Publish Advisories

GHSA-pv98-48f2-5vjr GHSA-36h2-g4c8-9xcm GHSA-v7mh-qpq8-5g5p GHSA-xpp6-8r3j-ww43
github · Jul 8, 2024 · ba9dfbe · ba9dfbe
1 parent be572f6
commit ba9dfbe
Show file tree

Hide file tree

Showing 4 changed files with 135 additions and 1 deletion.
diff --git a/advisories/unreviewed/2024/03/GHSA-pv98-48f2-5vjr/GHSA-pv98-48f2-5vjr.json b/advisories/unreviewed/2024/03/GHSA-pv98-48f2-5vjr/GHSA-pv98-48f2-5vjr.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pv98-48f2-5vjr",
-  "modified": "2024-07-08T18:31:15Z",
+  "modified": "2024-07-08T21:31:40Z",
   "published": "2024-03-03T00:30:32Z",
   "aliases": [
     "CVE-2024-26621"
@@ -37,6 +37,22 @@
     {
       "type": "WEB",
       "url": "http://www.openwall.com/lists/oss-security/2024/07/08/3"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2024/07/08/4"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2024/07/08/5"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2024/07/08/6"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2024/07/08/7"
     }
   ],
   "database_specific": {

diff --git a/advisories/unreviewed/2024/07/GHSA-36h2-g4c8-9xcm/GHSA-36h2-g4c8-9xcm.json b/advisories/unreviewed/2024/07/GHSA-36h2-g4c8-9xcm/GHSA-36h2-g4c8-9xcm.json
@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-36h2-g4c8-9xcm",
+  "modified": "2024-07-08T21:31:40Z",
+  "published": "2024-07-08T21:31:40Z",
+  "aliases": [
+    "CVE-2024-6227"
+  ],
+  "details": "A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause a denial of service by configuring the remote tracking server to point at itself. This results in the server endlessly connecting to itself, rendering it unable to respond to other connections.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6227"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/abcea7c6-bb3b-45e9-aa15-9eb6b224451a"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-07-08T19:15:10Z"
+  }
+}
diff --git a/advisories/unreviewed/2024/07/GHSA-v7mh-qpq8-5g5p/GHSA-v7mh-qpq8-5g5p.json b/advisories/unreviewed/2024/07/GHSA-v7mh-qpq8-5g5p/GHSA-v7mh-qpq8-5g5p.json
@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v7mh-qpq8-5g5p",
+  "modified": "2024-07-08T21:31:40Z",
+  "published": "2024-07-08T21:31:40Z",
+  "aliases": [
+    "CVE-2024-6580"
+  ],
+  "details": "The /n software IPWorks SSH library SFTPServer component can be induced to make unintended filesystem or network path requests when loading a SSH public key or certificate. To be exploitable, an application calling the SFTPServer component must grant user access without verifying the SSH public key or certificate (which would most likely be a separate vulnerability in the calling application). IPWorks SSH versions 22.0.8945 and 24.0.8945 were released to address this condition by blocking all filesystem and network path requests for SSH public keys or certificates.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:D/RE:X/U:X"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6580"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.nsoftware.com/kb/articles/cve-2024-5806"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1390"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-07-08T19:15:10Z"
+  }
+}
diff --git a/advisories/unreviewed/2024/07/GHSA-xpp6-8r3j-ww43/GHSA-xpp6-8r3j-ww43.json b/advisories/unreviewed/2024/07/GHSA-xpp6-8r3j-ww43/GHSA-xpp6-8r3j-ww43.json
@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xpp6-8r3j-ww43",
+  "modified": "2024-07-08T21:31:40Z",
+  "published": "2024-07-08T21:31:40Z",
+  "aliases": [
+    "CVE-2024-5971"
+  ],
+  "details": "A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\\r\\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5971"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2024-5971"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292211"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-674"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-07-08T21:15:12Z"
+  }
+}