From d586fdf1edfe0540f257befb43edc272de857f67 Mon Sep 17 00:00:00 2001 From: Joyce Quach Date: Thu, 19 Sep 2024 14:46:19 -0400 Subject: [PATCH] Update tags and impact --- .../neuvector-hdf-withraw.json | 4946 ++++++++++++++++- .../neuvector_mapper/neuvector-hdf.json | 4946 ++++++++++++++++- libs/hdf-converters/src/neuvector-mapper.ts | 40 +- 3 files changed, 9924 insertions(+), 8 deletions(-) diff --git a/libs/hdf-converters/sample_jsons/neuvector_mapper/neuvector-hdf-withraw.json b/libs/hdf-converters/sample_jsons/neuvector_mapper/neuvector-hdf-withraw.json index a7a0e51527..a9eb809694 100644 --- a/libs/hdf-converters/sample_jsons/neuvector_mapper/neuvector-hdf-withraw.json +++ b/libs/hdf-converters/sample_jsons/neuvector_mapper/neuvector-hdf-withraw.json @@ -23,8 +23,4950 @@ "depends": [], "groups": [], "status": "loaded", - "controls": [], - "sha256": "56a6f4affb2c6c6d22bd258b4e3a99b16880e93b4a99b128a244f91068f5269c" + "controls": [ + { + "tags": { + "cve": "CVE-2021-36159", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-36159", + "desc": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25235", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25235", + "desc": "xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22824", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22824", + "desc": "defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-45960", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-45960", + "desc": "In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25236", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25236", + "desc": "xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22823", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22823", + "desc": "build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25315", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25315", + "desc": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22822", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22822", + "desc": "addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23852", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23852", + "desc": "Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-27404", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-27404", + "desc": "FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-15900", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-15900", + "desc": "A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-20232", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-20232", + "desc": "A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-20231", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-20231", + "desc": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-31535", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-31535", + "desc": "LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-7774", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-7774", + "desc": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22931", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22931", + "desc": "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22930", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22930", + "desc": "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3711", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3711", + "desc": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-37434", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-37434", + "desc": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-30139", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-30139", + "desc": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42378", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42378", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42379", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42379", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42381", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42381", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42384", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42384", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42385", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42385", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42383", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42383", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42386", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42386", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-28831", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-28831", + "desc": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42380", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42380", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-28391", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-28391", + "desc": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42382", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42382", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-35492", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-35492", + "desc": "A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-24407", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-24407", + "desc": "In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-46143", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-46143", + "desc": "In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22825", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22825", + "desc": "lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22826", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22826", + "desc": "nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22827", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22827", + "desc": "storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25314", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25314", + "desc": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23990", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23990", + "desc": "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-27406", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-27406", + "desc": "FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-27405", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-27405", + "desc": "FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-20240", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-20240", + "desc": "A flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-43618", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-43618", + "desc": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-29599", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-29599", + "desc": "ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3518", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3518", + "desc": "There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3517", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3517", + "desc": "There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23308", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23308", + "desc": "valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-39537", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-39537", + "desc": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3580", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3580", + "desc": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-39135", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-39135", + "desc": "`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-8277", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-8277", + "desc": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-21824", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-21824", + "desc": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-39134", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-39134", + "desc": "`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in their `package.json` file such as `\"foo\": \"file:/some/path\"`. Another package, `pwn-b` could define a dependency such as `FOO: \"file:foo.tgz\"`. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-37713", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-37713", + "desc": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22883", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22883", + "desc": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-8265", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-8265", + "desc": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-44531", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-44531", + "desc": "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-37701", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-37701", + "desc": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-37712", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-37712", + "desc": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22884", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22884", + "desc": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25692", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25692", + "desc": "A NULL pointer dereference was found in OpenLDAP server and was fixed in openldap 2.4.55, during a request for renaming RDNs. An unauthenticated attacker could remotely crash the slapd process by sending a specially crafted request, causing a Denial of Service.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25709", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25709", + "desc": "A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25710", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25710", + "desc": "A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-27212", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-27212", + "desc": "In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-23840", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-23840", + "desc": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-0778", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-0778", + "desc": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3450", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3450", + "desc": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3712", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3712", + "desc": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-29363", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-29363", + "desc": "An issue was discovered in p11-kit 0.23.6 through 0.23.21. A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-29361", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-29361", + "desc": "An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25696", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25696", + "desc": "A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \\gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25695", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25695", + "desc": "A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-23214", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-23214", + "desc": "When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25694", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25694", + "desc": "A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-32027", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-32027", + "desc": "A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-1271", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-1271", + "desc": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2018-25032", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2018-25032", + "desc": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-36217", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-36217", + "desc": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-3502. Reason: This candidate is a duplicate of CVE-2021-3502. Notes: All CVE users should reference CVE-2021-3502 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3468", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3468", + "desc": "A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42374", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42374", + "desc": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3672", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3672", + "desc": "A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2019-6462", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2019-6462", + "desc": "An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25313", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25313", + "desc": "In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-29385", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-29385", + "desc": "GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. if c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-27560", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-27560", + "desc": "ImageMagick 7.0.10-34 allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-20205", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-20205", + "desc": "Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-29824", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-29824", + "desc": "In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3537", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3537", + "desc": "A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3541", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3541", + "desc": "A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-28928", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-28928", + "desc": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22960", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22960", + "desc": "The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22959", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22959", + "desc": "The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-44533", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-44533", + "desc": "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-44532", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-44532", + "desc": "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22939", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22939", + "desc": "If the Node.js https API was used incorrectly and \"undefined\" was in passed for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-8287", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-8287", + "desc": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22918", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22918", + "desc": "Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3449", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3449", + "desc": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-23839", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-23839", + "desc": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-1971", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-1971", + "desc": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-23841", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-23841", + "desc": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-29362", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-29362", + "desc": "An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by thep11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-32028", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-32028", + "desc": "A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-20229", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-20229", + "desc": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3393", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3393", + "desc": "An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-32029", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-32029", + "desc": "A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3677", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3677", + "desc": "A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-23222", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-23222", + "desc": "A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-0563", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-0563", + "desc": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3995", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3995", + "desc": "A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3996", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3996", + "desc": "A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-32224", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-32224", + "desc": "Possible RCE escalation bug with Serialized Columns in Active Record/nThere is a possible escalation to RCE when using YAML serialized columns in\nActive Record. This vulnerability has been assigned the CVE identifier\nCVE-2022-32224.\n\nVersions Affected: All.\nNot affected: None\nFixed Versions: 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1\n\nImpact\n------\nWhen serialized columns that use YAML (the default) are deserialized, Rails\nuses `YAML.unsafe_load` to convert the YAML data in to Ruby objects. If an\nattacker can manipulate data in the database (via means like SQL injection),\nthen it may be possible for the attacker to escalate to an RCE.\n\nImpacted Active Record models will look something like this:\n\n```ruby\nclass User < ApplicationRecord\n serialize :options # Vulnerable: Uses YAML for serialization\n serialize :values, Array # Vulnerable: Uses YAML for serialization\n serialize :values, JSON # Not vulnerable\nend\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe FIXED releases are available at the normal locations.\n\nThe released versions change the default YAML deserializer to use\n`YAML.safe_load`, which prevents deserialization of possibly dangerous\nobjects. This may introduce backwards compatibility issues with existing\ndata.\n\nIn order to cope with that situation, the released version also contains two\nnew Active Record configuration options. The configuration options are as\nfollows:\n\n* `config.active_record.use_yaml_unsafe_load`\n\nWhen set to true, this configuration option tells Rails to use the old\n\"unsafe\" YAML loading strategy, maintaining the existing behavior but leaving\nthe possible escalation vulnerability in place. Setting this option to true\nis *not* recommended, but can aid in upgrading.\n\n* `config.active_record.yaml_column_permitted_classes`\n\nThe \"safe YAML\" loading method does not allow all classes to be deserialized\nby default. This option allows you to specify classes deemed \"safe\" in your\napplication. For example, if your application uses Symbol and Time in\nserialized data, you can add Symbol and Time to the allowed list as follows:\n\n```\nconfig.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]\n```\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue, but other coders (such as\nJSON) are not impacted.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-21831", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-21831", + "desc": "Possible code injection vulnerability in Rails / Active Storage/nThere is a possible code injection vulnerability in the Active Storage module\nof Rails. This vulnerability has been assigned the CVE identifier\nCVE-2022-21831.\n\nVersions Affected: >= 5.2.0\nNot affected: < 5.2.0\nFixed Versions: 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3\n\nImpact\n------\nThere is a possible code injection vulnerability in the Active Storage module\nof Rails. This vulnerability impacts applications that use Active Storage\nwith the image_processing processing in addition to the mini_magick back end\nfor image_processing.\n\nVulnerable code will look something similar to this:\n\n```ruby\n<%= image_tag blob.variant(params[:t] => params[:v]) %>\n```\n\nWhere the transformation method or its arguments are untrusted arbitrary\ninput.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nWorkarounds\n-----------\nTo work around this issue, applications should implement a strict allow-list\non accepted transformation methods or arguments. Additionally, a strict image\nmagick security policy will help mitigate this issue.\n\n https://imagemagick.org/script/security-policy.php\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-36327", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-36327", + "desc": "Dependency Confusion in Bundler with Implicit Private Dependencies/nBundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a\ndependency source based on the highest gem version number, which means that a\nrogue gem found at a public source may be chosen, even if the intended choice\nwas a private gem that is a dependency of another private gem that is\nexplicitly depended on by the application.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-43809", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-43809", + "desc": "Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile/nIn `bundler` versions before 2.2.33, when working with untrusted and apparently harmless\n`Gemfile`'s, it is not expected that they lead to execution of external code, unless\nthat's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile`\nincludes `gem` entries that use the `git` option with invalid, but seemingly harmless,\nvalues with a leading dash, this can be false.\n\nTo handle dependencies that come from a Git repository instead of a registry, Bundler\nuses various commands, such as `git clone`. These commands are being constructed using\nuser input (e.g. the repository URL). When building the commands, Bundler versions\nbefore 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of\narguments instead of a command string. However, there is the possibility that a user\ninput starts with a dash (`-`) and is therefore treated as an optional argument instead\nof a positional one. This can lead to Code Execution because some of the commands have\noptions that can be leveraged to run arbitrary executables.\n\nSince this value comes from the `Gemfile` file, it can contain any character, including\na leading dash.\n\n### Exploitation\n\nTo exploit this vulnerability, an attacker has to craft a directory containing a\n`Gemfile` file that declares a dependency that is located in a Git repository. This\ndependency has to have a Git URL in the form of `-u./payload`. This URL will be used to\nconstruct a Git clone command but will be interpreted as the\n[upload-pack](https://git-scm.com/docs/git-clone#Documentation/git-clone.txt--ultupload-packgt)\nargument. Then this directory needs to be shared with the victim, who then needs to run\na command that evaluates the Gemfile, such as `bundle lock`, inside.