Various updates

including an initial converted OSV
diff --git a/content/projects/commons/_index.md b/content/projects/commons/_index.md
index d298e8a..f2d772e 100644
--- a/content/projects/commons/_index.md
+++ b/content/projects/commons/_index.md
@@ -17,6 +17,8 @@
 
 CVE-2021-29425 [\[CVE json\]](./CVE-2021-29425.cve.json)
 
+CVE-2021-29425 [\[OSV json\]](./CVE-2021-29425.osv.json)
+
 ### Affected
 
 * Apache Commons IO at 2.2
diff --git a/content/projects/dolphinscheduler/_index.md b/content/projects/dolphinscheduler/_index.md
index f6052d8..c301b92 100644
--- a/content/projects/dolphinscheduler/_index.md
+++ b/content/projects/dolphinscheduler/_index.md
@@ -165,7 +165,7 @@
 
 ### Description
 
-Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability.  This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.
+Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability.  This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.<br><span style="background-color: rgb(255, 255, 255);">This attack can be performed only by authenticated users which can login to DS.</span><br><br>
 
 ### References
 * https://lists.apache.org/thread/r0wqzkjsoq17j6ww381kmpx3jjp9hb6r
diff --git a/content/projects/kafka/_index.md b/content/projects/kafka/_index.md
index 859892b..ad3ef7d 100644
--- a/content/projects/kafka/_index.md
+++ b/content/projects/kafka/_index.md
@@ -89,16 +89,17 @@
 
 ### Affected
 
-* Apache Kafka from 2.3.0 before 3.4.0
+* Apache Kafka Connect API from 2.3.0 before 3.4.0
 
 
 ### Description
 
-A possible security vulnerability has been identified in Apache Kafka Connect.<br>This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config<br>and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka 2.3.0.<br>When configuring the connector via the Kafka Connect REST API, an&nbsp;<span style="background-color: rgb(255, 255, 255);">authenticated operator</span>&nbsp;can set the <span style="background-color: rgb(255, 255, 255);">`sasl.jaas.config`<br></span>property for any of the connector's Kafka clients&nbsp;to "com.sun.security.auth.module.JndiLoginModule", which can be done via the<br>`producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.<br>This will allow the server to connect to the attacker's LDAP server<br>and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.<br>Attacker can cause <span style="background-color: rgb(255, 255, 255);">unrestricted deserialization of untrusted data (or)&nbsp;</span>RCE vulnerability when there are gadgets in the classpath.<br><br>Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box<br>configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector<br>client override policy that permits them.<br><br>Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage<br>in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0. 
<br><br>We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for <br>vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally,<br><span style="background-color: rgb(255, 255, 255);">in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector<br>client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.</span><br>
+A possible security vulnerability has been identified in Apache Kafka Connect API.<br>This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config<br>and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0.<br>When configuring the connector via the Kafka Connect REST API, an&nbsp;<span style="background-color: rgb(255, 255, 255);">authenticated operator</span>&nbsp;can set the <span style="background-color: rgb(255, 255, 255);">`sasl.jaas.config`<br></span>property for any of the connector's Kafka clients&nbsp;to "com.sun.security.auth.module.JndiLoginModule", which can be done via the<br>`producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.<br>This will allow the server to connect to the attacker's LDAP server<br>and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.<br>Attacker can cause <span style="background-color: rgb(255, 255, 255);">unrestricted deserialization of untrusted data (or)&nbsp;</span>RCE vulnerability when there are gadgets in the classpath.<br><br>Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box<br>configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector<br>client override policy that permits them.<br><br>Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage<br>in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka Connect 3.4.0. 
<br><br>We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for <br>vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally,<br><span style="background-color: rgb(255, 255, 255);">in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector<br>client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.</span><br>
 
 ### References
 * https://kafka.apache.org/cve-list
 * https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz
+* http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html
 
 
 ### Credits
diff --git a/content/projects/superset/_index.md b/content/projects/superset/_index.md
index e47db71..2c25d6e 100644
--- a/content/projects/superset/_index.md
+++ b/content/projects/superset/_index.md
@@ -482,6 +482,7 @@
 
 ### References
 * https://lists.apache.org/thread/s9w9w10mt2sngk3solwnmq5k7md53tsz
+* http://www.openwall.com/lists/oss-security/2023/04/24/3
 
 
 ### Credits
diff --git a/scripts/cve2osv.py b/scripts/cve2osv.py
new file mode 100755
index 0000000..7fe0ba9
--- /dev/null
+++ b/scripts/cve2osv.py
@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+
+# Script to convert CVEs as published for Apache projects
+# from CVE JSON 5.0 format to OSV format.
+
+import json
+import sys
+
+# TODO get from arg
+cve = json.load(open(sys.argv[1]))
+
+def mavenPackage(groupId, artifactId):
+  return {
+    'ecosystem': 'Maven',
+    'name': f"{groupId}:{artifactId}",
+    'purl': f"pkg:maven/{groupId}/{artifactId}"
+  }
+
+def package(product):
+  if product == 'Apache Commons IO':
+    return mavenPackage('org.apache.commons', 'commons-io')
+  else:
+    raise ValueError(f'Cannot infer package for product {product}')
+
+def range(versions):
+  if versions['status'] != 'affected':
+    raise "TODO support for explicitly 'unaffected' ranges"
+  if 'lessThan' in versions:
+    events = [{
+        'introduced': versions['version']
+    },{
+        'fixed': versions['lessThan']
+    }]
+  else:
+    events = [{
+        'introduced': versions['version']
+    },{
+        'last_affected': versions['version']
+    }]
+
+  return {
+    'type': 'SEMVER',
+    'events': events
+  }
+
+def convert_affected(affected):
+  return {
+    'package': package(affected['product']),
+    # TODO severity
+    'ranges': list(map(range, affected['versions'])),
+  }
+
+def reference(reference):
+  url = reference['url']
+  if 'jira' in url:
+    t = 'REPORT'
+  elif 'x_refsource_CONFIRM' in reference['tags']:
+    t = 'ADVISORY'
+  else:
+    t = 'WEB'
+  return {
+    'type': t,
+    'url': reference['url']
+  }
+
+cna = cve['containers']['cna']
+osv = {
+  'schema_version': '1.6.1',
+  'id': cve['cveMetadata']['cveId'],
+  'summary': cna['title'],
+  'details': cna['descriptions'][0]['value'],
+  # TODO 'severity'
+  'affected': list(map(convert_affected, cna['affected'])),
+  'references': list(map(reference, cna['references']))
+  # TODO 'credits'
+}
+
+with open(sys.argv[2], 'w', encoding='utf-8') as f:
+    json.dump(osv, f, ensure_ascii=False)
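Review bot: `reference()` indexes `reference['tags']` unconditionally, but `tags` is optional in CVE JSON 5.0 and the Packet Storm reference added to CVE-2023-25194.cve.json in this same patch has no `tags` key, so conversion of that record will fail with a KeyError; use `reference.get('tags', [])`. Likewise `cna['title']` is not present in every record (this patch backfills `title` on several older files), so `cna.get('title', '')` or an explicit skip would make the failure mode deliberate rather than a traceback. In `range()`, `raise "TODO ..."` raises a string, which is itself a TypeError in Python 3; use `raise NotImplementedError("...")`, and rename the function since it shadows the builtin `range`. The `# TODO get from arg` comment is stale (the path already comes from `sys.argv[1]`) and the `open()` on that line is never closed; a `with` block fixes both. Finally, the `.cve.json` files are written with `indent=2` while this emits a single line with no trailing newline; passing `indent=2` and writing a final `\n` keeps the two artifacts consistent and diff-friendly.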
diff --git a/scripts/cve4to5.nix b/scripts/cve4to5.nix
index 1e955a4..956a264 100644
--- a/scripts/cve4to5.nix
+++ b/scripts/cve4to5.nix
@@ -23,8 +23,8 @@
     owner = "raboof";
     repo = "cve-schema";
     # 'standalone-cve4to5' branch
-    rev = "edb05884906e24b60a942593344764d435e347b8";
-    hash = "sha256-8I2xCh1IuFuAndD4ZbfSGYJ6PGmIDoSB3aC3zL+qvrQ=";
+    rev = "9d22833a2cafa48da9bb58479232d09e9b2cd5f2";
+    hash = "sha256-Thc7ZOIZZtRiXcCAMuIGJei4tJVeaOfTRrN9YhOftJQ=";
   };
 
   sourceRoot = "source/schema/v5.0/support/CVE_4_to_5_converter";
diff --git a/scripts/project-page.py b/scripts/project-page.py
index 91e387f..91c9b1e 100755
--- a/scripts/project-page.py
+++ b/scripts/project-page.py
@@ -60,7 +60,7 @@
   print(cve_id)
   if not os.path.exists('cache/%s.json' % cve_id):
     f = urlopen('https://cveprocess.apache.org/publicjson/%s' % cve_id)
-    with open('cache/%s.json' % cve, 'w') as d:
+    with open('cache/%s.json' % cve_id, 'w') as d:
       d.write(f.read().decode('utf-8'))
 
   with open('cache/%s.json' % cve_id, 'r') as d:
@@ -144,10 +144,26 @@
 
     for advisory in advisories[pmc]:
         cve_id = advisory['ID']
+        cve = fetch_cve(cve_id)
+
+        with open(staticdir + cve_id + '.cve.json', 'w') as cveFile:
+          cve_doc = {
+            "containers": cve['containers'],
+            "cveMetadata": cve['cveMetadata'],
+            "dataType": cve['dataType'],
+            "dataVersion": cve['dataVersion'],
+          }
+          json.dump(cve_doc, cveFile, ensure_ascii=True, indent=2)
+
+        has_osv = True
+        if subprocess.call(['./cve2osv.py', staticdir + cve_id + '.cve.json', staticdir + cve_id + '.osv.json']) != 0:
+          has_osv = False
+
         project_page.write("\n\n## %s ## { #%s }\n\n" % (advisory['title'], cve_id))
         project_page.write("%s [\[CVE json\]](./%s.cve.json)\n\n" % (cve_id, cve_id))
+        if has_osv:
+          project_page.write("%s [\[OSV json\]](./%s.osv.json)\n\n" % (cve_id, cve_id))
 
-        cve = fetch_cve(cve_id)
         cna = cve['containers']['cna']
         project_page.write("### Affected\n\n")
         for affected in cna['affected']:
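Review bot: the `subprocess.call(['./cve2osv.py', ...])` in the new block resolves the converter relative to the current working directory, so the page build only finds it when run from `scripts/`; `os.path.join(os.path.dirname(__file__), 'cve2osv.py')` (or invoking it via `sys.executable`) removes that dependency. The hunk also does not show a `subprocess` import, so confirm one exists at the top of the file. A failed conversion is currently silent apart from the child's traceback; logging the CVE id when `has_osv` is set to `False` would make it easy to see which records still lack OSV output.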
@@ -185,11 +201,3 @@
             else:
               project_page.write('* %s\n' % credit['value'])
 
-        with open(staticdir + cve_id + '.cve.json', 'w') as cveFile:
-          cve_doc = {
-            "containers": cve['containers'],
-            "cveMetadata": cve['cveMetadata'],
-            "dataType": cve['dataType'],
-            "dataVersion": cve['dataVersion'],
-          }
-          json.dump(cve_doc, cveFile, ensure_ascii=True, indent=2)
diff --git a/static/projects/activemq/CVE-2020-13947.cve.json b/static/projects/activemq/CVE-2020-13947.cve.json
index 267ccb4..3f8f225 100644
--- a/static/projects/activemq/CVE-2020-13947.cve.json
+++ b/static/projects/activemq/CVE-2020-13947.cve.json
@@ -53,6 +53,7 @@
       "source": {
         "discovery": "UNKNOWN"
       },
+      "title": "XSS in Apache ActiveMQ",
       "x_ValidationErrors": [
         "$.cveMetadata.assignerOrgId -- validator = pattern",
         "$.containers.cna.providerMetadata.orgId -- validator = pattern"
diff --git a/static/projects/airflow/CVE-2020-17511.cve.json b/static/projects/airflow/CVE-2020-17511.cve.json
index 4ac7145..9546898 100644
--- a/static/projects/airflow/CVE-2020-17511.cve.json
+++ b/static/projects/airflow/CVE-2020-17511.cve.json
@@ -53,6 +53,7 @@
       "source": {
         "discovery": "UNKNOWN"
       },
+      "title": "Admin password gets logged in plain text in Apache Airflow",
       "x_ValidationErrors": [
         "$.cveMetadata.assignerOrgId -- validator = pattern",
         "$.containers.cna.providerMetadata.orgId -- validator = pattern"
diff --git a/static/projects/airflow/CVE-2020-17513.cve.json b/static/projects/airflow/CVE-2020-17513.cve.json
index a21f4b9..368d6a6 100644
--- a/static/projects/airflow/CVE-2020-17513.cve.json
+++ b/static/projects/airflow/CVE-2020-17513.cve.json
@@ -48,6 +48,7 @@
       "source": {
         "discovery": "UNKNOWN"
       },
+      "title": "CWE-918 Server-Side Request Forgery (SSRF) in Apache Airflow",
       "x_ValidationErrors": [
         "$.cveMetadata.assignerOrgId -- validator = pattern",
         "$.containers.cna.providerMetadata.orgId -- validator = pattern"
diff --git a/static/projects/airflow/CVE-2020-17515.cve.json b/static/projects/airflow/CVE-2020-17515.cve.json
index 1269657..040fc98 100644
--- a/static/projects/airflow/CVE-2020-17515.cve.json
+++ b/static/projects/airflow/CVE-2020-17515.cve.json
@@ -53,6 +53,7 @@
       "source": {
         "discovery": "UNKNOWN"
       },
+      "title": "Reflected XSS via Origin Parameter in Apache Airflow",
       "x_ValidationErrors": [
         "$.cveMetadata.assignerOrgId -- validator = pattern",
         "$.containers.cna.providerMetadata.orgId -- validator = pattern"
diff --git a/static/projects/airflow/CVE-2020-17526.cve.json b/static/projects/airflow/CVE-2020-17526.cve.json
index 3d3017a..73c3446 100644
--- a/static/projects/airflow/CVE-2020-17526.cve.json
+++ b/static/projects/airflow/CVE-2020-17526.cve.json
@@ -53,6 +53,7 @@
       "source": {
         "discovery": "UNKNOWN"
       },
+      "title": "Incorrect Session Validation in Airflow Webserver with default config in Apache Airflow",
       "workarounds": [
         {
           "lang": "en",
diff --git a/static/projects/airflow/CVE-2023-36543.cve.json b/static/projects/airflow/CVE-2023-36543.cve.json
index 02eafde..3a29d03 100644
--- a/static/projects/airflow/CVE-2023-36543.cve.json
+++ b/static/projects/airflow/CVE-2023-36543.cve.json
@@ -9,9 +9,9 @@
         {
           "descriptions": [
             {
-              "description": "CWE-20 Improper Input Validation",
+              "description": "CWE-1333 Inefficient Regular Expression Complexity",
               "lang": "en",
-              "cweId": "CWE-20",
+              "cweId": "CWE-1333",
               "type": "CWE"
             }
           ]
diff --git a/static/projects/ambari/CVE-2020-13924.cve.json b/static/projects/ambari/CVE-2020-13924.cve.json
index d54ac0c..8bb975e 100644
--- a/static/projects/ambari/CVE-2020-13924.cve.json
+++ b/static/projects/ambari/CVE-2020-13924.cve.json
@@ -53,6 +53,7 @@
       "source": {
         "discovery": "UNKNOWN"
       },
+      "title": "directory traversal in Apache Ambari",
       "x_ValidationErrors": [
         "$.cveMetadata.assignerOrgId -- validator = pattern",
         "$.containers.cna.providerMetadata.orgId -- validator = pattern"
diff --git a/static/projects/any23/CVE-2023-34150.cve.json b/static/projects/any23/CVE-2023-34150.cve.json
index d3da0d5..3bdee37 100644
--- a/static/projects/any23/CVE-2023-34150.cve.json
+++ b/static/projects/any23/CVE-2023-34150.cve.json
@@ -88,6 +88,9 @@
           "type": "finder"
         }
       ],
+      "tags": [
+        "unsupported-when-assigned"
+      ],
       "x_generator": {
         "engine": "Vulnogram 0.1.0-dev"
       }
diff --git a/static/projects/apr/CVE-2022-28331.cve.json b/static/projects/apr/CVE-2022-28331.cve.json
index 1d5ac27..fcbf6f3 100644
--- a/static/projects/apr/CVE-2022-28331.cve.json
+++ b/static/projects/apr/CVE-2022-28331.cve.json
@@ -9,9 +9,9 @@
         {
           "descriptions": [
             {
-              "description": "CWE-787 Out-of-bounds Write",
+              "description": "CWE-190 Integer Overflow or Wraparound",
               "lang": "en",
-              "cweId": "CWE-787",
+              "cweId": "CWE-190",
               "type": "CWE"
             }
           ]
diff --git a/static/projects/bookkeeper/CVE-2022-32531.cve.json b/static/projects/bookkeeper/CVE-2022-32531.cve.json
index 2fa204c..5eef745 100644
--- a/static/projects/bookkeeper/CVE-2022-32531.cve.json
+++ b/static/projects/bookkeeper/CVE-2022-32531.cve.json
@@ -34,8 +34,7 @@
             },
             {
               "status": "affected",
-              "version": "4.15.0",
-              "versionType": ""
+              "version": "4.15.0"
             }
           ],
           "defaultStatus": "unaffected"
diff --git a/static/projects/commons/CVE-2021-29425.osv.json b/static/projects/commons/CVE-2021-29425.osv.json
new file mode 100644
index 0000000..4128681
--- /dev/null
+++ b/static/projects/commons/CVE-2021-29425.osv.json
@@ -0,0 +1 @@
+{"schema_version": "1.6.1", "id": "CVE-2021-29425", "summary": "Possible limited path traversal vulnerabily in Apache Commons IO ", "details": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.\n\n", "affected": [{"package": {"ecosystem": "Maven", "name": "org.apache.commons:commons-io", "purl": "pkg:maven/org.apache.commons/commons-io"}, "ranges": [{"type": "SEMVER", "events": [{"introduced": "2.2"}, {"last_affected": "2.2"}]}, {"type": "SEMVER", "events": [{"introduced": "2.3"}, {"last_affected": "2.3"}]}, {"type": "SEMVER", "events": [{"introduced": "2.4"}, {"last_affected": "2.4"}]}, {"type": "SEMVER", "events": [{"introduced": "2.5"}, {"last_affected": "2.5"}]}, {"type": "SEMVER", "events": [{"introduced": "2.6"}, {"last_affected": "2.6"}]}]}], "references": [{"type": "REPORT", "url": "https://issues.apache.org/jira/browse/IO-556"}, {"type": "ADVISORY", "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"}]}
\ No newline at end of file
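Review bot: the generated ranges are typed `SEMVER` but carry versions such as `2.2`, which are not valid SemVer 2.0.0 strings (the OSV schema requires those for `SEMVER` events, and consumers that sort or match on them will reject or misorder two-component versions); for Maven coordinates the `ECOSYSTEM` range type is the appropriate choice. Also, `summary` carries a trailing space and `details` ends in `\n\n`, both inherited from the CVE record; stripping them in the converter would keep the OSV output clean.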
diff --git a/static/projects/dolphinscheduler/CVE-2022-45875.cve.json b/static/projects/dolphinscheduler/CVE-2022-45875.cve.json
index f77de0c..d869bcd 100644
--- a/static/projects/dolphinscheduler/CVE-2022-45875.cve.json
+++ b/static/projects/dolphinscheduler/CVE-2022-45875.cve.json
@@ -43,13 +43,13 @@
       ],
       "descriptions": [
         {
-          "value": "Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability.  This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.",
+          "value": "Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability.  This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.\nThis attack can be performed only by authenticated users which can login to DS.\n\n",
           "lang": "en",
           "supportingMedia": [
             {
               "type": "text/html",
               "base64": false,
-              "value": "Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability.  This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions."
+              "value": "Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability.  This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.<br><span style=\"background-color: rgb(255, 255, 255);\">This attack can be performed only by authenticated users which can login to DS.</span><br><br>"
             }
           ]
         }
diff --git a/static/projects/inlong/CVE-2023-43668.cve.json b/static/projects/inlong/CVE-2023-43668.cve.json
index bbbd1cb..6fcfa90 100644
--- a/static/projects/inlong/CVE-2023-43668.cve.json
+++ b/static/projects/inlong/CVE-2023-43668.cve.json
@@ -9,9 +9,9 @@
         {
           "descriptions": [
             {
-              "description": "CWE-502 Deserialization of Untrusted Data",
+              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
               "lang": "en",
-              "cweId": "CWE-502",
+              "cweId": "CWE-639",
               "type": "CWE"
             }
           ]
diff --git a/static/projects/james/CVE-2022-45935.cve.json b/static/projects/james/CVE-2022-45935.cve.json
index 79f45f3..40dc187 100644
--- a/static/projects/james/CVE-2022-45935.cve.json
+++ b/static/projects/james/CVE-2022-45935.cve.json
@@ -9,9 +9,9 @@
         {
           "descriptions": [
             {
-              "description": "CWE-319 Cleartext Transmission of Sensitive Information",
+              "description": "CWE-668 Exposure of Resource to Wrong Sphere",
               "lang": "en",
-              "cweId": "CWE-319",
+              "cweId": "CWE-668",
               "type": "CWE"
             }
           ]
diff --git a/static/projects/kafka/CVE-2023-25194.cve.json b/static/projects/kafka/CVE-2023-25194.cve.json
index 1e6c43c..d62320e 100644
--- a/static/projects/kafka/CVE-2023-25194.cve.json
+++ b/static/projects/kafka/CVE-2023-25194.cve.json
@@ -23,7 +23,7 @@
       "affected": [
         {
           "vendor": "Apache Software Foundation",
-          "product": "Apache Kafka",
+          "product": "Apache Kafka Connect API",
           "versions": [
             {
               "status": "affected",
@@ -37,13 +37,13 @@
       ],
       "descriptions": [
         {
-          "value": "A possible security vulnerability has been identified in Apache Kafka Connect.\nThis requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config\nand a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka 2.3.0.\nWhen configuring the connector via the Kafka Connect REST API, an\u00a0authenticated operator\u00a0can set the `sasl.jaas.config`\nproperty for any of the connector's Kafka clients\u00a0to \"com.sun.security.auth.module.JndiLoginModule\", which can be done via the\n`producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.\nThis will allow the server to connect to the attacker's LDAP server\nand deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.\nAttacker can cause unrestricted deserialization of untrusted data (or)\u00a0RCE vulnerability when there are gadgets in the classpath.\n\nSince Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box\nconfigurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector\nclient override policy that permits them.\n\nSince Apache Kafka 3.4.0, we have added a system property (\"-Dorg.apache.kafka.disallowed.login.modules\") to disable the problematic login modules usage\nin SASL JAAS configuration. Also by default \"com.sun.security.auth.module.JndiLoginModule\" is disabled in Apache Kafka 3.4.0. \n\nWe advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. 
Also examine connector dependencies for \nvulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally,\nin addition to leveraging the \"org.apache.kafka.disallowed.login.modules\" system property, Kafka Connect users can also implement their own connector\nclient config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.\n",
+          "value": "A possible security vulnerability has been identified in Apache Kafka Connect API.\nThis requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config\nand a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0.\nWhen configuring the connector via the Kafka Connect REST API, an\u00a0authenticated operator\u00a0can set the `sasl.jaas.config`\nproperty for any of the connector's Kafka clients\u00a0to \"com.sun.security.auth.module.JndiLoginModule\", which can be done via the\n`producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.\nThis will allow the server to connect to the attacker's LDAP server\nand deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.\nAttacker can cause unrestricted deserialization of untrusted data (or)\u00a0RCE vulnerability when there are gadgets in the classpath.\n\nSince Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box\nconfigurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector\nclient override policy that permits them.\n\nSince Apache Kafka 3.4.0, we have added a system property (\"-Dorg.apache.kafka.disallowed.login.modules\") to disable the problematic login modules usage\nin SASL JAAS configuration. Also by default \"com.sun.security.auth.module.JndiLoginModule\" is disabled in Apache Kafka Connect 3.4.0. \n\nWe advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. 
Also examine connector dependencies for \nvulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally,\nin addition to leveraging the \"org.apache.kafka.disallowed.login.modules\" system property, Kafka Connect users can also implement their own connector\nclient config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.\n",
           "lang": "en",
           "supportingMedia": [
             {
               "type": "text/html",
               "base64": false,
-              "value": "A possible security vulnerability has been identified in Apache Kafka Connect.<br>This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config<br>and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka 2.3.0.<br>When configuring the connector via the Kafka Connect REST API, an&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">authenticated operator</span>&nbsp;can set the <span style=\"background-color: rgb(255, 255, 255);\">`sasl.jaas.config`<br></span>property for any of the connector's Kafka clients&nbsp;to \"com.sun.security.auth.module.JndiLoginModule\", which can be done via the<br>`producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.<br>This will allow the server to connect to the attacker's LDAP server<br>and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.<br>Attacker can cause <span style=\"background-color: rgb(255, 255, 255);\">unrestricted deserialization of untrusted data (or)&nbsp;</span>RCE vulnerability when there are gadgets in the classpath.<br><br>Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box<br>configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector<br>client override policy that permits them.<br><br>Since Apache Kafka 3.4.0, we have added a system property (\"-Dorg.apache.kafka.disallowed.login.modules\") to disable the problematic login modules usage<br>in SASL JAAS configuration. Also by default \"com.sun.security.auth.module.JndiLoginModule\" is disabled in Apache Kafka 3.4.0. 
<br><br>We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for <br>vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally,<br><span style=\"background-color: rgb(255, 255, 255);\">in addition to leveraging the \"org.apache.kafka.disallowed.login.modules\" system property, Kafka Connect users can also implement their own connector<br>client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.</span><br>"
+              "value": "A possible security vulnerability has been identified in Apache Kafka Connect API.<br>This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config<br>and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0.<br>When configuring the connector via the Kafka Connect REST API, an&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">authenticated operator</span>&nbsp;can set the <span style=\"background-color: rgb(255, 255, 255);\">`sasl.jaas.config`<br></span>property for any of the connector's Kafka clients&nbsp;to \"com.sun.security.auth.module.JndiLoginModule\", which can be done via the<br>`producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.<br>This will allow the server to connect to the attacker's LDAP server<br>and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.<br>Attacker can cause <span style=\"background-color: rgb(255, 255, 255);\">unrestricted deserialization of untrusted data (or)&nbsp;</span>RCE vulnerability when there are gadgets in the classpath.<br><br>Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box<br>configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector<br>client override policy that permits them.<br><br>Since Apache Kafka 3.4.0, we have added a system property (\"-Dorg.apache.kafka.disallowed.login.modules\") to disable the problematic login modules usage<br>in SASL JAAS configuration. Also by default \"com.sun.security.auth.module.JndiLoginModule\" is disabled in Apache Kafka Connect 3.4.0. 
<br><br>We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for <br>vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally,<br><span style=\"background-color: rgb(255, 255, 255);\">in addition to leveraging the \"org.apache.kafka.disallowed.login.modules\" system property, Kafka Connect users can also implement their own connector<br>client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.</span><br>"
             }
           ]
         }
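Review bot: the product naming in the new "value" text is inconsistent after this edit. The `+` line now says "Apache Kafka Connect API", "since Apache Kafka Connect 2.3.0" and "disabled in Apache Kafka Connect 3.4.0", but the same paragraph still reads "Since Apache Kafka 3.0.0, users are allowed..." and "Since Apache Kafka 3.4.0, we have added a system property", so a reader cannot tell whether "Kafka Connect 2.3.0" and "Kafka 2.3.0" are meant to be the same release. Pick one form (the Apache Kafka release number is the one the system property and default change are tied to) and use it throughout. While the line is being touched, the remediation sentence "either upgrade their connectors, upgrading that specific dependency, or removing the connectors" should be made parallel ("either upgrade their connectors, upgrade that specific dependency, or remove the connectors"), and the `<span style="background-color: rgb(255, 255, 255);">` wrappers are rich-text-editor residue that carries no meaning in a CVE description and should be stripped, leaving at most the `<br>` line breaks.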
@@ -60,6 +60,9 @@
           "tags": [
             "vendor-advisory"
           ]
+        },
+        {
+          "url": "http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html"
         }
       ],
       "metrics": [
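Review bot: the reference object added on L451-L453 has no "tags" array, unlike the preceding entry that carries "vendor-advisory". The CVE JSON 5.0 reference schema provides tags such as "third-party-advisory" and "exploit" for exactly this kind of external write-up, and consumers filter on them, so please tag the new entry. Also note the URL title names Apache Druid rather than Kafka Connect, which is the product this record describes; if the link is included because it covers the same JNDI login module issue, a "related" tag would make that explicit. Prefer the https form of the URL over plain http.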
diff --git a/static/projects/mina/CVE-2023-35887.cve.json b/static/projects/mina/CVE-2023-35887.cve.json
index d474311..5481891 100644
--- a/static/projects/mina/CVE-2023-35887.cve.json
+++ b/static/projects/mina/CVE-2023-35887.cve.json
@@ -9,9 +9,9 @@
         {
           "descriptions": [
             {
-              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
+              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
               "lang": "en",
-              "cweId": "CWE-200",
+              "cweId": "CWE-22",
               "type": "CWE"
             }
           ]
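Review bot: the reclassification from CWE-200 to CWE-22 is applied consistently to both "description" and "cweId" in this hunk, but nothing in the change set documents why the weakness type moved from information exposure to path traversal. The commit message ("Various updates including an initial converted OSV") does not mention it, and downstream feeds (NVD, OSV) will re-index on this value. Please record the rationale, for example a pointer to the advisory or fix commit that shows the root cause, in the commit message or in a comment on the pull request.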
diff --git a/static/projects/streampark/CVE-2022-45802.cve.json b/static/projects/streampark/CVE-2022-45802.cve.json
index d93c135..640d698 100644
--- a/static/projects/streampark/CVE-2022-45802.cve.json
+++ b/static/projects/streampark/CVE-2022-45802.cve.json
@@ -9,9 +9,9 @@
         {
           "descriptions": [
             {
-              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
               "lang": "en",
-              "cweId": "CWE-22",
+              "cweId": "CWE-434",
               "type": "CWE"
             }
           ]
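Review bot: this hunk replaces CWE-22 with CWE-434 rather than adding to it. The "descriptions" array under "problemTypes" in CVE JSON 5.0 accepts more than one CWE entry, so if the issue genuinely involved both an unrestricted upload and a traversal of the resulting path, keeping both entries is more accurate than swapping one for the other. If CWE-22 was simply the wrong initial classification, the replacement is fine, but as with the mina change above the reason should be stated somewhere in the commit or PR.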
diff --git a/static/projects/superset/CVE-2023-30776.cve.json b/static/projects/superset/CVE-2023-30776.cve.json
index 47122df..07e4ad5 100644
--- a/static/projects/superset/CVE-2023-30776.cve.json
+++ b/static/projects/superset/CVE-2023-30776.cve.json
@@ -9,9 +9,9 @@
         {
           "descriptions": [
             {
-              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
+              "description": "CWE-522 Insufficiently Protected Credentials",
               "lang": "en",
-              "cweId": "CWE-200",
+              "cweId": "CWE-522",
               "type": "CWE"
             }
           ]
@@ -54,6 +54,9 @@
           "tags": [
             "vendor-advisory"
           ]
+        },
+        {
+          "url": "http://www.openwall.com/lists/oss-security/2023/04/24/3"
         }
       ],
       "metrics": [
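Review bot: the new reference object on L509-L511 lacks a "tags" array; the oss-security post it points to is a mailing-list announcement, so "mailing-list" (a tag defined by the CVE JSON 5.0 schema) fits, and the preceding entry already shows the expected shape with "vendor-advisory". As with the kafka hunk, the URL should be the https form; openwall serves the list archive over TLS.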
diff --git a/static/projects/trafficserver/CVE-2022-40743.cve.json b/static/projects/trafficserver/CVE-2022-40743.cve.json
index 16f0029..10d13e0 100644
--- a/static/projects/trafficserver/CVE-2022-40743.cve.json
+++ b/static/projects/trafficserver/CVE-2022-40743.cve.json
@@ -9,9 +9,9 @@
         {
           "descriptions": [
             {
-              "description": "CWE-20 Improper Input Validation",
+              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
               "lang": "en",
-              "cweId": "CWE-20",
+              "cweId": "CWE-79",
               "type": "CWE"
             }
           ]
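Review bot: changing the CWE from CWE-20 to CWE-79 leaves the record internally inconsistent, because the free-text "value" in the next hunk still opens with "Improper Input Validation vulnerability for the xdebug plugin", which is the CWE-20 title. A reader comparing "cweId" with the description will see two different weakness types. Either reword the description lead to name the XSS/cache-poisoning outcome that CWE-79 describes, or keep CWE-20 alongside CWE-79 as a second "descriptions" entry if the input-validation framing is intentional.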
@@ -37,7 +37,7 @@
       ],
       "descriptions": [
         {
-          "value": "Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.\n\n\n",
+          "value": "Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.\n\n",
           "lang": "en",
           "supportingMedia": [
             {
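Review bot: this hunk only trims one trailing "\n" from the "value" string, from "\n\n\n" to "\n\n"; the remaining two trailing newlines serve no purpose in a JSON description field and should be dropped as well. Since the line is already being rewritten, the missing space in "cache poisoning attacks.This issue affects" should be fixed at the same time; a whitespace-only cleanup that leaves the visible typo in place will need a second edit later.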
diff --git a/static/projects/trafficserver/CVE-2023-33933.cve.json b/static/projects/trafficserver/CVE-2023-33933.cve.json
index 814d968..fb8d7f9 100644
--- a/static/projects/trafficserver/CVE-2023-33933.cve.json
+++ b/static/projects/trafficserver/CVE-2023-33933.cve.json
@@ -37,7 +37,7 @@
       ],
       "descriptions": [
         {
-          "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.\n\n8.x users should upgrade to 8.1.7 or later versions\n9.x users should upgrade to 9.2.1 or later versions\n\n\n",
+          "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 9.2.0.\n\n8.x users should upgrade to 8.1.7 or later versions\n9.x users should upgrade to 9.2.1 or later versions\n\n",
           "lang": "en",
           "supportingMedia": [
             {
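Review bot: same whitespace-only change as the CVE-2022-40743 hunk: the trailing "\n\n\n" becomes "\n\n" but still ends the string with two line breaks, and the "Server.This issue affects" run-together is left untouched. Suggest stripping all trailing newlines from the "value" and inserting the space after "Server." in the same edit, so the description renders cleanly without another pass over this file.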