Skip to content

Commit

Permalink
6 changes (3 new | 3 updated):
Browse files Browse the repository at this point in the history 
      - 3 new CVEs:  CVE-2024-57252, CVE-2025-23202, CVE-2025-23205
      - 3 updated CVEs: CVE-2025-23954, CVE-2025-23962, CVE-2025-23963
  • Loading branch information
cvelistV5 Github Action committed Jan 17, 2025
1 parent 5e2a24e commit ef6e5c5
Show file tree
Hide file tree
Showing 8 changed files with 441 additions and 65 deletions.
59 changes: 59 additions & 0 deletions cves/2024/57xxx/CVE-2024-57252.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
{
"dataType": "CVE_RECORD",
"cveMetadata": {
"state": "PUBLISHED",
"cveId": "CVE-2024-57252",
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"dateUpdated": "2025-01-17T20:17:18.159297",
"dateReserved": "2025-01-09T00:00:00",
"datePublished": "2025-01-17T00:00:00"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre",
"dateUpdated": "2025-01-17T20:17:18.159297"
},
"descriptions": [
{
"lang": "en",
"value": "OtCMS <=V7.46 is vulnerable to Server-Side Request Forgery (SSRF) in /admin/read.php, which can Read system files arbitrarily."
}
],
"affected": [
{
"vendor": "n/a",
"product": "n/a",
"versions": [
{
"version": "n/a",
"status": "affected"
}
]
}
],
"references": [
{
"url": "https://github.com/J-0k3r/some/blob/main/ssrf.pdf"
},
{
"url": "https://github.com/J-0k3r/CVE-2024-57252"
}
],
"problemTypes": [
{
"descriptions": [
{
"type": "text",
"lang": "en",
"description": "n/a"
}
]
}
]
}
},
"dataVersion": "5.1"
}
94 changes: 94 additions & 0 deletions cves/2025/23xxx/CVE-2025-23202.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-2025-23202",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"state": "PUBLISHED",
"assignerShortName": "GitHub_M",
"dateReserved": "2025-01-13T17:15:41.050Z",
"datePublished": "2025-01-17T20:18:20.352Z",
"dateUpdated": "2025-01-17T20:18:20.352Z"
},
"containers": {
"cna": {
"title": "Improper Input Validation in Bible Module for ROBLOX",
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"lang": "en",
"description": "CWE-20: Improper Input Validation",
"type": "CWE"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"subAvailabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0"
}
}
],
"references": [
{
"name": "https://github.com/devycreates/Bible-Module/security/advisories/GHSA-cm7w-99v2-prrq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/devycreates/Bible-Module/security/advisories/GHSA-cm7w-99v2-prrq"
},
{
"name": "https://github.com/devycreates/Bible-Module/commit/5b783855fc3285be2da8639c97ac37af28f8c55a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/devycreates/Bible-Module/commit/5b783855fc3285be2da8639c97ac37af28f8c55a"
}
],
"affected": [
{
"vendor": "devycreates",
"product": "Bible-Module",
"versions": [
{
"version": "< 0.0.3",
"status": "affected"
}
]
}
],
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2025-01-17T20:18:20.352Z"
},
"descriptions": [
{
"lang": "en",
"value": "Bible Module is a tool designed for ROBLOX developers to integrate Bible functionality into their games. The `FetchVerse` and `FetchPassage` functions in the Bible Module are susceptible to injection attacks due to the absence of input validation. This vulnerability could allow an attacker to manipulate the API request URLs, potentially leading to unauthorized access or data tampering. This issue has been addressed in version 0.0.3. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"source": {
"advisory": "GHSA-cm7w-99v2-prrq",
"discovery": "UNKNOWN"
}
}
}
}
108 changes: 108 additions & 0 deletions cves/2025/23xxx/CVE-2025-23205.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-2025-23205",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"state": "PUBLISHED",
"assignerShortName": "GitHub_M",
"dateReserved": "2025-01-13T17:15:41.050Z",
"datePublished": "2025-01-17T20:23:21.818Z",
"dateUpdated": "2025-01-17T20:23:21.818Z"
