From 6187252dcd3700d299ec74d6fab6e732593b221e Mon Sep 17 00:00:00 2001
From: bitnami-bot
Date: Fri, 29 Dec 2023 07:44:27 +0000
Subject: [PATCH] feat: Updated at 20231229071524
Signed-off-by: bitnami-bot
---
 data/airflow/BIT-airflow-2023-47265.json | 58 +++++++++++++++++++
 data/airflow/BIT-airflow-2023-48291.json | 58 +++++++++++++++++++
 data/airflow/BIT-airflow-2023-49920.json | 58 +++++++++++++++++++
 data/airflow/BIT-airflow-2023-50783.json | 58 +++++++++++++++++++
 .../dotnet-sdk/BIT-dotnet-sdk-2021-31204.json | 4 +-
 .../dotnet-sdk/BIT-dotnet-sdk-2021-34485.json | 4 +-
 data/dotnet/BIT-dotnet-2021-31204.json | 4 +-
 data/dotnet/BIT-dotnet-2021-34485.json | 4 +-
 data/gitlab/BIT-gitlab-2023-4522.json | 7 ++-
 data/python/BIT-python-2023-27043.json | 26 ++++++++-
 10 files changed, 270 insertions(+), 11 deletions(-)
 create mode 100644 data/airflow/BIT-airflow-2023-47265.json
 create mode 100644 data/airflow/BIT-airflow-2023-48291.json
 create mode 100644 data/airflow/BIT-airflow-2023-49920.json
 create mode 100644 data/airflow/BIT-airflow-2023-50783.json
diff --git a/data/airflow/BIT-airflow-2023-47265.json b/data/airflow/BIT-airflow-2023-47265.json
new file mode 100644
index 000000000..fcb1a5c47
--- /dev/null
+++ b/data/airflow/BIT-airflow-2023-47265.json
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.5.0",
+ "id": "BIT-airflow-2023-47265",
+ "details": "Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the client side of any of the user who looks at the tasks in the browser sandbox. While this issue does not allow to exit the browser sandbox or manipulation of the server-side data - more than the DAG author already has, it allows to modify what the user looking at the DAG details sees in the browser - which opens up all kinds of possibilities of misleading other users.Users of Apache Airflow are recommended to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability",
+ "aliases": [
+ "CVE-2023-47265"
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Bitnami",
+ "name": "airflow",
+ "purl": "pkg:bitnami/airflow"
+ },
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.6.0"
+ },
+ {
+ "fixed": "2.7.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "severity": "Medium",
+ "cpes": [
+ "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
+ ]
+ },
+ "references": [
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/12/21/2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/apache/airflow/pull/35460"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/128f3zl375vb1qv93k82zhnwkpl233pr"
+ }
+ ],
+ "published": "2023-12-29T07:16:44.425Z",
+ "modified": "2023-12-29T07:44:27.508Z"
+}
\ No newline at end of file
diff --git a/data/airflow/BIT-airflow-2023-48291.json b/data/airflow/BIT-airflow-2023-48291.json
new file mode 100644
index 000000000..955ceaa8a
--- /dev/null
+++ b/data/airflow/BIT-airflow-2023-48291.json
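Review bot: The `"fixed": "2.7.3"` event contradicts the record's own `details`, which state that versions 2.6.0 through 2.7.3 are affected and that 2.8.0 is the remediation; under OSV range semantics `fixed` names the first unaffected version, so this range reports 2.7.3 as clean and a scanner would miss deployments pinned to it. The event should read `"fixed": "2.8.0"`. The BIT-airflow-2023-49920 hunk has the same mismatch (its details say 2.7.0 through 2.7.3 with the fix in 2.8.0, yet its range also says `"fixed": "2.7.3"`). All four new airflow records are also written without a trailing newline, which the diff flags on each file.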
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.5.0",
+ "id": "BIT-airflow-2023-48291",
+ "details": "Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't.This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.",
+ "aliases": [
+ "CVE-2023-48291"
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Bitnami",
+ "name": "airflow",
+ "purl": "pkg:bitnami/airflow"
+ },
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.8.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "severity": "Medium",
+ "cpes": [
+ "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
+ ]
+ },
+ "references": [
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/12/21/1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/apache/airflow/pull/34366"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3"
+ }
+ ],
+ "published": "2023-12-29T07:16:34.854Z",
+ "modified": "2023-12-29T07:44:27.508Z"
+}
\ No newline at end of file
diff --git a/data/airflow/BIT-airflow-2023-49920.json b/data/airflow/BIT-airflow-2023-49920.json
new file mode 100644
index 000000000..fde292f7f
--- /dev/null
+++ b/data/airflow/BIT-airflow-2023-49920.json
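Review bot: The `details` text identifies this record as the missing fix for CVE-2023-42792, but the record carries no machine-readable link to that earlier advisory; the OSV schema's top-level `related` list exists for exactly this, so adding `"related": ["CVE-2023-42792"]` beside `aliases` would let consumers correlate the two without parsing prose. The version range (introduced `0`, fixed `2.8.0`) is consistent with the "prior to 2.8.0" wording in the text.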
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.5.0",
+ "id": "BIT-airflow-2023-49920",
+ "details": "Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.Users are advised to upgrade to version 2.8.0 or later which is not affected",
+ "aliases": [
+ "CVE-2023-49920"
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Bitnami",
+ "name": "airflow",
+ "purl": "pkg:bitnami/airflow"
+ },
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "2.7.0"
+ },
+ {
+ "fixed": "2.7.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "severity": "Medium",
+ "cpes": [
+ "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
+ ]
+ },
+ "references": [
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/12/21/3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/apache/airflow/pull/36026"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq"
+ }
+ ],
+ "published": "2023-12-29T07:16:24.757Z",
+ "modified": "2023-12-29T07:44:27.508Z"
+}
\ No newline at end of file
diff --git a/data/airflow/BIT-airflow-2023-50783.json b/data/airflow/BIT-airflow-2023-50783.json
new file mode 100644
index 000000000..7e85442f3
--- /dev/null
+++ b/data/airflow/BIT-airflow-2023-50783.json
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.5.0",
+ "id": "BIT-airflow-2023-50783",
+ "details": "Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.Users are recommended to upgrade to 2.8.0, which fixes this issue",
+ "aliases": [
+ "CVE-2023-50783"
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Bitnami",
+ "name": "airflow",
+ "purl": "pkg:bitnami/airflow"
+ },
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.8.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "severity": "Medium",
+ "cpes": [
+ "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
+ ]
+ },
+ "references": [
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2023/12/21/4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/apache/airflow/pull/33932"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn"
+ }
+ ],
+ "published": "2023-12-29T07:16:14.466Z",
+ "modified": "2023-12-29T07:44:27.508Z"
+}
\ No newline at end of file
diff --git a/data/dotnet-sdk/BIT-dotnet-sdk-2021-31204.json b/data/dotnet-sdk/BIT-dotnet-sdk-2021-31204.json
index 64ec49d9f..d78860b9b 100644
--- a/data/dotnet-sdk/BIT-dotnet-sdk-2021-31204.json
+++ b/data/dotnet-sdk/BIT-dotnet-sdk-2021-31204.json
@@ -15,7 +15,7 @@
 "severity": [
 {
 "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
 }
 ],
 "ranges": [
@@ -94,5 +94,5 @@
 }
 ],
 "published": "2023-11-06T08:56:53.347Z",
- "modified": "2023-11-08T07:44:02.038Z"
+ "modified": "2023-12-29T07:44:27.508Z"
 }
\ No newline at end of file
diff --git a/data/dotnet-sdk/BIT-dotnet-sdk-2021-34485.json b/data/dotnet-sdk/BIT-dotnet-sdk-2021-34485.json
index 47fdded04..9d9884d8f 100644
--- a/data/dotnet-sdk/BIT-dotnet-sdk-2021-34485.json
+++ b/data/dotnet-sdk/BIT-dotnet-sdk-2021-34485.json
@@ -15,7 +15,7 @@
 "severity": [
 {
 "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
 }
 ],
 "ranges": [
@@ -46,5 +46,5 @@
 }
 ],
 "published": "2023-11-06T08:56:36.164Z",
- "modified": "2023-11-06T09:17:33.630Z"
+ "modified": "2023-12-29T07:44:27.508Z"
 }
\ No newline at end of file
diff --git a/data/dotnet/BIT-dotnet-2021-31204.json b/data/dotnet/BIT-dotnet-2021-31204.json
index f583ad0c2..e4705d0d1 100644
--- a/data/dotnet/BIT-dotnet-2021-31204.json
+++ b/data/dotnet/BIT-dotnet-2021-31204.json
@@ -15,7 +15,7 @@
 "severity": [
 {
 "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
 }
 ],
 "ranges": [
@@ -94,5 +94,5 @@
 }
 ],
 "published": "2023-11-06T08:56:40.078Z",
- "modified": "2023-11-08T07:44:02.038Z"
+ "modified": "2023-12-29T07:44:27.508Z"
 }
\ No newline at end of file
diff --git a/data/dotnet/BIT-dotnet-2021-34485.json b/data/dotnet/BIT-dotnet-2021-34485.json
index 32bbea40f..37686da27 100644
--- a/data/dotnet/BIT-dotnet-2021-34485.json
+++ b/data/dotnet/BIT-dotnet-2021-34485.json
@@ -15,7 +15,7 @@
 "severity": [
 {
 "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
 }
 ],
 "ranges": [
@@ -46,5 +46,5 @@
 }
 ],
 "published": "2023-11-06T08:56:21.175Z",
- "modified": "2023-11-06T09:17:33.630Z"
+ "modified": "2023-12-29T07:44:27.508Z"
 }
\ No newline at end of file
diff --git a/data/gitlab/BIT-gitlab-2023-4522.json b/data/gitlab/BIT-gitlab-2023-4522.json
index e59d4e12d..e0dec63be 100644
--- a/data/gitlab/BIT-gitlab-2023-4522.json
+++ b/data/gitlab/BIT-gitlab-2023-4522.json
@@ -23,7 +23,10 @@
 "type": "SEMVER",
 "events": [
 {
- "introduced": "16.2.0"
+ "introduced": "0"
+ },
+ {
+ "fixed": "16.2.0"
 }
 ]
 }
@@ -47,5 +50,5 @@
 }
 ],
 "published": "2023-11-06T08:52:59.683Z",
- "modified": "2023-11-16T07:45:34.179Z"
+ "modified": "2023-12-29T07:44:27.508Z"
 }
\ No newline at end of file
diff --git a/data/python/BIT-python-2023-27043.json b/data/python/BIT-python-2023-27043.json
index 4e89e7c95..c630221d2 100644
--- a/data/python/BIT-python-2023-27043.json
+++ b/data/python/BIT-python-2023-27043.json
@@ -89,8 +89,32 @@
 {
 "type": "WEB",
 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/"
 }
 ],
 "published": "2023-11-06T09:01:00.780Z",
- "modified": "2023-12-28T07:44:30.236Z"
+ "modified": "2023-12-29T07:44:27.508Z"
 }
\ No newline at end of file
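Review bot: The rewritten `events` in the BIT-gitlab-2023-4522 hunk invert the affected set — the removed single `"introduced": "16.2.0"` event marked 16.2.0 and every later release as affected, while the new `"introduced": "0"` / `"fixed": "16.2.0"` pair marks everything below 16.2.0 as affected and 16.2.0 itself as clean — yet neither the hunk nor the commit message ("feat: Updated at ...") records what upstream statement justifies the reversal. If the upstream advisory names several patched branches, as GitLab advisories often do, a single pair under-reports; OSV's `events` array accepts one `introduced`/`fixed` pair per patched branch, so the range can mirror the advisory exactly. The `references` that would ground the range are outside this hunk, so this is a request to confirm against the cited advisory rather than a claim that the new pair is wrong.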