| Repo in the shape of github.com/CVEProject/cvelist, with |
| some actual data. |
| |
| -- README.md -- |
| ignore me please |
| |
| -- 2021/0xxx/CVE-2021-0001.json -- |
| { |
| "data_type": "CVE", |
| "data_format": "MITRE", |
| "data_version": "4.0", |
| "CVE_data_meta": { |
| "ID": "CVE-2021-0001", |
| "ASSIGNER": "secure@intel.com", |
| "STATE": "PUBLIC" |
| }, |
| "affects": { |
| "vendor": { |
| "vendor_data": [ |
| { |
| "vendor_name": "n/a", |
| "product": { |
| "product_data": [ |
| { |
| "product_name": "Intel(R) IPP", |
| "version": { |
| "version_data": [ |
| { |
| "version_value": "before version 2020 update 1" |
| } |
| ] |
| } |
| } |
| ] |
| } |
| } |
| ] |
| } |
| }, |
| "problemtype": { |
| "problemtype_data": [ |
| { |
| "description": [ |
| { |
| "lang": "eng", |
| "value": "information disclosure" |
| } |
| ] |
| } |
| ] |
| }, |
| "references": { |
| "reference_data": [ |
| { |
| "refsource": "MISC", |
| "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00477.html", |
| "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00477.html" |
| }, |
| { |
| "refsource": "*added for testing*", |
| "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00477.html", |
| "url": "https://golang.org/x/mod" |
| } |
| ] |
| }, |
| "description": { |
| "description_data": [ |
| { |
| "lang": "eng", |
| "value": "Observable timing discrepancy in Intel(R) IPP before version 2020 update 1 may allow authorized user to potentially enable information disclosure via local access." |
| } |
| ] |
| } |
| } |
| -- 2021/0xxx/CVE-2021-0010.json -- |
| { |
| "data_type": "CVE", |
| "data_format": "MITRE", |
| "data_version": "4.0", |
| "CVE_data_meta": { |
| "ID": "CVE-2021-0010", |
| "ASSIGNER": "cve@mitre.org", |
| "STATE": "RESERVED" |
| }, |
| "description": { |
| "description_data": [ |
| { |
| "lang": "eng", |
| "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." |
| } |
| ] |
| } |
| } |
| -- 2021/1xxx/CVE-2021-1384.json -- |
| { |
| "data_type": "CVE", |
| "data_format": "MITRE", |
| "data_version": "4.0", |
| "CVE_data_meta": { |
| "ID": "CVE-2021-1384", |
| "ASSIGNER": "cve@mitre.org", |
| "STATE": "REJECT" |
| }, |
| "references": { |
| "reference_data": [ |
| { |
| "refsource": "*added for testing*", |
| "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00477.html", |
| "url": "https://golang.org/x/sync" |
| } |
| ] |
| }, |
| "description": { |
| "description_data": [ |
| { |
| "lang": "eng", |
| "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none." |
| } |
| ] |
| } |
| } |
| -- 2020/9xxx/CVE-2020-9283.json -- |
| { |
| "CVE_data_meta": { |
| "ASSIGNER": "cve@mitre.org", |
| "ID": "CVE-2020-9283", |
| "STATE": "PUBLIC" |
| }, |
| "affects": { |
| "vendor": { |
| "vendor_data": [ |
| { |
| "product": { |
| "product_data": [ |
| { |
| "product_name": "n/a", |
| "version": { |
| "version_data": [ |
| { |
| "version_value": "n/a" |
| } |
| ] |
| } |
| } |
| ] |
| }, |
| "vendor_name": "n/a" |
| } |
| ] |
| } |
| }, |
| "data_format": "MITRE", |
| "data_type": "CVE", |
| "data_version": "4.0", |
| "description": { |
| "description_data": [ |
| { |
| "lang": "eng", |
| "value": "golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client." |
| } |
| ] |
| }, |
| "problemtype": { |
| "problemtype_data": [ |
| { |
| "description": [ |
| { |
| "lang": "eng", |
| "value": "n/a" |
| } |
| ] |
| } |
| ] |
| }, |
| "references": { |