\n\n### Impact\n\nThis vulnerability can lead to Arbitrary Code Execution, which could potentially lead\nto the takeover of the system. However, as explained above, the exploitability is very\nlow, because it requires a lot of user interaction. It still could put developers at\nrisk when dealing with untrusted files in a way they think is safe, because the exploit\nstill works when the victim tries to make sure nothing can happen, e.g. by manually\nreviewing the `Gemfile` (although they would need the weird URL with a leading dash to\nnot raise any flags).\n\nThis kind of attack vector\n[has been used in the past](https://www.cnbc.com/2021/01/26/north-korean-hackers-targeting-security-researchers-on-twitter.html)\nto target security researchers by sending them projects to collaborate on.\n\n### Patches\n\nBundler 2.2.33 has patched this problem by inserting `--` as an argument before any\npositional arguments to those Git commands that were affected by this issue.\n\n### Workarounds\n\nRegardless of whether users can upgrade or not, they should review any untrusted\n`Gemfile`'s before running any `bundler` commands that may read them, since they\ncan contain arbitrary ruby code.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2016-7954", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2016-7954", + "desc": "Allows an attacker to inject arbitrary code into your application via any secondary Gem source declared in your Gemfile/nBundler 1.x might allow remote attackers to inject arbitrary Ruby\ncode into an application by leveraging a Gem name collision on a\nsecondary source.\n\nPlease note that this vulnerability only applies for Ruby\nprojects using Bundler < 2.0 with Gemfiles having 2 or more\n\"source\" lines.\n\nIn other words, if the user's Gemfile does not use multiple\nsources, this vulnerability can be ignored.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-32511", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-32511", + "desc": "JMESPath for Ruby using JSON.load instead of JSON.parse/njmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a\nsituation where JSON.parse is preferable.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25765", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25765", + "desc": "PDFKit vulnerable to Command Injection/nThe package pdfkit from version 0.0.0 through version 0.8.6 is vulnerable\nto Command Injection where the URL is not properly sanitized.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-24790", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-24790", + "desc": "HTTP Request Smuggling in puma/n### Impact\n\nWhen using Puma behind a proxy that does not properly validate that the\nincoming HTTP request matches the RFC7230 standard, Puma and the frontend\nproxy may disagree on where a request starts and ends. This would allow\nrequests to be smuggled via the front-end proxy to Puma.\n\nThe following vulnerabilities are addressed by this advisory:\n- Lenient parsing of `Transfer-Encoding` headers, when unsupported encodings\n should be rejected and the final encoding must be `chunked`.\n- Lenient parsing of malformed `Content-Length` headers and chunk sizes, when\n only digits and hex digits should be allowed.\n- Lenient parsing of duplicate `Content-Length` headers, when they should be\n rejected.\n- Lenient parsing of the ending of chunked segments, when they should end\n with `\\r\\n`.\n\n### Patches\n\nThe vulnerability has been fixed in 5.6.4 and 4.3.12.\n\n### Workarounds\n\nWhen deploying a proxy in front of Puma, turning on any and all functionality\nto make sure that the request matches the RFC7230 standard.\n\nThese proxy servers are known to have \"good\" behavior re: this standard and\nupgrading Puma may not be necessary. Users are encouraged to validate for\nthemselves.\n\n- Nginx (latest)\n- Apache (latest)\n- Haproxy 2.5+\n- Caddy (latest)\n- Traefik (latest)\n\n### References\n\n[HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-30123", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-30123", + "desc": "Possible shell escape sequence injection vulnerability in Rack/nThere is a possible shell escape sequence injection vulnerability in the Lint\nand CommonLogger components of Rack. This vulnerability has been assigned the\nCVE identifier CVE-2022-30123.\n\nVersions Affected: All.\nNot affected: None\nFixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1\n\n## Impact\nCarefully crafted requests can cause shell escape sequences to be written to\nthe terminal via Rack's Lint middleware and CommonLogger middleware. These\nescape sequences can be leveraged to possibly execute commands in the victim's\nterminal.\n\nImpacted applications will have either of these middleware installed, and\nvulnerable apps may have something like this:\n\n```\nuse Rack::Lint\n```\n\nOr\n\n```\nuse Rack::CommonLogger\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n## Workarounds\nRemove these middleware from your application\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-27280", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-27280", + "desc": "Buffer overread vulnerability in StringIO/nAn issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x\nthrough 3.0.6 and 3.1.x through 3.1.4.\n\nThe `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a\nstring, and a subsequent call to `StringIO.gets` may return the memory value.\n\nThis vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x\nand later.\n\nWe recommend to update the StringIO gem to version 3.0.3 or later. In order to\nensure compatibility with bundled version in older Ruby series, you may update\nas follows instead:\n\n* For Ruby 3.0 users: Update to `stringio` 3.0.1.1\n* For Ruby 3.1 users: Update to `stringio` 3.0.1.2\n\nYou can use `gem update stringio` to update it. If you are using bundler,\nplease add `gem \"stringio\", \">= 3.0.1.2\"` to your `Gemfile`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22885", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22885", + "desc": "Possible Information Disclosure / Unintended Method Execution in Action Pack/nThere is a possible information disclosure / unintended method execution\nvulnerability in Action Pack which has been assigned the CVE identifier\nCVE-2021-22885.\n\nVersions Affected: >= 2.0.0.\nNot affected: < 2.0.0.\nFixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6\n\nImpact\n------\nThere is a possible information disclosure / unintended method execution\nvulnerability in Action Pack when using the `redirect_to` or `polymorphic_url`\nhelper with untrusted user input.\n\nVulnerable code will look like this:\n\n```\nredirect_to(params[:some_param])\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nWorkarounds\n-----------\nTo work around this problem, it is recommended to use an allow list for valid\nparameters passed from the user. For example:\n\n```\nprivate def check(param)\n case param\n when \"valid\"\n param\n else\n \"/\"\n end\nend\n\ndef index\n redirect_to(check(params[:some_param]))\nend\n```\n\nOr force the user input to be cast to a string like this:\n\n```\ndef index\n redirect_to(params[:some_param].to_s)\nend\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22904", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22904", + "desc": "Possible DoS Vulnerability in Action Controller Token Authentication/nThere is a possible DoS vulnerability in the Token Authentication logic in\nAction Controller. This vulnerability has been assigned the CVE identifier\nCVE-2021-22904.\n\nVersions Affected: >= 4.0.0\nNot affected: < 4.0.0\nFixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6\n\nImpact\n------\nImpacted code uses `authenticate_or_request_with_http_token` or\n`authenticate_with_http_token` for request authentication. Impacted code will\nlook something like this:\n\n```\nclass PostsController < ApplicationController\n before_action :authenticate\n\n private\n\n def authenticate\n authenticate_or_request_with_http_token do |token, options|\n # ...\n end\n end\nend\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThe following monkey patch placed in an initializer can be used to work around\nthe issue:\n\n```ruby\nmodule ActionController::HttpAuthentication::Token\n AUTHN_PAIR_DELIMITERS = /(?:,|;|\\t)/\nend\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-22795", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-22795", + "desc": "ReDoS based DoS vulnerability in Action Dispatch/nThere is a possible regular expression based DoS vulnerability in Action\nDispatch related to the If-None-Match header. This vulnerability has been\nassigned the CVE identifier CVE-2023-22795.\n\nVersions Affected: All\nNot affected: None\nFixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\n# Impact\n\nA specially crafted HTTP If-None-Match header can cause the regular\nexpression engine to enter a state of catastrophic backtracking, when on a\nversion of Ruby below 3.2.0. This can cause the process to use large amounts\nof CPU and memory, leading to a possible DoS vulnerability All users running\nan affected release should either upgrade or use one of the workarounds\nimmediately.\n\n# Workarounds\n\nWe recommend that all users upgrade to one of the FIXED versions. In the\nmeantime, users can mitigate this vulnerability by using a load balancer or\nother device to filter out malicious If-None-Match headers before they reach\nthe application.\n\nUsers on Ruby 3.2.0 or greater are not affected by this vulnerability.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23633", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23633", + "desc": "Possible exposure of information vulnerability in Action Pack/n## Impact\n\nUnder certain circumstances response bodies will not be closed, for example a\nbug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack\nmiddleware. In the event a response is not notified of a `close`,\n`ActionDispatch::Executor` will not know to reset thread local state for the\nnext request. This can lead to data being leaked to subsequent requests,\nespecially when interacting with `ActiveSupport::CurrentAttributes`.\n\nUpgrading to the FIXED versions of Rails will ensure mitigation if this issue\neven in the context of a buggy webserver or middleware implementation.\n\n## Patches\n\nThis has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\n## Workarounds\n\nUpgrading is highly recommended, but to work around this problem the following\nmiddleware can be used:\n\n```\nclass GuardedExecutor < ActionDispatch::Executor\n def call(env)\n ensure_completed!\n super\n end\n\n private\n\n def ensure_completed!\n @executor.new.complete! if @executor.active?\n end\nend\n\n# Ensure the guard is inserted before ActionDispatch::Executor\nRails.application.configure do\n config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor\nend\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-22792", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-22792", + "desc": "ReDoS based DoS vulnerability in Action Dispatch/nThere is a possible regular expression based DoS vulnerability in Action\nDispatch. This vulnerability has been assigned the CVE identifier\nCVE-2023-22792.\n\nVersions Affected: >= 3.0.0\nNot affected: < 3.0.0\nFixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\n# Impact\n\nSpecially crafted cookies, in combination with a specially crafted\nX_FORWARDED_HOST header can cause the regular expression engine to enter a\nstate of catastrophic backtracking. This can cause the process to use large\namounts of CPU and memory, leading to a possible DoS vulnerability All users\nrunning an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n# Workarounds\n\nWe recommend that all users upgrade to one of the FIXED versions. In the\nmeantime, users can mitigate this vulnerability by using a load balancer or\nother device to filter out malicious X_FORWARDED_HOST headers before they\nreach the application.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-23913", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-23913", + "desc": "DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML Elements/nNOTE: rails-ujs is part of Rails/actionview since 5.1.0.\n\nThere is a potential DOM based cross-site scripting issue in rails-ujs\nwhich leverages the Clipboard API to target HTML elements that are\nassigned the contenteditable attribute. This has the potential to\noccur when pasting malicious HTML content from the clipboard that\nincludes a data-method, data-remote or data-disable-with attribute.\n\nThis vulnerability has been assigned the CVE identifier CVE-2023-23913.\n\nNot affected: < 5.1.0\nVersions Affected: >= 5.1.0\nFixed Versions: 6.1.7.3, 7.0.4.3\n\nImpact\n If the specified malicious HTML clipboard content is provided to a\n contenteditable element, this could result in the arbitrary execution\n of javascript on the origin in question.\n\nReleases\n The FIXED releases are available at the normal locations.\n\nWorkarounds\n We recommend that all users upgrade to one of the FIXED versions.\n In the meantime, users can attempt to mitigate this vulnerability\n by removing the contenteditable attribute from elements in pages\n that rails-ujs will interact with.\n\nPatches\n To aid users who aren’t able to upgrade immediately we have provided\n patches for the two supported release series. They are in git-am\n format and consist of a single changeset.\n\n* rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series\n* rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series\n\nPlease note that only the 7.0.Z and 6.1.Z series are\nsupported at present, and 6.0.Z for severe vulnerabilities.\n\nUsers of earlier unsupported releases are advised to upgrade as\nsoon as possible as we cannot guarantee the continued availability\nof security fixes for unsupported releases.\n\nCredits\n We would like to thank ryotak 15 for reporting this!\n\n* rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB)\n* rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB)\n* rails-ujs-data-method-contenteditable-main.patch (8.9 KB)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-44566", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-44566", + "desc": "Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter/nThere is a potential denial of service vulnerability present in\nActiveRecord’s PostgreSQL adapter.\n\nThis has been assigned the CVE identifier CVE-2022-44566.\n\nVersions Affected: All.\nNot affected: None.\nFixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\n# Impact\n\nIn ActiveRecord <7.0.4.1 and <6.1.7.1, when a value outside the range for a\n64bit signed integer is provided to the PostgreSQL connection adapter, it\nwill treat the target column type as numeric. Comparing integer values\nagainst numeric values can result in a slow sequential scan resulting in\npotential Denial of Service.\n\n# Workarounds\n\nEnsure that user supplied input which is provided to ActiveRecord clauses do\nnot contain integers wider than a signed 64bit representation or floats.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-22796", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-22796", + "desc": "ReDoS based DoS vulnerability in Active Support’s underscore/nThere is a possible regular expression based DoS vulnerability in Active\nSupport. This vulnerability has been assigned the CVE identifier\nCVE-2023-22796.\n\nVersions Affected: All\nNot affected: None\nFixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\n# Impact\n\nA specially crafted string passed to the underscore method can cause the\nregular expression engine to enter a state of catastrophic backtracking.\nThis can cause the process to use large amounts of CPU and memory, leading\nto a possible DoS vulnerability.\n\nThis affects String#underscore, ActiveSupport::Inflector.underscore,\nString#titleize, and any other methods using these.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n\nUsers on Ruby 3.2.0 or greater may be able to reduce the impact by\nconfiguring Regexp.timeout.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-32740", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-32740", + "desc": "Regular Expression Denial of Service in Addressable templates/nWithin the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption,\nleading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input,\nbut nonetheless, no previous security advisory for Addressable has cautioned against doing this.\nUsers of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2019-3881", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2019-3881", + "desc": "Insecure path handling in Bundler/nBundler prior to 2.1.0 uses a predictable path in /tmp/, created with\ninsecure permissions as a storage location for gems, if locations under the user's\nhome directory are not available. If Bundler is used in a scenario where the user\ndoes not have a writable home directory, an attacker could place malicious code\nin this directory that would be later loaded and executed.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-21305", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-21305", + "desc": "Code Injection vulnerability in CarrierWave::RMagick/n### Impact\n[CarrierWave::RMagick](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/processing/rmagick.rb)\nhas a Code Injection vulnerability. Its `#manipulate!` method inappropriately evals the content of mutation\noption(`:read`/`:write`), allowing attackers to craft a string that can be executed as a Ruby code.\nIf an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE).\n\n(But supplying untrusted input to the option itself is dangerous even in absence of this vulnerability, since is prone to\nDoS vulnerability - attackers can try to consume massive amounts of memory by resizing to a very large dimension)\n\n### Proof of Concept\n```ruby\nclass MyUploader < CarrierWave::Uploader::Base\n include CarrierWave::RMagick\nend\n\nMyUploader.new.manipulate!({ read: { density: \"1 }; p 'Hacked'; {\" }}) # => shows \"Hacked\"\n```\n\n### Patches\nUpgrade to [2.1.1](https://rubygems.org/gems/carrierwave/versions/2.1.1) or\n[1.3.2](https://rubygems.org/gems/carrierwave/versions/1.3.2).\n\n### Workarounds\nStop supplying untrusted input to `#manipulate!`'s mutation option.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-41817", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-41817", + "desc": "Regular Expression Denial of Service Vulnerability of Date Parsing Methods/nDate's parsing methods including `Date.parse` are using Regexps internally, some of\nwhich are vulnerable against regular expression denial of service. Applications and\nlibraries that apply such methods to untrusted input may be affected.\n\nThe fix limits the input length up to 128 bytes by default instead of changing the\nregexps. This is because Date gem uses many Regexps and it is possible that there are\nstill undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the\nlimitation by explicitly passing `limit` keywords as `nil` like\n`Date.parse(str, limit: nil)`, but note that it may take a long time to parse.\n\nPlease update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You\ncan use `gem update date` to update it. If you are using bundler, please add\n`gem \"date\", \">= 3.2.1\"` to your `Gemfile`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-22799", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-22799", + "desc": "ReDoS based DoS vulnerability in GlobalID/nThere is a ReDoS based DoS vulnerability in the GlobalID gem. This\nvulnerability has been assigned the CVE identifier CVE-2023-22799.\n\nVersions Affected: >= 0.2.1\nNot affected: < 0.2.1\nFixed Versions: 1.0.1\n\n# Impact\n\nThere is a possible DoS vulnerability in the model name parsing section\nof the GlobalID gem. Carefully crafted input can cause the regular\nexpression engine to take an unexpected amount of time. All users running\nan affected release should either upgrade or use one of the workarounds\nimmediately.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-10663", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-10663", + "desc": "json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)/nThere is an unsafe object creation vulnerability in the json gem bundled with\nRuby. This vulnerability has been assigned the CVE identifier CVE-2020-10663.\nWe strongly recommend upgrading the json gem.\n\nDetails\n-------\n\nWhen parsing certain JSON documents, the json gem (including the one bundled\nwith Ruby) can be coerced into creating arbitrary objects in the target system.\n\nThis is the same issue as CVE-2013-0269. The previous fix was incomplete, which\naddressed JSON.parse(user_input), but didn’t address some other styles of JSON\nparsing including JSON(user_input) and JSON.parse(user_input, nil).\n\nSee CVE-2013-0269 in detail. Note that the issue was exploitable to cause a\nDenial of Service by creating many garbage-uncollectable Symbol objects, but\nthis kind of attack is no longer valid because Symbol objects are now\ngarbage-collectable. However, creating arbitrary objects may cause severe\nsecurity consequences depending upon the application code.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23514", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23514", + "desc": "Inefficient Regular Expression Complexity in Loofah/n## Summary\n\nLoofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n## Mitigation\n\nUpgrade to Loofah `>= 2.19.1`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23516", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23516", + "desc": "Uncontrolled Recursion in Loofah/n## Summary\n\nLoofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption.\n\n## Mitigation\n\nUpgrade to Loofah `>= 2.19.1`.\n\nUsers who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-24836", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-24836", + "desc": "Inefficient Regular Expression Complexity in Nokogiri/n## Summary\n\nNokogiri `< v1.13.4` contains an inefficient regular expression that is\nsusceptible to excessive backtracking when attempting to detect encoding\nin HTML documents.\n\n## Mitigation\n\nUpgrade to Nokogiri `>= 1.13.4`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23437", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23437", + "desc": "XML Injection in Xerces Java affects Nokogiri/n## Summary\n\nNokogiri v1.13.4 updates the vendored `xerces:xercesImpl` from 2.12.0 to\n2.12.2, which addresses [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437).\nThat CVE is scored as CVSS 6.5 \"Medium\" on the NVD record.\n\nPlease note that this advisory only applies to the **JRuby** implementation\nof Nokogiri `< 1.13.4`.\n\n## Mitigation\n\nUpgrade to Nokogiri `>= v1.13.4`.\n\n## Impact\n\n### [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437) in xerces-J\n\n- **Severity**: Medium\n- **Type**: [CWE-91](https://cwe.mitre.org/data/definitions/91.html) XML Injection (aka Blind XPath Injection)\n- **Description**: There's a vulnerability within the Apache Xerces Java\n (XercesJ) XML parser when handling specially crafted XML document payloads.