diff options
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/containers.scm | 1 | ||||
| -rw-r--r-- | tests/cve-sample.json | 1279 | ||||
| -rw-r--r-- | tests/cve-sample.xml | 616 | ||||
| -rw-r--r-- | tests/cve.scm | 85 | ||||
| -rw-r--r-- | tests/guix-build.sh | 4 | ||||
| -rw-r--r-- | tests/guix-daemon.sh | 21 | ||||
| -rw-r--r-- | tests/guix-graph.sh | 8 | ||||
| -rw-r--r-- | tests/guix-package.sh | 10 | ||||
| -rw-r--r-- | tests/lint.scm | 40 | ||||
| -rw-r--r-- | tests/networking.scm | 19 | ||||
| -rw-r--r-- | tests/store.scm | 13 |
11 files changed, 1427 insertions, 669 deletions
diff --git a/tests/containers.scm b/tests/containers.scm index 01fbcbb45a..7b63e5c108 100644 --- a/tests/containers.scm +++ b/tests/containers.scm @@ -269,6 +269,7 @@ (lset= string=? (cons* "." ".." (map basename reqs)) (pk (call-with-input-file result read)))))))))) +(skip-if-unsupported) (test-assert "eval/container, non-empty load path" (call-with-temporary-directory (lambda (directory) diff --git a/tests/cve-sample.json b/tests/cve-sample.json new file mode 100644 index 0000000000..39816f9dd4 --- /dev/null +++ b/tests/cve-sample.json @@ -0,0 +1,1279 @@ +{ + "CVE_data_type" : "CVE", + "CVE_data_format" : "MITRE", + "CVE_data_version" : "4.0", + "CVE_data_numberOfCVEs" : "9826", + "CVE_data_timestamp" : "2019-10-17T07:00Z", + "CVE_Items" : [ { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-0001", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-400" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/106541", + "name" : "106541", + "refsource" : "BID", + "tags" : [ "Third Party Advisory", "VDB Entry" ] + }, { + "url" : "https://kb.juniper.net/JSA10900", + "name" : "https://kb.juniper.net/JSA10900", + "refsource" : "CONFIRM", + "tags" : [ "Vendor Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "Receipt of a malformed packet on MX Series devices with dynamic vlan configuration can trigger an uncontrolled recursion loop in the Broadband Edge subscriber management daemon (bbe-smgd), and lead to high CPU usage and a crash of the bbe-smgd service. Repeated receipt of the same packet can result in an extended denial of service condition for the device. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3-S1; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:*:*:*:*:*:*:*" + } ] + } { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.2:*:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:r1-s3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:r1-s4:*:*:*:*:*:*" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "attackVector" : "NETWORK", + "attackComplexity" : "HIGH", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseScore" : 5.9, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 2.2, + "impactScore" : 3.6 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "COMPLETE", + "baseScore" : 7.1 + }, + "severity" : "HIGH", + "exploitabilityScore" : 8.6, + "impactScore" : 6.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-01-15T21:29Z", + "lastModifiedDate" : "2019-10-09T23:43Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-0005", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-400" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/106665", + "name" : "106665", + "refsource" : "BID", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "https://kb.juniper.net/JSA10905", + "name" : "https://kb.juniper.net/JSA10905", + "refsource" : "CONFIRM", + "tags" : [ "Vendor Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "On EX2300, EX3400, EX4600, QFX3K and QFX5K series, firewall filter configuration cannot perform packet matching on any IPv6 extension headers. This issue may allow IPv6 packets that should have been blocked to be forwarded. IPv4 packet filtering is unaffected by this vulnerability. Affected releases are Juniper Networks Junos OS on EX and QFX series;: 14.1X53 versions prior to 14.1X53-D47; 15.1 versions prior to 15.1R7; 15.1X53 versions prior to 15.1X53-D234 on QFX5200/QFX5110 series; 15.1X53 versions prior to 15.1X53-D591 on EX2300/EX3400 series; 16.1 versions prior to 16.1R7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R2." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d10:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d15:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d16:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d25:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d26:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d27:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d35:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d40:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d42:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d43:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d44:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d45:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d46:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r2:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r4:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r5:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r6:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d20:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d21:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d32:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d33:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d34:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d50:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d51:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d52:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d20:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d21:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d210:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d230:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d234:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d32:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d33:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d34:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d50:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d51:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d52:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d55:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d57:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d58:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d59:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d590:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r2:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r3-s10:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r4:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r5:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r6:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r6-s6:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r7:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r1-s7:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:gfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.4:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.4:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.1:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseScore" : 5.3, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 3.9, + "impactScore" : 1.4 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "baseScore" : 5.0 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 10.0, + "impactScore" : 2.