diff --git a/src/main/java/io/gardenlinux/glvd/releasenotes/ReleaseNoteGenerator.java b/src/main/java/io/gardenlinux/glvd/releasenotes/ReleaseNoteGenerator.java index 693a0d0..72a835a 100644 --- a/src/main/java/io/gardenlinux/glvd/releasenotes/ReleaseNoteGenerator.java +++ b/src/main/java/io/gardenlinux/glvd/releasenotes/ReleaseNoteGenerator.java @@ -39,6 +39,7 @@ public ReleaseNote generate() { var cvesNewVersionIgnoreResolved = cvesNewVersion.stream().filter(sourcePackageCve -> !resolvedInNew.contains(sourcePackageCve.getCveId())).toList(); var cvesNewVersionCveIds = cvesNewVersionIgnoreResolved.stream().map(SourcePackageCve::getCveId).collect(Collectors.joining()); var diff = cvesOldVersion.stream().filter(sourcePackageCve -> !cvesNewVersionCveIds.contains(sourcePackageCve.getCveId())).toList(); + HashMap> sourcePackageNameToCveListMapping = new HashMap<>(); for (SourcePackageCve sourcePackageCve : diff) { var cveList = sourcePackageNameToCveListMapping.getOrDefault(sourcePackageCve.getSourcePackageName(), new ArrayList<>()); @@ -47,12 +48,24 @@ public ReleaseNote generate() { } List releaseNotesPackages = new ArrayList<>(); sourcePackageNameToCveListMapping.forEach((sourcePackage, cves) -> - releaseNotesPackages.add( - new ReleaseNotesPackage(sourcePackage, - getVersionByPackageName(sourcePackagesInOldVersion, sourcePackage), - getVersionByPackageName(sourcePackagesInNewVersion, sourcePackage), - cves) - ) + { + String oldVersion = getVersionByPackageName(sourcePackagesInOldVersion, sourcePackage); + String newVersion = getVersionByPackageName(sourcePackagesInNewVersion, sourcePackage); + if (oldVersion.isEmpty() || newVersion.isEmpty()) { + return; + } + // https://github.com/gardenlinux/glvd/issues/160 + // If the old and new version are the same, this is probably a false positive + if (oldVersion.equals(newVersion)) { + return; + } + releaseNotesPackages.add( + new ReleaseNotesPackage(sourcePackage, + oldVersion, + newVersion, + cves) + ); + } ); return new ReleaseNote(gardenLinuxVersion.printVersion(), releaseNotesPackages); diff --git a/src/test/java/io/gardenlinux/glvd/GlvdControllerTest.java b/src/test/java/io/gardenlinux/glvd/GlvdControllerTest.java index 2567545..de28b8c 100644 --- a/src/test/java/io/gardenlinux/glvd/GlvdControllerTest.java +++ b/src/test/java/io/gardenlinux/glvd/GlvdControllerTest.java @@ -231,7 +231,7 @@ public void shouldGetCveDetailsWithContextsForKernelCveIsResolved() { .body("details.kernelLtsVersion[0]", equalTo("6.6")) .body("details.kernelLtsVersion[1]", equalTo("6.12")) // This CVE is not fixed in any kernel, so all are vulnerable - .body("details.isVulnerable", is(List.of(true, true, true, true, true, true, true, true))) + .body("details.isVulnerable", is(List.of(true, true, true, true, true, true, true))) // Is explicitly marked as "resolved" .body("contexts.resolved", hasItems(true)); } @@ -275,6 +275,16 @@ public void shouldGenerateEmptyPatchReleaseNotesForDistWithNoSourcePackages() { .body("packageList", empty()); } + @Test + public void reproduceIssue153() { + // Reproducer for https://github.com/gardenlinux/glvd/issues/153 + given(this.spec).accept("application/json") + .when().port(this.port).get("/v1/patchReleaseNotes/1443.20") + .then().statusCode(200) + .body("version", equalTo("1443.20")) + .body("packageList", empty()); + } + @Test public void shouldReportExpectedTriagesForGardenlinuxVersion() { given(this.spec).accept("application/json") diff --git a/src/test/java/io/gardenlinux/glvd/ReleaseNoteGeneratorTest.java b/src/test/java/io/gardenlinux/glvd/ReleaseNoteGeneratorTest.java index 8cda269..cfbd116 100644 --- a/src/test/java/io/gardenlinux/glvd/ReleaseNoteGeneratorTest.java +++ b/src/test/java/io/gardenlinux/glvd/ReleaseNoteGeneratorTest.java @@ -204,4 +204,72 @@ public void generateReleaseNotesWithCveContextOfNonVulnerableCve() { assertEquals(cveOld3.getCveId(), actual.getPackageList().get(2).getFixedCves().getFirst()); } + SourcePackageCve rubyCveOld = new SourcePackageCve( + "CVE-2023-28755", + "ruby3.1", + "3.1.2-8.4gl0", + gardenLinuxVersion.previousPatchVersion(), + true, + "", + "", + "", + 7.5f, + "", + 7.5f, + 7.5f, + 7.5f, + 7.5f, + "", + "", + "", + "" + ); + + SourcePackageCve rubyCveNew = new SourcePackageCve( + "CVE-2023-28755", + "ruby3.1", + "3.1.2-8.4gl0", + gardenLinuxVersion.printVersion(), + true, + "", + "", + "", + 7.5f, + "", + 7.5f, + 7.5f, + 7.5f, + 7.5f, + "", + "", + "", + "" + ); + + @Test + public void generateReleaseNotesWithCveListAffectingTheSamePackageVersion() { + final List cvesOldVersion = List.of(rubyCveOld); + final List cvesNewVersion = List.of(rubyCveNew); + final List resolvedInNew = List.of(); + final List sourcePackagesInOldVersion = List.of(new DebSrc(DIST_ID_OLD, "2023-10-01", "ruby3.1", "3.1.2-8.4gl0"), new DebSrc(DIST_ID_OLD, "2023-10-01", "rubygems", "3.4.20-1")); + final List sourcePackagesInNewVersion = List.of(new DebSrc(DIST_ID_NEW, "2023-10-01", "ruby3.1", "3.1.2-8.4gl0"), new DebSrc(DIST_ID_NEW, "2023-10-01", "rubygems", "3.4.20-1")); + + var actual = new ReleaseNoteGenerator(gardenLinuxVersion, cvesOldVersion, cvesNewVersion, resolvedInNew, sourcePackagesInOldVersion, sourcePackagesInNewVersion).generate(); + + assertEquals(0, actual.getPackageList().size()); + } + + @Test + public void generateReleaseNotesWithCveListAffectingTheSamePackageVersionWhenNewCveIsTriaged() { + final List cvesOldVersion = List.of(rubyCveOld); + final List cvesNewVersion = List.of(rubyCveNew); + final List resolvedInNew = List.of(rubyCveNew.getCveId()); + final List sourcePackagesInOldVersion = List.of(new DebSrc(DIST_ID_OLD, "2023-10-01", "ruby3.1", "3.1.2-8.4gl0"), new DebSrc(DIST_ID_OLD, "2023-10-01", "rubygems", "3.4.20-1")); + final List sourcePackagesInNewVersion = List.of(new DebSrc(DIST_ID_NEW, "2023-10-01", "ruby3.1", "3.1.2-8.4gl0"), new DebSrc(DIST_ID_NEW, "2023-10-01", "rubygems", "3.4.20-1")); + + var actual = new ReleaseNoteGenerator(gardenLinuxVersion, cvesOldVersion, cvesNewVersion, resolvedInNew, sourcePackagesInOldVersion, sourcePackagesInNewVersion).generate(); + + assertEquals(0, actual.getPackageList().size()); + } + } \ No newline at end of file diff --git a/src/test/resources/test-data/01-schema.sql b/src/test/resources/test-data/01-schema.sql index 83faeef..fe18475 100644 --- a/src/test/resources/test-data/01-schema.sql +++ b/src/test/resources/test-data/01-schema.sql @@ -3,7 +3,7 @@ -- -- Dumped from database version 17.4 (Debian 17.4-1.pgdg120+2) --- Dumped by pg_dump version 17.4 (Debian 17.4-1.pgdg120+2) +-- Dumped by pg_dump version 17.5 (Debian 17.5-1) SET statement_timeout = 0; SET lock_timeout = 0; @@ -640,4 +640,5 @@ ALTER TABLE ONLY public.debsrc -- -- PostgreSQL database dump complete --- \ No newline at end of file +-- + diff --git a/src/test/resources/test-data/02-sample-data.sql b/src/test/resources/test-data/02-sample-data.sql index 7f58371..e90775e 100644 --- a/src/test/resources/test-data/02-sample-data.sql +++ b/src/test/resources/test-data/02-sample-data.sql @@ -1,26 +1,28 @@ -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '13', 'trixie'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '12', 'bookworm'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '', ''); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '11', 'bullseye'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '10', 'buster'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '9', 'stretch'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '8', 'jessie'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '7', 'wheezy'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '6.0', 'squeeze'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '5.0', 'lenny'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '4.0', 'etch'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '3.1', 'sarge'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('debian', 'debian_linux', '3.0', 'woody'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('sap', 'gardenlinux', 'today', 'today'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('sap', 'gardenlinux', '1592.4', '1592.4'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('sap', 'gardenlinux', '1592.5', '1592.5'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('sap', 'gardenlinux', '1592.6', '1592.6'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('sap', 'gardenlinux', '1592.7', '1592.7'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('sap', 'gardenlinux', '1443.18', '1443.18'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('sap', 'gardenlinux', '1443.19', '1443.19'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('sap', 