Publish Advisories
advisory-database[bot] committed Jul 12, 2022
1 parent 355e6dc commit 63fbd39
Showing 10 changed files with 403 additions and 99 deletions.
@@ -1,11 +1,12 @@
{
"schema_version": "1.2.0",
"id": "GHSA-g377-x8rg-c9mf",
"modified": "2022-07-09T00:00:29Z",
"modified": "2022-07-12T21:24:07Z",
"published": "2022-06-30T00:00:41Z",
"aliases": [
"CVE-2022-33107"
],
"summary": "Deserialization of Untrusted Data in topthink/framework",
"details": "ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\\league\\flysystem-cached-adapter\\src\\Storage\\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload.",
"severity": [
{
Expand All @@ -14,7 +15,25 @@
}
],
"affected": [

{
"package": {
"ecosystem": "Packagist",
"name": "topthink/framework"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "<= 6.0.12"
}
}
],
"references": [
{
Expand All @@ -24,13 +43,17 @@
{
"type": "WEB",
"url": "https://github.com/top-think/framework/issues/2717"
},
{
"type": "PACKAGE",
"url": "https://github.com/top-think/framework"
}
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"severity": "CRITICAL",
"github_reviewed": false
"github_reviewed": true
}
}
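Review bot: The new `affected` entry's range carries only `"introduced": "0"` and no `fixed` event, so an OSV consumer that evaluates `ranges` alone will flag every version of topthink/framework, including any release after the report; the ceiling `"last_known_affected_version_range": "<= 6.0.12"` lives in `database_specific`, which generic tooling is not required to read. That is this database's convention for issues without a known fix, but if the upstream issue linked under `references` has since closed with a release, adding a `{ "fixed": "<FIXED_VERSION>" }` event would make the range actionable; the same open-ended shape appears in GHSA-273c-fjw8-v2w8 and GHSA-7298-w54j-q7wm. Separately, the `details` text places the vulnerable code in the vendored `league/flysystem-cached-adapter` package rather than in the framework's own sources, so it is worth confirming whether the affected package should be that library (or both) rather than topthink/framework alone.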
@@ -1,11 +1,12 @@
{
"schema_version": "1.2.0",
"id": "GHSA-273c-fjw8-v2w8",
"modified": "2022-07-09T00:00:28Z",
"modified": "2022-07-12T21:24:32Z",
"published": "2022-07-01T00:01:08Z",
"aliases": [
"CVE-2022-34803"
],
"summary": "Plaintext Storage of a Password in Jenkins OpsGenie Plugin",
"details": "Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.",
"severity": [
{
Expand All @@ -14,7 +15,25 @@
}
],
"affected": [

{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:opsgenie"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "<= 1.9"
}
}
],
"references": [
{
Expand All @@ -24,13 +43,17 @@
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-1877"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/opsgenie-plugin"
}
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"severity": "MODERATE",
"github_reviewed": false
"github_reviewed": true
}
}
@@ -0,0 +1,184 @@
{
"schema_version": "1.2.0",
"id": "GHSA-5m48-c37x-f792",
"modified": "2022-07-12T21:27:47Z",
"published": "2022-07-01T00:01:11Z",
"aliases": [
"CVE-2013-4170"
],
"summary": "Ember.js Potential XSS Exploit When Binding `tagName` to User-Supplied Data",
"details": "In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the `tagName` property of an `Ember.View` was inserted into such a string without being sanitized. This means that if an application assigns a view's `tagName` to user-supplied data, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain (\"XSS\"). This vulnerability only affects applications that assign or bind user-provided content to `tagName`.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "ember-source"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0.rc1.1"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "<= 1.0.0.rc1.0"
}
},
{
"package": {
"ecosystem": "RubyGems",
"name": "ember-source"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "1.0.0.rc2.0"
},
{
"fixed": "1.0.0.rc2.1"
}
]
}
],
"versions": [
"1.0.0.rc2.0"
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "ember-source"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "1.0.0.rc3.0"
},
{
"fixed": "1.0.0.rc3.1"
}
]
}
],
"versions": [
"1.0.0.rc3.0"
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "ember-source"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "1.0.0.rc4.0"
},
{
"fixed": "1.0.0.rc4.1"
}
]
}
],
"versions": [
"1.0.0.rc4.0"
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "ember-source"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "1.0.0.rc5.0"
},
{
"fixed": "1.0.0.rc5.1"
}
]
}
],
"versions": [
"1.0.0.rc5.0"
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "ember-source"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "1.0.0.rc6.0"
},
{
"fixed": "1.0.0.rc6.1"
}
]
}
],
"versions": [
"1.0.0.rc6.0"
]
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4170"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ember-source/CVE-2013-4170.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/ember-security/c/dokLVwwxAdM"
},
{
"type": "WEB",
"url": "https://rubysec.com/advisories/CVE-2013-4170/"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-RUBY-EMBERSOURCE-20102"
}
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"severity": "MODERATE",
"github_reviewed": true
}
}
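Review bot: The `affected` array lists the same RubyGems package `ember-source` six times, each entry holding a single `ECOSYSTEM` range, while the OSV `ranges` field is itself an array; one affected entry with six ranges (and a single `versions` list naming the five `1.0.0.rcN.0` releases) would express the same set with less to keep in sync. The entries also differ in shape: the first carries `database_specific.last_known_affected_version_range` and no `versions`, the other five carry `versions` and no `database_specific`, which consumers comparing entries will notice. The `references` list holds two URLs for what appears to be the same ember-security thread (`groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM` and `groups.google.com/g/ember-security/c/dokLVwwxAdM`); keeping only the canonical one would avoid the duplicate, unless the database intentionally preserves legacy links.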
@@ -1,11 +1,12 @@
{
"schema_version": "1.2.0",
"id": "GHSA-7298-w54j-q7wm",
"modified": "2022-07-09T00:00:28Z",
"modified": "2022-07-12T21:25:20Z",
"published": "2022-07-01T00:01:07Z",
"aliases": [
"CVE-2022-34801"
],
"summary": "Cleartext Storage of Sensitive Information in Jenkins Build Notifications Plugin",
"details": "Jenkins Build Notifications Plugin 1.5.0 and earlier transmits tokens in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.",
"severity": [
{
Expand All @@ -14,7 +15,25 @@
}
],
"affected": [

{
"package": {
"ecosystem": "Maven",
"name": "tools.devnull:build-notifications"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "<= 1.5.0"
}
}
],
"references": [
{
Expand All @@ -24,13 +43,17 @@
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2056"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/build-notifications-plugin"
}
],
"database_specific": {
"cwe_ids": [
"CWE-318"
],
"severity": "MODERATE",
"github_reviewed": false
"github_reviewed": true
}
}
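Review bot: The `cwe_ids` value `CWE-318` (Cleartext Storage of Sensitive Information in Executable) does not match the `details` text, which describes tokens being transmitted in plain text as part of the global configuration form — that behaviour is cleartext transmission, CWE-319 — and the `summary` ("Cleartext Storage of Sensitive Information") describes a third thing again, CWE-312. Worth reconciling the three against the linked SECURITY-2056 advisory: if the plugin both stores and transmits the tokens unencrypted, listing both weaknesses and extending `details` to say so would be more accurate than the executable-specific CWE-318.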
