bitnami
/
vulndb
mirror of https://github.com/bitnami/vulndb.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update 20230612141000 (#58) 

feat: Updated at 20230612141000

Signed-off-by: bitnami-bot <bitnami-bot@vmware.com>
This commit is contained in:
Bitnami Bot 2023-06-12 16:36:29 +02:00 committed by GitHub
parent 24f1bdc807
commit 2f050068db
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5571 changed files with 224448 additions and 224490 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
data/abantecart/BIT-2021-42050.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2021-42050",
"details": "An issue was discovered in AbanteCart before 1.3.2. It allows DOM Based XSS.",
"aliases": [
"CVE-2021-42050"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "abantecart",
"purl": "pkg:bitnami/abantecart"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:abantecart:abantecart:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/abantecart/abantecart-src/releases"
},
{
"type": "WEB",
"url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-abantecart-e-commerce-platform/"
}
],
"published": "2023-06-12T14:10:58.472Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/abantecart/BIT-2021-42051.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2021-42051",
"details": "An issue was discovered in AbanteCart before 1.3.2. Any low-privileged user with file-upload permissions can upload a malicious SVG document that contains an XSS payload.",
"aliases": [
"CVE-2021-42051"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "abantecart",
"purl": "pkg:bitnami/abantecart"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:abantecart:abantecart:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/abantecart/abantecart-src/releases"
},
{
"type": "WEB",
"url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-abantecart-e-commerce-platform/"
}
],
"published": "2023-06-12T14:10:47.868Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/abantecart/BIT-2022-26521.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-26521",
"details": "Abantecart through 1.3.2 allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Catalog>Media Manager>Images settings can be changed by an administrator (e.g., by configuring .php to be a valid image file type).",
"aliases": [
"CVE-2022-26521"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "abantecart",
"purl": "pkg:bitnami/abantecart"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:abantecart:abantecart:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171487/Abantecart-1.3.2-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "https://github.com/sartlabs/0days/blob/main/Abantecart/Exploit.txt"
}
],
"published": "2023-06-12T14:10:37.175Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/abantecart/CVE-2021-42050.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2021-42050",
"details": "An issue was discovered in AbanteCart before 1.3.2. It allows DOM Based XSS.",
"aliases": [
"CVE-2021-42050"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "abantecart",
"purl": "pkg:bitnami/abantecart"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:abantecart:abantecart:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/abantecart/abantecart-src/releases"
},
{
"type": "WEB",
"url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-abantecart-e-commerce-platform/"
}
],
"published": "2023-05-31T06:17:41.564Z",
"modified": "2023-05-31T06:17:41.564Z"
}

56
data/abantecart/CVE-2021-42051.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2021-42051",
"details": "An issue was discovered in AbanteCart before 1.3.2. Any low-privileged user with file-upload permissions can upload a malicious SVG document that contains an XSS payload.",
"aliases": [
"CVE-2021-42051"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "abantecart",
"purl": "pkg:bitnami/abantecart"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:abantecart:abantecart:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/abantecart/abantecart-src/releases"
},
{
"type": "WEB",
"url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-abantecart-e-commerce-platform/"
}
],
"published": "2023-05-31T06:17:33.364Z",
"modified": "2023-05-31T06:17:33.364Z"
}

56
data/abantecart/CVE-2022-26521.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-26521",
"details": "Abantecart through 1.3.2 allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Catalog>Media Manager>Images settings can be changed by an administrator (e.g., by configuring .php to be a valid image file type).",
"aliases": [
"CVE-2022-26521"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "abantecart",
"purl": "pkg:bitnami/abantecart"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:abantecart:abantecart:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171487/Abantecart-1.3.2-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "https://github.com/sartlabs/0days/blob/main/Abantecart/Exploit.txt"
}
],
"published": "2023-05-31T06:17:25.765Z",
"modified": "2023-05-31T06:17:25.765Z"
}

66
data/activemq/BIT-2020-11998.json Normal file
View File

@ -0,0 +1,66 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-11998",
"details": "A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html \"A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.\" Mitigation: Upgrade to Apache ActiveMQ 5.15.13",
"aliases": [
"CVE-2020-11998"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"versions": [
"5.15.12"
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:activemq:5.15.12:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://activemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"published": "2023-06-12T14:11:29.875Z",
"modified": "2023-06-12T14:35:05.390Z"
}

68
data/activemq/BIT-2020-13920.json Normal file
View File

@ -0,0 +1,68 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-13920",
"details": "Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the \"jmxrmi\" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.",
"aliases": [
"CVE-2020-13920"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "5.15.12"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"published": "2023-06-12T14:11:19.868Z",
"modified": "2023-06-12T14:35:05.390Z"
}

83
data/activemq/BIT-2020-13947.json Normal file
View File

@ -0,0 +1,83 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-13947",
"details": "An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0.",
"aliases": [
"CVE-2020-13947"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "5.15.14"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "5.16.0"
},
{
"fixed": "5.16.1"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://activemq.apache.org/security-advisories.data/CVE-2020-13947-announcement.txt"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r021c490028f61c8b6f7e38efb98e61693b0cbb6b99b02238c6fc7d66@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra66791f1f2b59fa651a81cec5202acdfbf34c2154fc0ff200301cc1c@%3Cdev.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra66791f1f2b59fa651a81cec5202acdfbf34c2154fc0ff200301cc1c@%3Cusers.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"published": "2023-06-12T14:11:10.672Z",
"modified": "2023-06-12T14:35:05.390Z"
}

80
data/activemq/BIT-2020-1941.json Normal file
View File

@ -0,0 +1,80 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-1941",
"details": "In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.",
"aliases": [
"CVE-2020-1941"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.15.11"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://activemq.apache.org/security-advisories.data/CVE-2020-1941-announcement.txt"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re4672802b0e5ed67c08c9e77057d52138e062f77cc09581b723cf95a@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"published": "2023-06-12T14:11:00.870Z",
"modified": "2023-06-12T14:35:05.390Z"
}

