From ba99332d25bfea4d82557b6a5f29670fe94c4d4e Mon Sep 17 00:00:00 2001
From: bitnami-bot
Date: Thu, 26 Sep 2024 07:51:02 +0000
Subject: [PATCH] feat: Updated at 20240926070247
Signed-off-by: bitnami-bot
---
 data/envoy/BIT-envoy-2024-45806.json | 6 +--
 data/envoy/BIT-envoy-2024-7207.json | 76 ++++++++++++++++++++++++++++
 data/vault/BIT-vault-2024-2660.json | 4 +-
 3 files changed, 81 insertions(+), 5 deletions(-)
 create mode 100644 data/envoy/BIT-envoy-2024-7207.json
diff --git a/data/envoy/BIT-envoy-2024-45806.json b/data/envoy/BIT-envoy-2024-45806.json
index 945b3af7d..fb0c07e41 100644
--- a/data/envoy/BIT-envoy-2024-45806.json
+++ b/data/envoy/BIT-envoy-2024-45806.json
@@ -15,7 +15,7 @@
 "severity": [
 {
 "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
 }
 ],
 "ranges": [
@@ -52,7 +52,7 @@
 }
 ],
 "database_specific": {
- "severity": "Medium",
+ "severity": "Critical",
 "cpes": [
 "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
 ]
@@ -64,5 +64,5 @@
 }
 ],
 "published": "2024-09-21T07:10:58.550Z",
- "modified": "2024-09-21T07:51:35.919Z"
+ "modified": "2024-09-26T07:51:02.528Z"
 }
\ No newline at end of file
diff --git a/data/envoy/BIT-envoy-2024-7207.json b/data/envoy/BIT-envoy-2024-7207.json
new file mode 100644
index 000000000..8ee2f4a94
--- /dev/null
+++ b/data/envoy/BIT-envoy-2024-7207.json
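Review bot: The CVSS vector at the `- "score"`/`+ "score"` lines of the first hunk moves from C:L/I:L/A:N to C:H/I:H/A:H with no change to the record's references, and the resulting vector is byte-identical to the one in the new BIT-envoy-2024-7207 record added in this same commit. The second hunk's `"severity": "Critical"` is consistent with the new vector, so the record is internally coherent. Since the two Envoy entries are distinct advisories, it is worth confirming that the new vector for 2024-45806 comes from that CVE's own upstream rating rather than having been propagated from the 7207 entry; if it was recomputed from a different CVSS provider, recording which source is used would help consumers reconcile the jump from Medium to Critical against their own scanners. The third hunk is only the `modified` timestamp bump.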
@@ -0,0 +1,76 @@
+{
+ "schema_version": "1.5.0",
+ "id": "BIT-envoy-2024-7207",
+ "details": "A flaw was found in Envoy. It is possible to modify or manipulate headers from external clients when pass-through routes are used for the ingress gateway. This issue could allow a malicious user to forge what is logged by Envoy as a requested path and cause the Envoy proxy to make requests to internal-only services or arbitrary external systems. This is a regression of the fix for CVE-2023-27487.",
+ "aliases": [
+ "CVE-2024-7207"
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Bitnami",
+ "name": "envoy",
+ "purl": "pkg:bitnami/envoy"
+ },
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.28.7"
+ },
+ {
+ "introduced": "1.29.0"
+ },
+ {
+ "fixed": "1.29.9"
+ },
+ {
+ "introduced": "1.30.0"
+ },
+ {
+ "fixed": "1.30.6"
+ },
+ {
+ "introduced": "1.31.0"
+ },
+ {
+ "fixed": "1.31.2"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "severity": "Critical",
+ "cpes": [
+ "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
+ ]
+ },
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-7207"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2300352"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf"
+ }
+ ],
+ "published": "2024-09-26T07:10:09.460Z",
+ "modified": "2024-09-26T07:51:02.528Z"
+}
\ No newline at end of file
diff --git a/data/vault/BIT-vault-2024-2660.json b/data/vault/BIT-vault-2024-2660.json
index fc4395bb9..c1fca1d78 100644
--- a/data/vault/BIT-vault-2024-2660.json
+++ b/data/vault/BIT-vault-2024-2660.json
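Review bot: The `"details"` line states that this issue is a regression of the fix for CVE-2023-27487, but that relationship exists only in prose; the OSV schema declared here (`"schema_version": "1.5.0"`) has a top-level `related` array for exactly this, so adding `"related": ["CVE-2023-27487"],` beside `"aliases"` would let consumers correlate the two records without parsing the description. The rest of the record is internally consistent: the four `introduced`/`fixed` pairs cover the four Envoy minor lines named by the fixed versions, and `"severity": "Critical"` in `database_specific` agrees with the C:H/I:H/A:H vector. One thing to confirm is that the single `CVSS_V3` entry carries no source attribution; if it was taken from a provider other than the Red Hat and GitHub advisories listed under `references`, consumers reconciling against those links may see a different score.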
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.5.0",
 "id": "BIT-vault-2024-2660",
- "details": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.",
+ "details": "Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.",
 "aliases": [
 "CVE-2024-2660"
 ],
@@ -51,5 +51,5 @@
 }
 ],
 "published": "2024-05-01T07:38:05.608Z",
- "modified": "2024-07-02T07:56:01.842Z"
+ "modified": "2024-09-26T07:51:02.528Z"
 }
\ No newline at end of file
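Review bot: The rewritten `+ "details"` line now asserts an affected range in prose ("1.14.0 and above") together with OSS and Enterprise fix versions, but the machine-readable `affected[].ranges` of this record lie outside the hunk and are not touched by the commit. Please confirm those SEMVER events agree with the sentence — for the Bitnami `vault` package that would presumably be `"introduced": "1.14.0"` and `"fixed": "1.16.0"`, since the 1.16.1, 1.15.7 and 1.14.11 versions the text names are the Vault Enterprise fixes — so that scanners keyed on `ranges` and readers of `details` reach the same conclusion. The second hunk is only the `modified` timestamp bump.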