\n This causes, the XercesJ XML parser to wait in an infinite loop, which may\n sometimes consume system resources for prolonged duration. This vulnerability\n is present within XercesJ version 2.12.1 and the previous versions.\n- **See also**: https://github.com/advisories/GHSA-h65f-jvqw-m9fj\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-29181", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-29181", + "desc": "Improper Handling of Unexpected Data Type in Nokogiri/n### Summary\n\nNokogiri `< v1.13.6` does not type-check all inputs into the XML and HTML4 SAX parsers.\nFor CRuby users, this may allow specially crafted untrusted inputs to cause illegal\nmemory access errors (segfault) or reads from unrelated memory.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as **High 8.2** (CVSS3.1).\n\n### Mitigation\n\nCRuby users should upgrade to Nokogiri `>= 1.13.6`.\n\nJRuby users are not affected.\n\n### Workarounds\n\nTo avoid this vulnerability in affected applications, ensure the untrusted input is a\n`String` by calling `#to_s` or equivalent.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-30560", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-30560", + "desc": "Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)/n## Summary\n\nNokogiri v1.13.2 upgrades two of its packaged dependencies:\n\n* vendored libxml2 from v2.9.12 to v2.9.13\n* vendored libxslt from v1.1.34 to v1.1.35\n\nThose library versions address the following upstream CVEs:\n\n* libxslt: CVE-2021-30560 (CVSS 8.8, High severity)\n* libxml2: CVE-2022-23308 (Unspecified severity, see more information below)\n\nThose library versions also address numerous other issues including performance\nimprovements, regression fixes, and bug fixes, as well as memory leaks and other\nuse-after-free issues that were not assigned CVEs.\n\nPlease note that this advisory only applies to the CRuby implementation of\nNokogiri < 1.13.2, and only if the packaged libraries are being used. If you've\noverridden defaults at installation time to use system libraries instead of\npackaged libraries, you should instead pay attention to your distro's `libxml2`\nand `libxslt` release announcements.\n\n## Mitigation\n\nUpgrade to Nokogiri >= 1.13.2.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated\nmitigation: compile and link an older version Nokogiri against external libraries\nlibxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.\n\n## Impact\n\n* libxslt CVE-2021-30560\n* CVSS3 score: 8.8 (High)\n\nFixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c\n\nAll versions of libxslt prior to v1.1.35 are affected.\n\nApplications using untrusted XSL stylesheets to transform XML are vulnerable to\na denial-of-service attack and should be upgraded immediately.\n\nlibxml2 CVE-2022-23308\n* As of the time this security advisory was published, there is no officially\npublished information available about this CVE's severity. The above NIST link\ndoes not yet have a published record, and the libxml2 maintainer has declined\nto provide a severity score.\n* Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12\n* Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html\n\nThe upstream commit and the explanation linked above indicate that an application\nmay be vulnerable to a denial of service, memory disclosure, or code execution if\nit parses an untrusted document with parse options `DTDVALID` set to true, and `NOENT`\nset to false.\n\nAn analysis of these parse options:\n\n* While `NOENT` is off by default for Document, DocumentFragment, Reader, and\nSchema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri\nv1.12.0 and later.\n* `DTDVALID` is an option that Nokogiri does not set for any operations, and so\nthis CVE applies only to applications setting this option explicitly.\n\nIt seems reasonable to assume that any application explicitly setting the parse\noption `DTDVALID` when parsing untrusted documents is vulnerable and should be\nupgraded immediately.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-41098", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-41098", + "desc": "Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby/n### Severity\n\nThe Nokogiri maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.0)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C/MAV:N/MAC:L) for JRuby users. (This security advisory does not apply to CRuby users.)\n\n### Impact\n\nIn Nokogiri v1.12.4 and earlier, **on JRuby only**, the SAX parser resolves external entities by default.\n\nUsers of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:\n\n- Nokogiri::XML::SAX::Parser\n- Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser\n- Nokogiri::XML::SAX::PushParser\n- Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser\n\n### Mitigation\n\nJRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.\n\nCRuby users are not affected.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-24839", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-24839", + "desc": "Denial of Service (DoS) in Nokogiri on JRuby/n## Summary\n\nNokogiri `v1.13.4` updates the vendored `org.cyberneko.html` library to\n`1.9.22.noko2` which addresses [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv).\nThat CVE is rated 7.5 (High Severity).\n\nSee [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv)\nfor more information.\n\nPlease note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.\n\n## Mitigation\n\nUpgrade to Nokogiri `>= 1.13.4`.\n\n## Impact\n\n### [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) in nekohtml\n\n- **Severity**: High 7.5\n- **Type**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption\n- **Description**: The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a\n `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup.\n- **See also**: [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23634", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23634", + "desc": "Information Exposure with Puma when used with Rails/n### Impact\n\nPrior to `puma` version `5.6.2`, `puma` may not always call\n`close` on the response body. Rails, prior to version `7.0.2.2`, depended on the\nresponse body being closed in order for its `CurrentAttributes` implementation to\nwork correctly.\n\nFrom Rails:\n\n> Under certain circumstances response bodies will not be closed, for example\n> a bug in a webserver[1] or a bug in a Rack middleware. In the event a\n> response is not notified of a close, ActionDispatch::Executor will not know\n> to reset thread local state for the next request. This can lead to data\n> being leaked to subsequent requests, especially when interacting with\n> ActiveSupport::CurrentAttributes.\n\nThe combination of these two behaviors (Puma not closing the body + Rails'\nExecutor implementation) causes information leakage.\n\n### Patches\n\nThis problem is fixed in Puma versions 5.6.2 and 4.3.11.\n\nThis problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nSee: https://github.com/advisories/GHSA-wh98-p28r-vrc9\nfor details about the rails vulnerability\n\nUpgrading to a patched Rails _or_ Puma version fixes the vulnerability.\n\n### Workarounds\n\nUpgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nThe [Rails CVE](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1)\nincludes a middleware that can be used instead.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-29509", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-29509", + "desc": "Keepalive Connections Causing Denial Of Service in puma/n### Impact\n\nThe fix for CVE-2019-16770 was incomplete. The original fix only protected\nexisting connections that had already been accepted from having their\nrequests starved by greedy persistent-connections saturating all threads in\nthe same process. However, new connections may still be starved by greedy\npersistent-connections saturating all threads in all processes in the\ncluster.\n\nA puma server which received more concurrent keep-alive connections than the\nserver had threads in its threadpool would service only a subset of\nconnections, denying service to the unserved connections.\n\n### Patches\n\nThis problem has been fixed in puma 4.3.8 and 5.3.1.\n\n### Workarounds\n\nSetting queue_requests false also fixes the issue. This is not advised when\nusing puma without a reverse proxy, such as nginx or apache, because you will\nopen yourself to slow client attacks (e.g. [slowloris][1]).\n\nThe fix is very small. [A git patch is available here][2] for those using\n[unsupported versions][3] of Puma.\n\n[1]: https://en.wikipedia.org/wiki/Slowloris_(computer_security)\n[2]: https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837\n[3]: https://github.com/puma/puma/security/policy#supported-versions\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-44571", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-44571", + "desc": "Denial of Service Vulnerability in Rack Content-Disposition parsing/nThere is a denial of service vulnerability in the Content-Disposition parsing\ncomponent of Rack. This vulnerability has been assigned the CVE identifier\nCVE-2022-44571.\n\nVersions Affected: >= 2.0.0\nNot affected: None.\nFixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1\n\n# Impact\n\nCarefully crafted input can cause Content-Disposition header parsing in Rack\nto take an unexpected amount of time, possibly resulting in a denial of\nservice attack vector. This header is used typically used in multipart\nparsing. Any applications that parse multipart posts using Rack (virtually\nall Rails applications) are impacted.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-44572", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-44572", + "desc": "Denial of service via multipart parsing in Rack/nThere is a denial of service vulnerability in the multipart parsing component\nof Rack. This vulnerability has been assigned the CVE identifier\nCVE-2022-44572.\n\nVersions Affected: >= 2.0.0\nNot affected: None.\nFixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1\n\n# Impact\n\nCarefully crafted input can cause RFC2183 multipart boundary parsing in Rack\nto take an unexpected amount of time, possibly resulting in a denial of\nservice attack vector. Any applications that parse multipart posts using\nRack (virtually all Rails applications) are impacted.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-27530", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-27530", + "desc": "Possible DoS Vulnerability in Multipart MIME parsing/nThere is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.\n\nVersions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3\n\n# Impact\nThe Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\n# Workarounds\nA proxy can be configured to limit the POST body size which will mitigate this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-44570", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-44570", + "desc": "Denial of service via header parsing in Rack/nThere is a possible denial of service vulnerability in the Range header\nparsing component of Rack. This vulnerability has been assigned the CVE\nidentifier CVE-2022-44570.\n\nVersions Affected: >= 1.5.0\nNot affected: None.\nFixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1\n\n# Impact\n\nCarefully crafted input can cause the Range header parsing component in Rack\nto take an unexpected amount of time, possibly resulting in a denial of\nservice attack vector. Any applications that deal with Range requests (such\nas streaming applications, or applications that serve files) may be impacted.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-30122", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-30122", + "desc": "Denial of Service Vulnerability in Rack Multipart Parsing/nThere is a possible denial of service vulnerability in the multipart parsing\ncomponent of Rack. This vulnerability has been assigned the CVE identifier\nCVE-2022-30122.\n\nVersions Affected: >= 1.2\nNot affected: < 1.2\nFixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1\n\n## Impact\nCarefully crafted multipart POST requests can cause Rack's multipart parser to\ntake much longer than expected, leading to a possible denial of service\nvulnerability.\n\nImpacted code will use Rack's multipart parser to parse multipart posts. This\nincludes directly using the multipart parser like this:\n\n```\nparams = Rack::Multipart.parse_multipart(env)\n```\n\nBut it also includes reading POST data from a Rack request object like this:\n\n```\np request.POST # read POST data\np request.params # reads both query params and POST data\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n## Workarounds\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23517", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23517", + "desc": "Inefficient Regular Expression Complexity in rails-html-sanitizer/n## Summary\n\nCertain configurations of rails-html-sanitizer `< 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `>= 1.4.4`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-31799", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-31799", + "desc": "RDoc OS command injection vulnerability/nRDoc used to call `Kernel#open` to open a local file. If a Ruby project has\na file whose name starts with `|` and ends with `tags`, the command following\nthe pipe character is executed. A malicious Ruby project could exploit it to\nrun an arbitrary command execution against a user who attempts to run `rdoc`\ncommand.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-28965", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-28965", + "desc": "XML round-trip vulnerability in REXML/nWhen parsing and serializing a crafted XML document, REXML gem (including\nthe one bundled with Ruby) can create a wrong XML document whose structure\nis different from the original one.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-31163", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-31163", + "desc": "TZInfo relative path traversal vulnerability allows loading of arbitrary files/n# Impact\n\n## Affected versions\n\n- 0.3.60 and earlier.\n- 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).\n\n## Vulnerability\n\nWith the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and\nlater and built-in to earlier versions), time zones are defined in Ruby files.\nThere is one file per time zone. Time zone files are loaded with `require` on\ndemand. In the affected versions, `TZInfo::Timezone.get` fails to validate\ntime zone identifiers correctly, allowing a new line character within the\nidentifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be\nmade to load unintended files with `require`, executing them within the Ruby\nprocess.\n\nFor example, with version 1.2.9, you can run the following to load a file with\npath `/tmp/payload.rb`:\n\n```ruby\nTZInfo::Timezone.get(\\\"foo\\\n/../../../../../../../../../../../../../../../../tmp/payload\\\")\n```\n\nThe exact number of parent directory traversals needed will vary depending on\nthe location of the tzinfo-data gem.\n\nTZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the\nRuby load path. Versions up to and including 1.2.5 can only be made to load\nfiles from directories within the load path.\n\nThis could be exploited in, for example, a Ruby on Rails application using\ntzinfo version 1.2.9, that allows file uploads and has a time zone selector\nthat accepts arbitrary time zone identifiers.\nThe CVSS score and severity have been set on this basis.\n\nVersions 2.0.0 and later are not vulnerable.\n\n# Patches\n\nVersions 0.3.61 and 1.2.10 include fixes to correctly validate time zone\nidentifiers.\n\nNote that version 0.3.61 can still load arbitrary files from the Ruby load\npath if their name follows the rules for a valid time zone identifier and the\nfile has a prefix of `tzinfo/definition` within a directory in the load path.\nFor example if `/tmp/upload` was in the load path, then\n`TZInfo::Timezone.get('foo')` could load a file with path\n`/tmp/upload/tzinfo/definition/foo.rb`. Applications should ensure that\nuntrusted files are not placed in a directory on the load path.\n\n# Workarounds\n\nAs a workaround, the time zone identifier can be validated before passing to\n`TZInfo::Timezone.get` by ensuring it matches the regular expression\n`\\\\A[A-Za-z0-9+\\\\-_]+(?:\\\\/[A-Za-z0-9+\\\\-_]+)*\\\\z`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25613", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25613", + "desc": "Potential HTTP Request Smuggling Vulnerability in WEBrick/nWEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to\ninconsistent interpretation between WEBrick and some HTTP proxy servers, which may\nallow the attacker to \"smuggle\" a request. See CWE-444 in detail.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22577", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22577", + "desc": "Possible XSS Vulnerability in Action Pack/nThere is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been\nassigned the CVE identifier CVE-2022-22577.\n\nVersions Affected: >= 5.2.0\nNot affected: < 5.2.0\nFixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1\n\n## Impact\n\nCSP headers were only sent along with responses that Rails considered as\n\"HTML\" responses. This left API requests without CSP headers, which could\npossibly expose users to XSS attacks.\n\n## Releases\n\nThe FIXED releases are available at the normal locations.\n\n## Workarounds\n\nSet a CSP for your API responses manually.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-27777", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-27777", + "desc": "Possible XSS Vulnerability in Action View tag helpers/nThere is a possible XSS vulnerability in Action View tag helpers. Passing\nuntrusted input as hash keys can lead to a possible XSS vulnerability. This\nvulnerability has been assigned the CVE identifier CVE-2022-27777.\n\nVersions Affected: ALL\nNot affected: NONE\nFixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1\n\n## Impact\n\nIf untrusted data is passed as the hash key for tag attributes, there is a\npossibility that the untrusted data may not be properly escaped which can\nlead to an XSS vulnerability.\n\nImpacted code will look something like this:\n\n```\ncheck_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })\n```\n\nWhere the \"malicious_input\" variable contains untrusted data.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n## Releases\n\nThe FIXED releases are available at the normal locations.\n\n## Workarounds\n\nEscape the untrusted data before using it as a key for tag helper methods.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-15169", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-15169", + "desc": "Potential XSS vulnerability in Action View/nThere is a potential Cross-Site Scripting (XSS) vulnerability in Action\nView's translation helpers. Views that allow the user to control the\ndefault (not found) value of the `t` and `translate` helpers could be\nsusceptible to XSS attacks.\n\nImpact\n------\n\nWhen an HTML-unsafe string is passed as the default for a missing\ntranslation key [named `html` or ending in `_html`](https://guides.rubyonrails.org/i18n.html#using-safe-html-translations),\nthe default string is incorrectly marked as HTML-safe and not escaped.\nVulnerable code may look like the following examples:\n\n```erb\n<%# The welcome_html translation is not defined for the current locale: %>\n<%= t(\"welcome_html\", default: untrusted_user_controlled_string) %>\n\n<%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>\n<%= t(\"title.html\", default: [:\"missing.html\", untrusted_user_controlled_string]) %>\n```\n\nWorkarounds\n-----------\nImpacted users who can’t upgrade to a patched Rails version can avoid\nthis issue by manually escaping default translations with the\n`html_escape` helper (aliased as `h`):\n\n```erb\n<%= t(\"welcome_html\", default: h(untrusted_user_controlled_string)) %>\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22880", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22880", + "desc": "Possible DoS Vulnerability in Active Record PostgreSQL adapter/nThere is a possible DoS vulnerability in the PostgreSQL adapter in Active\nRecord. This vulnerability has been assigned the CVE identifier CVE-2021-22880.\n\nVersions Affected: >= 4.2.0\nNot affected: < 4.2.0\nFixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5\n\nImpact\n------\nCarefully crafted input can cause the input validation in the \"money\" type of\nthe PostgreSQL adapter in Active Record to spend too much time in a regular\nexpression, resulting in the potential for a DoS attack.\n\nThis only impacts Rails applications that are using PostgreSQL along with\nmoney type columns that take user input.\n\nWorkarounds\n-----------\nIn the case a patch can't be applied, the following monkey patch can be used\nin an initializer:\n\n```\nmodule ActiveRecord\n module ConnectionAdapters\n module PostgreSQL\n module OID # :nodoc:\n class Money < Type::Decimal # :nodoc:\n def cast_value(value)\n return value unless ::String === value\n\n value = value.sub(/^\\((.+)\\)$/, '-\\1') # (4)\n case value\n when /^-?\\D*+[\\d,]+\\.\\d{2}$/ # (1)\n value.gsub!(/[^-\\d.]/, \"\")\n when /^-?\\D*+[\\d.]+,\\d{2}$/ # (2)\n value.gsub!(/[^-\\d,]/, \"\").sub!(/,/, \".\")\n end\n\n super(value)\n end\n end\n end\n end\n end\nend\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-26144", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-26144", + "desc": "Possible Sensitive Session Information Leak in Active Storage/nThere is a possible sensitive session information leak in Active Storage.\nBy default, Active Storage sends a `Set-Cookie` header along with the user’s\nsession cookie when serving blobs. It also sets `Cache-Control` to public.\nCertain proxies may cache the `Set-Cookie`, leading to an information leak.\n\nThis vulnerability has been assigned the CVE identifier CVE-2024-26144.\n\nVersions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7\n\n# Impact\n\nA proxy which chooses to caches this request can cause users to share\nsessions. This may include a user receiving an attacker’s session or vice\nversa.\n\nThis was patched in 7.1.0 but not previously identified as a security\nvulnerability.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nUpgrade to Rails 7.1.X, or configure caching proxies not to cache the\n`Set-Cookie` headers.