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-01-15T21:29Z", + "lastModifiedDate" : "2019-02-14T18:40Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-14811", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-264" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html", + "name" : "openSUSE-SU-2019:2223", + "refsource" : "SUSE", + "tags" : [ ] + }, { + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html", + "name" : "openSUSE-SU-2019:2222", + "refsource" : "SUSE", + "tags" : [ ] + }, { + "url" : "https://access.redhat.com/errata/RHBA-2019:2824", + "name" : "RHBA-2019:2824", + "refsource" : "REDHAT", + "tags" : [ ] + }, { + "url" : "https://access.redhat.com/errata/RHSA-2019:2594", + "name" : "RHSA-2019:2594", + "refsource" : "REDHAT", + "tags" : [ ] + }, { + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811", + "refsource" : "CONFIRM", + "tags" : [ "Exploit", "Issue Tracking", "Mitigation", "Patch", "Third Party Advisory" ] + }, { + "url" : "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html", + "name" : "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update", + "refsource" : "MLIST", + "tags" : [ ] + }, { + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/", + "name" : "FEDORA-2019-ebd6c4f15a", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/", + "name" : "FEDORA-2019-0a9d525d71", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/", + "name" : "FEDORA-2019-953fc0f16d", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://seclists.org/bugtraq/2019/Sep/15", + "name" : "20190910 [SECURITY] [DSA 4518-1] ghostscript security update", + "refsource" : "BUGTRAQ", + "tags" : [ ] + }, { + "url" : "https://www.debian.org/security/2019/dsa-4518", + "name" : "DSA-4518", + "refsource" : "DEBIAN", + "tags" : [ ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.28" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "baseScore" : 6.8 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-09-03T16:15Z", + "lastModifiedDate" : "2019-09-10T03:15Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-17365", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-276" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/09/4", + "name" : "http://www.openwall.com/lists/oss-security/2019/10/09/4", + "refsource" : "MISC", + "tags" : [ "Exploit", "Mailing List", "Third Party Advisory" ] + }, { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/10/1", + "name" : "[oss-security] 20191010 Re: CVE-2019-17365: Nix per-user profile directory hijack", + "refsource" : "MLIST", + "tags" : [ "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "Nix through 2.3 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "2.3" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.1", + "vectorString" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "LOW", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "accessVector" : "LOCAL", + "accessComplexity" : "LOW", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "baseScore" : 4.6 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 3.9, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-10-09T22:15Z", + "lastModifiedDate" : "2019-10-11T13:19Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-1010180", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-119" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/109367", + "name" : "109367", + "refsource" : "BID", + "tags" : [ "Third Party Advisory", "VDB Entry" ] + }, { + "url" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23657", + "name" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23657", + "refsource" : "MISC", + "tags" : [ "Exploit", "Issue Tracking", "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:gdb:*:*:*:*:*:*:*:*" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "baseScore" : 6.8 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-07-24T13:15Z", + "lastModifiedDate" : "2019-08-01T15:39Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-1010204", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-125" + }, { + "lang" : "en", + "value" : "CWE-20" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "https://security.netapp.com/advisory/ntap-20190822-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20190822-0001/", + "refsource" : "CONFIRM", + "tags" : [ ] + }, { + "url" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "name" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "refsource" : "MISC", + "tags" : [ "Issue Tracking", "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "2.21", + "versionEndIncluding" : "2.31.1" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:binutils_gold:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "1.11", + "versionEndIncluding" : "1.16" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseScore" : 5.5, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 3.6 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "PARTIAL", + "baseScore" : 4.3 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 2.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-07-23T14:15Z", + "lastModifiedDate" : "2019-08-22T07:15Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-18192", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/17/3", + "name" : "[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory", + "refsource" : "MLIST", + "tags" : [ ] + }, { + "url" : "https://issues.guix.gnu.org/issue/37744", + "name" : "https://issues.guix.gnu.org/issue/37744", + "refsource" : "MISC", + "tags" : [ ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU Guix 1.0.1 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ ] + }, + "impact" : { }, + "publishedDate" : "2019-10-17T20:15Z", + "lastModifiedDate" : "2019-10-17T20:29Z" + } ] +} diff --git a/tests/cve-sample.xml b/tests/cve-sample.xml deleted file mode 100644 index ce158490f1..0000000000 --- a/tests/cve-sample.xml +++ /dev/null @@ -1,616 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<nvd xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:patch="http://scap.nist.gov/schema/patch/0.1" xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" nvd_xml_version="2.0" pub_date="2015-11-25T08:07:01" xsi:schemaLocation="http://scap.nist.gov/schema/patch/0.1 http://nvd.nist.gov/schema/patch_0.1.xsd http://scap.nist.gov/schema/feed/vulnerability/2.0 http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd http://scap.nist.gov/schema/scap-core/0.1 http://nvd.nist.gov/schema/scap-core_0.1.xsd"> - <entry id="CVE-2003-0001"> - <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> - <cpe-lang:logical-test