98
data/activemq/BIT-2020-26217.json Normal file
View File

@ -0,0 +1,98 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-26217",
"details": "XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.",
"aliases": [
"CVE-2020-26217"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"versions": [
"5.15.4"
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:activemq:5.15.4:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"
},
{
"type": "WEB",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210409-0004/"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4811"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://x-stream.github.io/CVE-2020-26217.html"
}
],
"published": "2023-06-12T14:10:50.174Z",
"modified": "2023-06-12T14:35:05.390Z"
}

139
data/activemq/BIT-2021-26117.json Normal file
View File

@ -0,0 +1,139 @@
{
"schema_version": "1.5.0",
"id": "BIT-2021-26117",
"details": "The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.",
"aliases": [
"CVE-2021-26117"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "5.15.0"
},
{
"fixed": "5.15.14"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "5.16.0"
},
{
"fixed": "5.16.1"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r110cacfa754471361234965ffe851a046e302ff2693b055f49f47b02@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r22cdc0fb45e223ac92bc2ceff7af92f1193dfc614c8b248534456229@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3341d96d8f956e878fb7b463b08d57ca1d58fec9c970aee929b58e0d@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r519bfafd67091d0b91243efcb1c49b1eea27321355ba5594f679277d@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5899ece90bcae5805ad6142fdb05c58595cff19cb2e98cc58a91f55b@%3Cgitbox.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r70389648227317bdadcdecbd9f238571a6047469d156bd72bb0ca2f7@%3Cgitbox.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra255ddfc8b613b80e9fa22ff3e106168b245f38a22316bfb54d21159@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/raea451de09baed76950d6a60cc4bb1b74476c505e03205a3c68c9808@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd05b1c9d61dbd220664d559aa0e2b55e5830f006a09e82057f3f7863@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd75600cee29cb248d548edcf6338fe296466d63a69e2ed0afc439ec7@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re1b98da90a5f2e1c2e2d50e31c12e2578d61fe01c0737f9d0bd8de99@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rec93794f8aeddf8a5f1a643d264b4e66b933f06fd72a38f31448f0ac@%3Cgitbox.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rffa5cd05d01c4c9853b17f3004d80ea6eb8856c422a8545c5f79b1a6@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00005.html"
},
{
"type": "WEB",
"url": "https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3cCAH+vQmMeUEiKN4wYX9nLBbqmFZFPXqajNvBKmzb2V8QZANcSTA@mail.gmail.com%3e"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210304-0008/"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"published": "2023-06-12T14:10:39.974Z",
"modified": "2023-06-12T14:35:05.390Z"
}

66
data/activemq/CVE-2020-11998.json
View File

@ -1,66 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-11998",
"details": "A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html \"A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.\" Mitigation: Upgrade to Apache ActiveMQ 5.15.13",
"aliases": [
"CVE-2020-11998"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"versions": [
"5.15.12"
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:activemq:5.15.12:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://activemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"published": "2023-05-31T06:18:07.763Z",
"modified": "2023-05-31T06:18:07.763Z"
}

68
data/activemq/CVE-2020-13920.json
View File

@ -1,68 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-13920",
"details": "Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the \"jmxrmi\" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12.",
"aliases": [
"CVE-2020-13920"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "5.15.12"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00013.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"published": "2023-05-31T06:17:59.270Z",
"modified": "2023-05-31T06:17:59.270Z"
}

83
data/activemq/CVE-2020-13947.json
View File

@ -1,83 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-13947",
"details": "An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0.",
"aliases": [
"CVE-2020-13947"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "5.15.14"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "5.16.0"
},
{
"fixed": "5.16.1"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://activemq.apache.org/security-advisories.data/CVE-2020-13947-announcement.txt"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r021c490028f61c8b6f7e38efb98e61693b0cbb6b99b02238c6fc7d66@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra66791f1f2b59fa651a81cec5202acdfbf34c2154fc0ff200301cc1c@%3Cdev.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra66791f1f2b59fa651a81cec5202acdfbf34c2154fc0ff200301cc1c@%3Cusers.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"published": "2023-05-31T06:17:51.664Z",
"modified": "2023-05-31T06:17:51.664Z"
}

80
data/activemq/CVE-2020-1941.json
View File

@ -1,80 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-1941",
"details": "In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.",
"aliases": [
"CVE-2020-1941"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.15.11"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://activemq.apache.org/security-advisories.data/CVE-2020-1941-announcement.txt"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re4672802b0e5ed67c08c9e77057d52138e062f77cc09581b723cf95a@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"published": "2023-05-31T06:17:42.970Z",
"modified": "2023-05-31T06:17:42.970Z"
}

98
data/activemq/CVE-2020-26217.json
View File

@ -1,98 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-26217",
"details": "XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.",
"aliases": [
"CVE-2020-26217"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"versions": [
"5.15.4"
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:activemq:5.15.4:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"
},
{
"type": "WEB",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210409-0004/"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4811"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://x-stream.github.io/CVE-2020-26217.html"
}
],
"published": "2023-05-31T06:17:34.969Z",
"modified": "2023-05-31T06:17:34.969Z"
}