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-21288", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-21288", + "desc": "Server-side request forgery in CarrierWave/n### Impact\n[CarrierWave download feature](https://github.com/carrierwaveuploader/carrierwave#uploading-files-from-a-remote-location\nhas an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use\nand gather information about the Intranet infrastructure of the platform.\n\n### Patches\nUpgrade to [2.1.1](https://rubygems.org/gems/carrierwave/versions/2.1.1) or\n[1.3.2](https://rubygems.org/gems/carrierwave/versions/1.3.2).\n\n### Workarounds\nUsing proper network segmentation and applying the principle of least privilege to outbound connections from application\nservers can reduce the severity of SSRF vulnerabilities. Ideally the vulnerable gem should run on an isolated server\nwithout access to any internal network resources or cloud metadata access.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-49090", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-49090", + "desc": "CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS/n###Impact\n[CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb)\nhas a Content-Type allowlist bypass vulnerability, possibly leading to XSS.\n\nThe validation in `allowlisted_content_type?` determines Content-Type\npermissions by performing a partial match.\nIf the `content_type` argument of `allowlisted_content_type?` is passed\na value crafted by the attacker, Content-Types not included in the\n`content_type_allowlist` will be allowed.\n\nIn addition, by setting the Content-Type configured by the attacker\nat the time of file delivery, it is possible to cause XSS on the\nuser's browser when the uploaded file is opened.\n\n### Patches\nUpgrade to [3.0.5](https://rubygems.org/gems/carrierwave/versions/3.0.5)\nor [2.2.5](https://rubygems.org/gems/carrierwave/versions/2.2.5).\n\n### Workarounds\nWhen validating with `allowlisted_content_type?` in\n[CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb),\nforward match(`\\\\A`) the Content-Type set in `content_type_allowlist`,\npreventing unintentional permission of `text/html;image/png` when\nyou want to allow only `image/png` in `content_type_allowlist`.\n\n### References\n[OWASP - File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-29034", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-29034", + "desc": "CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained/n### Impact\n\nThe vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj)\nwasn't fully addressed.\n\nThis vulnerability is caused by the fact that when uploading to\nobject storage, including Amazon S3, it is possible to set a\nContent-Type value that is interpreted by browsers to be different\nfrom what's allowed by `content_type_allowlist`, by providing\nmultiple values separated by commas.\n\nThis bypassed value can be used to cause XSS.\n\n### Patches\n\nUpgrade to [3.0.7](https://rubygems.org/gems/carrierwave/versions/3.0.7) or [2.2.6](https://rubygems.org/gems/carrierwave/versions/2.2.6).\n\n### Workarounds\nUse the following monkey patch to let CarrierWave parse the\nContent-type by using `Marcel::MimeType.for`.\n\n```ruby\n# For CarrierWave 3.x\nCarrierWave::SanitizedFile.class_eval do\n def declared_content_type\n @declared_content_type ||\n if @file.respond_to?(:content_type) && @file.content_type\n Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)\n end\n end\nend\n```\n\n```ruby\n# For CarrierWave 2.x\nCarrierWave::SanitizedFile.class_eval do\n def existing_content_type\n if @file.respond_to?(:content_type) && @file.content_type\n Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)\n end\n end\nend\n```\n\n### References\n\n[OWASP - File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23515", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23515", + "desc": "Improper neutralization of data URIs may allow XSS in Loofah/n## Summary\n\nLoofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs.\n\n## Mitigation\n\nUpgrade to Loofah `>= 2.19.1`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-26247", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-26247", + "desc": "Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability/n### Description\n\nIn Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by `Nokogiri::XML::Schema`\nare **trusted** by default, allowing external resources to be accessed over the\nnetwork, potentially enabling XXE or SSRF attacks.\n\nThis behavior is counter to\nthe security policy followed by Nokogiri maintainers, which is to treat all input\nas **untrusted** by default whenever possible.\n\nPlease note that this security\nfix was pushed into a new minor version, 1.11.x, rather than a patch release to\nthe 1.10.x branch, because it is a breaking change for some schemas and the risk\nwas assessed to be \"Low Severity\".\n\n### Affected Versions\n\nNokogiri `<= 1.10.10` as well as prereleases `1.11.0.rc1`, `1.11.0.rc2`, and `1.11.0.rc3`\n\n### Mitigation\n\nThere are no known workarounds for affected versions. Upgrade to Nokogiri\n`1.11.0.rc4` or later.\n\nIf, after upgrading to `1.11.0.rc4` or later, you wish\nto re-enable network access for resolution of external resources (i.e., return to\nthe previous behavior):\n\n1. Ensure the input is trusted. Do not enable this option\nfor untrusted input.\n2. When invoking the `Nokogiri::XML::Schema` constructor,\npass as the second parameter an instance of `Nokogiri::XML::ParseOptions` with the\n`NONET` flag turned off.\n\nSo if your previous code was:\n\n``` ruby\n# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network\n# but in v1.11.0.rc4 and later, this call will disallow network access for external resources\nschema = Nokogiri::XML::Schema.new(schema)\n\n# in v1.11.0.rc4 and later, the following is equivalent to the code above\n# (the second parameter is optional, and this demonstrates its default value)\nschema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)\n```\n\nThen you can add the second parameter to indicate that the input is trusted by changing it to:\n\n``` ruby\n# in v1.11.0.rc3 and earlier, this would raise an ArgumentError\n# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network\nschema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-40175", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-40175", + "desc": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma/n### Impact\n\nPrior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.\n\nThe following vulnerabilities are addressed by this advisory:\n- Incorrect parsing of trailing fields in chunked transfer encoding bodies\n- Parsing of blank/zero-length Content-Length headers`\\r\\n`\n\n### Patches\n\nThe vulnerability has been fixed in 6.3.1 and 5.6.7.\n\n### Workarounds\n\nNo known workarounds.\n\n### References\n\n[HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-21647", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-21647", + "desc": "Puma HTTP Request/Response Smuggling vulnerability/n\n### Impact\nPrior to versions 6.4.2 and 5.6.8, puma exhibited incorrect\nbehavior when parsing chunked transfer encoding bodies in a\nway that allowed HTTP request smuggling.\n\nFixed versions limit the size of chunk extensions. Without this\nlimit, an attacker could cause unbounded resource (CPU, network\nbandwidth) consumption.\n\n### Patches\n\nThe vulnerability has been fixed in 6.4.2 and 5.6.8.\n\n### Workarounds\n\nNo known workarounds.\n\n### References\n\n* [HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n* Open an issue in [Puma](https://github.com/puma/puma)\n* See our [security policy](https://github.com/puma/puma/security/policy)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-26141", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-26141", + "desc": "Possible DoS Vulnerability with Range Header in Rack/nThere is a possible DoS vulnerability relating to the Range request header in\nRack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.\n\nVersions Affected: >= 1.3.0. Not affected: < 1.3.0 Fixed Versions: 3.0.9.1, 2.2.8.1\n\n# Impact\n\nCarefully crafted Range headers can cause a server to respond with an\nunexpectedly large response. Responding with such large responses could lead\nto a denial of service issue.\n\nVulnerable applications will use the `Rack::File` middleware or the\n`Rack::Utils.byte_ranges` methods (this includes Rails applications).\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-27539", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-27539", + "desc": "Possible Denial of Service Vulnerability in Rack’s header parsing/nThere is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.\n\nVersions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1\n\n# Impact\nCarefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.\n\n# Workarounds\nSetting Regexp.timeout in Ruby 3.2 is a possible workaround.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-25126", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-25126", + "desc": "Denial of Service Vulnerability in Rack Content-Type Parsing/nThere is a possible denial of service vulnerability in the content type\nparsing component of Rack. This vulnerability has been assigned the CVE\nidentifier CVE-2024-25126.\n\nVersions Affected: >= 0.4 Not affected: < 0.4 Fixed Versions: 3.0.9.1, 2.2.8.1\n\n# Impact\n\nCarefully crafted content type headers can cause Rack’s media type parser to\ntake much longer than expected, leading to a possible denial of service\nvulnerability.\n\nImpacted code will use Rack’s media type parser to parse content type headers.\nThis code will look like below:\n\n```\nrequest.media_type\n\n## OR\nrequest.media_type_params\n\n## OR\nRack::MediaType.type(content_type)\n```\n\nSome frameworks (including Rails) call this code internally, so upgrading is\nrecommended!\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-26146", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-26146", + "desc": "Possible Denial of Service Vulnerability in Rack Header Parsing/nThere is a possible denial of service vulnerability in the header parsing\nroutines in Rack. This vulnerability has been assigned the CVE identifier\nCVE-2024-26146.\n\nVersions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1\n\n# Impact\n\nCarefully crafted headers can cause header parsing in Rack to take longer than\nexpected resulting in a possible denial of service issue. `Accept` and\n`Forwarded` headers are impacted.\n\nRuby 3.2 has mitigations for this problem, so Rack applications using\nRuby 3.2 or newer are unaffected.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2014-0081", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2014-0081", + "desc": "CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability/nMultiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb\nin Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2\nallow remote attackers to inject arbitrary web script or HTML via the (1) format,\n(2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage,\nor (c) number_to_human helper.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23518", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23518", + "desc": "Improper neutralization of data URIs may allow XSS in rails-html-sanitizer/n## Summary\n\nrails-html-sanitizer `>= 1.0.3, < 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `>= 2.1.0`.\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `>= 1.4.4`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-32209", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-32209", + "desc": "Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer/nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.\nThis vulnerability has been assigned the CVE identifier CVE-2022-32209.\n\nVersions Affected: ALL\nNot affected: NONE\nFixed Versions: v1.4.3\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer\nmay allow an attacker to inject content if the application developer has overridden\nthe sanitizer's allowed tags to allow both `select` and `style` elements.\n\nCode is only impacted if allowed tags are being overridden. This may be done via\napplication configuration:\n\n```ruby\n# In config/application.rb\nconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]\n```\n\nsee https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\nOr it may be done with a `:tags` option to the Action View helper `sanitize`:\n\n```\n<%= sanitize @comment.body, tags: [\"select\", \"style\"] %>\n```\n\nsee https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\nOr it may be done with Rails::Html::SafeListSanitizer directly:\n\n```ruby\n# class-level option\nRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]\n```\n\nor\n\n```ruby\n# instance-level option\nRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])\n```\n\nAll users overriding the allowed tags by any of the above mechanisms to include\nboth \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.\n\n## Workarounds\n\nRemove either `select` or `style` from the overridden allowed tags.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23519", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23519", + "desc": "Possible XSS vulnerability with certain configurations of rails-html-sanitizer/n## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n- allow both \"math\" and \"style\" elements,\n- or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:\n\n1. using application configuration:\n\n ```ruby\n # In config/application.rb\n config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n # or\n config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n ```\n\n see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n ```\n <%= sanitize @comment.body, tags: [\"math\", \"style\"] %>\n <%# or %>\n <%= sanitize @comment.body, tags: [\"svg\", \"style\"] %>\n ```\n\n see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`:\n\n ```ruby\n # class-level option\n Rails::Html::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n # or\n Rails::Html::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n ```\n\n4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`:\n\n ```ruby\n # instance-level option\n Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n # or\n Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds immediately.\n\n## Workarounds\n\nRemove \"style\" from the overridden allowed tags, or remove \"math\" and \"svg\" from the overridden allowed tags.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23520", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23520", + "desc": "Possible XSS vulnerability with certain configurations of rails-html-sanitizer/n## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both \"select\" and \"style\" elements.\n\nCode is only impacted if allowed tags are being overridden using either of the following two mechanisms:\n\n1. Using the Rails configuration `config.action_view.sanitized_allow_tags=`:\n\n ```ruby\n # In config/application.rb\n config.action_view.sanitized_allowed_tags = [\"select\", \"style\"]\n ```\n\n (see https://guides.rubyonrails.org/configuring.html#configuring-action-view)\n\n2. Using the class method `Rails::Html::SafeListSanitizer.allowed_tags=`:\n\n ```ruby\n # class-level option\n Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]\n ```\n\nAll users overriding the allowed tags by either of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.\n\nNOTE: Code is _not_ impacted if allowed tags are overridden using either of the following mechanisms:\n\n- the `:tags` option to the Action View helper method `sanitize`.\n- the `:tags` option to the instance method `SafeListSanitizer#sanitize`.\n\n## Workarounds\n\nRemove either \"select\" or \"style\" from the overridden allowed tags.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-27281", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-27281", + "desc": "RCE vulnerability with .rdoc_options in RDoc/nAn issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby\n3.x through 3.3.0.\n\nWhen parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file,\nobject injection and resultant remote code execution are possible because\nthere are no restrictions on the classes that can be restored.\n\nWhen loading the documentation cache, object injection and resultant remote\ncode execution are also possible if there were a crafted cache.\n\nWe recommend to update the RDoc gem to version 6.6.3.1 or later. In order to\nensure compatibility with bundled version in older Ruby series, you may\nupdate as follows instead:\n\n* For Ruby 3.0 users: Update to `rdoc` 6.3.4.1\n* For Ruby 3.1 users: Update to `rdoc` 6.4.1.1\n* For Ruby 3.2 users: Update to `rdoc` 6.5.1.1\n\nYou can use `gem update rdoc` to update it. If you are using bundler, please\nadd `gem \"rdoc\", \">= 6.6.3.1\"` to your `Gemfile`.\n\nNote: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to\nupgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-39908", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-39908", + "desc": "DoS in REXML/nThere is a DoS vulnerability in REXML gem. This vulnerability has\nbeen assigned the CVE identifier CVE-2024-39908. We strongly\nrecommend upgrading the REXML gem.\n\n## Details\n\nWhen it parses an XML that has many specific characters such as\n<, 0 and %>. REXML gem may take long time.\n\nPlease update REXML gem to version 3.3.2 or later.\n\n## Affected versions\n\nREXML gem 3.3.2 or prior\n\n## Credits\n\nThanks to mprogrammer for discovering this issue.\n\n## History\n\nOriginally published at 2024-07-16 03:00:00 (UTC)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-35176", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-35176", + "desc": "REXML contains a denial of service vulnerability/n### Impact\n\nThe REXML gem before 3.2.6 has a DoS vulnerability when it\nparses an XML that has many `<`s in an attribute value.\n\nIf you need to parse untrusted XMLs, you many be impacted\nto this vulnerability.\n\n### Patches\n\nThe REXML gem 3.2.7 or later include the patch to fix this\nvulnerability.\n\n### Workarounds\n\nDon't parse untrusted XMLs.\n\n### References\n\n* https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-43398", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-43398", + "desc": "REXML denial of service vulnerability/n### Impact\n\nThe REXML gem before 3.3.6 has a DoS vulnerability when it parses an\nXML that has many deep elements that have same local name attributes.\n\nIf you need to parse untrusted XMLs with tree parser API like\n`REXML::Document.new`, you may be impacted to this vulnerability.\nIf you use other parser APIs such as stream parser API and SAX2\nparser API, this vulnerability is not affected.\n\nThis vulnerability has been assigned the CVE identifier CVE-2024-43398.\nWe strongly recommend upgrading the REXML gem.\n\n### Patches\n\nThe REXML gem 3.3.6 or later include the patch to fix the\nvulnerability.\n\n### Workarounds\n\nDon't parse untrusted XMLs with tree parser API.\n\n## Affected versions\n\nREXML gem 3.3.5 or prior\n\n## Credits\n\nThanks to l33thaxor for discovering this issue.\n\n## History\n\nOriginally published at 2024-08-22 03:00:00 (UTC)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-41123", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-41123", + "desc": "DoS vulnerabilities in REXML/nThere are some DoS vulnerabilities in REXML gem.\nThese vulnerabilities have been assigned the CVE identifier\nCVE-2024-41123. We strongly recommend upgrading the REXML gem.\n\n## Details\n\nWhen parsing an XML document that has many specific characters such\nas whitespace character, >] and ]>, REXML gem may take long time.\n\nPlease update REXML gem to version 3.3.3 or later.\n\n## Affected versions\n\n* REXML gem 3.3.2 or prior\n\n## Credits\n\nThanks to mprogrammer and scyoon for discovering these issues.\n\n## History\n\nOriginally published at 2024-08-01 03:00:00 (UTC)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-41946", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-41946", + "desc": "DoS vulnerabilities in REXML/nThere is a DoS vulnerability in REXML gem.\nThis vulnerability has been assigned the CVE identifier\nCVE-2024-41946. We strongly recommend upgrading the REXML gem.\n\n## Details\n\nWhen parsing an XML that has many entity expansions with SAX2 or\npull parser API, REXML gem may take long time.\n\nPlease update REXML gem to version 3.3.3 or later.\n\n## Affected versions\n\n* REXML gem 3.3.2 or prior\n\n## Credits\n\nThanks to NAITOH Jun for discovering and fixing this issue.\n\n## History\n\nOriginally published at 2024-08-01 03:00:00 (UTC)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-41136", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-41136", + "desc": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma/n### Impact\n\nPrior to `puma` version 5.5.0, using `puma` with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.\n\nThis behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as \"low\". Puma is only aware of a single proxy server which has this behavior.\n\nIf the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.\n\n### Patches\n\nThis vulnerability was patched in Puma 5.5.1 and 4.3.9.\n\n### Workarounds\n\nThis vulnerability only affects Puma installations without any proxy in front.\n\nUse a proxy which does not forward LF characters as line endings.\n\nProxies which do not forward LF characters as line endings:\n\n* Nginx\n* Apache (>2.4.25)\n* Haproxy\n* Caddy\n* Traefik\n\n### Possible Breakage\n\nIf you are [dealing with legacy clients that want to send `LF` as a line ending](https://stackoverflow.com/questions/43574428/have-apache-accept-lf-vs-crlf-in-request-headers) in an HTTP header, this will cause those clients to receive a `400` error.