Merge branch 'master' into clarify_alias_modtime
andrewpollock authored Oct 17, 2024
2 parents dcb1d02 + 64cf4ee commit d360762
Showing 23 changed files with 2,849 additions and 30 deletions.
2 changes: 2 additions & 0 deletions gcp/api/integration_tests.py
Expand Up @@ -344,11 +344,13 @@ def test_query_comparing_version(self):
alsa_2023_7109 = self._get('ALSA-2023:7109')
alsa_2024_3178 = self._get('ALSA-2024:3178')
alsa_2024_4262 = self._get('ALSA-2024:4262')
alsa_2024_7481 = self._get('ALSA-2024:7481')

expected_vulns = [
alsa_2023_7109,
alsa_2024_3178,
alsa_2024_4262,
alsa_2024_7481,
]

response = requests.post(
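Review bot: `expected_vulns` in `test_query_comparing_version` is a hand-maintained list of advisory ids fetched from the live dataset, so the test has to be edited every time upstream publishes another advisory that matches the query; the added `alsa_2024_7481` lines are one such upkeep edit. The assertion lies outside the hunk (the function continues past `requests.post(`), so I am inferring that the response is compared against this list exactly. If it is, a comment above the list such as `# Exact match against live data: add new ALSA ids here when upstream publishes them.` would tell the next maintainer why the test went red. Asserting that the expected ids are a subset of the response would also keep routine upstream additions from hiding a real regression in the version comparison.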
131 changes: 130 additions & 1 deletion vulnfeeds/test_data/nvdcve-2.0/CVE-2018-1000500.json
@@ -1 +1,130 @@
{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2024-03-25T05:17:38.960","vulnerabilities":[{"cve":{"id":"CVE-2018-1000500","sourceIdentifier":"cve@mitre.org","published":"2018-06-26T16:29:00.353","lastModified":"2020-09-24T20:15:12.350","vulnStatus":"Modified","descriptions":[{"lang":"en","value":"Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https:\/\/compromised-domain.com\/important-file\"."},{"lang":"es","value":"Busybox contiene una vulnerabilidad de falta de validación de certificados SSL en el applet \"busybox wget\" que puede resultar en la ejecución de código arbitrario. El ataque parece ser explotable mediante la descarga de cualquier archivo por HTTPS mediante \"busybox wget https:\/\/compromised-domain.com\/important-file\"."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N\/AC:M\/Au:N\/C:P\/I:P\/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses
":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-295"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*","versionEndExcluding":"1.32.0","matchCriteriaId":"8E01D2F2-60BE-4135-B94B-76D34EC75060"}]}]}],"references":[{"url":"http:\/\/lists.busybox.net\/pipermail\/busybox\/2018-May\/086462.html","source":"cve@mitre.org","tags":["Mailing List","Vendor Advisory"]},{"url":"https:\/\/git.busybox.net\/busybox\/commit\/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91","source":"cve@mitre.org","tags":["Patch","Vendor Advisory"]},{"url":"https:\/\/usn.ubuntu.com\/4531-1\/","source":"cve@mitre.org"}]}}]}
{
"resultsPerPage": 1,
"startIndex": 0,
"totalResults": 1,
"format": "NVD_CVE",
"version": "2.0",
"timestamp": "2024-03-25T05:17:38.960",
"vulnerabilities": [
{
"cve": {
"id": "CVE-2018-1000500",
"sourceIdentifier": "cve@mitre.org",
"published": "2018-06-26T16:29:00.353",
"lastModified": "2020-09-24T20:15:12.350",
"vulnStatus": "Modified",
"descriptions": [
{
"lang": "en",
"value": "Busybox contains a Missing SSL certificate validation vulnerability in The \"busybox wget\" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using \"busybox wget https:\/\/compromised-domain.com\/important-file\"."
},
{
"lang": "es",
"value": "Busybox contiene una vulnerabilidad de falta de validación de certificados SSL en el applet \"busybox wget\" que puede resultar en la ejecución de código arbitrario. El ataque parece ser explotable mediante la descarga de cualquier archivo por HTTPS mediante \"busybox wget https:\/\/compromised-domain.com\/important-file\"."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9
}
],
"cvssMetricV2": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "2.0",
"vectorString": "AV:N\/AC:M\/Au:N\/C:P\/I:P\/A:P",
"accessVector": "NETWORK",
"accessComplexity": "MEDIUM",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8
},
"baseSeverity": "MEDIUM",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-295"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.32.0",
"matchCriteriaId": "8E01D2F2-60BE-4135-B94B-76D34EC75060"
}
]
}
]
}
],
"references": [
{
"url": "http:\/\/lists.busybox.net\/pipermail\/busybox\/2018-May\/086462.html",
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Vendor Advisory"
]
},
{
"url": "https:\/\/git.busybox.net\/busybox\/commit\/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91",
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
]
},
{
"url": "https:\/\/usn.ubuntu.com\/4531-1\/",
"source": "cve@mitre.org"
}
]
}
}
]
}
145 changes: 144 additions & 1 deletion vulnfeeds/test_data/nvdcve-2.0/CVE-2020-13595.json
@@ -1 +1,144 @@
{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2023-11-26T23:14:57.970","vulnerabilities":[{"cve":{"id":"CVE-2020-13595","sourceIdentifier":"cve@mitre.org","published":"2020-08-31T15:15:10.680","lastModified":"2020-09-08T21:09:33.517","vulnStatus":"Analyzed","descriptions":[{"lang":"en","value":"The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target's BLE stack) by sending a crafted sequence of BLE packets."},{"lang":"es","value":"La implementación del controlador Bluetooth Low Energy (BLE) en Espressif ESP-IDF versiones 4.0 hasta 4.2 (para dispositivos ESP32) devuelve el número errado de paquetes BLE completados y desencadena una aserción alcanzable en la pila del host cuando está recibiendo un paquete con un fallo de MIC. 
Un atacante dentro del radio de alcance puede desencadenar silenciosamente la aserción (que deshabilita la pila BLE del objetivo) al enviar una secuencia de paquetes BLE diseñada"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:A\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:A\/AC:L\/Au:N\/C:N\/I:N\/A:P","accessVector":"ADJACENT_NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":3.3},"baseSeverity":"LOW","exploitabilityScore":6.5,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-617"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndIncluding":"4.2","matchCriteriaId":"F8034F36-3371-4111-AE71-573B85934B20"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*","matchCriteriaId":"D1024B06-380B-4116-B7F9-A21A03534B0C"}]}]}],"references":[{"url":"https:\/\/asset-group.github.io\/cves.html","source":"cve@mitre.org","tags":["Third Party Advisory"]},{"url":"https:\/\/asset-group.github.io\/disclosures\/sweyntooth\/","source":"cve@mitre.org","tags":["Third Party 
Advisory"]},{"url":"https:\/\/github.com\/espressif\/esp32-bt-lib","source":"cve@mitre.org","tags":["Third Party Advisory"]}]}}]}
{
"resultsPerPage": 1,
"startIndex": 0,
"totalResults": 1,
"format": "NVD_CVE",
"version": "2.0",
"timestamp": "2023-11-26T23:14:57.970",
"vulnerabilities": [
{
"cve": {
"id": "CVE-2020-13595",
"sourceIdentifier": "cve@mitre.org",
"published": "2020-08-31T15:15:10.680",
"lastModified": "2020-09-08T21:09:33.517",
"vulnStatus": "Analyzed",
"descriptions": [
{
"lang": "en",
"value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target's BLE stack) by sending a crafted sequence of BLE packets."
},
{
"lang": "es",
"value": "La implementación del controlador Bluetooth Low Energy (BLE) en Espressif ESP-IDF versiones 4.0 hasta 4.2 (para dispositivos ESP32) devuelve el número errado de paquetes BLE completados y desencadena una aserción alcanzable en la pila del host cuando está recibiendo un paquete con un fallo de MIC. Un atacante dentro del radio de alcance puede desencadenar silenciosamente la aserción (que deshabilita la pila BLE del objetivo) al enviar una secuencia de paquetes BLE diseñada"
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1\/AV:A\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H",
"attackVector": "ADJACENT_NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
],
"cvssMetricV2": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "2.0",
"vectorString": "AV:A\/AC:L\/Au:N\/C:N\/I:N\/A:P",
"accessVector": "ADJACENT_NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 3.3
},
"baseSeverity": "LOW",
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-617"
}
]
}
],
"configurations": [
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.0.0",
"versionEndIncluding": "4.2",
"matchCriteriaId": "F8034F36-3371-4111-AE71-573B85934B20"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C"
}
]
}
]
}
],
"references": [
{
"url": "https:\/\/asset-group.github.io\/cves.html",
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https:\/\/asset-group.github.io\/disclosures\/sweyntooth\/",
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https:\/\/github.com\/espressif\/esp32-bt-lib",
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
]
}
]
}
}
]
}