CVE-2023-46167 (GCVE-0-2023-46167)
Vulnerability from
Published
2023-12-04 00:04
Modified
2025-02-13 17:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 federated server is vulnerable to a denial of service when a specially crafted cursor is used. IBM X-Force ID: 269367.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Db2 for Linux, UNIX and Windows |
Version: 11.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7087203"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/269367"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240112-0003/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Db2 for Linux, UNIX and Windows",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 federated server is vulnerable to a denial of service when a specially crafted cursor is used. IBM X-Force ID: 269367."
}
],
"value": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 federated server is vulnerable to a denial of service when a specially crafted cursor is used. IBM X-Force ID: 269367."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-12T14:06:24.402Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7087203"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/269367"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240112-0003/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Db2 denial of service",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-46167",
"datePublished": "2023-12-04T00:04:15.436Z",
"dateReserved": "2023-10-17T22:30:15.074Z",
"dateUpdated": "2025-02-13T17:14:18.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45283 (GCVE-0-2023-45283)
Vulnerability from
Published
2023-11-09 16:30
Modified
2025-02-13 17:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Go standard library | path/filepath |
Version: 0 ≤ Version: 1.21.0-0 ≤ |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:21:15.278Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/63713"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/540277"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/64028"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/541175"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-2185"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/05/2"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231214-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "path/filepath",
"platforms": [
"windows"
],
"product": "path/filepath",
"programRoutines": [
{
"name": "Clean"
},
{
"name": "volumeNameLen"
},
{
"name": "join"
},
{
"name": "Abs"
},
{
"name": "Base"
},
{
"name": "Dir"
},
{
"name": "EvalSymlinks"
},
{
"name": "Glob"
},
{
"name": "IsLocal"
},
{
"name": "Join"
},
{
"name": "Rel"
},
{
"name": "Split"
},
{
"name": "VolumeName"
},
{
"name": "Walk"
},
{
"name": "WalkDir"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.20.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.21.4",
"status": "affected",
"version": "1.21.0-0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "internal/safefilepath",
"platforms": [
"windows"
],
"product": "internal/safefilepath",
"programRoutines": [
{
"name": "fromFS"
},
{
"name": "FromFS"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.20.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.21.4",
"status": "affected",
"version": "1.21.0-0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "path/filepath",
"platforms": [
"windows"
],
"product": "path/filepath",
"programRoutines": [
{
"name": "volumeNameLen"
},
{
"name": "Abs"
},
{
"name": "Base"
},
{
"name": "Clean"
},
{
"name": "Dir"
},
{
"name": "EvalSymlinks"
},
{
"name": "Glob"
},
{
"name": "IsLocal"
},
{
"name": "Join"
},
{
"name": "Rel"
},
{
"name": "Split"
},
{
"name": "VolumeName"
},
{
"name": "Walk"
},
{
"name": "WalkDir"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.20.12",
"status": "affected",
"version": "1.20.11",
"versionType": "semver"
},
{
"lessThan": "1.21.5",
"status": "affected",
"version": "1.21.4",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-41: Improper Resolution of Path Equivalence",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T10:06:32.436Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/63713"
},
{
"url": "https://go.dev/cl/540277"
},
{
"url": "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY"
},
{
"url": "https://go.dev/issue/64028"
},
{
"url": "https://go.dev/cl/541175"
},
{
"url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-2185"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/12/05/2"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231214-0008/"
}
],
"title": "Insecure parsing of Windows paths with a \\??\\ prefix in path/filepath"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-45283",
"datePublished": "2023-11-09T16:30:12.395Z",
"dateReserved": "2023-10-06T17:06:26.220Z",
"dateUpdated": "2025-02-13T17:13:59.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45193 (GCVE-0-2023-45193)
Vulnerability from
Published
2024-01-22 19:02
Modified
2025-02-13 17:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 federated server is vulnerable to a denial of service when a specially crafted cursor is used. IBM X-Force ID: 268759.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Db2 for Linux, UNIX and Windows |
Version: 11.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7105501"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268759"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240307-0001/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45193",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-23T15:49:12.345235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T19:42:14.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Db2 for Linux, UNIX and Windows",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 federated server is vulnerable to a denial of service when a specially crafted cursor is used. IBM X-Force ID: 268759."