\n\n### References\n\n* [HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + } + ], + "sha256": "d8dd7fb2cc5d767a82da37b75060391c990e470a19b730881b9b8df23c32c73d" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/neuvector_mapper/neuvector-hdf.json b/libs/hdf-converters/sample_jsons/neuvector_mapper/neuvector-hdf.json index 8bbc26d5c2..3eab5c496a 100644 --- a/libs/hdf-converters/sample_jsons/neuvector_mapper/neuvector-hdf.json +++ b/libs/hdf-converters/sample_jsons/neuvector_mapper/neuvector-hdf.json @@ -23,8 +23,4950 @@ "depends": [], "groups": [], "status": "loaded", - "controls": [], - "sha256": "56a6f4affb2c6c6d22bd258b4e3a99b16880e93b4a99b128a244f91068f5269c" + "controls": [ + { + "tags": { + "cve": "CVE-2021-36159", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-36159", + "desc": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25235", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25235", + "desc": "xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22824", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22824", + "desc": "defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-45960", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-45960", + "desc": "In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25236", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25236", + "desc": "xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22823", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22823", + "desc": "build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25315", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25315", + "desc": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22822", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22822", + "desc": "addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23852", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23852", + "desc": "Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-27404", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-27404", + "desc": "FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-15900", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-15900", + "desc": "A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-20232", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-20232", + "desc": "A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-20231", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-20231", + "desc": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-31535", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-31535", + "desc": "LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-7774", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-7774", + "desc": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22931", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22931", + "desc": "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22930", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22930", + "desc": "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3711", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3711", + "desc": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-37434", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-37434", + "desc": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-30139", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-30139", + "desc": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42378", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42378", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42379", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42379", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42381", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42381", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42384", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42384", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42385", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42385", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42383", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42383", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42386", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42386", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-28831", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-28831", + "desc": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42380", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42380", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-28391", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-28391", + "desc": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42382", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42382", + "desc": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-35492", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-35492", + "desc": "A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-24407", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-24407", + "desc": "In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-46143", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-46143", + "desc": "In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22825", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22825", + "desc": "lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22826", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22826", + "desc": "nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22827", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22827", + "desc": "storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25314", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25314", + "desc": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23990", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23990", + "desc": "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-27406", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-27406", + "desc": "FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-27405", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-27405", + "desc": "FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-20240", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-20240", + "desc": "A flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-43618", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-43618", + "desc": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-29599", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-29599", + "desc": "ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3518", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3518", + "desc": "There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3517", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3517", + "desc": "There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23308", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23308", + "desc": "valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-39537", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-39537", + "desc": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3580", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3580", + "desc": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-39135", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-39135", + "desc": "`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-8277", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-8277", + "desc": "A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-21824", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-21824", + "desc": "Due to the formatting logic of the \"console.table()\" function it was not safe to allow user controlled input to be passed to the \"properties\" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be \"__proto__\". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-39134", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-39134", + "desc": "`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in their `package.json` file such as `\"foo\": \"file:/some/path\"`. Another package, `pwn-b` could define a dependency such as `FOO: \"file:foo.tgz\"`. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-37713", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-37713", + "desc": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22883", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22883", + "desc": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-8265", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-8265", + "desc": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-44531", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-44531", + "desc": "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-37701", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-37701", + "desc": "The npm package \"tar\" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-37712", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-37712", + "desc": "The npm package \"tar\" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22884", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22884", + "desc": "Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25692", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25692", + "desc": "A NULL pointer dereference was found in OpenLDAP server and was fixed in openldap 2.4.55, during a request for renaming RDNs. An unauthenticated attacker could remotely crash the slapd process by sending a specially crafted request, causing a Denial of Service.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25709", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25709", + "desc": "A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25710", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25710", + "desc": "A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-27212", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-27212", + "desc": "In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-23840", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-23840", + "desc": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-0778", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-0778", + "desc": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3450", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3450", + "desc": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3712", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3712", + "desc": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-29363", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-29363", + "desc": "An issue was discovered in p11-kit 0.23.6 through 0.23.21. A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-29361", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-29361", + "desc": "An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25696", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25696", + "desc": "A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \\gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25695", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25695", + "desc": "A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-23214", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-23214", + "desc": "When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25694", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25694", + "desc": "A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-32027", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-32027", + "desc": "A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-1271", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-1271", + "desc": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2018-25032", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2018-25032", + "desc": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-36217", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-36217", + "desc": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-3502. Reason: This candidate is a duplicate of CVE-2021-3502. Notes: All CVE users should reference CVE-2021-3502 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3468", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3468", + "desc": "A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-42374", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-42374", + "desc": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3672", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3672", + "desc": "A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2019-6462", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2019-6462", + "desc": "An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25313", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25313", + "desc": "In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-29385", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-29385", + "desc": "GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. if c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-27560", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-27560", + "desc": "ImageMagick 7.0.10-34 allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-20205", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-20205", + "desc": "Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-29824", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-29824", + "desc": "In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3537", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3537", + "desc": "A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3541", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3541", + "desc": "A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-28928", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-28928", + "desc": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22960", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22960", + "desc": "The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22959", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22959", + "desc": "The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-44533", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-44533", + "desc": "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-44532", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-44532", + "desc": "Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22939", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22939", + "desc": "If the Node.js https API was used incorrectly and \"undefined\" was in passed for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-8287", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-8287", + "desc": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22918", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22918", + "desc": "Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3449", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3449", + "desc": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-23839", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-23839", + "desc": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-1971", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-1971", + "desc": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-23841", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-23841", + "desc": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-29362", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-29362", + "desc": "An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by thep11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-32028", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-32028", + "desc": "A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-20229", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-20229", + "desc": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3393", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3393", + "desc": "An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-32029", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-32029", + "desc": "A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3677", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3677", + "desc": "A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-23222", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-23222", + "desc": "A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-0563", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-0563", + "desc": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3995", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3995", + "desc": "A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-3996", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-3996", + "desc": "A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-32224", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-32224", + "desc": "Possible RCE escalation bug with Serialized Columns in Active Record/nThere is a possible escalation to RCE when using YAML serialized columns in\nActive Record. This vulnerability has been assigned the CVE identifier\nCVE-2022-32224.\n\nVersions Affected: All.\nNot affected: None\nFixed Versions: 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1\n\nImpact\n------\nWhen serialized columns that use YAML (the default) are deserialized, Rails\nuses `YAML.unsafe_load` to convert the YAML data in to Ruby objects. If an\nattacker can manipulate data in the database (via means like SQL injection),\nthen it may be possible for the attacker to escalate to an RCE.\n\nImpacted Active Record models will look something like this:\n\n```ruby\nclass User < ApplicationRecord\n serialize :options # Vulnerable: Uses YAML for serialization\n serialize :values, Array # Vulnerable: Uses YAML for serialization\n serialize :values, JSON # Not vulnerable\nend\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe FIXED releases are available at the normal locations.\n\nThe released versions change the default YAML deserializer to use\n`YAML.safe_load`, which prevents deserialization of possibly dangerous\nobjects. This may introduce backwards compatibility issues with existing\ndata.\n\nIn order to cope with that situation, the released version also contains two\nnew Active Record configuration options. The configuration options are as\nfollows:\n\n* `config.active_record.use_yaml_unsafe_load`\n\nWhen set to true, this configuration option tells Rails to use the old\n\"unsafe\" YAML loading strategy, maintaining the existing behavior but leaving\nthe possible escalation vulnerability in place. Setting this option to true\nis *not* recommended, but can aid in upgrading.\n\n* `config.active_record.yaml_column_permitted_classes`\n\nThe \"safe YAML\" loading method does not allow all classes to be deserialized\nby default. This option allows you to specify classes deemed \"safe\" in your\napplication. For example, if your application uses Symbol and Time in\nserialized data, you can add Symbol and Time to the allowed list as follows:\n\n```\nconfig.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]\n```\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue, but other coders (such as\nJSON) are not impacted.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-21831", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-21831", + "desc": "Possible code injection vulnerability in Rails / Active Storage/nThere is a possible code injection vulnerability in the Active Storage module\nof Rails. This vulnerability has been assigned the CVE identifier\nCVE-2022-21831.\n\nVersions Affected: >= 5.2.0\nNot affected: < 5.2.0\nFixed Versions: 7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3\n\nImpact\n------\nThere is a possible code injection vulnerability in the Active Storage module\nof Rails. This vulnerability impacts applications that use Active Storage\nwith the image_processing processing in addition to the mini_magick back end\nfor image_processing.\n\nVulnerable code will look something similar to this:\n\n```ruby\n<%= image_tag blob.variant(params[:t] => params[:v]) %>\n```\n\nWhere the transformation method or its arguments are untrusted arbitrary\ninput.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nWorkarounds\n-----------\nTo work around this issue, applications should implement a strict allow-list\non accepted transformation methods or arguments. Additionally, a strict image\nmagick security policy will help mitigate this issue.\n\n https://imagemagick.org/script/security-policy.php\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-36327", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-36327", + "desc": "Dependency Confusion in Bundler with Implicit Private Dependencies/nBundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a\ndependency source based on the highest gem version number, which means that a\nrogue gem found at a public source may be chosen, even if the intended choice\nwas a private gem that is a dependency of another private gem that is\nexplicitly depended on by the application.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-43809", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-43809", + "desc": "Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile/nIn `bundler` versions before 2.2.33, when working with untrusted and apparently harmless\n`Gemfile`'s, it is not expected that they lead to execution of external code, unless\nthat's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile`\nincludes `gem` entries that use the `git` option with invalid, but seemingly harmless,\nvalues with a leading dash, this can be false.\n\nTo handle dependencies that come from a Git repository instead of a registry, Bundler\nuses various commands, such as `git clone`. These commands are being constructed using\nuser input (e.g. the repository URL). When building the commands, Bundler versions\nbefore 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of\narguments instead of a command string. However, there is the possibility that a user\ninput starts with a dash (`-`) and is therefore treated as an optional argument instead\nof a positional one. This can lead to Code Execution because some of the commands have\noptions that can be leveraged to run arbitrary executables.\n\nSince this value comes from the `Gemfile` file, it can contain any character, including\na leading dash.\n\n### Exploitation\n\nTo exploit this vulnerability, an attacker has to craft a directory containing a\n`Gemfile` file that declares a dependency that is located in a Git repository. This\ndependency has to have a Git URL in the form of `-u./payload`. This URL will be used to\nconstruct a Git clone command but will be interpreted as the\n[upload-pack](https://git-scm.com/docs/git-clone#Documentation/git-clone.txt--ultupload-packgt)\nargument. Then this directory needs to be shared with the victim, who then needs to run\na command that evaluates the Gemfile, such as `bundle lock`, inside.\n\n### Impact\n\nThis vulnerability can lead to Arbitrary Code Execution, which could potentially lead\nto the takeover of the system. However, as explained above, the exploitability is very\nlow, because it requires a lot of user interaction. It still could put developers at\nrisk when dealing with untrusted files in a way they think is safe, because the exploit\nstill works when the victim tries to make sure nothing can happen, e.g. by manually\nreviewing the `Gemfile` (although they would need the weird URL with a leading dash to\nnot raise any flags).\n\nThis kind of attack vector\n[has been used in the past](https://www.cnbc.com/2021/01/26/north-korean-hackers-targeting-security-researchers-on-twitter.html)\nto target security researchers by sending them projects to collaborate on.\n\n### Patches\n\nBundler 2.2.33 has patched this problem by inserting `--` as an argument before any\npositional arguments to those Git commands that were affected by this issue.\n\n### Workarounds\n\nRegardless of whether users can upgrade or not, they should review any untrusted\n`Gemfile`'s before running any `bundler` commands that may read them, since they\ncan contain arbitrary ruby code.