cve-2024-23634
Vulnerability from cvelistv5
Published
2024-03-20 15:22
Modified
2024-08-01 23:06
Severity ?
6.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
Summary
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in `.zip`. Store file uploads rename zip files to have a `.zip` extension if it doesn't already have one before unzipping the file. This is fine for file and url upload methods where the files will be in a specific subdirectory of the data directory but, when using the external upload method, this allows arbitrary files and directories to be renamed. Renaming GeoServer files will most likely result in a denial of service, either completely preventing GeoServer from running or effectively deleting specific resources (such as a workspace, layer or style). In some cases, renaming GeoServer files could revert to the default settings for that file which could be relatively harmless like removing contact information or have more serious consequences like allowing users to make OGC requests that the customized settings would have prevented them from making. The impact of renaming non-GeoServer files depends on the specific environment although some sort of denial of service is a likely outcome. Versions 2.23.5 and 2.24.2 contain a fix for this issue.
References
security-advisories@github.comhttps://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772Patch
security-advisories@github.comhttps://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0aPatch
security-advisories@github.comhttps://github.com/geoserver/geoserver/pull/7289Issue Tracking
security-advisories@github.comhttps://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gxVendor Advisory
security-advisories@github.comhttps://osgeo-org.atlassian.net/browse/GEOS-11213Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0aPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/geoserver/geoserver/pull/7289Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gxExploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://osgeo-org.atlassian.net/browse/GEOS-11213Issue Tracking
Impacted products
Vendor Product Version
geoserver geoserver Version: < 2.23.5
Version: >= 2.24.0, < 2.24.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-23634",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-03-20T19:58:57.582171Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-04T17:46:00.499Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-01T23:06:25.331Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx",
               },
               {
                  name: "https://github.com/geoserver/geoserver/pull/7289",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/geoserver/geoserver/pull/7289",
               },
               {
                  name: "https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772",
               },
               {
                  name: "https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a",
               },
               {
                  name: "https://osgeo-org.atlassian.net/browse/GEOS-11213",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://osgeo-org.atlassian.net/browse/GEOS-11213",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "geoserver",
               vendor: "geoserver",
               versions: [
                  {
                     status: "affected",
                     version: "< 2.23.5",
                  },
                  {
                     status: "affected",
                     version: ">= 2.24.0, < 2.24.2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in `.zip`. Store file uploads rename zip files to have a `.zip` extension if it doesn't already have one before unzipping the file.  This is fine for file and url upload methods where the files will be in a specific subdirectory of the data directory but, when using the external upload method, this allows arbitrary files and directories to be renamed. Renaming GeoServer files will most likely result in a denial of service, either completely preventing GeoServer from running or effectively deleting specific resources (such as a workspace, layer or style).  In some cases, renaming GeoServer files could revert to the default settings for that file which could be relatively harmless like removing contact information or have more serious consequences like allowing users to make OGC requests that the customized settings would have prevented them from making. The impact of renaming non-GeoServer files depends on the specific environment although some sort of denial of service is a likely outcome. Versions 2.23.5 and 2.24.2 contain a fix for this issue.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 6,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-20",
                     description: "CWE-20: Improper Input Validation",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
            {
               descriptions: [
                  {
                     cweId: "CWE-73",
                     description: "CWE-73: External Control of File Name or Path",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-03-20T15:22:41.431Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx",
            },
            {
               name: "https://github.com/geoserver/geoserver/pull/7289",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/geoserver/geoserver/pull/7289",
            },
            {
               name: "https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772",
            },
            {
               name: "https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a",
            },
            {
               name: "https://osgeo-org.atlassian.net/browse/GEOS-11213",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://osgeo-org.atlassian.net/browse/GEOS-11213",
            },
         ],
         source: {
            advisory: "GHSA-75m5-hh4r-q9gx",
            discovery: "UNKNOWN",
         },
         title: "GeoServer arbitrary file renaming vulnerability in REST Coverage/Data Store API",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-23634",
      datePublished: "2024-03-20T15:22:41.431Z",
      dateReserved: "2024-01-19T00:18:53.232Z",