139
data/activemq/CVE-2021-26117.json
View File

@ -1,139 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2021-26117",
"details": "The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.",
"aliases": [
"CVE-2021-26117"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "activemq",
"purl": "pkg:bitnami/activemq"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "5.15.0"
},
{
"fixed": "5.15.14"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "5.16.0"
},
{
"fixed": "5.16.1"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r110cacfa754471361234965ffe851a046e302ff2693b055f49f47b02@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r22cdc0fb45e223ac92bc2ceff7af92f1193dfc614c8b248534456229@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3341d96d8f956e878fb7b463b08d57ca1d58fec9c970aee929b58e0d@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r519bfafd67091d0b91243efcb1c49b1eea27321355ba5594f679277d@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5899ece90bcae5805ad6142fdb05c58595cff19cb2e98cc58a91f55b@%3Cgitbox.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r70389648227317bdadcdecbd9f238571a6047469d156bd72bb0ca2f7@%3Cgitbox.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra255ddfc8b613b80e9fa22ff3e106168b245f38a22316bfb54d21159@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/raea451de09baed76950d6a60cc4bb1b74476c505e03205a3c68c9808@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd05b1c9d61dbd220664d559aa0e2b55e5830f006a09e82057f3f7863@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd75600cee29cb248d548edcf6338fe296466d63a69e2ed0afc439ec7@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re1b98da90a5f2e1c2e2d50e31c12e2578d61fe01c0737f9d0bd8de99@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rec93794f8aeddf8a5f1a643d264b4e66b933f06fd72a38f31448f0ac@%3Cgitbox.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rffa5cd05d01c4c9853b17f3004d80ea6eb8856c422a8545c5f79b1a6@%3Ccommits.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00005.html"
},
{
"type": "WEB",
"url": "https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3cCAH+vQmMeUEiKN4wYX9nLBbqmFZFPXqajNvBKmzb2V8QZANcSTA@mail.gmail.com%3e"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210304-0008/"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"published": "2023-05-31T06:17:27.762Z",
"modified": "2023-05-31T06:17:27.762Z"
}

56
data/airflow/BIT-2020-11978.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-11978",
"details": "An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.",
"aliases": [
"CVE-2020-11978"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.10"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:16:27.368Z",
"modified": "2023-06-12T14:35:05.390Z"
}

52
data/airflow/BIT-2020-11981.json Normal file
View File

@ -0,0 +1,52 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-11981",
"details": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.",
"aliases": [
"CVE-2020-11981"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.10"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:16:16.074Z",
"modified": "2023-06-12T14:35:05.390Z"
}

52
data/airflow/BIT-2020-11982.json Normal file
View File

@ -0,0 +1,52 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-11982",
"details": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.",
"aliases": [
"CVE-2020-11982"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.10"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:16:06.169Z",
"modified": "2023-06-12T14:35:05.390Z"
}

52
data/airflow/BIT-2020-11983.json Normal file
View File

@ -0,0 +1,52 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-11983",
"details": "An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.",
"aliases": [
"CVE-2020-11983"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.10"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:15:56.967Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2020-13927.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-13927",
"details": "The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default",
"aliases": [
"CVE-2020-13927"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.11"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:15:46.975Z",
"modified": "2023-06-12T14:35:05.390Z"
}

95
data/airflow/BIT-2020-13944.json Normal file
View File

@ -0,0 +1,95 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-13944",
"details": "In Apache Airflow < 1.10.12, the \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.",
"aliases": [
"CVE-2020-13944"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.15"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
}
],
"published": "2023-06-12T14:15:36.670Z",
"modified": "2023-06-12T14:35:05.390Z"
}

52
data/airflow/BIT-2020-17511.json Normal file
View File

@ -0,0 +1,52 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-17511",
"details": "In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.",
"aliases": [
"CVE-2020-17511"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.13"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ree782a29d927b96bf0b39fb92e2f1f09ea3112a985f7a08ce93765ac%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:15:27.372Z",
"modified": "2023-06-12T14:35:05.390Z"
}

52
data/airflow/BIT-2020-17513.json Normal file
View File

@ -0,0 +1,52 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-17513",
"details": "In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.",
"aliases": [
"CVE-2020-17513"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.13"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb3647269f07cc2775ca6568cbfd4994d862c842a58120d2aba9c658a%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:15:17.172Z",
"modified": "2023-06-12T14:35:05.390Z"
}

95
data/airflow/BIT-2020-17515.json Normal file
View File

@ -0,0 +1,95 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-17515",
"details": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.",
"aliases": [
"CVE-2020-17515"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.15"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
}
],
"published": "2023-06-12T14:15:07.870Z",
"modified": "2023-06-12T14:35:05.390Z"
}

60
data/airflow/BIT-2020-17526.json Normal file
View File

@ -0,0 +1,60 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-17526",
"details": "Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.",
"aliases": [
"CVE-2020-17526"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.14"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/12/21/1"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:14:59.172Z",
"modified": "2023-06-12T14:35:05.390Z"
}

52
data/airflow/BIT-2020-9485.json Normal file
View File

@ -0,0 +1,52 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-9485",
"details": "An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the \"classic\" UI.",
"aliases": [
"CVE-2020-9485"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.10"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:14:50.669Z",
"modified": "2023-06-12T14:35:05.390Z"
}

50
data/airflow/BIT-2021-26559.json Normal file
View File

@ -0,0 +1,50 @@
{
"schema_version": "1.5.0",
"id": "BIT-2021-26559",
"details": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.",
"aliases": [
"CVE-2021-26559"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"versions": [
"2.0.0"
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:2.0.0:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/02/17/1"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8@%3Cannounce.apache.org%3E"
}
],
"published": "2023-06-12T14:14:41.570Z",
"modified": "2023-06-12T14:35:05.390Z"
}

58
data/airflow/BIT-2021-26697.json Normal file
View File

@ -0,0 +1,58 @@
{
"schema_version": "1.5.0",
"id": "BIT-2021-26697",
"details": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0.",
"aliases": [
"CVE-2021-26697"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"versions": [
"2.0.0"
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:2.0.0:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/02/17/2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cdev.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:14:31.968Z",
"modified": "2023-06-12T14:35:05.390Z"
}

67
data/airflow/BIT-2021-28359.json Normal file
View File

@ -0,0 +1,67 @@
{
"schema_version": "1.5.0",
"id": "BIT-2021-28359",
"details": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).",
"aliases": [
"CVE-2021-28359"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.10.15"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
}
],
"published": "2023-06-12T14:14:23.171Z",
"modified": "2023-06-12T14:35:05.390Z"
}

62
data/airflow/BIT-2021-29621.json Normal file
View File

@ -0,0 +1,62 @@
{
"schema_version": "1.5.0",
"id": "BIT-2021-29621",
"details": "Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.",
"aliases": [
"CVE-2021-29621"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"versions": [
"1.10.0"
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:1.10.0:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/780bd0e8fbf2d36ada52edb769477e0a4edae580"
},
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-434h-p4gx-jm89"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5b754118ba4e996adf03863705d34168bffec202da5c6bdc9bf3add5@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r91067f953906d93aaa1c69fe2b5472754019cc6bd4f1ba81349d62a0@%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://pypi.org/project/Flask-AppBuilder/"
}
],
"published": "2023-06-12T14:14:14.569Z",
"modified": "2023-06-12T14:35:05.390Z"
}