'gardenlinux', '1592.8', '1592.8'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('sap', 'gardenlinux', '1443.20', '1443.20'); -INSERT INTO public.dist_cpe (cpe_vendor, cpe_product, cpe_version, deb_codename) VALUES ('sap', 'gardenlinux', '1592.9', '1592.9'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (1, 'debian', 'debian_linux', '13', 'trixie'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (2, 'debian', 'debian_linux', '12', 'bookworm'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (3, 'debian', 'debian_linux', '', ''); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (4, 'debian', 'debian_linux', '11', 'bullseye'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (5, 'debian', 'debian_linux', '10', 'buster'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (6, 'debian', 'debian_linux', '9', 'stretch'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (7, 'debian', 'debian_linux', '8', 'jessie'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (8, 'debian', 'debian_linux', '7', 'wheezy'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (9, 'debian', 'debian_linux', '6.0', 'squeeze'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (10, 'debian', 'debian_linux', '5.0', 'lenny'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (11, 'debian', 'debian_linux', '4.0', 'etch'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (12, 'debian', 'debian_linux', '3.1', 'sarge'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (13, 'debian', 'debian_linux', '3.0', 'woody'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (14, 'sap', 'gardenlinux', 'today', 'today'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (15, 'sap', 'gardenlinux', '1592.4', '1592.4'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (16, 'sap', 'gardenlinux', '1592.5', '1592.5'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (17, 'sap', 'gardenlinux', '1592.6', '1592.6'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (18, 'sap', 'gardenlinux', '1592.7', '1592.7'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (19, 'sap', 'gardenlinux', '1443.18', '1443.18'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (20, 'sap', 'gardenlinux', '1443.19', '1443.19'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (21, 'sap', 'gardenlinux', '1592.8', '1592.8'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (22, 'sap', 'gardenlinux', '1443.20', '1443.20'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (23, 'sap', 'gardenlinux', '1592.9', '1592.9'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (24, 'sap', 'gardenlinux', '1592.10', '1592.10'); +INSERT INTO public.dist_cpe (id, cpe_vendor, cpe_product, cpe_version, deb_codename) OVERRIDING SYSTEM VALUE VALUES (25, 'sap', 'gardenlinux', '1443.21', '1443.21'); INSERT INTO public.all_cve (cve_id, last_mod, data) VALUES ('CVE-2023-50387', '2024-12-06 11:25:13.831634+00', '{"id": "CVE-2023-50387", "sourceIdentifier": "cve@mitre.org", "published": "2024-02-14T16:15:45.300", "lastModified": "2024-11-21T08:36:56.937", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records."}, {"lang": "es", "value": "Ciertos aspectos DNSSEC del protocolo DNS (en RFC 4035 y RFC relacionados) permiten a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de CPU) a trav\u00e9s de una o m\u00e1s respuestas DNSSEC cuando hay una zona con muchos registros DNSKEY y RRSIG, tambi\u00e9n conocido como \"KeyTrap\". \" asunto. La especificaci\u00f3n del protocolo implica que un algoritmo debe evaluar todas las combinaciones de registros DNSKEY y RRSIG."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "matchCriteriaId": "AF07A81D-12E5-4B1D-BFF9-C8D08C32FF4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "matchCriteriaId": "A7DF96F8-BA6A-4780-9CA3-F719B3F81074"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "matchCriteriaId": "DB18C4CE-5917-401E-ACF7-2747084FD36E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "matchCriteriaId": "821614DD-37DD-44E2-A8A4-FE8D23A33C3C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:-:*:*:*:*:*:*:*", "matchCriteriaId": "75CCACE6-A0EE-4A6F-BD5A-7AA504B02717"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.90", "matchCriteriaId": "964796B3-BA45-4180-A8DA-64CF93CED122"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nic:knot_resolver:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.71", "matchCriteriaId": "8A8328E8-C652-4262-8C00-D89AD8F75CCF"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8.0", "versionEndExcluding": "4.8.6", "matchCriteriaId": "5207D316-7DC9-4724-BC48-C8D3EC5087E8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.0", "versionEndExcluding": "4.9.3", "matchCriteriaId": "FEE64451-7CB9-45BD-8168-9F48199A9363"}, {"vulnerable": true, "criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.0.2", "matchCriteriaId": "0526B76D-52BB-4FA1-B692-8EDEC673EAE5"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "versionStartIncluding": "9.0.0", "versionEndIncluding": "9.16.46", "matchCriteriaId": "F3814976-5223-4615-BA7B-E33083D3EC26"}, {"vulnerable": true, "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "versionStartIncluding": "9.18.0", "versionEndIncluding": "9.18.22", "matchCriteriaId": "140CCABA-F134-4CC2-9960-258D6BFF34DD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "versionStartIncluding": "9.19.0", "versionEndIncluding": "9.19.20", "matchCriteriaId": "71BAD5BF-8532-4988-A772-6CD7B851E9E2"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.19.1", "matchCriteriaId": "8C094EEB-BAD6-495B-B1CB-671D31549F15"}]}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=pdns-recursor", "deb": {"versionLatest": "4.8.8-1", "cvssSeverity": "HIGH", "versionEndExcluding": "4.9.3-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=bind9", "deb": {"versionLatest": "1:9.18.28-1~deb12u2", "cvssSeverity": "HIGH", "versionEndExcluding": "1:9.19.21-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=dnsmasq", "deb": {"versionLatest": "2.89-1", "cvssSeverity": "HIGH"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=knot-resolver", "deb": {"versionLatest": "5.6.0-1+deb12u1", "cvssSeverity": "HIGH", "versionEndExcluding": "5.7.1-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=unbound", "deb": {"versionLatest": "1.17.1-2+deb12u2", "cvssSeverity": "HIGH", "versionEndExcluding": "1.19.1-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=systemd", "deb": {"versionLatest": "252.31-1~deb12u1", "cvssSeverity": "HIGH", "versionEndExcluding": "252.23-1~deb12u1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=dnsjava", "deb": {"versionLatest": "2.1.8-2", "cvssSeverity": "HIGH"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=pdns-recursor", "deb": {"versionLatest": "5.1.3-1", "cvssSeverity": "HIGH", "versionEndExcluding": "4.9.3-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=unbound", "deb": {"versionLatest": "1.22.0-1", "cvssSeverity": "HIGH", "versionEndExcluding": "1.19.1-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=bind9", "deb": {"versionLatest": "1:9.20.3-1", "cvssSeverity": "HIGH", "versionEndExcluding": "1:9.19.21-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=dnsmasq", "deb": {"versionLatest": "2.90-5", "cvssSeverity": "HIGH", "versionEndExcluding": "2.90-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=knot-resolver", "deb": {"versionLatest": "5.7.4-2", "cvssSeverity": "HIGH", "versionEndExcluding": "5.7.1-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=systemd", "deb": {"versionLatest": "257~rc3-1", "cvssSeverity": "HIGH", "versionEndExcluding": "255.4-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.4:*:*:*:*:*:*:deb_source\\=bind9", "deb": {"versionLatest": "1:9.20.0-2", "cvssSeverity": "HIGH", "versionEndExcluding": "1:9.19.21-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.4:*:*:*:*:*:*:deb_source\\=dnsmasq", "deb": {"versionLatest": "2.90-4", "cvssSeverity": "HIGH", "versionEndExcluding": "2.90-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.4:*:*:*:*:*:*:deb_source\\=systemd", "deb": {"versionLatest": "256.4-2gardenlinux0", "cvssSeverity": "HIGH", "versionEndExcluding": "255.4-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.4:*:*:*:*:*:*:deb_source\\=unbound", "deb": {"versionLatest": "1.20.0-1", "cvssSeverity": "HIGH", "versionEndExcluding": "1.19.1-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:today:*:*:*:*:*:*:deb_source\\=systemd", "deb": {"versionLatest": "256.8-0gl0", "cvssSeverity": "HIGH", "versionEndExcluding": "255.4-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:today:*:*:*:*:*:*:deb_source\\=bind9", "deb": {"versionLatest": "1:9.19.24-2gl0", "cvssSeverity": "HIGH", "versionEndExcluding": "1:9.19.21-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:today:*:*:*:*:*:*:deb_source\\=dnsmasq", "deb": {"versionLatest": "2.90-5", "cvssSeverity": "HIGH", "versionEndExcluding": "2.90-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:today:*:*:*:*:*:*:deb_source\\=unbound", "deb": {"versionLatest": "1.22.0-1", "cvssSeverity": "HIGH", "versionEndExcluding": "1.19.1-1"}, "vulnerable": false}], "negate": false, "operator": "OR"}]}], "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/02/16/2", "source": "cve@mitre.org", "tags": ["Mailing