docs: 9-20-24 cve updates (#4026)
* 9-20-24 cve updates

* ci: auto-formatting prettier issues

---------

Co-authored-by: frederickjoi <frederickjoi@users.noreply.github.com>
(cherry picked from commit 2d9cfa7)
frederickjoi committed Sep 20, 2024
1 parent 6b31d86 commit 99b12df
Showing 4 changed files with 17 additions and 7 deletions.
Expand Up @@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

09/15/2024
09/20/2024

## NIST CVE Summary

Expand All @@ -23,7 +23,9 @@ input.

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.
A flaw was found in the Unmarshal function in Go-Yaml. This vulnerability results in program crashes when attempting to
convert (or deserialize) invalid input data, potentially impacting system stability and reliability. 3rd party images
affected will be upgraded to remove the vulnerability.

## CVE Severity

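Review bot: the replacement summary in this hunk states the remediation ("3rd party images affected will be upgraded") but, unlike the net/http summary added elsewhere in this same commit, gives no assessment of whether any product component feeds untrusted YAML into Go-Yaml's Unmarshal, so a reader cannot tell how exposed the product is; add a risk statement next to the upgrade plan. Minor style point: write "third-party" rather than "3rd party", matching "Third-party component" in reports.md.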
Expand Up @@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

09/15/2024
09/20/2024

## NIST CVE Summary

Expand All @@ -27,7 +27,12 @@ parsed headers.

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.
This CVE involves excessive memory allocation in net/http and net/textproto, potentially leading to a denial-of-service
due to large memory allocation while parsing HTTP and MIME headers even for small inputs. Attackers can exploit this
vulnerability to exhaust an HTTP server's memory resources, causing a denial of service. By crafting specific input data
patterns, an attacker can trigger the excessive memory allocation behavior in the HTTP and MIME header parsing
functions, leading to memory exhaustion. The risk of this vulnerability exploited in Spectro Cloud products is very low.
3rd party images affected will be upgraded to remove the vulnerability.

## CVE Severity

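Review bot: the middle of this summary says the same thing twice ("Attackers can exploit this vulnerability to exhaust an HTTP server's memory resources, causing a denial of service" and then "By crafting specific input data patterns, an attacker can trigger the excessive memory allocation behavior ... leading to memory exhaustion"); keep one of the two so the product-specific conclusion stands out. Also, "The risk of this vulnerability exploited in Spectro Cloud products is very low" should read "being exploited", and "3rd party" should be "third-party" for consistency with reports.md.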
Expand Up @@ -14,7 +14,7 @@ tags: ["security", "cve"]

## Last Update

09/15/2024
09/20/2024

## NIST CVE Summary

Expand All @@ -24,7 +24,10 @@ service.

## Our Official Summary

Investigation is ongoing to determine how this vulnerability affects our products.
This is a vulnerability in libtiff that can be exploited by a remote attacker to cause a heap-buffer overflow and
denial-of-service. The vulnerability is caused by a segment fault (SEGV) flaw that can be triggered when a crafted TIFF
file is passed to the TIFFReadRGBATileExt() API. Investigating a possible fix for this vulnerability on the affected
images.

## CVE Severity

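Review bot: "Investigating a possible fix for this vulnerability on the affected images." has no subject, and since it replaces "Investigation is ongoing" with wording that still only says an investigation is in progress, this page does not record a status change the way the other two updated pages do; state whether a patched libtiff is available and whether the affected images will be upgraded, as the other summaries do. Also "segment fault" should read "segmentation fault"; the "(SEGV)" parenthetical already gives the abbreviation.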
2 changes: 1 addition & 1 deletion docs/docs-content/security-bulletins/reports/reports.md
Expand Up @@ -44,7 +44,7 @@ Click on the CVE ID to view the full details of the vulnerability.
| [CVE-2023-39325](./cve-2023-39325.md) | 10/11/23 | 4/28/24 | 4.4.11 & 4.4.14 & 4.4.18 | Third-party component: Go project | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | :mag: Ongoing |
| [CVE-2023-47108](./cve-2023-47108.md) | 11/20/23 | 11/20/23 | 4.4.11 & 4.4.14 & 4.4.18 | Third-party component: OpenTelemetry-Go | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | :mag: Ongoing |
| [CVE-2023-44487](./cve-2023-44487.md) | 10/10/23 | 6/27/24 | 4.4.11 & 4.4.14 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | :mag: Ongoing |
| [CVE-2022-25883](./cve-2022-25883.md) | 6/21/23 | 11/6/24 | 4.4.11 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | :mag: Ongoing |
| [CVE-2022-25883](./cve-2022-25883.md) | 6/21/23 | 11/6/24 | 4.4.11 & 4.4.14 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | :mag: Ongoing |
| [CVE-2015-8855](./cve-2015-8855.md) | 1/23/17 | 1/26/12 | 4.4.11 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) | :mag: Ongoing |
| [CVE-2019-12900](./cve-2019-12900.md) | 08/16/24 | 08/16/24 | 4.4.14 & 4.4.18 | Third-party component: BZ2 | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2019-12900) | :mag: Ongoing |
| [CVE-2023-37920](./cve-2023-37920.md) | 08/16/24 | 08/16/24 | 4.4.14 & 4.4.18 | Third-party component: Certifi | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) | :mag: Ongoing |
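Review bot: the changed CVE-2022-25883 row adds 4.4.14 to the affected versions but leaves 11/6/24 in the second date column (the revision date, going by the other rows), which is later than this commit's date of Sep 20, 2024; a row revised in this commit should carry 9/20/24, and the per-CVE pages in this commit use 09/20/2024 while this table uses M/D/YY, so pick one format. The unchanged CVE-2015-8855 row directly below shows 1/26/12 as its second date, earlier than its 1/23/17 first date, which looks like the same kind of typo and is worth fixing while this table is being touched.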