| "reference_data": [ |
| { |
| "refsource": "CONFIRM", |
| "name": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY", |
| "url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY" |
| }, |
| { |
| "refsource": "*added for testing*", |
| "name": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY", |
| "url": "https://golang.org/x/crypto" |
| } |
| ] |
| } |
| } |
| -- 2022/39xxx/CVE-2022-39213.json -- |
| { |
| "CVE_data_meta": { |
| "ASSIGNER": "security-advisories@github.com", |
| "ID": "CVE-2022-39213", |
| "STATE": "PUBLIC", |
| "TITLE": "Out-of-bounds Read in go-cvss" |
| }, |
| "affects": { |
| "vendor": { |
| "vendor_data": [ |
| { |
| "product": { |
| "product_data": [ |
| { |
| "product_name": "go-cvss", |
| "version": { |
| "version_data": [ |
| { |
| "version_value": ">= 0.2.0, < 0.4.0" |
| } |
| ] |
| } |
| } |
| ] |
| }, |
| "vendor_name": "pandatix" |
| } |
| ] |
| } |
| }, |
| "data_format": "MITRE", |
| "data_type": "CVE", |
| "data_version": "4.0", |
| "description": { |
| "description_data": [ |
| { |
| "lang": "eng", |
| "value": "go-cvss is a Go module to manipulate Common Vulnerability Scoring System (CVSS). In affected versions when a full CVSS v2.0 vector string is parsed using `ParseVector`, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic. The problem is patched in tag `v0.4.0`, by the commit `d9d478ff0c13b8b09ace030db9262f3c2fe031f4`. Users are advised to upgrade. Users unable to upgrade may avoid this issue by parsing only CVSS v2.0 vector strings that do not have all attributes defined (e.g. `AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M`). As stated in [SECURITY.md](https://github.com/pandatix/go-cvss/blob/master/SECURITY.md), the CPE v2.3 to refer to this Go module is `cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*`. The entry has already been requested to the NVD CPE dictionary." |
| } |
| ] |
| }, |
| "impact": { |
| "cvss": { |
| "attackComplexity": "LOW", |
| "attackVector": "NETWORK", |
| "availabilityImpact": "HIGH", |
| "baseScore": 7.5, |
| "baseSeverity": "HIGH", |
| "confidentialityImpact": "NONE", |
| "integrityImpact": "NONE", |
| "privilegesRequired": "NONE", |
| "scope": "UNCHANGED", |
| "userInteraction": "NONE", |
| "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", |
| "version": "3.1" |
| } |
| }, |
| "problemtype": { |
| "problemtype_data": [ |
| { |
| "description": [ |
| { |
| "lang": "eng", |
| "value": "CWE-125: Out-of-bounds Read" |
| } |
| ] |
| } |
| ] |
| }, |
| "references": { |
| "reference_data": [ |
| { |
| "name": "https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx", |
| "refsource": "CONFIRM", |
| "url": "https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx" |
| }, |
| { |
| "name": "https://github.com/pandatix/go-cvss/commit/d9d478ff0c13b8b09ace030db9262f3c2fe031f4", |
| "refsource": "MISC", |
| "url": "https://github.com/pandatix/go-cvss/commit/d9d478ff0c13b8b09ace030db9262f3c2fe031f4" |
| }, |
| { |
| "name": "https://github.com/pandatix/go-cvss/blob/master/SECURITY.md", |
| "refsource": "MISC", |
| "url": "https://github.com/pandatix/go-cvss/blob/master/SECURITY.md" |
| }, |
| { |
| "name": "https://bitbucket.org/foo/bar/baz", |
| "refsource": "*added for testing*", |
| "url": "https://bitbucket.org/foo/bar/baz" |
| } |
| ] |
| }, |
| "source": { |
| "advisory": "GHSA-xhmf-mmv2-4hhx", |
| "discovery": "UNKNOWN" |
| } |
| } |