List"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/16/3", "source": "cve@mitre.org", "tags": ["Mailing List"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-50387", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823", "source": "cve@mitre.org", "tags": ["Issue Tracking"]}, {"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", "source": "cve@mitre.org", "tags": ["Patch"]}, {"url": "https://kb.isc.org/docs/cve-2023-50387", "source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html", "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/", "source": "cve@mitre.org", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/", "source": "cve@mitre.org", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/", "source": "cve@mitre.org", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/", "source": "cve@mitre.org"}, {"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", "source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387", "source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://news.ycombinator.com/item?id=39367411", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://news.ycombinator.com/item?id=39372384", "source": "cve@mitre.org", "tags": ["Issue Tracking"]}, {"url": "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", "source": "cve@mitre.org", "tags": ["Vendor Advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0007/", "source": "cve@mitre.org"}, {"url": "https://www.athene-center.de/aktuelles/key-trap", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf", "source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"]}, {"url": "https://www.isc.org/blogs/2024-bind-security-release/", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/", "source": "cve@mitre.org", "tags": ["Press/Media Coverage", "Third Party Advisory"]}, {"url": "https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/", "source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/16/2", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/16/3", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-50387", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"]}, {"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"]}, {"url": "https://kb.isc.org/docs/cve-2023-50387", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://news.ycombinator.com/item?id=39367411", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://news.ycombinator.com/item?id=39372384", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"]}, {"url": "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0007/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.athene-center.de/aktuelles/key-trap", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"]}, {"url": "https://www.isc.org/blogs/2024-bind-security-release/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Press/Media Coverage", "Third Party Advisory"]}, {"url": "https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"]}]}'); INSERT INTO public.all_cve (cve_id, last_mod, data) VALUES ('CVE-2024-11053', '2025-02-04 07:32:48.024849+00', '{"id": "CVE-2024-11053", "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "published": "2024-12-11T08:15:05.307", "lastModified": "2025-01-31T15:15:12.400", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password."}, {"lang": "es", "value": "Cuando se le pide que use un archivo `.netrc` para las credenciales y que siga las redirecciones HTTP, curl podr\u00eda filtrar la contrase\u00f1a utilizada para el primer host al host al que sigue en determinadas circunstancias. Esta falla solo se manifiesta si el archivo netrc tiene una entrada que coincide con el nombre de host de destino de la redirecci\u00f3n, pero la entrada omite solo la contrase\u00f1a u omite tanto el nombre de usuario como la contrase\u00f1a."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "baseScore": 3.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "references": [{"url": "https://curl.se/docs/CVE-2024-11053.html", "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://curl.se/docs/CVE-2024-11053.json", "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://hackerone.com/reports/2829063", "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "http://www.openwall.com/lists/oss-security/2024/12/11/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20250124-0012/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20250131-0003/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sap:gardenlinux:today:*:*:*:*:*:*:deb_source\\=curl", "deb": {"versionLatest": "8.11.1-1gl1", "versionEndExcluding": "8.11.1-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=curl", "deb": {"versionLatest": "7.88.1-10+deb12u8", "versionEndExcluding": "8.11.1-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.5:*:*:*:*:*:*:deb_source\\=curl", "deb": {"versionLatest": "8.11.1-1gl0", "versionEndExcluding": "8.11.1-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=curl", "deb": {"versionLatest": "8.11.1-1", "versionEndExcluding": "8.11.1-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.4:*:*:*:*:*:*:deb_source\\=curl", "deb": {"versionLatest": "8.11.0-1gl0", "versionEndExcluding": "8.11.1-1"}, "vulnerable": true}], "negate": false, "operator": "OR"}]}]}'); @@ -38,6 +40,8 @@ INSERT INTO public.all_cve (cve_id, last_mod, data) VALUES ('CVE-2025-21866', '2 INSERT INTO public.all_cve (cve_id, last_mod, data) VALUES ('CVE-2024-44953', '2025-04-14 12:53:01.777914+00', '{"id": "CVE-2024-44953", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-09-04T19:15:30.297", "lastModified": "2025-03-07T18:15:40.950", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix deadlock during RTC update\n\nThere is a deadlock when runtime suspend waits for the flush of RTC work,\nand the RTC work calls ufshcd_rpm_get_sync() to wait for runtime resume.\n\nHere is deadlock backtrace:\n\nkworker/0:1 D 4892.876354 10 10971 4859 0x4208060 0x8 10 0 120 670730152367\nptr f0ffff80c2e40000 0 1 0x00000001 0x000000ff 0x000000ff 0x000000ff\n __switch_to+0x1a8/0x2d4\n __schedule+0x684/0xa98\n schedule+0x48/0xc8\n schedule_timeout+0x48/0x170\n do_wait_for_common+0x108/0x1b0\n wait_for_completion+0x44/0x60\n __flush_work+0x39c/0x424\n __cancel_work_sync+0xd8/0x208\n cancel_delayed_work_sync+0x14/0x28\n __ufshcd_wl_suspend+0x19c/0x480\n ufshcd_wl_runtime_suspend+0x3c/0x1d4\n scsi_runtime_suspend+0x78/0xc8\n __rpm_callback+0x94/0x3e0\n rpm_suspend+0x2d4/0x65c\n __pm_runtime_suspend+0x80/0x114\n scsi_runtime_idle+0x38/0x6c\n rpm_idle+0x264/0x338\n __pm_runtime_idle+0x80/0x110\n ufshcd_rtc_work+0x128/0x1e4\n process_one_work+0x26c/0x650\n worker_thread+0x260/0x3d8\n kthread+0x110/0x134\n ret_from_fork+0x10/0x20\n\nSkip updating RTC if RPM state is not RPM_ACTIVE."