restic.csaf_v1.json
{
  "document": {
    "aggregate_severity": {
      "text": "High"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Depscan reachable code only covers the project source code, not the code of dependencies. A dependency may execute vulnerable code when called even if it is not in the project's source code. Regard the Depscan-set flag of 'code_not_in_execute_path' with this in mind."
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "vendor@mcvendorson.com",
      "name": "Vendor McVendorson",
      "namespace": "https://appthreat.com"
    },
    "title": "Your Title",
    "tracking": {
      "current_release_date": "2024-11-08T05:57:23",
      "id": "2024-11-08T05:57:23_v1",
      "initial_release_date": "2024-11-08T05:57:23",
      "revision_history": [],
      "status": "draft",
      "version": "1"
    }
  },
  "product_tree": {
    "full_product_names": [
      {
        "name": "github.com/restic/restic",
        "product_id": "github.com/restic/restic:",
        "product_identification_helper": {
          "purl": "pkg:golang/github.com/restic/restic"
        }
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgements": [
        {
          "organization": "Microsoft",
          "urls": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"]
        }
      ],
      "cve": "CVE-2024-35255",
      "cwe": {
        "id": "362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization"
      },
      "discovery_date": "2024-06-11T18:30:50",
      "ids": [
        {"system_name": "CVE Record", "text": "CVE-2024-35255"}
      ],
      "notes": [
        {
          "category": "description",
          "details": "Vulnerability Description",
          "text": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability"
        },
        {
          "category": "details",
          "details": "Vulnerability Details",
          "text": "# Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability. ## Related CVE(s) CVE-2024-35255, GO-2024-2918"
        },
        {
          "category": "other",
          "text": "Update to version 1.6.0.",
          "title": "Recommended Action"
        }
      ],
      "product_status": {
        "known_affected": ["github.com/Azure/azure-sdk-for-go/sdk/azidentity@vers:golang/>=0.0.0|<1.6.0"],
        "known_not_affected": ["github.com/Azure/azure-sdk-for-go/sdk/azidentity@1.6.0"]
      },
      "references": [
        {"summary": "CVE Record", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"},
        {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255"}
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 5.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "NONE",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "LOW",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 5.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": ["github.com/Azure/azure-sdk-for-go/sdk/azidentity@vers:golang/>=0.0.0|<1.6.0"]
        }
      ],
      "title": "CVE-2024-35255/pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.4.0"
    },
    {
      "acknowledgements": [
        {
          "organization": "NVD",
          "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2023-45288"]
        }
      ],
      "cve": "CVE-2023-45288",
      "cwe": {
        "id": "400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-04-04T21:30:32",
      "ids": [
        {"system_name": "CVE Record", "text": "CVE-2023-45288"},
        {"system_name": "NetApp Advisory", "text": "NTAP-20240419-0009"}
      ],
      "notes": [
        {
          "category": "description",
          "details": "Vulnerability Description",
          "text": "net/http, x/net/http2: close connections when receiving too many headers"
        },
        {
          "category": "details",
          "details": "Vulnerability Details",
          "text": "# net/http, x/net/http2: close connections when receiving too many headers An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. ## Related CVE(s) BIT-golang-2023-45288, CGA-8q47-wf6v-wqg5, CGA-c6f9-jh7g-69mj, CGA-grww-v9jg-rhw2, CVE-2023-45288, GO-2024-2687"
        },
        {
          "category": "other",
          "text": "Update to version 0.23.0.",
          "title": "Recommended Action"
        }
      ],
      "product_status": {
        "known_affected": ["golang.org/x/net@vers:golang/>=0.0.0|<0.23.0"],
        "known_not_affected": ["golang.org/x/net@0.23.0"]
      },
      "references": [
        {"summary": "Openwall Mailing List", "url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"},
        {"summary": "Openwall Mailing List", "url": "http://www.openwall.com/lists/oss-security/2024/04/05/4"},
        {"summary": "Google Mailing List", "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"},
        {"summary": "Fedora Project Mailing List", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT"},
        {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288"},
        {"summary": "NetApp Advisory", "url": "https://security.netapp.com/advisory/ntap-20240419-0009"}
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "NETWORK",
            "modifiedAvailabilityImpact": "LOW",
            "modifiedConfidentialityImpact": "NONE",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": ["golang.org/x/net@vers:golang/>=0.0.0|<0.23.0"]
        }
      ],
      "title": "CVE-2023-45288/pkg:golang/golang.org/x/net@v0.19.0"
    },
    {
      "acknowledgements": [
        {
          "organization": "NVD",
          "urls": ["https://nvd.nist.gov/vuln/detail/CVE-2024-24786"]
        }
      ],
      "cve": "CVE-2024-24786",
      "cwe": {
        "id": "835",
        "name": "Loop with Unreachable Exit Condition"
      },
      "discovery_date": "2024-03-06T00:31:27",
      "ids": [
        {"system_name": "CVE Record", "text": "CVE-2024-24786"},
        {"system_name": "NetApp Advisory", "text": "NTAP-20240517-0002"}
      ],
      "notes": [
        {
          "category": "description",
          "details": "Vulnerability Description",
          "text": "Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON"
        },
        {
          "category": "details",
          "details": "Vulnerability Details",
          "text": "# Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. ## Related CVE(s) CGA-2vgr-6mqh-4r48, CGA-v9cm-f6x8-5vj7, CVE-2024-24786, GO-2024-2611"
        },
        {
          "category": "other",
          "text": "Update to version 1.33.0.",
          "title": "Recommended Action"
        }
      ],
      "product_status": {
        "known_affected": ["google.golang.org/protobuf@vers:golang/>=0.0.0|<1.33.0"],
        "known_not_affected": ["google.golang.org/protobuf@1.33.0"]
      },
      "references": [
        {"summary": "Openwall Mailing List", "url": "http://www.openwall.com/lists/oss-security/2024/03/08/4"},
        {"summary": "Fedora Project Mailing List", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU"},
        {"summary": "CVE Record", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786"},
        {"summary": "NetApp Advisory", "url": "https://security.netapp.com/advisory/ntap-20240517-0002"}
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "NETWORK",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "NONE",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": ["google.golang.org/protobuf@vers:golang/>=0.0.0|<1.33.0"]
        }
      ],
      "title": "CVE-2024-24786/pkg:golang/google.golang.org/protobuf@v1.31.0"
    }
  ]
}
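The file above is a depscan-generated CSAF 2.0 VEX document: three `vulnerabilities` entries, each naming the affected Go module as a `known_affected` product ID of the form `<module>@vers:golang/<range>` and the fixed version under `known_not_affected`. As an added example, not code from this page, from depscan or from restic, here is a Go consumer that loads such a document and reports which modules of a go.mod-style list fall inside a `known_affected` range. The embedded JSON is a constructed copy of the three entries above trimmed to the fields used; the module list in the usage note is likewise constructed from the versions named in the entry titles, with protobuf already bumped to its fix. Two assumptions: the product IDs carry the module path before the `@` (true for this file, not for CSAF documents whose `product_status` references `product_tree` IDs), and every range is one lower/upper bound pair, which is all depscan emits here; the vers pairwise algorithm for disjoint ranges is not implemented.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Only the CSAF VEX fields this example reads; encoding/json matches keys case-insensitively.
type csafVEX struct {
	Vulnerabilities []struct {
		CVE           string
		ProductStatus struct{ KnownAffected []string `json:"known_affected"` } `json:"product_status"`
	}
}

// Finding is one dependency whose version falls inside a vulnerability's known_affected range.
type Finding struct{ Module, Version, CVE string }

// Constructed sample: the three entries of the advisory above, trimmed to the fields used here.
const sampleCSAF = `{"document":{"category":"csaf_vex"},"vulnerabilities":[
{"cve":"CVE-2024-35255","product_status":{"known_affected":["github.com/Azure/azure-sdk-for-go/sdk/azidentity@vers:golang/>=0.0.0|<1.6.0"],"known_not_affected":["github.com/Azure/azure-sdk-for-go/sdk/azidentity@1.6.0"]}},
{"cve":"CVE-2023-45288","product_status":{"known_affected":["golang.org/x/net@vers:golang/>=0.0.0|<0.23.0"],"known_not_affected":["golang.org/x/net@0.23.0"]}},
{"cve":"CVE-2024-24786","product_status":{"known_affected":["google.golang.org/protobuf@vers:golang/>=0.0.0|<1.33.0"],"known_not_affected":["google.golang.org/protobuf@1.33.0"]}}]}`

// versionKey maps "v1.6.0-beta.1" to "0000000001.0000000006.0000000000.0", a fixed-width key that orders
// correctly as a plain string. The last field is 0 for a pre-release and 1 for a release, so v1.6.0-beta.1
// sorts below v1.6.0 and stays inside "<1.6.0"; "+build" metadata is ignored.
func versionKey(s string) (string, error) {
	s, _, _ = strings.Cut(strings.TrimPrefix(s, "v"), "+")
	s, _, pre := strings.Cut(s, "-") // "-rc1", or the "-20240101000000-abcdef123456" of a Go pseudo-version
	n := [4]int{0, 0, 0, 1}
	if pre {
		n[3] = 0
	}
	for i, p := range strings.Split(s, ".") {
		x, err := strconv.Atoi(p)
		if i > 2 || err != nil || x < 0 {
			return "", fmt.Errorf("bad version %q", s)
		}
		n[i] = x
	}
	return fmt.Sprintf("%010d.%010d.%010d.%d", n[0], n[1], n[2], n[3]), nil
}

// inRange evaluates a purl "vers:" range such as "vers:golang/>=0.0.0|<1.6.0". Requiring every constraint
// to hold is exact for the single lower/upper-bound ranges depscan emits (not for disjoint ranges).
func inRange(spec, ver string) (bool, error) {
	_, constraints, ok := strings.Cut(strings.TrimPrefix(spec, "vers:"), "/")
	if !ok || !strings.HasPrefix(spec, "vers:") {
		return false, fmt.Errorf("not a vers range: %q", spec)
	}
	v, err := versionKey(ver)
	if err != nil {
		return false, err
	}
	for _, c := range strings.Split(constraints, "|") {
		bare := strings.TrimLeft(c, "<>=!")
		op := c[:len(c)-len(bare)]
		// ">=0.0.0" means "since the first commit"; taken literally it would exclude a Go pseudo-version
		// v0.0.0-20240101000000-abcdef123456 (a pre-release of v0.0.0) and report it as clean.
		if op == ">=" && strings.Trim(bare, "0.") == "" {
			continue
		}
		bound, err := versionKey(bare)
		if err != nil {
			return false, err
		}
		cmp := strings.Compare(v, bound)
		if !map[string]bool{">=": cmp >= 0, "<=": cmp <= 0, "!=": cmp != 0, ">": cmp > 0, "<": cmp < 0, "=": cmp == 0, "": cmp == 0}[op] {
			return false, nil
		}
	}
	return true, nil
}

// Affected matches resolved modules (path -> version, as in go.mod) against each vulnerability's
// known_affected IDs, which in this document have the form "<module>@vers:golang/<range>".
func Affected(vexJSON []byte, deps map[string]string) ([]Finding, error) {
	var doc csafVEX
	if err := json.Unmarshal(vexJSON, &doc); err != nil {
		return nil, err
	}
	var out []Finding
	for _, vuln := range doc.Vulnerabilities {
		for _, p := range vuln.ProductStatus.KnownAffected {
			module, rng, _ := strings.Cut(p, "@")
			if ver, used := deps[module]; !used {
				continue
			} else if hit, err := inRange(rng, ver); err != nil {
				return nil, fmt.Errorf("%s: %w", vuln.CVE, err)
			} else if hit {
				out = append(out, Finding{module, ver, vuln.CVE})
			}
		}
	}
	return out, nil
}
```

Call `Affected` with the module map from `go list -m all` (or, for the constructed case, `{"github.com/Azure/azure-sdk-for-go/sdk/azidentity": "v1.4.0", "golang.org/x/net": "v0.19.0", "google.golang.org/protobuf": "v1.33.0"}`): it returns findings for CVE-2024-35255 and CVE-2023-45288 and nothing for protobuf, whose version equals the range's exclusive upper bound. The two deliberate choices are in `versionKey` and `inRange`: a pre-release or pseudo-version sorts below its release, so `v1.6.0-beta.1` is still affected by `<1.6.0`, and a `>=0.0.0` lower bound is treated as unbounded, because the literal comparison would silently exclude every `v0.0.0-<timestamp>-<hash>` dependency, which is exactly how untagged Go modules appear in go.mod.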