From 2bc756b7e1d5a13e0307e3f87a44043953485f45 Mon Sep 17 00:00:00 2001
From: GitHub Action <action@github.com>
Date: Tue, 25 Oct 2022 14:05:39 +0000
Subject: [PATCH] Auto Generated CVE annotations [Tue Oct 25 14:05:39 UTC 2022]
 :robot:

---
 cves/2019/CVE-2019-18957.yaml                             | 2 +-
 cves/2020/CVE-2020-17526.yaml                             | 2 +-
 cves/2021/CVE-2021-45046.yaml                             | 2 +-
 cves/2022/CVE-2022-40684.yaml                             | 6 +++---
 vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml        | 4 ++--
 vulnerabilities/other/aspnuke-openredirect.yaml           | 2 +-
 vulnerabilities/other/goanywhere-mft-log4j-rce.yaml       | 2 +-
 vulnerabilities/other/homeautomation-v3-openredirect.yaml | 2 +-
 8 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/cves/2019/CVE-2019-18957.yaml b/cves/2019/CVE-2019-18957.yaml
index bd5532aed5..5fc00dcf02 100644
--- a/cves/2019/CVE-2019-18957.yaml
+++ b/cves/2019/CVE-2019-18957.yaml
@@ -6,11 +6,11 @@ info:
   severity: medium
   description: |
     MicroStrategy Library before 11.1.3 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
-  remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch.
   reference:
     - https://seclists.org/bugtraq/2019/Nov/23
     - https://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html
     - https://nvd.nist.gov/vuln/detail/CVE-2019-18957
+  remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch.
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 6.1
diff --git a/cves/2020/CVE-2020-17526.yaml b/cves/2020/CVE-2020-17526.yaml
index 4b03aaefda..33fae9deff 100644
--- a/cves/2020/CVE-2020-17526.yaml
+++ b/cves/2020/CVE-2020-17526.yaml
@@ -6,12 +6,12 @@ info:
   severity: high
   description: |
     Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session.
-  remediation: Change default value for [webserver] secret_key config.
   reference:
     - https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise
     - https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
     - http://www.openwall.com/lists/oss-security/2020/12/21/1
     - https://nvd.nist.gov/vuln/detail/CVE-2020-17526
+  remediation: Change default value for [webserver] secret_key config.
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
     cvss-score: 7.7
diff --git a/cves/2021/CVE-2021-45046.yaml b/cves/2021/CVE-2021-45046.yaml
index 677a692f1e..651ced1cbb 100644
--- a/cves/2021/CVE-2021-45046.yaml
+++ b/cves/2021/CVE-2021-45046.yaml
@@ -13,7 +13,7 @@ info:
     - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
-    cvss-score: 9.0
+    cvss-score: 9
     cve-id: CVE-2021-45046
     cwe-id: CWE-502
   tags: cve,cve2021,rce,oast,log4j,injection
diff --git a/cves/2022/CVE-2022-40684.yaml b/cves/2022/CVE-2022-40684.yaml
index d85e5cf41c..c2bb50aeb8 100644
--- a/cves/2022/CVE-2022-40684.yaml
+++ b/cves/2022/CVE-2022-40684.yaml
@@ -14,9 +14,9 @@ info:
     - https://nvd.nist.gov/vuln/detail/CVE-2022-40684
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-    cvss-score: 9.6
-    cve-id: CVE-2022-27593
-    cwe-id: CWE-288
+    cvss-score: 9.8
+    cve-id: CVE-2022-40684
+    cwe-id: CWE-306
   tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev
 
 requests:
diff --git a/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml b/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
index 2e90772b2b..67fe1101dd 100644
--- a/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
+++ b/vulnerabilities/apache/apache-ofbiz-log4j-rce.yaml
@@ -6,15 +6,15 @@ info:
   severity: critical
   description: |
     Apache OFBiz is affected by a remote code execution vulnerability in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.
-  remediation: Upgrade to Apache OFBiz version 8.12.03 or later.
   reference:
     - https://issues.apache.org/jira/browse/OFBIZ-12449
     - https://ofbiz.apache.org/
     - https://logging.apache.org/log4j/2.x/security.html
     - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
+  remediation: Upgrade to Apache OFBiz version 8.12.03 or later.
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-    cvss-score: 10.0
+    cvss-score: 10
     cve-id: CVE-2021-44228
     cwe-id: CWE-77
   metadata:
diff --git a/vulnerabilities/other/aspnuke-openredirect.yaml b/vulnerabilities/other/aspnuke-openredirect.yaml
index 3561f65aa6..1968d00097 100644
--- a/vulnerabilities/other/aspnuke-openredirect.yaml
+++ b/vulnerabilities/other/aspnuke-openredirect.yaml
@@ -11,7 +11,7 @@ info:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 6.1
     cwe-id: CWE-601
-  tags: aspnuke,redirect
+  tags: packetstorm,aspnuke,redirect
 
 requests:
   - method: GET
diff --git a/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml b/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
index f67b3644e1..33911ca9e5 100644
--- a/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
+++ b/vulnerabilities/other/goanywhere-mft-log4j-rce.yaml
@@ -12,8 +12,8 @@ info:
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
     cvss-score: 10
-    cwe-id: CWE-77
     cve-id: CVE-2021-44228
+    cwe-id: CWE-77
   metadata:
     shodan-query: http.html:"GoAnywhere Managed File Transfer"
     verified: "true"
diff --git a/vulnerabilities/other/homeautomation-v3-openredirect.yaml b/vulnerabilities/other/homeautomation-v3-openredirect.yaml
index e150a1a59c..b45889e1f4 100644
--- a/vulnerabilities/other/homeautomation-v3-openredirect.yaml
+++ b/vulnerabilities/other/homeautomation-v3-openredirect.yaml
@@ -12,7 +12,7 @@ info:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 6.1
     cwe-id: CWE-601
-  tags: iot,redirect,homeautomation
+  tags: homeautomation,packetstorm,iot,redirect
 
 requests:
   - method: GET