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: ufs: core: Se corrige un bloqueo durante la actualizaci\u00f3n de RTC. Hay un bloqueo cuando la suspensi\u00f3n en tiempo de ejecuci\u00f3n espera la limpieza del trabajo de RTC y el trabajo de RTC llama a ufshcd_rpm_get_sync() para esperar la reanudaci\u00f3n del tiempo de ejecuci\u00f3n. Aqu\u00ed est\u00e1 el backtrace del bloqueo: kworker/0:1 D 4892.876354 10 10971 4859 0x4208060 0x8 10 0 120 670730152367 ptr f0ffff80c2e40000 0 1 0x00000001 0x000000ff 0x000000ff 0x000000ff __switch_to+0x1a8/0x2d4 __schedule+0x684/0xa98 schedule+0x48/0xc8 schedule_timeout+0x48/0x170 do_wait_for_common+0x108/0x1b0 wait_for_completion+0x44/0x60 __flush_work+0x39c/0x424 __cancel_work_sync+0xd8/0x208 cancel_delayed_work_sync+0x14/0x28 __ufshcd_wl_suspend+0x19c/0x480 ufshcd_wl_runtime_suspend+0x3c/0x1d4 scsi_runtime_suspend+0x78/0xc8 __rpm_callback+0x94/0x3e0 rpm_suspend+0x2d4/0x65c __pm_runtime_suspend+0x80/0x114 scsi_runtime_idle+0x38/0x6c rpm_idle+0x264/0x338 __pm_runtime_idle+0x80/0x110 ufshcd_rtc_work+0x128/0x1e4 process_one_work+0x26c/0x650 worker_thread+0x260/0x3d8 kthread+0x110/0x134 ret_from_fork+0x10/0x20 Skip updating RTC if RPM state is not RPM_ACTIVE. "}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-667"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.10.5", "matchCriteriaId": "48E239A0-A959-4FAB-8475-D045FED3DDA5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*", "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119"}]}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.1.129-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:today:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.12.23-1gl0", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.7:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.83-0gl0~bp1592", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1443.18:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.80-0gl0~bp1443", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1443.19:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.83-0gl0~bp1443", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.12.21-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.84-0gl0~bp1592", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.4:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.63-0gl0~bp1592", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.6:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.78-0gl0~bp1592", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.5:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.71-0gl0~bp1592", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}], "negate": false, "operator": "OR"}]}], "references": [{"url": "https://git.kernel.org/stable/c/3911af778f208e5f49d43ce739332b91e26bc48e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a4921b76bc9421d3838e167f6a17ea3112d8fe62", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f13f1858a28c68b7fc0d72c2008d5c1f80d2e8d5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}'); INSERT INTO public.all_cve (cve_id, last_mod, data) VALUES ('CVE-2005-2541', '2025-04-14 12:53:01.777914+00', '{"id": "CVE-2005-2541", "sourceIdentifier": "cve@mitre.org", "published": "2005-08-10T04:00:00.000", "lastModified": "2025-04-03T01:03:51.193", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges."}], "metrics": {"cvssMetricV2": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": true, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:tar:1.15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B8B4A20D-AAD0-4857-AC0F-D221EBB08BFD"}]}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=tar", "deb": {"versionLatest": "1.35+dfsg-3", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1443.19:*:*:*:*:*:*:deb_source\\=tar", "deb": {"versionLatest": "1.35+dfsg-3", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1443.18:*:*:*:*:*:*:deb_source\\=tar", "deb": {"versionLatest": "1.35+dfsg-3", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.6:*:*:*:*:*:*:deb_source\\=tar", "deb": {"versionLatest": "1.35+dfsg-3", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.7:*:*:*:*:*:*:deb_source\\=tar", "deb": {"versionLatest": "1.35+dfsg-3", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=tar", "deb": {"versionLatest": "1.34+dfsg-1.2+deb12u1", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:today:*:*:*:*:*:*:deb_source\\=tar", "deb": {"versionLatest": "1.35+dfsg-3.1", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.5:*:*:*:*:*:*:deb_source\\=tar", "deb": {"versionLatest": "1.35+dfsg-3", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=tar", "deb": {"versionLatest": "1.35+dfsg-3.1", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.4:*:*:*:*:*:*:deb_source\\=tar", "deb": {"versionLatest": "1.35+dfsg-3", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}], "negate": false, "operator": "OR"}]}], "references": [{"url": "http://marc.info/?l=bugtraq&m=112327628230258&w=2", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E", "source": "cve@mitre.org"}, {"url": "http://marc.info/?l=bugtraq&m=112327628230258&w=2", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vendorComments": [{"organization": "Red Hat", "comment": "This is the documented and expected behaviour of tar.", "lastModified": "2006-08-30T00:00:00"}]}'); INSERT INTO public.all_cve (cve_id, last_mod, data) VALUES ('CVE-2019-1010022', '2025-04-14 12:53:01.777914+00', '{"id": "CVE-2019-1010022", "sourceIdentifier": "josh@bress.net", "published": "2019-07-15T04:15:13.317", "lastModified": "2024-11-21T04:17:55.500", "vulnStatus": "Modified", "cveTags": [{"sourceIdentifier": "josh@bress.net", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat."}, {"lang": "es", "value": "** EN DISPUTA ** La biblioteca Libc actual de GNU est\u00e1 afectada por: Omisi\u00f3n de Mitigaci\u00f3n. El impacto es: El atacante puede omitir la protecci\u00f3n stack guard. El componente es: nptl. El vector de ataque es: explotar la vulnerabilidad de desbordamiento del b\u00fafer de la pila y utilizar esta vulnerabilidad de omisi\u00f3n para eludir la protecci\u00f3n stack guard. NOTA: Los comentarios de los usuarios indican que \"esto est\u00e1 siendo tratado como un error de no seguridad y no una amenaza real\"."}], "metrics": {"cvssMetricV30": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:glibc:-:*:*:*:*:*:*:*", "matchCriteriaId": "68D5A70D-5CEE-4E19-BF35-0245A0E0F6BC"}]}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.4:*:*:*:*:*:*:deb_source\\=glibc", "deb": {"versionLatest": "2.39-6", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:today:*:*:*:*:*:*:deb_source\\=glibc", "deb": {"versionLatest": "2.41-6", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1443.19:*:*:*:*:*:*:deb_source\\=glibc", "deb": {"versionLatest": "2.37-15gl0~bp1443", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=glibc", "deb": {"versionLatest": "2.41-6", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.5:*:*:*:*:*:*:deb_source\\=glibc", "deb": {"versionLatest": "2.39-6", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1443.18:*:*:*:*:*:*:deb_source\\=glibc", "deb": {"versionLatest": "2.37-15gl0~bp1443", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=glibc", "deb": {"versionLatest": "2.39-6gl0~bp1592", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.6:*:*:*:*:*:*:deb_source\\=glibc", "deb": {"versionLatest": "2.39-6gl0~bp1592", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.7:*:*:*:*:*:*:deb_source\\=glibc", "deb": {"versionLatest": "2.39-6gl0~bp1592", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=glibc", "deb": {"versionLatest": "2.36-9+deb12u10", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}], "negate": false, "operator": "OR"}]}], "references": [{"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "source": "josh@bress.net"}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", "source": "josh@bress.net", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", "source": "josh@bress.net"}, {"url": "https://ubuntu.com/security/CVE-2019-1010022", "source": "josh@bress.net"}, {"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://ubuntu.com/security/CVE-2019-1010022", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}'); +INSERT INTO public.all_cve (cve_id, last_mod, data) VALUES ('CVE-2024-35176', '2025-04-14 12:53:01.777914+00', '{"id": "CVE-2024-35176", "sourceIdentifier": "security-advisories@github.com", "published": "2024-05-16T16:15:09.707", "lastModified": "2025-03-07T01:15:11.507", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": " REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don''t parse untrusted XMLs."}, {"lang": "es", "value": " REXML es un conjunto de herramientas XML para Ruby. La gema REXML anterior a 3.2.6 tiene una vulnerabilidad de denegaci\u00f3n de servicio cuando analiza un XML que tiene muchos `<` en un valor de atributo. Aquellos que necesiten analizar archivos XML que no sean de confianza pueden verse afectados por esta vulnerabilidad. La gema REXML 3.2.7 o posterior incluye el parche para corregir esta vulnerabilidad. Como soluci\u00f3n alternativa, no analice archivos XML que no sean de confianza."