operator="OR" negate="false"> - <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.2"/> - <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.3"/> - <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.4"/> - <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.5"/> - <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.6"/> - <cpe-lang:fact-ref name="cpe:/o:freebsd:freebsd:4.7"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.1"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.10"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.11"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.12"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.13"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.14"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.15"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.16"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.17"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.18"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.19"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.2"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.20"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.3"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.4"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.5"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.6"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.7"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.8"/> - <cpe-lang:fact-ref name="cpe:/o:linux:linux_kernel:2.4.9"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000:::advanced_server"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000:::datacenter_server"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000:::professional"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000:::server"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp1:advanced_server"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp1:datacenter_server"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp1:professional"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp1:server"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp2:advanced_server"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp2:datacenter_server"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp2:professional"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000::sp2:server"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000_terminal_services"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000_terminal_services::sp1"/> - <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_2000_terminal_services::sp2"/> - <cpe-lang:fact-ref name="cpe:/o:netbsd:netbsd:1.5"/> - <cpe-lang:fact-ref name="cpe:/o:netbsd:netbsd:1.5.1"/> - <cpe-lang:fact-ref name="cpe:/o:netbsd:netbsd:1.5.2"/> - <cpe-lang:fact-ref name="cpe:/o:netbsd:netbsd:1.5.3"/> - <cpe-lang:fact-ref name="cpe:/o:netbsd:netbsd:1.6"/> - </cpe-lang:logical-test> - </vuln:vulnerable-configuration> - <vuln:vulnerable-software-list> - <vuln:product>cpe:/o:microsoft:windows_2000::sp2:professional</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.4</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000_terminal_services::sp1</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000::sp1:advanced_server</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.19</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000::sp2:advanced_server</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000_terminal_services</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000:::advanced_server</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.20</vuln:product> - <vuln:product>cpe:/o:netbsd:netbsd:1.5.1</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000_terminal_services::sp2</vuln:product> - <vuln:product>cpe:/o:netbsd:netbsd:1.5.3</vuln:product> - <vuln:product>cpe:/o:netbsd:netbsd:1.5.2</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.6</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.9</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000:::datacenter_server</vuln:product> - <vuln:product>cpe:/o:netbsd:netbsd:1.6</vuln:product> - <vuln:product>cpe:/o:netbsd:netbsd:1.5</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.7</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.8</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000::sp1:datacenter_server</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000::sp2:datacenter_server</vuln:product> - <vuln:product>cpe:/o:freebsd:freebsd:4.3</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.10</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000::sp1:server</vuln:product> - <vuln:product>cpe:/o:freebsd:freebsd:4.5</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.12</vuln:product> - <vuln:product>cpe:/o:freebsd:freebsd:4.2</vuln:product> - <vuln:product>cpe:/o:freebsd:freebsd:4.7</vuln:product> - <vuln:product>cpe:/o:freebsd:freebsd:4.4</vuln:product> - <vuln:product>cpe:/o:freebsd:freebsd:4.6</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000::sp2:server</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.18</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.1</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.15</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000:::server</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.17</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.14</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.2</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000:::professional</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.11</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.5</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.16</vuln:product> - <vuln:product>cpe:/o:microsoft:windows_2000::sp1:professional</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.13</vuln:product> - <vuln:product>cpe:/o:linux:linux_kernel:2.4.3</vuln:product> - </vuln:vulnerable-software-list> - <vuln:cve-id>CVE-2003-0001</vuln:cve-id> - <vuln:published-datetime>2003-01-17T00:00:00.000-05:00</vuln:published-datetime> - <vuln:last-modified-datetime>2015-11-24T13:05:47.073-05:00</vuln:last-modified-datetime> - <vuln:cvss> - <cvss:base_metrics> - <cvss:score>5.0</cvss:score> - <cvss:access-vector>NETWORK</cvss:access-vector> - <cvss:access-complexity>LOW</cvss:access-complexity> - <cvss:authentication>NONE</cvss:authentication> - <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact> - <cvss:integrity-impact>NONE</cvss:integrity-impact> - <cvss:availability-impact>NONE</cvss:availability-impact> - <cvss:source>http://nvd.nist.gov</cvss:source> - <cvss:generated-on-datetime>2015-11-24T12:23:33.593-05:00</cvss:generated-on-datetime> - </cvss:base_metrics> - </vuln:cvss> - <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:2665" name="oval:org.mitre.oval:def:2665"/> - <vuln:cwe id="CWE-200"/> - <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> - <vuln:source>CERT-VN</vuln:source> - <vuln:reference