      dateUpdated: "2024-08-01T23:06:25.331Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-23634\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-20T16:15:07.857\",\"lastModified\":\"2024-12-17T20:20:50.693\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in `.zip`. Store file uploads rename zip files to have a `.zip` extension if it doesn't already have one before unzipping the file.  This is fine for file and url upload methods where the files will be in a specific subdirectory of the data directory but, when using the external upload method, this allows arbitrary files and directories to be renamed. Renaming GeoServer files will most likely result in a denial of service, either completely preventing GeoServer from running or effectively deleting specific resources (such as a workspace, layer or style).  In some cases, renaming GeoServer files could revert to the default settings for that file which could be relatively harmless like removing contact information or have more serious consequences like allowing users to make OGC requests that the customized settings would have prevented them from making. The impact of renaming non-GeoServer files depends on the specific environment although some sort of denial of service is a likely outcome. Versions 2.23.5 and 2.24.2 contain a fix for this issue.\"},{\"lang\":\"es\",\"value\":\"GeoServer es un servidor de software de código abierto escrito en Java que permite a los usuarios compartir y editar datos geoespaciales. Existe una vulnerabilidad de cambio de nombre de archivo arbitrario en versiones anteriores a 2.23.5 y 2.24.2 que permite a un administrador autenticado con permisos para modificar almacenes a través de la API de almacén de datos o almacén de cobertura REST cambiar el nombre de archivos y directorios arbitrarios con un nombre que no termina en \\\".zip\\\". Las cargas de archivos del almacén cambian el nombre de los archivos zip para que tengan una extensión \\\".zip\\\" si aún no la tienen antes de descomprimir el archivo. Esto está bien para los métodos de carga de archivos y URL donde los archivos estarán en un subdirectorio específico del directorio de datos pero, cuando se utiliza el método de carga externo, esto permite cambiar el nombre de archivos y directorios arbitrarios. Cambiar el nombre de los archivos de GeoServer probablemente resultará en una denegación de servicio, ya sea impidiendo por completo que GeoServer se ejecute o eliminando efectivamente recursos específicos (como un espacio de trabajo, una capa o un estilo). En algunos casos, cambiar el nombre de los archivos de GeoServer podría hacer que se vuelva a la configuración predeterminada de ese archivo, lo que podría ser relativamente inofensivo, como eliminar información de contacto, o tener consecuencias más graves, como permitir que los usuarios realicen solicitudes OGC que la configuración personalizada les habría impedido realizar. El impacto de cambiar el nombre de los archivos que no son de GeoServer depende del entorno específico, aunque es probable que se produzca algún tipo de denegación de servicio. Las versiones 2.23.5 y 2.24.2 contienen una solución para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-73\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.23.5\",\"matchCriteriaId\":\"F61A1B3A-DDBD-43E0-8475-BA567DD3528E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.24.0\",\"versionEndExcluding\":\"2.24.2\",\"matchCriteriaId\":\"B4491225-6BEB-4C22-8F05-2C1D37795DE7\"}]}]}],\"references\":[{\"url\":\"https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/geoserver/geoserver/pull/7289\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://osgeo-org.atlassian.net/browse/GEOS-11213\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/geoserver/geoserver/pull/7289\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://osgeo-org.atlassian.net/browse/GEOS-11213\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx\", \"name\": \"https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/geoserver/geoserver/pull/7289\", \"name\": \"https://github.com/geoserver/geoserver/pull/7289\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772\", \"name\": \"https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a\", \"name\": \"https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://osgeo-org.atlassian.net/browse/GEOS-11213\", \"name\": \"https://osgeo-org.atlassian.net/browse/GEOS-11213\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:06:25.331Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-23634\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-20T19:58:57.582171Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:19.089Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"GeoServer arbitrary file renaming vulnerability in REST Coverage/Data Store API\", \"source\": {\"advisory\": \"GHSA-75m5-hh4r-q9gx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"geoserver\", \"product\": \"geoserver\", \"versions\": [{\"status\": \"affected\", \"version\": \"< 2.23.5\"}, {\"status\": \"affected\", \"version\": \">= 2.24.0, < 2.24.2\"}]}], \"references\": [{\"url\": \"https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx\", \"name\": \"https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/geoserver/geoserver/pull/7289\", \"name\": \"https://github.com/geoserver/geoserver/pull/7289\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772\", \"name\": \"https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a\", \"name\": \"https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://osgeo-org.atlassian.net/browse/GEOS-11213\", \"name\": \"https://osgeo-org.atlassian.net/browse/GEOS-11213\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in `.zip`. Store file uploads rename zip files to have a `.zip` extension if it doesn't already have one before unzipping the file.  This is fine for file and url upload methods where the files will be in a specific subdirectory of the data directory but, when using the external upload method, this allows arbitrary files and directories to be renamed. Renaming GeoServer files will most likely result in a denial of service, either completely preventing GeoServer from running or effectively deleting specific resources (such as a workspace, layer or style).  In some cases, renaming GeoServer files could revert to the default settings for that file which could be relatively harmless like removing contact information or have more serious consequences like allowing users to make OGC requests that the customized settings would have prevented them from making. The impact of renaming non-GeoServer files depends on the specific environment although some sort of denial of service is a likely outcome. Versions 2.23.5 and 2.24.2 contain a fix for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-73\", \"description\": \"CWE-73: External Control of File Name or Path\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-20T15:22:41.431Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-23634\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T23:06:25.331Z\", \"dateReserved\": \"2024-01-19T00:18:53.232Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-20T15:22:41.431Z\", \"assignerShortName\": \"GitHub_M\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.