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}]}], "references": [{"url": "https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb", "source": "security-advisories@github.com"}, {"url": "https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh", "source": "security-advisories@github.com"}, {"url": "https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176", "source": "security-advisories@github.com"}, {"url": "https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20250306-0001/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-7+deb12u1"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1443.18:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.4gl0"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.5gl0"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1443.19:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.4gl0"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.7:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.5gl0"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.6:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.3"}, "vulnerable": true}], "negate": false, "operator": "OR"}]}]}'); +INSERT INTO public.all_cve (cve_id, last_mod, data) VALUES ('CVE-2023-28755', '2025-04-14 12:53:01.777914+00', '{"id": "CVE-2023-28755", "sourceIdentifier": "cve@mitre.org", "published": "2023-03-31T04:15:09.037", "lastModified": "2025-02-14T20:15:32.817", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1333"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1333"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "versionEndIncluding": "0.10.0", "matchCriteriaId": "ADDFECF7-5F46-498B-9862-55DA03C8F07B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:0.10.1:*:*:*:*:ruby:*:*", "matchCriteriaId": "9AEC0027-E0D8-4E68-BDFC-6FAEFF01FEEA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:0.11.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "3D764446-C057-4529-B486-CA7C9D38E48A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:0.12.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "8C229D83-75B1-4874-B2A9-764FBA12C517"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9"}]}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sap:gardenlinux:1443.18:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.4gl0", "cvssSeverity": "MEDIUM"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=jruby", "deb": {"versionLatest": "9.3.9.0+ds-8", "cvssSeverity": "MEDIUM"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-7+deb12u1", "cvssSeverity": "MEDIUM"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=jruby", "deb": {"versionLatest": "9.4.8.0+ds-2", "cvssSeverity": "MEDIUM", "versionEndExcluding": "9.4.5.0+ds-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.3.15-2", "cvssSeverity": "MEDIUM"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.6:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.3", "cvssSeverity": "MEDIUM"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.6:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.4.20-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "3.4.20-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.7:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.4.20-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "3.4.20-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.7:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.5gl0", "cvssSeverity": "MEDIUM"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.5gl0", "cvssSeverity": "MEDIUM"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.4.20-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "3.4.20-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1443.19:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.4.20-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "3.4.20-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1443.19:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.4gl0", "cvssSeverity": "MEDIUM"}, "vulnerable": true}, {"criteria": "cpe:2.3:o:sap:gardenlinux:1443.18:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.4.20-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "3.4.20-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:sap:gardenlinux:today:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.6.6-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "3.4.20-1"}, "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.6.7-2", "cvssSeverity": "MEDIUM", "versionEndExcluding": "3.4.20-1"}, "vulnerable": false}], "negate": false, "operator": "OR"}]}], "references": [{"url": "https://github.com/ruby/uri/releases/", "source": "cve@mitre.org", "tags": ["Release Notes"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html", "source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/", "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202401-27", "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20230526-0003/", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://www.ruby-lang.org/en/downloads/releases/", "source": "cve@mitre.org", "tags": ["Release Notes"]}, {"url": "https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/", "source": "cve@mitre.org", "tags": ["Release Notes"]}, {"url": "https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/", "source": "cve@mitre.org", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/ruby/uri/releases/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202401-27", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20230526-0003/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://www.ruby-lang.org/en/downloads/releases/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"]}, {"url": "https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"]}, {"url": "https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"]}]}'); INSERT INTO public.cve_context (dist_id, cve_id, create_date, context_descriptor, score_override, description, is_resolved) VALUES (14, 'CVE-2023-50387', '2024-12-06 11:25:25.922465+00', 'dummy', NULL, 'automated dummy data', true); INSERT INTO public.cve_context (dist_id, cve_id, create_date, context_descriptor, score_override, description, is_resolved) VALUES (16, 'CVE-2025-0938', '2024-12-06 11:25:25.922465+00', 'UNIT_TEST', NULL, 'Unit test for https://github.com/gardenlinux/glvd/issues/141', true); @@ -146,10 +150,19 @@ INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (17, '1592.6', 'CVE-2024-44953', '2025-04-14 12:52:19.087694+00', 3, 'linux', '6.6.78-0gl0~bp1592', '6.10.6-1', true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.6:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.78-0gl0~bp1592", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}'); INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (18, '1592.7', 'CVE-2024-44953', '2025-04-14 12:52:19.087694+00', 3, 'linux', '6.6.83-0gl0~bp1592', '6.10.6-1', true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.7:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.83-0gl0~bp1592", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}'); INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (19, '1443.18', 'CVE-2024-44953', '2025-04-14 12:52:19.087694+00', 3, 'linux', '6.6.80-0gl0~bp1443', '6.10.6-1', true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1443.18:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.80-0gl0~bp1443", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}'); -INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (20, '1443.19', 'CVE-2024-44953', '2025-04-14 12:52:19.087694+00', 3, 'linux', '6.6.83-0gl0~bp1443', '6.10.6-1', true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1443.19:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.83-0gl0~bp1443", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}'); INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (21, '1592.8', 'CVE-2024-44953', '2025-04-14 12:52:19.087694+00', 3, 'linux', '6.6.84-0gl0~bp1592', '6.10.6-1', true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=linux", "deb": {"versionLatest": "6.6.84-0gl0~bp1592", "cvssSeverity": "MEDIUM", "versionEndExcluding": "6.10.6-1"}, "vulnerable": true}'); INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (23, '1592.9', 'CVE-2005-2541', '2025-04-14 12:52:19.087694+00', 1, 'tar', '1.35+dfsg-3', NULL, true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=tar", "deb": {"versionLatest": "1.35+dfsg-3", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}'); INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (23, '1592.9', 'CVE-2019-1010022', '2025-04-14 12:52:19.087694+00', 1, 'glibc', '2.39-6gl0~bp1592', NULL, true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=glibc", "deb": {"versionLatest": "2.39-6gl0~bp1592", "cvssSeverity": "UNIMPORTANT"}, "vulnerable": true}'); +INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (18, '1592.7', 'CVE-2023-28755', '2025-04-14 12:52:19.087694+00', 3, 'rubygems', '3.4.20-1', '3.4.20-1', false, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.7:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.4.20-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "3.4.20-1"}, "vulnerable": false}'); +INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (18, '1592.7', 'CVE-2023-28755', '2025-04-14 12:52:19.087694+00', 3, 