href="http://www.kb.cert.org/vuls/id/412115" xml:lang="en">VU#412115</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>BUGTRAQ</vuln:source> - <vuln:reference href="http://www.securityfocus.com/archive/1/archive/1/535181/100/0/threaded" xml:lang="en">20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>BUGTRAQ</vuln:source> - <vuln:reference href="http://www.securityfocus.com/archive/1/archive/1/307564/30/26270/threaded" xml:lang="en">20030117 Re: More information regarding Etherleak</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>BUGTRAQ</vuln:source> - <vuln:reference href="http://www.securityfocus.com/archive/1/archive/1/305335/30/26420/threaded" xml:lang="en">20030106 Etherleak: Ethernet frame padding information leakage (A010603-1)</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>REDHAT</vuln:source> - <vuln:reference href="http://www.redhat.com/support/errata/RHSA-2003-088.html" xml:lang="en">RHSA-2003:088</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>REDHAT</vuln:source> - <vuln:reference href="http://www.redhat.com/support/errata/RHSA-2003-025.html" xml:lang="en">RHSA-2003:025</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>OSVDB</vuln:source> - <vuln:reference href="http://www.osvdb.org/9962" xml:lang="en">9962</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>CONFIRM</vuln:source> - <vuln:reference href="http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" xml:lang="en">http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf" xml:lang="en">http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> - <vuln:source>ATSTAKE</vuln:source> - <vuln:reference href="http://www.atstake.com/research/advisories/2003/a010603-1.txt" xml:lang="en">A010603-1</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>FULLDISC</vuln:source> - <vuln:reference href="http://seclists.org/fulldisclosure/2015/Apr/5" xml:lang="en">20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html" xml:lang="en">http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> - <vuln:source>BUGTRAQ</vuln:source> - <vuln:reference href="http://marc.theaimsgroup.com/?l=bugtraq&m=104222046632243&w=2" xml:lang="en">20030110 More information regarding Etherleak</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>VULNWATCH</vuln:source> - <vuln:reference href="http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0016.html" xml:lang="en">20030110 More information regarding Etherleak</vuln:reference> - </vuln:references> - <vuln:scanner> - <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:2665" name="oval:org.mitre.oval:def:2665"/> - </vuln:scanner> - <vuln:summary>Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.</vuln:summary> - </entry> - <entry id="CVE-2004-0230"> - <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> - <cpe-lang:logical-test operator="OR" negate="false"> - <cpe-lang:fact-ref name="cpe:/a:tcp:tcp"/> - </cpe-lang:logical-test> - </vuln:vulnerable-configuration> - <vuln:vulnerable-software-list> - <vuln:product>cpe:/a:tcp:tcp</vuln:product> - </vuln:vulnerable-software-list> - <vuln:cve-id>CVE-2004-0230</vuln:cve-id> - <vuln:published-datetime>2004-08-18T00:00:00.000-04:00</vuln:published-datetime> - <vuln:last-modified-datetime>2015-11-24T13:06:40.597-05:00</vuln:last-modified-datetime> - <vuln:cvss> - <cvss:base_metrics> - <cvss:score>5.0</cvss:score> - <cvss:access-vector>NETWORK</cvss:access-vector> - <cvss:access-complexity>LOW</cvss:access-complexity> - <cvss:authentication>NONE</cvss:authentication> - <cvss:confidentiality-impact>NONE</cvss:confidentiality-impact> - <cvss:integrity-impact>NONE</cvss:integrity-impact> - <cvss:availability-impact>PARTIAL</cvss:availability-impact> - <cvss:source>http://nvd.nist.gov</cvss:source> - <cvss:generated-on-datetime>2015-11-24T12:17:30.930-05:00</cvss:generated-on-datetime> - </cvss:base_metrics> - </vuln:cvss> - <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5711" name="oval:org.mitre.oval:def:5711"/> - <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4791" name="oval:org.mitre.oval:def:4791"/> - <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:3508" name="oval:org.mitre.oval:def:3508"/> - <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:270" name="oval:org.mitre.oval:def:270"/> - <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:2689" name="oval:org.mitre.oval:def:2689"/> - <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> - <vuln:source>CERT</vuln:source> - <vuln:reference href="http://www.us-cert.gov/cas/techalerts/TA04-111A.html" xml:lang="en">TA04-111A</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>CERT-VN</vuln:source> - <vuln:reference href="http://www.kb.cert.org/vuls/id/415294" xml:lang="en">VU#415294</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>CONFIRM</vuln:source> - <vuln:reference href="https://kc.mcafee.com/corporate/index?page=content&id=SB10053" xml:lang="en">https://kc.mcafee.com/corporate/index?page=content&id=SB10053</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> - <vuln:source>XF</vuln:source> - <vuln:reference href="http://xforce.iss.net/xforce/xfdb/15886" xml:lang="en">tcp-rst-dos(15886)</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>VUPEN</vuln:source> - <vuln:reference href="http://www.vupen.com/english/advisories/2006/3983" xml:lang="en">ADV-2006-3983</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="http://www.uniras.gov.uk/vuls/2004/236929/index.htm" xml:lang="en">http://www.uniras.gov.uk/vuls/2004/236929/index.htm</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> - <vuln:source>BID</vuln:source> - <vuln:reference href="http://www.securityfocus.com/bid/10183" xml:lang="en">10183</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>BUGTRAQ</vuln:source> - <vuln:reference href="http://www.securityfocus.com/archive/1/archive/1/535181/100/0/threaded" xml:lang="en">20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>HP</vuln:source> - <vuln:reference href="http://www.securityfocus.com/archive/1/archive/1/449179/100/0/threaded" xml:lang="en">SSRT061264</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>OSVDB</vuln:source> - <vuln:reference href="http://www.osvdb.org/4030" xml:lang="en">4030</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>CONFIRM</vuln:source> - <vuln:reference href="http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" xml:lang="en">http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MS</vuln:source> - <vuln:reference href="http://www.microsoft.com/technet/security/Bulletin/MS06-064.mspx" xml:lang="en">MS06-064</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MS</vuln:source> - <vuln:reference href="http://www.microsoft.com/technet/security/bulletin/ms05-019.mspx" xml:lang="en">MS05-019</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>CISCO</vuln:source> - <vuln:reference href="http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml" xml:lang="en">20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Products</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>FULLDISC</vuln:source> - <vuln:reference href="http://seclists.org/fulldisclosure/2015/Apr/5" xml:lang="en">20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html" xml:lang="en">http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>HP</vuln:source> - <vuln:reference href="http://marc.theaimsgroup.com/?l=bugtraq&m=108506952116653&w=2" xml:lang="en">SSRT4696</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>BUGTRAQ</vuln:source> - <vuln:reference href="http://marc.theaimsgroup.com/?l=bugtraq&m=108302060014745&w=2" xml:lang="en">20040425 Perl code exploting TCP not checking RST ACK.