
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20244187",
"Version": "oval:org.altlinux.errata:def:20244187",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-4187: package `vault` update to version 1.13.12-alt2",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c10f1"
],
"Products": [
"ALT SP Workstation",
"ALT SP Server"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-4187",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-4187",
"Source": "ALTPU"
},
{
"RefID": "BDU:2023-08660",
"RefURL": "https://bdu.fstec.ru/vul/2023-08660",
"Source": "BDU"
},
{
"RefID": "CVE-2023-3775",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-3775",
"Source": "CVE"
},
{
"RefID": "CVE-2023-4680",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-4680",
"Source": "CVE"
},
{
"RefID": "CVE-2023-6337",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-6337",
"Source": "CVE"
}
],
"Description": "This update upgrades vault to version 1.13.12-alt2. \nSecurity Fix(es):\n\n * BDU:2023-08660: Уязвимость компонента max_request_duration платформ для архивирования корпоративной информации HashiCorp Vault и Vault Enterprise, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2023-3775: A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace can be applied to requests outside in another non-descendant namespace, potentially resulting in denial of service. Fixed in Vault Enterprise 1.15.0, 1.14.4, 1.13.8.\n\n * CVE-2023-4680: HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.\n\n * CVE-2023-6337: HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.\n\nFixed in Vault 1.15.4, 1.14.8, 1.13.12.\n\n",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-03-25"
},
"Updated": {
"Date": "2024-03-25"
},
"BDUs": [
{
"ID": "BDU:2023-08660",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-770",
"Href": "https://bdu.fstec.ru/vul/2023-08660",
"Impact": "High",
"Public": "20231127"
}
],
"CVEs": [
{
"ID": "CVE-2023-3775",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-3775",
"Impact": "Low",
"Public": "20230929"
},
{
"ID": "CVE-2023-4680",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"CWE": "CWE-20",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-4680",
"Impact": "Low",
"Public": "20230915"
},
{
"ID": "CVE-2023-6337",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-770",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-6337",
"Impact": "High",
"Public": "20231208"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:spworkstation:10",
"cpe:/o:alt:spserver:10"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:4001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20244187001",
"Comment": "vault is earlier than 0:1.13.12-alt2"
}
]
}
]
}
}
]
}