diff --git a/advisories/github-reviewed/2022/05/GHSA-cpcw-p965-wpqx/GHSA-cpcw-p965-wpqx.json b/advisories/github-reviewed/2022/05/GHSA-cpcw-p965-wpqx/GHSA-cpcw-p965-wpqx.json new file mode 100644 index 0000000000000..41d178cd0acc8 --- /dev/null +++ b/advisories/github-reviewed/2022/05/GHSA-cpcw-p965-wpqx/GHSA-cpcw-p965-wpqx.json @@ -0,0 +1,81 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cpcw-p965-wpqx", + "modified": "2023-08-02T22:38:29Z", + "published": "2022-05-24T17:21:16Z", + "aliases": [ + "CVE-2020-14019" + ], + "summary": "rtslib-fb weak permissions for /etc/target/saveconfig.json file", + "details": "Python rtslib-fb through 2.1.72 has weak permissions for `/etc/target/saveconfig.json` because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "rtslib-fb" + }, + "ecosystem_specific": { + "affected_functions": [ + "rtslib.root.RTSRoot.save_to_file" + ] + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.73" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2.1.72" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14019" + }, + { + "type": "WEB", + "url": "https://github.com/open-iscsi/rtslib-fb/pull/162" + }, + { + "type": "WEB", + "url": "https://github.com/open-iscsi/rtslib-fb/commit/b23d061ee0fa7924d2cdce6194c313b9ee06c468" + }, + { + "type": "PACKAGE", + "url": "https://github.com/open-iscsi/rtslib-fb" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNMCV2DJJTX345YYBXAMJBXNNVUZQ5UH/" + }, + { + "type": "WEB", + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00012.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-276" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2023-08-02T22:38:29Z", + "nvd_published_at": "2020-06-19T11:15:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2022/05/GHSA-cpcw-p965-wpqx/GHSA-cpcw-p965-wpqx.json b/advisories/unreviewed/2022/05/GHSA-cpcw-p965-wpqx/GHSA-cpcw-p965-wpqx.json deleted file mode 100644 index b2af7821e35b9..0000000000000 --- a/advisories/unreviewed/2022/05/GHSA-cpcw-p965-wpqx/GHSA-cpcw-p965-wpqx.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-cpcw-p965-wpqx", - "modified": "2022-05-24T17:21:16Z", - "published": "2022-05-24T17:21:16Z", - "aliases": [ - "CVE-2020-14019" - ], - "details": "Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved.", - "severity": [ - - ], - "affected": [ - - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14019" - }, - { - "type": "WEB", - "url": "https://github.com/open-iscsi/rtslib-fb/pull/162" - }, - { - "type": "WEB", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNMCV2DJJTX345YYBXAMJBXNNVUZQ5UH/" - }, - { - "type": "WEB", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00012.html" - } - ], - "database_specific": { - "cwe_ids": [ - - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2020-06-19T11:15:00Z" - } -} \ No newline at end of file