docs: CVE update 8/6/24 (#3559)

* docs: add 2 new cves to security bulletin * 2 new CVEs on 08032024 * Updated with our official summaries * docs: make format --------- Co-authored-by: Lenny Chen <lenny.chen@spectrocloud.com> Co-authored-by: JamieM-Spectro <jamie@spectrocloud.com>
spectrocloud · Aug 17, 2024 · 78adcc7 · 78adcc7
1 parent e658556
commit 78adcc7
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 36 deletions.
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-24790.md b/docs/docs-content/security-bulletins/reports/cve-2024-24790.md
@@ -0,0 +1,35 @@
+---
+sidebar_label: "CVE-2024-24790"
+title: "CVE-2024-24790"
+description: "Lifecycle of CVE-2024-24790"
+hide_table_of_contents: true
+sidebar_class_name: "hide-from-sidebar"
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2024-24790](https://nvd.nist.gov/vuln/detail/CVE-2024-24790)
+
+## Last Update
+
+08/06/2024
+
+## NIST CVE Summary
+
+The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning
+false for addresses which would return true in their traditional IPv4 forms.
+
+## Our Official Summary
+
+Waiting on the 3rd party vendor for a fix. Notes: This vulnerability is reported on the mongodb container. A ticket is
+filed with the vendor to get a new image that addresses the vulnerabilities reported.
+
+## CVE Severity
+
+[9.8](hhttps://nvd.nist.gov/vuln/detail/CVE-2024-24790)
+
+## Status
+
+Ongoing
diff --git a/docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md b/docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md
@@ -0,0 +1,37 @@
+---
+sidebar_label: "GHSA-74fp-r6jw-h4mp"
+title: "GHSA-74fp-r6jw-h4mp"
+description: "Lifecycle of GHSA-74fp-r6jw-h4mp"
+hide_table_of_contents: true
+sidebar_class_name: "hide-from-sidebar"
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[GHSA-m425-mq94-257g](https://github.com/advisories/ghsa-74fp-r6jw-h4mp)
+
+## Last Update
+
+08/06/2024
+
+## NIST CVE Summary
+
+Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing
+
+## Our Official Summary
+
+This vulnerability is reported by govulncheck because of the presence of go library, k8s.io/apimachinery (Affected
+versions: \< 0.0.0-20190927203648-9ce6eca90e73). This is a false positive, because it does not affect latest kubernetes
+versions as indicated here
+([https://nvd.nist.gov/vuln/detail/CVE-2019-11253](https://nvd.nist.gov/vuln/detail/CVE-2019-11253)). Current K8s
+version used: 1.28.11
+
+## CVE Severity
+
+[7.5](https://github.com/advisories/ghsa-74fp-r6jw-h4mp)
+
+## Status
+
+Ongoing
diff --git a/docs/docs-content/security-bulletins/reports/reports.md b/docs/docs-content/security-bulletins/reports/reports.md
@@ -51,41 +51,6 @@ Click on the CVE ID to view the full details of the vulnerability.
 | [CVE-2023-44487](./cve-2023-44487.md)           | 10/10/23         | 6/27/24       | Palette 4.4.11 & 4.4.12    | Third-party component: CAPI             | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)   | :mag: Ongoing |
 | [CVE-2022-25883](./cve-2022-25883.md)           | 6/21/23          | 11/6/24       | Palette 4.4.11             | Third-party component: CAPI             | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883)   | :mag: Ongoing |
 | [CVE-2015-8855](./cve-2015-8855.md)             | 1/23/17          | 1/26/12       | Palette 4.4.11             | Third-party component: CAPI             | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855)    | :mag: Ongoing |
-| [CVE-2024-0743](./cve-2024-0743.md)             | 08/09/24         | 08/09/24      | Palette 4.4.11             | Third-party component: TLS              | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0743)    | :mag: Ongoing |
-| [CVE-2019-12900](./cve-2019-12900.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: BZ2              | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-12900)   | :mag: Ongoing |
-| [CVE-2023-37920](./cve-2023-37920.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: Certifi          | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920)   | :mag: Ongoing |
-| [CVE-2019-1010022](./cve-2019-1010022.md)       | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: GNU Libc         | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-1010022) | :mag: Ongoing |
-| [CVE-2016-1585](./cve-2016-1585.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: Ubuntu           | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2016-1585)    | :mag: Ongoing |
-| [CVE-2018-20839](./cve-2018-20839.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20839)   | :mag: Ongoing |
-| [CVE-2024-38428](./cve-2024-38428.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-38428)   | :mag: Ongoing |
-| [CVE-2021-42694](./cve-2021-42694.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [8.3](https://nvd.nist.gov/vuln/detail/CVE-2021-42694)   | :mag: Ongoing |
