From ae273f5c8055c57432d85537d61fc67d214fb3e0 Mon Sep 17 00:00:00 2001
From: Emanuelle Pharand
Date: Sun, 19 Jun 2022 13:55:53 -0400
Subject: [PATCH] CVE-2022-1664.json
---
2019/11xxx/CVE-2019-11277.json | 316 +++++++++++++++++++++++---------
1 file changed, 224 insertions(+), 92 deletions(-)
diff --git a/2019/11xxx/CVE-2019-11277.json b/2019/11xxx/CVE-2019-11277.json
index 6afe640548e..9468ea3f5cf 100644
--- a/2019/11xxx/CVE-2019-11277.json
+++ b/2019/11xxx/CVE-2019-11277.json
@@ -3,100 +3,232 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { - "ASSIGNER": "security@pivotal.io", - "DATE_PUBLIC": "2019-09-23T00:00:00.000Z", - "ID": "CVE-2019-11277", - "STATE": "PUBLIC", - "TITLE": "Volume Services is vulnerable to an LDAP injection attack" - }, - "source": { - "discovery": "UNKNOWN" - }, - "affects": { - "vendor": { - "vendor_data": [ - { - "product": { - "product_data": [ - { - "product_name": "CF NFS volume release", - "version": { - "version_data": [ - { - "affected": "<", - "version_name": "1.7", - "version_value": "v1.7.11" - }, - { - "affected": "<", - "version_name": "2.3", - "version_value": "v2.3.0" - } - ] - } - }, - { - "product_name": "CF Deployment", - "version": { - "version_data": [ - { - "affected": "<", - "version_name": "All", - "version_value": "v11.1.0" - } - ] - } - } - ] + + "ASSIGNER": "security@debian.org", + + "DATE_PUBLIC": "2022-05-25T00:00:00.000Z", + + "ID": "CVE-2022-1664", + + "STATE": "PUBLIC", + + "TITLE": "directory traversal for in-place extracts with untrusted v2 and v3 source packages with debian.tar" + + }, + + "affects": { + + "vendor": { + + "vendor_data": [ + + { + + "product": { + + "product_data": [ + + { + + "product_name": "dpkg", + + "version": { + + "version_data": [ + + { + + "version_affected": "<", + + "version_name": "1.14.17", + + "version_value": "1.21.8" + }, - "vendor_name": "Cloud Foundry" - } - ] - } - }, - "description": { - "description_data": [ - { - "lang": "eng", - "value": "Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation, facilitating the malicious space developer to deny service or perform a dictionary attack." 
- } - ] - }, - "problemtype": { - "problemtype_data": [ - { - "description": [ + + { + + "version_affected": "<", + + "version_name": "1.14.17", + + "version_value": "1.20.10" + + }, + { - "lang": "eng", - "value": "CWE-90: LDAP Injection" + + "version_affected": "<", + + "version_name": "1.14.17", + + "version_value": "1.19.8" + + }, + + { + + "version_affected": "<", + + "version_name": "1.14.17", + + "version_value": "1.18.26" + } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "refsource": "CONFIRM", - "url": "https://www.cloudfoundry.org/blog/cve-2019-11277", - "name": "https://www.cloudfoundry.org/blog/cve-2019-11277" - } - ] - }, - "impact": { - "cvss": { - "attackComplexity": "HIGH", - "attackVector": "NETWORK", - "availabilityImpact": "LOW", - "baseScore": 8.4, - "baseSeverity": "HIGH", - "confidentialityImpact": "HIGH", - "integrityImpact": "HIGH", - "privilegesRequired": "LOW", - "scope": "CHANGED", - "userInteraction": "NONE", - "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", - "version": "3.0" + + ] + + } + + } + + ] + + }, + + "vendor_name": "Debian" + } + + ] + } -} \ No newline at end of file + + }, + + "data_format": "MITRE", + + "data_type": "CVE", + + "data_version": "4.0", + + "description": { + + "description_data": [ + + { + + "lang": "eng", + + "value": "Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs." 
+ + } + + ] + + }, + + "generator": { + + "engine": "Vulnogram 0.0.9" + + }, + + "problemtype": { + + "problemtype_data": [ + + { + + "description": [ + + { + + "lang": "eng", + + "value": "directory traversal" + + } + + ] + + } + + ] + + }, + + "references": { + + "reference_data": [ + + { + + "refsource": "MISC", + + "url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b", + + "name": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b" + + }, + + { + + "refsource": "MISC", + + "url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5", + + "name": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5" + + }, + + { + + "refsource": "MISC", + + "url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495", + + "name": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495" + + }, + + { + + "refsource": "MISC", + + "url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=faa4c92debe45412bfcf8a44f26e827800bb24be", + + "name": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=faa4c92debe45412bfcf8a44f26e827800bb24be" + + }, + + { + + "refsource": "MISC", + + "url": "https://lists.debian.org/debian-security-announce/2022/msg00115.html", + + "name": "https://lists.debian.org/debian-security-announce/2022/msg00115.html" + + }, + + { + + "refsource": "MISC", + + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00033.html", + + "name": "https://lists.debian.org/debian-lts-announce/2022/05/msg00033.html" + + } + + ] + + }, + + "source": { + + "advisory": "https://lists.debian.org/debian-security-announce/2022/msg00115.html", + + "defect": [ + + "DSA-5147-1" + + ], + + "discovery": "EXTERNAL" + + } + +} +
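Review bot: The new side overwrites the CVE-2019-11277 record with the CVE-2022-1664 record inside `2019/11xxx/CVE-2019-11277.json`, so the file name and `"ID": "CVE-2022-1664"` disagree and the Cloud Foundry LDAP-injection entry, including its CVSS block, disappears for any consumer that keys on path or ID. The patch subject suggests the dpkg record was meant to be its own file; I would leave this file untouched and add the record under a file name that matches its ID. The top-level context lines `"data_format": "MITRE"` and `"data_version": "4.0"` also stay in place while the added lines define `"data_format"`, `"data_type"` and `"data_version"` a second time after `"affects"`; duplicate names are resolved differently across parsers, so the second set should be dropped. In this collapsed rendering the added lines appear to carry an extra `+` or interleaved blank lines, as if pasted from a diff view; if the `+` is literal file content the result is not valid JSON, so the file should be run through a strict parser before merge.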