'ruby3.1', '3.1.2-8.5gl0', NULL, true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.7:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.5gl0", "cvssSeverity": "MEDIUM"}, "vulnerable": true}'); +INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (18, '1592.7', 'CVE-2024-35176', '2025-04-14 12:52:19.087694+00', NULL, 'ruby3.1', '3.1.2-8.5gl0', NULL, true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.7:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.5gl0"}, "vulnerable": true}'); +INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (21, '1592.8', 'CVE-2024-35176', '2025-04-14 12:52:19.087694+00', NULL, 'ruby3.1', '3.1.2-8.5gl0', NULL, true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.5gl0"}, "vulnerable": true}'); +INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (21, '1592.8', 'CVE-2023-28755', '2025-04-14 12:52:19.087694+00', 3, 'rubygems', '3.4.20-1', '3.4.20-1', false, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.4.20-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "3.4.20-1"}, "vulnerable": false}'); +INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (21, '1592.8', 'CVE-2023-28755', '2025-04-14 12:52:19.087694+00', 3, 'ruby3.1', '3.1.2-8.5gl0', NULL, true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1592.8:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.5gl0", "cvssSeverity": "MEDIUM"}, "vulnerable": true}'); +INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (20, '1443.19', 'CVE-2023-28755', '2025-04-10 15:36:05.643518+00', 3, 'rubygems', '3.4.20-1', '3.4.20-1', false, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1443.19:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.4.20-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "3.4.20-1"}, "vulnerable": false}'); +INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (20, '1443.19', 'CVE-2023-28755', '2025-04-10 15:36:05.643518+00', 3, 'ruby3.1', '3.1.2-8.4gl0', NULL, true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1443.19:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.4gl0", "cvssSeverity": "MEDIUM"}, "vulnerable": true}'); +INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (22, '1443.20', 'CVE-2023-28755', '2025-05-02 07:06:24.211099+00', 3, 'rubygems', '3.4.20-1', '3.4.20-1', false, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1443.20:*:*:*:*:*:*:deb_source\\=rubygems", "deb": {"versionLatest": "3.4.20-1", "cvssSeverity": "MEDIUM", "versionEndExcluding": "3.4.20-1"}, "vulnerable": false}'); +INSERT INTO public.deb_cve (dist_id, gardenlinux_version, cve_id, last_mod, cvss_severity, deb_source, deb_version, deb_version_fixed, debsec_vulnerable, data_cpe_match) VALUES (20, '1443.19', 'CVE-2024-35176', '2025-04-10 15:36:05.643518+00', NULL, 'ruby3.1', '3.1.2-8.4gl0', NULL, true, '{"criteria": "cpe:2.3:o:sap:gardenlinux:1443.19:*:*:*:*:*:*:deb_source\\=ruby3.1", "deb": {"versionLatest": "3.1.2-8.4gl0"}, "vulnerable": true}'); INSERT INTO public.nvd_cve (cve_id, last_mod, data) VALUES ('CVE-2023-50387', '2024-11-21 08:36:56.937+00', '{"id": "CVE-2023-50387", "sourceIdentifier": "cve@mitre.org", "published": "2024-02-14T16:15:45.300", "lastModified": "2024-11-21T08:36:56.937", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records."}, {"lang": "es", "value": "Ciertos aspectos DNSSEC del protocolo DNS (en RFC 4035 y RFC relacionados) permiten a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de CPU) a trav\u00e9s de una o m\u00e1s respuestas DNSSEC cuando hay una zona con muchos registros DNSKEY y RRSIG, tambi\u00e9n conocido como \"KeyTrap\". \" asunto. La especificaci\u00f3n del protocolo implica que un algoritmo debe evaluar todas las combinaciones de registros DNSKEY y RRSIG."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "matchCriteriaId": "AF07A81D-12E5-4B1D-BFF9-C8D08C32FF4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "matchCriteriaId": "A7DF96F8-BA6A-4780-9CA3-F719B3F81074"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "matchCriteriaId": "DB18C4CE-5917-401E-ACF7-2747084FD36E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "matchCriteriaId": "821614DD-37DD-44E2-A8A4-FE8D23A33C3C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:-:*:*:*:*:*:*:*", "matchCriteriaId": "75CCACE6-A0EE-4A6F-BD5A-7AA504B02717"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.90", "matchCriteriaId": "964796B3-BA45-4180-A8DA-64CF93CED122"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nic:knot_resolver:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.71", "matchCriteriaId": "8A8328E8-C652-4262-8C00-D89AD8F75CCF"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8.0", "versionEndExcluding": "4.8.6", "matchCriteriaId": "5207D316-7DC9-4724-BC48-C8D3EC5087E8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.0", "versionEndExcluding": "4.9.3", "matchCriteriaId": "FEE64451-7CB9-45BD-8168-9F48199A9363"}, {"vulnerable": true, "criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.0.2", "matchCriteriaId": "0526B76D-52BB-4FA1-B692-8EDEC673EAE5"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "versionStartIncluding": "9.0.0", "versionEndIncluding": "9.16.46", "matchCriteriaId": "F3814976-5223-4615-BA7B-E33083D3EC26"}, {"vulnerable": true, "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "versionStartIncluding": "9.18.0", "versionEndIncluding": "9.18.22", "matchCriteriaId": "140CCABA-F134-4CC2-9960-258D6BFF34DD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "versionStartIncluding": "9.19.0", "versionEndIncluding": "9.19.20", "matchCriteriaId": "71BAD5BF-8532-4988-A772-6CD7B851E9E2"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.19.1", "matchCriteriaId": "8C094EEB-BAD6-495B-B1CB-671D31549F15"}]}]}], "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/02/16/2", "source": "cve@mitre.org", "tags": ["Mailing List"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/16/3", "source": "cve@mitre.org", "tags": ["Mailing List"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-50387", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823", "source": "cve@mitre.org", "tags": ["Issue Tracking"]}, {"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", "source": "cve@mitre.org", "tags": ["Patch"]}, {"url": "https://kb.isc.org/docs/cve-2023-50387", "source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html", "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/", "source": "cve@mitre.org", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/", "source": "cve@mitre.org", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/", "source": "cve@mitre.org", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/", "source": "cve@mitre.org"}, {"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", "source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387", "source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://news.ycombinator.com/item?id=39367411", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://news.ycombinator.com/item?id=39372384", "source": "cve@mitre.org", "tags": ["Issue Tracking"]}, {"url": "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", "source": "cve@mitre.org", "tags": ["Vendor Advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0007/", "source": "cve@mitre.org"}, {"url": "https://www.athene-center.de/aktuelles/key-trap", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf", "source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"]}, {"url": "https://www.isc.org/blogs/2024-bind-security-release/", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/", "source": "cve@mitre.org", "tags": ["Press/Media Coverage", "Third Party Advisory"]}, {"url": "https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/", "source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/16/2", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/16/3", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-50387", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"]}, {"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"]}, {"url": "https://kb.isc.org/docs/cve-2023-50387", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://news.ycombinator.com/item?id=39367411", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://news.ycombinator.com/item?id=39372384", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"]}, {"url": "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0007/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.athene-center.de/aktuelles/key-trap", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"]}, {"url": "https://www.isc.org/blogs/2024-bind-security-release/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Press/Media Coverage", "Third Party Advisory"]}, {"url": "https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"]}]}'); INSERT INTO public.nvd_cve (cve_id, last_mod, data) VALUES ('CVE-2024-11053', '2025-01-31 15:15:12.4+00', '{"id": "CVE-2024-11053", "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "published": "2024-12-11T08:15:05.307", "lastModified": "2025-01-31T15:15:12.400", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password."