52
data/airflow/BIT-2021-35936.json Normal file
View File

@ -0,0 +1,52 @@
{
"schema_version": "1.5.0",
"id": "BIT-2021-35936",
"details": "If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.",
"aliases": [
"CVE-2021-35936"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:14:06.173Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2021-38540.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2021-38540",
"details": "The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.",
"aliases": [
"CVE-2021-38540"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.3"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb34c3dd1a815456355217eef34060789f771b6f77c3a3dec77de2064%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-06-12T14:13:56.671Z",
"modified": "2023-06-12T14:35:05.390Z"
}

52
data/airflow/BIT-2021-45229.json Normal file
View File

@ -0,0 +1,52 @@
{
"schema_version": "1.5.0",
"id": "BIT-2021-45229",
"details": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.",
"aliases": [
"CVE-2021-45229"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.3"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk"
}
],
"published": "2023-06-12T14:13:47.171Z",
"modified": "2023-06-12T14:35:05.390Z"
}

63
data/airflow/BIT-2021-45230.json Normal file
View File

@ -0,0 +1,63 @@
{
"schema_version": "1.5.0",
"id": "BIT-2021-45230",
"details": "In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for.",
"aliases": [
"CVE-2021-45230"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.15"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"
}
],
"published": "2023-06-12T14:13:38.766Z",
"modified": "2023-06-12T14:35:05.390Z"
}

52
data/airflow/BIT-2022-24288.json Normal file
View File

@ -0,0 +1,52 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-24288",
"details": "In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.",
"aliases": [
"CVE-2022-24288"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.4"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t"
}
],
"published": "2023-06-12T14:13:29.368Z",
"modified": "2023-06-12T14:35:05.390Z"
}

60
data/airflow/BIT-2022-27949.json Normal file
View File

@ -0,0 +1,60 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-27949",
"details": "A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.",
"aliases": [
"CVE-2022-27949"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.1"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/14/3"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/22754"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p"
}
],
"published": "2023-06-12T14:13:18.571Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2022-38054.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-38054",
"details": "In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.",
"aliases": [
"CVE-2022-38054"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.2.4"
},
{
"fixed": "2.3.3"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/02/1"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/rsd3h89xdp16rg0ltovx3m7q3ypkxsbb"
}
],
"published": "2023-06-12T14:13:07.370Z",
"modified": "2023-06-12T14:35:05.390Z"
}

64
data/airflow/BIT-2022-38170.json Normal file
View File

@ -0,0 +1,64 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-38170",
"details": "In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.",
"aliases": [
"CVE-2022-38170"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.4"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/02/12"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/02/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/21/2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv"
}
],
"published": "2023-06-12T14:12:57.570Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2022-38649.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-38649",
"details": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.",
"aliases": [
"CVE-2022-38649"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27641"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/033o1gbc4ly6dpd2xf1o201v56fbl4dz"
}
],
"published": "2023-06-12T14:12:48.367Z",
"modified": "2023-06-12T14:35:05.390Z"
}

60
data/airflow/BIT-2022-40127.json Normal file
View File

@ -0,0 +1,60 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-40127",
"details": "A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.",
"aliases": [
"CVE-2022-40127"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.0"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/14/2"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/25960"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy"
}
],
"published": "2023-06-12T14:12:38.166Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2022-40189.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-40189",
"details": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.",
"aliases": [
"CVE-2022-40189"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27644"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/yxnfzfw2w9pj5s785k3rlyly4y44sd15"
}
],
"published": "2023-06-12T14:12:28.569Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2022-40604.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-40604",
"details": "In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.",
"aliases": [
"CVE-2022-40604"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.4"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/26337"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/z20x8m16fnhxdkoollv53w1ybsts687t"
}
],
"published": "2023-06-12T14:12:18.473Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2022-40754.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-40754",
"details": "In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.",
"aliases": [
"CVE-2022-40754"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.4"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/26409"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/cn098dcp5x3c402xrb06p3l7nz5goffm"
}
],
"published": "2023-06-12T14:12:09.769Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2022-40954.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-40954",
"details": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Spark Provider installed).",
"aliases": [
"CVE-2022-40954"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27646"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/0tmdlnmjs5t4gsx5fy73tb6zd3jztq45"
}
],
"published": "2023-06-12T14:11:59.771Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2022-41131.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-41131",
"details": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed).",
"aliases": [
"CVE-2022-41131"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27647"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/wwo3qp0z8gv54yzn7hr04wy4n8gb0vhl"
}
],
"published": "2023-06-12T14:11:49.470Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2022-41672.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-41672",
"details": "In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.",
"aliases": [
"CVE-2022-41672"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.1"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/26635"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y"
}
],
"published": "2023-06-12T14:11:40.767Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2022-43982.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-43982",
"details": "In Apache Airflow versions prior to 2.4.2, the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument.",
"aliases": [
"CVE-2022-43982"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27143"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l"
}
],
"published": "2023-06-12T14:11:30.569Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2022-43985.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-43985",
"details": "In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.",
"aliases": [
"CVE-2022-43985"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27143"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq"
}
],
"published": "2023-06-12T14:11:20.869Z",
"modified": "2023-06-12T14:35:05.390Z"
}

60
data/airflow/BIT-2022-45402.json Normal file
View File

@ -0,0 +1,60 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-45402",
"details": "In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint.",
"aliases": [
"CVE-2022-45402"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.3"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/15/1"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27576"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh"
}
],
"published": "2023-06-12T14:11:11.270Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2023-22884.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2023-22884",
"details": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.",
"aliases": [
"CVE-2023-22884"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.1"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/28811"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h"
}
],
"published": "2023-06-12T14:11:01.774Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/BIT-2023-25695.json Normal file
View File