</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>CONFIRM</vuln:source> - <vuln:reference href="http://kb.juniper.net/JSA10638" xml:lang="en">http://kb.juniper.net/JSA10638</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>SGI</vuln:source> - <vuln:reference href="ftp://patches.sgi.com/support/free/security/advisories/20040403-01-A.asc" xml:lang="en">20040403-01-A</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>SCO</vuln:source> - <vuln:reference href="ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.14/SCOSA-2005.14.txt" xml:lang="en">SCOSA-2005.14</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>SCO</vuln:source> - <vuln:reference href="ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.9/SCOSA-2005.9.txt" xml:lang="en">SCOSA-2005.9</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>SCO</vuln:source> - <vuln:reference href="ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.3/SCOSA-2005.3.txt" xml:lang="en">SCOSA-2005.3</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>NETBSD</vuln:source> - <vuln:reference href="ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc" xml:lang="en">NetBSD-SA2004-006</vuln:reference> - </vuln:references> - <vuln:scanner> - <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:3508" name="oval:org.mitre.oval:def:3508"/> - </vuln:scanner> - <vuln:scanner> - <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:270" name="oval:org.mitre.oval:def:270"/> - </vuln:scanner> - <vuln:scanner> - <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:2689" name="oval:org.mitre.oval:def:2689"/> - </vuln:scanner> - <vuln:scanner> - <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:5711" name="oval:org.mitre.oval:def:5711"/> - </vuln:scanner> - <vuln:scanner> - <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:4791" name="oval:org.mitre.oval:def:4791"/> - </vuln:scanner> - <vuln:summary>TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.</vuln:summary> - </entry> - <entry id="CVE-2008-2335"> - <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> - <cpe-lang:logical-test operator="OR" negate="false"> - <cpe-lang:fact-ref name="cpe:/a:vastal:phpvid:1.2"/> - <cpe-lang:fact-ref name="cpe:/a:vastal:phpvid:1.1"/> - </cpe-lang:logical-test> - </vuln:vulnerable-configuration> - <vuln:vulnerable-software-list> - <vuln:product>cpe:/a:vastal:phpvid:1.1</vuln:product> - <vuln:product>cpe:/a:vastal:phpvid:1.2</vuln:product> - </vuln:vulnerable-software-list> - <vuln:cve-id>CVE-2008-2335</vuln:cve-id> - <vuln:published-datetime>2008-05-19T09:20:00.000-04:00</vuln:published-datetime> - <vuln:last-modified-datetime>2015-11-24T11:45:25.057-05:00</vuln:last-modified-datetime> - <vuln:cvss> - <cvss:base_metrics> - <cvss:score>4.3</cvss:score> - <cvss:access-vector>NETWORK</cvss:access-vector> - <cvss:access-complexity>MEDIUM</cvss:access-complexity> - <cvss:authentication>NONE</cvss:authentication> - <cvss:confidentiality-impact>NONE</cvss:confidentiality-impact> - <cvss:integrity-impact>PARTIAL</cvss:integrity-impact> - <cvss:availability-impact>NONE</cvss:availability-impact> - <cvss:source>http://nvd.nist.gov</cvss:source> - <cvss:generated-on-datetime>2015-11-24T10:50:05.737-05:00</cvss:generated-on-datetime> - </cvss:base_metrics> - </vuln:cvss> - <vuln:cwe id="CWE-79"/> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>XF</vuln:source> - <vuln:reference href="http://xforce.iss.net/xforce/xfdb/42450" xml:lang="en">phpvid-query-xss(42450)</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>VUPEN</vuln:source> - <vuln:reference href="http://www.vupen.com/english/advisories/2008/2552" xml:lang="en">ADV-2008-2552</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>BID</vuln:source> - <vuln:reference href="http://www.securityfocus.com/bid/29238" xml:lang="en">29238</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MILW0RM</vuln:source> - <vuln:reference href="http://www.milw0rm.com/exploits/6422" xml:lang="en">6422</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>EXPLOIT-DB</vuln:source> - <vuln:reference href="http://www.exploit-db.com/exploits/27519" xml:lang="en">27519</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/" xml:lang="en">http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>FULLDISC</vuln:source> - <vuln:reference href="http://seclists.org/fulldisclosure/2015/Mar/59" xml:lang="en">20150310 Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Security Vulnerabilities</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html" xml:lang="en">http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html" xml:lang="en">http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>OSVDB</vuln:source> - <vuln:reference href="http://osvdb.org/show/osvdb/45171" xml:lang="en">45171</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="http://holisticinfosec.org/content/view/65/45/" xml:lang="en">http://holisticinfosec.org/content/view/65/45/</vuln:reference> - </vuln:references> - <vuln:summary>Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 1.2.3 is also affected.</vuln:summary> - </entry> - <entry id="CVE-2008-3522"> - <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> - <cpe-lang:logical-test operator="OR" negate="false"> - <cpe-lang:fact-ref name="cpe:/a:redhat:enterprise_virtualization:3.5"/> - </cpe-lang:logical-test> - </vuln:vulnerable-configuration> - <vuln:vulnerable-configuration id="http://nvd.nist.gov/"> - <cpe-lang:logical-test operator="OR" negate="false"> - <cpe-lang:fact-ref name="cpe:/a:jasper_project:jasper:1.900.1"/> - </cpe-lang:logical-test> - </vuln:vulnerable-configuration> - <vuln:vulnerable-software-list> - <vuln:product>cpe:/a:redhat:enterprise_virtualization:3.5</vuln:product> - <vuln:product>cpe:/a:jasper_project:jasper:1.900.1</vuln:product> - </vuln:vulnerable-software-list> - <vuln:cve-id>CVE-2008-3522</vuln:cve-id> - <vuln:published-datetime>2008-10-02T14:18:05.790-04:00</vuln:published-datetime> - <vuln:last-modified-datetime>2015-11-24T11:46:04.933-05:00</vuln:last-modified-datetime> - <vuln:cvss> - <cvss:base_metrics> - <cvss:score>10.0</cvss:score> - <cvss:access-vector>NETWORK</cvss:access-vector> - <cvss:access-complexity>LOW</cvss:access-complexity> - <cvss:authentication>NONE</cvss:authentication> - <cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact> - <cvss:integrity-impact>COMPLETE</cvss:integrity-impact> - <cvss:availability-impact>COMPLETE</cvss:availability-impact> - <cvss:source>http://nvd.nist.gov</cvss:source> - <cvss:generated-on-datetime>2015-11-24T10:05:46.467-05:00</cvss:generated-on-datetime> - </cvss:base_metrics> - </vuln:cvss> - <vuln:security-protection>ALLOWS_ADMIN_ACCESS</vuln:security-protection> - <vuln:cwe