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2016-7954", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2016-7954", + "desc": "Allows an attacker to inject arbitrary code into your application via any secondary Gem source declared in your Gemfile/nBundler 1.x might allow remote attackers to inject arbitrary Ruby\ncode into an application by leveraging a Gem name collision on a\nsecondary source.\n\nPlease note that this vulnerability only applies for Ruby\nprojects using Bundler < 2.0 with Gemfiles having 2 or more\n\"source\" lines.\n\nIn other words, if the user's Gemfile does not use multiple\nsources, this vulnerability can be ignored.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-32511", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-32511", + "desc": "JMESPath for Ruby using JSON.load instead of JSON.parse/njmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a\nsituation where JSON.parse is preferable.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-25765", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-25765", + "desc": "PDFKit vulnerable to Command Injection/nThe package pdfkit from version 0.0.0 through version 0.8.6 is vulnerable\nto Command Injection where the URL is not properly sanitized.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-24790", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-24790", + "desc": "HTTP Request Smuggling in puma/n### Impact\n\nWhen using Puma behind a proxy that does not properly validate that the\nincoming HTTP request matches the RFC7230 standard, Puma and the frontend\nproxy may disagree on where a request starts and ends. This would allow\nrequests to be smuggled via the front-end proxy to Puma.\n\nThe following vulnerabilities are addressed by this advisory:\n- Lenient parsing of `Transfer-Encoding` headers, when unsupported encodings\n should be rejected and the final encoding must be `chunked`.\n- Lenient parsing of malformed `Content-Length` headers and chunk sizes, when\n only digits and hex digits should be allowed.\n- Lenient parsing of duplicate `Content-Length` headers, when they should be\n rejected.\n- Lenient parsing of the ending of chunked segments, when they should end\n with `\\r\\n`.\n\n### Patches\n\nThe vulnerability has been fixed in 5.6.4 and 4.3.12.\n\n### Workarounds\n\nWhen deploying a proxy in front of Puma, turning on any and all functionality\nto make sure that the request matches the RFC7230 standard.\n\nThese proxy servers are known to have \"good\" behavior re: this standard and\nupgrading Puma may not be necessary. Users are encouraged to validate for\nthemselves.\n\n- Nginx (latest)\n- Apache (latest)\n- Haproxy 2.5+\n- Caddy (latest)\n- Traefik (latest)\n\n### References\n\n[HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-30123", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-30123", + "desc": "Possible shell escape sequence injection vulnerability in Rack/nThere is a possible shell escape sequence injection vulnerability in the Lint\nand CommonLogger components of Rack. This vulnerability has been assigned the\nCVE identifier CVE-2022-30123.\n\nVersions Affected: All.\nNot affected: None\nFixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1\n\n## Impact\nCarefully crafted requests can cause shell escape sequences to be written to\nthe terminal via Rack's Lint middleware and CommonLogger middleware. These\nescape sequences can be leveraged to possibly execute commands in the victim's\nterminal.\n\nImpacted applications will have either of these middleware installed, and\nvulnerable apps may have something like this:\n\n```\nuse Rack::Lint\n```\n\nOr\n\n```\nuse Rack::CommonLogger\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n## Workarounds\nRemove these middleware from your application\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-27280", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-27280", + "desc": "Buffer overread vulnerability in StringIO/nAn issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x\nthrough 3.0.6 and 3.1.x through 3.1.4.\n\nThe `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a\nstring, and a subsequent call to `StringIO.gets` may return the memory value.\n\nThis vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x\nand later.\n\nWe recommend to update the StringIO gem to version 3.0.3 or later. In order to\nensure compatibility with bundled version in older Ruby series, you may update\nas follows instead:\n\n* For Ruby 3.0 users: Update to `stringio` 3.0.1.1\n* For Ruby 3.1 users: Update to `stringio` 3.0.1.2\n\nYou can use `gem update stringio` to update it. If you are using bundler,\nplease add `gem \"stringio\", \">= 3.0.1.2\"` to your `Gemfile`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22885", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22885", + "desc": "Possible Information Disclosure / Unintended Method Execution in Action Pack/nThere is a possible information disclosure / unintended method execution\nvulnerability in Action Pack which has been assigned the CVE identifier\nCVE-2021-22885.\n\nVersions Affected: >= 2.0.0.\nNot affected: < 2.0.0.\nFixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6\n\nImpact\n------\nThere is a possible information disclosure / unintended method execution\nvulnerability in Action Pack when using the `redirect_to` or `polymorphic_url`\nhelper with untrusted user input.\n\nVulnerable code will look like this:\n\n```\nredirect_to(params[:some_param])\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nWorkarounds\n-----------\nTo work around this problem, it is recommended to use an allow list for valid\nparameters passed from the user. For example:\n\n```\nprivate def check(param)\n case param\n when \"valid\"\n param\n else\n \"/\"\n end\nend\n\ndef index\n redirect_to(check(params[:some_param]))\nend\n```\n\nOr force the user input to be cast to a string like this:\n\n```\ndef index\n redirect_to(params[:some_param].to_s)\nend\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22904", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22904", + "desc": "Possible DoS Vulnerability in Action Controller Token Authentication/nThere is a possible DoS vulnerability in the Token Authentication logic in\nAction Controller. This vulnerability has been assigned the CVE identifier\nCVE-2021-22904.\n\nVersions Affected: >= 4.0.0\nNot affected: < 4.0.0\nFixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6\n\nImpact\n------\nImpacted code uses `authenticate_or_request_with_http_token` or\n`authenticate_with_http_token` for request authentication. Impacted code will\nlook something like this:\n\n```\nclass PostsController < ApplicationController\n before_action :authenticate\n\n private\n\n def authenticate\n authenticate_or_request_with_http_token do |token, options|\n # ...\n end\n end\nend\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThe following monkey patch placed in an initializer can be used to work around\nthe issue:\n\n```ruby\nmodule ActionController::HttpAuthentication::Token\n AUTHN_PAIR_DELIMITERS = /(?:,|;|\\t)/\nend\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-22795", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-22795", + "desc": "ReDoS based DoS vulnerability in Action Dispatch/nThere is a possible regular expression based DoS vulnerability in Action\nDispatch related to the If-None-Match header. This vulnerability has been\nassigned the CVE identifier CVE-2023-22795.\n\nVersions Affected: All\nNot affected: None\nFixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\n# Impact\n\nA specially crafted HTTP If-None-Match header can cause the regular\nexpression engine to enter a state of catastrophic backtracking, when on a\nversion of Ruby below 3.2.0. This can cause the process to use large amounts\nof CPU and memory, leading to a possible DoS vulnerability All users running\nan affected release should either upgrade or use one of the workarounds\nimmediately.\n\n# Workarounds\n\nWe recommend that all users upgrade to one of the FIXED versions. In the\nmeantime, users can mitigate this vulnerability by using a load balancer or\nother device to filter out malicious If-None-Match headers before they reach\nthe application.\n\nUsers on Ruby 3.2.0 or greater are not affected by this vulnerability.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23633", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23633", + "desc": "Possible exposure of information vulnerability in Action Pack/n## Impact\n\nUnder certain circumstances response bodies will not be closed, for example a\nbug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack\nmiddleware. In the event a response is not notified of a `close`,\n`ActionDispatch::Executor` will not know to reset thread local state for the\nnext request. This can lead to data being leaked to subsequent requests,\nespecially when interacting with `ActiveSupport::CurrentAttributes`.\n\nUpgrading to the FIXED versions of Rails will ensure mitigation if this issue\neven in the context of a buggy webserver or middleware implementation.\n\n## Patches\n\nThis has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\n## Workarounds\n\nUpgrading is highly recommended, but to work around this problem the following\nmiddleware can be used:\n\n```\nclass GuardedExecutor < ActionDispatch::Executor\n def call(env)\n ensure_completed!\n super\n end\n\n private\n\n def ensure_completed!\n @executor.new.complete! if @executor.active?\n end\nend\n\n# Ensure the guard is inserted before ActionDispatch::Executor\nRails.application.configure do\n config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor\nend\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-22792", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-22792", + "desc": "ReDoS based DoS vulnerability in Action Dispatch/nThere is a possible regular expression based DoS vulnerability in Action\nDispatch. This vulnerability has been assigned the CVE identifier\nCVE-2023-22792.\n\nVersions Affected: >= 3.0.0\nNot affected: < 3.0.0\nFixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\n# Impact\n\nSpecially crafted cookies, in combination with a specially crafted\nX_FORWARDED_HOST header can cause the regular expression engine to enter a\nstate of catastrophic backtracking. This can cause the process to use large\namounts of CPU and memory, leading to a possible DoS vulnerability All users\nrunning an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n# Workarounds\n\nWe recommend that all users upgrade to one of the FIXED versions. In the\nmeantime, users can mitigate this vulnerability by using a load balancer or\nother device to filter out malicious X_FORWARDED_HOST headers before they\nreach the application.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-23913", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-23913", + "desc": "DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML Elements/nNOTE: rails-ujs is part of Rails/actionview since 5.1.0.\n\nThere is a potential DOM based cross-site scripting issue in rails-ujs\nwhich leverages the Clipboard API to target HTML elements that are\nassigned the contenteditable attribute. This has the potential to\noccur when pasting malicious HTML content from the clipboard that\nincludes a data-method, data-remote or data-disable-with attribute.\n\nThis vulnerability has been assigned the CVE identifier CVE-2023-23913.\n\nNot affected: < 5.1.0\nVersions Affected: >= 5.1.0\nFixed Versions: 6.1.7.3, 7.0.4.3\n\nImpact\n If the specified malicious HTML clipboard content is provided to a\n contenteditable element, this could result in the arbitrary execution\n of javascript on the origin in question.\n\nReleases\n The FIXED releases are available at the normal locations.\n\nWorkarounds\n We recommend that all users upgrade to one of the FIXED versions.\n In the meantime, users can attempt to mitigate this vulnerability\n by removing the contenteditable attribute from elements in pages\n that rails-ujs will interact with.\n\nPatches\n To aid users who aren’t able to upgrade immediately we have provided\n patches for the two supported release series. They are in git-am\n format and consist of a single changeset.\n\n* rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series\n* rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series\n\nPlease note that only the 7.0.Z and 6.1.Z series are\nsupported at present, and 6.0.Z for severe vulnerabilities.\n\nUsers of earlier unsupported releases are advised to upgrade as\nsoon as possible as we cannot guarantee the continued availability\nof security fixes for unsupported releases.\n\nCredits\n We would like to thank ryotak 15 for reporting this!\n\n* rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB)\n* rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB)\n* rails-ujs-data-method-contenteditable-main.patch (8.9 KB)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-44566", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-44566", + "desc": "Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter/nThere is a potential denial of service vulnerability present in\nActiveRecord’s PostgreSQL adapter.\n\nThis has been assigned the CVE identifier CVE-2022-44566.\n\nVersions Affected: All.\nNot affected: None.\nFixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\n# Impact\n\nIn ActiveRecord <7.0.4.1 and <6.1.7.1, when a value outside the range for a\n64bit signed integer is provided to the PostgreSQL connection adapter, it\nwill treat the target column type as numeric. Comparing integer values\nagainst numeric values can result in a slow sequential scan resulting in\npotential Denial of Service.\n\n# Workarounds\n\nEnsure that user supplied input which is provided to ActiveRecord clauses do\nnot contain integers wider than a signed 64bit representation or floats.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-22796", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-22796", + "desc": "ReDoS based DoS vulnerability in Active Support’s underscore/nThere is a possible regular expression based DoS vulnerability in Active\nSupport. This vulnerability has been assigned the CVE identifier\nCVE-2023-22796.\n\nVersions Affected: All\nNot affected: None\nFixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\n# Impact\n\nA specially crafted string passed to the underscore method can cause the\nregular expression engine to enter a state of catastrophic backtracking.\nThis can cause the process to use large amounts of CPU and memory, leading\nto a possible DoS vulnerability.\n\nThis affects String#underscore, ActiveSupport::Inflector.underscore,\nString#titleize, and any other methods using these.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n\nUsers on Ruby 3.2.0 or greater may be able to reduce the impact by\nconfiguring Regexp.timeout.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-32740", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-32740", + "desc": "Regular Expression Denial of Service in Addressable templates/nWithin the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption,\nleading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input,\nbut nonetheless, no previous security advisory for Addressable has cautioned against doing this.\nUsers of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2019-3881", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2019-3881", + "desc": "Insecure path handling in Bundler/nBundler prior to 2.1.0 uses a predictable path in /tmp/, created with\ninsecure permissions as a storage location for gems, if locations under the user's\nhome directory are not available. If Bundler is used in a scenario where the user\ndoes not have a writable home directory, an attacker could place malicious code\nin this directory that would be later loaded and executed.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-21305", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-21305", + "desc": "Code Injection vulnerability in CarrierWave::RMagick/n### Impact\n[CarrierWave::RMagick](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/processing/rmagick.rb)\nhas a Code Injection vulnerability. Its `#manipulate!` method inappropriately evals the content of mutation\noption(`:read`/`:write`), allowing attackers to craft a string that can be executed as a Ruby code.\nIf an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE).\n\n(But supplying untrusted input to the option itself is dangerous even in absence of this vulnerability, since is prone to\nDoS vulnerability - attackers can try to consume massive amounts of memory by resizing to a very large dimension)\n\n### Proof of Concept\n```ruby\nclass MyUploader < CarrierWave::Uploader::Base\n include CarrierWave::RMagick\nend\n\nMyUploader.new.manipulate!({ read: { density: \"1 }; p 'Hacked'; {\" }}) # => shows \"Hacked\"\n```\n\n### Patches\nUpgrade to [2.1.1](https://rubygems.org/gems/carrierwave/versions/2.1.1) or\n[1.3.2](https://rubygems.org/gems/carrierwave/versions/1.3.2).\n\n### Workarounds\nStop supplying untrusted input to `#manipulate!`'s mutation option.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-41817", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-41817", + "desc": "Regular Expression Denial of Service Vulnerability of Date Parsing Methods/nDate's parsing methods including `Date.parse` are using Regexps internally, some of\nwhich are vulnerable against regular expression denial of service. Applications and\nlibraries that apply such methods to untrusted input may be affected.\n\nThe fix limits the input length up to 128 bytes by default instead of changing the\nregexps. This is because Date gem uses many Regexps and it is possible that there are\nstill undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the\nlimitation by explicitly passing `limit` keywords as `nil` like\n`Date.parse(str, limit: nil)`, but note that it may take a long time to parse.\n\nPlease update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You\ncan use `gem update date` to update it. If you are using bundler, please add\n`gem \"date\", \">= 3.2.1\"` to your `Gemfile`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-22799", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-22799", + "desc": "ReDoS based DoS vulnerability in GlobalID/nThere is a ReDoS based DoS vulnerability in the GlobalID gem. This\nvulnerability has been assigned the CVE identifier CVE-2023-22799.\n\nVersions Affected: >= 0.2.1\nNot affected: < 0.2.1\nFixed Versions: 1.0.1\n\n# Impact\n\nThere is a possible DoS vulnerability in the model name parsing section\nof the GlobalID gem. Carefully crafted input can cause the regular\nexpression engine to take an unexpected amount of time. All users running\nan affected release should either upgrade or use one of the workarounds\nimmediately.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-10663", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-10663", + "desc": "json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)/nThere is an unsafe object creation vulnerability in the json gem bundled with\nRuby. This vulnerability has been assigned the CVE identifier CVE-2020-10663.\nWe strongly recommend upgrading the json gem.\n\nDetails\n-------\n\nWhen parsing certain JSON documents, the json gem (including the one bundled\nwith Ruby) can be coerced into creating arbitrary objects in the target system.\n\nThis is the same issue as CVE-2013-0269. The previous fix was incomplete, which\naddressed JSON.parse(user_input), but didn’t address some other styles of JSON\nparsing including JSON(user_input) and JSON.parse(user_input, nil).\n\nSee CVE-2013-0269 in detail. Note that the issue was exploitable to cause a\nDenial of Service by creating many garbage-uncollectable Symbol objects, but\nthis kind of attack is no longer valid because Symbol objects are now\ngarbage-collectable. However, creating arbitrary objects may cause severe\nsecurity consequences depending upon the application code.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23514", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23514", + "desc": "Inefficient Regular Expression Complexity in Loofah/n## Summary\n\nLoofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n## Mitigation\n\nUpgrade to Loofah `>= 2.19.1`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23516", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23516", + "desc": "Uncontrolled Recursion in Loofah/n## Summary\n\nLoofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption.\n\n## Mitigation\n\nUpgrade to Loofah `>= 2.19.1`.\n\nUsers who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-24836", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-24836", + "desc": "Inefficient Regular Expression Complexity in Nokogiri/n## Summary\n\nNokogiri `< v1.13.4` contains an inefficient regular expression that is\nsusceptible to excessive backtracking when attempting to detect encoding\nin HTML documents.\n\n## Mitigation\n\nUpgrade to Nokogiri `>= 1.13.4`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23437", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23437", + "desc": "XML Injection in Xerces Java affects Nokogiri/n## Summary\n\nNokogiri v1.13.4 updates the vendored `xerces:xercesImpl` from 2.12.0 to\n2.12.2, which addresses [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437).\nThat CVE is scored as CVSS 6.5 \"Medium\" on the NVD record.\n\nPlease note that this advisory only applies to the **JRuby** implementation\nof Nokogiri `< 1.13.4`.\n\n## Mitigation\n\nUpgrade to Nokogiri `>= v1.13.4`.\n\n## Impact\n\n### [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437) in xerces-J\n\n- **Severity**: Medium\n- **Type**: [CWE-91](https://cwe.mitre.org/data/definitions/91.html) XML Injection (aka Blind XPath Injection)\n- **Description**: There's a vulnerability within the Apache Xerces Java\n (XercesJ) XML parser when handling specially crafted XML document payloads.\n This causes, the XercesJ XML parser to wait in an infinite loop, which may\n sometimes consume system resources for prolonged duration. This vulnerability\n is present within XercesJ version 2.12.1 and the previous versions.\n- **See also**: https://github.com/advisories/GHSA-h65f-jvqw-m9fj\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-29181", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-29181", + "desc": "Improper Handling of Unexpected Data Type in Nokogiri/n### Summary\n\nNokogiri `< v1.13.6` does not type-check all inputs into the XML and HTML4 SAX parsers.\nFor CRuby users, this may allow specially crafted untrusted inputs to cause illegal\nmemory access errors (segfault) or reads from unrelated memory.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as **High 8.2** (CVSS3.1).\n\n### Mitigation\n\nCRuby users should upgrade to Nokogiri `>= 1.13.6`.\n\nJRuby users are not affected.\n\n### Workarounds\n\nTo avoid this vulnerability in affected applications, ensure the untrusted input is a\n`String` by calling `#to_s` or equivalent.