@ -0,0 +1,56 @@
{
"schema_version": "1.5.0",
"id": "BIT-2023-25695",
"details": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2.",
"aliases": [
"CVE-2023-25695"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/29501"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2"
}
],
"published": "2023-06-12T14:10:50.974Z",
"modified": "2023-06-12T14:35:05.390Z"
}

60
data/airflow/BIT-2023-29247.json Normal file
View File

@ -0,0 +1,60 @@
{
"schema_version": "1.5.0",
"id": "BIT-2023-29247",
"details": "Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0.",
"aliases": [
"CVE-2023-29247"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/30447"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/30779"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl"
}
],
"published": "2023-06-12T14:10:39.768Z",
"modified": "2023-06-12T14:35:05.390Z"
}

56
data/airflow/CVE-2020-11978.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-11978",
"details": "An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.",
"aliases": [
"CVE-2020-11978"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.10"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:22:39.867Z",
"modified": "2023-05-31T06:22:39.867Z"
}

52
data/airflow/CVE-2020-11981.json
View File

@ -1,52 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-11981",
"details": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.",
"aliases": [
"CVE-2020-11981"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.10"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:22:30.967Z",
"modified": "2023-05-31T06:22:30.967Z"
}

52
data/airflow/CVE-2020-11982.json
View File

@ -1,52 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-11982",
"details": "An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.",
"aliases": [
"CVE-2020-11982"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.10"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:22:21.668Z",
"modified": "2023-05-31T06:22:21.668Z"
}

52
data/airflow/CVE-2020-11983.json
View File

@ -1,52 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-11983",
"details": "An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.",
"aliases": [
"CVE-2020-11983"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.10"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:22:12.466Z",
"modified": "2023-05-31T06:22:12.466Z"
}

56
data/airflow/CVE-2020-13927.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-13927",
"details": "The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default",
"aliases": [
"CVE-2020-13927"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.11"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:22:02.562Z",
"modified": "2023-05-31T06:22:02.562Z"
}

95
data/airflow/CVE-2020-13944.json
View File

@ -1,95 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-13944",
"details": "In Apache Airflow < 1.10.12, the \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.",
"aliases": [
"CVE-2020-13944"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.15"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r97e1b60ca508a86be58c43f405c0c8ff00ba467ba0bee68704ae7e3e%40%3Cdev.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
}
],
"published": "2023-05-31T06:21:54.163Z",
"modified": "2023-05-31T06:21:54.163Z"
}

52
data/airflow/CVE-2020-17511.json
View File

@ -1,52 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-17511",
"details": "In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.",
"aliases": [
"CVE-2020-17511"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.13"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ree782a29d927b96bf0b39fb92e2f1f09ea3112a985f7a08ce93765ac%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:21:44.763Z",
"modified": "2023-05-31T06:21:44.763Z"
}

52
data/airflow/CVE-2020-17513.json
View File

@ -1,52 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-17513",
"details": "In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.",
"aliases": [
"CVE-2020-17513"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.13"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb3647269f07cc2775ca6568cbfd4994d862c842a58120d2aba9c658a%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:21:36.966Z",
"modified": "2023-05-31T06:21:36.966Z"
}

95
data/airflow/CVE-2020-17515.json
View File

@ -1,95 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-17515",
"details": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but the implemented fix in Airflow 1.10.13 did not fix the issue completely.",
"aliases": [
"CVE-2020-17515"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.15"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/12/11/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cdev.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2892ef594dbbf54d0939b808626f52f7c2d1584f8aa1d81570847d2a@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e%40%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4656959c8ed06c1f6202d89aa4e67b35ad7bdba5a666caff3fea888e@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
}
],
"published": "2023-05-31T06:21:28.566Z",
"modified": "2023-05-31T06:21:28.566Z"
}

60
data/airflow/CVE-2020-17526.json
View File

@ -1,60 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-17526",
"details": "Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.",
"aliases": [
"CVE-2020-17526"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.14"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/12/21/1"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:21:19.864Z",
"modified": "2023-05-31T06:21:19.864Z"
}

52
data/airflow/CVE-2020-9485.json
View File

@ -1,52 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-9485",
"details": "An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the \"classic\" UI.",
"aliases": [
"CVE-2020-9485"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.10"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:21:11.272Z",
"modified": "2023-05-31T06:21:11.272Z"
}

50
data/airflow/CVE-2021-26559.json
View File

@ -1,50 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2021-26559",
"details": "Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.",
"aliases": [
"CVE-2021-26559"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"versions": [
"2.0.0"
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:2.0.0:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/02/17/1"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3b3787700279ec361308cbefb7c2cce2acb26891a12ce864e4a13c8d%40%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd142565996d7ee847b9c14b8a9921dcf80bc6bc160e3d9dca6dfc2f8@%3Cannounce.apache.org%3E"
}
],
"published": "2023-05-31T06:21:02.262Z",
"modified": "2023-05-31T06:21:02.262Z"
}

58
data/airflow/CVE-2021-26697.json
View File

@ -1,58 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2021-26697",
"details": "The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can just get some metadata about a DAG and a Task. This issue affects Apache Airflow 2.0.0.",
"aliases": [
"CVE-2021-26697"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"versions": [
"2.0.0"
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:2.0.0:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/02/17/2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r36111262a59219a3e2704c71e97cf84937dae5ba7a1da99499e5d8f9@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519%40%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cdev.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re21fec81baea7a6d73b0b5d31efd07cc02c61f832e297f65bb19b519@%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:20:54.468Z",
"modified": "2023-05-31T06:20:54.468Z"
}

67
data/airflow/CVE-2021-28359.json
View File

@ -1,67 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2021-28359",
"details": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).",
"aliases": [
"CVE-2021-28359"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.10.15"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E"
}
],
"published": "2023-05-31T06:20:45.572Z",
"modified": "2023-05-31T06:20:45.572Z"
}