id="CWE-119"/> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>XF</vuln:source> - <vuln:reference href="http://xforce.iss.net/xforce/xfdb/45623" xml:lang="en">jasper-jasstreamprintf-bo(45623)</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>UBUNTU</vuln:source> - <vuln:reference href="http://www.ubuntu.com/usn/USN-742-1" xml:lang="en">USN-742-1</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>BID</vuln:source> - <vuln:reference href="http://www.securityfocus.com/bid/31470" xml:lang="en">31470</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MANDRIVA</vuln:source> - <vuln:reference href="http://www.mandriva.com/security/advisories?name=MDVSA-2009:164" xml:lang="en">MDVSA-2009:164</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MANDRIVA</vuln:source> - <vuln:reference href="http://www.mandriva.com/security/advisories?name=MDVSA-2009:144" xml:lang="en">MDVSA-2009:144</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MANDRIVA</vuln:source> - <vuln:reference href="http://www.mandriva.com/security/advisories?name=MDVSA-2009:142" xml:lang="en">MDVSA-2009:142</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>GENTOO</vuln:source> - <vuln:reference href="http://security.gentoo.org/glsa/glsa-200812-18.xml" xml:lang="en">GLSA-200812-18</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>REDHAT</vuln:source> - <vuln:reference href="http://rhn.redhat.com/errata/RHSA-2015-0698.html" xml:lang="en">RHSA-2015:0698</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="http://bugs.gentoo.org/show_bug.cgi?id=222819" xml:lang="en">http://bugs.gentoo.org/show_bug.cgi?id=222819</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="http://bugs.gentoo.org/attachment.cgi?id=163282&action=view" xml:lang="en">http://bugs.gentoo.org/attachment.cgi?id=163282&action=view</vuln:reference> - </vuln:references> - <vuln:summary>Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf.</vuln:summary> - </entry> - <entry id="CVE-2009-3301"> - <vuln:vulnerable-configuration id="http://www.nist.gov/"> - <cpe-lang:logical-test operator="OR" negate="false"> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:3.1.1"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:3.1.0"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:3.0.1"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:3.0.0"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.4.1"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.4.0"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.1.0"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:1.1.0"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.4.2"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.4.3"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.3.0"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.3.1"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.2.0"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.2.1"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.0.0"/> - <cpe-lang:fact-ref name="cpe:/a:sun:openoffice.org:2.0.3"/> - </cpe-lang:logical-test> - </vuln:vulnerable-configuration> - <vuln:vulnerable-configuration id="http://www.nist.gov/"> - <cpe-lang:logical-test operator="OR" negate="false"> - <cpe-lang:fact-ref name="cpe:/o:canonical:ubuntu_linux:10.04::~~lts~~~"/> - <cpe-lang:fact-ref name="cpe:/o:canonical:ubuntu_linux:10.10"/> - <cpe-lang:fact-ref name="cpe:/o:canonical:ubuntu_linux:9.10"/> - <cpe-lang:fact-ref name="cpe:/o:canonical:ubuntu_linux:8.04:-:lts"/> - </cpe-lang:logical-test> - </vuln:vulnerable-configuration> - <vuln:vulnerable-software-list> - <vuln:product>cpe:/o:canonical:ubuntu_linux:10.04::~~lts~~~</vuln:product> - <vuln:product>cpe:/o:canonical:ubuntu_linux:8.04:-:lts</vuln:product> - <vuln:product>cpe:/o:canonical:ubuntu_linux:10.10</vuln:product> - <vuln:product>cpe:/a:sun:openoffice.org:2.1.0</vuln:product> - <vuln:product>cpe:/a:sun:openoffice.org:2.3.0</vuln:product> - <vuln:product>cpe:/a:sun:openoffice.org:2.2.1</vuln:product> - <!-- snipped --> - </vuln:vulnerable-software-list> - <vuln:cve-id>CVE-2009-3301</vuln:cve-id> - <vuln:published-datetime>2010-02-16T14:30:00.533-05:00</vuln:published-datetime> - <vuln:last-modified-datetime>2015-11-17T10:59:44.723-05:00</vuln:last-modified-datetime> - <vuln:cvss> - <cvss:base_metrics> - <cvss:score>9.3</cvss:score> - <cvss:access-vector>NETWORK</cvss:access-vector> - <cvss:access-complexity>MEDIUM</cvss:access-complexity> - <cvss:authentication>NONE</cvss:authentication> - <cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact> - <cvss:integrity-impact>COMPLETE</cvss:integrity-impact> - <cvss:availability-impact>COMPLETE</cvss:availability-impact> - <cvss:source>http://nvd.nist.gov</cvss:source> - <cvss:generated-on-datetime>2015-11-17T10:02:50.097-05:00</cvss:generated-on-datetime> - </cvss:base_metrics> - </vuln:cvss> - <vuln:assessment_check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10423" name="oval:org.mitre.oval:def:10423"/> - <vuln:cwe id="CWE-189"/> - <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> - <vuln:source>CERT</vuln:source> - <vuln:reference href="http://www.us-cert.gov/cas/techalerts/TA10-287A.html" xml:lang="en">TA10-287A</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>CONFIRM</vuln:source> - <vuln:reference href="https://bugzilla.redhat.com/show_bug.cgi?id=533038" xml:lang="en">https://bugzilla.redhat.com/show_bug.cgi?id=533038</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>XF</vuln:source> - <vuln:reference href="http://xforce.iss.net/xforce/xfdb/56240" xml:lang="en">openoffice-word-sprmtdeftable-bo(56240)</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>VUPEN</vuln:source> - <vuln:reference href="http://www.vupen.com/english/advisories/2010/2905" xml:lang="en">ADV-2010-2905</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>VUPEN</vuln:source> - <vuln:reference href="http://www.vupen.com/english/advisories/2010/0635" xml:lang="en">ADV-2010-0635</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> - <vuln:source>VUPEN</vuln:source> - <vuln:reference href="http://www.vupen.com/english/advisories/2010/0366" xml:lang="en">ADV-2010-0366</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>UBUNTU</vuln:source> - <vuln:reference href="http://www.ubuntu.com/usn/USN-903-1" xml:lang="en">USN-903-1</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>BID</vuln:source> - <vuln:reference href="http://www.securityfocus.com/bid/38218" xml:lang="en">38218</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>REDHAT</vuln:source> - <vuln:reference href="http://www.redhat.com/support/errata/RHSA-2010-0101.html" xml:lang="en">RHSA-2010:0101</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>CONFIRM</vuln:source> - <vuln:reference