From 2ec24cedea70006ec299e10d38e1a8c13600150d Mon Sep 17 00:00:00 2001
From: Weston Steimel
Date: Wed, 16 Oct 2024 11:51:54 +0100
Subject: [PATCH] add openjfx related data
Signed-off-by: Weston Steimel
---
data/anchore/2023/CVE-2023-42950.json | 202 ++++++++++++++++++++++++++
data/anchore/2024/CVE-2024-25062.json | 127 ++++++++++++++++
data/anchore/2024/CVE-2024-36138.json | 35 ++++-
3 files changed, 363 insertions(+), 1 deletion(-)
create mode 100644 data/anchore/2023/CVE-2023-42950.json
create mode 100644 data/anchore/2024/CVE-2024-25062.json
diff --git a/data/anchore/2023/CVE-2023-42950.json b/data/anchore/2023/CVE-2023-42950.json
new file mode 100644
index 00000000..f08c8037
--- /dev/null
+++ b/data/anchore/2023/CVE-2023-42950.json
@@ -0,0 +1,202 @@
+{
+ "additionalMetadata": {
+ "cna": "apple",
+ "cveId": "CVE-2023-42950",
+ "description": "A use after free issue was addressed with improved memory management. This issue is fixed in Safari 17.2, iOS 17.2 and iPadOS 17.2, tvOS 17.2, watchOS 10.2, macOS Sonoma 14.2. Processing maliciously crafted web content may lead to arbitrary code execution.",
+ "needsReview": true,
+ "reason": "Adds additional affected products per Oracle patch advisory",
+ "references": [
+ "http://www.openwall.com/lists/oss-security/2024/03/26/1",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXLXIOAH5S7J22LJTCIAVFVVJ4TESAX4/",
+ "https://support.apple.com/en-us/HT214035",
+ "https://support.apple.com/en-us/HT214036",
+ "https://support.apple.com/en-us/HT214039",
+ "https://support.apple.com/en-us/HT214040",
+ "https://support.apple.com/en-us/HT214041",
+ "https://support.apple.com/kb/HT214039"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Safari",
+ "vendor": "Apple",
+ "versions": [
+ {
+ "lessThan": "17.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*"
+ ],
+ "product": "iPadOS",
+ "vendor": "Apple",
+ "versions": [
+ {
+ "lessThan": "17.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*"
+ ],
+ "product": "iOS",
+ "vendor": "Apple",
+ "versions": [
+ {
+ "lessThan": "17.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*"
+ ],
+ "product": "tvOS",
+ "vendor": "Apple",
+ "versions": [
+ {
+ "lessThan": "17.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*"
+ ],
+ "product": "macOS",
+ "vendor": "Apple",
+ "versions": [
+ {
+ "lessThan": "14.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*"
+ ],
+ "product": "watchOS",
+ "vendor": "Apple",
+ "versions": [
+ {
+ "lessThan": "10.2",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://repo.maven.apache.org/maven2",
+ "cpes": [
+ "cpe:2.3:a:openjdk:jfx:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:oracle:openjfx:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:org.openjfx:javafx-web:*:*:*:*:*:maven:*:*"
+ ],
+ "packageName": "org.openjfx:javafx-web",
+ "packageType": "maven",
+ "product": "OpenJFX",
+ "repo": "https://github.com/openjdk/jfx",
+ "vendor": "Oracle Corporation",
+ "versions": [
+ {
+ "lessThan": "17.0.13",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "21.0.5",
+ "status": "affected",
+ "version": "18-ea",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.1",
+ "status": "affected",
+ "version": "22-ea",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
+ "cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:*",
+ "cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Java SE",
+ "vendor": "Oracle Corporation",
+ "versions": [
+ {
+ "lessThan": "1.8.0_431",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "8.0.431",
+ "status": "affected",
+ "version": "1.9-ea",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:a:oracle:graalvm_enterprise:*:*:*:*:*:*:*:*"
+ ],
+ "product": "GraalVM Enterprise",
+ "vendor": "Oracle Corporation",
+ "versions": [
+ {
+ "lessThan": "20.3.16",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "21.3.12",
+ "status": "affected",
+ "version": "21-ea",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
+ },
+ {
+ "url": "https://openjdk.org/groups/vulnerability/advisories/2024-10-15"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-25062.json b/data/anchore/2024/CVE-2024-25062.json
new file mode 100644
index 00000000..00ee71e8
--- /dev/null
+++ b/data/anchore/2024/CVE-2024-25062.json
@@ -0,0 +1,127 @@
+{
+ "additionalMetadata": {
+ "cna": "mitre",
+ "cveId": "CVE-2024-25062",
+ "description": "An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.",
+ "reason": "Add additional affected entries per Oracle patch advisories",
+ "references": [
+ "https://gitlab.gnome.org/GNOME/libxml2/-/issues/604",
+ "https://gitlab.gnome.org/GNOME/libxml2/-/tags"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*"
+ ],
+ "product": "libxml2",
+ "repo": "https://gitlab.gnome.org/GNOME/libxml2",
+ "vendor": "xmlsoft",
+ "versions": [
+ {
+ "lessThan": "2.11.7",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "2.12.5",
+ "status": "affected",
+ "version": "2.12.0",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "collectionURL": "https://repo.maven.apache.org/maven2",
+ "cpes": [
+ "cpe:2.3:a:openjdk:jfx:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:oracle:openjfx:*:*:*:*:*:maven:*:*",
+ "cpe:2.3:a:org.openjfx:javafx-web:*:*:*:*:*:maven:*:*"
+ ],
+ "packageName": "org.openjfx:javafx-web",
+ "packageType": "maven",
+ "product": "OpenJFX",
+ "repo": "https://github.com/openjdk/jfx",
+ "vendor": "Oracle Corporation",
+ "versions": [
+ {
+ "lessThan": "17.0.13",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "21.0.5",
+ "status": "affected",
+ "version": "18-ea",
+ "versionType": "semver"
+ },
+ {
+ "lessThan": "23.0.1",
+ "status": "affected",
+ "version": "22-ea",
+ "versionType": "semver"
+ }
+ ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
+ "cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:*",
+ "cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*"
+ ],
+ "product": "Java SE",
+ "vendor": "Oracle Corporation",
+ "versions": [
+ {
+ "lessThan": "1.8.0_431",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "8.0.431",
+ "status": "affected",
+ "version": "1.9-ea",
+ "versionType": "custom"
+ }
+ ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:a:oracle:graalvm_enterprise:*:*:*:*:*:*:*:*"
+ ],
+ "product": "GraalVM Enterprise",
+ "vendor": "Oracle Corporation",
+ "versions": [
+ {
+ "lessThan": "20.3.16",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "21.3.12",
+ "status": "affected",
+ "version": "21-ea",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ },
+ "references": [
+ {
+ "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
+ },
+ {
+ "url": "https://openjdk.org/groups/vulnerability/advisories/2024-10-15"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/anchore/2024/CVE-2024-36138.json b/data/anchore/2024/CVE-2024-36138.json
index ec4f7204..527a1959 100644
--- a/data/anchore/2024/CVE-2024-36138.json
+++ b/data/anchore/2024/CVE-2024-36138.json
@@ -39,11 +39,44 @@
 "versionType": "semver"
 }
 ]
+ },
+ {
+ "cpes": [
+ "cpe:2.3:a:oracle:graalvm:*:*:*:*:*:*:*:*",
+ "cpe:2.3:a:oracle:graalvm_for_jdk:*:*:*:*:*:*:*:*"
+ ],
+ "product": "GraalVM For JDK",
+ "vendor": "Oracle Corporation",
+ "versions": [
+ {
+ "lessThan": "17.0.13",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "21.0.5",
+ "status": "affected",
+ "version": "18-ea",
+ "versionType": "custom"
+ },
+ {
+ "lessThan": "23.0.1",
+ "status": "affected",
+ "version": "22-ea",
+ "versionType": "custom"
+ }
+ ]
 }
 ],
 "providerMetadata": {
 "orgId": "00000000-0000-4000-8000-000000000000",
 "shortName": "anchoreadp"
- }
+ },
+ "references": [
+ {
+ "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
+ }
+ ]
 }
}
\ No newline at end of file