62
data/airflow/CVE-2021-29621.json
View File

@ -1,62 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2021-29621",
"details": "Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.",
"aliases": [
"CVE-2021-29621"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"versions": [
"1.10.0"
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:1.10.0:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/commit/780bd0e8fbf2d36ada52edb769477e0a4edae580"
},
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-434h-p4gx-jm89"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5b754118ba4e996adf03863705d34168bffec202da5c6bdc9bf3add5@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r91067f953906d93aaa1c69fe2b5472754019cc6bd4f1ba81349d62a0@%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://pypi.org/project/Flask-AppBuilder/"
}
],
"published": "2023-05-31T06:20:37.164Z",
"modified": "2023-05-31T06:20:37.164Z"
}

52
data/airflow/CVE-2021-35936.json
View File

@ -1,52 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2021-35936",
"details": "If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow < 2.1.2.",
"aliases": [
"CVE-2021-35936"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r53d6bd7b0a66f92ddaf1313282f10fec802e71246606dd30c16536df%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:20:28.668Z",
"modified": "2023-05-31T06:20:28.668Z"
}

56
data/airflow/CVE-2021-38540.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2021-38540",
"details": "The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.",
"aliases": [
"CVE-2021-38540"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.3"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rac2ed9118f64733e47b4f1e82ddc8c8020774698f13328ca742b03a2@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb34c3dd1a815456355217eef34060789f771b6f77c3a3dec77de2064%40%3Cusers.airflow.apache.org%3E"
}
],
"published": "2023-05-31T06:20:19.672Z",
"modified": "2023-05-31T06:20:19.672Z"
}

52
data/airflow/CVE-2021-45229.json
View File

@ -1,52 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2021-45229",
"details": "It was discovered that the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.",
"aliases": [
"CVE-2021-45229"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.3"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread/phx76cgtmhwwdy780rvwhobx8qoy4bnk"
}
],
"published": "2023-05-31T06:20:11.568Z",
"modified": "2023-05-31T06:20:11.568Z"
}

63
data/airflow/CVE-2021-45230.json
View File

@ -1,63 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2021-45230",
"details": "In Apache Airflow prior to 2.2.0. This CVE applies to a specific case where a User who has \"can_create\" permissions on DAG Runs can create Dag Runs for dags that they don't have \"edit\" permissions for.",
"aliases": [
"CVE-2021-45230"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.15"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread/m778ojn0k595rwco4ht9wjql89mjoxnl"
}
],
"published": "2023-05-31T06:20:03.980Z",
"modified": "2023-05-31T06:20:03.980Z"
}

52
data/airflow/CVE-2022-24288.json
View File

@ -1,52 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-24288",
"details": "In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.",
"aliases": [
"CVE-2022-24288"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.4"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t"
}
],
"published": "2023-05-31T06:19:55.768Z",
"modified": "2023-05-31T06:19:55.768Z"
}

60
data/airflow/CVE-2022-27949.json
View File

@ -1,60 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-27949",
"details": "A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.",
"aliases": [
"CVE-2022-27949"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.1"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/14/3"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/22754"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p"
}
],
"published": "2023-05-31T06:19:47.963Z",
"modified": "2023-05-31T06:19:47.963Z"
}

56
data/airflow/CVE-2022-38054.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-38054",
"details": "In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.",
"aliases": [
"CVE-2022-38054"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.2.4"
},
{
"fixed": "2.3.3"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/02/1"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/rsd3h89xdp16rg0ltovx3m7q3ypkxsbb"
}
],
"published": "2023-05-31T06:19:39.868Z",
"modified": "2023-05-31T06:19:39.868Z"
}

64
data/airflow/CVE-2022-38170.json
View File

@ -1,64 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-38170",
"details": "In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.",
"aliases": [
"CVE-2022-38170"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.4"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/02/12"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/02/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/21/2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv"
}
],
"published": "2023-05-31T06:19:31.467Z",
"modified": "2023-05-31T06:19:31.467Z"
}

56
data/airflow/CVE-2022-38649.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-38649",
"details": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airflow Pinot Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Apache Airflow Pinot Provider is installed (Apache Airflow Pinot Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pinot Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.",
"aliases": [
"CVE-2022-38649"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27641"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/033o1gbc4ly6dpd2xf1o201v56fbl4dz"
}
],
"published": "2023-05-31T06:19:23.067Z",
"modified": "2023-05-31T06:19:23.067Z"
}

60
data/airflow/CVE-2022-40127.json
View File

@ -1,60 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-40127",
"details": "A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.",
"aliases": [
"CVE-2022-40127"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.0"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/14/2"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/25960"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy"
}
],
"published": "2023-05-31T06:19:14.964Z",
"modified": "2023-05-31T06:19:14.964Z"
}

56
data/airflow/CVE-2022-40189.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-40189",
"details": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version.",
"aliases": [
"CVE-2022-40189"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27644"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/yxnfzfw2w9pj5s785k3rlyly4y44sd15"
}
],
"published": "2023-05-31T06:19:05.966Z",
"modified": "2023-05-31T06:19:05.966Z"
}

56
data/airflow/CVE-2022-40604.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-40604",
"details": "In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.",
"aliases": [
"CVE-2022-40604"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.4"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/26337"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/z20x8m16fnhxdkoollv53w1ybsts687t"
}
],
"published": "2023-05-31T06:18:56.869Z",
"modified": "2023-05-31T06:18:56.869Z"
}

56
data/airflow/CVE-2022-40754.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-40754",
"details": "In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.",
"aliases": [
"CVE-2022-40754"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.4"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/26409"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/cn098dcp5x3c402xrb06p3l7nz5goffm"
}
],
"published": "2023-05-31T06:18:47.363Z",
"modified": "2023-05-31T06:18:47.363Z"
}

56
data/airflow/CVE-2022-40954.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-40954",
"details": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Spark Provider installed).",
"aliases": [
"CVE-2022-40954"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27646"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/0tmdlnmjs5t4gsx5fy73tb6zd3jztq45"
}
],
"published": "2023-05-31T06:18:38.364Z",
"modified": "2023-05-31T06:18:38.364Z"
}

