-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
f804216
commit dec666d
Showing
5 changed files
with
8 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| {"cve": {"id": "CVE-2025-2129", "sourceIdentifier": "[email protected]", "published": "2025-03-09T20:15:27.157", "lastModified": "2025-03-09T20:15:27.157", "vulnStatus": "Received", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Mage AI 0.9.75. It has been classified as problematic. This affects an unknown part. The manipulation leads to insecure default initialization of resource. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. After 7 months of repeated follow-ups by the researcher, Mage AI has decided to not accept this issue as a valid security vulnerability and has confirmed that they will not be addressing it."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "baseScore": 5.1, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 4.9, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1188"}]}], "references": [{"url": "https://github.com/zn9988/publications/blob/main/2.Mage-AI%20-%20Insecure%20Default%20Authentication%20Setup%20Leading%20to%20Zero-Click%20RCE/README.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.299049", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.299049", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.510690", "source": "[email protected]"}]}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| {"cve": {"id": "CVE-2025-26204", "sourceIdentifier": "[email protected]", "published": "2025-03-09T21:15:35.310", "lastModified": "2025-03-09T21:15:35.310", "vulnStatus": "Received", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Lua 5.4.7, when the debug library is used, has a out-of-bounds read and segmentation violation in equalkey in ltable.c. NOTE: this is disputed because the documentation states \"when using [the debug] library ... its functions violate basic assumptions about Lua code (e.g., that ... Lua programs do not crash).\""}], "metrics": {}, "references": [{"url": "https://groups.google.com/u/2/g/lua-l/c/xfmb9mBIIjc", "source": "[email protected]"}]}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| {"cve": {"id": "CVE-2025-26205", "sourceIdentifier": "[email protected]", "published": "2025-03-09T21:15:35.457", "lastModified": "2025-03-09T21:15:35.457", "vulnStatus": "Received", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Lua 5.4.7, when the debug library is used, has a out-of-bounds read and segmentation violation in mainpositionTV in ltable.c. NOTE: this is disputed because the documentation states \"when using [the debug] library ... its functions violate basic assumptions about Lua code (e.g., that ... Lua programs do not crash).\""}], "metrics": {}, "references": [{"url": "https://groups.google.com/u/2/g/lua-l/c/CmoRk8AAjX0", "source": "[email protected]"}]}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| {"cve": {"id": "CVE-2025-27636", "sourceIdentifier": "[email protected]", "published": "2025-03-09T13:15:34.403", "lastModified": "2025-03-09T17:15:36.580", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Bypass/Injection vulnerability in Apache Camel-Bean component under particular conditions.\n\nThis issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.\n\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\n\nThis vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components\n\n * camel-servlet\n * camel-jetty\n * camel-undertow\n * camel-platform-http\n * camel-netty-http\n\n\nand in the route, the exchange will be routed to a camel-bean producer. So ONLY camel-bean component is affected. In particular:\u00a0\n\n * The bean invocation (is only affected if you use any of the above\u00a0together with camel-bean component).\n\n * The bean that can be called, has\u00a0more than 1 method implemented.\nIn these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.\n\nThe vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \"Camel\", \"camel\", or \"org.apache.camel.\".\u00a0\n\n\nMitigation:\u00a0You can easily work around this in your Camel applications by removing the\u00a0headers in your Camel routes. There are many ways of doing this, also\u00a0globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \"cAmel, cAMEL\" etc, or in general everything not starting with \"Camel\", \"camel\" or \"org.apache.camel.\"."}], "metrics": {}, "references": [{"url": "https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/09/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}} | ||
| {"cve": {"id": "CVE-2025-27636", "sourceIdentifier": "[email protected]", "published": "2025-03-09T13:15:34.403", "lastModified": "2025-03-09T20:15:26.270", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Bypass/Injection vulnerability in Apache Camel-Bean component under particular conditions.\n\nThis issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.\n\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\n\nThis vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components\n\n * camel-servlet\n * camel-jetty\n * camel-undertow\n * camel-platform-http\n * camel-netty-http\n\n\nand in the route, the exchange will be routed to a camel-bean producer. So ONLY camel-bean component is affected. In particular:\u00a0\n\n * The bean invocation (is only affected if you use any of the above\u00a0together with camel-bean component).\n\n * The bean that can be called, has\u00a0more than 1 method implemented.\nIn these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.\n\nThe vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \"Camel\", \"camel\", or \"org.apache.camel.\".\u00a0\n\n\nMitigation:\u00a0You can easily work around this in your Camel applications by removing the\u00a0headers in your Camel routes. There are many ways of doing this, also\u00a0globally or per route. This means you could use the removeHeaders EIP, to filter out anything like \"cAmel, cAMEL\" etc, or in general everything not starting with \"Camel\", \"camel\" or \"org.apache.camel.\"."}], "metrics": {}, "references": [{"url": "https://issues.apache.org/jira/browse/CAMEL-21828", "source": "[email protected]"}, {"url": "https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/03/09/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,10 +1,10 @@ | ||
| { | ||
| "vulnerabilities": { | ||
| "lastModStartDate": "2025-03-09T14:02:52.707", | ||
| "lastModEndDate": "2025-03-09T16:02:50.631" | ||
| "lastModStartDate": "2025-03-09T16:02:50.631", | ||
| "lastModEndDate": "2025-03-09T18:02:38.461" | ||
| }, | ||
| "matchStrings": { | ||
| "lastModStartDate": "2025-03-09T18:02:52.223", | ||
| "lastModEndDate": "2025-03-09T20:02:50.567" | ||
| "lastModStartDate": "2025-03-09T20:02:50.567", | ||
| "lastModEndDate": "2025-03-09T22:02:38.013" | ||
| } | ||
| } |