}
],
"value": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 federated server is vulnerable to a denial of service when a specially crafted cursor is used. IBM X-Force ID: 268759."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-07T17:06:23.194Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7105501"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268759"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240307-0001/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Db2 denial of service",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-45193",
"datePublished": "2024-01-22T19:02:09.851Z",
"dateReserved": "2023-10-05T01:39:10.398Z",
"dateUpdated": "2025-02-13T17:13:51.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-44372 (GCVE-0-2023-44372)
Vulnerability from
Published
2023-11-16 09:52
Modified
2025-02-13 17:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-416 - Use After Free ()
Summary
Adobe Acrobat Reader versions 23.006.20360 (and earlier) and 20.005.30524 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Acrobat Reader |
Version: 0 ≤ 23.006.20360 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:33.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/acrobat/apsb23-54.htm"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1842"
},
{
"tags": [
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/acrobat/apsb23-54.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44372",
"options": [
{
"Exploitation": "None"
},
{
"Automatable": "No"
},
{
"Technical Impact": "Total"
}
],
"role": "CISA Coordinator",
"timestamp": "2023-11-16T13:58:44.812291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T18:43:17.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Acrobat Reader",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "23.006.20360",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2023-11-14T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Acrobat Reader versions 23.006.20360 (and earlier) and 20.005.30524 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"exploitCodeMaturity": "NOT_DEFINED",
"integrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "LOCAL",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "NOT_DEFINED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free (CWE-416)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-23T19:06:12.471Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://helpx.adobe.com/security/products/acrobat/apsb23-54.htm"
},
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1842"
},
{
"url": "https://helpx.adobe.com/security/products/acrobat/apsb23-54.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "TALOS-2023-1842 - Adobe Acrobat Reader U3D page event use-after-free vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2023-44372",
"datePublished": "2023-11-16T09:52:42.757Z",
"dateReserved": "2023-09-28T16:25:40.455Z",
"dateUpdated": "2025-02-13T17:13:39.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4136 (GCVE-0-2023-4136)
Vulnerability from
Published
2023-08-03 13:33
Modified
2025-02-13 17:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS.This issue affects CrafterCMS: from 4.0.0 through 4.0.2, from 3.1.0 through 3.1.27.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CrafterCMS | CrafterCMS |
Version: 4.0.0 ≤ 4.0.2 Version: 3.1.0 ≤ 3.1.27 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:12.059Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.craftercms.org/en/4.0/security/advisory.html#cv-2023080301"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2023/Aug/30"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/174304/CrafterCMS-4.0.2-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T20:31:02.416127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T20:34:33.289Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Engine",
"platforms": [
"Windows",
"MacOS",
"Linux",
"x86",
"ARM",
"64 bit"
],
"product": "CrafterCMS",
"vendor": "CrafterCMS",
"versions": [
{
"lessThanOrEqual": "4.0.2",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.1.27",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Egidio Romano \u003cegidio.romano@mindedsecurity.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS.\u003cp\u003eThis issue affects CrafterCMS: from 4.0.0 through 4.0.2, from 3.1.0 through 3.1.27.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS.This issue affects CrafterCMS: from 4.0.0 through 4.0.2, from 3.1.0 through 3.1.27."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-23T14:06:10.349Z",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"url": "https://docs.craftercms.org/en/4.0/security/advisory.html#cv-2023080301"
},
{
"url": "http://seclists.org/fulldisclosure/2023/Aug/30"
},
{
"url": "http://packetstormsecurity.com/files/174304/CrafterCMS-4.0.2-Cross-Site-Scripting.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Crafter Engine",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eAdd a WAF to inspect and filter these types of attacks\u003c/li\u003e\u003cli\u003eDisable external access to these APIs if not in active use by the rendering application\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Add a WAF to inspect and filter these types of attacks\n * Disable external access to these APIs if not in active use by the rendering application"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2023-4136",
"datePublished": "2023-08-03T13:33:10.409Z",
"dateReserved": "2023-08-03T13:08:38.129Z",
"dateUpdated": "2025-02-13T17:09:02.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40687 (GCVE-0-2023-40687)
Vulnerability from
Published
2023-12-04 01:10
Modified
2025-02-13 17:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted RUNSTATS command on an 8TB table. IBM X-Force ID: 264809.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Db2 for Linux, UNIX and Windows |
Version: 10.5, 11.1, 11.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:38:51.153Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7087149"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/264809"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240119-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Db2 for Linux, UNIX and Windows",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.5, 11.1, 11.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted RUNSTATS command on an 8TB table. IBM X-Force ID: 264809."
}
],
"value": "IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted RUNSTATS command on an 8TB table. IBM X-Force ID: 264809."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-19T16:06:56.078Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7087149"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/264809"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240119-0001/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Db2 denial of service",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-40687",
"datePublished": "2023-12-04T01:10:23.988Z",
"dateReserved": "2023-08-18T15:48:06.502Z",
"dateUpdated": "2025-02-13T17:08:38.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40374 (GCVE-0-2023-40374)
Vulnerability from
Published
2023-10-16 22:47
Modified
2025-02-13 17:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to denial of service with a specially crafted query statement. IBM X-Force ID: 263575.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Db2 for Linux, UNIX and Windows |
Version: 11.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:31:53.741Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7047261"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/263575"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231116-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Db2 for Linux, UNIX and Windows",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to denial of service with a specially crafted query statement. IBM X-Force ID: 263575."