56
data/airflow/CVE-2022-41131.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-41131",
"details": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access to DAG files. This issue affects Hive Provider versions prior to 4.1.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case HIve Provider is installed (Hive Provider 4.1.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the HIve Provider version 4.1.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Hive Provider installed).",
"aliases": [
"CVE-2022-41131"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27647"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/wwo3qp0z8gv54yzn7hr04wy4n8gb0vhl"
}
],
"published": "2023-05-31T06:18:29.068Z",
"modified": "2023-05-31T06:18:29.068Z"
}

56
data/airflow/CVE-2022-41672.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-41672",
"details": "In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.",
"aliases": [
"CVE-2022-41672"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.1"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/26635"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y"
}
],
"published": "2023-05-31T06:18:18.972Z",
"modified": "2023-05-31T06:18:18.972Z"
}

56
data/airflow/CVE-2022-43982.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-43982",
"details": "In Apache Airflow versions prior to 2.4.2, the \"Trigger DAG with config\" screen was susceptible to XSS attacks via the `origin` query argument.",
"aliases": [
"CVE-2022-43982"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27143"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/vqnvdrfsw9z7v7c46qh3psjgr7wy959l"
}
],
"published": "2023-05-31T06:18:09.270Z",
"modified": "2023-05-31T06:18:09.270Z"
}

56
data/airflow/CVE-2022-43985.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-43985",
"details": "In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.",
"aliases": [
"CVE-2022-43985"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27143"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/m13y9s5kw92fw9l8j4qd85h0txp4kfcq"
}
],
"published": "2023-05-31T06:18:01.263Z",
"modified": "2023-05-31T06:18:01.263Z"
}

60
data/airflow/CVE-2022-45402.json
View File

@ -1,60 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-45402",
"details": "In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint.",
"aliases": [
"CVE-2022-45402"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.3"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/15/1"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/27576"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/nf4xrkoo6c81g6fdn4vj8k9x2686o9nh"
}
],
"published": "2023-05-31T06:17:53.064Z",
"modified": "2023-05-31T06:17:53.064Z"
}

56
data/airflow/CVE-2023-22884.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2023-22884",
"details": "Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.",
"aliases": [
"CVE-2023-22884"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.1"
}
]
}
]
}
],
"database_specific": {
"severity": "Critical",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/28811"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/0l0j3nt0t7fzrcjl2ch0jgj6c58kxs5h"
}
],
"published": "2023-05-31T06:17:44.771Z",
"modified": "2023-05-31T06:17:44.771Z"
}

56
data/airflow/CVE-2023-25695.json
View File

@ -1,56 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2023-25695",
"details": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2.",
"aliases": [
"CVE-2023-25695"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.2"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/29501"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2"
}
],
"published": "2023-05-31T06:17:36.367Z",
"modified": "2023-05-31T06:17:36.367Z"
}

60
data/airflow/CVE-2023-29247.json
View File

@ -1,60 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2023-29247",
"details": "Task instance details page in the UI is vulnerable to a stored XSS.This issue affects Apache Airflow: before 2.6.0.",
"aliases": [
"CVE-2023-29247"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "airflow",
"purl": "pkg:bitnami/airflow"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/30447"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/30779"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/kqf5lxmko133780clsp827xfsh4xd3fl"
}
],
"published": "2023-05-31T06:17:28.368Z",
"modified": "2023-05-31T06:17:28.368Z"
}

67
data/akeneo/BIT-2022-46157.json Normal file
View File

@ -0,0 +1,67 @@
{
"schema_version": "1.5.0",
"id": "BIT-2022-46157",
"details": "Akeneo PIM is an open source Product Information Management (PIM). Akeneo PIM Community Edition versions before v5.0.119 and v6.0.53 allows remote authenticated users to execute arbitrary PHP code on the server by uploading a crafted image. Akeneo PIM Community Edition after the versions aforementioned provides patched Apache HTTP server configuration file, for docker setup and in documentation sample, to fix this vulnerability. Community Edition users must change their Apache HTTP server configuration accordingly to be protected. The patch for Cloud Based Akeneo PIM Services customers has been applied since 30th October 2022. Users are advised to upgrade. Users unable to upgrade may Replace any reference to `<FilesMatch \\.php$>` in their apache httpd configurations with: `<Location \"/index.php\">`.",
"aliases": [
"CVE-2022-46157"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "akeneo",
"purl": "pkg:bitnami/akeneo"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.119"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.53"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:akeneo:product_information_management:*:*:*:*:community:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/akeneo/pim-community-dev/blob/b4d79bb073c8b68ea26ab227c97cc78d86c4cba1/docker/httpd.conf#L39"
},
{
"type": "WEB",
"url": "https://github.com/akeneo/pim-community-dev/security/advisories/GHSA-w9wc-4xcq-8gr6"
}
],
"published": "2023-06-12T14:10:42.269Z",
"modified": "2023-06-12T14:35:05.390Z"
}

67
data/akeneo/CVE-2022-46157.json
View File

@ -1,67 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2022-46157",
"details": "Akeneo PIM is an open source Product Information Management (PIM). Akeneo PIM Community Edition versions before v5.0.119 and v6.0.53 allows remote authenticated users to execute arbitrary PHP code on the server by uploading a crafted image. Akeneo PIM Community Edition after the versions aforementioned provides patched Apache HTTP server configuration file, for docker setup and in documentation sample, to fix this vulnerability. Community Edition users must change their Apache HTTP server configuration accordingly to be protected. The patch for Cloud Based Akeneo PIM Services customers has been applied since 30th October 2022. Users are advised to upgrade. Users unable to upgrade may Replace any reference to `<FilesMatch \\.php$>` in their apache httpd configurations with: `<Location \"/index.php\">`.",
"aliases": [
"CVE-2022-46157"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "akeneo",
"purl": "pkg:bitnami/akeneo"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.119"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.53"
}
]
}
]
}
],
"database_specific": {
"severity": "High",
"cpes": [
"cpe:2.3:a:akeneo:product_information_management:*:*:*:*:community:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://github.com/akeneo/pim-community-dev/blob/b4d79bb073c8b68ea26ab227c97cc78d86c4cba1/docker/httpd.conf#L39"
},
{
"type": "WEB",
"url": "https://github.com/akeneo/pim-community-dev/security/advisories/GHSA-w9wc-4xcq-8gr6"
}
],
"published": "2023-05-31T06:17:29.863Z",
"modified": "2023-05-31T06:17:29.863Z"
}

