From 404313b092c4bd666bd192ee35c0e7f97365d19b Mon Sep 17 00:00:00 2001
From: cvelistV5 Github Action
Date: Tue, 31 Dec 2024 01:35:07 +0000
Subject: [PATCH] 2 changes (2 new | 0 updated): - 2 new CVEs: CVE-2024-12838, CVE-2024-12839 - 0 updated CVEs:
---
cves/2024/12xxx/CVE-2024-12838.json | 134 ++++++++++++++++++++++++++
cves/2024/12xxx/CVE-2024-12839.json | 143 ++++++++++++++++++++++++++++
cves/delta.json | 22 ++---
cves/deltaLog.json | 20 ++++
4 files changed, 308 insertions(+), 11 deletions(-)
create mode 100644 cves/2024/12xxx/CVE-2024-12838.json
create mode 100644 cves/2024/12xxx/CVE-2024-12839.json
diff --git a/cves/2024/12xxx/CVE-2024-12838.json b/cves/2024/12xxx/CVE-2024-12838.json
new file mode 100644
index 000000000000..e44515ba3b6c
--- /dev/null
+++ b/cves/2024/12xxx/CVE-2024-12838.json
@@ -0,0 +1,134 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2024-12838",
+ "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
+ "state": "PUBLISHED",
+ "assignerShortName": "twcert",
+ "dateReserved": "2024-12-20T03:29:52.945Z",
+ "datePublished": "2024-12-31T01:24:48.680Z",
+ "dateUpdated": "2024-12-31T01:24:48.680Z"
+ },
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "product": "CGFIDO",
+ "vendor": "Changing Information Technology",
+ "versions": [
+ {
+ "lessThan": "1.1.0",
+ "status": "affected",
+ "version": "0.0.1",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2024-12-31T01:21:00.000Z",
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "The passwordless login mechanism in CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability, allowing remote attackers with regular privileges to send a crafted request to switch to the identity of any user, including administrators."
+ }
+ ],
+ "value": "The passwordless login mechanism in CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability, allowing remote attackers with regular privileges to send a crafted request to switch to the identity of any user, including administrators."
+ }
+ ],
+ "impacts": [
+ {
+ "capecId": "CAPEC-233",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CAPEC-233 Privilege Escalation"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.8,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ },
+ "format": "CVSS",
+ "scenarios": [
+ {
+ "lang": "en",
+ "value": "GENERAL"
+ }
+ ]
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-302",
+ "description": "CWE-302 Authentication Bypass by Assumed-Immutable Data",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
+ "shortName": "twcert",
+ "dateUpdated": "2024-12-31T01:24:48.680Z"
+ },
+ "references": [
+ {
+ "tags": [
+ "third-party-advisory"
+ ],
+ "url": "https://www.twcert.org.tw/tw/cp-132-8332-2100f-1.html"
+ },
+ {
+ "tags": [
+ "third-party-advisory"
+ ],
+ "url": "https://www.twcert.org.tw/en/cp-139-8333-32cf8-2.html"
+ }
+ ],
+ "solutions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Update to version 1.2.0 or later.\n\n
" + } + ], + "value": "Update to version 1.2.0 or later." + } + ], + "source": { + "advisory": "TVN-202412008", + "discovery": "EXTERNAL" + }, + "title": "Changing Information Technology CGFIDO - Authentication Bypass", + "x_generator": { + "engine": "Vulnogram 0.2.0" + } + } + } +} \ No newline at end of file diff --git a/cves/2024/12xxx/CVE-2024-12839.json b/cves/2024/12xxx/CVE-2024-12839.json new file mode 100644 index 000000000000..dc08065c2aa7 --- /dev/null +++ b/cves/2024/12xxx/CVE-2024-12839.json 
@@ -0,0 +1,143 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.1",
+ "cveMetadata": {
+ "cveId": "CVE-2024-12839",
+ "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
+ "state": "PUBLISHED",
+ "assignerShortName": "twcert",
+ "dateReserved": "2024-12-20T03:29:54.215Z",
+ "datePublished": "2024-12-31T01:32:11.422Z",
+ "dateUpdated": "2024-12-31T01:32:11.422Z"
+ },
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "product": "CGFIDO",
+ "vendor": "Changing Information Technology",
+ "versions": [
+ {
+ "lessThan": "1.2.1",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "datePublic": "2024-12-31T01:26:00.000Z",
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "The login mechanism via device authentication of CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability. If a user visits a forged website, the agent program deployed on their device will send an authentication signature to the website. An unauthenticated remote attacker who obtains this signature can use it to log into the system with any device."
+ }
+ ],
+ "value": "The login mechanism via device authentication of CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability. If a user visits a forged website, the agent program deployed on their device will send an authentication signature to the website. An unauthenticated remote attacker who obtains this signature can use it to log into the system with any device."
+ }
+ ],
+ "impacts": [
+ {
+ "capecId": "CAPEC-98",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CAPEC-98 Phishing"
+ }
+ ]
+ },
+ {
+ "capecId": "CAPEC-22",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "CAPEC-22 Exploiting Trust in Client"
+ }
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "cvssV3_1": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.8,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "NONE",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ },
+ "format": "CVSS",
+ "scenarios": [
+ {
+ "lang": "en",
+ "value": "GENERAL"
+ }
+ ]
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-294",
+ "description": "CWE-294 Authentication Bypass by Capture-replay",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
+ "shortName": "twcert",
+ "dateUpdated": "2024-12-31T01:32:11.422Z"
+ },
+ "references": [
+ {
+ "tags": [
+ "third-party-advisory"
+ ],
+ "url": "https://www.twcert.org.tw/tw/cp-132-8334-8b836-1.html"
+ },
+ {
+ "tags": [
+ "third-party-advisory"
+ ],
+ "url": "https://www.twcert.org.tw/en/cp-139-8335-e4a3f-2.html"
+ }
+ ],
+ "solutions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "  Update to version 1.2.2 or later"
+ }
+ ],
+ "value": "Update to version 1.2.2 or later"
+ }
+ ],
+ "source": {
+ "advisory": "TVN-202412009",
+ "discovery": "EXTERNAL"
+ },
+ "title": "Changing Information Technology CGFIDO - Authentication Bypass",
+ "x_generator": {
+ "engine": "Vulnogram 0.2.0"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/cves/delta.json b/cves/delta.json
index 395be234629b..00cea4ff07cd 100644
--- a/cves/delta.json
+++ b/cves/delta.json
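Review bot: The `versions` entry in this record starts its range at `"version": "0"` with `"versionType": "custom"`, while the CVE-2024-12838 record for the same product starts at `"0.0.1"`; a custom version type leaves the comparison semantics of `lessThan` unspecified, so automated matchers may evaluate the two ranges inconsistently or skip them. If CGFIDO release numbers follow semantic versioning (the record does not say), `"versionType": "semver"` and a common lower bound across both records would make the ranges machine-checkable. Separately, the HTML `value` under `solutions` → `supportingMedia` carries leading whitespace that the plain-text `value` does not, which looks like leftover editor markup worth trimming.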
@@ -1,20 +1,20 @@ { - "fetchTime": "2024-12-30T23:51:36.591Z", + "fetchTime": "2024-12-31T01:34:52.764Z", "numberOfChanges": 2, - "new": [], - "updated": [ + "new": [ { - "cveId": "CVE-2024-12752", - "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-12752", - "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/12xxx/CVE-2024-12752.json", - "dateUpdated": "2024-12-30T23:48:49.695Z" + "cveId": "CVE-2024-12838", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-12838", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/12xxx/CVE-2024-12838.json", + "dateUpdated": "2024-12-31T01:24:48.680Z" }, { - "cveId": "CVE-2024-46542", - "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-46542", - "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/46xxx/CVE-2024-46542.json", - "dateUpdated": "2024-12-30T23:50:06.199Z" + "cveId": "CVE-2024-12839", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-12839", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/12xxx/CVE-2024-12839.json", + "dateUpdated": "2024-12-31T01:32:11.422Z" } ], + "updated": [], "error": [] } \ No newline at end of file diff --git a/cves/deltaLog.json b/cves/deltaLog.json index 4cdcefdc5c42..b9b2972aa0dd 100644 --- a/cves/deltaLog.json +++ b/cves/deltaLog.json 
@@ -1,4 +1,24 @@ [ + { + "fetchTime": "2024-12-31T01:34:52.764Z", + "numberOfChanges": 2, + "new": [ + { + "cveId": "CVE-2024-12838", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-12838", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/12xxx/CVE-2024-12838.json", + "dateUpdated": "2024-12-31T01:24:48.680Z" + }, + { + "cveId": "CVE-2024-12839", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-12839", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/12xxx/CVE-2024-12839.json", + "dateUpdated": "2024-12-31T01:32:11.422Z" + } + ], + "updated": [], + "error": [] + }, { "fetchTime": "2024-12-30T23:51:36.591Z", "numberOfChanges": 2,