From b7cb2084baea658e51c9065dc54ce649f48e972a Mon Sep 17 00:00:00 2001 
From: Karl Cardenas <29551334+karl-cardenas-coding@users.noreply.github.com> Date: Wed, 27 Nov 2024 11:22:56 -0700 Subject: [PATCH] chore: DOC-1325 security bulletin component (#3639) * chore: security bulletin * chore: fix gitignore * docs: DOC-1356 * docs: add cve cards * docs: progress on component * docs: progress * docs: working prototype * docs: protype * docs: default sort order * chore: WIP * chore: placeholder * chore: fixed route duplicates * chore: fixed path * chore: adde routing * chore: improve log output * chore: cleaned up global variable * chore: fixed plugin name * chore: fix date to pull data using west coast * chore: update plugin * chore: save * chore: added logic for generating markdown files * docs: add more fields to the markdown template * chore: refactored plugin to node script * chore: added types * chore: prettier ignore * save * docs: fixes * chore: fix table * chore: added sorting for versions * chore: wip * docs: fix CVE redirects * chore: updated to use new API * chore: updated sorting * docs: add affected versions * docs: add revision history * docs: add tests for revision history * docs: change column names and array formatting * chore: updated logic to handle multple product instances * chore: add package name * chore: support for multiple versions without breaking table * chore: update comment * chore: fix jank page behavior issue * chore: CSS cleanup * chore: updated table to sort by version * chore: updated CSS to not display table for small displays * chore: updated view * tests: fixed tests * chore: sort revision history by date * chore: update * chore: add sorting to Third Party Vulnerability * chore: progress * chore: fix revision logic and simplified logic to improve readability * chore: memory optimization * chore: more improvements * chore: ci * chore: fix logger * chore: udate * chore: fixed semver sorting in affected tables * chore: removed newlines from revision * docs: added virtual list with fixed header * docs: 
added missing columns * chore: fixed broken URL * chore: add ability to link tab * docs: added explenation of status * chore: updated state to status * ci: set logic for skipping security bulletins * chore: add logic for no CVE * docs: updated README * chore: save * ci: test change * ci: bump eslint * chore: fix eslint * chore: ignore eslint * chore: fix jitter --------- Co-authored-by: Lenny Chen --- .github/workflows/api_format.yaml | 2 + .github/workflows/dependabot.yaml | 2 + .github/workflows/nightly-docker-build.yaml | 2 + .github/workflows/post_release.yaml | 2 + .github/workflows/pull_request.yaml | 2 + .github/workflows/release-branch-pr.yaml | 2 + .github/workflows/release-preview.yaml | 2 + .github/workflows/release.yaml | 6 +- .github/workflows/screenshot_capture.yaml | 2 + .github/workflows/versions_robot.yaml | 5 +- .github/workflows/visual-comparison.yaml | 2 + .gitignore | 5 + .prettierignore | 1 + Makefile | 7 +- README.md | 22 + babel.config.js | 4 - .../reports/cve-2005-2541.md | 44 -- .../reports/cve-2012-2663.md | 47 -- .../reports/cve-2015-20107.md | 46 -- .../reports/cve-2015-8855.md | 44 -- .../reports/cve-2016-1585.md | 43 -- .../reports/cve-2016-20013.md | 46 -- .../reports/cve-2017-11164.md | 46 -- .../reports/cve-2018-20225.md | 47 -- .../reports/cve-2018-20657.md | 47 -- .../reports/cve-2018-20796.md | 46 -- .../reports/cve-2018-20839.md | 47 -- .../reports/cve-2019-1010022.md | 47 -- .../reports/cve-2019-12900.md | 45 -- .../reports/cve-2019-17543.md | 44 -- .../reports/cve-2019-19244.md | 44 -- .../reports/cve-2019-9192.md | 47 -- .../reports/cve-2019-9674.md | 44 -- .../reports/cve-2019-9923.md | 44 -- .../reports/cve-2019-9936.md | 44 -- .../reports/cve-2019-9937.md | 44 -- .../reports/cve-2020-35512.md | 46 -- .../reports/cve-2020-36325.md | 46 -- .../reports/cve-2021-3737.md | 45 -- .../reports/cve-2021-39537.md | 45 -- .../reports/cve-2021-42694.md | 56 --- .../reports/cve-2021-46848.md | 47 -- .../reports/cve-2022-0391.md | 47 
-- .../reports/cve-2022-23990.md | 43 -- .../reports/cve-2022-25883.md | 44 -- .../reports/cve-2022-28357.md | 47 -- .../reports/cve-2022-28948.md | 46 -- .../reports/cve-2022-41409.md | 46 -- .../reports/cve-2022-41723.md | 47 -- .../reports/cve-2022-41724.md | 49 -- .../reports/cve-2022-41725.md | 63 --- .../reports/cve-2022-45061.md | 53 --- .../reports/cve-2022-48560.md | 46 -- .../reports/cve-2022-48565.md | 48 -- .../reports/cve-2022-4899.md | 46 -- .../reports/cve-2023-0464.md | 48 -- .../reports/cve-2023-24329.md | 47 -- .../reports/cve-2023-24534.md | 53 --- .../reports/cve-2023-24536.md | 60 --- .../reports/cve-2023-24537.md | 46 -- .../reports/cve-2023-24538.md | 55 --- .../reports/cve-2023-24539.md | 48 -- .../reports/cve-2023-24540.md | 50 -- .../reports/cve-2023-26604.md | 48 -- .../reports/cve-2023-27534.md | 45 -- .../reports/cve-2023-29400.md | 50 -- .../reports/cve-2023-29403.md | 49 -- .../reports/cve-2023-29499.md | 43 -- .../reports/cve-2023-32636.md | 45 -- .../reports/cve-2023-37920.md | 48 -- .../reports/cve-2023-39325.md | 48 -- .../reports/cve-2023-4156.md | 43 -- .../reports/cve-2023-44487.md | 44 -- .../reports/cve-2023-45142.md | 48 -- .../reports/cve-2023-45287.md | 50 -- .../reports/cve-2023-47108.md | 48 -- .../reports/cve-2023-49569.md | 51 --- .../reports/cve-2023-52356.md | 48 -- .../reports/cve-2024-0743.md | 47 -- .../reports/cve-2024-0760.md | 51 --- .../reports/cve-2024-1737.md | 54 --- .../reports/cve-2024-1975.md | 52 --- .../reports/cve-2024-21626.md | 52 --- .../reports/cve-2024-24790.md | 45 -- .../reports/cve-2024-32002.md | 53 --- .../reports/cve-2024-35325.md | 47 -- .../reports/cve-2024-3651.md | 51 --- .../reports/cve-2024-37370.md | 48 -- .../reports/cve-2024-37371.md | 49 -- .../reports/cve-2024-38428.md | 51 --- .../reports/cve-2024-45490.md | 50 -- .../reports/cve-2024-45491.md | 50 -- .../reports/cve-2024-45492.md | 51 --- .../reports/cve-2024-6197.md | 52 --- .../reports/cve-2024-6232.md | 53 --- 
.../reports/cve-2024-7592.md | 49 -- .../reports/ghsa-74fp-r6jw-h4mp.md | 50 -- .../reports/ghsa-m425-mq94-257g.md | 50 -- .../security-bulletins/reports/reports.md | 168 ------- .../security-bulletins/reports/reports.mdx | 50 ++ .../security-bulletins/security-bulletins.md | 11 +- package-lock.json | 426 ++++++++++++------ package.json | 9 +- redirects.js | 85 ++++ .../CveReportTable.module.scss | 35 ++ .../CveReportsTable/CveReportsTable.tsx | 273 +++++++++++ src/components/CveReportsTable/index.ts | 3 + utils/cves/index.js | 283 ++++++++++++ utils/cves/requests.js | 52 +++ utils/helpers/affected-table.js | 48 ++ utils/helpers/affected-table.test.js | 47 ++ utils/helpers/date.js | 23 + utils/helpers/dates.test.js | 51 +++ utils/helpers/revision-history.js | 104 +++++ utils/helpers/revision-history.test.js | 186 ++++++++ utils/helpers/string.js | 16 + utils/helpers/string.test.js | 57 +++ 117 files changed, 1669 insertions(+), 4262 deletions(-) delete mode 100644 babel.config.js delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2005-2541.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2012-2663.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2015-20107.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2015-8855.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2016-1585.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2016-20013.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2017-11164.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2018-20225.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2018-20657.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2018-20796.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2018-20839.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2019-1010022.md delete mode 100644 
docs/docs-content/security-bulletins/reports/cve-2019-12900.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2019-17543.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2019-19244.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2019-9192.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2019-9674.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2019-9923.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2019-9936.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2019-9937.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2020-35512.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2020-36325.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2021-3737.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2021-39537.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2021-42694.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2021-46848.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-0391.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-23990.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-25883.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-28357.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-28948.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-41409.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-41723.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-41724.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-41725.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-45061.md delete mode 100644 
docs/docs-content/security-bulletins/reports/cve-2022-48560.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-48565.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2022-4899.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-0464.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24329.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24534.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24536.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24537.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24538.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24539.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-24540.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-26604.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-27534.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-29400.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-29403.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-29499.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-32636.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-37920.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-39325.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-4156.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-44487.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-45142.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-45287.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-47108.md delete mode 100644 
docs/docs-content/security-bulletins/reports/cve-2023-49569.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2023-52356.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-0743.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-0760.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-1737.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-1975.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-21626.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-24790.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-32002.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-35325.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-3651.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-37370.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-37371.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-38428.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-45490.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-45491.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-45492.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-6197.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-6232.md delete mode 100644 docs/docs-content/security-bulletins/reports/cve-2024-7592.md delete mode 100644 docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md delete mode 100644 docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md delete mode 100644 docs/docs-content/security-bulletins/reports/reports.md create mode 100644 docs/docs-content/security-bulletins/reports/reports.mdx create mode 100644 
src/components/CveReportsTable/CveReportTable.module.scss create mode 100644 src/components/CveReportsTable/CveReportsTable.tsx create mode 100644 src/components/CveReportsTable/index.ts create mode 100644 utils/cves/index.js create mode 100644 utils/cves/requests.js create mode 100644 utils/helpers/affected-table.js create mode 100644 utils/helpers/affected-table.test.js create mode 100644 utils/helpers/date.js create mode 100644 utils/helpers/dates.test.js create mode 100644 utils/helpers/revision-history.js create mode 100644 utils/helpers/revision-history.test.js create mode 100644 utils/helpers/string.js create mode 100644 utils/helpers/string.test.js
diff --git a/.github/workflows/api_format.yaml b/.github/workflows/api_format.yaml
index 371526c2ca..df9c1b81e9 100644
--- a/.github/workflows/api_format.yaml
+++ b/.github/workflows/api_format.yaml
@@ -19,6 +19,8 @@ env:
 ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
 PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
 DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+ DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+ DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
 backport:
diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml
index 821cf1a663..52e7f2c45d 100644
--- a/.github/workflows/dependabot.yaml
+++ b/.github/workflows/dependabot.yaml
@@ -23,6 +23,8 @@ env:
 ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
 PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
 DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+ DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+ DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
 dependabot_build:
diff --git a/.github/workflows/nightly-docker-build.yaml b/.github/workflows/nightly-docker-build.yaml
index b76e0e7c76..1eb4f26c7f 100644
--- a/.github/workflows/nightly-docker-build.yaml
+++ b/.github/workflows/nightly-docker-build.yaml
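Review bot: `DSO_AUTH_TOKEN` is added as a workflow-level `env` in api_format.yaml, which exposes the secret as an environment variable to every step of every job in the workflow, including third-party actions that never need it; the same pattern is repeated in the hunks for dependabot.yaml, nightly-docker-build.yaml, post_release.yaml, pull_request.yaml, release-branch-pr.yaml, release-preview.yaml, release.yaml, screenshot_capture.yaml, versions_robot.yaml and visual-comparison.yaml. Scoping the token with a step-level `env:` on the step that runs the bulletin fetch (`npm run cves`, per the Makefile hunk) would limit what a compromised or over-permissive action can read. The README hunk states the fetch is skipped when `DISABLE_SECURITY_INTEGRATIONS` is `true`, so workflows that build with bulletins disabled (nightly-docker-build.yaml, which uses a made-up Algolia index, looks like a candidate) could omit the token entirely. Which job steps in these workflows actually invoke the script is not visible in this patch.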
@@ -15,6 +15,8 @@ env:
 ALGOLIA_INDEX_NAME: "madeup-index"
 PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
 DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+ DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+ DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
 build:
diff --git a/.github/workflows/post_release.yaml b/.github/workflows/post_release.yaml
index 55662514d8..2e3be37168 100644
--- a/.github/workflows/post_release.yaml
+++ b/.github/workflows/post_release.yaml
@@ -18,6 +18,8 @@ env:
 ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
 PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
 DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+ DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+ DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 5b00129d6e..df50bfe523 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -22,6 +22,8 @@ env:
 ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
 PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
 DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+ DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+ DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
 run-ci:
diff --git a/.github/workflows/release-branch-pr.yaml b/.github/workflows/release-branch-pr.yaml
index bbef39f7a0..f429dbf51a 100644
--- a/.github/workflows/release-branch-pr.yaml
+++ b/.github/workflows/release-branch-pr.yaml
@@ -19,6 +19,8 @@ env:
 GITHUB_BRANCH: ${{ github.ref_name }}
 PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
 DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+ DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+ DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 concurrency:
diff --git a/.github/workflows/release-preview.yaml b/.github/workflows/release-preview.yaml
index c18e2985d2..65ef0b126d 100644
--- a/.github/workflows/release-preview.yaml
+++ b/.github/workflows/release-preview.yaml
@@ -18,6 +18,8 @@ env:
 ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
 PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
 DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+ DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+ DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 concurrency:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 668109c70c..3b6a6a32f3 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,12 +7,14 @@ on:
 schedule:
 - cron: '0 20 * * 1-5' # At 12:00 PM PST (8 PM UTC), Monday through Friday
 - cron: '0 5 * * 2-6' # At 9:00 PM PST (5 AM UTC next day), Monday through Friday
+ - cron: '0 20 * * 6' # At 12:00 PM PST (8 PM UTC next day), Saturday - Due to Security Buletin Publication
+ - cron: '0 20 * * 0' # At 12:00 PM PST (8 PM UTC next day), Sunday - Due to Security Buletin Publication
 workflow_dispatch:
 inputs:
 useGitHubHostedLargeRunner:
 description: 'Use the GitHub-hosted large runner. Allowed values are true or false. Caution - this results in additional charges to the organization.'
 required: false
- default: false
+ default: 'false'
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -27,6 +29,8 @@ env:
 ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
 PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
 DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+ DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+ DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 concurrency:
diff --git a/.github/workflows/screenshot_capture.yaml b/.github/workflows/screenshot_capture.yaml
index 6e599cefbd..23d94271d8 100644
--- a/.github/workflows/screenshot_capture.yaml
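Review bot: The comments on the two added `cron` entries in release.yaml say `8 PM UTC next day`, but `0 20 * * 6` fires at 20:00 UTC on the same calendar day as 12:00 PM PST; the `next day` wording appears to have been copied from the `0 5 * * 2-6` line above, where it is correct. Suggest `# At 12:00 PM PST (8 PM UTC), Saturday - Due to Security Bulletin Publication` and the matching Sunday line, which also fixes the `Buletin` spelling in both. If the schedule is meant to follow Pacific daylight time rather than PST, note that GitHub cron is UTC-only and 20:00 UTC is 1:00 PM PDT, so the comment should state which offset was intended.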
+++ b/.github/workflows/screenshot_capture.yaml
@@ -21,6 +21,8 @@ env:
 ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
 PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
 DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+ DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+ DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
diff --git a/.github/workflows/versions_robot.yaml b/.github/workflows/versions_robot.yaml
index 7db30a1b81..9a5ca6db04 100644
--- a/.github/workflows/versions_robot.yaml
+++ b/.github/workflows/versions_robot.yaml
@@ -22,7 +22,10 @@ env:
 ALGOLIA_SEARCH_KEY: ${{ secrets.ALGOLIA_SEARCH_KEY }}
 ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
 PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
- GITHUB_BRANCH: ${{ github.ref_name }}
+ GITHUB_BRANCH: ${{ github.ref_name }}
+ DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+ DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+ DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 jobs:
 run-ci:
diff --git a/.github/workflows/visual-comparison.yaml b/.github/workflows/visual-comparison.yaml
index 9576b49dcf..71768d609b 100644
--- a/.github/workflows/visual-comparison.yaml
+++ b/.github/workflows/visual-comparison.yaml
@@ -17,6 +17,8 @@ env:
 ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
 HTML_REPORT_URL_PATH: reports/${{ github.head_ref }}/${{ github.run_id }}/${{ github.run_attempt }}
 DISABLE_PACKS_INTEGRATIONS: ${{ secrets.DISABLE_PACKS_INTEGRATIONS }}
+ DISABLE_SECURITY_INTEGRATIONS: ${{ secrets.DISABLE_SECURITY_INTEGRATIONS }}
+ DSO_AUTH_TOKEN: ${{ secrets.DSO_AUTH_TOKEN }}
 concurrency:
diff --git a/.gitignore b/.gitignore
index 327c773f9e..e277103b03 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,6 +40,10 @@ docs/api-content/api-docs/v1/sidebar.*
 docs/api-content/api-docs/edge-v1/*.mdx
 docs/api-content/api-docs/edge-v1/sidebar.*
+# Security Bulletins (Autogenerated)
+
+docs/docs-content/security-bulletins/reports/*.md
+
 # Versions Content
 versions.json
 versioned_docs/
@@ -72,6 +76,7 @@ _partials/index.ts
 # Ignore statoc/img/packs
 static/img/packs
+static/data/security-bulletins/*
 .vale-config/
 vale/styles/spectrocloud/
diff --git a/.prettierignore b/.prettierignore
index 7e33410237..462ae7b456 100644
--- a/.prettierignore
+++ b/.prettierignore
@@ -13,6 +13,7 @@ docs/api-content/**/*.json
 tsconfig.json
 src/components/IconMapper/dynamicFontAwesomeImports.*
 docs/docs-content/security-bulletins/cve-reports.md
+docs/docs-content/security-bulletins/reports/*.md
 # Ignore partials
 _partials/
diff --git a/Makefile b/Makefile
index 8c13514301..3081b4c6ce 100644
--- a/Makefile
+++ b/Makefile
@@ -32,7 +32,7 @@ initialize: ## Initialize the repository dependencies
 npx husky-init
 vale sync
-clean: ## Clean common artifacts
+clean: clean-security ## Clean common artifacts
 npm run clear && npm run clean-api-docs
 rm -rfv build
@@ -56,6 +56,10 @@ clean-packs: ## Clean supplemental packs and pack images
 rm -rf .docusaurus/packs-integrations/api_pack_response.json
 rm -rf .docusaurus/packs-integrations/api_repositories_response.json
+clean-security: ## Clean security bulletins
+ rm -rf .docusaurus/security-bulletins/default/*.json
+ rm -rfv docs/docs-content/security-bulletins/reports/*.md
+
 clean-api: ## Clean API docs
 @echo "cleaning api docs"
 npm run clean-api-docs
@@ -80,6 +84,7 @@ init: ## Initialize npm dependencies
 start: ## Start a local development server
 make generate-partials
+ npm run cves
 npm run start
 start-cached-packs: ## Start a local development server with cached packs retry.
diff --git a/README.md b/README.md
index bc4e8e99bc..af4dbd32f3 100644
--- a/README.md
+++ b/README.md
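Review bot: The `start` target in the Makefile hunk now runs `npm run cves` unconditionally before `npm run start`, and make aborts the recipe on a nonzero exit, so a failed fetch (no `DSO_AUTH_TOKEN` locally, internal API unreachable) blocks the dev server unless the script itself degrades gracefully, which is not visible in this patch. The README hunk documents `DISABLE_SECURITY_INTEGRATIONS=true` as the opt-out; surfacing that in the target's help text, e.g. `start: ## Start a local development server (set DISABLE_SECURITY_INTEGRATIONS=true to skip the bulletin fetch)`, would tell contributors without API access what to do. The `clean-security` recipe deletes `reports/*.md` but leaves the committed `reports.mdx`, which appears intentional given the `.gitignore` and `.prettierignore` hunks use the same `*.md` pattern.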
@@ -775,6 +775,28 @@ Below is an example of how to use the component when the URLs are different:
 />
 page to learn more about system administrator roles.
 ```
+## Security Bulletins
+
+The security bulletins are auto-generated upon server start or the build process. The bulletins are generated by
+querying an internal Spectro Cloud API. The bulletins are displayed in the security bulletins page
+`https://docs.spectrocloud.com/security-bulletins/reports/`.
+
+The logic for generated the security bulletins is located in the [cves folder](./utils/cves/index.js). The script is
+invoked before a build or a local development server start. The script will fetch the security bulletins and store the
+data in the `.docusaurus/security-bulletins/default/` folder. The data is stored in the `data.json` file.
+
+The script will also generate each markdown file for each security bulletin. The markdown files are stored in the
+`/security-bulletins/reports/` folder.
+
+### Disable Security Bulletins
+
+To disable the security bulletins, you can set the environment variable `DISABLE_SECURITY_INTEGRATIONS` to `true`. This
+will stop the pre-build script from fetching the security bulletins.
+
+```shell
+export DISABLE_SECURITY_INTEGRATIONS=true
+```
+
 ## Packs Component
 The packs component is a custom component that displays all packs available in Palette SaaS by querying the Palette API
diff --git a/babel.config.js b/babel.config.js
deleted file mode 100644
index 1b97d0a067..0000000000
--- a/babel.config.js
+++ /dev/null
@@ -1,4 +0,0 @@
-module.exports = {
- plugins: ["macros"],
- presets: [require.resolve("@docusaurus/core/lib/babel/preset"), ["@babel/preset-env"], "@babel/preset-typescript"],
-};
diff --git a/docs/docs-content/security-bulletins/reports/cve-2005-2541.md b/docs/docs-content/security-bulletins/reports/cve-2005-2541.md
deleted file mode 100644
index c871469f74..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2005-2541.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2005-2541"
-title: "CVE-2005-2541"
-description: "Lifecycle of CVE-2005-2541"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2005-2541](https://nvd.nist.gov/vuln/detail/CVE-2005-2541)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote
-attackers to gain privileges.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[10.0](https://nvd.nist.gov/vuln/detail/CVE-2005-2541)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2012-2663.md b/docs/docs-content/security-bulletins/reports/cve-2012-2663.md
deleted file mode 100644
index 447a7e4f50..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2012-2663.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2012-2663"
-title: "CVE-2012-2663"
-description: "Lifecycle of CVE-2012-2663"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2012-2663](https://nvd.nist.gov/vuln/detail/CVE-2012-2663)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow
-remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this
-issue less relevant.
-
-## Our Official Summary
-
-Spectro Cloud Offical Summary Coming Soon
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2012-2663)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2015-20107.md b/docs/docs-content/security-bulletins/reports/cve-2015-20107.md
deleted file mode 100644
index 954bc9bfb8..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2015-20107.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2015-20107"
-title: "CVE-2015-20107"
-description: "Lifecycle of CVE-2015-20107"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2015-20107](https://nvd.nist.gov/vuln/detail/CVE-2015-20107)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the
-system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch
-with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to
-3.7, 3.8, 3.9
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor
-
-## CVE Severity
-
-[7.6](https://nvd.nist.gov/vuln/detail/CVE-2015-20107)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added palette VerteX 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2015-8855.md b/docs/docs-content/security-bulletins/reports/cve-2015-8855.md
deleted file mode 100644
index d48172d413..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2015-8855.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2015-8855"
-title: "CVE-2015-8855"
-description: "Lifecycle of CVE-2015-8855"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2015-8855](https://nvd.nist.gov/vuln/detail/CVE-2015-8855)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long
-version string, aka a "regular expression denial of service (ReDoS)."
-
-## Our Official Summary
-
-This is a false positive as the CVE is in a node.js package that has the same name which is being used in the Golang
-application.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.11
-
-## Revision History
-
-- 1.0 07/31/2024 Initial Publication
-- 2.0 08/17/2024 Remediated in Palette VerteX 4.4.14
-- 3.0 09/25/2024 Remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2016-1585.md b/docs/docs-content/security-bulletins/reports/cve-2016-1585.md
deleted file mode 100644
index 38b080f02a..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2016-1585.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-sidebar_label: "CVE-2016-1585"
-title: "CVE-2016-1585"
-description: "Lifecycle of CVE-2016-1585"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2016-1585](https://nvd.nist.gov/vuln/detail/CVE-2016-1585)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-In all versions of AppArmor mount rules are accidentally widened when compiled.
-
-## Our Official Summary
-
-Spectro Cloud Official Summary coming soon.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2016-1585)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2016-20013.md b/docs/docs-content/security-bulletins/reports/cve-2016-20013.md
deleted file mode 100644
index a3b223f2e0..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2016-20013.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2016-20013"
-title: "CVE-2016-20013"
-description: "Lifecycle of CVE-2016-20013"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2016-20013](https://nvd.nist.gov/vuln/detail/CVE-2016-20013)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the
-algorithm's runtime is proportional to the square of the length of the password.
-
-## Our Official Summary
-
-Spectro Cloud Offical Summary Coming Soon
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2016-20013)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2017-11164.md b/docs/docs-content/security-bulletins/reports/cve-2017-11164.md
deleted file mode 100644
index e045f8f4a4..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2017-11164.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2017-11164"
-title: "CVE-2017-11164"
-description: "Lifecycle of CVE-2017-11164"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2017-11164](https://nvd.nist.gov/vuln/detail/CVE-2017-11164)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled
-recursion) when processing a crafted regular expression.
-
-## Our Official Summary
-
-Spectro Cloud Offical Summary Coming Soon
-
-## CVE Severity
-
-[7.8](https://nvd.nist.gov/vuln/detail/CVE-2017-11164)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2018-20225.md b/docs/docs-content/security-bulletins/reports/cve-2018-20225.md
deleted file mode 100644
index ac35328f96..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2018-20225.md
+++ /dev/null
@@ -1,47 +0,0 @@ ---- -sidebar_label: "CVE-2018-20225" -title: "CVE-2018-20225" -description: "Lifecycle of CVE-2018-20225" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2018-20225](https://nvd.nist.gov/vuln/detail/CVE-2018-20225) - -## Last Update - -9/25/24 - -## NIST CVE Summary - -An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if -the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url -option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can -put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality -and the user is responsible for using --extra-index-url securely - -## Our Official Summary - -Waiting on a fix from third party mongodb vendor - -## CVE Severity - -[7.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20225) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.12 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products -- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18 diff --git a/docs/docs-content/security-bulletins/reports/cve-2018-20657.md b/docs/docs-content/security-bulletins/reports/cve-2018-20657.md deleted file mode 100644 index 85b17e0386..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2018-20657.md +++ /dev/null 
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2018-20657"
-title: "CVE-2018-20657"
-description: "Lifecycle of CVE-2018-20657"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2018-20657](https://nvd.nist.gov/vuln/detail/CVE-2018-20657)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak
-via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue
-to CVE-2018-12698.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb & calico vendors
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20657)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2018-20796.md b/docs/docs-content/security-bulletins/reports/cve-2018-20796.md
deleted file mode 100644
index 442cf7f34f..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2018-20796.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2018-20796"
-title: "CVE-2018-20796"
-description: "Lifecycle of CVE-2018-20796"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2018-20796](https://nvd.nist.gov/vuln/detail/CVE-2018-20796)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled
-Recursion, as demonstrated by '(\\227|)(\\1\\1|t1|\\\\2537)+' in grep.
-
-## Our Official Summary
-
-Spectro Cloud’s Official Summary Coming Soon
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2018-20839.md b/docs/docs-content/security-bulletins/reports/cve-2018-20839.md
deleted file mode 100644
index 1bf53a702f..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2018-20839.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2018-20839"
-title: "CVE-2018-20839"
-description: "Lifecycle of CVE-2018-20839"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2018-20839](https://nvd.nist.gov/vuln/detail/CVE-2018-20839)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain
-circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka
-current keyboard mode) check is mishandled.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb & calico vendors.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20839)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-1010022.md b/docs/docs-content/security-bulletins/reports/cve-2019-1010022.md
deleted file mode 100644
index 354b317123..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-1010022.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2019-1010022"
-title: "CVE-2019-1010022"
-description: "Lifecycle of CVE-2019-1010022"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-1010022](https://nvd.nist.gov/vuln/detail/CVE-2019-1010022)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The
-component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability
-to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-1010022)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-12900.md b/docs/docs-content/security-bulletins/reports/cve-2019-12900.md
deleted file mode 100644
index ca1e7f3c8f..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-12900.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-sidebar_label: "CVE-2019-12900"
-title: "CVE-2019-12900"
-description: "Lifecycle of CVE-2019-12900"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-12900](https://nvd.nist.gov/vuln/detail/CVE-2019-12900)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb & calico vendors.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-12900)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-17543.md b/docs/docs-content/security-bulletins/reports/cve-2019-17543.md
deleted file mode 100644
index 89c2a37526..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-17543.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2019-17543"
-title: "CVE-2019-17543"
-description: "Lifecycle of CVE-2019-17543"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-17543](https://nvd.nist.gov/vuln/detail/CVE-2019-17543)
-
-## Last Update
-
-08/16/2024
-
-## NIST CVE Summary
-
-LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting
-applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the
-vendor states "only a few specific / uncommon usages of the API are at risk."
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor
-
-## CVE Severity
-
-[8.1](https://nvd.nist.gov/vuln/detail/CVE-2019-17543)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added palette VerteX 4.4.12 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-19244.md b/docs/docs-content/security-bulletins/reports/cve-2019-19244.md
deleted file mode 100644
index 2525fab923..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-19244.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2019-19244"
-title: "CVE-2019-19244"
-description: "Lifecycle of CVE-2019-19244"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-19244](https://nvd.nist.gov/vuln/detail/CVE-2019-19244)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-Sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and
-also has certain ORDER BY usage.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[8.1](https://nvd.nist.gov/vuln/detail/CVE-2019-19244)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added palette VerteX 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-9192.md b/docs/docs-content/security-bulletins/reports/cve-2019-9192.md
deleted file mode 100644
index a900a75367..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-9192.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2019-9192"
-title: "CVE-2019-9192"
-description: "Lifecycle of CVE-2019-9192"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-9192](https://nvd.nist.gov/vuln/detail/CVE-2019-9192)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled
-Recursion, as demonstrated by '(|)(\\1\\1)\*' in grep, a different issue than CVE-2018-20796. NOTE: the software
-maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern
-
-## Our Official Summary
-
-Spectro Cloud official summary coming
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-9674.md b/docs/docs-content/security-bulletins/reports/cve-2019-9674.md
deleted file mode 100644
index 15c1eb524c..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-9674.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2019-9674"
-title: "CVE-2019-9674"
-description: "Lifecycle of CVE-2019-9674"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-9674](https://nvd.nist.gov/vuln/detail/CVE-2019-9674)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a
-ZIP bomb.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9674)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added palette VerteX 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-9923.md b/docs/docs-content/security-bulletins/reports/cve-2019-9923.md
deleted file mode 100644
index 2d9e1117a6..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-9923.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2019-9923"
-title: "CVE-2019-9923"
-description: "Lifecycle of CVE-2019-9923"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-9923](https://nvd.nist.gov/vuln/detail/CVE-2019-9923)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-Pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that
-have malformed extended headers.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9923)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-9936.md b/docs/docs-content/security-bulletins/reports/cve-2019-9936.md
deleted file mode 100644
index 4f735f23cb..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-9936.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2019-9936"
-title: "CVE-2019-9936"
-description: "Lifecycle of CVE-2019-9936"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-9936](https://nvd.nist.gov/vuln/detail/CVE-2019-9936)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-In SQLite 3.27.2, using fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in
-fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9936)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2019-9937.md b/docs/docs-content/security-bulletins/reports/cve-2019-9937.md
deleted file mode 100644
index f1fb14419e..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2019-9937.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2019-9937"
-title: "CVE-2019-9937"
-description: "Lifecycle of CVE-2019-9937"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2019-9937](https://nvd.nist.gov/vuln/detail/CVE-2019-9937)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL
-Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9937)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2020-35512.md b/docs/docs-content/security-bulletins/reports/cve-2020-35512.md
deleted file mode 100644
index fbb2574806..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2020-35512.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2020-35512"
-title: "CVE-2020-35512"
-description: "Lifecycle of CVE-2020-35512"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2020-35512](https://nvd.nist.gov/vuln/detail/CVE-2020-35512)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-A use-after-free flaw was found in D-Bus Development branch \<= 1.13.16, dbus-1.12.x stable branch \<= 1.12.18, and
-dbus-1.10.x and older branches \<= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of
-policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures
-necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor
-
-## CVE Severity
-
-[7.8](https://nvd.nist.gov/vuln/detail/CVE-2020-35512)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 9/25/2024 CVE remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2020-36325.md b/docs/docs-content/security-bulletins/reports/cve-2020-36325.md
deleted file mode 100644
index a2c4d1b364..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2020-36325.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2020-36325"
-title: "CVE-2020-36325"
-description: "Lifecycle of CVE-2020-36325"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2020-36325](https://nvd.nist.gov/vuln/detail/CVE-2020-36325)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there's an out-of-bounds
-read-access bug. NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2020-36325)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-3737.md b/docs/docs-content/security-bulletins/reports/cve-2021-3737.md
deleted file mode 100644
index 63309a282a..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2021-3737.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-sidebar_label: "CVE-2021-3737"
-title: "CVE-2021-3737"
-description: "Lifecycle of CVE-2021-3737"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2021-3737](https://nvd.nist.gov/vuln/detail/CVE-2021-3737)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote
-attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The
-highest threat from this vulnerability is to system availability.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2021-3737)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added palette VerteX 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-39537.md b/docs/docs-content/security-bulletins/reports/cve-2021-39537.md
deleted file mode 100644
index 3da7519b51..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2021-39537.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-sidebar_label: "CVE-2021-39537"
-title: "CVE-2021-39537"
-description: "Lifecycle of CVE-2021-39537"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2021-39537](https://nvd.nist.gov/vuln/detail/CVE-2021-39537)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-An issue was discovered in ncurses through v6.2-1. \_nc_captoinfo in captoinfo.c has a heap-based buffer overflow.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb & calico vendors.
-
-## CVE Severity
-
-[8.8](https://nvd.nist.gov/vuln/detail/CVE-2021-39537)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-42694.md b/docs/docs-content/security-bulletins/reports/cve-2021-42694.md
deleted file mode 100644
index 6ef901126c..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2021-42694.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-sidebar_label: "CVE-2021-42694"
-title: "CVE-2021-42694"
-description: "Lifecycle of CVE-2021-42694"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2021-42694](https://nvd.nist.gov/vuln/detail/CVE-2021-42694)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows
-an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical
-to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream
-software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following
-alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect
-applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could
-produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a
-target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that
-are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has
-documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security
-Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode
-Technical Standard #39, Unicode Security Mechanisms.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb & calico vendors.
-
-## CVE Severity
-
-[8.3](https://nvd.nist.gov/vuln/detail/CVE-2021-42694)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2021-46848.md b/docs/docs-content/security-bulletins/reports/cve-2021-46848.md
deleted file mode 100644
index 49e8266158..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2021-46848.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2021-46848"
-title: "CVE-2021-46848"
-description: "Lifecycle of CVE-2021-46848"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2021-46848](https://nvd.nist.gov/vuln/detail/CVE-2021-46848)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
-
-## Our Official Summary
-
-This is a vulnerability reported in GNU Libtasn1 before version 4.19.0, a library used to manage the ASN.1 data
-structure. This vulnerability is caused by an off-by-one array size check issue, leading to an out-of-bounds read.
-Impacting systems using GNU Libtasn1 before 4.19.0. Waiting on an upstream fix.
-
-## CVE Severity
-
-[9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-46848)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-0391.md b/docs/docs-content/security-bulletins/reports/cve-2022-0391.md
deleted file mode 100644
index 3537572f59..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-0391.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2022-0391"
-title: "CVE-2022-0391"
-description: "Lifecycle of CVE-2022-0391"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-0391](https://nvd.nist.gov/vuln/detail/CVE-2022-0391)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource
-Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows
-characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection
-attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-0391)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 to Affected Products
-- 4.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-23990.md b/docs/docs-content/security-bulletins/reports/cve-2022-23990.md
deleted file mode 100644
index 96a589dc0e..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-23990.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-sidebar_label: "CVE-2022-23990"
-title: "CVE-2022-23990"
-description: "Lifecycle of CVE-2022-23990"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-23990](https://nvd.nist.gov/vuln/detail/CVE-2022-23990)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb vendor
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-23990)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.12
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publications
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/25/2024 CVE remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-25883.md b/docs/docs-content/security-bulletins/reports/cve-2022-25883.md
deleted file mode 100644
index 8d8ee6c10b..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-25883.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-sidebar_label: "CVE-2022-25883"
-title: "CVE-2022-25883"
-description: "Lifecycle of CVE-2022-25883"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-25883](https://nvd.nist.gov/vuln/detail/CVE-2022-25883)
-
-## Last Update
-
-9/25/24
-
-## NIST CVE Summary
-
-Versions of the package server before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the
-function new Range, when untrusted user data is provided as a range.
-
-## Our Official Summary
-
-The CVE reported in virtual cluster CAPI provider. Govulncheck reports it as non-impacting.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.11
-
-## Revision History
-
-- 1.0 07/16/2024 Initial Publication
-- 2.0 08/17/2024 Remediated in Palette VerteX 4.4.14
-- 3.0 09/25/2024 Remediated in Palette VerteX 4.4.18
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-28357.md b/docs/docs-content/security-bulletins/reports/cve-2022-28357.md
deleted file mode 100644
index b8cc29ed2b..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-28357.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2022-28357"
-title: "CVE-2022-28357"
-description: "Lifecycle of CVE-2022-28357"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-28357](https://nvd.nist.gov/vuln/detail/CVE-2022-28357)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-NATS `nats-server` 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action
-from a management account.
-
-## Our Official Summary
-
-A vulnerability was found in NATS nats-server up to 2.7.4. The product uses external input to construct a pathname that
-is intended to identify a file or directory that is located underneath a restricted parent directory, but the product
-does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location
-that is outside of the restricted directory. Upgrade of the nats server is needed to fix this vulnerability.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-28357)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-28948.md b/docs/docs-content/security-bulletins/reports/cve-2022-28948.md
deleted file mode 100644
index da50bb1d2c..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-28948.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2022-28948"
-title: "CVE-2022-28948"
-description: "Lifecycle of CVE-2022-28948"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-28948](https://nvd.nist.gov/vuln/detail/CVE-2022-28948)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid
-input.
-
-## Our Official Summary
-
-A flaw was found in the Unmarshal function in Go-Yaml. This vulnerability results in program crashes when attempting to
-convert (or deserialize) invalid input data, potentially impacting system stability and reliability. 3rd party images
-affected will be upgraded to remove the vulnerability.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products
-- 3.0 10/10/2024 Added palette VerteX 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41409.md b/docs/docs-content/security-bulletins/reports/cve-2022-41409.md
deleted file mode 100644
index 56ea948b49..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-41409.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2022-41409"
-title: "CVE-2022-41409"
-description: "Lifecycle of CVE-2022-41409"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-41409](https://nvd.nist.gov/vuln/detail/CVE-2022-41409)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other
-unspecified impacts via negative input.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb & calico vendors
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41409)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41723.md b/docs/docs-content/security-bulletins/reports/cve-2022-41723.md
deleted file mode 100644
index 2b36489ef7..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-41723.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2022-41723"
-title: "CVE-2022-41723"
-description: "Lifecycle of CVE-2022-41723"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-41723](https://nvd.nist.gov/vuln/detail/CVE-2022-41723)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a
-denial of service from a small number of small requests.
-
-## Our Official Summary
-
-CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11.For customer workload clusters,
-workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18
-- Palette Enterprise 4.4.18
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2 & Palette Enterprise 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41724.md b/docs/docs-content/security-bulletins/reports/cve-2022-41724.md
deleted file mode 100644
index 260f4f1011..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-41724.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-sidebar_label: "CVE-2022-41724"
-title: "CVE-2022-41724"
-description: "Lifecycle of CVE-2022-41724"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-41724](https://nvd.nist.gov/vuln/detail/CVE-2022-41724)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records
-which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3
-clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil
-value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
-
-## Our Official Summary
-
-A vulnerability in crypto-tls in Go affects the component TLS Handshake Handler. The product does not properly control
-the allocation and maintenance of a limited resource, when handling large handshake records, thereby enabling an actor
-to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. A fix is
-available in latest versions of go. All the images affected will be upgraded to the latest versions.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-41725.md b/docs/docs-content/security-bulletins/reports/cve-2022-41725.md
deleted file mode 100644
index a5264a9d0a..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-41725.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-sidebar_label: "CVE-2022-41725"
-title: "CVE-2022-41725"
-description: "Lifecycle of CVE-2022-41725"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-41725](https://nvd.nist.gov/vuln/detail/CVE-2022-41725)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form
-parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also
-affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and
-PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved
-for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The
-unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector
-on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry
-overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition,
-ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a
-large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and
-should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware
-that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary
-file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation
-states, "If stored on disk, the File's underlying concrete type will be an \*os.File.". This is no longer the case when
-a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of
-using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct.
-Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk
-consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.
-
-## Our Official Summary
-
-A denial-of-service vulnerability has been identified in the Go standard library affecting the mime/multipart package.
-This vulnerability could allow an attacker to conduct a denial-of-service attack through excessive resource consumption
-in net/http and mime/multipart. This vulnerability affects multiple 3rd party images. Images will be upgraded to newer
-versions available.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-45061.md b/docs/docs-content/security-bulletins/reports/cve-2022-45061.md
deleted file mode 100644
index b863b86617..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-45061.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-sidebar_label: "CVE-2022-45061"
-title: "CVE-2022-45061"
-description: "Lifecycle of CVE-2022-45061"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-45061](https://nvd.nist.gov/vuln/detail/CVE-2022-45061)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing
-some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder
-could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a
-malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use
-of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an
-HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
-
-## Our Official Summary
-
-This CVE is a vulnerability affecting certain versions of Python, specifically those before version 3.11.1. The issue
-lies in an unnecessary quadratic algorithm in one path when processing some inputs to the IDNA (RFC 3490) decoder. This
-can lead to slow execution times and potential denial of service attacks on systems using affected Python versions.
-Systems that utilize Python's idna module for decoding large strings, such as web servers or applications handling
-user-provided hostnames, may be impacted by this vulnerability. There is no known workaround for this vulnerability.
-Python version needs to be upgraded in the images reported.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-45061)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.18
-
-## Revision History
-
-- 1.0 9/13/2024 Initial Publication
-- 2.0 9/13/2024 Added Palette VerteX 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-48560.md b/docs/docs-content/security-bulletins/reports/cve-2022-48560.md
deleted file mode 100644
index 03319992d8..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-48560.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2022-48560"
-title: "CVE-2022-48560"
-description: "Lifecycle of CVE-2022-48560"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-48560](https://nvd.nist.gov/vuln/detail/CVE-2022-48560)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-A use-after-free exists in Python through 3.9 via heappushpop in heapq.
-
-## Our Official Summary
-
-This CVE affects python versions upto 3.9. The use-after-free vulnerability in Python's heapq module allows an attacker
-to manipulate memory after it has been freed, potentially leading to arbitrary code execution or a denial of service.
-This vulnerability can be exploited by carefully crafting a malicious input that triggers the use-after-free condition.
-There is no known workaround for this vulnerability. Python version needs to be upgraded in the images reported.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-48560)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.18
-
-## Revision History
-
-- 1.0 9/13/2024 Initial Publication
-- 2.0 9/13/2024 Added Palette VerteX 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-48565.md b/docs/docs-content/security-bulletins/reports/cve-2022-48565.md
deleted file mode 100644
index 4498ebd76b..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-48565.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2022-48565"
-title: "CVE-2022-48565"
-description: "Lifecycle of CVE-2022-48565"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-48565](https://nvd.nist.gov/vuln/detail/CVE-2022-48565)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity
-declarations in XML plist files to avoid XML vulnerabilities.
-
-## Our Official Summary
-
-This CVE affects users of Python versions up to 3.9.1. This issue lies in the plistlib module, which used to accept
-entity declarations in XML plist files, making it susceptible to XXE attacks. This vulnerability is not listed in CISA's
-Known Exploited Vulnerabilities Catalog. The possibility of this vulnerability getting exploited in Spectro Cloud
-products is low. Need an update from the 3rd party vendor to fix the vulnerability. Investigating possibility of
-updating python version to fix this vulnerability.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-48565)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.18
-
-## Revision History
-
-- 1.0 9/13/2024 Initial Publication
-- 2.0 9/13/2024 Added Palette VerteX 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2022-4899.md b/docs/docs-content/security-bulletins/reports/cve-2022-4899.md
deleted file mode 100644
index 31bad582a9..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2022-4899.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2022-4899"
-title: "CVE-2022-4899"
-description: "Lifecycle of CVE-2022-4899"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2022-4899](https://nvd.nist.gov/vuln/detail/CVE-2022-4899)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line
-tool to cause buffer overrun.
-
-## Our Official Summary
-
-Waiting on a fix from third party mongodb & calico vendors
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4899)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-0464.md b/docs/docs-content/security-bulletins/reports/cve-2023-0464.md
deleted file mode 100644
index 94703b37fa..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-0464.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2023-0464"
-title: "CVE-2023-0464"
-description: "Lifecycle of CVE-2023-0464"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-0464](https://nvd.nist.gov/vuln/detail/CVE-2023-0464)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509
-certificate chains that include policy constraints.
-
-## Our Official Summary
-
-This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version
-1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more about this CVE at
-[https://ubuntu.com/security/CVE-2023-0464](https://ubuntu.com/security/CVE-2023-0464).
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24329.md b/docs/docs-content/security-bulletins/reports/cve-2023-24329.md
deleted file mode 100644
index 7844318458..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24329.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2023-24329"
-title: "CVE-2023-24329"
-description: "Lifecycle of CVE-2023-24329"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by
-supplying a URL that starts with blank characters.
-
-## Our Official Summary
-
-An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by
-supplying a URL that starts with blank characters. urlparse has a parsing problem when the entire URL starts with blank
-characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods
-to fail. Python version needs to be upgraded in the images reported.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24329)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.18
-
-## Revision History
-
-- 1.0 9/13/2024 Initial Publication
-- 2.0 9/13/2024 Added Palette VerteX 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24534.md b/docs/docs-content/security-bulletins/reports/cve-2023-24534.md
deleted file mode 100644
index 3b45fe73ce..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24534.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-sidebar_label: "CVE-2023-24534"
-title: "CVE-2023-24534"
-description: "Lifecycle of CVE-2023-24534"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-24534](https://nvd.nist.gov/vuln/detail/CVE-2023-24534)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading
-to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME
-headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this
-behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory
-exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold
-parsed headers.
-
-## Our Official Summary
-
-This CVE involves excessive memory allocation in net/http and net/textproto, potentially leading to a denial-of-service
-due to large memory allocation while parsing HTTP and MIME headers even for small inputs. Attackers can exploit this
-vulnerability to exhaust an HTTP server's memory resources, causing a denial of service. By crafting specific input data
-patterns, an attacker can trigger the excessive memory allocation behavior in the HTTP and MIME header parsing
-functions, leading to memory exhaustion. The risk of this vulnerability exploited in Spectro Cloud products is very low.
-3rd party images affected will be upgraded to remove the vulnerability.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette Enterprise 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette Enterprise 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24536.md b/docs/docs-content/security-bulletins/reports/cve-2023-24536.md
deleted file mode 100644
index e11c1b480c..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24536.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-sidebar_label: "CVE-2023-24536"
-title: "CVE-2023-24536"
-description: "Lifecycle of CVE-2023-24536"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-24536](https://nvd.nist.gov/vuln/detail/CVE-2023-24536)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large
-numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed
-multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs
-than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large
-numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers,
-further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause
-an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of
-service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package
-with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a
-better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In
-addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with
-ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable
-GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header
-fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This
-limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
-
-## Our Official Summary
-
-Golang Go is vulnerable to a denial-of-service, caused by a flaw during multipart form parsing. By sending a specially
-crafted input, a remote attacker could exploit this vulnerability to consume large amounts of CPU and memory, and
-results in a denial-of-service condition. The risk of this vulnerability exploited in our products is low. The images in
-which this is reported will be upgraded to fix the issue.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette Enterprise 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette Enterprise 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24537.md b/docs/docs-content/security-bulletins/reports/cve-2023-24537.md
deleted file mode 100644
index a503d5e933..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24537.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-sidebar_label: "CVE-2023-24537"
-title: "CVE-2023-24537"
-description: "Lifecycle of CVE-2023-24537"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2023-24537](https://nvd.nist.gov/vuln/detail/CVE-2023-24537)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can
-cause an infinite loop due to integer overflow.
-
-## Our Official Summary
-
-This is a new golang-related security vulnerability that affects Go languages, which can cause an infinite loop and a
-denial-of-service attack, due to a integer overflow. The images in which this is reported will be upgraded to fix the
-issue.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24537)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette Enterprise 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette Enterprise 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24538.md b/docs/docs-content/security-bulletins/reports/cve-2023-24538.md
deleted file mode 100644
index a33eff0582..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2023-24538.md
+++ /dev/null
@@ -1,55 +0,0 @@ ---- -sidebar_label: "CVE-2023-24538" -title: "CVE-2023-24538" -description: "Lifecycle of CVE-2023-24538" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-24538](https://nvd.nist.gov/vuln/detail/CVE-2023-24538) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -Templates do not properly consider backticks `` ` `` as Javascript string delimiters, and do not escape them as -expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a -Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary -Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string -interpolation, the decision was made to simply disallow Go template actions from being used inside of them -e.g.`"var a = {{.}}"`, since there is no safe way to allow this behavior. This takes the same approach as -github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an -ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who -rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks -will now be escaped. This should be used with caution. - -## Our Official Summary - -CVE-2023-24538 is a critical security vulnerability affecting the Go programming language, specifically its handling of -templates with Go template actions within JavaScript template literals. The vulnerability has been addressed in recent -Go releases. The risk of this vulnerability exploited in our products is low. The images in which this is reported will -be upgraded to fix the issue. 
- -## CVE Severity - -[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24538) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.4.18 - -## Revision History - -- 1.0 09/15/2024 Initial Publication -- 2.0 09/15/2024 Added Palette Enterprise 4.4.18 to Affected Products -- 3.0 10/10/2024 CVE remediated in Palette Enterprise 4.5.2 diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24539.md b/docs/docs-content/security-bulletins/reports/cve-2023-24539.md deleted file mode 100644 index 4ffbbfb7b3..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-24539.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -sidebar_label: "CVE-2023-24539" -title: "CVE-2023-24539" -description: "Lifecycle of CVE-2023-24539" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-24539](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -Angle brackets `<>` are not considered dangerous characters when inserted into CSS contexts. Templates containing -multiple actions separated by a `/` character can result in unexpectedly closing the CSS context and allowing for -injection of unexpected HTML, if executed with untrusted input. - -## Our Official Summary - -A vulnerability was found in html-template up to 1.19.8/1.20.3 on Go. The affected component is the CSS Handler. -Manipulation with an unknown input could lead to a cross-site scripting vulnerability. If the input contains special -characters such as `"<", ">"`, and `"&"` that could be interpreted as web-scripting elements when they are sent to a -downstream component that processes web pages. A fix for the images affected will be investigated. - -## CVE Severity - -[7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.4.18 - -## Revision History - -- 1.0 09/15/2024 Initial Publication -- 2.0 09/15/2024 Added Palette Enterprise 4.4.18 to Affected Products -- 3.0 10/10/2024 CVE remediated in Palette Enterprise 4.5.2 diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-24540.md b/docs/docs-content/security-bulletins/reports/cve-2023-24540.md deleted file mode 100644 index 50d1f6eae7..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-24540.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -sidebar_label: "CVE-2023-24540" -title: "CVE-2023-24540" -description: "Lifecycle of CVE-2023-24540" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-24540](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace -characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions -may not be properly sanitized during execution. - -## Our Official Summary - -This is a vulnerability affecting the Golang Go software, specifically the html/template package. This issue arises from -improper handling of JavaScript whitespace characters in certain contexts, leading to potential security risks. Systems -using Golang Go versions up to 1.19.9 and from 1.20.0 to 1.20.4 are affected, particularly those using the html/template -package with JavaScript contexts containing actions and specific whitespace characters. The images in which -vulnerabilities are report do not use the html package. So possibility of this vulnerability getting exploited in -Spectro Cloud products is low. There is a upstream fix available, we will upgrade to that version. - -## CVE Severity - -[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.4.18 - -## Revision History - -- 1.0 09/15/2024 Initial Publication -- 2.0 09/15/2024 Added Palette Enterprise 4.4.18 to Affected Products -- 3.0 10/10/2024 CVE remediated in Palette Enterprise 4.5.2 diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-26604.md b/docs/docs-content/security-bulletins/reports/cve-2023-26604.md deleted file mode 100644 index e1123046a7..0000000000 
--- a/docs/docs-content/security-bulletins/reports/cve-2023-26604.md +++ /dev/null @@ -1,48 +0,0 @@ ---- -sidebar_label: "CVE-2023-26604" -title: "CVE-2023-26604" -description: "Lifecycle of CVE-2023-26604" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-26604](https://nvd.nist.gov/vuln/detail/CVE-2023-26604) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the -system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch -with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to -3.7, 3.8, 3.9 - -## Our Official Summary - -Spectro Cloud Official Summary Coming Soon - -## CVE Severity - -[7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-26604) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.14, 4.4.18, 4.5.2 -- Palette Enterprise 4.4.18 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products -- 4.0 10/10/2024 CVE remediated in Palette Enterprise 4.5.2 diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-27534.md b/docs/docs-content/security-bulletins/reports/cve-2023-27534.md deleted file mode 100644 index 1d24a3af2a..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-27534.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -sidebar_label: "CVE-2023-27534" -title: "CVE-2023-27534" -description: "Lifecycle of CVE-2023-27534" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-27534](https://nvd.nist.gov/vuln/detail/CVE-2023-27534) - -## Last Update - -08/16/2024 - -## NIST CVE Summary - -A path traversal vulnerability exists in curl \<8.0.0 SFTP implementation causes the tilde (\~) character to be wrongly -replaced when used as a prefix in the first path element, in addition to its intended use as the first element to -indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute -arbitrary code by crafting a path like /\~2/foo while accessing a server with a specific user. - -## Our Official Summary - -Waiting on a fix from third party mongodb vendor - -## CVE Severity - -[8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-27534) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.12 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added palette VerteX 4.4.12 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-29400.md b/docs/docs-content/security-bulletins/reports/cve-2023-29400.md deleted file mode 100644 index fb8b208f58..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-29400.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -sidebar_label: "CVE-2023-29400" -title: "CVE-2023-29400" -description: "Lifecycle of CVE-2023-29400" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-29400](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -Templates containing actions in unquoted HTML attributes e.g. `"attr={{.}}"` executed with empty input can result in -output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary -attributes into tags. - -## Our Official Summary - -The vulnerability in golang arises from the use of unquoted HTML attributes in templates. When these templates are -executed with empty input, the resulting output may be parsed incorrectly due to HTML normalization rules. This can -enable an attacker to inject arbitrary attributes into HTML tags, potentially leading to cross-site scripting (XSS) -attacks or other security vulnerabilities. All the images in which this CVE is reported are 3rd party images, which do -not process HTML data. So possibility of this vulnerability getting exploited in Spectro Cloud products is low. Waiting -on upsteam fixes. - -## CVE Severity - -[7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.4.18 - -## Revision History - -- 1.0 09/15/2024 Initial Publication -- 2.0 09/15/2024 Added Palette Enterprise 4.4.18 to Affected Products -- 3.0 10/10/2024 CVE remediated in Palette Enterprise 4.5.2 diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-29403.md b/docs/docs-content/security-bulletins/reports/cve-2023-29403.md deleted file mode 100644 index 59202341a8..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-29403.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -sidebar_label: "CVE-2023-29403" -title: "CVE-2023-29403" -description: "Lifecycle of CVE-2023-29403" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-29403](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can -be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file -descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can -result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is -terminated, either via panic or signal, it may leak the contents of its registers. - -## Our Official Summary - -This vulnerability is reported on Go runtime in several older versions. Resources such as files and directories may be -inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the -wrong object. Third party images on which this vulnerability is reported has to be upgraded. - -## CVE Severity - -[7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.18, 4.5.2 - -## Revision History - -- 1.0 09/15/2024 Initial Publication -- 2.0 09/15/2024 Added Palette VerteX 4.4.18 to Affected Products -- 3.0 10/10/2024 Added Palette VerteX 4.5.2 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-29499.md b/docs/docs-content/security-bulletins/reports/cve-2023-29499.md deleted file mode 100644 index b3a547d3ce..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-29499.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -sidebar_label: "CVE-2023-29499" -title: "CVE-2023-29499" -description: "Lifecycle of CVE-2023-29499" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-29499](https://nvd.nist.gov/vuln/detail/CVE-2023-29499) - -## Last Update - -08/16/2024 - -## NIST CVE Summary - -A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, -leading to denial of service. - -## Our Official Summary - -Waiting on a fix from third party mongodb vendor - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-29499) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.12 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added palette VerteX 4.4.12 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-32636.md b/docs/docs-content/security-bulletins/reports/cve-2023-32636.md deleted file mode 100644 index 1004ae03fc..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-32636.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -sidebar_label: "CVE-2023-32636" -title: "CVE-2023-32636" -description: "Lifecycle of CVE-2023-32636" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-32636](https://nvd.nist.gov/vuln/detail/CVE-2023-32636) - -## Last Update - -08/16/2024 - -## NIST CVE Summary - -A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by -additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does -not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers -to backport the initial fix for CVE-2023-29499. - -## Our Official Summary - -Waiting on a fix from third party mongodb vendor - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-32636) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.12 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added palette VerteX 4.4.12 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-37920.md b/docs/docs-content/security-bulletins/reports/cve-2023-37920.md deleted file mode 100644 index 085c3566d8..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-37920.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -sidebar_label: "CVE-2023-37920" -title: "CVE-2023-37920" -description: "Lifecycle of CVE-2023-37920" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-37920](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while -verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. -e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. -Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. - -## Our Official Summary - -Waiting on a fix from third party mongodb & calico vendors. - -## CVE Severity - -[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.14, 4.4.18, 4.5.2 -- Palette Enterprise 4.4.18, 4.5.2 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products -- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-39325.md b/docs/docs-content/security-bulletins/reports/cve-2023-39325.md deleted file mode 100644 index 87af588c4a..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-39325.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -sidebar_label: "CVE-2023-39325" -title: "CVE-2023-39325" -description: "Lifecycle of CVE-2023-39325" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource -consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting -an in-progress request allows the attacker to create a new request while the existing one is still executing. - -## Our Official Summary - -CVE exists in coredns that’s being used in k8s 1.28.11. For customer workload clusters, workaround is to use k8s version -1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.14, 4.4.18, 4.5.2 -- Palette Enterprise 4.4.18, 4.5.2 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products -- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-4156.md b/docs/docs-content/security-bulletins/reports/cve-2023-4156.md deleted file mode 100644 index 02ce5ae46d..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-4156.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -sidebar_label: "CVE-2023-4156" -title: "CVE-2023-4156" -description: "Lifecycle of CVE-2023-4156" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-4156](https://nvd.nist.gov/vuln/detail/CVE-2023-4156) - -## Last Update - -08/16/2024 - -## NIST CVE Summary - -A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be -used to read sensitive information. - -## Our Official Summary - -Waiting on a fix from third party mongodb vendor - -## CVE Severity - -[7.1](https://nvd.nist.gov/vuln/detail/CVE-2023-4156) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.12 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added palette VerteX 4.4.12 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-44487.md b/docs/docs-content/security-bulletins/reports/cve-2023-44487.md deleted file mode 100644 index 932ef75d30..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-44487.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -sidebar_label: "CVE-2023-44487" -title: "CVE-2023-44487" -description: "Lifecycle of CVE-2023-44487" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) - -## Last Update - -8/16/2024 - -## NIST CVE Summary - -The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many -streams quickly, as exploited in the wild in August through October 2023\. - -## Our Official Summary - -The CVE reported in coredns and kube-vip. Govulncheck reports it as non-impacting. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.11 -- Palette VerteX 4.4.12 - -## Revision History - -- 1.0 07/16/2024 Initial Publication -- 2.0 08/16/2024 Added palette VerteX 4.4.12 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-45142.md b/docs/docs-content/security-bulletins/reports/cve-2023-45142.md deleted file mode 100644 index f484938e69..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-45142.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -sidebar_label: "CVE-2023-45142" -title: "CVE-2023-45142" -description: "Lifecycle of CVE-2023-45142" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-45142](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box -adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory -exhaustion when many malicious requests are sent to it. - -## Our Official Summary - -CVE exists in k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette -Self Hosted cluster, a future release will upgrade to 1.29+. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.14, 4.4.18 -- Palette Enterprise 4.4.18 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products -- 4.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-45287.md b/docs/docs-content/security-bulletins/reports/cve-2023-45287.md deleted file mode 100644 index b758fa7760..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-45287.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -sidebar_label: "CVE-2023-45287" -title: "CVE-2023-45287" -description: "Lifecycle of CVE-2023-45287" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-45287](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was -applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears -as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key -bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe -exhibits any timing side channels. - -## Our Official Summary - -This vulnerability exists in older versions of Golang for RSA based TLS exchanges. All the images in which this is -detected are using older versions of Golang with updates available with a fix. In order to exploit the vulnerability, -attackers need to obtain privileged access to the cluster and handcraft specific calls to these containers. Images will -be upgraded to newer versions. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.4.18, 4.5.2 - -## Revision History - -- 1.0 09/15/2024 Initial Publication -- 2.0 09/15/2024 Added Palette Enterprise 4.4.18 to Affected Products -- 3.0 10/10/2024 Added Palette Enterprise 4.5.2 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-47108.md b/docs/docs-content/security-bulletins/reports/cve-2023-47108.md deleted file mode 100644 index b571ebd567..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-47108.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -sidebar_label: "CVE-2023-47108" -title: "CVE-2023-47108" -description: "Lifecycle of CVE-2023-47108" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-47108](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc -Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound -cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. - -## Our Official Summary - -CVE exists in vsphere-csi 3.2.0, and kube-controller-manaer version 1.28.11. Impacts all vsphere clusters. There is no -workaround. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.14, 4.4.18, 4.5.2 -- Palette Enterprise 4.4.18, 4.5.2 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products -- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products -- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-49569.md b/docs/docs-content/security-bulletins/reports/cve-2023-49569.md deleted file mode 100644 index 3dd4664a33..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-49569.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -sidebar_label: "CVE-2023-49569" -title: "CVE-2023-49569" -description: "Lifecycle of CVE-2023-49569" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-49569](https://nvd.nist.gov/vuln/detail/CVE-2023-49569) - -## Last Update - -9/19/24 - -## NIST CVE Summary - -A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker -to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. - -Applications are only affected if they are using the -[ChrootOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS) , which is the default when using "Plain" -versions of Open and Clone funcs (e.g. PlainClone). Applications using -[BoundOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by -this issue. - -This is a go-git implementation issue and does not affect the upstream git cli. - -## Our Official Summary - -Investigation is ongoing to determine how this vulnerability affects any of our products. - -## CVE Severity - -[9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-49569) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.4.14 - -## Revision History - -- 1.0 9/6/24 Initial Publication -- 2.0 9/19/24 Added Palette Enterprise 4.4.14 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2023-52356.md b/docs/docs-content/security-bulletins/reports/cve-2023-52356.md deleted file mode 100644 index 7edacbd5ba..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2023-52356.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -sidebar_label: "CVE-2023-52356" -title: "CVE-2023-52356" -description: "Lifecycle of CVE-2023-52356" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-52356](https://nvd.nist.gov/vuln/detail/CVE-2023-52356) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the -TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of -service. - -## Our Official Summary - -This is a vulnerability in libtiff that can be exploited by a remote attacker to cause a heap-buffer overflow and -denial-of-service. The vulnerability is caused by a segment fault (SEGV) flaw that can be triggered when a crafted TIFF -file is passed to the TIFFReadRGBATileExt() API. Investigating a possible fix for this vulnerability on the affected -images. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52356) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.4.18, 4.5.2 - -## Revision History - -- 1.0 09/15/2024 Initial Publication -- 2.0 09/15/2024 Added Palette Enterprise 4.4.18 to Affected Products -- 3.0 10/10/2024 Added Palette Enterprise 4.5.2 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-0743.md b/docs/docs-content/security-bulletins/reports/cve-2024-0743.md deleted file mode 100644 index 92d0ed8392..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2024-0743.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -sidebar_label: "CVE-2023-0743" -title: "CVE-2023-0743" -description: "Lifecycle of CVE-2023-0743" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2023-0743](https://nvd.nist.gov/vuln/detail/CVE-2023-0743) - -## Last Update - -09/15/2024 - -## NIST CVE Summary - -An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability -affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. - -## Our Official Summary - -An unchecked return value in TLS handshake code could cause a potentially exploitable crash in certain versions of -Firefox. This CVE is reported on container images where there are no reported instances of TLS handshake code causing -crashes. Risk of this vulnerability getting exploited in Spectro Cloud products is low. Need an update from the 3rd -party vendor to fix the vulnerability. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0743) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette Enterprise 4.4.18, 4.5.2 - -## Revision History - -- 1.0 09/15/2024 Initial Publication -- 2.0 09/15/2024 Added Palette Enterprise 4.4.18 to Affected Products -- 3.0 10/10/2024 Added Palette Enterprise 4.5.2 to Affected Products diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-0760.md b/docs/docs-content/security-bulletins/reports/cve-2024-0760.md deleted file mode 100644 index 5e251a8d1f..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2024-0760.md +++ /dev/null 
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2024-0760"
-title: "CVE-2024-0760"
-description: "Lifecycle of CVE-2024-0760"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-0760](https://nvd.nist.gov/vuln/detail/CVE-2024-0760)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the
-attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This
-issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1.
-
-## Our Official Summary
-
-A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the
-attack is in progress. The server may recover after the attack ceases. In order to exploit this vulnerability, image in
-which this cve is reported has to be compromised and hacker has to gain privileged access. There are sufficient controls
-in place to consider the probability of occurrence as low. There is a fix available upstream and we are investigating
-upgrading to the fixed version.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0760)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-1737.md b/docs/docs-content/security-bulletins/reports/cve-2024-1737.md
deleted file mode 100644
index 7b6d2a343d..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-1737.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-sidebar_label: "CVE-2024-1737"
-title: "CVE-2024-1737"
-description: "Lifecycle of CVE-2024-1737"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-1737](https://nvd.nist.gov/vuln/detail/CVE-2024-1737)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any
-RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries
-for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through
-9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through
-9.18.27-S1.
-
-## Our Official Summary
-
-This vulnerability can be exploited if resolver caches and authoritative zone databases hold significant numbers of RRs
-for the same hostname (of any RTYPE). Services will suffer from degraded performance as content is being added or
-updated, and also when handling client queries for this name. In order to exploit this vulenerability, image in which
-this cve is reported has to be compromised and hacker has to gain privileged access. There are sufficient controls in
-place to consider the probability of occurence as low. There is a fix available upstream and we are investigating
-upgrading to the fixed version.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1737)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-1975.md b/docs/docs-content/security-bulletins/reports/cve-2024-1975.md
deleted file mode 100644
index 19b2950428..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-1975.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-sidebar_label: "CVE-2024-1975"
-title: "CVE-2024-1975"
-description: "Lifecycle of CVE-2024-1975"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-1975](https://nvd.nist.gov/vuln/detail/CVE-2024-1975)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from
-a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed
-requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27,
-9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1.
-
-## Our Official Summary
-
-This vulnerability can be exploited by a client only if a server hosts a zone containing a “KEY” Resource Record, or a
-resolver DNSSEC-validates a “KEY” Resource Record from a DNSSEC-signed domain in cache. In order to exploit this
-vulenerability, image in which this cve is reported has to be compromised and hacker has to gain privileged access.
-There are sufficient controls in place to consider the probability of occurence as low. There is a fix available
-upstream and we are investigating upgrading to the fixed version.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1975)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-21626.md b/docs/docs-content/security-bulletins/reports/cve-2024-21626.md
deleted file mode 100644
index 65b98e3735..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-21626.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-sidebar_label: "CVE-2024-21626"
-title: "CVE-2024-21626"
-description: "Lifecycle of CVE-2024-21626"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-runc is a CLI tool for spawning and using containers on Linux according to the OCI specification. In runc 1.1.11 and
-earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc
-exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to
-the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to
-gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to
-overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc
-1.1.12 includes patches for this issue.
-
-## Our Official Summary
-
-CVE exists in kube-proxy 1.28.11. Affects only k8s version 1.28.11 For customer workload clusters, workaround is to use
-k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+.
-
-## CVE Severity
-
-[8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-24790.md b/docs/docs-content/security-bulletins/reports/cve-2024-24790.md
deleted file mode 100644
index ae25cc85bc..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-24790.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-sidebar_label: "CVE-2024-24790"
-title: "CVE-2024-24790"
-description: "Lifecycle of CVE-2024-24790"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-24790](https://nvd.nist.gov/vuln/detail/CVE-2024-24790)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning
-false for addresses which would return true in their traditional IPv4 forms.
-
-## Our Official Summary
-
-Waiting on the 3rd party vendor for a fix. Notes: This vulnerability is reported on the mongodb container. A ticket is
-filed with the vendor to get a new image that addresses the vulnerabilities reported.
-
-## CVE Severity
-
-[9.8](hhttps://nvd.nist.gov/vuln/detail/CVE-2024-24790)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.4.14, 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/06/2024 Initial Publication
-- 2.0 09/17/2024 Added Palette Enterprise 4.4.18 to Affected Products
-- 3.0 10/10/2024 Added Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-32002.md b/docs/docs-content/security-bulletins/reports/cve-2024-32002.md
deleted file mode 100644
index 0693f23029..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-32002.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-sidebar_label: "CVE-2024-32002"
-title: "CVE-2024-32002"
-description: "Lifecycle of CVE-2024-32002"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-32002](https://nvd.nist.gov/vuln/detail/CVE-2024-32002)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4,
-repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing
-files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed
-while the clone operation is still active, giving the user no opportunity to inspect the code that is being executed.
-The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link
-support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As
-always, it is best to avoid cloning repositories from untrusted sources.
-
-## Our Official Summary
-
-A critical vulnerability in Git has recently been published that could lead to remote command injection. The
-exploitation occurs when the victim clones a malicious repository recursively, which would execute hooks contained in
-the submodules. The vulnerability lies in the way Git handles symbolic links in repository submodules. There are
-currently several PoCs with public exploits that expose the vulnerability. This risk of this vulnerability exploited in
-spectrocloud products is very low.
-
-## CVE Severity
-
-[9.0](https://nvd.nist.gov/vuln/detail/CVE-2024-32002)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette Enterprise 4.4.18
-
-## Revision History
-
-- 1.0 09/15/2024 Initial Publication
-- 2.0 09/15/2024 Added Palette Enterprise 4.4.18 to Affected Products
-- 3.0 10/10/2024 CVE remediated in Palette Enterprise 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-35325.md b/docs/docs-content/security-bulletins/reports/cve-2024-35325.md
deleted file mode 100644
index c09bdae652..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-35325.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-sidebar_label: "CVE-2024-35325"
-title: "CVE-2024-35325"
-description: "Lifecycle of CVE-2024-35325"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-35325](https://nvd.nist.gov/vuln/detail/CVE-2024-35325)
-
-## Last Update
-
-8/30/2024
-
-## NIST CVE Summary
-
-A vulnerability was found in libyaml up to 0.2.5. Affected by this issue is the function yaml_event_delete of the file
-/src/libyaml/src/api.c. The manipulation leads to a double-free.
-
-NIST Rejected reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security
-issue. Notes: none.
-
-## Our Official Summary
-
-Not applicable.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-35325)
-
-## Status
-
-Resolved
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14
-
-## Revision History
-
-- 1.0 08/27/2024 Initial Publication
-- 2.0 08/27/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 08/30/2024 NIST reclassified CVE- not a security issue
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-3651.md b/docs/docs-content/security-bulletins/reports/cve-2024-3651.md
deleted file mode 100644
index e7f389e1ef..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-3651.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2024-3651"
-title: "CVE-2024-3651"
-description: "Lifecycle of CVE-2024-3651"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-3651](https://nvd.nist.gov/vuln/detail/CVE-2024-3651)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting
-version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic
-complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that
-causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing
-the processing time in a quadratic manner relative to the input size.
-
-## Our Official Summary
-
-The idna package is a Python library that provides support for Internationalized Domain Names in Applications (IDNA). It
-allows encoding and decoding of domain names containing non-ASCII characters. This vulnerability affects versions prior
-to 3.7 of the idna package. Domain names cannot exceed 253 characters in length, so enforcing this limit can prevent the
-resource consumption issue. However, this workaround may not be foolproof as it relies on the higher-level application
-performing input validation. Upgrade the package to > 3.7 version to fix the vulnerability.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-3651)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 9/13/2024 Initial Publication
-- 2.0 9/13/2024 Added Palette VerteX 4.4.18 to Affected Products
-- 3.0 10/10/2024 Added Palette VerteX 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-37370.md b/docs/docs-content/security-bulletins/reports/cve-2024-37370.md
deleted file mode 100644
index e182f0d461..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-37370.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-sidebar_label: "CVE-2024-37370"
-title: "CVE-2024-37370"
-description: "Lifecycle of CVE-2024-37370"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-37370](https://nvd.nist.gov/vuln/detail/CVE-2024-37370)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS
-krb5 wrap token, causing the unwrapped token to appear truncated to the application.
-
-## Our Official Summary
-
-This CVE is a message token handling issue reported on kerboros libraries. This affects krb5 packages in versions less
-than 1.21.3-1. Exploitation of this flaw could cause system crashes. Risk of this specific vulnerability for spectro
-cloud components is low. Working on removing/upgrading libraries to fix the issue.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-37370)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-37371.md b/docs/docs-content/security-bulletins/reports/cve-2024-37371.md
deleted file mode 100644
index 7d5f732d7c..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-37371.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-sidebar_label: "CVE-2024-37371"
-title: "CVE-2024-37371"
-description: "Lifecycle of CVE-2024-37371"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-37371](https://nvd.nist.gov/vuln/detail/CVE-2024-37371)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling
-by sending message tokens with invalid length fields.
-
-## Our Official Summary
-
-This CVE is a memory corruption vulnerability reported on kerboros libraries. Attackers could potentially exploit a flaw
-within Kerberos' handling of GSS (Generic Security Service) message tokens to cause invalid memory reads, potentially
-leading to system crashes. Risk of this specific vulnerability for spectro cloud components is low. Working on
-removing/upgrading libraries to fix the issue.
-
-## CVE Severity
-
-[9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-37371)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-38428.md b/docs/docs-content/security-bulletins/reports/cve-2024-38428.md
deleted file mode 100644
index 7b505b4d5c..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-38428.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2024-38428"
-title: "CVE-2024-38428"
-description: "Lifecycle of CVE-2024-38428"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-38428](https://nvd.nist.gov/vuln/detail/CVE-2024-38428)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be
-insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the
-host subcomponent.
-
-## Our Official Summary
-
-This is a critical severity vulnerability that affects any Wget version up to and including 1.24.5. `wget` parses URIs
-in a way that causes user information to be considered part of the host if it contains a semicolon. This means that the
-host part of the URI could be interpreted incorrectly and be abused by attackers that control the userinfo. The CVE is
-only exploitable when a vulnerable `wget` version is used in specific conditions. Risk of this vulnerability getting
-exploited in Spectro Cloud products is low. Need updates from the 3rd party vendor to fix the vulnerability.
-
-## CVE Severity
-
-[9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-38428)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18
-- Palette Enterprise 4.4.18
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 CVE remediated in Palette VerteX 4.5.2 & Palette Enterprise 4.5.2
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-45490.md b/docs/docs-content/security-bulletins/reports/cve-2024-45490.md
deleted file mode 100644
index 584334ed71..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-45490.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-sidebar_label: "CVE-2024-45490"
-title: "CVE-2024-45490"
-description: "Lifecycle of CVE-2024-45490"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-45490](https://nvd.nist.gov/vuln/detail/CVE-2024-45490)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
-
-## Our Official Summary
-
-This CVE is a critical vulnerability affecting images using libexpat libraries versions prior to 2.6.3, where the
-function xmlparse.c fails to reject negative lengths in XML_ParseBuffer. This vulnerability can be exploited over a
-network without user interaction and has very low attack complexity. Not all of the images affected use the specific
-function affected. Exploiting this vulnerable library will require a user to compromise the containers and gain
-privileged access. Fix available in libexpat versions > 2.6.3. Investigating upgrading this library within the affected
-images.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45490)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-45491.md b/docs/docs-content/security-bulletins/reports/cve-2024-45491.md
deleted file mode 100644
index 4d4cda26b4..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-45491.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-sidebar_label: "CVE-2024-45491"
-title: "CVE-2024-45491"
-description: "Lifecycle of CVE-2024-45491"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-45491](https://nvd.nist.gov/vuln/detail/CVE-2024-45491)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on
-32-bit platforms (where UINT_MAX equals SIZE_MAX).
-
-## Our Official Summary
-
-This CVE identifies an integer overflow vulnerability found in libexpat versions prior to 2.6.3, specifically in the
-dtdCopy function of xmlparse.c on 32-bit platforms. This vulnerability can be exploited over a network without user
-interaction and has very low attack complexity. Not all of the images affected use the specific function affected.
-Exploiting this vulnerable library will require a user to compromise the containers and gain privileged access. Fix
-available in libexpat versions > 2.6.3. Investigating upgrading this library within the affected images.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45491)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-45492.md b/docs/docs-content/security-bulletins/reports/cve-2024-45492.md
deleted file mode 100644
index 8aa0b030e6..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-45492.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-sidebar_label: "CVE-2024-45492"
-title: "CVE-2024-45492"
-description: "Lifecycle of CVE-2024-45492"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-45492](https://nvd.nist.gov/vuln/detail/CVE-2024-45492)
-
-## Last Update
-
-10/10/24
-
-## NIST CVE Summary
-
-An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for
-m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
-
-## Our Official Summary
-
-This CVE identifies an integer overflow vulnerability found in libexpat versions prior to 2.6.3, which can lead to an
-integer overflow in the nextScaffoldPart function on 32-bit platforms. This vulnerability can be exploited over a
-network without user interaction and has very low attack complexity. Not all of the images affected use the specific
-function affected. Exploiting this vulnerable library will require a user to compromise the containers and gain
-privileged access. Fix available in libexpat versions > 2.6.3. Investigating upgrading this library within the affected
-images.
-
-## CVE Severity
-
-[9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45492)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14, 4.4.18, 4.5.2
-- Palette Enterprise 4.4.18, 4.5.2
-
-## Revision History
-
-- 1.0 08/16/2024 Initial Publication
-- 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products
-- 4.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-6197.md b/docs/docs-content/security-bulletins/reports/cve-2024-6197.md
deleted file mode 100644
index 43fa59d4b8..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-6197.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-sidebar_label: "CVE-2024-6197"
-title: "CVE-2024-6197"
-description: "Lifecycle of CVE-2024-6197"
-hide_table_of_contents: true
-sidebar_class_name: "hide-from-sidebar"
-toc_max_heading_level: 2
-tags: ["security", "cve"]
----
-
-## CVE Details
-
-[CVE-2024-6197](https://nvd.nist.gov/vuln/detail/CVE-2024-6197)
-
-## Last Update
-
-10/10/2024
-
-## NIST CVE Summary
-
-Libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid
-field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern
-malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that
-memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the
-overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely
-outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in
-special circumstances.
-
-## Our Official Summary
-
-This CVE is reported on nginx-ingress-controller image on the libcurl's ASN1 parser. The vulnerable code path can be
-triggered by a malicious operation offering an especially crafted TLS certificate. Problem is fixed in curl
-version >=8.9.0. Investigating a possible fix.
-
-## CVE Severity
-
-[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6197)
-
-## Status
-
-Ongoing
-
-## Affected Products & Versions
-
-- Palette VerteX 4.4.14
-- Palette Enterprise 4.5.2
-
-## Revision History
-
-- 1.0 08/27/2024 Initial Publication
-- 2.0 08/27/2024 Added Palette VerteX 4.4.14 to Affected Products
-- 3.0 10/10/2024 Added Palette Enterprise 4.5.2 to Affected Products
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-6232.md b/docs/docs-content/security-bulletins/reports/cve-2024-6232.md
deleted file mode 100644
index 560d6d4232..0000000000
--- a/docs/docs-content/security-bulletins/reports/cve-2024-6232.md
+++ /dev/null
@@ -1,53 +0,0 @@ ---- -sidebar_label: "CVE-2024-6232" -title: "CVE-2024-6232" -description: "Lifecycle of CVE-2024-6232" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2024-6232](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) - -## Last Update - -10/10/24 - -## NIST CVE Summary - -There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking -during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. - -## Our Official Summary - -This CVE affects all images using the Python's tarfile module. A specificlly crafted tar file which causes excessive -backtracking while tarfile parses headers is needed to exploit this vulnerability. If the vulnerability is exploited, it -can cause a denial of service attack. But from our product point of view, this risk of this vulnerability getting -exploited is very low. This is because it does not enable remote code execution. A user has to compromise of the images -using this library within python module and feed a specially crafted tar file and relies on the underlying system -processing that file, which limits the attack vector. A fix is not available at this time. We will upgrade the library -once the fix becomes available. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.11, 4.4.14, 4.4.18, 4.5.2 -- Palette Enterprise 4.4.18, 4.5.2 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/16/2024 Added Palette VerteX 4.4.11 to Affected Products -- 3.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products -- 4.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products -- 5.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-7592.md b/docs/docs-content/security-bulletins/reports/cve-2024-7592.md deleted file mode 100644 index 7fdefbf7f3..0000000000 --- a/docs/docs-content/security-bulletins/reports/cve-2024-7592.md +++ /dev/null @@ -1,49 +0,0 @@ ---- -sidebar_label: "CVE-2024-7592" -title: "CVE-2024-7592" -description: "Lifecycle of CVE-2024-7592" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[CVE-2024-7592](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) - -## Last Update - -10/10/24 - -## NIST CVE Summary - -There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When -parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm -with quadratic complexity, resulting in excess CPU resources being used while parsing the value. - -## Our Official Summary - -Some problematic patterns and their application can lead to exponential time complexity under certain conditions, akin -to a Regular Expression Denial of Service (ReDoS) attack. Investigating to see if there is a upstream fix available. - -## CVE Severity - -[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.11, 4.4.14, 4.4.18, 4.5.2 -- Palette Enterprise 4.4.18, 4.5.2 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/16/2024 Added Palette VerteX 4.4.11 to Affected Products -- 3.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products -- 4.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products -- 5.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md b/docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md deleted file mode 100644 index 6e09541252..0000000000 --- a/docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -sidebar_label: "GHSA-74fp-r6jw-h4mp" -title: "GHSA-74fp-r6jw-h4mp" -description: "Lifecycle of GHSA-74fp-r6jw-h4mp" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[GHSA-74fp-r6jw-h4mp](https://github.com/advisories/ghsa-74fp-r6jw-h4mp) - -## Last Update - -10/10/2024 - -## NIST CVE Summary - -Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing. - -## Our Official Summary - -This vulnerability is reported by govulncheck because of the presence of go library, k8s.io/apimachinery (Affected -versions: \< 0.0.0-20190927203648-9ce6eca90e73). This is a false positive, because it does not affect latest kubernetes -versions as indicated here -([https://nvd.nist.gov/vuln/detail/CVE-2019-11253](https://nvd.nist.gov/vuln/detail/CVE-2019-11253)). Current K8s -version used: 1.28.11 - -## CVE Severity - -[7.5](https://github.com/advisories/ghsa-74fp-r6jw-h4mp) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.11, 4.4.14, 4.4.18, 4.5.2 -- Palette Enterprise 4.4.18, 4.5.2 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/16/2024 Added Palette VerteX 4.4.11 to Affected Products -- 3.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products -- 4.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products -- 5.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md deleted file mode 100644 index 6b871d6e55..0000000000 --- a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -sidebar_label: "GHSA-m425-mq94-257g" -title: "GHSA-m425-mq94-257g" -description: "Lifecycle of GHSA-m425-mq94-257g" -hide_table_of_contents: true -sidebar_class_name: "hide-from-sidebar" -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -## CVE Details - -[GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) - -## Last Update - -10/10/24 - -## NIST CVE Summary - -The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send -subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent -method handlers than the configured maximum stream limit. - -## Our Official Summary - -CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload -clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to -1.29+. - -## CVE Severity - -[7.5](https://github.com/advisories/GHSA-m425-mq94-257g) - -## Status - -Ongoing - -## Affected Products & Versions - -- Palette VerteX 4.4.11, 4.4.14, 4.4.18, 4.5.2 -- Palette Enterprise 4.4.18, 4.5.2 - -## Revision History - -- 1.0 08/16/2024 Initial Publication -- 2.0 08/16/2024 Added Palette VerteX 4.4.11 to Affected Products -- 3.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products -- 4.0 09/17/2024 Added Palette VerteX 4.4.18 & Palette Enterprise 4.4.18 to Affected Products -- 5.0 10/10/2024 Added Palette VerteX 4.5.2 & Palette Enterprise 4.5.2 to Affected Products 
diff --git a/docs/docs-content/security-bulletins/reports/reports.md b/docs/docs-content/security-bulletins/reports/reports.md deleted file mode 100644 index 90e43c9560..0000000000 --- a/docs/docs-content/security-bulletins/reports/reports.md +++ /dev/null 
@@ -1,168 +0,0 @@ ---- -sidebar_label: "CVE Reports" -title: "CVE Reports" -description: "Security bulletins for Common Vulnerabilities and Exposures (CVEs) related to Palette and Palette VerteX" -icon: "" -hide_table_of_contents: true -sidebar_position: 0 -toc_max_heading_level: 2 -tags: ["security", "cve"] ---- - -# Security Bulletins - -The vulnerabilities reported in this Security Bulletin include vulnerabilities within the Palette VerteX and Palette -Enterprise airgap solution, and third-party component vulnerabilities, which we have become aware of. These -vulnerabilities are discovered via our Bug Bounty program, our security monitoring program, or reported to us by our -supply chain. - -:::info - -The CVSS Severity is provided by either the third-party service provider, or NIST CVE. We do not provide the criticality -score for third-party components. Previous security bulletins are available in the -[Security Bulletins Archive](../../unlisted/cve-reports.md). - -::: - -To fix all the vulnerabilities impacting your products, we recommend patching your instances to the latest version -regarding any third-party components. For vulnerabilities originating in our products, we will provide mitigations and -workarounds where applicable. - -Click on the CVE ID to view the full details of the vulnerability. 
- - - - - -| CVE ID | Initial Pub Date | Modified Date | Product Version | Vulnerability Type | CVSS Severity | Status | -| ----------------------------------------------- | ---------------- | ------------- | -------------------------------- | --------------------------------------- | -------------------------------------------------------- | --------------------------- | -| [CVE-2024-21626](./cve-2024-21626.md) | 1/3/24 | 10/10/24 | 4.4.11 & 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: kube-proxy | [8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | :mag: Ongoing | -| [CVE-2022-41723](./cve-2022-41723.md) | 2/28/23 | 10/10/24 | 4.4.11 & 4.4.14 & 4.4.18 | Third-party component: CoreDNS | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | :mag: Ongoing | -| [GHSA-m425-mq94-257g](./ghsa-m425-mq94-257g.md) | 10/25/23 | 10/25/24 | 4.4.11 & 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: CoreDNS | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | :mag: Ongoing | -| [CVE-2023-45142](./cve-2023-45142.md) | 10/12/23 | 10/10/24 | 4.4.11 & 4.4.14 & 4.4.18 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | :mag: Ongoing | -| [CVE-2023-0464](./cve-2023-0464.md) | 3/22/23 | 10/10/24 | 4.4.11 & 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | :mag: Ongoing | -| [CVE-2023-39325](./cve-2023-39325.md) | 10/11/23 | 10/10/24 | 4.4.11 & 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Go project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | :mag: Ongoing | -| [CVE-2023-47108](./cve-2023-47108.md) | 11/20/23 | 10/10/24 | 4.4.11 & 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | :mag: Ongoing | -| [CVE-2023-44487](./cve-2023-44487.md) | 10/10/23 | 6/27/24 | 4.4.11 & 4.4.14 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | 
:mag: Ongoing | -| [CVE-2022-25883](./cve-2022-25883.md) | 6/21/23 | 9/25/24 | 4.4.11 & 4.4.14 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | :mag: Ongoing | -| [CVE-2015-8855](./cve-2015-8855.md) | 1/23/17 | 9/25/24 | 4.4.11 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) | :mag: Ongoing | -| [CVE-2019-12900](./cve-2019-12900.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: BZ2 | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-12900) | :mag: Ongoing | -| [CVE-2023-37920](./cve-2023-37920.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Certifi | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | :mag: Ongoing | -| [CVE-2019-1010022](./cve-2019-1010022.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: GNU Libc | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-1010022) | :mag: Ongoing | -| [CVE-2016-1585](./cve-2016-1585.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: Ubuntu | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2016-1585) | :mag: Ongoing | -| [CVE-2018-20839](./cve-2018-20839.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: MongoDB | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20839) | :mag: Ongoing | -| [CVE-2024-38428](./cve-2024-38428.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 | Third-party component: MongoDB | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-38428) | :mag: Ongoing | -| [CVE-2021-42694](./cve-2021-42694.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: MongoDB | [8.3](https://nvd.nist.gov/vuln/detail/CVE-2021-42694) | :mag: Ongoing | -| [CVE-2021-39537](./cve-2021-39537.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: MongoDB | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2021-39537) | :mag: Ongoing | -| [CVE-2019-9923](./cve-2019-9923.md) | 08/16/24 | 9/25/24 | 4.4.14 | 
Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9923) | :mag: Ongoing | -| [CVE-2020-36325](./cve-2020-36325.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Jansson | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2020-36325) | :mag: Ongoing | -| [CVE-2005-2541](./cve-2005-2541.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [10.0](https://nvd.nist.gov/vuln/detail/CVE-2005-2541) | :mag: Ongoing | -| [CVE-2019-9937](./cve-2019-9937.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9937) | :mag: Ongoing | -| [CVE-2019-9936](./cve-2019-9936.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9936) | :mag: Ongoing | -| [CVE-2019-19244](./cve-2019-19244.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-19244) | :mag: Ongoing | -| [CVE-2016-20013](./cve-2016-20013.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2016-20013) | :mag: Ongoing | -| [CVE-2022-0391](./cve-2022-0391.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-0391) | :mag: Ongoing | -| [CVE-2021-3737](./cve-2021-3737.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2021-3737) | :mag: Ongoing | -| [CVE-2019-9674](./cve-2019-9674.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9674) | :mag: Ongoing | -| [CVE-2023-26604](./cve-2023-26604.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Ubuntu | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-26604) | :mag: Ongoing | -| [CVE-2015-20107](./cve-2015-20107.md) | 08/16/24 | 
9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.6](https://nvd.nist.gov/vuln/detail/CVE-2015-20107) | :mag: Ongoing | -| [CVE-2017-11164](./cve-2017-11164.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2017-11164) | :mag: Ongoing | -| [CVE-2018-20225](./cve-2018-20225.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20225) | :mag: Ongoing | -| [CVE-2022-41409](./cve-2022-41409.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41409) | :mag: Ongoing | -| [CVE-2019-17543](./cve-2019-17543.md) | 08/16/24 | 08/16/24 | 4.4.14 | Third-party component: MongoDB | [8.1](https://nvd.nist.gov/vuln/detail/CVE-2019-17543) | :mag: Ongoing | -| [CVE-2022-4899](./cve-2022-4899.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4899) | :mag: Ongoing | -| [CVE-2018-20657](./cve-2018-20657.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20657) | :mag: Ongoing | -| [CVE-2023-27534](./cve-2023-27534.md) | 08/16/24 | 08/16/24 | 4.4.14 | Third-party component: MongoDB | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-27534) | :mag: Ongoing | -| [CVE-2023-32636](./cve-2023-32636.md) | 08/16/24 | 08/16/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-32636) | :mag: Ongoing | -| [CVE-2023-29499](./cve-2023-29499.md) | 08/16/24 | 08/16/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-29499) | :mag: Ongoing | -| [CVE-2024-24790](./cve-2024-24790.md) | 8/6/24 | 10/10/24 | 4.4.11 & 4.4.14 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-24790) | :mag: Ongoing | 
-| [CVE-2023-4156](./cve-2023-4156.md) | 08/16/24 | 08/16/24 | 4.4.14 | Third-party component: MongoDB | [7.1](https://nvd.nist.gov/vuln/detail/CVE-2023-4156) | :mag: Ongoing | -| [CVE-2022-23990](./cve-2022-23990.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-23990) | :mag: Ongoing | -| [CVE-2020-35512](./cve-2020-35512.md) | 08/16/24 | 9/25/24 | 4.4.14 | Third-party component: MongoDB | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2020-35512) | :mag: Ongoing | -| [CVE-2012-2663](./cve-2012-2663.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: iPtables | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2012-2663) | :mag: Ongoing | -| [CVE-2019-9192](./cve-2019-9192.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192) | :mag: Ongoing | -| [CVE-2018-20796](./cve-2018-20796.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796) | :mag: Ongoing | -| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 10/10/24 | 4.4.11 & 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing | -| [CVE-2024-35325](./cve-2024-35325.md) | 08/27/24 | 08/30/24 | 4.4.14 | Third-party component: Libyaml | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-35325) | :white_check_mark: Resolved | -| [CVE-2024-6197](./cve-2024-6197.md) | 08/27/24 | 10/10/24 | 4.4.14 | Third-party component: Libcurl | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6197) | :mag: Ongoing | -| [CVE-2024-37371](./cve-2024-37371.md) | 08/30/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: MIT Kerberos | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-37371) | :mag: Ongoing | -| [CVE-2024-37370](./cve-2024-37370.md) | 08/30/24 | 10/10/24 | 
4.4.14 & 4.4.18 & 4.5.2 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-37370) | :mag: Ongoing | -| [CVE-2021-46848](./cve-2021-46848.md) | 9/5/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: GNU Libtasn1 | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-46848) | :mag: Ongoing | -| [CVE-2024-7592](./cve-2024-7592.md) | 9/5/24 | 9/5/24 | 4.4.14 & 4.4.18 | Third-party component: CPython | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) | :mag: Ongoing | -| [CVE-2024-1737](./cve-2024-1737.md) | 9/5/24 | 10/10/24 | 4.4.14 & 4.4.18 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1737) | :mag: Ongoing | -| [CVE-2024-0760](./cve-2024-0760.md) | 9/5/24 | 10/10/24 | 4.4.14 & 4.4.18 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0760) | :mag: Ongoing | -| [CVE-2024-1975](./cve-2024-1975.md) | 9/5/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1975) | :mag: Ongoing | -| [CVE-2024-45490](./cve-2024-45490.md) | 9/5/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45490) | :mag: Ongoing | -| [CVE-2024-45491](./cve-2024-45491.md) | 9/5/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45491) | :mag: Ongoing | -| [CVE-2024-45492](./cve-2024-45492.md) | 9/5/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45492) | :mag: Ongoing | -| [CVE-2024-6232](./cve-2024-6232.md) | 9/5/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) | :mag: Ongoing | -| [CVE-2024-3651](./cve-2024-3651.md) | 9/13/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: kjd | 
[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-3651) | :mag: Ongoing | -| [CVE-2023-24329](./cve-2023-24329.md) | 9/13/24 | 10/10/24 | 4.4.18 | Third-party component: Python | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24329) | :mag: Ongoing | -| [CVE-2022-45061](./cve-2022-45061.md) | 9/13/24 | 10/10/24 | 4.4.18 | Third-party component: Python | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-45061) | :mag: Ongoing | -| [CVE-2022-48560](./cve-2022-48560.md) | 9/13/24 | 10/10/24 | 4.4.18 | Third-party component: Python | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-48560) | :mag: Ongoing | -| [CVE-2022-48565](./cve-2022-48565.md) | 9/13/24 | 10/10/24 | 4.4.18 | Third-party component: Python | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-48565) | :mag: Ongoing | - - - - - -| CVE ID | Initial Pub Date | Modified Date | Product Version | Vulnerability Type | CVSS Severity | Status | -| ----------------------------------------------- | ---------------- | ------------- | ------------------------ | --------------------------------------- | -------------------------------------------------------- | ------------- | -| [CVE-2024-37371](./cve-2024-37371.md) | 08/30/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: MIT Kerberos | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-37371) | :mag: Ongoing | -| [CVE-2019-1010022](./cve-2019-1010022.md) | 08/16/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: GNU Libc | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-1010022) | :mag: Ongoing | -| [CVE-2024-45490](./cve-2024-45490.md) | 9/5/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45490) | :mag: Ongoing | -| [CVE-2019-12900](./cve-2019-12900.md) | 08/16/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: BZ2 | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-12900) | :mag: Ongoing | -| [CVE-2021-46848](./cve-2021-46848.md) | 9/5/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: 
GNU Libtasn1 | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-46848) | :mag: Ongoing | -| [CVE-2024-24790](./cve-2024-24790.md) | 8/6/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-24790) | :mag: Ongoing | -| [CVE-2018-20839](./cve-2018-20839.md) | 08/16/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: MongoDB | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2018-20839) | :mag: Ongoing | -| [CVE-2023-37920](./cve-2023-37920.md) | 08/16/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Certifi | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | :mag: Ongoing | -| [CVE-2024-45491](./cve-2024-45491.md) | 9/5/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45491) | :mag: Ongoing | -| [CVE-2024-45492](./cve-2024-45492.md) | 9/5/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Libexpat | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-45492) | :mag: Ongoing | -| [CVE-2024-38428](./cve-2024-38428.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 | Third-party component: MongoDB | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2024-38428) | :mag: Ongoing | -| [CVE-2024-6232](./cve-2024-6232.md) | 9/5/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6232) | :mag: Ongoing | -| [CVE-2020-36325](./cve-2020-36325.md) | 08/16/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Jansson | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2020-36325) | :mag: Ongoing | -| [CVE-2019-9192](./cve-2019-9192.md) | 08/16/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192) | :mag: Ongoing | -| [CVE-2018-20796](./cve-2018-20796.md) | 08/16/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796) | :mag: Ongoing | -| 
[CVE-2012-2663](./cve-2012-2663.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: iPtables | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2012-2663) | :mag: Ongoing | -| [CVE-2023-47108](./cve-2023-47108.md) | 11/20/23 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | :mag: Ongoing | -| [CVE-2023-45142](./cve-2023-45142.md) | 10/12/23 | 10/10/24 | 4.4.11 & 4.4.14 & 4.4.18 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45142) | :mag: Ongoing | -| [CVE-2022-41409](./cve-2022-41409.md) | 08/16/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41409) | :mag: Ongoing | -| [CVE-2017-11164](./cve-2017-11164.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2017-11164) | :mag: Ongoing | -| [GHSA-m425-mq94-257g](./ghsa-m425-mq94-257g.md) | 10/25/23 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: CoreDNS | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | :mag: Ongoing | -| [CVE-2022-4899](./cve-2022-4899.md) | 08/16/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-4899) | :mag: Ongoing | -| [CVE-2022-41723](./cve-2022-41723.md) | 2/28/23 | 10/10/24 | 4.4.11 & 4.4.14 & 4.4.18 | Third-party component: CoreDNS | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41723) | :mag: Ongoing | -| [CVE-2023-0464](./cve-2023-0464.md) | 3/22/23 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: OpenSSL | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0464) | :mag: Ongoing | -| [CVE-2021-39537](./cve-2021-39537.md) | 08/16/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: MongoDB | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2021-39537) | :mag: Ongoing | -| [CVE-2018-20657](./cve-2018-20657.md) | 08/16/24 | 10/10/24 | 
4.4.18 & 4.5.2 | Third-party component: MongoDB | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20657) | :mag: Ongoing | -| [CVE-2021-42694](./cve-2021-42694.md) | 08/16/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: MongoDB | [8.3](https://nvd.nist.gov/vuln/detail/CVE-2021-42694) | :mag: Ongoing | -| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing | -| [CVE-2024-6197](./cve-2024-6197.md) | 08/27/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Libcurl | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6197) | :mag: Ongoing | -| [CVE-2023-26604](./cve-2023-26604.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 | Third-party component: Ubuntu | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-26604) | :mag: Ongoing | -| [CVE-2023-39325](./cve-2023-39325.md) | 10/11/23 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Go project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | :mag: Ongoing | -| [CVE-2024-37370](./cve-2024-37370.md) | 08/30/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: MIT Kerberos | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-37370) | :mag: Ongoing | -| [CVE-2016-20013](./cve-2016-20013.md) | 08/16/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: Ubuntu | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2016-20013) | :mag: Ongoing | -| [CVE-2024-21626](./cve-2024-21626.md) | 1/3/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: kube-proxy | [8.6](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | :mag: Ongoing | -| [CVE-2024-7592](./cve-2024-7592.md) | 9/5/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: CPython | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-7592) | :mag: Ongoing | -| [CVE-2024-0760](./cve-2024-0760.md) | 9/5/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: ISC | 
[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0760) | :mag: Ongoing | -| [CVE-2024-1737](./cve-2024-1737.md) | 9/5/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1737) | :mag: Ongoing | -| [CVE-2024-1975](./cve-2024-1975.md) | 9/5/24 | 10/10/24 | 4.4.14 & 4.4.18 & 4.5.2 | Third-party component: ISC | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-1975) | :mag: Ongoing | -| [CVE-2022-28357](./cve-2022-28357.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: NATS | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-28357) | :mag: Ongoing | -| [CVE-2022-28948](./cve-2022-28948.md) | 9/15/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Go-Yaml | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948) | :mag: Ongoing | -| [CVE-2022-41724](./cve-2022-41724.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724) | :mag: Ongoing | -| [CVE-2022-41725](./cve-2022-41725.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725) | :mag: Ongoing | -| [CVE-2023-24534](./cve-2023-24534.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534) | :mag: Ongoing | -| [CVE-2023-24536](./cve-2023-24536.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536) | :mag: Ongoing | -| [CVE-2023-24537](./cve-2023-24537.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24537) | :mag: Ongoing | -| [CVE-2023-24538](./cve-2023-24538.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24538) | :mag: Ongoing | -| [CVE-2023-24539](./cve-2023-24539.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: 
Go Project | [7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-24539) | :mag: Ongoing | -| [CVE-2023-24540](./cve-2023-24540.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24540) | :mag: Ongoing | -| [CVE-2023-29400](./cve-2023-29400.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Go Project | [7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-29400) | :mag: Ongoing | -| [CVE-2023-29403](./cve-2023-29403.md) | 9/15/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Go Project | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29403) | :mag: Ongoing | -| [CVE-2023-45287](./cve-2023-45287.md) | 9/15/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Go Project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287) | :mag: Ongoing | -| [CVE-2023-52356](./cve-2023-52356.md) | 9/15/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Libtiff | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52356) | :mag: Ongoing | -| [CVE-2024-0743](./cve-2024-0743.md) | 9/15/24 | 10/10/24 | 4.4.18 & 4.5.2 | Third-party component: Mozilla | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0743) | :mag: Ongoing | -| [CVE-2024-32002](./cve-2024-32002.md) | 9/15/24 | 10/10/24 | 4.4.18 | Third-party component: Github | [9.0](https://nvd.nist.gov/vuln/detail/CVE-2024-32002) | :mag: Ongoing | -| [CVE-2023-49569](./cve-2023-49569.md) | 9/15/24 | 9/19/24 | 4.4.14 | Third-party component: Bitdefender | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-49569) | :mag: Ongoing | - - - diff --git a/docs/docs-content/security-bulletins/reports/reports.mdx b/docs/docs-content/security-bulletins/reports/reports.mdx new file mode 100644 index 0000000000..34f43f5c75 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/reports.mdx 
@@ -0,0 +1,50 @@ +--- +sidebar_label: "CVE Reports" +title: "CVE Reports" +description: "Security bulletins for Common Vulnerabilities and Exposures (CVEs) related to Palette and Palette VerteX" +icon: "" +hide_table_of_contents: true +sidebar_position: 0 +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +import CveReportsTable from "@site/src/components/CveReportsTable"; + +# Security Bulletins + +The vulnerabilities reported in this Security Bulletin include vulnerabilities within the Palette VerteX, Palette +Enterprise, and airgap environments. The reported vulnerabilities also include third-party component vulnerabilities, +which we have become aware of. These vulnerabilities are discovered via our Bug Bounty program, our security monitoring +program, or reported to us by our supply chain. + +:::info + +The CVSS Severity is provided by either the third-party service provider, or NIST CVE. We do not provide the criticality +score for third-party components. Previous security bulletins are available in the +[Security Bulletins Archive](../../unlisted/cve-reports.md). + +::: + +To fix all the vulnerabilities impacting your products, we recommend patching your instances to the latest version +regarding any third-party components. For vulnerabilities originating in our products, we will provide mitigations and +workarounds where applicable. + +### Status + +We use the following statuses to track the progress of each vulnerability. N - 2 means two versions behind the latest +versions. + +| Status | Description | +| ------- | ------------------------------------------------------------------------------------------------------------------------------- | +| Open | The vulnerability has been identified and is pending an investigation. | +| Ongoing | The vulnerability is being investigated. | +| Fixed | The vulnerability has been addressed in the latest versions of Palette or Vertex. Previous versions (N -2) are being worked on. 
| +| Closed | The vulnerability has been addressed in the latest version and in N - 2 versions. | + +### CVE Reports + +By default, the table is sorted to display descending entries that were recently modified. Click on the CVE ID to view +the full details of the vulnerability. + + diff --git a/docs/docs-content/security-bulletins/security-bulletins.md b/docs/docs-content/security-bulletins/security-bulletins.md index 740e161674..16303124de 100644 --- a/docs/docs-content/security-bulletins/security-bulletins.md +++ b/docs/docs-content/security-bulletins/security-bulletins.md @@ -9,6 +9,8 @@ sidebar_custom_props: tags: ["security", "cve"] --- +import CveReportsTable from "@site/src/components/CveReportsTable"; + We aim to provide you with the most up-to-date information about the security of our products and services. No matter how carefully engineered the services are, from time to time, it may be necessary to notify you of security and privacy events with our services, including the security notifications we receive related to the third-party components we @@ -16,9 +18,10 @@ utilize in our products and services. ## Security Bulletins -We release [security bulletins](./reports/reports.md) on regular basis addressing security vulnerabilities in our -software or related third-party components, describing their remediation when available, and providing links to the -applicable updates for affected software when available. + +We release on a daily and ad-hoc basis addressing security vulnerabilities in our software or +related third-party components, describing their remediation when available, and providing links to the applicable +updates for affected software when available. ## Security Advisories @@ -29,4 +32,4 @@ security bulletin. ## Resources -- [Security Bulletins](./reports/reports.md) +- diff --git a/package-lock.json b/package-lock.json index ffea9acbb0..401f030b4c 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -21,7 +21,7 @@
 "@fortawesome/free-solid-svg-icons": "^6.6.0",
 "@fortawesome/react-fontawesome": "^0.2.2",
 "@mdx-js/react": "^3.0.1",
- "antd": "^5.6.2",
+ "antd": "^5.22.2",
 "axios-retry": "^4.5.0",
 "babel-plugin-macros": "^3.1.0",
 "clsx": "^1.2.1",
@@ -58,7 +58,7 @@
 "@typescript-eslint/parser": "^8.2.0",
 "babel-jest": "^29.6.2",
 "dotenv": "^16.3.1",
- "eslint": "^8.45.0",
+ "eslint": "^8.57.0",
 "eslint-config-prettier": "^9.1.0",
 "eslint-plugin-import": "^2.27.5",
 "eslint-plugin-jsx-a11y": "^6.9.0",
@@ -499,32 +499,59 @@ } }, "node_modules/@ant-design/colors": { - "version": "7.0.0", + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/@ant-design/colors/-/colors-7.1.0.tgz", + "integrity": "sha512-MMoDGWn1y9LdQJQSHiCC20x3uZ3CwQnv9QMz6pCmJOrqdgM9YxsoVVY0wtrdXbmfSgnV0KNk6zi09NAhMR2jvg==", "license": "MIT", "dependencies": { - "@ctrl/tinycolor": "^3.4.0" + "@ctrl/tinycolor": "^3.6.1" } }, "node_modules/@ant-design/cssinjs": { - "version": "1.18.1", + "version": "1.22.0", + "resolved": "https://registry.npmjs.org/@ant-design/cssinjs/-/cssinjs-1.22.0.tgz", + "integrity": "sha512-W9XSFeRPR0mAN3OuxfuS/xhENCYKf+8s+QyNNER0FSWoK9OpISTag6CCweg6lq0hASQ/2Vcza0Z8/kGivCP0Ng==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.1", "@emotion/hash": "^0.8.0", "@emotion/unitless": "^0.7.5", "classnames": "^2.3.1", - "csstype": "3.1.2", + "csstype": "^3.1.3", "rc-util": "^5.35.0", - "stylis": "^4.0.13" + "stylis": "^4.3.4" }, "peerDependencies": { "react": ">=16.0.0", "react-dom": ">=16.0.0" } }, - "node_modules/@ant-design/cssinjs/node_modules/csstype": { - "version": "3.1.2", - "license": "MIT" + "node_modules/@ant-design/cssinjs-utils": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@ant-design/cssinjs-utils/-/cssinjs-utils-1.1.1.tgz", + "integrity": "sha512-2HAiyGGGnM0es40SxdszeQAU5iWp41wBIInq+ONTCKjlSKOrzQfnw4JDtB8IBmqE6tQaEKwmzTP2LGdt5DSwYQ==", + "license": "MIT", + "dependencies": { + "@ant-design/cssinjs": "^1.21.0", + "@babel/runtime": "^7.23.2", + "rc-util": "^5.38.0" + }, + "peerDependencies": { + "react": ">=16.9.0", + "react-dom": ">=16.9.0" + } + }, + "node_modules/@ant-design/fast-color": { + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/@ant-design/fast-color/-/fast-color-2.0.6.tgz", + "integrity": "sha512-y2217gk4NqL35giHl72o6Zzqji9O7vHh9YmhUVkPtAOpoTCH4uWxo/pr4VE8t0+ChEPs0qo4eJRC5Q1eXWo3vA==", + "license": "MIT", + "dependencies": { + "@babel/runtime": "^7.24.7" + }, + "engines": { + "node": ">=8.x" + } 
}, "node_modules/@ant-design/icons": { "version": "5.5.1", @@ -550,7 +577,9 @@ "license": "MIT" }, "node_modules/@ant-design/react-slick": { - "version": "1.0.2", + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@ant-design/react-slick/-/react-slick-1.1.2.tgz", + "integrity": "sha512-EzlvzE6xQUBrZuuhSAFTdsr4P2bBBHGZwKFemEfq8gIGyIQCxalYfZW/T2ORbtQx5rU69o+WycP3exY/7T1hGA==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.4", @@ -7296,6 +7325,8 @@ }, "node_modules/@emotion/hash": { "version": "0.8.0", + "resolved": "https://registry.npmjs.org/@emotion/hash/-/hash-0.8.0.tgz", + "integrity": "sha512-kBJtf7PH6aWwZ6fka3zQ0p6SBYzx4fl1LoZXE2RrnYST9Xljm7WfKJrU4g/Xr3Beg72MLrp1AWNUmuYJTL7Cow==", "license": "MIT" }, "node_modules/@emotion/memoize": { @@ -7349,6 +7380,8 @@ }, "node_modules/@emotion/unitless": { "version": "0.7.5", + "resolved": "https://registry.npmjs.org/@emotion/unitless/-/unitless-0.7.5.tgz", + "integrity": "sha512-OWORNpfjMsSSUBVrRBVGECkhWcULOAJz9ZW8uK9qgxD+87M7jHRcvh/A96XXNhXTLmKcoYSQtBEX7lHMO7YRwg==", "license": "MIT" }, "node_modules/@emotion/use-insertion-effect-with-fallbacks": { 
@@ -9804,14 +9837,28 @@ "version": "1.0.0-next.24", "license": "MIT" }, + "node_modules/@rc-component/async-validator": { + "version": "5.0.4", + "resolved": "https://registry.npmjs.org/@rc-component/async-validator/-/async-validator-5.0.4.tgz", + "integrity": "sha512-qgGdcVIF604M9EqjNF0hbUTz42bz/RDtxWdWuU5EQe3hi7M8ob54B6B35rOsvX5eSvIHIzT9iH1R3n+hk3CGfg==", + "license": "MIT", + "dependencies": { + "@babel/runtime": "^7.24.4" + }, + "engines": { + "node": ">=14.x" + } + }, "node_modules/@rc-component/color-picker": { - "version": "1.4.1", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/@rc-component/color-picker/-/color-picker-2.0.1.tgz", + "integrity": "sha512-WcZYwAThV/b2GISQ8F+7650r5ZZJ043E57aVBFkQ+kSY4C6wdofXgB0hBx+GPGpIU0Z81eETNoDUJMr7oy/P8Q==", "license": "MIT", "dependencies": { - "@babel/runtime": "^7.10.1", - "@ctrl/tinycolor": "^3.6.0", + "@ant-design/fast-color": "^2.0.6", + "@babel/runtime": "^7.23.6", "classnames": "^2.2.6", - "rc-util": "^5.30.0" + "rc-util": "^5.38.1" }, "peerDependencies": { "react": ">=16.9.0", @@ -9820,6 +9867,8 @@ }, "node_modules/@rc-component/context": { "version": "1.4.0", + "resolved": "https://registry.npmjs.org/@rc-component/context/-/context-1.4.0.tgz", + "integrity": "sha512-kFcNxg9oLRMoL3qki0OMxK+7g5mypjgaaJp/pkOis/6rVxma9nJBF/8kCIuTYHUQNr0ii7MxqE33wirPZLJQ2w==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -9832,6 +9881,8 @@ }, "node_modules/@rc-component/mini-decimal": { "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@rc-component/mini-decimal/-/mini-decimal-1.1.0.tgz", + "integrity": "sha512-jS4E7T9Li2GuYwI6PyiVXmxTiM6b07rlD9Ge8uGZSCz3WlzcG5ZK7g5bbuKNeZ9pgUuPK/5guV781ujdVpm4HQ==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.0" 
@@ -9858,6 +9909,8 @@ }, "node_modules/@rc-component/portal": { "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@rc-component/portal/-/portal-1.1.2.tgz", + "integrity": "sha512-6f813C0IsasTZms08kfA8kPAGxbbkYToa8ALaiDIGGECU4i9hj8Plgbx0sNJDrey3EtHO30hmdaxtT0138xZcg==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.0", @@ -9872,13 +9925,33 @@ "react-dom": ">=16.9.0" } }, + "node_modules/@rc-component/qrcode": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/@rc-component/qrcode/-/qrcode-1.0.0.tgz", + "integrity": "sha512-L+rZ4HXP2sJ1gHMGHjsg9jlYBX/SLN2D6OxP9Zn3qgtpMWtO2vUfxVFwiogHpAIqs54FnALxraUy/BCO1yRIgg==", + "license": "MIT", + "dependencies": { + "@babel/runtime": "^7.24.7", + "classnames": "^2.3.2", + "rc-util": "^5.38.0" + }, + "engines": { + "node": ">=8.x" + }, + "peerDependencies": { + "react": ">=16.9.0", + "react-dom": ">=16.9.0" + } + }, "node_modules/@rc-component/tour": { - "version": "1.11.1", + "version": "1.15.1", + "resolved": "https://registry.npmjs.org/@rc-component/tour/-/tour-1.15.1.tgz", + "integrity": "sha512-Tr2t7J1DKZUpfJuDZWHxyxWpfmj8EZrqSgyMZ+BCdvKZ6r1UDsfU46M/iWAAFBy961Ssfom2kv5f3UcjIL2CmQ==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.0", "@rc-component/portal": "^1.0.0-9", - "@rc-component/trigger": "^1.3.6", + "@rc-component/trigger": "^2.0.0", "classnames": "^2.3.2", "rc-util": "^5.24.4" }, @@ -9891,7 +9964,9 @@ } }, "node_modules/@rc-component/trigger": { - "version": "1.18.2", + "version": "2.2.5", + "resolved": "https://registry.npmjs.org/@rc-component/trigger/-/trigger-2.2.5.tgz", + "integrity": "sha512-F1EJ4KjFpGAHAjuKvOyZB/6IZDkVx0bHl0M4fQM5wXcmm7lgTgVSSnR3bXwdmS6jOJGHOqfDxIJW3WUvwMIXhQ==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.23.2", 
@@ -13195,57 +13270,60 @@ } }, "node_modules/antd": { - "version": "5.12.2", + "version": "5.22.2", + "resolved": "https://registry.npmjs.org/antd/-/antd-5.22.2.tgz", + "integrity": "sha512-vihhiJbm9VG3d6boUeD1q2MXMax+qBrXhgqCEC+45v8iGUF6m4Ct+lFiCW4oWaN3EABOsbVA6Svy3Rj/QkQFKw==", "license": "MIT", "dependencies": { - "@ant-design/colors": "^7.0.0", - "@ant-design/cssinjs": "^1.18.1", - "@ant-design/icons": "^5.2.6", - "@ant-design/react-slick": "~1.0.2", - "@babel/runtime": "^7.23.4", + "@ant-design/colors": "^7.1.0", + "@ant-design/cssinjs": "^1.21.1", + "@ant-design/cssinjs-utils": "^1.1.1", + "@ant-design/icons": "^5.5.1", + "@ant-design/react-slick": "~1.1.2", + "@babel/runtime": "^7.25.7", "@ctrl/tinycolor": "^3.6.1", - "@rc-component/color-picker": "~1.4.1", + "@rc-component/color-picker": "~2.0.1", "@rc-component/mutate-observer": "^1.1.0", - "@rc-component/tour": "~1.11.1", - "@rc-component/trigger": "^1.18.2", - "classnames": "^2.3.2", + "@rc-component/qrcode": "~1.0.0", + "@rc-component/tour": "~1.15.1", + "@rc-component/trigger": "^2.2.5", + "classnames": "^2.5.1", "copy-to-clipboard": "^3.3.3", - "dayjs": "^1.11.1", - "qrcode.react": "^3.1.0", - "rc-cascader": "~3.20.0", - "rc-checkbox": "~3.1.0", - "rc-collapse": "~3.7.2", - "rc-dialog": "~9.3.4", - "rc-drawer": "~6.5.2", - "rc-dropdown": "~4.1.0", - "rc-field-form": "~1.41.0", - "rc-image": "~7.5.1", - "rc-input": "~1.3.6", - "rc-input-number": "~8.4.0", - "rc-mentions": "~2.9.1", - "rc-menu": "~9.12.4", - "rc-motion": "^2.9.0", - "rc-notification": "~5.3.0", - "rc-pagination": "~4.0.3", - "rc-picker": "~3.14.6", - "rc-progress": "~3.5.1", - "rc-rate": "~2.12.0", + "dayjs": "^1.11.11", + "rc-cascader": "~3.30.0", + "rc-checkbox": "~3.3.0", + "rc-collapse": "~3.9.0", + "rc-dialog": "~9.6.0", + "rc-drawer": "~7.2.0", + "rc-dropdown": "~4.2.0", + "rc-field-form": "~2.5.1", + "rc-image": "~7.11.0", + "rc-input": "~1.6.3", + "rc-input-number": "~9.3.0", + "rc-mentions": "~2.17.0", + "rc-menu": "~9.16.0", + 
"rc-motion": "^2.9.3", + "rc-notification": "~5.6.2", + "rc-pagination": "~4.3.0", + "rc-picker": "~4.8.1", + "rc-progress": "~4.0.0", + "rc-rate": "~2.13.0", "rc-resize-observer": "^1.4.0", - "rc-segmented": "~2.2.2", - "rc-select": "~14.10.0", - "rc-slider": "~10.5.0", + "rc-segmented": "~2.5.0", + "rc-select": "~14.16.3", + "rc-slider": "~11.1.7", "rc-steps": "~6.0.1", "rc-switch": "~4.1.0", - "rc-table": "~7.36.0", - "rc-tabs": "~12.14.1", - "rc-textarea": "~1.5.3", - "rc-tooltip": "~6.1.2", - "rc-tree": "~5.8.2", - "rc-tree-select": "~5.15.0", - "rc-upload": "~4.3.5", - "rc-util": "^5.38.1", + "rc-table": "~7.48.1", + "rc-tabs": "~15.4.0", + "rc-textarea": "~1.8.2", + "rc-tooltip": "~6.2.1", + "rc-tree": "~5.10.1", + "rc-tree-select": "~5.24.4", + "rc-upload": "~4.8.1", + "rc-util": "^5.43.0", "scroll-into-view-if-needed": "^3.1.0", - "throttle-debounce": "^5.0.0" + "throttle-debounce": "^5.0.2" }, "funding": { "type": "opencollective", @@ -13514,10 +13592,6 @@ "node": ">=0.10.0" } }, - "node_modules/array-tree-filter": { - "version": "2.1.0", - "license": "MIT" - }, "node_modules/array-union": { "version": "2.1.0", "license": "MIT", @@ -13750,10 +13824,6 @@ "node": ">= 0.10" } }, - "node_modules/async-validator": { - "version": "4.2.5", - "license": "MIT" - }, "node_modules/asynckit": { "version": "0.4.0", "dev": true, @@ -15864,7 +15934,9 @@ } }, "node_modules/classnames": { - "version": "2.3.2", + "version": "2.5.1", + "resolved": "https://registry.npmjs.org/classnames/-/classnames-2.5.1.tgz", + "integrity": "sha512-saHYOzhIQs6wy2sVxTM6bUDsQO4F50V9RQ22qBpEdCW+I+/Wmke2HOl6lS6dTpdxVhb88/I6+Hs+438c3lfUow==", "license": "MIT" }, "node_modules/clean-css": { 
@@ -30786,6 +30858,8 @@ }, "node_modules/json2mq": { "version": "0.2.0", + "resolved": "https://registry.npmjs.org/json2mq/-/json2mq-0.2.0.tgz", + "integrity": "sha512-SzoRg7ux5DWTII9J2qkrZrqV1gt+rTaoufMxEzXbS26Uid0NwaJd123HcoB80TgubEppxxIGdNxCx50fEoEWQA==", "license": "MIT", "dependencies": { "string-convert": "^0.2.0" @@ -59666,13 +59740,6 @@ ], "license": "MIT" }, - "node_modules/qrcode.react": { - "version": "3.1.0", - "license": "ISC", - "peerDependencies": { - "react": "^16.8.0 || ^17.0.0 || ^18.0.0" - } - }, "node_modules/qs": { "version": "6.5.3", "dev": true, @@ -59815,15 +59882,16 @@ } }, "node_modules/rc-cascader": { - "version": "3.20.0", + "version": "3.30.0", + "resolved": "https://registry.npmjs.org/rc-cascader/-/rc-cascader-3.30.0.tgz", + "integrity": "sha512-rrzSbk1Bdqbu+pDwiLCLHu72+lwX9BZ28+JKzoi0DWZ4N29QYFeip8Gctl33QVd2Xg3Rf14D3yAOG76ElJw16w==", "license": "MIT", "dependencies": { - "@babel/runtime": "^7.12.5", - "array-tree-filter": "^2.1.0", + "@babel/runtime": "^7.25.7", "classnames": "^2.3.1", - "rc-select": "~14.10.0", - "rc-tree": "~5.8.1", - "rc-util": "^5.37.0" + "rc-select": "~14.16.2", + "rc-tree": "~5.10.1", + "rc-util": "^5.43.0" }, "peerDependencies": { "react": ">=16.9.0", @@ -59831,7 +59899,9 @@ } }, "node_modules/rc-checkbox": { - "version": "3.1.0", + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/rc-checkbox/-/rc-checkbox-3.3.0.tgz", + "integrity": "sha512-Ih3ZaAcoAiFKJjifzwsGiT/f/quIkxJoklW4yKGho14Olulwn8gN7hOBve0/WGDg5o/l/5mL0w7ff7/YGvefVw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -59844,7 +59914,9 @@ } }, "node_modules/rc-collapse": { - "version": "3.7.2", + "version": "3.9.0", + "resolved": "https://registry.npmjs.org/rc-collapse/-/rc-collapse-3.9.0.tgz", + "integrity": "sha512-swDdz4QZ4dFTo4RAUMLL50qP0EY62N2kvmk2We5xYdRwcRn8WcYtuetCJpwpaCbUfUt5+huLpVxhvmnK+PHrkA==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", 
@@ -59858,7 +59930,9 @@ } }, "node_modules/rc-dialog": { - "version": "9.3.4", + "version": "9.6.0", + "resolved": "https://registry.npmjs.org/rc-dialog/-/rc-dialog-9.6.0.tgz", + "integrity": "sha512-ApoVi9Z8PaCQg6FsUzS8yvBEQy0ZL2PkuvAgrmohPkN3okps5WZ5WQWPc1RNuiOKaAYv8B97ACdsFU5LizzCqg==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -59873,14 +59947,16 @@ } }, "node_modules/rc-drawer": { - "version": "6.5.2", + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/rc-drawer/-/rc-drawer-7.2.0.tgz", + "integrity": "sha512-9lOQ7kBekEJRdEpScHvtmEtXnAsy+NGDXiRWc2ZVC7QXAazNVbeT4EraQKYwCME8BJLa8Bxqxvs5swwyOepRwg==", "license": "MIT", "dependencies": { - "@babel/runtime": "^7.10.1", + "@babel/runtime": "^7.23.9", "@rc-component/portal": "^1.1.1", "classnames": "^2.2.6", "rc-motion": "^2.6.1", - "rc-util": "^5.36.0" + "rc-util": "^5.38.1" }, "peerDependencies": { "react": ">=16.9.0", @@ -59888,11 +59964,13 @@ } }, "node_modules/rc-dropdown": { - "version": "4.1.0", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/rc-dropdown/-/rc-dropdown-4.2.0.tgz", + "integrity": "sha512-odM8Ove+gSh0zU27DUj5cG1gNKg7mLWBYzB5E4nNLrLwBmYEgYP43vHKDGOVZcJSVElQBI0+jTQgjnq0NfLjng==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.3", - "@rc-component/trigger": "^1.7.0", + "@rc-component/trigger": "^2.0.0", "classnames": "^2.2.6", "rc-util": "^5.17.0" }, @@ -59902,11 +59980,13 @@ } }, "node_modules/rc-field-form": { - "version": "1.41.0", + "version": "2.5.1", + "resolved": "https://registry.npmjs.org/rc-field-form/-/rc-field-form-2.5.1.tgz", + "integrity": "sha512-33hunXwynQJyeae7LS3hMGTXNeRBjiPyPYgB0824EbmLHiXC1EBGyUwRh6xjLRy9c+en5WARYN0gJz5+JAqwig==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.0", - "async-validator": "^4.1.0", + "@rc-component/async-validator": "^5.0.3", "rc-util": "^5.32.2" }, "engines": { 
@@ -59918,13 +59998,15 @@ } }, "node_modules/rc-image": { - "version": "7.5.1", + "version": "7.11.0", + "resolved": "https://registry.npmjs.org/rc-image/-/rc-image-7.11.0.tgz", + "integrity": "sha512-aZkTEZXqeqfPZtnSdNUnKQA0N/3MbgR7nUnZ+/4MfSFWPFHZau4p5r5ShaI0KPEMnNjv4kijSCFq/9wtJpwykw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.2", "@rc-component/portal": "^1.0.2", "classnames": "^2.2.6", - "rc-dialog": "~9.3.4", + "rc-dialog": "~9.6.0", "rc-motion": "^2.6.2", "rc-util": "^5.34.1" }, @@ -59934,7 +60016,9 @@ } }, "node_modules/rc-input": { - "version": "1.3.11", + "version": "1.6.3", + "resolved": "https://registry.npmjs.org/rc-input/-/rc-input-1.6.3.tgz", + "integrity": "sha512-wI4NzuqBS8vvKr8cljsvnTUqItMfG1QbJoxovCgL+DX4eVUcHIjVwharwevIxyy7H/jbLryh+K7ysnJr23aWIA==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.1", @@ -59947,14 +60031,16 @@ } }, "node_modules/rc-input-number": { - "version": "8.4.0", + "version": "9.3.0", + "resolved": "https://registry.npmjs.org/rc-input-number/-/rc-input-number-9.3.0.tgz", + "integrity": "sha512-JQ363ywqRyxwgVxpg2z2kja3CehTpYdqR7emJ/6yJjRdbvo+RvfE83fcpBCIJRq3zLp8SakmEXq60qzWyZ7Usw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", "@rc-component/mini-decimal": "^1.0.1", "classnames": "^2.2.5", - "rc-input": "~1.3.5", - "rc-util": "^5.28.0" + "rc-input": "~1.6.0", + "rc-util": "^5.40.1" }, "peerDependencies": { "react": ">=16.9.0", 
@@ -59962,15 +60048,17 @@ } }, "node_modules/rc-mentions": { - "version": "2.9.1", + "version": "2.17.0", + "resolved": "https://registry.npmjs.org/rc-mentions/-/rc-mentions-2.17.0.tgz", + "integrity": "sha512-sfHy+qLvc+p8jx8GUsujZWXDOIlIimp6YQz7N5ONQ6bHsa2kyG+BLa5k2wuxgebBbH97is33wxiyq5UkiXRpHA==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.22.5", - "@rc-component/trigger": "^1.5.0", + "@rc-component/trigger": "^2.0.0", "classnames": "^2.2.6", - "rc-input": "~1.3.5", - "rc-menu": "~9.12.0", - "rc-textarea": "~1.5.0", + "rc-input": "~1.6.0", + "rc-menu": "~9.16.0", + "rc-textarea": "~1.8.0", "rc-util": "^5.34.1" }, "peerDependencies": { @@ -59979,11 +60067,13 @@ } }, "node_modules/rc-menu": { - "version": "9.12.4", + "version": "9.16.0", + "resolved": "https://registry.npmjs.org/rc-menu/-/rc-menu-9.16.0.tgz", + "integrity": "sha512-vAL0yqPkmXWk3+YKRkmIR8TYj3RVdEt3ptG2jCJXWNAvQbT0VJJdRyHZ7kG/l1JsZlB+VJq/VcYOo69VR4oD+w==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", - "@rc-component/trigger": "^1.17.0", + "@rc-component/trigger": "^2.0.0", "classnames": "2.x", "rc-motion": "^2.4.3", "rc-overflow": "^1.3.1", @@ -59995,12 +60085,14 @@ } }, "node_modules/rc-motion": { - "version": "2.9.0", + "version": "2.9.3", + "resolved": "https://registry.npmjs.org/rc-motion/-/rc-motion-2.9.3.tgz", + "integrity": "sha512-rkW47ABVkic7WEB0EKJqzySpvDqwl60/tdkY7hWP7dYnh5pm0SzJpo54oW3TDUGXV5wfxXFmMkxrzRRbotQ0+w==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.1", "classnames": "^2.2.1", - "rc-util": "^5.21.0" + "rc-util": "^5.43.0" }, "peerDependencies": { "react": ">=16.9.0", 
@@ -60008,7 +60100,9 @@ } }, "node_modules/rc-notification": { - "version": "5.3.0", + "version": "5.6.2", + "resolved": "https://registry.npmjs.org/rc-notification/-/rc-notification-5.6.2.tgz", + "integrity": "sha512-Id4IYMoii3zzrG0lB0gD6dPgJx4Iu95Xu0BQrhHIbp7ZnAZbLqdqQ73aIWH0d0UFcElxwaKjnzNovTjo7kXz7g==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -60026,6 +60120,8 @@ }, "node_modules/rc-overflow": { "version": "1.3.2", + "resolved": "https://registry.npmjs.org/rc-overflow/-/rc-overflow-1.3.2.tgz", + "integrity": "sha512-nsUm78jkYAoPygDAcGZeC2VwIg/IBGSodtOY3pMof4W3M9qRJgqaDYm03ZayHlde3I6ipliAxbN0RUcGf5KOzw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.1", @@ -60039,7 +60135,9 @@ } }, "node_modules/rc-pagination": { - "version": "4.0.3", + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/rc-pagination/-/rc-pagination-4.3.0.tgz", + "integrity": "sha512-UubEWA0ShnroQ1tDa291Fzw6kj0iOeF26IsUObxYTpimgj4/qPCWVFl18RLZE+0Up1IZg0IK4pMn6nB3mjvB7g==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -60052,13 +60150,17 @@ } }, "node_modules/rc-picker": { - "version": "3.14.6", + "version": "4.8.2", + "resolved": "https://registry.npmjs.org/rc-picker/-/rc-picker-4.8.2.tgz", + "integrity": "sha512-I6Nn4ngkRskSD//rsXDvjlEQ8CzX9kPQrUIb7+qTY49erJaa3/oKJWmi6JIxo/A7gy59phNmPTdhKosAa/NrQQ==", "license": "MIT", "dependencies": { - "@babel/runtime": "^7.10.1", - "@rc-component/trigger": "^1.5.0", + "@babel/runtime": "^7.24.7", + "@rc-component/trigger": "^2.0.0", "classnames": "^2.2.1", - "rc-util": "^5.30.0" + "rc-overflow": "^1.3.2", + "rc-resize-observer": "^1.4.0", + "rc-util": "^5.43.0" }, "engines": { "node": ">=8.x" 
@@ -60087,7 +60189,9 @@ } }, "node_modules/rc-progress": { - "version": "3.5.1", + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/rc-progress/-/rc-progress-4.0.0.tgz", + "integrity": "sha512-oofVMMafOCokIUIBnZLNcOZFsABaUw8PPrf1/y0ZBvKZNpOiu5h4AO9vv11Sw0p4Hb3D0yGWuEattcQGtNJ/aw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -60100,7 +60204,9 @@ } }, "node_modules/rc-rate": { - "version": "2.12.0", + "version": "2.13.0", + "resolved": "https://registry.npmjs.org/rc-rate/-/rc-rate-2.13.0.tgz", + "integrity": "sha512-oxvx1Q5k5wD30sjN5tqAyWTvJfLNNJn7Oq3IeS4HxWfAiC4BOXMITNAsw7u/fzdtO4MS8Ki8uRLOzcnEuoQiAw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -60117,6 +60223,8 @@ }, "node_modules/rc-resize-observer": { "version": "1.4.0", + "resolved": "https://registry.npmjs.org/rc-resize-observer/-/rc-resize-observer-1.4.0.tgz", + "integrity": "sha512-PnMVyRid9JLxFavTjeDXEXo65HCRqbmLBw9xX9gfC4BZiSzbLXKzW3jPz+J0P71pLbD5tBMTT+mkstV5gD0c9Q==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.20.7", @@ -60130,7 +60238,9 @@ } }, "node_modules/rc-segmented": { - "version": "2.2.2", + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/rc-segmented/-/rc-segmented-2.5.0.tgz", + "integrity": "sha512-B28Fe3J9iUFOhFJET3RoXAPFJ2u47QvLSYcZWC4tFYNGPEjug5LAxEasZlA/PpAxhdOPqGWsGbSj7ftneukJnw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.1", @@ -60144,11 +60254,13 @@ } }, "node_modules/rc-select": { - "version": "14.10.0", + "version": "14.16.3", + "resolved": "https://registry.npmjs.org/rc-select/-/rc-select-14.16.3.tgz", + "integrity": "sha512-51+j6s3fJJJXB7E+B6W1hM4Tjzv1B/Decooz9ilgegDBt3ZAth1b/xMwYCTrT5BbG2e53XACQsyDib2+3Ro1fg==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", - "@rc-component/trigger": "^1.5.0", + "@rc-component/trigger": "^2.1.1", "classnames": "2.x", "rc-motion": "^2.0.1", "rc-overflow": "^1.3.1", 
@@ -60164,12 +60276,14 @@ } }, "node_modules/rc-slider": { - "version": "10.5.0", + "version": "11.1.7", + "resolved": "https://registry.npmjs.org/rc-slider/-/rc-slider-11.1.7.tgz", + "integrity": "sha512-ytYbZei81TX7otdC0QvoYD72XSlxvTihNth5OeZ6PMXyEDq/vHdWFulQmfDGyXK1NwKwSlKgpvINOa88uT5g2A==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", "classnames": "^2.2.5", - "rc-util": "^5.27.0" + "rc-util": "^5.36.0" }, "engines": { "node": ">=8.x" @@ -60209,15 +60323,17 @@ } }, "node_modules/rc-table": { - "version": "7.36.0", + "version": "7.48.1", + "resolved": "https://registry.npmjs.org/rc-table/-/rc-table-7.48.1.tgz", + "integrity": "sha512-Z4mDKjWg+xz/Ezdw6ivWcbqRpaJ0QfCORRoRrlrw65KSGZLK8OcTdacH22/fyGb8L4It/0/9qcMm8VrVAk/WBw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", "@rc-component/context": "^1.4.0", "classnames": "^2.2.5", "rc-resize-observer": "^1.1.0", - "rc-util": "^5.37.0", - "rc-virtual-list": "^3.11.1" + "rc-util": "^5.41.0", + "rc-virtual-list": "^3.14.2" }, "engines": { "node": ">=8.x" @@ -60228,13 +60344,15 @@ } }, "node_modules/rc-tabs": { - "version": "12.14.1", + "version": "15.4.0", + "resolved": "https://registry.npmjs.org/rc-tabs/-/rc-tabs-15.4.0.tgz", + "integrity": "sha512-llKuyiAVqmXm2z7OrmhX5cNb2ueZaL8ZyA2P4R+6/72NYYcbEgOXibwHiQCFY2RiN3swXl53SIABi2CumUS02g==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.2", "classnames": "2.x", - "rc-dropdown": "~4.1.0", - "rc-menu": "~9.12.0", + "rc-dropdown": "~4.2.0", + "rc-menu": "~9.16.0", "rc-motion": "^2.6.2", "rc-resize-observer": "^1.0.0", "rc-util": "^5.34.1" 
@@ -60248,12 +60366,14 @@ } }, "node_modules/rc-textarea": { - "version": "1.5.3", + "version": "1.8.2", + "resolved": "https://registry.npmjs.org/rc-textarea/-/rc-textarea-1.8.2.tgz", + "integrity": "sha512-UFAezAqltyR00a8Lf0IPAyTd29Jj9ee8wt8DqXyDMal7r/Cg/nDt3e1OOv3Th4W6mKaZijjgwuPXhAfVNTN8sw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", "classnames": "^2.2.1", - "rc-input": "~1.3.5", + "rc-input": "~1.6.0", "rc-resize-observer": "^1.0.0", "rc-util": "^5.27.0" }, @@ -60263,11 +60383,13 @@ } }, "node_modules/rc-tooltip": { - "version": "6.1.2", + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/rc-tooltip/-/rc-tooltip-6.2.1.tgz", + "integrity": "sha512-rws0duD/3sHHsD905Nex7FvoUGy2UBQRhTkKxeEvr2FB+r21HsOxcDJI0TzyO8NHhnAA8ILr8pfbSBg5Jj5KBg==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.11.2", - "@rc-component/trigger": "^1.18.0", + "@rc-component/trigger": "^2.0.0", "classnames": "^2.3.1" }, "peerDependencies": { @@ -60276,7 +60398,9 @@ } }, "node_modules/rc-tree": { - "version": "5.8.2", + "version": "5.10.1", + "resolved": "https://registry.npmjs.org/rc-tree/-/rc-tree-5.10.1.tgz", + "integrity": "sha512-FPXb3tT/u39mgjr6JNlHaUTYfHkVGW56XaGDahDpEFLGsnPxGcVLNTjcqoQb/GNbSCycl7tD7EvIymwOTP0+Yw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.10.1", @@ -60294,14 +60418,16 @@ } }, "node_modules/rc-tree-select": { - "version": "5.15.0", + "version": "5.24.5", + "resolved": "https://registry.npmjs.org/rc-tree-select/-/rc-tree-select-5.24.5.tgz", + "integrity": "sha512-PnyR8LZJWaiEFw0SHRqo4MNQWyyZsyMs8eNmo68uXZWjxc7QqeWcjPPoONN0rc90c3HZqGF9z+Roz+GLzY5GXA==", "license": "MIT", "dependencies": { - "@babel/runtime": "^7.10.1", + "@babel/runtime": "^7.25.7", "classnames": "2.x", - "rc-select": "~14.10.0", - "rc-tree": "~5.8.1", - "rc-util": "^5.16.1" + "rc-select": "~14.16.2", + "rc-tree": "~5.10.1", + "rc-util": "^5.43.0" }, "peerDependencies": { "react": "*", 
@@ -60309,7 +60435,9 @@ } }, "node_modules/rc-upload": { - "version": "4.3.5", + "version": "4.8.1", + "resolved": "https://registry.npmjs.org/rc-upload/-/rc-upload-4.8.1.tgz", + "integrity": "sha512-toEAhwl4hjLAI1u8/CgKWt30BR06ulPa4iGQSMvSXoHzO88gPCslxqV/mnn4gJU7PDoltGIC9Eh+wkeudqgHyw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.3", @@ -60322,7 +60450,9 @@ } }, "node_modules/rc-util": { - "version": "5.38.1", + "version": "5.43.0", + "resolved": "https://registry.npmjs.org/rc-util/-/rc-util-5.43.0.tgz", + "integrity": "sha512-AzC7KKOXFqAdIBqdGWepL9Xn7cm3vnAmjlHqUnoQaTMZYhM4VlXGLkkHHxj/BZ7Td0+SOPKB4RGPboBVKT9htw==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.18.3", @@ -60338,7 +60468,9 @@ "license": "MIT" }, "node_modules/rc-virtual-list": { - "version": "3.11.3", + "version": "3.15.0", + "resolved": "https://registry.npmjs.org/rc-virtual-list/-/rc-virtual-list-3.15.0.tgz", + "integrity": "sha512-dF2YQztqrU3ijAeWOqscTshCEr7vpimzSqAVjO1AyAmaqcHulaXpnGR0ptK5PXfxTUy48VkJOiglMIxlkYGs0w==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.20.0", @@ -60350,8 +60482,8 @@ "node": ">=8.x" }, "peerDependencies": { - "react": "*", - "react-dom": "*" + "react": ">=16.9.0", + "react-dom": ">=16.9.0" } }, "node_modules/rc/node_modules/strip-json-comments": { @@ -61802,6 +61934,8 @@ }, "node_modules/resize-observer-polyfill": { "version": "1.5.1", + "resolved": "https://registry.npmjs.org/resize-observer-polyfill/-/resize-observer-polyfill-1.5.1.tgz", + "integrity": "sha512-LwZrotdHOo12nQuZlHEmtuXdqGoOD0OhaxopaNFxWzInpEgaLWoVuAMbTzixuosCx2nEG58ngzW3vxdWoxIgdg==", "license": "MIT" }, "node_modules/resolve": { @@ -63976,6 +64110,8 @@ }, "node_modules/string-convert": { "version": "0.2.1", + "resolved": "https://registry.npmjs.org/string-convert/-/string-convert-0.2.1.tgz", + "integrity": "sha512-u/1tdPl4yQnPBjnVrmdLo9gtuLvELKsAoRapekWggdiQNvvvum+jYF329d84NAa660KQw7pB2n36KrIKVoXa3A==", "license": "MIT" }, "node_modules/string-length": { 
@@ -64340,7 +64476,9 @@
 }
 },
 "node_modules/stylis": {
- "version": "4.3.0",
+ "version": "4.3.4",
+ "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.3.4.tgz",
+ "integrity": "sha512-osIBl6BGUmSfDkyH2mB7EFvCJntXDrLhKjHTRj/rK6xLH0yuPrHULDRQzKokSOD4VoorhtKpfcfW1GAntu8now==",
 "license": "MIT"
 },
 "node_modules/stylus": {
@@ -65329,7 +65467,9 @@
 }
 },
 "node_modules/throttle-debounce": {
- "version": "5.0.0",
+ "version": "5.0.2",
+ "resolved": "https://registry.npmjs.org/throttle-debounce/-/throttle-debounce-5.0.2.tgz",
+ "integrity": "sha512-B71/4oyj61iNH0KeCamLuE2rmKuTO5byTOSVwECM5FA7TiAiAW+UqTKZ9ERueC4qvgSttUhdmq1mXC3kJqGX7A==",
 "license": "MIT",
 "engines": {
 "node": ">=12.22"
diff --git a/package.json b/package.json
index 036f52f1e5..12188dfaed 100644
--- a/package.json
+++ b/package.json
@@ -5,8 +5,9 @@
 "scripts": {
 "docusaurus": "docusaurus",
 "start": "docusaurus start --host 0.0.0.0 --port 9000",
- "build": "npm run generate-api-docs && npm run generate-partials && docusaurus build",
+ "build": "npm run generate-api-docs && npm run cves && npm run generate-partials && docusaurus build",
 "swizzle": "docusaurus swizzle",
+ "cves": "node utils/cves/index.js",
 "deploy": "docusaurus deploy",
 "clear": "docusaurus clear",
 "serve": "docusaurus serve",
@@ -19,7 +20,7 @@
 "clean-api-docs": "docusaurus clean-api-docs palette && docusaurus clean-api-docs emc",
 "run-api-parser": "node utils/api-parser/index.js",
 "generate-partials": "./scripts/generate-partials.sh",
- "lint": "eslint . --ext .js,.ts,.jsx,.tsx",
+ "lint": "eslint . -c .eslintrc.js --ext .js,.ts,.jsx,.tsx",
 "lint:fix": "npm run lint -- --fix",
 "format": "prettier --write \"**/*.{js,jsx,json,ts,tsx,md,mdx,css}\"",
 "format-check": "prettier . --check"
@@ -47,7 +48,7 @@
 "@fortawesome/free-solid-svg-icons": "^6.6.0",
 "@fortawesome/react-fontawesome": "^0.2.2",
 "@mdx-js/react": "^3.0.1",
- "antd": "^5.6.2",
+ "antd": "^5.22.2",
 "axios-retry": "^4.5.0",
 "babel-plugin-macros": "^3.1.0",
 "clsx": "^1.2.1",
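Review bot: The new `cves` script is chained into `build` ahead of `generate-partials` and `docusaurus build`, but nothing here documents what `node utils/cves/index.js` fetches or how the build behaves when that fetch fails, so every CI build now carries an undocumented external dependency. If the script generates the per-CVE markdown that `reports.mdx` links to from remote API data (the script itself is not in this hunk), the generator should treat every interpolated field as untrusted and escape MDX-significant characters such as `<`, `{` and `}`, because MDX compiles embedded JSX and expressions instead of rendering them as text. A header comment in `utils/cves/index.js` naming the data source, the output directory, and the exit behavior on a failed or empty response would make the build-time contract explicit; the `-c .eslintrc.js` addition to `lint` also presumes that file exists at the repo root, which this diff does not show.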
@@ -84,7 +85,7 @@ "@typescript-eslint/parser": "^8.2.0", "babel-jest": "^29.6.2", "dotenv": "^16.3.1", - "eslint": "^8.45.0", + "eslint": "^8.57.0", "eslint-config-prettier": "^9.1.0", "eslint-plugin-import": "^2.27.5", "eslint-plugin-jsx-a11y": "^6.9.0", diff --git a/redirects.js b/redirects.js index 46e0cc47b8..540407df81 100644 --- a/redirects.js +++ b/redirects.js 
@@ -665,6 +665,91 @@ let redirects = [ from: "/user-management/project-association/", to: "/user-management/palette-rbac/assign-a-role/", }, + { + from: [ + "/security-bulletins/reports/cve-2005-2541", + "/security-bulletins/reports/cve-2012-2663", + "/security-bulletins/reports/cve-2015-20107", + "/security-bulletins/reports/cve-2015-8855", + "/security-bulletins/reports/cve-2016-1585", + "/security-bulletins/reports/cve-2016-20013", + "/security-bulletins/reports/cve-2017-11164", + "/security-bulletins/reports/cve-2018-20225", + "/security-bulletins/reports/cve-2018-20657", + "/security-bulletins/reports/cve-2018-20796", + "/security-bulletins/reports/cve-2018-20839", + "/security-bulletins/reports/cve-2019-1010022", + "/security-bulletins/reports/cve-2019-12900", + "/security-bulletins/reports/cve-2019-17543", + "/security-bulletins/reports/cve-2019-19244", + "/security-bulletins/reports/cve-2019-9192", + "/security-bulletins/reports/cve-2019-9674", + "/security-bulletins/reports/cve-2019-9923", + "/security-bulletins/reports/cve-2019-9936", + "/security-bulletins/reports/cve-2019-9937", + "/security-bulletins/reports/cve-2020-35512", + "/security-bulletins/reports/cve-2020-36325", + "/security-bulletins/reports/cve-2021-3737", + "/security-bulletins/reports/cve-2021-39537", + "/security-bulletins/reports/cve-2021-42694", + "/security-bulletins/reports/cve-2021-46848", + "/security-bulletins/reports/cve-2022-0391", + "/security-bulletins/reports/cve-2022-23990", + "/security-bulletins/reports/cve-2022-25883", + "/security-bulletins/reports/cve-2022-28357", + "/security-bulletins/reports/cve-2022-28948", + "/security-bulletins/reports/cve-2022-41409", + "/security-bulletins/reports/cve-2022-41723", + "/security-bulletins/reports/cve-2022-41724", + "/security-bulletins/reports/cve-2022-41725", + "/security-bulletins/reports/cve-2022-45061", + "/security-bulletins/reports/cve-2022-48560", + "/security-bulletins/reports/cve-2022-48565", + 
"/security-bulletins/reports/cve-2022-4899", + "/security-bulletins/reports/cve-2023-0464", + "/security-bulletins/reports/cve-2023-24329", + "/security-bulletins/reports/cve-2023-24534", + "/security-bulletins/reports/cve-2023-24536", + "/security-bulletins/reports/cve-2023-24537", + "/security-bulletins/reports/cve-2023-24538", + "/security-bulletins/reports/cve-2023-24539", + "/security-bulletins/reports/cve-2023-24540", + "/security-bulletins/reports/cve-2023-26604", + "/security-bulletins/reports/cve-2023-27534", + "/security-bulletins/reports/cve-2023-29400", + "/security-bulletins/reports/cve-2023-29403", + "/security-bulletins/reports/cve-2023-29499", + "/security-bulletins/reports/cve-2023-32636", + "/security-bulletins/reports/cve-2023-37920", + "/security-bulletins/reports/cve-2023-39325", + "/security-bulletins/reports/cve-2023-4156", + "/security-bulletins/reports/cve-2023-44487", + "/security-bulletins/reports/cve-2023-45142", + "/security-bulletins/reports/cve-2023-45287", + "/security-bulletins/reports/cve-2023-47108", + "/security-bulletins/reports/cve-2023-49569", + "/security-bulletins/reports/cve-2023-52356", + "/security-bulletins/reports/cve-2024-0743", + "/security-bulletins/reports/cve-2024-0760", + "/security-bulletins/reports/cve-2024-1737", + "/security-bulletins/reports/cve-2024-1975", + "/security-bulletins/reports/cve-2024-21626", + "/security-bulletins/reports/cve-2024-24790", + "/security-bulletins/reports/cve-2024-32002", + "/security-bulletins/reports/cve-2024-35325", + "/security-bulletins/reports/cve-2024-3651", + "/security-bulletins/reports/cve-2024-37370", + "/security-bulletins/reports/cve-2024-37371", + "/security-bulletins/reports/cve-2024-38428", + "/security-bulletins/reports/cve-2024-45490", + "/security-bulletins/reports/cve-2024-45491", + "/security-bulletins/reports/cve-2024-45492", + "/security-bulletins/reports/cve-2024-6197", + "/security-bulletins/reports/cve-2024-6232", + 
"/security-bulletins/reports/cve-2024-7592", + ], + to: "/security-bulletins/reports/", + }, ]; if (packRedirects.length > 0) { diff --git a/src/components/CveReportsTable/CveReportTable.module.scss b/src/components/CveReportsTable/CveReportTable.module.scss new file mode 100644 index 0000000000..c83c25192c --- /dev/null +++ b/src/components/CveReportsTable/CveReportTable.module.scss @@ -0,0 +1,35 @@ +.wrapper { + display: flex; + flex-direction: column; + align-items: center; + justify-content: center; + + .tabPane { + padding-top: 15px; + font-size: 16px; + width: 100%; + // Karl's workaround for reducing the jank issue where the tabs disappear when refreshing the page. + // The spinner is displayed while the page is loading, and the entire table is hidden until the page is fully loaded. + min-height: 300px; + } +} + +.tableContainer { + display: block; + + @media (max-width: 768px) { + display: none; + } +} + +.unsupportedMessage { + display: none; + + @media (max-width: 768px) { + display: block; + text-align: center; + padding: 20px; + font-size: 1.2em; + color: #555; + } +} diff --git a/src/components/CveReportsTable/CveReportsTable.tsx b/src/components/CveReportsTable/CveReportsTable.tsx new file mode 100644 index 0000000000..324a92a862 --- /dev/null +++ b/src/components/CveReportsTable/CveReportsTable.tsx 
@@ -0,0 +1,273 @@ +import React, { useState, useEffect, useMemo } from "react"; +import { Tabs, ConfigProvider, Table, theme, Spin } from "antd"; +import { useColorMode } from "@docusaurus/theme-common"; +import useIsBrowser from "@docusaurus/useIsBrowser"; +import Link from "@docusaurus/Link"; +import type { ColumnsType } from "antd/es/table"; +import Admonition from "@theme/Admonition"; +import styles from "./CveReportTable.module.scss"; +import semver from "semver"; + +interface CveData { + palette: Cve[]; + paletteAirgap: Cve[]; + vertex: Cve[]; + vertexAirgap: Cve[]; +} + +interface Cve { + metadata: { + uid: string; + cve: string; + summary: string; + cvssScore: number; + nistSeverity: string; + trivySeverity: string; + grypeSeverity: string; + cvePublishedTimestamp: string; + cveLastModifiedTimestamp: string; + advCreatedTimestamp: string; + advLastModifiedTimestamp: string; + }; + spec: { + assessment: { + thirdParty: { + isDependentOnThirdParty: boolean; + }; + }; + impact: { + impactedVersions: string[]; + }; + }; + status: { + status: string; + }; +} + +interface MinimizedCve { + metadata: { + uid: string; + cve: string; + cvssScore: number; + cvePublishedTimestamp: string; + cveLastModifiedTimestamp: string; + }; + spec: { + assessment: { + thirdParty: { + isDependentOnThirdParty: boolean; + }; + }; + impact: { + impactedVersions: string[]; + }; + }; + status: { + status: string; + }; +} + +type CveDataUnion = + | CveData + | { + palette: MinimizedCve[]; + paletteAirgap: MinimizedCve[]; + vertex: MinimizedCve[]; + vertexAirgap: MinimizedCve[]; + }; + +export default function CveReportsTable() { + const [data, setData] = useState(null); + const [loading, setLoading] = useState(true); + const isBrowser = useIsBrowser(); + const [activeTabKey, setActiveTabKey] = useState("palette"); + const { colorMode } = useColorMode(); + const { defaultAlgorithm, darkAlgorithm } = theme; + + useEffect(() => { + if (isBrowser) { + const hash = 
window.location.hash?.replace("#", "") || "palette"; + setActiveTabKey(hash); + } + }, [isBrowser]); + + useEffect(() => { + const minimizeData = (entry: Cve): MinimizedCve => ({ + metadata: { + uid: entry.metadata.uid, + cve: entry.metadata.cve, + cvssScore: entry.metadata.cvssScore, + cvePublishedTimestamp: entry.metadata.cvePublishedTimestamp, + cveLastModifiedTimestamp: entry.metadata.cveLastModifiedTimestamp, + }, + spec: { + assessment: { + thirdParty: { isDependentOnThirdParty: entry.spec.assessment.thirdParty.isDependentOnThirdParty }, + }, + impact: { impactedVersions: entry.spec.impact.impactedVersions }, + }, + status: { status: entry.status.status }, + }); + + const loadData = async () => { + try { + const response = (await import("../../../.docusaurus/security-bulletins/default/data.json")).default; // eslint-disable-line @typescript-eslint/no-unsafe-member-access + const responseData = response as CveData; + + const reducedData: CveDataUnion = { + palette: responseData.palette.map(minimizeData), + paletteAirgap: responseData.paletteAirgap.map(minimizeData), + vertex: responseData.vertex.map(minimizeData), + vertexAirgap: responseData.vertexAirgap.map(minimizeData), + }; + setData(reducedData); + } catch (error) { + console.error("Error loading data:", error); + } finally { + setLoading(false); + } + }; + + loadData().catch((error) => console.error("Error loading data:", error)); + }, []); + + useEffect(() => { + if (isBrowser) { + window.location.hash = activeTabKey; + } + }, [activeTabKey, isBrowser]); + + const columns: ColumnsType = useMemo( + () => [ + { + title: "CVE ID", + dataIndex: ["metadata", "cve"], + key: "cve", + sorter: (a, b) => a.metadata.cve.localeCompare(b.metadata.cve), + render: (cve: string, record) => ( + + {cve} + + ), + }, + { + title: "Initial Pub Date", + dataIndex: ["metadata", "cvePublishedTimestamp"], + key: "publishedDateTime", + sorter: (a, b) => + new Date(a.metadata.cvePublishedTimestamp).getTime() - new 
Date(b.metadata.cvePublishedTimestamp).getTime(), + render: (text: string) => new Date(text).toLocaleDateString(), + }, + { + title: "Modified Date", + dataIndex: ["metadata", "cveLastModifiedTimestamp"], + key: "modifiedDateTime", + sorter: (a, b) => + new Date(a.metadata.cveLastModifiedTimestamp).getTime() - + new Date(b.metadata.cveLastModifiedTimestamp).getTime(), + render: (text: string) => new Date(text).toLocaleDateString(), + defaultSortOrder: "descend", + }, + { + title: "Product Version", + dataIndex: ["spec", "impact", "impactedVersions"], + key: "productVersion", + sorter: (a, b) => { + const versionsA = a.spec.impact.impactedVersions.sort(semver.compare).reverse(); + const versionsB = b.spec.impact.impactedVersions.sort(semver.compare).reverse(); + return semver.compare(versionsB[0] || "0.0.0", versionsA[0] || "0.0.0"); + }, + render: (impactedVersions: string[]) => { + const sortedVersions = impactedVersions.sort(semver.compare).reverse().slice(0, 3); + return sortedVersions.join(", ") + (impactedVersions.length > 3 ? ", ..." : ""); + }, + }, + { + title: "Third Party Vulnerability", + dataIndex: ["spec", "assessment", "thirdParty", "isDependentOnThirdParty"], + key: "vulnerabilityType", + sorter: (a, b) => + a.spec.assessment.thirdParty.isDependentOnThirdParty === b.spec.assessment.thirdParty.isDependentOnThirdParty + ? 0 + : 1, + render: (record) => (record ? "Yes" : "No"), + }, + { + title: "CVSS Severity", + dataIndex: ["metadata", "cvssScore"], + key: "baseScore", + sorter: (a, b) => a.metadata.cvssScore - b.metadata.cvssScore, + render: (baseScore: number, record) => ( + {baseScore} + ), + }, + { + title: "Status", + key: "status", + sorter: (a, b) => a.status.status.localeCompare(b.status.status), + render: (record: MinimizedCve) => { + const status = record.status.status; + return status === "Open" || status === "Ongoing" ? 🔍 {status} : ✅ {status}; + }, + }, + ], + [] + ); + + const renderCveTable = (cveList: MinimizedCve[]) => ( +
+ record.metadata.uid} + pagination={{ + pageSizeOptions: ["25", "50", "100", "500", "1000"], + defaultPageSize: 100, + showSizeChanger: true, + }} + scroll={{ y: 800 }} + bordered={true} + tableLayout="fixed" + sticky={true} + /> + + ); + + const tabs = useMemo( + () => [ + { label: "Palette Enterprise", key: "palette", children: renderCveTable(data?.palette || []) }, + { label: "Palette Enterprise Airgap", key: "paletteAirgap", children: renderCveTable(data?.paletteAirgap || []) }, + { label: "VerteX", key: "vertex", children: renderCveTable(data?.vertex || []) }, + { label: "VerteX Airgap", key: "vertexAirgap", children: renderCveTable(data?.vertexAirgap || []) }, + ], + [data] + ); + + if (loading) { + return ( + + ); + } + + return ( +
+ +
+ + The current screen size is not supported. Use a larger display to access the CVE table. + +
+
+ setActiveTabKey(key)} + items={tabs} + destroyInactiveTabPane={false} + type="card" + /> +
+
+
+ ); +} diff --git a/src/components/CveReportsTable/index.ts b/src/components/CveReportsTable/index.ts new file mode 100644 index 0000000000..0cfd2630e3 --- /dev/null +++ b/src/components/CveReportsTable/index.ts @@ -0,0 +1,3 @@ +import CveReportsTable from "./CveReportsTable"; + +export default CveReportsTable; diff --git a/utils/cves/index.js b/utils/cves/index.js new file mode 100644 index 0000000000..43d6b10281 --- /dev/null +++ b/utils/cves/index.js 
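Review bot: The Product Version column's `sorter` and `render` sort `impactedVersions` in place (`.sort(semver.compare).reverse()` on the record's own array, twice per comparison), mutating table state during render, and `semver.compare` throws on any label that is not valid semver, which would take down the whole table rather than one cell; copy and guard first, as in the rewrite below. The Third Party Vulnerability `sorter` returns only `0` or `1`, never a negative value, so the comparator is inconsistent and the resulting order is undefined; `Number(a.spec.assessment.thirdParty.isDependentOnThirdParty) - Number(b.spec.assessment.thirdParty.isDependentOnThirdParty)` gives a proper ordering. The tab key read from `window.location.hash` is written to `activeTabKey` (and back to the URL) without being checked against the four known keys, so an arbitrary hash leaves the Tabs with no active pane; validate against `["palette", "paletteAirgap", "vertex", "vertexAirgap"]` before `setActiveTabKey`. When `DISABLE_SECURITY_INTEGRATIONS` is set the generated `data.json` is `{}`, so `responseData.palette.map` throws and is only logged; `(responseData.palette ?? []).map(minimizeData)` for each key keeps the page rendering with empty tables. The JSX markup in this hunk appears to have been stripped in rendering, so the render bodies themselves could not be reviewed here.
```typescript
// Module scope, next to the interfaces: a non-mutating, throw-free descending sort.
const sortedVersionsDesc = (versions: string[]): string[] =>
  [...versions].filter((v) => semver.valid(v) !== null).sort(semver.rcompare);

// … unchanged: CVE ID, Initial Pub Date, Modified Date columns …
{
  title: "Product Version",
  dataIndex: ["spec", "impact", "impactedVersions"],
  key: "productVersion",
  sorter: (a, b) =>
    semver.compare(
      sortedVersionsDesc(b.spec.impact.impactedVersions)[0] ?? "0.0.0",
      sortedVersionsDesc(a.spec.impact.impactedVersions)[0] ?? "0.0.0"
    ),
  render: (impactedVersions: string[]) => {
    const top = sortedVersionsDesc(impactedVersions).slice(0, 3);
    return top.join(", ") + (impactedVersions.length > 3 ? ", ..." : "");
  },
},
{
  title: "Third Party Vulnerability",
  dataIndex: ["spec", "assessment", "thirdParty", "isDependentOnThirdParty"],
  key: "vulnerabilityType",
  sorter: (a, b) =>
    Number(a.spec.assessment.thirdParty.isDependentOnThirdParty) -
    Number(b.spec.assessment.thirdParty.isDependentOnThirdParty),
  render: (record) => (record ? "Yes" : "No"),
},
// … unchanged: CVSS Severity and Status columns …
```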
@@ -0,0 +1,283 @@ +const { api, callRateLimitAPI } = require("./requests"); +const { existsSync, mkdirSync } = require("node:fs"); +const { logger } = require("@docusaurus/logger"); +const fs = require("fs").promises; +const path = require("path"); +const { formatDateCveDetails } = require("../helpers/date"); +const { escapeMDXSpecialChars } = require("../helpers/string"); +const { generateMarkdownTable } = require("../helpers/affected-table"); +const { generateRevisionHistory } = require("../helpers/revision-history"); + +async function getSecurityBulletins(payload) { + try { + return await callRateLimitAPI(() => api.post(`https://dso.teams.spectrocloud.com/v1/advisories`, payload)); + } catch (error) { + logger.error(error); + logger.error("Error:", error.response ? error.response.data || error.response.status : error.message); + } +} + +async function generateCVEs() { + let GlobalCVEData = {}; + + const securityBulletins = new Map(); + const dirname = path.join(".docusaurus", "security-bulletins", "default"); + const filename = path.join(dirname, "data.json"); + + if (process.env.DISABLE_SECURITY_INTEGRATIONS === "true") { + logger.info("Security integrations are disabled. Skipping generation of security bulletins."); + if (!existsSync(dirname) || !existsSync(filename)) { + // Write the security bulletins data to a JSON file + mkdirSync(dirname, { recursive: true }); + await fs.writeFile(filename, JSON.stringify({}, null, 2)); + } + return; + } + + if (existsSync(dirname) && existsSync(filename)) { + logger.info("Security bulletins JSON file already exists. 
Skipping fetching."); + GlobalCVEData = JSON.parse(await fs.readFile(filename, "utf-8")); + } else { + logger.info("Fetching security bulletins..."); + + try { + const palette = await getSecurityBulletins({ + filters: [ + { + field: "metadata.nistSeverity", + operator: "in", + options: ["CRITICAL", "HIGH"], + }, + { + field: "spec.impact.impactedProducts.palette", + operator: "ex", + }, + { + field: "spec.impact.impactedDeployments.connected", + operator: "ex", + }, + ], + }); + const paletteAirgap = await getSecurityBulletins({ + filters: [ + { + field: "metadata.nistSeverity", + operator: "in", + options: ["CRITICAL", "HIGH"], + }, + { + field: "spec.impact.impactedProducts.palette", + operator: "ex", + }, + { + field: "spec.impact.impactedDeployments.airgap", + operator: "ex", + }, + ], + }); + const vertex = await getSecurityBulletins({ + filters: [ + { + field: "metadata.nistSeverity", + operator: "in", + options: ["CRITICAL", "HIGH"], + }, + { + field: "spec.impact.impactedProducts.vertex", + operator: "ex", + }, + { + field: "spec.impact.impactedDeployments.connected", + operator: "ex", + }, + ], + }); + const vertexAirgap = await getSecurityBulletins({ + filters: [ + { + field: "metadata.nistSeverity", + operator: "in", + options: ["CRITICAL", "HIGH"], + }, + { + field: "spec.impact.impactedProducts.vertex", + operator: "ex", + }, + { + field: "spec.impact.impactedDeployments.airgap", + operator: "ex", + }, + ], + }); + + securityBulletins.set("palette", palette); + securityBulletins.set("paletteAirgap", paletteAirgap); + securityBulletins.set("vertex", vertex); + securityBulletins.set("vertexAirgap", vertexAirgap); + + // const plainObject = Object.fromEntries(securityBulletins); + const plainObject = Object.fromEntries( + Array.from(securityBulletins.entries()).map(([key, value]) => [key, value.data]) + ); + GlobalCVEData = plainObject; + + // Write the security bulletins data to a JSON file + mkdirSync(dirname, { recursive: true }); + await 
fs.writeFile(filename, JSON.stringify(GlobalCVEData, null, 2)); + + logger.info("Finished fetching security bulletins data."); + } catch (error) { + logger.error(error); + logger.error("Error:", error.response ? error.response.status : error.message); + } + } + + await generateMarkdownForCVEs(GlobalCVEData); +} + +async function generateMarkdownForCVEs(GlobalCVEData) { + const allCVEs = Object.values(GlobalCVEData).reduce((acc, curr) => acc.concat(curr), []); + + // To generate the Impact Product & Versions table we need to track all the instances of the same CVE + // The following hashmap will store the data for each CVE and aggregate the impact data for each product + const cveImpactMap = {}; + + for (const item of allCVEs) { + // Let's add the CVE to the map if it doesn't exist + // We can take all of the values from the first instance of the CVE + // Future instances will update the values if they are true + if (!cveImpactMap[item.metadata.cve]) { + cveImpactMap[item.metadata.cve] = { + versions: item.spec.impact.impactedVersions, + impactsPaletteEnterprise: item.spec.impact.impactedProducts.palette, + impactsPaletteEnterpriseAirgap: item.spec.impact.impactedDeployments.airgap, + impactsVerteX: item.spec.impact.impactedProducts.vertex, + impactsVerteXAirgap: item.spec.impact.impactedDeployments.airgap, + }; + } + + // If the CVE already exists in the map, we need to update the values + // But only if the value is true. If the value is false, we don't need to update it. 
+ if (cveImpactMap[item.metadata.cve]) { + cveImpactMap[item.metadata.cve].versions = [ + ...cveImpactMap[item.metadata.cve].versions, + ...item.spec.impact.impactedVersions, + ]; + + if (item.spec.impact.impactedProducts.palette) { + cveImpactMap[item.metadata.cve].impactsPaletteEnterprise = true; + } + + if (item.spec.impact.impactedDeployments.airgap) { + cveImpactMap[item.metadata.cve].impactsPaletteEnterpriseAirgap = true; + } + + if (item.spec.impact.impactedProducts.vertex) { + cveImpactMap[item.metadata.cve].impactsVerteX = true; + } + + if (item.spec.impact.impactedDeployments.airgap) { + cveImpactMap[item.metadata.cve].impactsVerteXAirgap = true; + } + } + } + + const markdownPromises = allCVEs.map((item) => + createCveMarkdown(item, cveImpactMap[item.metadata.cve], "docs/docs-content/security-bulletins/reports/") + ); + + const results = await Promise.all(markdownPromises); + + const failedFiles = results.filter((result) => !result.success); + + if (failedFiles.length > 0) { + logger.error("Failed to generate the following markdown files:"); + failedFiles.forEach((failure) => { + logger.error(`File: ${failure.file}, Error: ${failure.error.message}`); + }); + } + + logger.success("All security bulletin markdown files generated."); +} + +function createCveMarkdown(item, cveImpactData, location) { + const upperCaseCve = item.metadata.cve.toUpperCase(); + const revisions = item.spec.revision; + const uid = item.metadata.uid.toLowerCase(); + + // Generate a table of impacted products + let table = generateMarkdownTable(cveImpactData); + let revisionHistory = generateRevisionHistory(revisions); + + const content = `--- +sidebar_label: "${upperCaseCve}" +title: "${upperCaseCve}" +description: "Lifecycle of ${upperCaseCve}" +sidebar_class_name: "hide-from-sidebar" +hide_table_of_contents: false +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[${upperCaseCve}](https://nvd.nist.gov/vuln/detail/${upperCaseCve}) + +## Initial 
Publication + +${formatDateCveDetails(item.metadata.advCreatedTimestamp)} + +## Last Update + +${formatDateCveDetails(item.metadata.advLastModifiedTimestamp)} + +${item.spec.assessment?.thirdParty?.dependentPackage != "" ? `## Third Party Dependency \n\n${item.spec.assessment.thirdParty.dependentPackage}` : "This CVE does not have a third party dependency."} + + +## NIST CVE Summary + +${escapeMDXSpecialChars(item.metadata.summary)} + +## CVE Severity + +${item.metadata.cvssScore} + +## Our Official Summary + +${item.spec.assessment.justification ? escapeMDXSpecialChars(item.spec.assessment.justification) : "Investigation is ongoing to determine how this vulnerability affects our products."} + +## Status + +${item.status.status} + +## Affected Products & Versions + +${item.spec.impact.isImpacting ? table : "This CVE is non-impacting as the impacting symbol and/or function is not used in the product"} + + +## Revision History + +${revisionHistory ? revisionHistory : "No revision history available."} +`; + + const filePath = path.join(location, `${uid}.md`); + + // Return a promise and include the CVE or file path in the error log + return fs + .writeFile(filePath, content) + .then(() => ({ + success: true, + file: filePath, + })) + .catch((err) => { + console.error(`Error writing file for ${upperCaseCve} at ${filePath}:`, err); + return { + success: false, + file: filePath, + error: err, + }; + }); +} + +// Call the main function to generate CVEs +generateCVEs(); diff --git a/utils/cves/requests.js b/utils/cves/requests.js new file mode 100644 index 0000000000..1d240728ef --- /dev/null +++ b/utils/cves/requests.js 
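Review bot: In `generateMarkdownForCVEs` both `impactsPaletteEnterpriseAirgap` and `impactsVerteXAirgap` are derived from the same `impactedDeployments.airgap` flag with no regard to which product the record belongs to, at initialisation and again in the merge block, so an advisory that only impacts Palette airgap is published with VerteX Airgap marked "Impacted" (and vice versa) while the VerteX column next to it says "No Impact"; condition each airgap flag on its product flag, as in the rewrite below. `uid` and `metadata.cve` come from the advisory service and are interpolated straight into `path.join(location, `${uid}.md`)` and into the YAML front matter with no validation, so a single malformed record can write outside the reports directory or break the front matter; a guard such as `if (!/^[a-z0-9._-]+$/i.test(uid)) throw new Error(`Refusing to write advisory with unsafe uid: ${uid}`);` before the write closes that. `dependentPackage != ""` is true for `undefined`, so an advisory with no third-party package renders a "Third Party Dependency" heading followed by the literal text `undefined`; a truthiness test (`item.spec.assessment?.thirdParty?.dependentPackage ? … : …`) fixes it. The top-level `generateCVEs();` is neither awaited nor given a `.catch`, and a failed fetch only logs before `logger.success("All security bulletin markdown files generated.")` runs, so a broken advisory feed still lets `npm run build` succeed with an empty or stale bulletin set; set `process.exitCode = 1` on the fetch-failure and `failedFiles` paths. Finally, `logger.error(error)` on an axios error may serialise `error.config.headers`, which carries the `Authorization` value, so prefer logging `error.message` and `error.response?.status` only.
```javascript
// … unchanged: allCVEs flattening, cveImpactMap declaration …
for (const item of allCVEs) {
  const { impactedProducts, impactedDeployments, impactedVersions } = item.spec.impact;

  if (!cveImpactMap[item.metadata.cve]) {
    cveImpactMap[item.metadata.cve] = {
      versions: [],
      impactsPaletteEnterprise: false,
      impactsPaletteEnterpriseAirgap: false,
      impactsVerteX: false,
      impactsVerteXAirgap: false,
    };
  }
  const entry = cveImpactMap[item.metadata.cve];

  entry.versions = [...entry.versions, ...impactedVersions];
  // An airgap record only counts for the product that record is about.
  if (impactedProducts.palette) entry.impactsPaletteEnterprise = true;
  if (impactedProducts.palette && impactedDeployments.airgap) entry.impactsPaletteEnterpriseAirgap = true;
  if (impactedProducts.vertex) entry.impactsVerteX = true;
  if (impactedProducts.vertex && impactedDeployments.airgap) entry.impactsVerteXAirgap = true;
}
// … unchanged: markdown generation and failure reporting …
```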
@@ -0,0 +1,52 @@
+const axios = require("axios");
+const axiosRetry = require("axios-retry").default;
+const { pRateLimit } = require("p-ratelimit");
+require("dotenv").config();
+
+const SECURITY_BULLETIN_URL = "https://dso.teams.spectrocloud.com";
+
+// Ensure that the authentication token is available in the environment
+const authToken = process.env.DSO_AUTH_TOKEN;
+if (!authToken) {
+  throw new Error("DSO_AUTH_TOKEN must be set in the environment to use this plugin.");
+}
+
+const api = axios.create({
+  baseURL: SECURITY_BULLETIN_URL,
+  timeout: 120000, // 2 minutes timeout
+  headers: {
+    "Content-Type": "application/json",
+    Authorization: "Basic " + authToken, // Use the environment variable for auth token
+  },
+});
+
+// Set up rate limiting using pRateLimit
+const limit = pRateLimit({
+  interval: 2000, // 2 seconds
+  rate: 10, // 10 API calls per interval
+  concurrency: 1, // no more than 1 running at once
+});
+
+axiosRetry(api, {
+  retries: 3, // Retry up to 3 times
+  retryDelay: axiosRetry.exponentialDelay, // Exponential backoff starting with 1 second
+  retryCondition(error) {
+    // Retry based on status codes
+    switch (error.response?.status) {
+      case 500:
+      case 404:
+      case 501:
+      case 429:
+        return true;
+      default:
+        return false;
+    }
+  },
+});
+
+// Function to handle API calls with rate limiting
+function callRateLimitAPI(delayedApiCall) {
+  return limit(delayedApiCall);
+}
+
+module.exports = { api, callRateLimitAPI };
diff --git a/utils/helpers/affected-table.js b/utils/helpers/affected-table.js
new file mode 100644
index 0000000000..da23a3d27b
--- /dev/null
+++ b/utils/helpers/affected-table.js
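Review bot: `throw new Error("DSO_AUTH_TOKEN must be set …")` runs at module load, and `utils/cves/index.js` requires this module on its first line, before it checks `DISABLE_SECURITY_INTEGRATIONS`, so the documented opt-out still aborts the build on any machine without the token; resolve the credential lazily instead, e.g. build the client in an exported `createApi()` that reads `process.env.DSO_AUTH_TOKEN` and throws only when index.js actually enters the fetch path. The `retryCondition` retries 404 but not 502/503/504: a 404 is a stable answer and retrying it three times with backoff only delays the failure, whereas the gateway errors are the transient responses a rate-limited upstream typically returns, so `case 502: case 503: case 504:` in place of `case 404:` is the better set (and on 429 the `Retry-After` header, if present, should win over `exponentialDelay`). Since the value is sent as `Authorization: Basic …`, add a short comment stating that the env var is expected to hold the already base64-encoded credential so that nobody pastes a raw `user:password` into CI secrets.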
@@ -0,0 +1,48 @@
+const semver = require("semver");
+
+function generateMarkdownTable(cveImpactMap) {
+  if (!cveImpactMap || typeof cveImpactMap !== "object") {
+    throw new Error("Invalid input: cveImpactMap must be an object.");
+  }
+
+  const impactData = {
+    "Palette Enterprise": cveImpactMap.impactsPaletteEnterprise,
+    "Palette Enterprise Airgap": cveImpactMap.impactsPaletteEnterpriseAirgap,
+    VerteX: cveImpactMap.impactsVerteX,
+    "VerteX Airgap": cveImpactMap.impactsVerteXAirgap,
+  };
+
+  const allProductsFalse = Object.values(impactData).every((value) => value === false);
+  if (allProductsFalse) {
+    return "Investigation is ongoing to determine how this vulnerability affects our products";
+  }
+
+  const anyProductTrue = Object.values(impactData).some((value) => value === true);
+  if (anyProductTrue && (!cveImpactMap.versions || cveImpactMap.versions.length === 0)) {
+    throw new Error("Error: Data inconsistency - Products impacted but no versions provided.");
+  }
+
+  // Create the header row with the specified order
+  const header = `| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |\n`;
+  const separator = `| - | -------- | -------- | -------- | -------- |\n`;
+
+  // const uniqueVersions = Array.from(new Set(cveImpactMap.versions)).sort((a, b) => b.localeCompare(a));
+  const uniqueVersions = Array.from(new Set(cveImpactMap.versions)).sort(semver.rcompare);
+
+  const rows = uniqueVersions
+    .map((version) => {
+      const row = [
+        `| ${version}`,
+        impactData["Palette Enterprise"] ? "Impacted" : "No Impact",
+        impactData["Palette Enterprise Airgap"] ? "Impacted" : "No Impact",
+        impactData["VerteX"] ? "Impacted" : "No Impact",
+        impactData["VerteX Airgap"] ? "Impacted" : "No Impact",
+      ].join(" | ");
+      return row + " |";
+    })
+    .join("\n");
+
+  return header + separator + rows;
+}
+
+module.exports = { generateMarkdownTable };
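Review bot: Both `throw new Error(...)` sites here, and the `TypeError` that `semver.rcompare` raises for any label that is not valid semver, propagate synchronously out of `createCveMarkdown` in `utils/cves/index.js`, which only catches the `fs.writeFile` rejection, so one inconsistent advisory aborts markdown generation for every CVE and surfaces as an unhandled rejection instead of an entry in `failedFiles`. Either have the caller wrap this call in its try, or make the function total for bad data: return the investigation message for the inconsistent case and sort with a guard, `Array.from(new Set(cveImpactMap.versions)).filter((v) => semver.valid(v)).sort(semver.rcompare)`, logging any labels dropped. The `every((value) => value === false)` test also treats a missing flag (`undefined`) as neither true nor false, so a record whose product flags are absent renders a full "No Impact" table rather than the ongoing-investigation message; `every((value) => !value)` is the safer predicate.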
diff --git a/utils/helpers/affected-table.test.js b/utils/helpers/affected-table.test.js new file mode 100644 index 0000000000..5cda941769 --- /dev/null +++ b/utils/helpers/affected-table.test.js @@ -0,0 +1,47 @@ +const { generateMarkdownTable } = require("./affected-table"); + +describe("generateMarkdownTable", () => { + it("should generate a markdown table for two products with mixed impact", () => { + const cveImpactMap = { + versions: ["4.4.20", "4.5.3"], + impactsPaletteEnterprise: true, + impactsPaletteEnterpriseAirgap: false, + impactsVerteX: false, + impactsVerteXAirgap: false, + }; + + const expectedTable = `| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap | +|-|--------|--------|--------|--------| +| 4.5.3 | Impacted | No Impact | No Impact | No Impact | +| 4.4.20 | Impacted | No Impact | No Impact | No Impact |`; + + expect(generateMarkdownTable(cveImpactMap).replace(/\s+/g, "")).toBe(expectedTable.replace(/\s+/g, "")); + }); + + it("should return investigation message when all products are not impacted", () => { + const cveImpactMap = { + versions: ["4.4.20", "4.5.3"], + impactsPaletteEnterprise: false, + impactsPaletteEnterpriseAirgap: false, + impactsVerteX: false, + impactsVerteXAirgap: false, + }; + + const expectedMessage = "Investigation is ongoing to determine how this vulnerability affects our products"; + expect(generateMarkdownTable(cveImpactMap)).toBe(expectedMessage); + }); + + it("should throw an error when products are impacted but no versions are provided", () => { + const cveImpactMap = { + versions: [], + impactsPaletteEnterprise: true, + impactsPaletteEnterpriseAirgap: false, + impactsVerteX: false, + impactsVerteXAirgap: false, + }; + + expect(() => generateMarkdownTable(cveImpactMap)).toThrow( + "Error: Data inconsistency - Products impacted but no versions provided." + ); + }); +}); diff --git a/utils/helpers/date.js b/utils/helpers/date.js new file mode 100644 index 0000000000..d49b8dcb84 
--- /dev/null
+++ b/utils/helpers/date.js
@@ -0,0 +1,23 @@
+function getTodayFormattedDate() {
+  const options = { timeZone: "America/Los_Angeles", year: "numeric", month: "2-digit", day: "2-digit" };
+  const formattedDate = new Date().toLocaleDateString("en-CA", options);
+  return formattedDate;
+}
+
+function formatDateCveDetails(isoString) {
+  const date = new Date(isoString);
+
+  // Check if the date is valid
+  if (isNaN(date.getTime())) {
+    console.warn(`Invalid date string: ${isoString}`);
+    return "N/A"; // or an appropriate placeholder for invalid dates
+  }
+
+  const month = String(date.getUTCMonth() + 1).padStart(2, "0"); // Pad month to 2 digits
+  const day = String(date.getUTCDate()).padStart(2, "0"); // Pad day to 2 digits
+  const year = date.getUTCFullYear();
+
+  return `${month}/${day}/${year}`;
+}
+
+module.exports = { getTodayFormattedDate, formatDateCveDetails };
diff --git a/utils/helpers/dates.test.js b/utils/helpers/dates.test.js
new file mode 100644
index 0000000000..d06e062284
--- /dev/null
+++ b/utils/helpers/dates.test.js
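Review bot: `formatDateCveDetails(null)` returns `01/01/1970` rather than `N/A`, because `new Date(null)` is the epoch and passes the `isNaN` check; the advisory payload is JSON, which cannot carry `undefined`, so a missing timestamp arrives as `null` or an absent key, and only the absent-key case is handled today. Add `if (isoString == null) return "N/A";` before constructing the date (dates.test.js covers `undefined` but not `null`). Note also that this helper formats with the UTC getters while `getTodayFormattedDate` uses `America/Los_Angeles`, so a timestamp shortly after midnight UTC is shown one day later than the Pacific date the rest of the script reasons in; if the two are meant to agree, format here with `toLocaleDateString("en-US", { timeZone: "America/Los_Angeles", month: "2-digit", day: "2-digit", year: "numeric" })` instead.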
@@ -0,0 +1,51 @@ +const { getTodayFormattedDate, formatDateCveDetails } = require("./date"); + +describe("getTodayFormattedDate", () => { + it("should return today's date formatted as YYYY-MM-DD in America/Los_Angeles timezone", () => { + const options = { timeZone: "America/Los_Angeles", year: "numeric", month: "2-digit", day: "2-digit" }; + const expectedDate = new Date().toLocaleDateString("en-CA", options); + + expect(getTodayFormattedDate()).toBe(expectedDate); + }); + + it("should return the date in YYYY-MM-DD format", () => { + const formattedDate = getTodayFormattedDate(); + expect(formattedDate).toMatch(/^\d{4}-\d{2}-\d{2}$/); // Check for correct format + }); +}); + +describe("formatDateCveDetails", () => { + it("should format ISO string date to MM/DD/YYYY with zero-padded month and day", () => { + const isoString = "2023-09-05T00:00:00Z"; + const formattedDate = formatDateCveDetails(isoString); + + expect(formattedDate).toBe("09/05/2023"); + }); + + it("should handle leap years correctly", () => { + const isoString = "2024-02-29T00:00:00Z"; + const formattedDate = formatDateCveDetails(isoString); + + expect(formattedDate).toBe("02/29/2024"); + }); + + it("should return the correct date even with different time zones in the input", () => { + const isoString = "2023-09-20T15:00:00Z"; // Time zone is UTC but should still give the same day in UTC + const formattedDate = formatDateCveDetails(isoString); + + expect(formattedDate).toBe("09/20/2023"); + }); + + it("should return 'N/A' for an invalid date string", () => { + const invalidDate = "invalid-date"; + const formattedDate = formatDateCveDetails(invalidDate); + + expect(formattedDate).toBe("N/A"); + }); + + it("should return 'N/A' for undefined input", () => { + const formattedDate = formatDateCveDetails(undefined); + + expect(formattedDate).toBe("N/A"); + }); +}); diff --git a/utils/helpers/revision-history.js b/utils/helpers/revision-history.js new file mode 100644 index 0000000000..29f9a36647 
--- /dev/null
+++ b/utils/helpers/revision-history.js
@@ -0,0 +1,104 @@
+const { formatDateCveDetails } = require("./date");
+
+/**
+ * Generates a markdown table for revision history, sorted by newest entries first
+ * @param {Array} revisions - An array of revision objects
+ * @returns {string} - The markdown table as a string
+ */
+function generateRevisionHistory(revisions) {
+ const headers = ["Date", "Revision"];
+ const headerRow = `| ${headers.join(" | ")} |`;
+ const separatorRow = `| ${headers.map(() => "---").join(" | ")} |`;
+
+ // Sort revisions by timestamp in descending order, only if revisions array is not empty
+ const sortedRevisions = revisions.length
+ ? [...revisions].sort((a, b) => new Date(b.revisionTimestamp) - new Date(a.revisionTimestamp))
+ : [];
+
+ const rows = sortedRevisions.reduce((acc, { revisionTimestamp, revisedField, revisedFrom, revisedTo }) => {
+ const description = getItemDescription(revisedField, revisedFrom, revisedTo);
+
+ if (!description) return acc;
+
+ const formattedDate = formatDateCveDetails(revisionTimestamp);
+ acc.push(`| ${formattedDate} | ${description} |`);
+ return acc;
+ }, []);
+
+ return `${headerRow}\n${separatorRow}\n${rows.join("\n")}`;
+}
+
+/**
+ * Generates a description for a revision item based on field, from, and to values
+ * @param {string} revisedField - The field that was revised
+ * @param {string} revisedFrom - The previous value of the field
+ * @param {string} revisedTo - The new value of the field
+ * @returns {string} - A human-readable description of the revision
+ */
+function getItemDescription(revisedField, revisedFrom, revisedTo) {
+ let itemDescription = "";
+
+ revisedField = revisedField.replace(/(\r\n|\n|\r)/gm, "");
+ revisedFrom = revisedFrom.replace(/(\r\n|\n|\r)/gm, "");
+ revisedTo = revisedTo.replace(/(\r\n|\n|\r)/gm, "");
+
+ switch (revisedField) {
+ case "spec.assessment.justification":
+ itemDescription = getJustificationDescription(revisedFrom, revisedTo);
+ break;
+
+ case "metadata.nistSeverity":
+ itemDescription =
getSeverityDescription(revisedFrom, revisedTo);
+ break;
+
+ case "spec.impact.impactedVersions":
+ itemDescription = getImpactedVersionsDescription(revisedFrom, revisedTo);
+ break;
+
+ case "status.status":
+ itemDescription = revisedFrom !== revisedTo ? `Status changed from ${revisedFrom} to ${revisedTo}` : "";
+ break;
+
+ case "spec.impact.isImpacting":
+ itemDescription =
+ revisedFrom === "false" && revisedTo === "true"
+ ? "Advisory is now impacting."
+ : revisedFrom === "true" && revisedTo === "false"
+ ? "Advisory is no longer impacting."
+ : "";
+ break;
+
+ default:
+ return ""; // Return early if no matching case
+ }
+
+ return itemDescription;
+}
+
+function getJustificationDescription(revisedFrom, revisedTo) {
+ if (!revisedFrom && revisedTo) return "Official summary added";
+ if (revisedFrom && !revisedTo) return "Official summary removed";
+ if (revisedFrom && revisedTo) return `Official summary revised: ${revisedTo}`;
+ return "";
+}
+
+function getSeverityDescription(revisedFrom, revisedTo) {
+ if (revisedFrom === "UNKNOWN") return `Advisory assigned with ${revisedTo} severity`;
+ if (revisedFrom !== revisedTo) return `Advisory severity revised to ${revisedTo} from ${revisedFrom}`;
+ return "";
+}
+
+function getImpactedVersionsDescription(revisedFrom, revisedTo) {
+ const formattedFrom = formatArray(revisedFrom);
+ const formattedTo = formatArray(revisedTo);
+
+ return revisedFrom === "[]"
+ ? `Added impacted versions: ${formattedTo}`
+ : `Impacted versions changed from ${formattedFrom} to ${formattedTo}`;
+}
+
+function formatArray(value) {
+ return value.replace(/\s+/g, ", ").replace(/^\[|\]$/g, "");
+}
+
+module.exports = { generateRevisionHistory };
diff --git a/utils/helpers/revision-history.test.js b/utils/helpers/revision-history.test.js
new file mode 100644
index 0000000000..396cf48a4c
--- /dev/null
+++ b/utils/helpers/revision-history.test.js
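Review bot: `getItemDescription` calls `.replace` on `revisedField`, `revisedFrom` and `revisedTo` before any check, so a single revision record whose value is `null` or `undefined` (plausible for a field being set for the first time, given that `getJustificationDescription` already treats an empty `revisedFrom` as "added") throws and aborts the whole table for that advisory; normalising with `String(value ?? "")` keeps the falsy-string semantics the helpers rely on. Separately, the row pushed in `generateRevisionHistory` interpolates feed-supplied text (`revisedTo`, version lists, status values) straight into a markdown/MDX table cell: a `|` splits the cell and `{` or `<` is live MDX syntax, so a malformed or malicious advisory summary can break or alter the generated page. This commit adds `escapeMDXSpecialChars` in `utils/helpers/string.js`; unless the caller (outside this hunk) already escapes the finished table, apply it plus a `\|` escape where the row is built. `revisions.length` likewise throws for an undefined input; `(revisions ?? []).length` would be safer.
```javascript
const { formatDateCveDetails } = require("./date");
const { escapeMDXSpecialChars } = require("./string");

// … unchanged: generateRevisionHistory header/separator rows and sort …
    const formattedDate = formatDateCveDetails(revisionTimestamp);
    // Advisory text comes from an external feed: escape MDX syntax and the
    // table delimiter so one entry cannot break or alter the rendered page.
    acc.push(`| ${formattedDate} | ${escapeMDXSpecialChars(description).replace(/\|/g, "\\|")} |`);
// … unchanged: rest of generateRevisionHistory …

function getItemDescription(revisedField, revisedFrom, revisedTo) {
  let itemDescription = "";

  // A missing value (null/undefined from the feed) must not throw and abort the whole table.
  const stripNewlines = (value) => String(value ?? "").replace(/(\r\n|\n|\r)/gm, "");
  revisedField = stripNewlines(revisedField);
  revisedFrom = stripNewlines(revisedFrom);
  revisedTo = stripNewlines(revisedTo);
  // … unchanged: switch on revisedField and return …
```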
@@ -0,0 +1,186 @@
+const { generateRevisionHistory } = require("./revision-history");
+
+describe("generateRevisionHistory", () => {
+ it("should generate history for justification field changes", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "",
+ revisedTo: "Summary text added",
+ },
+ {
+ revisionTimestamp: "2024-10-17T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "Summary text added",
+ revisedTo: "Revised summary text",
+ },
+ {
+ revisionTimestamp: "2024-10-18T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "Revised summary text",
+ revisedTo: "",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/18/2024 | Official summary removed |",
+ "| 10/17/2024 | Official summary revised: Revised summary text |",
+ "| 10/16/2024 | Official summary added |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("should generate history for NIST severity changes", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "metadata.nistSeverity",
+ revisedFrom: "UNKNOWN",
+ revisedTo: "CRITICAL",
+ },
+ {
+ revisionTimestamp: "2024-10-17T05:50:00.194Z",
+ revisedField: "metadata.nistSeverity",
+ revisedFrom: "CRITICAL",
+ revisedTo: "HIGH",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/17/2024 | Advisory severity revised to HIGH from CRITICAL |",
+ "| 10/16/2024 | Advisory assigned with CRITICAL severity |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("should generate history for impacted versions changes", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "spec.impact.impactedVersions",
+ revisedFrom: "[]",
+
revisedTo: "[4.4.20]",
+ },
+ {
+ revisionTimestamp: "2024-10-17T05:50:00.194Z",
+ revisedField: "spec.impact.impactedVersions",
+ revisedFrom: "[4.4.20]",
+ revisedTo: "[4.4.20 4.5.3]",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/17/2024 | Impacted versions changed from 4.4.20 to 4.4.20, 4.5.3 |",
+ "| 10/16/2024 | Added impacted versions: 4.4.20 |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("should generate history for status changes", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "status.status",
+ revisedFrom: "OPEN",
+ revisedTo: "CLOSED",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/16/2024 | Status changed from OPEN to CLOSED |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("should generate history for isImpacting changes", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "spec.impact.isImpacting",
+ revisedFrom: "false",
+ revisedTo: "true",
+ },
+ {
+ revisionTimestamp: "2024-10-17T05:50:00.194Z",
+ revisedField: "spec.impact.isImpacting",
+ revisedFrom: "true",
+ revisedTo: "false",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/17/2024 | Advisory is no longer impacting. |",
+ "| 10/16/2024 | Advisory is now impacting.
|",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("should sort revisions with newest entries at the top", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-15T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "",
+ revisedTo: "Initial summary",
+ },
+ {
+ revisionTimestamp: "2024-10-17T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "Initial summary",
+ revisedTo: "Updated summary",
+ },
+ {
+ revisionTimestamp: "2024-10-16T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "Updated summary",
+ revisedTo: "Final summary",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/17/2024 | Official summary revised: Updated summary |",
+ "| 10/16/2024 | Official summary revised: Final summary |",
+ "| 10/15/2024 | Official summary added |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+
+ it("newlines are removed from description", () => {
+ const revisionHistory = [
+ {
+ revisionTimestamp: "2024-10-15T05:50:00.194Z",
+ revisedField: "spec.assessment.justification",
+ revisedFrom: "Investigation is ongoing to determine how this vulnerability impacts our products.\n",
+ revisedTo:
+ "This vulnerability in pam_access allows hostname spoofing to bypass restrictions intended for specific local TTYs or services This enables attackers with minimal effort to exploit gaps in security policies that rely on access.conf configurations. \n\nThis is reported on a few of the third party images which do not use pam_access. So risk of exploitation is low.
Impact of exploit is also low, since these containers present a minimal attack surface.\n",
+ },
+ ];
+
+ const expectedOutput = [
+ "| Date | Revision |",
+ "| --- | --- |",
+ "| 10/15/2024 | Official summary revised: This vulnerability in pam_access allows hostname spoofing to bypass restrictions intended for specific local TTYs or services This enables attackers with minimal effort to exploit gaps in security policies that rely on access.conf configurations. This is reported on a few of the third party images which do not use pam_access. So risk of exploitation is low. Impact of exploit is also low, since these containers present a minimal attack surface. |",
+ ].join("\n");
+
+ expect(generateRevisionHistory(revisionHistory)).toBe(expectedOutput);
+ });
+});
diff --git a/utils/helpers/string.js b/utils/helpers/string.js
new file mode 100644
index 0000000000..dbbe068ba5
--- /dev/null
+++ b/utils/helpers/string.js
@@ -0,0 +1,16 @@
+function escapeMDXSpecialChars(str) {
+ if (typeof str !== "string") {
+ return "";
+ }
+
+ // Escape special MDX characters by adding a backslash in front of them
+ return str
+ .replace(/\\/g, "\\\\") // Escape backslash
+ .replace(/{/g, "\\{") // Escape opening curly brace
+ .replace(/}/g, "\\}") // Escape closing curly brace
+ .replace(/`/g, "\\`") // Escape backticks
+ .replace(//g, "\\>"); // Escape greater-than sign
+}
+
+module.exports = { escapeMDXSpecialChars };
diff --git a/utils/helpers/string.test.js b/utils/helpers/string.test.js
new file mode 100644
index 0000000000..f2e54ee3b1
--- /dev/null
+++ b/utils/helpers/string.test.js
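Review bot: The suite never exercises the paths where `generateRevisionHistory` skips or degrades: an empty `revisions` array, an entry with an unrecognised `revisedField` (the `default` branch yields an empty description and the row is dropped), or an entry whose `revisedFrom`/`revisedTo` is missing, which currently throws inside `getItemDescription`. The empty case would also pin an output quirk worth making explicit, `expect(generateRevisionHistory([])).toBe("| Date | Revision |\n| --- | --- |\n");` — the trailing newline comes from joining zero rows. A case whose `revisedTo` contains `|` or `{` would document whether table-breaking characters from the advisory feed are meant to be escaped by this helper or by its caller.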
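Review bot: As rendered here the last call reads `.replace(//g, "\\>")`, which is not valid JavaScript (`//` opens a line comment), and the test in `utils/helpers/string.test.js` expects `<` to be escaped as well, so the `<` replacement was most likely lost when the page was rendered; worth confirming against the repository. The function also has no doc comment; it deserves a JSDoc block stating that it escapes MDX/JSX syntax (backslash, braces, backtick, angle brackets) so feed-supplied text can be embedded in generated `.mdx` files without being parsed as an expression or a tag, that it is not an HTML sanitiser, and that markdown structure characters such as `|`, `*`, `_` and `#` pass through untouched, so callers placing text in a table must escape `|` themselves. The order of the chain is load-bearing — escaping backslashes first is what keeps the later inserted backslashes from being doubled — and a one-line comment such as `// Backslash must be escaped first so the escapes added below are not re-escaped` would stop someone reordering it.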
@@ -0,0 +1,57 @@
+const { escapeMDXSpecialChars } = require("./string");
+
+describe("escapeMDXSpecialChars", () => {
+ it("should escape all special MDX characters", () => {
+ const input = "\\ { } ` < >";
+ const expectedOutput = "\\\\ \\{ \\} \\` \\< \\>";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+
+ it("should handle strings without special characters", () => {
+ const input = "Hello World";
+ const expectedOutput = "Hello World";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+
+ it("should return an empty string if input is not a string", () => {
+ expect(escapeMDXSpecialChars(null)).toBe("");
+ expect(escapeMDXSpecialChars(123)).toBe("");
+ expect(escapeMDXSpecialChars({})).toBe("");
+ expect(escapeMDXSpecialChars([])).toBe("");
+ expect(escapeMDXSpecialChars(undefined)).toBe("");
+ });
+
+ it("should escape only MDX special characters and leave others intact", () => {
+ const input = "Hello {world} is a `test` \\ string!";
+ const expectedOutput = "Hello \\{world\\} \\ is a \\`test\\` \\\\ string!";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+
+ it("should handle a string with only backslashes correctly", () => {
+ const input = "\\\\";
+ const expectedOutput = "\\\\\\\\";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+
+ it("should escape MDX special characters when they appear multiple times", () => {
+ const input = "{}{}<<>>``";
+ const expectedOutput = "\\{\\}\\{\\}\\<\\<\\>\\>\\`\\`";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+
+ it("should handle an empty string input", () => {
+ expect(escapeMDXSpecialChars("")).toBe("");
+ });
+
+ it("should not modify numeric characters or punctuation marks other than MDX special characters", () => {
+ const input = "12345 ,.!? ";
+ const expectedOutput = "12345 ,.!? ";
+
+ expect(escapeMDXSpecialChars(input)).toBe(expectedOutput);
+ });
+});
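Review bot: The expectation in "should escape only MDX special characters and leave others intact" contains `\\ ` between `\\}` and `is a`, but the input `"Hello {world} is a `test` \\ string!"` has no backslash at that position, so with the escaping shown this assertion cannot pass; either the input lost a `\\` in rendering or the expected string is wrong and should read `"Hello \\{world\\} is a \\`test\\` \\\\ string!"`. A case for text that is already escaped would also be valuable, e.g. input `"\\{"` expecting `"\\\\\\{"`, since double-escaping is the usual regression when this helper ends up applied twice along the generation pipeline.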