46
data/alfresco/BIT-2020-18327.json Normal file
View File

@ -0,0 +1,46 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-18327",
"details": "Cross Site Scripting (XSS) vulnerability exists in Alfresco Alfresco Community Edition v5.2.0 via the action parameter in the alfresco/s/admin/admin-nodebrowser API. Fixed in v6.2",
"aliases": [
"CVE-2020-18327"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "alfresco",
"purl": "pkg:bitnami/alfresco"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"versions": [
"5.2"
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:alfresco:alfresco:5.2:*:*:*:community:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://gist.github.com/paatui/a3c7ca8cf12594b437d3854f13d76cb8"
},
{
"type": "WEB",
"url": "https://www.cvedetails.com/vulnerability-list/vendor_id-13372/product_id-27784/opxss-1/Alfresco-Alfresco.html"
}
],
"published": "2023-06-12T14:11:13.675Z",
"modified": "2023-06-12T14:35:05.390Z"
}

72
data/alfresco/BIT-2020-8776.json Normal file
View File

@ -0,0 +1,72 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-8776",
"details": "Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file.",
"aliases": [
"CVE-2020-8776"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "alfresco",
"purl": "pkg:bitnami/alfresco"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.7"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:alfresco:alfresco:*:*:*:*:community:*:*:*",
"cpe:2.3:a:alfresco:alfresco:*:*:*:*:enterprise:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156599/Alfresco-5.2.4-Cross-Site-Scripting.html"
},
{
"type": "WEB",
"url": "https://gitlab.com/snippets/1937042"
},
{
"type": "WEB",
"url": "https://issues.alfresco.com/jira/browse/ALF-22110"
}
],
"published": "2023-06-12T14:11:04.570Z",
"modified": "2023-06-12T14:35:05.390Z"
}

72
data/alfresco/BIT-2020-8777.json Normal file
View File

@ -0,0 +1,72 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-8777",
"details": "Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document.",
"aliases": [
"CVE-2020-8777"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "alfresco",
"purl": "pkg:bitnami/alfresco"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.7"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:alfresco:alfresco:*:*:*:*:community:*:*:*",
"cpe:2.3:a:alfresco:alfresco:*:*:*:*:enterprise:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156599/Alfresco-5.2.4-Cross-Site-Scripting.html"
},
{
"type": "WEB",
"url": "https://gitlab.com/snippets/1937042"
},
{
"type": "WEB",
"url": "https://issues.alfresco.com/jira/browse/ALF-22110"
}
],
"published": "2023-06-12T14:10:53.971Z",
"modified": "2023-06-12T14:35:05.390Z"
}

72
data/alfresco/BIT-2020-8778.json Normal file
View File

@ -0,0 +1,72 @@
{
"schema_version": "1.5.0",
"id": "BIT-2020-8778",
"details": "Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project.",
"aliases": [
"CVE-2020-8778"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "alfresco",
"purl": "pkg:bitnami/alfresco"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.7"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:alfresco:alfresco:*:*:*:*:community:*:*:*",
"cpe:2.3:a:alfresco:alfresco:*:*:*:*:enterprise:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156599/Alfresco-5.2.4-Cross-Site-Scripting.html"
},
{
"type": "WEB",
"url": "https://gitlab.com/snippets/1937042"
},
{
"type": "WEB",
"url": "https://issues.alfresco.com/jira/browse/ALF-22110"
}
],
"published": "2023-06-12T14:10:43.174Z",
"modified": "2023-06-12T14:35:05.390Z"
}

46
data/alfresco/CVE-2020-18327.json
View File

@ -1,46 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-18327",
"details": "Cross Site Scripting (XSS) vulnerability exists in Alfresco Alfresco Community Edition v5.2.0 via the action parameter in the alfresco/s/admin/admin-nodebrowser API. Fixed in v6.2",
"aliases": [
"CVE-2020-18327"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "alfresco",
"purl": "pkg:bitnami/alfresco"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"versions": [
"5.2"
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:alfresco:alfresco:5.2:*:*:*:community:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "https://gist.github.com/paatui/a3c7ca8cf12594b437d3854f13d76cb8"
},
{
"type": "WEB",
"url": "https://www.cvedetails.com/vulnerability-list/vendor_id-13372/product_id-27784/opxss-1/Alfresco-Alfresco.html"
}
],
"published": "2023-05-31T06:17:55.569Z",
"modified": "2023-05-31T06:17:55.569Z"
}

72
data/alfresco/CVE-2020-8776.json
View File

@ -1,72 +0,0 @@
{
"schema_version": "1.5.0",
"id": "CVE-2020-8776",
"details": "Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file.",
"aliases": [
"CVE-2020-8776"
],
"affected": [
{
"packages": [
{
"ecosystem": "bitnami",
"name": "alfresco",
"purl": "pkg:bitnami/alfresco"
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
}
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.7"
}
]
},
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.0"
}
]
}
]
}
],
"database_specific": {
"severity": "Medium",
"cpes": [
"cpe:2.3:a:alfresco:alfresco:*:*:*:*:community:*:*:*",
"cpe:2.3:a:alfresco:alfresco:*:*:*:*:enterprise:*:*:*"
]
},
"references": [
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156599/Alfresco-5.2.4-Cross-Site-Scripting.html"
},
{
"type": "WEB",
"url": "https://gitlab.com/snippets/1937042"
},
{
"type": "WEB",
"url": "https://issues.alfresco.com/jira/browse/ALF-22110"
}
],
"published": "2023-05-31T06:17:46.470Z",
"modified": "2023-05-31T06:17:46.470Z"
}

Some files were not shown because too many files have changed in this diff Show More