},
"containers": {
"cna": {
"title": "`frame-ancestors: self` grants all users access to formgrader in nbgrader",
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-668",
"lang": "en",
"description": "CWE-668: Exposure of Resource to Wrong Sphere",
"type": "CWE"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "LOW",
"userInteraction": "PASSIVE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"subAvailabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"references": [
{
"name": "https://github.com/jupyter/nbgrader/security/advisories/GHSA-fcr8-4r9f-r66m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jupyter/nbgrader/security/advisories/GHSA-fcr8-4r9f-r66m"
},
{
"name": "https://github.com/jupyter/nbgrader/pull/1915",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jupyter/nbgrader/pull/1915"
},
{
"name": "https://github.com/jupyter/nbgrader/commit/73e137511ac1dc02e95790d4fd6d4d88dab42325",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jupyter/nbgrader/commit/73e137511ac1dc02e95790d4fd6d4d88dab42325"
},
{
"name": "https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#:~:text=frame-ancestors",
"tags": [
"x_refsource_MISC"
],
"url": "https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#:~:text=frame-ancestors"
}
],
"affected": [
{
"vendor": "jupyter",
"product": "nbgrader",
"versions": [
{
"version": "= 0.9.4",
"status": "affected"
}
]
}
],
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2025-01-17T20:23:21.818Z"
},
"descriptions": [
{
"lang": "en",
"value": "nbgrader is a system for assigning and grading notebooks. Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`. #1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice's page is on the same Origin as the formgrader iframe, Javasript on Alice's page has _full access_ to the contents of the page served by formgrader using Bob's credentials. This issue has been addressed in release 0.9.5 and all users are advised to upgrade. Users unable to upgrade may disable `frame-ancestors: self`, or enable per-user and per-service subdomains with `JupyterHub.enable_subdomains = True` (then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame)."
}
],
"source": {
"advisory": "GHSA-fcr8-4r9f-r66m",
"discovery": "UNKNOWN"
}
}
}
}
38 changes: 36 additions & 2 deletions cves/2025/23xxx/CVE-2025-23954.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"assignerShortName": "Patchstack",
"dateReserved": "2025-01-16T11:32:55.399Z",
"datePublished": "2025-01-16T20:08:08.694Z",
"dateUpdated": "2025-01-16T20:08:08.694Z"
"dateUpdated": "2025-01-17T20:24:36.547Z"
},
"containers": {
"cna": {
Expand Down Expand Up @@ -118,6 +118,40 @@
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"adp": [
{
"metrics": [
{
"other": {
"type": "ssvc",
"content": {
"timestamp": "2025-01-17T20:24:20.534084Z",
"id": "CVE-2025-23954",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"version": "2.0.3"
}
}
}
],
"title": "CISA ADP Vulnrichment",
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-01-17T20:24:36.547Z"
}
}
]
}
}
38 changes: 36 additions & 2 deletions cves/2025/23xxx/CVE-2025-23962.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"assignerShortName": "Patchstack",
"dateReserved": "2025-01-16T11:33:05.290Z",
"datePublished": "2025-01-16T20:08:09.352Z",
"dateUpdated": "2025-01-16T20:08:09.352Z"
"dateUpdated": "2025-01-17T20:23:45.652Z"
},
"containers": {
"cna": {
Expand Down Expand Up @@ -118,6 +118,40 @@
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"adp": [
{
"metrics": [
{
"other": {
"type": "ssvc",
"content": {
"timestamp": "2025-01-17T20:23:30.210039Z",
"id": "CVE-2025-23962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"version": "2.0.3"
}
}
}
],
"title": "CISA ADP Vulnrichment",
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-01-17T20:23:45.652Z"
}
}
]
}
}
Loading

0 comments on commit ef6e5c5

Please sign in to comment.