}, {"lang": "es", "value": "Cuando se le pide que use un archivo `.netrc` para las credenciales y que siga las redirecciones HTTP, curl podr\u00eda filtrar la contrase\u00f1a utilizada para el primer host al host al que sigue en determinadas circunstancias. Esta falla solo se manifiesta si el archivo netrc tiene una entrada que coincide con el nombre de host de destino de la redirecci\u00f3n, pero la entrada omite solo la contrase\u00f1a u omite tanto el nombre de usuario como la contrase\u00f1a."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "baseScore": 3.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "references": [{"url": "https://curl.se/docs/CVE-2024-11053.html", "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://curl.se/docs/CVE-2024-11053.json", "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://hackerone.com/reports/2829063", "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "http://www.openwall.com/lists/oss-security/2024/12/11/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20250124-0012/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20250131-0003/", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}'); @@ -167,6 +180,9 @@ INSERT INTO public.nvd_cve (cve_id, last_mod, data) VALUES ('CVE-2025-21866', '2 INSERT INTO public.nvd_cve (cve_id, last_mod, data) VALUES ('CVE-2024-44953', '2025-03-07 18:15:40.95+00', '{"id": "CVE-2024-44953", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-09-04T19:15:30.297", "lastModified": "2025-03-07T18:15:40.950", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix deadlock during RTC update\n\nThere is a deadlock when runtime suspend waits for the flush of RTC work,\nand the RTC work calls ufshcd_rpm_get_sync() to wait for runtime resume.\n\nHere is deadlock backtrace:\n\nkworker/0:1 D 4892.876354 10 10971 4859 0x4208060 0x8 10 0 120 670730152367\nptr f0ffff80c2e40000 0 1 0x00000001 0x000000ff 0x000000ff 0x000000ff\n __switch_to+0x1a8/0x2d4\n __schedule+0x684/0xa98\n schedule+0x48/0xc8\n schedule_timeout+0x48/0x170\n do_wait_for_common+0x108/0x1b0\n wait_for_completion+0x44/0x60\n __flush_work+0x39c/0x424\n __cancel_work_sync+0xd8/0x208\n cancel_delayed_work_sync+0x14/0x28\n __ufshcd_wl_suspend+0x19c/0x480\n ufshcd_wl_runtime_suspend+0x3c/0x1d4\n scsi_runtime_suspend+0x78/0xc8\n __rpm_callback+0x94/0x3e0\n rpm_suspend+0x2d4/0x65c\n __pm_runtime_suspend+0x80/0x114\n scsi_runtime_idle+0x38/0x6c\n rpm_idle+0x264/0x338\n __pm_runtime_idle+0x80/0x110\n ufshcd_rtc_work+0x128/0x1e4\n process_one_work+0x26c/0x650\n worker_thread+0x260/0x3d8\n kthread+0x110/0x134\n ret_from_fork+0x10/0x20\n\nSkip updating RTC if RPM state is not RPM_ACTIVE."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: ufs: core: Se corrige un bloqueo durante la actualizaci\u00f3n de RTC. Hay un bloqueo cuando la suspensi\u00f3n en tiempo de ejecuci\u00f3n espera la limpieza del trabajo de RTC y el trabajo de RTC llama a ufshcd_rpm_get_sync() para esperar la reanudaci\u00f3n del tiempo de ejecuci\u00f3n. Aqu\u00ed est\u00e1 el backtrace del bloqueo: kworker/0:1 D 4892.876354 10 10971 4859 0x4208060 0x8 10 0 120 670730152367 ptr f0ffff80c2e40000 0 1 0x00000001 0x000000ff 0x000000ff 0x000000ff __switch_to+0x1a8/0x2d4 __schedule+0x684/0xa98 schedule+0x48/0xc8 schedule_timeout+0x48/0x170 do_wait_for_common+0x108/0x1b0 wait_for_completion+0x44/0x60 __flush_work+0x39c/0x424 __cancel_work_sync+0xd8/0x208 cancel_delayed_work_sync+0x14/0x28 __ufshcd_wl_suspend+0x19c/0x480 ufshcd_wl_runtime_suspend+0x3c/0x1d4 scsi_runtime_suspend+0x78/0xc8 __rpm_callback+0x94/0x3e0 rpm_suspend+0x2d4/0x65c __pm_runtime_suspend+0x80/0x114 scsi_runtime_idle+0x38/0x6c rpm_idle+0x264/0x338 __pm_runtime_idle+0x80/0x110 ufshcd_rtc_work+0x128/0x1e4 process_one_work+0x26c/0x650 worker_thread+0x260/0x3d8 kthread+0x110/0x134 ret_from_fork+0x10/0x20 Skip updating RTC if RPM state is not RPM_ACTIVE. "}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-667"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.10.5", "matchCriteriaId": "48E239A0-A959-4FAB-8475-D045FED3DDA5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*", "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3911af778f208e5f49d43ce739332b91e26bc48e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a4921b76bc9421d3838e167f6a17ea3112d8fe62", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f13f1858a28c68b7fc0d72c2008d5c1f80d2e8d5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}'); INSERT INTO public.nvd_cve (cve_id, last_mod, data) VALUES ('CVE-2005-2541', '2025-04-03 01:03:51.193+00', '{"id": "CVE-2005-2541", "sourceIdentifier": "cve@mitre.org", "published": "2005-08-10T04:00:00.000", "lastModified": "2025-04-03T01:03:51.193", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges."}], "metrics": {"cvssMetricV2": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": true, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:tar:1.15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B8B4A20D-AAD0-4857-AC0F-D221EBB08BFD"}]}]}], "references": [{"url": "http://marc.info/?l=bugtraq&m=112327628230258&w=2", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E", "source": "cve@mitre.org"}, {"url": "http://marc.info/?l=bugtraq&m=112327628230258&w=2", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vendorComments": [{"organization": "Red Hat", "comment": "This is the documented and expected behaviour of tar.", "lastModified": "2006-08-30T00:00:00"}]}'); INSERT INTO public.nvd_cve (cve_id, last_mod, data) VALUES ('CVE-2019-1010022', '2024-11-21 04:17:55.5+00', '{"id": "CVE-2019-1010022", "sourceIdentifier": "josh@bress.net", "published": "2019-07-15T04:15:13.317", "lastModified": "2024-11-21T04:17:55.500", "vulnStatus": "Modified", "cveTags": [{"sourceIdentifier": "josh@bress.net", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat."}, {"lang": "es", "value": "** EN DISPUTA ** La biblioteca Libc actual de GNU est\u00e1 afectada por: Omisi\u00f3n de Mitigaci\u00f3n. El impacto es: El atacante puede omitir la protecci\u00f3n stack guard. El componente es: nptl. El vector de ataque es: explotar la vulnerabilidad de desbordamiento del b\u00fafer de la pila y utilizar esta vulnerabilidad de omisi\u00f3n para eludir la protecci\u00f3n stack guard. NOTA: Los comentarios de los usuarios indican que \"esto est\u00e1 siendo tratado como un error de no seguridad y no una amenaza real\"."}], "metrics": {"cvssMetricV30": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:glibc:-:*:*:*:*:*:*:*", "matchCriteriaId": "68D5A70D-5CEE-4E19-BF35-0245A0E0F6BC"}]}]}], "references": [{"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "source": "josh@bress.net"}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", "source": "josh@bress.net", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", "source": "josh@bress.net"}, {"url": "https://ubuntu.com/security/CVE-2019-1010022", "source": "josh@bress.net"}, {"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://ubuntu.com/security/CVE-2019-1010022", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}'); +INSERT INTO public.nvd_cve (cve_id, last_mod, data) VALUES ('CVE-2024-35176', '2025-03-07 01:15:11.507+00', '{"id": "CVE-2024-35176", "sourceIdentifier": "security-advisories@github.com", "published": "2024-05-16T16:15:09.707", "lastModified": "2025-03-07T01:15:11.507", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": " REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don''t parse untrusted XMLs."}, {"lang": "es", "value": " REXML es un conjunto de herramientas XML para Ruby. La gema REXML anterior a 3.2.6 tiene una vulnerabilidad de denegaci\u00f3n de servicio cuando analiza un XML que tiene muchos `<` en un valor de atributo. Aquellos que necesiten analizar archivos XML que no sean de confianza pueden verse afectados por esta vulnerabilidad. La gema REXML 3.2.7 o posterior incluye el parche para corregir esta vulnerabilidad. Como soluci\u00f3n alternativa, no analice archivos XML que no sean de confianza."