Add GitHub Advisory Database identifiers to external reports (#138)
See also (github/advisory-database#3536)
Showing 47 changed files with 13,085 additions and 13,692 deletions.
@@ -1,57 +1,56 @@ | ||
--- | ||
advisories: | ||
- affected_versions: <=1.7.9 | ||
cve: CVE-2019-10768 | ||
description: | | ||
In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. | ||
fixed_versions: ~ | ||
github_security_advisory: | ||
- GHSA-89mq-4x47-5v83 | ||
references: | ||
- https://snyk.io/vuln/SNYK-JS-ANGULAR-534884 | ||
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E | ||
reported: 2019-11-19 | ||
severity: high | ||
- affected_versions: <1.5.1 | ||
cve: CVE-2019-14863 | ||
description: | | ||
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. | ||
fixed_versions: ~ | ||
github_security_advisory: | ||
- GHSA-r5fx-8r73-v86c | ||
references: | ||
- https://snyk.io/vuln/npm:angular:20150807 | ||
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863 | ||
reported: 2020-01-02 | ||
severity: medium | ||
- affected_versions: <1.8.0 | ||
cve: CVE-2020-7676 | ||
description: | | ||
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code. | ||
fixed_versions: '>1.8.0' | ||
github_security_advisory: | ||
- GHSA-mhp6-pxh8-r675 | ||
references: | ||
- https://github.com/angular/angular.js/pull/17028 | ||
- https://snyk.io/vuln/SNYK-JS-ANGULAR-570058 | ||
- https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E | ||
- https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1@%3Cozone-commits.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a@%3Cozone-issues.hadoop.apache.org%3E | ||
reported: 2020-06-08 | ||
severity: medium | ||
cpansa_version: 2 | ||
name: angular | ||
url: https://github.com/angular/angular | ||
perl_distributions: | ||
- name: Zonemaster-GUI | ||
affected: | ||
- perl_module_versions: '>=1.0.7,<=1.0.11' | ||
distributed_library_version: '1.2.22' | ||
advisories: | ||
- cve: CVE-2019-10768 | ||
description: > | ||
In AngularJS before 1.7.9 the function `merge()` could be tricked | ||
into adding or modifying properties of `Object.prototype` using a | ||
`__proto__` payload. | ||
affected_versions: '<=1.7.9' | ||
fixed_versions: ~ | ||
references: | ||
- https://snyk.io/vuln/SNYK-JS-ANGULAR-534884 | ||
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E | ||
reported: 2019-11-19 | ||
severity: high | ||
- cve: CVE-2019-14863 | ||
description: > | ||
There is a vulnerability in all angular versions before | ||
1.5.0-beta.0, where after escaping the context of the web application, | ||
the web application delivers data to its users along with other | ||
trusted dynamic content, without validating it. | ||
affected_versions: '<1.5.1' | ||
fixed_versions: ~ | ||
references: | ||
- https://snyk.io/vuln/npm:angular:20150807 | ||
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863 | ||
reported: 2020-01-02 | ||
severity: medium | ||
- cve: CVE-2020-7676 | ||
description: > | ||
angular.js prior to 1.8.0 allows cross site scripting. The | ||
regex-based input HTML replacement may turn sanitized code into | ||
unsanitized one. Wrapping "<option>" elements in "<select>" ones | ||
changes parsing behavior, leading to possibly unsanitizing code. | ||
affected_versions: '<1.8.0' | ||
fixed_versions: '>1.8.0' | ||
references: | ||
- https://github.com/angular/angular.js/pull/17028 | ||
- https://snyk.io/vuln/SNYK-JS-ANGULAR-570058 | ||
- https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E | ||
- https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1@%3Cozone-issues.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1@%3Cozone-commits.hadoop.apache.org%3E | ||
- https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a@%3Cozone-issues.hadoop.apache.org%3E | ||
reported: 2020-06-08 | ||
severity: medium | ||
- affected: | ||
- distributed_library_version: 1.2.22 | ||
perl_module_versions: '>=1.0.7,<=1.0.11' | ||
name: Zonemaster-GUI | ||
url: https://github.com/angular/angular |
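Review bot: the `url:` for this record points at https://github.com/angular/angular, while every description in the hunk concerns AngularJS 1.x and the CVE-2020-7676 reference is https://github.com/angular/angular.js/pull/17028; the record should point at the angular.js repository (or the library's own home page) so the newly added external identifiers resolve to the right project. Two consistency points in the same hunk: `affected_versions: <=1.7.9` for CVE-2019-10768 contradicts its own description ("before 1.7.9", i.e. `<1.7.9`), and `fixed_versions: '>1.8.0'` for CVE-2020-7676 leaves 1.8.0 itself in neither range when `affected_versions` is `<1.8.0`; `'>=1.8.0'` would close that gap.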
@@ -1,74 +1,73 @@ | ||
--- | ||
advisories: | ||
- affected_versions: '>=1.33,<=1.34' | ||
cve: CVE-2008-0171 | ||
description: | | ||
regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (failed assertion and crash) via an invalid regular expression. | ||
fixed_versions: '>1.34' | ||
github_security_advisory: | ||
- GHSA-mc8j-3vrc-57vf | ||
references: | ||
- http://bugs.gentoo.org/show_bug.cgi?id=205955 | ||
- http://svn.boost.org/trac/boost/changeset/42674 | ||
- http://svn.boost.org/trac/boost/changeset/42745 | ||
- https://issues.rpath.com/browse/RPL-2143 | ||
- http://www.ubuntu.com/usn/usn-570-1 | ||
- http://www.securityfocus.com/bid/27325 | ||
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html | ||
- http://secunia.com/advisories/28545 | ||
- http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032 | ||
- http://secunia.com/advisories/28705 | ||
- http://secunia.com/advisories/28511 | ||
- http://secunia.com/advisories/28527 | ||
- http://wiki.rpath.com/Advisories:rPSA-2008-0063 | ||
- http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml | ||
- http://secunia.com/advisories/28943 | ||
- http://secunia.com/advisories/28860 | ||
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html | ||
- http://secunia.com/advisories/29323 | ||
- http://www.vupen.com/english/advisories/2008/0249 | ||
- http://secunia.com/advisories/48099 | ||
- http://www.securityfocus.com/archive/1/488102/100/0/threaded | ||
reported: 2008-01-17 | ||
severity: ~ | ||
- affected_versions: '>=1.33,<=1.34' | ||
cve: CVE-2008-0172 | ||
description: | | ||
The get_repeat_type function in basic_regex_creator.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (NULL dereference and crash) via an invalid regular expression. | ||
fixed_versions: '>1.34' | ||
github_security_advisory: | ||
- GHSA-6rjv-3558-988c | ||
references: | ||
- http://bugs.gentoo.org/show_bug.cgi?id=205955 | ||
- http://svn.boost.org/trac/boost/changeset/42674 | ||
- http://svn.boost.org/trac/boost/changeset/42745 | ||
- https://issues.rpath.com/browse/RPL-2143 | ||
- http://www.ubuntu.com/usn/usn-570-1 | ||
- http://www.securityfocus.com/bid/27325 | ||
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html | ||
- http://secunia.com/advisories/28545 | ||
- http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032 | ||
- http://secunia.com/advisories/28705 | ||
- http://secunia.com/advisories/28511 | ||
- http://secunia.com/advisories/28527 | ||
- http://wiki.rpath.com/Advisories:rPSA-2008-0063 | ||
- http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml | ||
- http://secunia.com/advisories/28943 | ||
- http://secunia.com/advisories/28860 | ||
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html | ||
- http://secunia.com/advisories/29323 | ||
- http://www.vupen.com/english/advisories/2008/0249 | ||
- http://secunia.com/advisories/48099 | ||
- http://www.securityfocus.com/archive/1/488102/100/0/threaded | ||
reported: 2008-01-17 | ||
severity: ~ | ||
cpansa_version: 2 | ||
name: boost | ||
url: https://www.boost.org/doc/libs/1_78_0/libs/graph/doc/index.html | ||
perl_distributions: | ||
- name: Boost-Graph | ||
last_version_checked: '1.4' | ||
affected: | ||
- perl_module_versions: '>=1,1,<=1.4' | ||
distributed_library_version: '1.33' | ||
advisories: | ||
- cve: CVE-2008-0171 | ||
description: > | ||
regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library | ||
(aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent | ||
attackers to cause a denial of service (failed assertion and crash) | ||
via an invalid regular expression. | ||
affected_versions: '>=1.33,<=1.34' | ||
fixed_versions: '>1.34' | ||
references: | ||
- http://bugs.gentoo.org/show_bug.cgi?id=205955 | ||
- http://svn.boost.org/trac/boost/changeset/42674 | ||
- http://svn.boost.org/trac/boost/changeset/42745 | ||
- https://issues.rpath.com/browse/RPL-2143 | ||
- http://www.ubuntu.com/usn/usn-570-1 | ||
- http://www.securityfocus.com/bid/27325 | ||
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html | ||
- http://secunia.com/advisories/28545 | ||
- http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032 | ||
- http://secunia.com/advisories/28705 | ||
- http://secunia.com/advisories/28511 | ||
- http://secunia.com/advisories/28527 | ||
- http://wiki.rpath.com/Advisories:rPSA-2008-0063 | ||
- http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml | ||
- http://secunia.com/advisories/28943 | ||
- http://secunia.com/advisories/28860 | ||
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html | ||
- http://secunia.com/advisories/29323 | ||
- http://www.vupen.com/english/advisories/2008/0249 | ||
- http://secunia.com/advisories/48099 | ||
- http://www.securityfocus.com/archive/1/488102/100/0/threaded | ||
reported: 2008-01-17 | ||
severity: ~ | ||
- cve: CVE-2008-0172 | ||
description: > | ||
The get_repeat_type function in basic_regex_creator.hpp in the | ||
Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows | ||
context-dependent attackers to cause a denial of service (NULL | ||
dereference and crash) via an invalid regular expression. | ||
affected_versions: '>=1.33,<=1.34' | ||
fixed_versions: '>1.34' | ||
references: | ||
- http://bugs.gentoo.org/show_bug.cgi?id=205955 | ||
- http://svn.boost.org/trac/boost/changeset/42674 | ||
- http://svn.boost.org/trac/boost/changeset/42745 | ||
- https://issues.rpath.com/browse/RPL-2143 | ||
- http://www.ubuntu.com/usn/usn-570-1 | ||
- http://www.securityfocus.com/bid/27325 | ||
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html | ||
- http://secunia.com/advisories/28545 | ||
- http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032 | ||
- http://secunia.com/advisories/28705 | ||
- http://secunia.com/advisories/28511 | ||
- http://secunia.com/advisories/28527 | ||
- http://wiki.rpath.com/Advisories:rPSA-2008-0063 | ||
- http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml | ||
- http://secunia.com/advisories/28943 | ||
- http://secunia.com/advisories/28860 | ||
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html | ||
- http://secunia.com/advisories/29323 | ||
- http://www.vupen.com/english/advisories/2008/0249 | ||
- http://secunia.com/advisories/48099 | ||
- http://www.securityfocus.com/archive/1/488102/100/0/threaded | ||
reported: 2008-01-17 | ||
severity: ~ | ||
- affected: | ||
- distributed_library_version: '1.33' | ||
perl_module_versions: '>=1,1,<=1.4' | ||
last_version_checked: '1.4' | ||
name: Boost-Graph | ||
url: https://www.boost.org/doc/libs/1_78_0/libs/graph/doc/index.html |
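Review bot: `perl_module_versions: '>=1,1,<=1.4'`, carried unchanged from the old record into the new one, has a comma where the first version needs a period; with `,` as the constraint separator this reads as three constraints (`>=1`, `1`, `<=1.4`), so it should be `'>=1.1,<=1.4'`. Worth checking in the same pass: `url:` points at the Boost.Graph documentation for 1.78.0 while both advisories in the hunk concern Boost.Regex in 1.33/1.34; if `url` is meant to identify the bundled library as a whole, the Boost project home page is the safer target.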
@@ -1,21 +1,23 @@ | ||
--- | ||
advisories: | ||
- affected_versions: '>=0' | ||
cve: X-CVE-2014-0001 | ||
description: | | ||
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via the editor box. | ||
fixed_versions: ~ | ||
github_security_advisory: | ||
- ~ | ||
references: | ||
- https://security.snyk.io/vuln/npm:bootstrap-markdown:20140826 | ||
- https://cwe.mitre.org/data/definitions/79.html | ||
reported: 2014-08-25 | ||
severity: ~ | ||
cpansa_version: 2 | ||
name: bootstrap-markdown-editor | ||
url: https://github.com/inacho/bootstrap-markdown-editor | ||
perl_distributions: | ||
- name: MySQL-Admin | ||
last_version_checked: '1.18' | ||
affected: | ||
- perl_module_versions: '>=1.14,<=1.18' | ||
distributed_library_version: '2.0.2' | ||
advisories: | ||
- cve: X-CVE-2014-0001 | ||
description: > | ||
Affected versions of the package are vulnerable to Cross-site | ||
Scripting (XSS) via the editor box. | ||
affected_versions: '>=0' | ||
fixed_versions: ~ | ||
references: | ||
- https://security.snyk.io/vuln/npm:bootstrap-markdown:20140826 | ||
- https://cwe.mitre.org/data/definitions/79.html | ||
reported: 2014-08-25 | ||
severity: ~ | ||
- affected: | ||
- distributed_library_version: 2.0.2 | ||
perl_module_versions: '>=1.14,<=1.18' | ||
last_version_checked: '1.18' | ||
name: MySQL-Admin | ||
url: https://github.com/inacho/bootstrap-markdown-editor |
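Review bot: `github_security_advisory:` here is a one-element list whose only entry is `~`, so a consumer iterating it sees a null identifier rather than an empty list; since X-CVE-2014-0001 is a locally assigned id with no GHSA, use `github_security_advisory: []` (or omit the key) so downstream code never has to special-case a null entry. Also worth a check: the record is `name: bootstrap-markdown-editor`, but its only vulnerability reference is `npm:bootstrap-markdown:20140826`, a differently named npm package; confirm the advisory applies to the editor package bundled with MySQL-Admin before the identifiers are published.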
@@ -1,23 +1,24 @@ | ||
--- | ||
advisories: | ||
- affected_versions: <1.13.6 | ||
cve: CVE-2019-20921 | ||
description: | | ||
bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser. | ||
fixed_versions: '>=1.13.6' | ||
github_security_advisory: | ||
- GHSA-7c82-mp33-r854 | ||
references: | ||
- https://github.com/advisories/GHSA-9r7h-6639-v5mw | ||
- https://github.com/snapappointments/bootstrap-select/issues/2199 | ||
- https://www.npmjs.com/advisories/1522 | ||
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457 | ||
reported: 2020-09-30 | ||
severity: medium | ||
cpansa_version: 2 | ||
name: bootstrap-select | ||
url: | ||
perl_distributions: | ||
- name: MySQL-Admin | ||
affected: | ||
- perl_module_versions: '>=1.16,<=1.18' | ||
distributed_library_version: '1.12.4' | ||
advisories: | ||
- cve: CVE-2019-20921 | ||
description: > | ||
bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). | ||
It does not escape title values in OPTION elements. This may allow | ||
attackers to execute arbitrary JavaScript in a victim's browser. | ||
affected_versions: '<1.13.6' | ||
fixed_versions: '>=1.13.6' | ||
references: | ||
- https://github.com/advisories/GHSA-9r7h-6639-v5mw | ||
- https://github.com/snapappointments/bootstrap-select/issues/2199 | ||
- https://www.npmjs.com/advisories/1522 | ||
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457 | ||
reported: 2020-09-30 | ||
severity: medium | ||
- affected: | ||
- distributed_library_version: 1.12.4 | ||
perl_module_versions: '>=1.16,<=1.18' | ||
name: MySQL-Admin | ||
url: ~ |
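Review bot: the new `github_security_advisory:` entry for CVE-2019-20921 is `GHSA-7c82-mp33-r854`, but the reference list for the same CVE cites `https://github.com/advisories/GHSA-9r7h-6639-v5mw`; the two identifiers should be reconciled (both listed if both cover this CVE, otherwise the stale one dropped), since the purpose of this change is to make the GHSA id authoritative. Minor: the top-level `url:` is left with an empty value where the old record had `url: ~`; both parse as null, but the explicit `~` is what the other records in this commit use for missing values.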