to" : "Log injection",
-  "related_cve_id" : "",
-  "language" : "python",
-  "severity_class" : "LOW",
-  "aikido_score" : 20,
-  "changelog" : "https://github.com/aws/aws-cdk/releases/tag/v2.130.0",
-  "package_name_alias" : "aws-cdk-lib",
-  "package_wildcard_ends_in" : null,
-  "package_wildcard_contains" : null,
-  "extra_specific_non_vulnerable_versions" : null,
-  "unaffected_distros" : null,
-  "simplify_version_if_has_patch_part" : false,
-  "published" : "2024-02-26",
-  "last_modified" : "2024-02-26"
+  "package_name": "aws-cdk",
+  "patch_versions": [
+    "2.130.0"
+  ],
+  "vulnerable_ranges": [
+    [
+      "2.109.0",
+      "2.129.0"
+    ]
+  ],
+  "cwe": [
+    "CWE-117"
+  ],
+  "tldr": "Affected versions of this package allow attackers to forge log entries or inject malicious content into log files.",
+  "doest_this_affect_me": "You are affected by this flaw if you use a version >= 2.109.0 and <= 2.129.0 of this package.",
+  "how_to_fix": "To fix, upgrade to `aws-cdk` 2.130.0 or above.",
+  "reporter": null,
+  "vulnerable_to": "Log injection",
+  "related_cve_id": "",
+  "language": "python",
+  "severity_class": "LOW",
+  "aikido_score": 20,
+  "changelog": "https://github.com/aws/aws-cdk/releases/tag/v2.130.0",
+  "package_name_alias": "aws-cdk-lib",
+  "package_wildcard_ends_in": null,
+  "package_wildcard_contains": null,
+  "extra_specific_non_vulnerable_versions": null,
+  "unaffected_distros": null,
+  "simplify_version_if_has_patch_part": false,
+  "published": "2024-02-26",
+  "last_modified": "2024-02-26"
 }

vulnerabilities/AIKIDO-2024-10005.json

@@ -1,25 +1,33 @@
 {
-  "id" : "AIKIDO-2024-10005",
-  "package_name" : "aws-cdk",
-  "patch_versions" : [ "2.130.0" ],
-  "vulnerable_ranges" : [ [ "2.109.0", "2.129.0" ] ],
-  "cwe" : [ "CWE-117" ],
-  "tldr" : "Affected versions of this package allow attackers to forge log entries or inject malicious content into log files.",
-  "doest_this_affect_me" : "You are affected by this flaw if you use a version >= 2.109.0 and <= 2.129.0 of this package.",
-  "how_to_fix" : "To fix, upgrade to `aws-cdk` 2.130.0 or above.",
-  "reporter" : null,
-  "vulnerable_to" : "Log injection",
-  "related_cve_id" : "",
-  "language" : "JS",
-  "severity_class" : "LOW",
-  "aikido_score" : 20,
-  "changelog" : "https://github.com/aws/aws-cdk/releases/tag/v2.130.0",
-  "package_name_alias" : "aws-cdk-lib",
-  "package_wildcard_ends_in" : null,
-  "package_wildcard_contains" : null,
-  "extra_specific_non_vulnerable_versions" : null,
-  "unaffected_distros" : null,
-  "simplify_version_if_has_patch_part" : false,
-  "published" : "2024-02-26",
-  "last_modified" : "2024-02-26"
+  "package_name": "aws-cdk",
+  "patch_versions": [
+    "2.130.0"
+  ],
+  "vulnerable_ranges": [
+    [
+      "2.109.0",
+      "2.129.0"
+    ]
+  ],
+  "cwe": [
+    "CWE-117"
+  ],
+  "tldr": "Affected versions of this package allow attackers to forge log entries or inject malicious content into log files.",
+  "doest_this_affect_me": "You are affected by this flaw if you use a version >= 2.109.0 and <= 2.129.0 of this package.",
+  "how_to_fix": "To fix, upgrade to `aws-cdk` 2.130.0 or above.",
+  "reporter": null,
+  "vulnerable_to": "Log injection",
+  "related_cve_id": "",
+  "language": "JS",
+  "severity_class": "LOW",
+  "aikido_score": 20,
+  "changelog": "https://github.com/aws/aws-cdk/releases/tag/v2.130.0",
+  "package_name_alias": "aws-cdk-lib",
+  "package_wildcard_ends_in": null,
+  "package_wildcard_contains": null,
+  "extra_specific_non_vulnerable_versions": null,
+  "unaffected_distros": null,
+  "simplify_version_if_has_patch_part": false,
+  "published": "2024-02-26",
+  "last_modified": "2024-02-26"
 }