Auto Generated CVE annotations [Tue Oct 25 14:05:39 UTC 2022] 🤖

2022-10-25 14:05:39 +00:00 · 2022-10-25 14:05:39 +00:00 · 2bc756b7e1
parent 012eca9edd
commit 2bc756b7e1
8 changed files with 11 additions and 11 deletions
--- a/cves/2019/CVE-2019-18957.yaml
+++ b/cves/2019/CVE-2019-18957.yaml
@ -6,11 +6,11 @@ info:
  severity: medium
  description: |
    MicroStrategy Library before 11.1.3 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
-  remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch.
  reference:
    - https://seclists.org/bugtraq/2019/Nov/23
    - https://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html
    - https://nvd.nist.gov/vuln/detail/CVE-2019-18957
+  remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
--- a/cves/2020/CVE-2020-17526.yaml
+++ b/cves/2020/CVE-2020-17526.yaml
@ -6,12 +6,12 @@ info:
  severity: high
  description: |
    Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session.
-  remediation: Change default value for [webserver] secret_key config.
  reference:
    - https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise
    - https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
    - http://www.openwall.com/lists/oss-security/2020/12/21/1
    - https://nvd.nist.gov/vuln/detail/CVE-2020-17526
+  remediation: Change default value for [webserver] secret_key config.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 7.7
--- a/cves/2021/CVE-2021-45046.yaml
+++ b/cves/2021/CVE-2021-45046.yaml
@ -13,7 +13,7 @@ info:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
-    cvss-score: 9.0
+    cvss-score: 9
    cve-id: CVE-2021-45046
    cwe-id: CWE-502
  tags: cve,cve2021,rce,oast,log4j,injection
--- a/cves/2022/CVE-2022-40684.yaml
+++ b/cves/2022/CVE-2022-40684.yaml
@ -14,9 +14,9 @@ info:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-40684
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-    cvss-score: 9.6
-    cve-id: CVE-2022-27593
-    cwe-id: CWE-288
+    cvss-score: 9.8
+    cve-id: CVE-2022-40684
+    cwe-id: CWE-306
  tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev

 requests:
--- a/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
+++ b/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
@ -6,15 +6,15 @@ info:
  severity: critical
  description: |
    Apache OFBiz is affected by a remote code execution vulnerability in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.
-  remediation: Upgrade to Apache OFBiz version 8.12.03 or later.
  reference:
    - https://issues.apache.org/jira/browse/OFBIZ-12449
    - https://ofbiz.apache.org/
    - https://logging.apache.org/log4j/2.x/security.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
+  remediation: Upgrade to Apache OFBiz version 8.12.03 or later.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-    cvss-score: 10.0
+    cvss-score: 10
    cve-id: CVE-2021-44228
    cwe-id: CWE-77
  metadata:
--- a/vulnerabilities/other/aspnuke-openredirect.yaml
+++ b/vulnerabilities/other/aspnuke-openredirect.yaml
@ -11,7 +11,7 @@ info:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-601
-  tags: aspnuke,redirect
+  tags: packetstorm,aspnuke,redirect

 requests:
  - method: GET
--- a/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
+++ b/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
@ -12,8 +12,8 @@ info:
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
-    cwe-id: CWE-77
    cve-id: CVE-2021-44228
+    cwe-id: CWE-77
  metadata:
    shodan-query: http.html:"GoAnywhere Managed File Transfer"
    verified: "true"
--- a/vulnerabilities/other/homeautomation-v3-openredirect.yaml
+++ b/vulnerabilities/other/homeautomation-v3-openredirect.yaml
@ -12,7 +12,7 @@ info:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-601
-  tags: iot,redirect,homeautomation
+  tags: homeautomation,packetstorm,iot,redirect

 requests:
  - method: GET