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}]}], "references": [{"url": "https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb", "source": "security-advisories@github.com"}, {"url": "https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh", "source": "security-advisories@github.com"}, {"url": "https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176", "source": "security-advisories@github.com"}, {"url": "https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20250306-0001/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}'); +INSERT INTO public.nvd_cve (cve_id, last_mod, data) VALUES ('CVE-2023-28755', '2025-02-14 20:15:32.817+00', '{"id": "CVE-2023-28755", "sourceIdentifier": "cve@mitre.org", "published": "2023-03-31T04:15:09.037", "lastModified": "2025-02-14T20:15:32.817", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1333"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1333"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "versionEndIncluding": "0.10.0", "matchCriteriaId": "ADDFECF7-5F46-498B-9862-55DA03C8F07B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:0.10.1:*:*:*:*:ruby:*:*", "matchCriteriaId": "9AEC0027-E0D8-4E68-BDFC-6FAEFF01FEEA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:0.11.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "3D764446-C057-4529-B486-CA7C9D38E48A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:0.12.0:*:*:*:*:ruby:*:*", "matchCriteriaId": "8C229D83-75B1-4874-B2A9-764FBA12C517"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9"}]}]}], "references": [{"url": "https://github.com/ruby/uri/releases/", "source": "cve@mitre.org", "tags": ["Release Notes"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html", "source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/", "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202401-27", "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20230526-0003/", "source": "cve@mitre.org", "tags": ["Third Party Advisory"]}, {"url": "https://www.ruby-lang.org/en/downloads/releases/", "source": "cve@mitre.org", "tags": ["Release Notes"]}, {"url": "https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/", "source": "cve@mitre.org", "tags": ["Release Notes"]}, {"url": "https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/", "source": "cve@mitre.org", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/ruby/uri/releases/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202401-27", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20230526-0003/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://www.ruby-lang.org/en/downloads/releases/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"]}, {"url": "https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"]}, {"url": "https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"]}]}'); +INSERT INTO public.nvd_cve (cve_id, last_mod, data) VALUES ('CVE-2023-36617', '2024-11-21 08:10:04.68+00', '{"id": "CVE-2023-36617", "sourceIdentifier": "cve@mitre.org", "published": "2023-06-29T13:15:09.583", "lastModified": "2024-11-21T08:10:04.680", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1333"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "versionEndExcluding": "0.10.3", "matchCriteriaId": "06CEBB34-129C-4B37-97B8-AB07821FEF47"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "0.11.0", "versionEndExcluding": "0.12.2", "matchCriteriaId": "8975D88A-EAD0-4A3F-AB3E-1F768AAFFFBD"}]}]}], "references": [{"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/", "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20230725-0002/", "source": "cve@mitre.org"}, {"url": "https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/", "source": "cve@mitre.org", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20230725-0002/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"]}]}'); INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (14, 'today', '2025-01-16 08:12:20.315927+00', 'python3.12', '3.12.8-5gl0'); INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (14, 'today', '2025-01-20 07:30:51.705341+00', 'rsync', '3.3.0+ds1-4gl0'); @@ -190,6 +206,16 @@ INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, d INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (18, '1592.7', '2025-01-30 07:30:53.933119+00', 'linux', '6.6.83-0gl0~bp1592'); INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (23, '1592.9', '2025-04-14 12:28:44.739829+00', 'tar', '1.35+dfsg-3'); INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (23, '1592.9', '2025-04-14 12:28:44.739829+00', 'glibc', '2.39-6gl0~bp1592'); +INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (18, '1592.7', '2025-04-14 12:28:43.316664+00', 'rubygems-integration', '1.18'); +INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (18, '1592.7', '2025-04-14 12:28:43.316664+00', 'rubygems', '3.4.20-1'); +INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (21, '1592.8', '2025-04-14 12:28:44.739829+00', 'rubygems-integration', '1.18'); +INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (21, '1592.8', '2025-04-14 12:28:44.739829+00', 'rubygems', '3.4.20-1'); +INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (18, '1592.7', '2025-04-14 12:28:43.316664+00', 'ruby3.1', '3.1.2-8.5gl0'); +INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (21, '1592.8', '2025-04-14 12:28:44.739829+00', 'ruby3.1', '3.1.2-8.5gl0'); +INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (20, '1443.19', '2025-04-10 15:13:09.823245+00', 'ruby3.1', '3.1.2-8.4gl0'); +INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (20, '1443.19', '2025-04-10 15:13:09.823245+00', 'rubygems', '3.4.20-1'); +INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (22, '1443.20', '2025-05-02 07:06:23.456498+00', 'ruby3.1', '3.1.2-8.4gl0'); +INSERT INTO public.debsrc (dist_id, gardenlinux_version, last_mod, deb_source, deb_version) VALUES (22, '1443.20', '2025-05-02 07:06:23.456498+00', 'rubygems', '3.4.20-1'); INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (2, '', 'CVE-2024-11053', '2025-01-15 15:04:46.943381+00', 'curl', NULL, 'no-dsa', 'Minor issue'); INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (2, '', 'CVE-2024-9287', '2025-01-15 15:04:46.943381+00', 'pypy3', '7.3.11+dfsg-2+deb12u3', NULL, NULL); @@ -213,6 +239,15 @@ INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, d INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (3, NULL, 'CVE-2024-44953', '2025-04-14 12:28:34.320367+00', 'linux', '6.10.6-1', NULL, NULL); INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (3, NULL, 'CVE-2005-2541', '2025-04-14 12:28:34.320367+00', 'tar', NULL, 'unfixed', 'bug #328228; unimportant'); INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (3, NULL, 'CVE-2019-1010022', '2025-04-14 12:28:34.320367+00', 'glibc', NULL, 'unfixed', 'unimportant'); +INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (3, NULL, 'CVE-2024-35176', '2025-04-14 12:28:34.320367+00', 'ruby3.1', NULL, 'unfixed', 'bug #1071626'); +INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (2, NULL, 'CVE-2024-35176', '2025-04-14 12:28:34.320367+00', 'ruby3.1', NULL, 'no-dsa', 'Minor issue'); +INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (3, NULL, 'CVE-2023-28755', '2025-04-14 12:28:34.320367+00', 'rubygems', '3.4.20-1', NULL, NULL); +INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (3, NULL, 'CVE-2023-28755', '2025-04-14 12:28:34.320367+00', 'ruby3.1', NULL, 'unfixed', 'bug #1038408'); +INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (3, NULL, 'CVE-2023-28755', '2025-04-14 12:28:34.320367+00', 'jruby', '9.4.5.0+ds-1', NULL, 'bug #1036283'); +INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (4, NULL, 'CVE-2023-28755', '2025-04-14 12:28:34.320367+00', 'rubygems', NULL, 'no-dsa', 'Minor issue'); +INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (2, NULL, 'CVE-2023-28755', '2025-04-14 12:28:34.320367+00', 'rubygems', NULL, 'no-dsa', 'Minor issue'); +INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (2, NULL, 'CVE-2023-28755', '2025-04-14 12:28:34.320367+00', 'ruby3.1', NULL, 'no-dsa', 'Minor issue'); +INSERT INTO public.debsec_cve (dist_id, gardenlinux_version, cve_id, last_mod, deb_source, deb_version_fixed, debsec_tag, debsec_note) VALUES (2, NULL, 'CVE-2023-28755', '2025-04-14 12:28:34.320367+00', 'jruby', NULL, 'ignored', 'Minor issue'); -- Test data targets Garden Linux 1592.6 (lts kernel 6.6) -- Not vulnerable because we have a later patch version diff --git a/stop-db-for-test.sh b/stop-db-for-test.sh new file mode 100755 index 0000000..9ede382 --- /dev/null +++ b/stop-db-for-test.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +podman compose --file unit-test-db-compose.yaml down --volumes --remove-orphans