-| [CVE-2021-39537](./cve-2021-39537.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2021-39537)   | :mag: Ongoing |
-| [CVE-2019-9923](./cve-2019-9923.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9923)    | :mag: Ongoing |
-| [CVE-2020-36325](./cve-2020-36325.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: Jansson          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2020-36325)   | :mag: Ongoing |
-| [CVE-2005-2541](./cve-2005-2541.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [10.0](https://nvd.nist.gov/vuln/detail/CVE-2005-2541)   | :mag: Ongoing |
-| [CVE-2019-9937](./cve-2019-9937.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9937)    | :mag: Ongoing |
-| [CVE-2019-9936](./cve-2019-9936.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9936)    | :mag: Ongoing |
-| [CVE-2019-19244](./cve-2019-19244.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-19244)   | :mag: Ongoing |
-| [CVE-2016-20013](./cve-2016-20013.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: Ubuntu           | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2016-20013)   | :mag: Ongoing |
-| [CVE-2022-0391](./cve-2022-0391.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-0391)    | :mag: Ongoing |
-| [CVE-2021-3737](./cve-2021-3737.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2021-3737)    | :mag: Ongoing |
-| [CVE-2019-9674](./cve-2019-9674.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9674)    | :mag: Ongoing |
-| [CVE-2023-26604](./cve-2023-26604.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: Ubuntu           | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-26604)   | :mag: Ongoing |
-| [CVE-2015-20107](./cve-2015-20107.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.6](https://nvd.nist.gov/vuln/detail/CVE-2015-20107)   | :mag: Ongoing |
-| [CVE-2017-11164](./cve-2017-11164.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: Ubuntu           | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2017-11164)   | :mag: Ongoing |
-| [CVE-2018-20225](./cve-2018-20225.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20225)   | :mag: Ongoing |
-| [CVE-2022-41409](./cve-2022-41409.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41409)   | :mag: Ongoing |
-| [CVE-2019-17543](./cve-2019-17543.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [8.1](https://nvd.nist.gov/vuln/detail/CVE-2019-17543)   | :mag: Ongoing |
-| [CVE-2022-4899](./cve-2022-4899.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4899)    | :mag: Ongoing |
-| [CVE-2018-20657](./cve-2018-20657.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20657)   | :mag: Ongoing |
-| [CVE-2023-27534](./cve-2023-27534.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-27534)   | :mag: Ongoing |
-| [CVE-2023-32636](./cve-2023-32636.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-32636)   | :mag: Ongoing |
-| [CVE-2023-29499](./cve-2023-29499.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-29499)   | :mag: Ongoing |
 | [CVE-2024-24790](./cve-2024-24790.md)           | 8/6/24           | 8/6/24        | Palette 4.4.11             | Third-party component: Go Project       | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-24790)   | :mag: Ongoing |
-| [CVE-2023-4156](./cve-2023-4156.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.1](https://nvd.nist.gov/vuln/detail/CVE-2023-4156)    | :mag: Ongoing |
-| [CVE-2022-23990](./cve-2022-23990.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-23990)   | :mag: Ongoing |
-| [CVE-2020-35512](./cve-2020-35512.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: MongoDB          | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2020-35512)   | :mag: Ongoing |
-| [CVE-2012-2663](./cve-2012-2663.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: iPtables         | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2012-2663)    | :mag: Ongoing |
-| [CVE-2019-9192](./cve-2019-9192.md)             | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: GNU C Library    | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192)    | :mag: Ongoing |
-| [CVE-2018-20796](./cve-2018-20796.md)           | 08/16/24         | 08/16/24      | Palette 4.4.12             | Third-party component: GNU C Library    | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796)   | :mag: Ongoing |
+| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp)    | 8/6/24           | 8/6/24        | Palette 4.4.11             | Third-party component: GitHub           | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing |
 | [PRISMA-2022-0227](./prisma-2022-0227.md)       | 9/12/23          | 9/12/23       | Palette 4.4.11             | Third-party component: vSphere-CSI      | N/A                                                      | :mag: Ongoing |