From b0a9be9d08883b5b082599c5fcde40c955e68c95 Mon Sep 17 00:00:00 2001
From: Noam Rathaus <noamr@beyondsecurity.com>
Date: Tue, 30 Mar 2021 09:50:02 +0300
Subject: [PATCH] Description

---
 cves/2019/CVE-2019-11248.yaml | 7 ++++---
 cves/2019/CVE-2019-15043.yaml | 5 +++++
 cves/2019/CVE-2019-16097.yaml | 2 ++
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/cves/2019/CVE-2019-11248.yaml b/cves/2019/CVE-2019-11248.yaml
index 904b51e710..4f65493181 100644
--- a/cves/2019/CVE-2019-11248.yaml
+++ b/cves/2019/CVE-2019-11248.yaml
@@ -5,9 +5,10 @@ info:
   author: 0xceeb
   severity: medium
   tags: cve,cve2019,debug
-
-  # https://medium.com/bugbountywriteup/my-first-bug-bounty-21d3203ffdb0
-  # http://mmcloughlin.com/posts/your-pprof-is-showing
+  description: The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration.
+  reference:
+    - https://medium.com/bugbountywriteup/my-first-bug-bounty-21d3203ffdb0
+    - http://mmcloughlin.com/posts/your-pprof-is-showing
 
 requests:
   - method: GET
diff --git a/cves/2019/CVE-2019-15043.yaml b/cves/2019/CVE-2019-15043.yaml
index 891877b985..50891d2037 100644
--- a/cves/2019/CVE-2019-15043.yaml
+++ b/cves/2019/CVE-2019-15043.yaml
@@ -3,6 +3,11 @@ info:
   author: bing0o
   name: Grafana unauthenticated API
   severity: medium
+  description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
+  reference: |
+    - https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
+    - https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569	Vendor Advisory
+    - https://community.grafana.com/t/release-notes-v6-3-x/19202
   tags: cve,cve2019,grafana
 
 requests:
diff --git a/cves/2019/CVE-2019-16097.yaml b/cves/2019/CVE-2019-16097.yaml
index 7f21737099..813c880b10 100644
--- a/cves/2019/CVE-2019-16097.yaml
+++ b/cves/2019/CVE-2019-16097.yaml
@@ -3,6 +3,8 @@ info:
   name: Harbor Enables Privilege Escalation From Zero to admin
   author: pikpikcu
   severity: critical
+  description: |
+    core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
   issues: https://github.com/goharbor/harbor/issues/8951
   reference: https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
   tags: cve,cve2019,intrusive,harbor