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-30560", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-30560", + "desc": "Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)/n## Summary\n\nNokogiri v1.13.2 upgrades two of its packaged dependencies:\n\n* vendored libxml2 from v2.9.12 to v2.9.13\n* vendored libxslt from v1.1.34 to v1.1.35\n\nThose library versions address the following upstream CVEs:\n\n* libxslt: CVE-2021-30560 (CVSS 8.8, High severity)\n* libxml2: CVE-2022-23308 (Unspecified severity, see more information below)\n\nThose library versions also address numerous other issues including performance\nimprovements, regression fixes, and bug fixes, as well as memory leaks and other\nuse-after-free issues that were not assigned CVEs.\n\nPlease note that this advisory only applies to the CRuby implementation of\nNokogiri < 1.13.2, and only if the packaged libraries are being used. If you've\noverridden defaults at installation time to use system libraries instead of\npackaged libraries, you should instead pay attention to your distro's `libxml2`\nand `libxslt` release announcements.\n\n## Mitigation\n\nUpgrade to Nokogiri >= 1.13.2.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated\nmitigation: compile and link an older version Nokogiri against external libraries\nlibxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.\n\n## Impact\n\n* libxslt CVE-2021-30560\n* CVSS3 score: 8.8 (High)\n\nFixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c\n\nAll versions of libxslt prior to v1.1.35 are affected.\n\nApplications using untrusted XSL stylesheets to transform XML are vulnerable to\na denial-of-service attack and should be upgraded immediately.\n\nlibxml2 CVE-2022-23308\n* As of the time this security advisory was published, there is no officially\npublished information available about this CVE's severity. The above NIST link\ndoes not yet have a published record, and the libxml2 maintainer has declined\nto provide a severity score.\n* Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12\n* Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html\n\nThe upstream commit and the explanation linked above indicate that an application\nmay be vulnerable to a denial of service, memory disclosure, or code execution if\nit parses an untrusted document with parse options `DTDVALID` set to true, and `NOENT`\nset to false.\n\nAn analysis of these parse options:\n\n* While `NOENT` is off by default for Document, DocumentFragment, Reader, and\nSchema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri\nv1.12.0 and later.\n* `DTDVALID` is an option that Nokogiri does not set for any operations, and so\nthis CVE applies only to applications setting this option explicitly.\n\nIt seems reasonable to assume that any application explicitly setting the parse\noption `DTDVALID` when parsing untrusted documents is vulnerable and should be\nupgraded immediately.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-41098", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-41098", + "desc": "Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby/n### Severity\n\nThe Nokogiri maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.0)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C/MAV:N/MAC:L) for JRuby users. (This security advisory does not apply to CRuby users.)\n\n### Impact\n\nIn Nokogiri v1.12.4 and earlier, **on JRuby only**, the SAX parser resolves external entities by default.\n\nUsers of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:\n\n- Nokogiri::XML::SAX::Parser\n- Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser\n- Nokogiri::XML::SAX::PushParser\n- Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser\n\n### Mitigation\n\nJRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.\n\nCRuby users are not affected.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-24839", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-24839", + "desc": "Denial of Service (DoS) in Nokogiri on JRuby/n## Summary\n\nNokogiri `v1.13.4` updates the vendored `org.cyberneko.html` library to\n`1.9.22.noko2` which addresses [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv).\nThat CVE is rated 7.5 (High Severity).\n\nSee [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv)\nfor more information.\n\nPlease note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.\n\n## Mitigation\n\nUpgrade to Nokogiri `>= 1.13.4`.\n\n## Impact\n\n### [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) in nekohtml\n\n- **Severity**: High 7.5\n- **Type**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption\n- **Description**: The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a\n `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup.\n- **See also**: [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23634", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23634", + "desc": "Information Exposure with Puma when used with Rails/n### Impact\n\nPrior to `puma` version `5.6.2`, `puma` may not always call\n`close` on the response body. Rails, prior to version `7.0.2.2`, depended on the\nresponse body being closed in order for its `CurrentAttributes` implementation to\nwork correctly.\n\nFrom Rails:\n\n> Under certain circumstances response bodies will not be closed, for example\n> a bug in a webserver[1] or a bug in a Rack middleware. In the event a\n> response is not notified of a close, ActionDispatch::Executor will not know\n> to reset thread local state for the next request. This can lead to data\n> being leaked to subsequent requests, especially when interacting with\n> ActiveSupport::CurrentAttributes.\n\nThe combination of these two behaviors (Puma not closing the body + Rails'\nExecutor implementation) causes information leakage.\n\n### Patches\n\nThis problem is fixed in Puma versions 5.6.2 and 4.3.11.\n\nThis problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nSee: https://github.com/advisories/GHSA-wh98-p28r-vrc9\nfor details about the rails vulnerability\n\nUpgrading to a patched Rails _or_ Puma version fixes the vulnerability.\n\n### Workarounds\n\nUpgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\nThe [Rails CVE](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1)\nincludes a middleware that can be used instead.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-29509", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-29509", + "desc": "Keepalive Connections Causing Denial Of Service in puma/n### Impact\n\nThe fix for CVE-2019-16770 was incomplete. The original fix only protected\nexisting connections that had already been accepted from having their\nrequests starved by greedy persistent-connections saturating all threads in\nthe same process. However, new connections may still be starved by greedy\npersistent-connections saturating all threads in all processes in the\ncluster.\n\nA puma server which received more concurrent keep-alive connections than the\nserver had threads in its threadpool would service only a subset of\nconnections, denying service to the unserved connections.\n\n### Patches\n\nThis problem has been fixed in puma 4.3.8 and 5.3.1.\n\n### Workarounds\n\nSetting queue_requests false also fixes the issue. This is not advised when\nusing puma without a reverse proxy, such as nginx or apache, because you will\nopen yourself to slow client attacks (e.g. [slowloris][1]).\n\nThe fix is very small. [A git patch is available here][2] for those using\n[unsupported versions][3] of Puma.\n\n[1]: https://en.wikipedia.org/wiki/Slowloris_(computer_security)\n[2]: https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837\n[3]: https://github.com/puma/puma/security/policy#supported-versions\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-44571", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-44571", + "desc": "Denial of Service Vulnerability in Rack Content-Disposition parsing/nThere is a denial of service vulnerability in the Content-Disposition parsing\ncomponent of Rack. This vulnerability has been assigned the CVE identifier\nCVE-2022-44571.\n\nVersions Affected: >= 2.0.0\nNot affected: None.\nFixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1\n\n# Impact\n\nCarefully crafted input can cause Content-Disposition header parsing in Rack\nto take an unexpected amount of time, possibly resulting in a denial of\nservice attack vector. This header is used typically used in multipart\nparsing. Any applications that parse multipart posts using Rack (virtually\nall Rails applications) are impacted.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-44572", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-44572", + "desc": "Denial of service via multipart parsing in Rack/nThere is a denial of service vulnerability in the multipart parsing component\nof Rack. This vulnerability has been assigned the CVE identifier\nCVE-2022-44572.\n\nVersions Affected: >= 2.0.0\nNot affected: None.\nFixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1\n\n# Impact\n\nCarefully crafted input can cause RFC2183 multipart boundary parsing in Rack\nto take an unexpected amount of time, possibly resulting in a denial of\nservice attack vector. Any applications that parse multipart posts using\nRack (virtually all Rails applications) are impacted.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-27530", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-27530", + "desc": "Possible DoS Vulnerability in Multipart MIME parsing/nThere is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.\n\nVersions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3\n\n# Impact\nThe Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\n# Workarounds\nA proxy can be configured to limit the POST body size which will mitigate this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-44570", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-44570", + "desc": "Denial of service via header parsing in Rack/nThere is a possible denial of service vulnerability in the Range header\nparsing component of Rack. This vulnerability has been assigned the CVE\nidentifier CVE-2022-44570.\n\nVersions Affected: >= 1.5.0\nNot affected: None.\nFixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1\n\n# Impact\n\nCarefully crafted input can cause the Range header parsing component in Rack\nto take an unexpected amount of time, possibly resulting in a denial of\nservice attack vector. Any applications that deal with Range requests (such\nas streaming applications, or applications that serve files) may be impacted.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-30122", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-30122", + "desc": "Denial of Service Vulnerability in Rack Multipart Parsing/nThere is a possible denial of service vulnerability in the multipart parsing\ncomponent of Rack. This vulnerability has been assigned the CVE identifier\nCVE-2022-30122.\n\nVersions Affected: >= 1.2\nNot affected: < 1.2\nFixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1\n\n## Impact\nCarefully crafted multipart POST requests can cause Rack's multipart parser to\ntake much longer than expected, leading to a possible denial of service\nvulnerability.\n\nImpacted code will use Rack's multipart parser to parse multipart posts. This\nincludes directly using the multipart parser like this:\n\n```\nparams = Rack::Multipart.parse_multipart(env)\n```\n\nBut it also includes reading POST data from a Rack request object like this:\n\n```\np request.POST # read POST data\np request.params # reads both query params and POST data\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n## Workarounds\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23517", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23517", + "desc": "Inefficient Regular Expression Complexity in rails-html-sanitizer/n## Summary\n\nCertain configurations of rails-html-sanitizer `< 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `>= 1.4.4`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-31799", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-31799", + "desc": "RDoc OS command injection vulnerability/nRDoc used to call `Kernel#open` to open a local file. If a Ruby project has\na file whose name starts with `|` and ends with `tags`, the command following\nthe pipe character is executed. A malicious Ruby project could exploit it to\nrun an arbitrary command execution against a user who attempts to run `rdoc`\ncommand.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-28965", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-28965", + "desc": "XML round-trip vulnerability in REXML/nWhen parsing and serializing a crafted XML document, REXML gem (including\nthe one bundled with Ruby) can create a wrong XML document whose structure\nis different from the original one.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-31163", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-31163", + "desc": "TZInfo relative path traversal vulnerability allows loading of arbitrary files/n# Impact\n\n## Affected versions\n\n- 0.3.60 and earlier.\n- 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).\n\n## Vulnerability\n\nWith the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and\nlater and built-in to earlier versions), time zones are defined in Ruby files.\nThere is one file per time zone. Time zone files are loaded with `require` on\ndemand. In the affected versions, `TZInfo::Timezone.get` fails to validate\ntime zone identifiers correctly, allowing a new line character within the\nidentifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be\nmade to load unintended files with `require`, executing them within the Ruby\nprocess.\n\nFor example, with version 1.2.9, you can run the following to load a file with\npath `/tmp/payload.rb`:\n\n```ruby\nTZInfo::Timezone.get(\\\"foo\\\n/../../../../../../../../../../../../../../../../tmp/payload\\\")\n```\n\nThe exact number of parent directory traversals needed will vary depending on\nthe location of the tzinfo-data gem.\n\nTZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the\nRuby load path. Versions up to and including 1.2.5 can only be made to load\nfiles from directories within the load path.\n\nThis could be exploited in, for example, a Ruby on Rails application using\ntzinfo version 1.2.9, that allows file uploads and has a time zone selector\nthat accepts arbitrary time zone identifiers.\nThe CVSS score and severity have been set on this basis.\n\nVersions 2.0.0 and later are not vulnerable.\n\n# Patches\n\nVersions 0.3.61 and 1.2.10 include fixes to correctly validate time zone\nidentifiers.\n\nNote that version 0.3.61 can still load arbitrary files from the Ruby load\npath if their name follows the rules for a valid time zone identifier and the\nfile has a prefix of `tzinfo/definition` within a directory in the load path.\nFor example if `/tmp/upload` was in the load path, then\n`TZInfo::Timezone.get('foo')` could load a file with path\n`/tmp/upload/tzinfo/definition/foo.rb`. Applications should ensure that\nuntrusted files are not placed in a directory on the load path.\n\n# Workarounds\n\nAs a workaround, the time zone identifier can be validated before passing to\n`TZInfo::Timezone.get` by ensuring it matches the regular expression\n`\\\\A[A-Za-z0-9+\\\\-_]+(?:\\\\/[A-Za-z0-9+\\\\-_]+)*\\\\z`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-25613", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-25613", + "desc": "Potential HTTP Request Smuggling Vulnerability in WEBrick/nWEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to\ninconsistent interpretation between WEBrick and some HTTP proxy servers, which may\nallow the attacker to \"smuggle\" a request. See CWE-444 in detail.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-22577", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-22577", + "desc": "Possible XSS Vulnerability in Action Pack/nThere is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been\nassigned the CVE identifier CVE-2022-22577.\n\nVersions Affected: >= 5.2.0\nNot affected: < 5.2.0\nFixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1\n\n## Impact\n\nCSP headers were only sent along with responses that Rails considered as\n\"HTML\" responses. This left API requests without CSP headers, which could\npossibly expose users to XSS attacks.\n\n## Releases\n\nThe FIXED releases are available at the normal locations.\n\n## Workarounds\n\nSet a CSP for your API responses manually.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-27777", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-27777", + "desc": "Possible XSS Vulnerability in Action View tag helpers/nThere is a possible XSS vulnerability in Action View tag helpers. Passing\nuntrusted input as hash keys can lead to a possible XSS vulnerability. This\nvulnerability has been assigned the CVE identifier CVE-2022-27777.\n\nVersions Affected: ALL\nNot affected: NONE\nFixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1\n\n## Impact\n\nIf untrusted data is passed as the hash key for tag attributes, there is a\npossibility that the untrusted data may not be properly escaped which can\nlead to an XSS vulnerability.\n\nImpacted code will look something like this:\n\n```\ncheck_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })\n```\n\nWhere the \"malicious_input\" variable contains untrusted data.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n## Releases\n\nThe FIXED releases are available at the normal locations.\n\n## Workarounds\n\nEscape the untrusted data before using it as a key for tag helper methods.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-15169", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-15169", + "desc": "Potential XSS vulnerability in Action View/nThere is a potential Cross-Site Scripting (XSS) vulnerability in Action\nView's translation helpers. Views that allow the user to control the\ndefault (not found) value of the `t` and `translate` helpers could be\nsusceptible to XSS attacks.\n\nImpact\n------\n\nWhen an HTML-unsafe string is passed as the default for a missing\ntranslation key [named `html` or ending in `_html`](https://guides.rubyonrails.org/i18n.html#using-safe-html-translations),\nthe default string is incorrectly marked as HTML-safe and not escaped.\nVulnerable code may look like the following examples:\n\n```erb\n<%# The welcome_html translation is not defined for the current locale: %>\n<%= t(\"welcome_html\", default: untrusted_user_controlled_string) %>\n\n<%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>\n<%= t(\"title.html\", default: [:\"missing.html\", untrusted_user_controlled_string]) %>\n```\n\nWorkarounds\n-----------\nImpacted users who can’t upgrade to a patched Rails version can avoid\nthis issue by manually escaping default translations with the\n`html_escape` helper (aliased as `h`):\n\n```erb\n<%= t(\"welcome_html\", default: h(untrusted_user_controlled_string)) %>\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-22880", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-22880", + "desc": "Possible DoS Vulnerability in Active Record PostgreSQL adapter/nThere is a possible DoS vulnerability in the PostgreSQL adapter in Active\nRecord. This vulnerability has been assigned the CVE identifier CVE-2021-22880.\n\nVersions Affected: >= 4.2.0\nNot affected: < 4.2.0\nFixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5\n\nImpact\n------\nCarefully crafted input can cause the input validation in the \"money\" type of\nthe PostgreSQL adapter in Active Record to spend too much time in a regular\nexpression, resulting in the potential for a DoS attack.\n\nThis only impacts Rails applications that are using PostgreSQL along with\nmoney type columns that take user input.\n\nWorkarounds\n-----------\nIn the case a patch can't be applied, the following monkey patch can be used\nin an initializer:\n\n```\nmodule ActiveRecord\n module ConnectionAdapters\n module PostgreSQL\n module OID # :nodoc:\n class Money < Type::Decimal # :nodoc:\n def cast_value(value)\n return value unless ::String === value\n\n value = value.sub(/^\\((.+)\\)$/, '-\\1') # (4)\n case value\n when /^-?\\D*+[\\d,]+\\.\\d{2}$/ # (1)\n value.gsub!(/[^-\\d.]/, \"\")\n when /^-?\\D*+[\\d.]+,\\d{2}$/ # (2)\n value.gsub!(/[^-\\d,]/, \"\").sub!(/,/, \".\")\n end\n\n super(value)\n end\n end\n end\n end\n end\nend\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-26144", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-26144", + "desc": "Possible Sensitive Session Information Leak in Active Storage/nThere is a possible sensitive session information leak in Active Storage.\nBy default, Active Storage sends a `Set-Cookie` header along with the user’s\nsession cookie when serving blobs. It also sets `Cache-Control` to public.\nCertain proxies may cache the `Set-Cookie`, leading to an information leak.\n\nThis vulnerability has been assigned the CVE identifier CVE-2024-26144.\n\nVersions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7\n\n# Impact\n\nA proxy which chooses to caches this request can cause users to share\nsessions. This may include a user receiving an attacker’s session or vice\nversa.\n\nThis was patched in 7.1.0 but not previously identified as a security\nvulnerability.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nUpgrade to Rails 7.1.X, or configure caching proxies not to cache the\n`Set-Cookie` headers.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-21288", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-21288", + "desc": "Server-side request forgery in CarrierWave/n### Impact\n[CarrierWave download feature](https://github.com/carrierwaveuploader/carrierwave#uploading-files-from-a-remote-location\nhas an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use\nand gather information about the Intranet infrastructure of the platform.\n\n### Patches\nUpgrade to [2.1.1](https://rubygems.org/gems/carrierwave/versions/2.1.1) or\n[1.3.2](https://rubygems.org/gems/carrierwave/versions/1.3.2).\n\n### Workarounds\nUsing proper network segmentation and applying the principle of least privilege to outbound connections from application\nservers can reduce the severity of SSRF vulnerabilities. Ideally the vulnerable gem should run on an isolated server\nwithout access to any internal network resources or cloud metadata access.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-49090", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-49090", + "desc": "CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS/n###Impact\n[CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb)\nhas a Content-Type allowlist bypass vulnerability, possibly leading to XSS.\n\nThe validation in `allowlisted_content_type?` determines Content-Type\npermissions by performing a partial match.\nIf the `content_type` argument of `allowlisted_content_type?