}
],
"value": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to denial of service with a specially crafted query statement. IBM X-Force ID: 263575."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-16T15:07:01.160Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7047261"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/263575"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231116-0007/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Db2 denial of service",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-40374",
"datePublished": "2023-10-16T22:47:19.415Z",
"dateReserved": "2023-08-14T20:12:05.636Z",
"dateUpdated": "2025-02-13T17:07:46.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40373 (GCVE-0-2023-40373)
Vulnerability from
Published
2023-10-16 23:08
Modified
2025-02-13 17:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to denial of service with a specially crafted query containing common table expressions. IBM X-Force ID: 263574.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Db2 for Linux, UNIX and Windows |
Version: 10.5, 11.1, 11.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:31:53.828Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7047563"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/263574"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231116-0006/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T18:58:04.400746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T18:58:22.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Db2 for Linux, UNIX and Windows",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.5, 11.1, 11.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to denial of service with a specially crafted query containing common table expressions. IBM X-Force ID: 263574."
}
],
"value": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to denial of service with a specially crafted query containing common table expressions. IBM X-Force ID: 263574."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-16T15:06:56.014Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7047563"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/263574"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231116-0006/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Db2 denial of service",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-40373",
"datePublished": "2023-10-16T23:08:25.937Z",
"dateReserved": "2023-08-14T20:12:05.635Z",
"dateUpdated": "2025-02-13T17:07:45.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40372 (GCVE-0-2023-40372)
Vulnerability from
Published
2023-10-16 23:02
Modified
2025-02-13 17:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to denial of service with a specially crafted SQL statement using External Tables. IBM X-Force ID: 263499.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Db2 for Linux, UNIX and Windows |
Version: 11.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:31:53.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7047561"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/263499"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231116-0007/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40372",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-26T14:40:17.973223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T18:40:19.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Db2 for Linux, UNIX and Windows",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to denial of service with a specially crafted SQL statement using External Tables. IBM X-Force ID: 263499."
}
],
"value": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to denial of service with a specially crafted SQL statement using External Tables. IBM X-Force ID: 263499."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-16T15:06:57.706Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7047561"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/263499"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231116-0007/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Db2 denial of service",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-40372",
"datePublished": "2023-10-16T23:02:30.073Z",
"dateReserved": "2023-08-14T20:12:04.115Z",
"dateUpdated": "2025-02-13T17:07:45.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3955 (GCVE-0-2023-3955)
Vulnerability from
Published
2023-10-31 20:36
Modified
2025-02-13 17:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
A security issue was discovered in Kubernetes where a user
that can create pods on Windows nodes may be able to escalate to admin
privileges on those nodes. Kubernetes clusters are only affected if they
include Windows nodes.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kubernetes | kubelet |
Version: v1.28.0 Version: v1.27.0 ≤ v1.27.4 Version: v1.26.0 ≤ v1.26.7 Version: v1.25.0 ≤ v1.25.12 Version: 0 ≤ v1.24.16 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/kubernetes/kubernetes/issues/119595"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/JrX4bb7d83E"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231221-0002/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kubernetes:kubelet:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "kubelet",
"vendor": "kubernetes",
"versions": [
{
"status": "affected",
"version": "1.28.0"
},
{
"lessThanOrEqual": "1.27.4",
"status": "affected",
"version": "1.27.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.26.7",
"status": "affected",
"version": "1.26.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.25.12",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.28.1"
},
{
"status": "unaffected",
"version": "1.27.5"
},
{
"status": "unaffected",
"version": "1.26.8"
},
{
"status": "unaffected",
"version": "1.25.13"
},
{
"status": "unaffected",
"version": "1.24.17"
},
{
"lessThanOrEqual": "1.24.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3955",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:15:32.217974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T17:57:40.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "kubelet",
"repo": "https://github.com/kubernetes/kubernetes",
"vendor": "Kubernetes",
"versions": [
{
"status": "affected",
"version": "v1.28.0"
},
{
"lessThanOrEqual": "v1.27.4",
"status": "affected",
"version": "v1.27.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "v1.26.7",
"status": "affected",
"version": "v1.26.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "v1.25.12",
"status": "affected",
"version": "v1.25.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "v1.28.1"
},
{
"status": "unaffected",
"version": "v1.27.5"
},
{
"status": "unaffected",
"version": "v1.26.8"
},
{
"status": "unaffected",
"version": "v1.25.13"
},
{
"status": "unaffected",
"version": "v1.24.17"
},
{
"lessThanOrEqual": "v1.24.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "James Sturtevant"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mark Rossetti"
}
],
"datePublic": "2023-08-23T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A security issue was discovered in Kubernetes where a user\n that can create pods on Windows nodes may be able to escalate to admin \nprivileges on those nodes. Kubernetes clusters are only affected if they\n include Windows nodes.\u003cbr\u003e"
}
],
"value": "A security issue was discovered in Kubernetes where a user\n that can create pods on Windows nodes may be able to escalate to admin \nprivileges on those nodes. Kubernetes clusters are only affected if they\n include Windows nodes."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-21T22:06:20.809Z",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/kubernetes/kubernetes/issues/119595"
},
{
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/JrX4bb7d83E"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231221-0002/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Kubernetes - Windows nodes - Insufficient input sanitization leads to privilege escalation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2023-3955",
"datePublished": "2023-10-31T20:36:54.352Z",
"dateReserved": "2023-07-26T13:51:11.192Z",
"dateUpdated": "2025-02-13T17:03:13.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
displaying 1581 - 1590 organizations in total 1855