href="http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html" xml:lang="en">http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> - <vuln:source>CONFIRM</vuln:source> - <vuln:reference href="http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html" xml:lang="en">http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="VENDOR_ADVISORY"> - <vuln:source>CONFIRM</vuln:source> - <vuln:reference href="http://www.openoffice.org/security/bulletin.html" xml:lang="en">http://www.openoffice.org/security/bulletin.html</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MANDRIVA</vuln:source> - <vuln:reference href="http://www.mandriva.com/security/advisories?name=MDVSA-2010:221" xml:lang="en">MDVSA-2010:221</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>GENTOO</vuln:source> - <vuln:reference href="http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml" xml:lang="en">GLSA-201408-19</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>DEBIAN</vuln:source> - <vuln:reference href="http://www.debian.org/security/2010/dsa-1995" xml:lang="en">DSA-1995</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>SECTRACK</vuln:source> - <vuln:reference href="http://securitytracker.com/id?1023591" xml:lang="en">1023591</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>SUSE</vuln:source> - <vuln:reference href="http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html" xml:lang="en">SUSE-SA:2010:017</vuln:reference> - </vuln:references> - <vuln:scanner> - <vuln:definition system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10423" name="oval:org.mitre.oval:def:10423"/> - </vuln:scanner> - <vuln:summary>Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document.</vuln:summary> - </entry> - <entry id="CVE-2015-8330"> - <vuln:cve-id>CVE-2015-8330</vuln:cve-id> - <vuln:published-datetime>2015-11-24T15:59:25.897-05:00</vuln:published-datetime> - <vuln:last-modified-datetime>2015-11-24T15:59:26.930-05:00</vuln:last-modified-datetime> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="https://www.onapsis.com/blog/analyzing-sap-security-notes-november-2015" xml:lang="en">https://www.onapsis.com/blog/analyzing-sap-security-notes-november-2015</vuln:reference> - </vuln:references> - <vuln:references xml:lang="en" reference_type="UNKNOWN"> - <vuln:source>MISC</vuln:source> - <vuln:reference href="http://erpscan.com/advisories/erpscan-15-032-sap-pco-agent-dos-vulnerability/" xml:lang="en">http://erpscan.com/advisories/erpscan-15-032-sap-pco-agent-dos-vulnerability/</vuln:reference> - </vuln:references> - <vuln:summary>The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619.</vuln:summary> - </entry> -</nvd> diff --git a/tests/cve.scm b/tests/cve.scm index 3fbb22d3c6..b69da0e120 100644 --- a/tests/cve.scm +++ b/tests/cve.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -19,45 +19,88 @@ (define-module (test-cve) #:use-module (guix cve) #:use-module (srfi srfi-1) + #:use-module (srfi srfi-19) #:use-module (srfi srfi-64)) (define %sample - (search-path %load-path "tests/cve-sample.xml")) + (search-path %load-path "tests/cve-sample.json")) (define (vulnerability id packages) - (make-struct (@@ (guix cve) <vulnerability>) 0 id packages)) + (make-struct/no-tail (@@ (guix cve) <vulnerability>) id packages)) (define %expected-vulnerabilities ;; What we should get when reading %SAMPLE. (list - ;; CVE-2003-0001 has no "/a" in its product list so it is omitted. - ;; CVE-2004-0230 lists "tcp" as an application, but lacks a version number. - (vulnerability "CVE-2008-2335" '(("phpvid" "1.2" "1.1"))) - (vulnerability "CVE-2008-3522" '(("enterprise_virtualization" "3.5") - ("jasper" "1.900.1"))) - (vulnerability "CVE-2009-3301" '(("openoffice.org" "2.3.0" "2.2.1" "2.1.0"))) - ;; CVE-2015-8330 has no software list. + (vulnerability "CVE-2019-0001" + ;; Only the "a" CPE configurations are kept; the "o" + ;; configurations are discarded. + '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2"))))) + (vulnerability "CVE-2019-0005" + '(("junos" (or "18.11" "18.1")))) + ;; CVE-2019-0005 has no "a" configurations. + (vulnerability "CVE-2019-14811" + '(("ghostscript" (< "9.28")))) + (vulnerability "CVE-2019-17365" + '(("nix" (<= "2.3")))) + (vulnerability "CVE-2019-1010180" + '(("gdb" _))) ;any version + (vulnerability "CVE-2019-1010204" + '(("binutils" (and (>= "2.21") (<= "2.31.1"))) + ("binutils_gold" (and (>= "1.11") (<= "1.16"))))) + ;; CVE-2019-18192 has no associated configurations. )) (test-begin "cve") -(test-equal "xml->vulnerabilities" +(test-equal "json->cve-items" + '("CVE-2019-0001" + "CVE-2019-0005" + "CVE-2019-14811" + "CVE-2019-17365" + "CVE-2019-1010180" + "CVE-2019-1010204" + "CVE-2019-18192") + (map (compose cve-id cve-item-cve) + (call-with-input-file %sample json->cve-items))) + +(test-equal "cve-item-published-date" + '(2019) + (delete-duplicates + (map (compose date-year cve-item-published-date) + (call-with-input-file %sample json->cve-items)))) + +(test-equal "json->vulnerabilities" %expected-vulnerabilities - (call-with-input-file %sample xml->vulnerabilities)) + (call-with-input-file %sample json->vulnerabilities)) (test-equal "vulnerabilities->lookup-proc" - (list (list (first %expected-vulnerabilities)) + (list (list (third %expected-vulnerabilities)) ;ghostscript + (list (third %expected-vulnerabilities)) + '() + + (list (fifth %expected-vulnerabilities)) ;gdb + (list (fifth %expected-vulnerabilities)) + + (list (fourth %expected-vulnerabilities)) ;nix '() + + (list (sixth %expected-vulnerabilities)) ;binutils '() - (list (second %expected-vulnerabilities)) - (list (third %expected-vulnerabilities))) - (let* ((vulns (call-with-input-file %sample xml->vulnerabilities)) + (list (sixth %expected-vulnerabilities)) + '()) + (let* ((vulns (call-with-input-file %sample json->vulnerabilities)) (lookup (vulnerabilities->lookup-proc vulns))) - (list (lookup "phpvid") - (lookup "jasper" "2.0") - (lookup "foobar") - (lookup "jasper" "1.900.1") - (lookup "openoffice.org" "2.3.0")))) + (list (lookup "ghostscript") + (lookup "ghostscript" "9.27") + (lookup "ghostscript" "9.28") + (lookup "gdb") + (lookup "gdb" "42.0") + (lookup "nix") + (lookup "nix" "2.4") + (lookup "binutils" "2.31.1") + (lookup "binutils" "2.10") + (lookup "binutils_gold" "1.11") + (lookup "binutils" "2.32")))) (test-end "cve") diff --git a/tests/guix-build.sh b/tests/guix-build.sh index 37666ffd01..52feda9d3a 100644 --- a/tests/guix-build.sh +++ b/tests/guix-build.sh @@ -226,6 +226,10 @@ rmdir "$result" # Cross building. guix build coreutils --target=mips64el-linux-gnu --dry-run --no-substitutes +# Likewise, but with '-e' (see <https://bugs.gnu.org/38093>). +guix build --target=arm-linux-gnueabihf --dry-run \ + -e '(@ (gnu packages base) coreutils)' + # Replacements. drv1=`guix build guix --with-input=guile@2.0=guile@2.2 -d` drv2=`guix build guix -d` diff --git a/tests/guix-daemon.sh b/tests/guix-daemon.sh index 758f18cc36..b58500966b 100644 --- a/tests/guix-daemon.sh +++ b/tests/guix-daemon.sh @@ -94,6 +94,27 @@ done kill "$daemon_pid" +# Make sure 'profiles/per-user' is