` is passed\na value crafted by the attacker, Content-Types not included in the\n`content_type_allowlist` will be allowed.\n\nIn addition, by setting the Content-Type configured by the attacker\nat the time of file delivery, it is possible to cause XSS on the\nuser's browser when the uploaded file is opened.\n\n### Patches\nUpgrade to [3.0.5](https://rubygems.org/gems/carrierwave/versions/3.0.5)\nor [2.2.5](https://rubygems.org/gems/carrierwave/versions/2.2.5).\n\n### Workarounds\nWhen validating with `allowlisted_content_type?` in\n[CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb),\nforward match(`\\\\A`) the Content-Type set in `content_type_allowlist`,\npreventing unintentional permission of `text/html;image/png` when\nyou want to allow only `image/png` in `content_type_allowlist`.\n\n### References\n[OWASP - File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-29034", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-29034", + "desc": "CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained/n### Impact\n\nThe vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj)\nwasn't fully addressed.\n\nThis vulnerability is caused by the fact that when uploading to\nobject storage, including Amazon S3, it is possible to set a\nContent-Type value that is interpreted by browsers to be different\nfrom what's allowed by `content_type_allowlist`, by providing\nmultiple values separated by commas.\n\nThis bypassed value can be used to cause XSS.\n\n### Patches\n\nUpgrade to [3.0.7](https://rubygems.org/gems/carrierwave/versions/3.0.7) or [2.2.6](https://rubygems.org/gems/carrierwave/versions/2.2.6).\n\n### Workarounds\nUse the following monkey patch to let CarrierWave parse the\nContent-type by using `Marcel::MimeType.for`.\n\n```ruby\n# For CarrierWave 3.x\nCarrierWave::SanitizedFile.class_eval do\n def declared_content_type\n @declared_content_type ||\n if @file.respond_to?(:content_type) && @file.content_type\n Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)\n end\n end\nend\n```\n\n```ruby\n# For CarrierWave 2.x\nCarrierWave::SanitizedFile.class_eval do\n def existing_content_type\n if @file.respond_to?(:content_type) && @file.content_type\n Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)\n end\n end\nend\n```\n\n### References\n\n[OWASP - File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23515", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23515", + "desc": "Improper neutralization of data URIs may allow XSS in Loofah/n## Summary\n\nLoofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs.\n\n## Mitigation\n\nUpgrade to Loofah `>= 2.19.1`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2020-26247", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2020-26247", + "desc": "Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability/n### Description\n\nIn Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by `Nokogiri::XML::Schema`\nare **trusted** by default, allowing external resources to be accessed over the\nnetwork, potentially enabling XXE or SSRF attacks.\n\nThis behavior is counter to\nthe security policy followed by Nokogiri maintainers, which is to treat all input\nas **untrusted** by default whenever possible.\n\nPlease note that this security\nfix was pushed into a new minor version, 1.11.x, rather than a patch release to\nthe 1.10.x branch, because it is a breaking change for some schemas and the risk\nwas assessed to be \"Low Severity\".\n\n### Affected Versions\n\nNokogiri `<= 1.10.10` as well as prereleases `1.11.0.rc1`, `1.11.0.rc2`, and `1.11.0.rc3`\n\n### Mitigation\n\nThere are no known workarounds for affected versions. Upgrade to Nokogiri\n`1.11.0.rc4` or later.\n\nIf, after upgrading to `1.11.0.rc4` or later, you wish\nto re-enable network access for resolution of external resources (i.e., return to\nthe previous behavior):\n\n1. Ensure the input is trusted. Do not enable this option\nfor untrusted input.\n2. When invoking the `Nokogiri::XML::Schema` constructor,\npass as the second parameter an instance of `Nokogiri::XML::ParseOptions` with the\n`NONET` flag turned off.\n\nSo if your previous code was:\n\n``` ruby\n# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network\n# but in v1.11.0.rc4 and later, this call will disallow network access for external resources\nschema = Nokogiri::XML::Schema.new(schema)\n\n# in v1.11.0.rc4 and later, the following is equivalent to the code above\n# (the second parameter is optional, and this demonstrates its default value)\nschema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)\n```\n\nThen you can add the second parameter to indicate that the input is trusted by changing it to:\n\n``` ruby\n# in v1.11.0.rc3 and earlier, this would raise an ArgumentError\n# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network\nschema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)\n```\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-40175", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-40175", + "desc": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma/n### Impact\n\nPrior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.\n\nThe following vulnerabilities are addressed by this advisory:\n- Incorrect parsing of trailing fields in chunked transfer encoding bodies\n- Parsing of blank/zero-length Content-Length headers`\\r\\n`\n\n### Patches\n\nThe vulnerability has been fixed in 6.3.1 and 5.6.7.\n\n### Workarounds\n\nNo known workarounds.\n\n### References\n\n[HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-21647", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-21647", + "desc": "Puma HTTP Request/Response Smuggling vulnerability/n\n### Impact\nPrior to versions 6.4.2 and 5.6.8, puma exhibited incorrect\nbehavior when parsing chunked transfer encoding bodies in a\nway that allowed HTTP request smuggling.\n\nFixed versions limit the size of chunk extensions. Without this\nlimit, an attacker could cause unbounded resource (CPU, network\nbandwidth) consumption.\n\n### Patches\n\nThe vulnerability has been fixed in 6.4.2 and 5.6.8.\n\n### Workarounds\n\nNo known workarounds.\n\n### References\n\n* [HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n* Open an issue in [Puma](https://github.com/puma/puma)\n* See our [security policy](https://github.com/puma/puma/security/policy)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-26141", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-26141", + "desc": "Possible DoS Vulnerability with Range Header in Rack/nThere is a possible DoS vulnerability relating to the Range request header in\nRack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.\n\nVersions Affected: >= 1.3.0. Not affected: < 1.3.0 Fixed Versions: 3.0.9.1, 2.2.8.1\n\n# Impact\n\nCarefully crafted Range headers can cause a server to respond with an\nunexpectedly large response. Responding with such large responses could lead\nto a denial of service issue.\n\nVulnerable applications will use the `Rack::File` middleware or the\n`Rack::Utils.byte_ranges` methods (this includes Rails applications).\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2023-27539", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2023-27539", + "desc": "Possible Denial of Service Vulnerability in Rack’s header parsing/nThere is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.\n\nVersions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1\n\n# Impact\nCarefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.\n\n# Workarounds\nSetting Regexp.timeout in Ruby 3.2 is a possible workaround.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-25126", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-25126", + "desc": "Denial of Service Vulnerability in Rack Content-Type Parsing/nThere is a possible denial of service vulnerability in the content type\nparsing component of Rack. This vulnerability has been assigned the CVE\nidentifier CVE-2024-25126.\n\nVersions Affected: >= 0.4 Not affected: < 0.4 Fixed Versions: 3.0.9.1, 2.2.8.1\n\n# Impact\n\nCarefully crafted content type headers can cause Rack’s media type parser to\ntake much longer than expected, leading to a possible denial of service\nvulnerability.\n\nImpacted code will use Rack’s media type parser to parse content type headers.\nThis code will look like below:\n\n```\nrequest.media_type\n\n## OR\nrequest.media_type_params\n\n## OR\nRack::MediaType.type(content_type)\n```\n\nSome frameworks (including Rails) call this code internally, so upgrading is\nrecommended!\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-26146", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-26146", + "desc": "Possible Denial of Service Vulnerability in Rack Header Parsing/nThere is a possible denial of service vulnerability in the header parsing\nroutines in Rack. This vulnerability has been assigned the CVE identifier\nCVE-2024-26146.\n\nVersions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1\n\n# Impact\n\nCarefully crafted headers can cause header parsing in Rack to take longer than\nexpected resulting in a possible denial of service issue. `Accept` and\n`Forwarded` headers are impacted.\n\nRuby 3.2 has mitigations for this problem, so Rack applications using\nRuby 3.2 or newer are unaffected.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2014-0081", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2014-0081", + "desc": "CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability/nMultiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb\nin Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2\nallow remote attackers to inject arbitrary web script or HTML via the (1) format,\n(2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage,\nor (c) number_to_human helper.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23518", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23518", + "desc": "Improper neutralization of data URIs may allow XSS in rails-html-sanitizer/n## Summary\n\nrails-html-sanitizer `>= 1.0.3, < 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `>= 2.1.0`.\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `>= 1.4.4`.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-32209", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-32209", + "desc": "Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer/nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.\nThis vulnerability has been assigned the CVE identifier CVE-2022-32209.\n\nVersions Affected: ALL\nNot affected: NONE\nFixed Versions: v1.4.3\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer\nmay allow an attacker to inject content if the application developer has overridden\nthe sanitizer's allowed tags to allow both `select` and `style` elements.\n\nCode is only impacted if allowed tags are being overridden. This may be done via\napplication configuration:\n\n```ruby\n# In config/application.rb\nconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]\n```\n\nsee https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\nOr it may be done with a `:tags` option to the Action View helper `sanitize`:\n\n```\n<%= sanitize @comment.body, tags: [\"select\", \"style\"] %>\n```\n\nsee https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\nOr it may be done with Rails::Html::SafeListSanitizer directly:\n\n```ruby\n# class-level option\nRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]\n```\n\nor\n\n```ruby\n# instance-level option\nRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])\n```\n\nAll users overriding the allowed tags by any of the above mechanisms to include\nboth \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.\n\n## Workarounds\n\nRemove either `select` or `style` from the overridden allowed tags.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23519", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23519", + "desc": "Possible XSS vulnerability with certain configurations of rails-html-sanitizer/n## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n- allow both \"math\" and \"style\" elements,\n- or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:\n\n1. using application configuration:\n\n ```ruby\n # In config/application.rb\n config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n # or\n config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n ```\n\n see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n ```\n <%= sanitize @comment.body, tags: [\"math\", \"style\"] %>\n <%# or %>\n <%= sanitize @comment.body, tags: [\"svg\", \"style\"] %>\n ```\n\n see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`:\n\n ```ruby\n # class-level option\n Rails::Html::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n # or\n Rails::Html::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n ```\n\n4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`:\n\n ```ruby\n # instance-level option\n Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n # or\n Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds immediately.\n\n## Workarounds\n\nRemove \"style\" from the overridden allowed tags, or remove \"math\" and \"svg\" from the overridden allowed tags.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2022-23520", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2022-23520", + "desc": "Possible XSS vulnerability with certain configurations of rails-html-sanitizer/n## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both \"select\" and \"style\" elements.\n\nCode is only impacted if allowed tags are being overridden using either of the following two mechanisms:\n\n1. Using the Rails configuration `config.action_view.sanitized_allow_tags=`:\n\n ```ruby\n # In config/application.rb\n config.action_view.sanitized_allowed_tags = [\"select\", \"style\"]\n ```\n\n (see https://guides.rubyonrails.org/configuring.html#configuring-action-view)\n\n2. Using the class method `Rails::Html::SafeListSanitizer.allowed_tags=`:\n\n ```ruby\n # class-level option\n Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]\n ```\n\nAll users overriding the allowed tags by either of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.\n\nNOTE: Code is _not_ impacted if allowed tags are overridden using either of the following mechanisms:\n\n- the `:tags` option to the Action View helper method `sanitize`.\n- the `:tags` option to the instance method `SafeListSanitizer#sanitize`.\n\n## Workarounds\n\nRemove either \"select\" or \"style\" from the overridden allowed tags.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-27281", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-27281", + "desc": "RCE vulnerability with .rdoc_options in RDoc/nAn issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby\n3.x through 3.3.0.\n\nWhen parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file,\nobject injection and resultant remote code execution are possible because\nthere are no restrictions on the classes that can be restored.\n\nWhen loading the documentation cache, object injection and resultant remote\ncode execution are also possible if there were a crafted cache.\n\nWe recommend to update the RDoc gem to version 6.6.3.1 or later. In order to\nensure compatibility with bundled version in older Ruby series, you may\nupdate as follows instead:\n\n* For Ruby 3.0 users: Update to `rdoc` 6.3.4.1\n* For Ruby 3.1 users: Update to `rdoc` 6.4.1.1\n* For Ruby 3.2 users: Update to `rdoc` 6.5.1.1\n\nYou can use `gem update rdoc` to update it. If you are using bundler, please\nadd `gem \"rdoc\", \">= 6.6.3.1\"` to your `Gemfile`.\n\nNote: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to\nupgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them.\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-39908", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-39908", + "desc": "DoS in REXML/nThere is a DoS vulnerability in REXML gem. This vulnerability has\nbeen assigned the CVE identifier CVE-2024-39908. We strongly\nrecommend upgrading the REXML gem.\n\n## Details\n\nWhen it parses an XML that has many specific characters such as\n<, 0 and %>. REXML gem may take long time.\n\nPlease update REXML gem to version 3.3.2 or later.\n\n## Affected versions\n\nREXML gem 3.3.2 or prior\n\n## Credits\n\nThanks to mprogrammer for discovering this issue.\n\n## History\n\nOriginally published at 2024-07-16 03:00:00 (UTC)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-35176", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-35176", + "desc": "REXML contains a denial of service vulnerability/n### Impact\n\nThe REXML gem before 3.2.6 has a DoS vulnerability when it\nparses an XML that has many `<`s in an attribute value.\n\nIf you need to parse untrusted XMLs, you many be impacted\nto this vulnerability.\n\n### Patches\n\nThe REXML gem 3.2.7 or later include the patch to fix this\nvulnerability.\n\n### Workarounds\n\nDon't parse untrusted XMLs.\n\n### References\n\n* https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-43398", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-43398", + "desc": "REXML denial of service vulnerability/n### Impact\n\nThe REXML gem before 3.3.6 has a DoS vulnerability when it parses an\nXML that has many deep elements that have same local name attributes.\n\nIf you need to parse untrusted XMLs with tree parser API like\n`REXML::Document.new`, you may be impacted to this vulnerability.\nIf you use other parser APIs such as stream parser API and SAX2\nparser API, this vulnerability is not affected.\n\nThis vulnerability has been assigned the CVE identifier CVE-2024-43398.\nWe strongly recommend upgrading the REXML gem.\n\n### Patches\n\nThe REXML gem 3.3.6 or later include the patch to fix the\nvulnerability.\n\n### Workarounds\n\nDon't parse untrusted XMLs with tree parser API.\n\n## Affected versions\n\nREXML gem 3.3.5 or prior\n\n## Credits\n\nThanks to l33thaxor for discovering this issue.\n\n## History\n\nOriginally published at 2024-08-22 03:00:00 (UTC)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-41123", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-41123", + "desc": "DoS vulnerabilities in REXML/nThere are some DoS vulnerabilities in REXML gem.\nThese vulnerabilities have been assigned the CVE identifier\nCVE-2024-41123. We strongly recommend upgrading the REXML gem.\n\n## Details\n\nWhen parsing an XML document that has many specific characters such\nas whitespace character, >] and ]>, REXML gem may take long time.\n\nPlease update REXML gem to version 3.3.3 or later.\n\n## Affected versions\n\n* REXML gem 3.3.2 or prior\n\n## Credits\n\nThanks to mprogrammer and scyoon for discovering these issues.\n\n## History\n\nOriginally published at 2024-08-01 03:00:00 (UTC)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2024-41946", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2024-41946", + "desc": "DoS vulnerabilities in REXML/nThere is a DoS vulnerability in REXML gem.\nThis vulnerability has been assigned the CVE identifier\nCVE-2024-41946. We strongly recommend upgrading the REXML gem.\n\n## Details\n\nWhen parsing an XML that has many entity expansions with SAX2 or\npull parser API, REXML gem may take long time.\n\nPlease update REXML gem to version 3.3.3 or later.\n\n## Affected versions\n\n* REXML gem 3.3.2 or prior\n\n## Credits\n\nThanks to NAITOH Jun for discovering and fixing this issue.\n\n## History\n\nOriginally published at 2024-08-01 03:00:00 (UTC)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + }, + { + "tags": { + "cve": "CVE-2021-41136", + "cwe": [], + "nist": [ + "SI-10", + "RA-5" + ] + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": null, + "id": "CVE-2021-41136", + "desc": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma/n### Impact\n\nPrior to `puma` version 5.5.0, using `puma` with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.\n\nThis behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as \"low\". Puma is only aware of a single proxy server which has this behavior.\n\nIf the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.\n\n### Patches\n\nThis vulnerability was patched in Puma 5.5.1 and 4.3.9.\n\n### Workarounds\n\nThis vulnerability only affects Puma installations without any proxy in front.\n\nUse a proxy which does not forward LF characters as line endings.\n\nProxies which do not forward LF characters as line endings:\n\n* Nginx\n* Apache (>2.4.25)\n* Haproxy\n* Caddy\n* Traefik\n\n### Possible Breakage\n\nIf you are [dealing with legacy clients that want to send `LF` as a line ending](https://stackoverflow.com/questions/43574428/have-apache-accept-lf-vs-crlf-in-request-headers) in an HTTP header, this will cause those clients to receive a `400` error.\n\n### References\n\n* [HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n", + "impact": 0, + "code": null, + "results": [ + { + "status": "failed", + "code_desc": "", + "message": null, + "run_time": null, + "start_time": "" + } + ] + } + ], + "sha256": "d8dd7fb2cc5d767a82da37b75060391c990e470a19b730881b9b8df23c32c73d" } ], "passthrough": { diff --git a/libs/hdf-converters/src/neuvector-mapper.ts b/libs/hdf-converters/src/neuvector-mapper.ts index 13c421562d..4ec29ba0f3 100644 --- a/libs/hdf-converters/src/neuvector-mapper.ts +++ b/libs/hdf-converters/src/neuvector-mapper.ts @@ -7,6 +7,27 @@ import { impactMapping, MappedTransform } from './base-converter'; +import {DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS} from './utils/global'; +import {CweNistMapping} from './mappings/CweNistMapping'; + +const CWE_NIST_MAPPING = new CweNistMapping(); +const DEFAULT_NIST_TAGS = ['SI-10', 'RA-5']; + +function cweTag(description: string): string[] { + const regex = /CWE-\d{3}}/g; + return description.match(regex) || []; +} + +function nistTags(cweTags: string[]): string[] { + return CWE_NIST_MAPPING.nistFilter(cweTags, DEFAULT_NIST_TAGS); +} + +const IMPACT_MAPPING: Map = new Map([ + ['Critical', 0.9], + ['High', 0.7], + ['Medium', 0.5], + ['Low', 0.3] +]); export class NeuvectorMapper extends BaseConverter { withRaw: boolean; @@ -41,11 +62,19 @@ export class NeuvectorMapper extends BaseConverter { status: 'loaded', //Insert data controls: [ { - path: 'report.Vulnerabilities', + path: 'report.vulnerabilities', key: 'id', tags: { - nist: ['RA-5', 'SA-10'], - cve: {path: 'name'} + cve: {path: 'name'}, + cwe: { + path: 'description', + transformer: cweTag + }, + nist: { + path: 'description', + transformer: (description: string) => + nistTags(cweTag(description)) + } }, //Insert data descriptions: [], //Insert data refs: [], //Insert data @@ -53,7 +82,10 @@ export class NeuvectorMapper extends BaseConverter { title: null, //Insert data id: {path: 'name'}, //Insert data desc: {path: 'description'}, //Insert data - impact: 0, //Insert data + impact: { + path: 'severity', + transformer: impactMapping(IMPACT_MAPPING) + }, //Insert data code: null, //Insert data results: [ {