reconcile with NVD
Signed-off-by: Weston Steimel <[email protected]>
westonsteimel committed Jan 15, 2025
1 parent 47cc15f commit 67c6852
Showing 11 changed files with 290 additions and 44 deletions.
7 changes: 5 additions & 2 deletions data/anchore/2024/CVE-2024-54268.json
Expand Up @@ -7,11 +7,14 @@
"references": [
"https://patchstack.com/database/wordpress/plugin/so-widgets-bundle/vulnerability/wordpress-siteorigin-widgets-bundle-plugin-1-64-0-broken-access-control-vulnerability?_s_id=cve"
],
"solutions": [
"Update to 1.64.1 or a higher version."
],
"upstream": {
"datePublished": "2024-12-13T14:24:45.711Z",
"dateReserved": "2024-12-02T12:04:05.093Z",
"dateUpdated": "2024-12-13T21:03:05.693Z",
"digest": "2ed87ff270f7eb4ff57c01a22cb59b39fa55d070e3f51a6346d73e14c823493d"
"dateUpdated": "2024-12-16T22:00:57.531Z",
"digest": "a28a4a60170a0144bb3058c4e74cb6d3c9da6540875c25f15b3acacfad0e5673"
}
},
"adp": {
12 changes: 9 additions & 3 deletions data/anchore/2024/CVE-2024-56145.json
Expand Up @@ -2,7 +2,7 @@
"additionalMetadata": {
"cna": "github_m",
"cveId": "CVE-2024-56145",
"description": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 4.13.2 or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.",
"description": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3",
Expand All @@ -11,8 +11,8 @@
"upstream": {
"datePublished": "2024-12-18T20:37:34.301Z",
"dateReserved": "2024-12-16T18:04:39.983Z",
"dateUpdated": "2024-12-18T21:10:48.315Z",
"digest": "fd488b59f0371d0786fa3cda8221ea5d372155c5234137065b1bae8e5d275a6f"
"dateUpdated": "2024-12-19T20:13:33.762Z",
"digest": "9a6b1c75d8ceb0eaf6829f27b168ec4ae6be596f86853d29dbf9a8a295af0aeb"
}
},
"adp": {
Expand All @@ -39,6 +39,12 @@
"status": "affected",
"version": "5.0.0-rc1",
"versionType": "custom"
},
{
"lessThan": "3.9.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
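Review bot: The added 3.x range starts at the final release, `"version": "3.0.0"`, while the 5.x range just above it in this file starts at `"5.0.0-rc1"`, so 3.0.0 pre-release builds would not match if the consumer orders them below 3.0.0. The same applies in CVE-2024-56201.json, where the Jinja lower bound moves from `"0"` to `"3.0.0"` with `"versionType": "python"`: pre-releases of 3.0.0 sort below it under PEP 440 and stop matching after this change. If upstream considers those builds affected, the lower bound should name the earliest pre-release instead; otherwise a short addition to `reason` saying the bound was taken from the updated upstream description would make the narrowing auditable. The surrounding `versions` array begins outside the visible hunk.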
8 changes: 4 additions & 4 deletions data/anchore/2024/CVE-2024-56201.json
Expand Up @@ -2,7 +2,7 @@
"additionalMetadata": {
"cna": "github_m",
"cveId": "CVE-2024-56201",
"description": "Jinja is an extensible templating engine. Prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.",
"description": "Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f",
Expand All @@ -13,8 +13,8 @@
"upstream": {
"datePublished": "2024-12-23T15:37:36.110Z",
"dateReserved": "2024-12-18T18:29:25.896Z",
"dateUpdated": "2024-12-24T01:45:43.607Z",
"digest": "b7a6a49c62cb0342717fb8c7a327c4c3e7b21b409d65691b27930299f29e8e89"
"dateUpdated": "2025-01-09T16:26:45.996Z",
"digest": "668e39849de567fec6227b9124051ba3bdbb024baaf81b59f5d12e3e0c54614e"
}
},
"adp": {
Expand All @@ -34,7 +34,7 @@
{
"lessThan": "3.1.5",
"status": "affected",
"version": "0",
"version": "3.0.0",
"versionType": "python"
}
]
40 changes: 36 additions & 4 deletions data/anchore/2025/CVE-2025-0237.json
Expand Up @@ -2,18 +2,20 @@
"additionalMetadata": {
"cna": "mozilla",
"cveId": "CVE-2025-0237",
"description": "The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.",
"description": "The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://bugzilla.mozilla.org/show_bug.cgi?id=1915257",
"https://www.mozilla.org/security/advisories/mfsa2025-01/",
"https://www.mozilla.org/security/advisories/mfsa2025-02/"
"https://www.mozilla.org/security/advisories/mfsa2025-02/",
"https://www.mozilla.org/security/advisories/mfsa2025-04/",
"https://www.mozilla.org/security/advisories/mfsa2025-05/"
],
"upstream": {
"datePublished": "2025-01-07T16:07:05.787Z",
"dateReserved": "2025-01-06T14:48:59.270Z",
"dateUpdated": "2025-01-07T16:07:05.787Z",
"digest": "45e925945de39272939e7063cc8bd016bed7fa6a2b28bf78ab981f5b0f91b840"
"dateUpdated": "2025-01-13T21:54:58.675Z",
"digest": "42db98d7b9bfbb28c10f0bf376e446e5d7c75a09cedfece798f6e4b5a906ef50"
}
},
"adp": {
Expand Down Expand Up @@ -47,6 +49,36 @@
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
],
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "134",
"status": "affected",
"version": "129",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
],
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "128.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
51 changes: 46 additions & 5 deletions data/anchore/2025/CVE-2025-0238.json
Expand Up @@ -2,19 +2,21 @@
"additionalMetadata": {
"cna": "mozilla",
"cveId": "CVE-2025-0238",
"description": "Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, and Firefox ESR < 115.19.",
"description": "Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://bugzilla.mozilla.org/show_bug.cgi?id=1915535",
"https://www.mozilla.org/security/advisories/mfsa2025-01/",
"https://www.mozilla.org/security/advisories/mfsa2025-02/",
"https://www.mozilla.org/security/advisories/mfsa2025-03/"
"https://www.mozilla.org/security/advisories/mfsa2025-03/",
"https://www.mozilla.org/security/advisories/mfsa2025-04/",
"https://www.mozilla.org/security/advisories/mfsa2025-05/"
],
"upstream": {
"datePublished": "2025-01-07T16:07:06.043Z",
"dateReserved": "2025-01-06T14:49:02.331Z",
"dateUpdated": "2025-01-07T16:07:06.043Z",
"digest": "8c78fdff1b3246dded818c04e42c53f1095ea21af200fc1efe19797f895a62c9"
"dateUpdated": "2025-01-13T21:54:58.998Z",
"digest": "3ed08772b0751efb82a977d459455c2900190e04e8bf9c55f26ef4f9baa2ffbb"
}
},
"adp": {
Expand Down Expand Up @@ -46,14 +48,53 @@
"status": "affected",
"version": "116",
"versionType": "custom"
},
}
]
},
{
"cpes": [
"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"
],
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "115.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
],
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "134",
"status": "affected",
"version": "129",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
],
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "128.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
40 changes: 36 additions & 4 deletions data/anchore/2025/CVE-2025-0239.json
Expand Up @@ -2,18 +2,20 @@
"additionalMetadata": {
"cna": "mozilla",
"cveId": "CVE-2025-0239",
"description": "When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.",
"description": "When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://bugzilla.mozilla.org/show_bug.cgi?id=1929156",
"https://www.mozilla.org/security/advisories/mfsa2025-01/",
"https://www.mozilla.org/security/advisories/mfsa2025-02/"
"https://www.mozilla.org/security/advisories/mfsa2025-02/",
"https://www.mozilla.org/security/advisories/mfsa2025-04/",
"https://www.mozilla.org/security/advisories/mfsa2025-05/"
],
"upstream": {
"datePublished": "2025-01-07T16:07:06.317Z",
"dateReserved": "2025-01-06T14:49:04.597Z",
"dateUpdated": "2025-01-07T16:07:06.317Z",
"digest": "45e925945de39272939e7063cc8bd016bed7fa6a2b28bf78ab981f5b0f91b840"
"dateUpdated": "2025-01-13T21:54:59.320Z",
"digest": "42db98d7b9bfbb28c10f0bf376e446e5d7c75a09cedfece798f6e4b5a906ef50"
}
},
"adp": {
Expand Down Expand Up @@ -47,6 +49,36 @@
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
],
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "134",
"status": "affected",
"version": "129",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
],
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "128.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
40 changes: 36 additions & 4 deletions data/anchore/2025/CVE-2025-0240.json
Expand Up @@ -2,18 +2,20 @@
"additionalMetadata": {
"cna": "mozilla",
"cveId": "CVE-2025-0240",
"description": "Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.",
"description": "Parsing a JavaScript module as JSON could under some circumstances cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.",
"reason": "Added CPE configurations because not yet analyzed by NVD.",
"references": [
"https://bugzilla.mozilla.org/show_bug.cgi?id=1929623",
"https://www.mozilla.org/security/advisories/mfsa2025-01/",
"https://www.mozilla.org/security/advisories/mfsa2025-02/"
"https://www.mozilla.org/security/advisories/mfsa2025-02/",
"https://www.mozilla.org/security/advisories/mfsa2025-04/",
"https://www.mozilla.org/security/advisories/mfsa2025-05/"
],
"upstream": {
"datePublished": "2025-01-07T16:07:06.551Z",
"dateReserved": "2025-01-06T14:49:06.842Z",
"dateUpdated": "2025-01-07T16:07:06.551Z",
"digest": "45e925945de39272939e7063cc8bd016bed7fa6a2b28bf78ab981f5b0f91b840"
"dateUpdated": "2025-01-13T21:54:59.635Z",
"digest": "42db98d7b9bfbb28c10f0bf376e446e5d7c75a09cedfece798f6e4b5a906ef50"
}
},
"adp": {
Expand Down Expand Up @@ -47,6 +49,36 @@
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
],
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "134",
"status": "affected",
"version": "129",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
],
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "128.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {