From f89d7b5f6c69fe174fcf6d0f0aa962166b6541cf Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Tue, 12 Nov 2024 14:11:13 +0000 Subject: [PATCH] add arbitrary upper bound on ancient Apache http server cves Signed-off-by: Weston Steimel --- data/anchore/1999/CVE-1999-0236.json | 34 ++++++++++++++++++++++++ data/anchore/1999/CVE-1999-1237.json | 35 +++++++++++++++++++++++++ data/anchore/1999/CVE-1999-1412.json | 3 +-- data/anchore/2007/CVE-2007-0086.json | 39 ++++++++++++++++++++++++++++ data/anchore/2015/CVE-2015-8863.json | 1 - 5 files changed, 109 insertions(+), 3 deletions(-) create mode 100644 data/anchore/1999/CVE-1999-0236.json create mode 100644 data/anchore/1999/CVE-1999-1237.json create mode 100644 data/anchore/2007/CVE-2007-0086.json diff --git a/data/anchore/1999/CVE-1999-0236.json b/data/anchore/1999/CVE-1999-0236.json new file mode 100644 index 00000000..0f44ce82 --- /dev/null +++ b/data/anchore/1999/CVE-1999-0236.json @@ -0,0 +1,34 @@ +{ + "additionalMetadata": { + "cna": "mitre", + "cveId": "CVE-1999-0236", + "description": "ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.", + "reason": "Define a sufficiently old upper bound for this ancient CVE with few remaining details", + "references": [ + "https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0236" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*" + ], + "product": "Apache HTTP Server", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThanOrEqual": "1.3.42", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/1999/CVE-1999-1237.json b/data/anchore/1999/CVE-1999-1237.json new file mode 100644 index 00000000..67cc99b2 --- /dev/null +++ b/data/anchore/1999/CVE-1999-1237.json @@ -0,0 +1,35 @@ +{ + "additionalMetadata": { + "cna": "mitre", + "cveId": "CVE-1999-1237", + "description": "Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allows remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods.", + "reason": "Define a sufficiently old upper bound for this ancient CVE with few remaining details", + "references": [ + "http://www.securityfocus.com/archive/1/14384", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/2272" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*" + ], + "product": "Apache HTTP Server", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThanOrEqual": "1.3.42", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/1999/CVE-1999-1412.json b/data/anchore/1999/CVE-1999-1412.json index a4f1b5d7..7df68ede 100644 --- a/data/anchore/1999/CVE-1999-1412.json +++ b/data/anchore/1999/CVE-1999-1412.json @@ -3,7 +3,6 @@ "cna": "mitre", "cveId": "CVE-1999-1412", "description": "A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes.", - "needsReview": true, "reason": "Mark as specific to MacOS", "references": [ "http://www.securityfocus.com/archive/1/14215", @@ -23,7 +22,7 @@ "vendor": "Apache Software Foundation", "versions": [ { - "lessThanOrEqual": "*", + "lessThanOrEqual": "1.3.42", "status": "affected", "version": "0", "versionType": "custom" diff --git a/data/anchore/2007/CVE-2007-0086.json b/data/anchore/2007/CVE-2007-0086.json new file mode 100644 index 00000000..bc5d2383 --- /dev/null +++ b/data/anchore/2007/CVE-2007-0086.json @@ -0,0 +1,39 @@ +{ + "additionalMetadata": { + "cna": "mitre", + "cveId": "CVE-2007-0086", + "description": "The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal", + "disputed": true, + "reason": "Define a sufficiently old upper bound for this ancient CVE with few remaining details", + "references": [ + "http://osvdb.org/33456", + "http://www.securityfocus.com/archive/1/455833/100/0/threaded", + "http://www.securityfocus.com/archive/1/455879/100/0/threaded", + "http://www.securityfocus.com/archive/1/455882/100/0/threaded", + "http://www.securityfocus.com/archive/1/455920/100/0/threaded" + ] + }, + "adp": { + "affected": [ + { + "cpes": [ + "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*" + ], + "product": "Apache HTTP Server", + "vendor": "Apache Software Foundation", + "versions": [ + { + "lessThanOrEqual": "1.3.42", + "status": "affected", + "version": "0", + "versionType": "custom" + } + ] + } + ], + "providerMetadata": { + "orgId": "00000000-0000-4000-8000-000000000000", + "shortName": "anchoreadp" + } + } +} \ No newline at end of file diff --git a/data/anchore/2015/CVE-2015-8863.json b/data/anchore/2015/CVE-2015-8863.json index df6b767d..8918d1e4 100644 --- a/data/anchore/2015/CVE-2015-8863.json +++ b/data/anchore/2015/CVE-2015-8863.json @@ -3,7 +3,6 @@ "cna": "debian", "cveId": "CVE-2015-8863", "description": "Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (crash) via a long JSON-encoded number, which triggers a heap-based buffer overflow.", - "needsReview": true, "reason": "Added fix version", "references": [ "http://lists.opensuse.org/opensuse-updates/2016-05/msg00012.html",