created when connecting over TCP. + +orig_GUIX_STATE_DIRECTORY="$GUIX_STATE_DIRECTORY" +GUIX_STATE_DIRECTORY="$GUIX_STATE_DIRECTORY-2" + +guix-daemon --disable-chroot --listen="localhost:9877" & +daemon_pid=$! + +GUIX_DAEMON_SOCKET="guix://localhost:9877" +export GUIX_DAEMON_SOCKET + +test ! -d "$GUIX_STATE_DIRECTORY/profiles/per-user" + +guix build guile-bootstrap -d + +test -d "$GUIX_STATE_DIRECTORY/profiles/per-user/$USER" + +kill "$daemon_pid" +unset GUIX_DAEMON_SOCKET +GUIX_STATE_DIRECTORY="$orig_GUIX_STATE_DIRECTORY" + # Check the failed build cache. guix-daemon --no-substitutes --listen="$socket" --disable-chroot \ diff --git a/tests/guix-graph.sh b/tests/guix-graph.sh index 1ec99706fd..2d4b3fac3f 100644 --- a/tests/guix-graph.sh +++ b/tests/guix-graph.sh @@ -1,5 +1,5 @@ # GNU Guix --- Functional package management for GNU -# Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org> +# Copyright © 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org> # # This file is part of GNU Guix. # @@ -53,3 +53,9 @@ cmp "$tmpfile1" "$tmpfile2" guix graph -t derivation coreutils > "$tmpfile1" guix graph -t derivation `guix build -d coreutils` > "$tmpfile2" cmp "$tmpfile1" "$tmpfile2" + +# Try package transformation options. +guix graph git | grep 'label = "openssl' +guix graph git --with-input=openssl=libressl | grep 'label = "libressl' +if guix graph git --with-input=openssl=libressl | grep 'label = "openssl' +then false; else true; fi diff --git a/tests/guix-package.sh b/tests/guix-package.sh index 0de30bf6c1..7ad0699380 100644 --- a/tests/guix-package.sh +++ b/tests/guix-package.sh @@ -33,7 +33,7 @@ profile="t-profile-$$" tmpfile="t-guix-package-file-$$" rm -f "$profile" "$tmpfile" -trap 'rm -f "$profile" "$profile-"[0-9]* "$tmpfile"; rm -rf "$module_dir" t-home-'"$$" EXIT +trap 'rm -f "$profile" "$profile.lock" "$profile-"[0-9]* "$tmpfile"; rm -rf "$module_dir" t-home-'"$$" EXIT # Use `-e' with a non-package expression. if guix package --bootstrap -e +; @@ -452,3 +452,11 @@ rm -rf "$module_dir" # Make sure we can see user profiles. guix package --list-profiles | grep "$profile" guix package --list-profiles | grep '\.guix-profile' + +# Make sure we can properly lock a profile. +mkdir "$module_dir" +echo '(sleep 60)' > "$module_dir/manifest.scm" +guix package -m "$module_dir/manifest.scm" -p "$module_dir/profile" & +pid=$! +if guix install emacs -p "$module_dir/profile"; then kill $pid; false; else true; fi +kill $pid diff --git a/tests/lint.scm b/tests/lint.scm index 1b92f02b85..3a9b539a24 100644 --- a/tests/lint.scm +++ b/tests/lint.scm @@ -758,10 +758,10 @@ "probably vulnerable to CVE-2015-1234" (mock ((guix lint) package-vulnerabilities (lambda (package) - (list (make-struct (@@ (guix cve) <vulnerability>) 0 - "CVE-2015-1234" - (list (cons (package-name package) - (package-version package))))))) + (list (make-struct/no-tail (@@ (guix cve) <vulnerability>) + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package))))))) (single-lint-warning-message (check-vulnerabilities (dummy-package "pi" (version "3.14")))))) @@ -769,10 +769,10 @@ '() (mock ((guix lint) package-vulnerabilities (lambda (package) - (list (make-struct (@@ (guix cve) <vulnerability>) 0 - "CVE-2015-1234" - (list (cons (package-name package) - (package-version package))))))) + (list (make-struct/no-tail (@@ (guix cve) <vulnerability>) + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package))))))) (check-vulnerabilities (dummy-package "pi" (version "3.14") @@ -785,10 +785,10 @@ '() (mock ((guix lint) package-vulnerabilities (lambda (package) - (list (make-struct (@@ (guix cve) <vulnerability>) 0 - "CVE-2015-1234" - (list (cons (package-name package) - (package-version package))))))) + (list (make-struct/no-tail (@@ (guix cve) <vulnerability>) + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package))))))) (check-vulnerabilities (dummy-package "pi" (version "3.14") @@ -800,10 +800,10 @@ (lambda (package) (match (package-version package) ("0" - (list (make-struct (@@ (guix cve) <vulnerability>) 0 - "CVE-2015-1234" - (list (cons (package-name package) - (package-version package)))))) + (list (make-struct/no-tail (@@ (guix cve) <vulnerability>) + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package)))))) ("1" '())))) (check-vulnerabilities @@ -815,10 +815,10 @@ '() (mock ((guix lint) package-vulnerabilities (lambda (package) - (list (make-struct (@@ (guix cve) <vulnerability>) 0 - "CVE-2015-1234" - (list (cons (package-name package) - (package-version package))))))) + (list (make-struct/no-tail (@@ (guix cve) <vulnerability>) + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package))))))) (check-vulnerabilities (dummy-package "pi" (version "3.14") (source (dummy-origin)) diff --git a/tests/networking.scm b/tests/networking.scm index 439cca5ffc..c494a48067 100644 --- a/tests/networking.scm +++ b/tests/networking.scm @@ -36,22 +36,23 @@ (ntp-server (type 'server) (address "some.ntp.server.org") - (options `(iburst (version 3) (maxpoll 16) prefer)))) + ;; Using either strings or symbols for option names is accepted. + (options `("iburst" (version 3) (maxpoll 16) prefer)))) (test-equal "ntp-server->string" - (ntp-server->string %ntp-server-sample) - "server some.ntp.server.org iburst version 3 maxpoll 16 prefer") + "server some.ntp.server.org iburst version 3 maxpoll 16 prefer" + (ntp-server->string %ntp-server-sample)) (test-equal "ntp configuration servers deprecated form" (ntp-configuration-servers (ntp-configuration + (servers (list "example.pool.ntp.org")))) + (ntp-configuration-servers + (ntp-configuration (servers (list (ntp-server (type 'server) (address "example.pool.ntp.org") - (options '())))))) - (ntp-configuration-servers - (ntp-configuration - (servers (list "example.pool.ntp.org"))))) + (options '()))))))) ;;; @@ -106,8 +107,8 @@ the sanity check:\n~a~%" config) #t)))) (test-equal "openntpd generated config string ends with a newline" + "\n" (let ((config (openntpd-configuration->string %openntpd-conf-sample))) - (string-take-right config 1)) - "\n") + (string-take-right config 1))) (test-end "networking") diff --git a/tests/store.scm b/tests/store.scm index 518750d26a..2b14a4af0a 100644 --- a/tests/store.scm +++ b/tests/store.scm @@ -18,6 +18,7 @@ (define-module (test-store) #:use-module (guix tests) + #:use-module (guix config) #:use-module (guix store) #:use-module (guix utils) #:use-module (guix monads) @@ -102,7 +103,17 @@ "/283gqy39v3g9dxjy26rynl0zls82fmcg-guile-2.0.7/bin/guile"))) (not (direct-store-path? (%store-prefix))))) -(test-skip (if %store 0 13)) +(test-skip (if %store 0 15)) + +(test-equal "profiles/per-user exists and is not writable" + #o755 + (stat:perms (stat (string-append %state-directory "/profiles/per-user")))) + +(test-equal "profiles/per-user/$USER exists" + (list (getuid) #o755) + (let ((s (stat (string-append %state-directory "/profiles/per-user/" + (passwd:name (getpwuid (getuid))))))) + (list (stat:uid s) (stat:perms s)))) (test-equal "add-data-to-store" #vu8(1 2 3 4 5) |