* 9-13-24 4.4.17 cve updates
* ci: auto-formatting prettier issues
* 9-13-24 addntl cve updates
* ci: auto-formatting prettier issues

---------

Co-authored-by: frederickjoi <frederickjoi@users.noreply.github.com>
Co-authored-by: Karl Cardenas <29551334+karl-cardenas-coding@users.noreply.github.com>
(cherry picked from commit b021adf)
Co-authored-by: frederickjoi <153292280+frederickjoi@users.noreply.github.com>
1 parent 2cece27, commit ef93ecb
Showing 6 changed files with 329 additions and 65 deletions.
docs/docs-content/security-bulletins/reports/cve-2022-45061.md: 47 additions & 0 deletions
@@ -0,0 +1,47 @@ | ||
--- | ||
sidebar_label: "CVE-2022-45061" | ||
title: "CVE-2022-45061" | ||
description: "Lifecycle of CVE-2022-45061" | ||
hide_table_of_contents: true | ||
sidebar_class_name: "hide-from-sidebar" | ||
toc_max_heading_level: 2 | ||
tags: ["security", "cve"] | ||
--- | ||
|
||
## CVE Details | ||
|
||
[CVE-2022-45061](https://nvd.nist.gov/vuln/detail/CVE-2022-45061) | ||
|
||
## Last Update | ||
|
||
9/13/24 | ||
|
||
## NIST CVE Summary | ||
|
||
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing | ||
some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder | ||
could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a | ||
malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use | ||
of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an | ||
HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. | ||
|
||
## Our Official Summary | ||
|
||
Investigation is ongoing to determine how this vulnerability affects our products. | ||
|
||
## CVE Severity | ||
|
||
[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-45061) | ||
|
||
## Status | ||
|
||
Ongoing | ||
|
||
## Affected Products & Versions | ||
|
||
- Palette VerteX 4.4.17 | ||
|
||
## Revision History | ||
|
||
- 1.0 9/13/2024 Initial Publication | ||
- 2.0 9/13/2024 Added Palette VerteX 4.4.17 to Affected Products |
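Review bot: the Affected Products section already lists Palette VerteX 4.4.17 while Status is "Ongoing" and Our Official Summary says investigation is still underway to determine whether the products are affected; these read as contradictory. If VerteX 4.4.17 is confirmed affected, the official summary should say so and record which bundled Python version is below the fixed releases the NIST summary names (3.11.1, 3.10.9, 3.9.16, 3.8.16, 3.7.16) and which component carries it; otherwise leave Affected Products empty until the investigation concludes. The NIST text also still says "A fix is planned" for those versions; the bulletin should state whether that fix has been picked up rather than leaving the reader to infer it.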
docs/docs-content/security-bulletins/reports/cve-2022-48560.md: 42 additions & 0 deletions
@@ -0,0 +1,42 @@ | ||
--- | ||
sidebar_label: "CVE-2022-48560" | ||
title: "CVE-2022-48560" | ||
description: "Lifecycle of CVE-2022-48560" | ||
hide_table_of_contents: true | ||
sidebar_class_name: "hide-from-sidebar" | ||
toc_max_heading_level: 2 | ||
tags: ["security", "cve"] | ||
--- | ||
|
||
## CVE Details | ||
|
||
[CVE-2022-48560](https://nvd.nist.gov/vuln/detail/CVE-2022-48560) | ||
|
||
## Last Update | ||
|
||
9/13/24 | ||
|
||
## NIST CVE Summary | ||
|
||
A use-after-free exists in Python through 3.9 via heappushpop in heapq. | ||
|
||
## Our Official Summary | ||
|
||
Investigation is ongoing to determine how this vulnerability affects our products. | ||
|
||
## CVE Severity | ||
|
||
[7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-48560) | ||
|
||
## Status | ||
|
||
Ongoing | ||
|
||
## Affected Products & Versions | ||
|
||
- Palette VerteX 4.4.17 | ||
|
||
## Revision History | ||
|
||
- 1.0 9/13/2024 Initial Publication | ||
- 2.0 9/13/2024 Added Palette VerteX 4.4.17 to Affected Products |
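Review bot: the Last Update value "9/13/24" and the Revision History dates "9/13/2024" use two different formats on the same page, and both are ambiguous outside the US (month/day versus day/month). Suggest a single unambiguous form such as 2024-09-13 in both places, ideally derived from one field so they cannot drift. Separately, the NIST summary bounds this heapq use-after-free as "Python through 3.9" and names no fixed version, so the official summary needs to state the Python version shipped in VerteX 4.4.17 for a reader to tell whether heappushpop is in scope at all.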
docs/docs-content/security-bulletins/reports/cve-2022-48565.md: 43 additions & 0 deletions
@@ -0,0 +1,43 @@ | ||
--- | ||
sidebar_label: "CVE-2022-48565" | ||
title: "CVE-2022-48565" | ||
description: "Lifecycle of CVE-2022-48565" | ||
hide_table_of_contents: true | ||
sidebar_class_name: "hide-from-sidebar" | ||
toc_max_heading_level: 2 | ||
tags: ["security", "cve"] | ||
--- | ||
|
||
## CVE Details | ||
|
||
[CVE-2022-48565](https://nvd.nist.gov/vuln/detail/CVE-2022-48565) | ||
|
||
## Last Update | ||
|
||
9/13/24 | ||
|
||
## NIST CVE Summary | ||
|
||
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity | ||
declarations in XML plist files to avoid XML vulnerabilities. | ||
|
||
## Our Official Summary | ||
|
||
Investigation is ongoing to determine how this vulnerability affects our products. | ||
|
||
## CVE Severity | ||
|
||
[9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-48565) | ||
|
||
## Status | ||
|
||
Ongoing | ||
|
||
## Affected Products & Versions | ||
|
||
- Palette VerteX 4.4.17 | ||
|
||
## Revision History | ||
|
||
- 1.0 9/13/2024 Initial Publication | ||
- 2.0 9/13/2024 Added Palette VerteX 4.4.17 to Affected Products |
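Review bot: the CVE Severity section gives a bare score (9.8) with no CVSS version or vector, which matters for an XXE rated this high: the reader cannot tell from this page whether the score assumes network-reachable parsing of attacker-controlled plist files. Suggest recording the CVSS version and vector string next to the score, and having Our Official Summary state whether any VerteX 4.4.17 component feeds untrusted XML plist input to plistlib, since that is the only path through which the entity-declaration issue in the NIST text is reachable. Note also that the second NIST sentence ("The plistlib module no longer accepts entity declarations…") describes the fix rather than the flaw, so the bulletin should not be read as saying the shipped version already rejects them.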
docs/docs-content/security-bulletins/reports/cve-2023-24329.md: 43 additions & 0 deletions
@@ -0,0 +1,43 @@ | ||
--- | ||
sidebar_label: "CVE-2023-24329" | ||
title: "CVE-2023-24329" | ||
description: "Lifecycle of CVE-2023-24329" | ||
hide_table_of_contents: true | ||
sidebar_class_name: "hide-from-sidebar" | ||
toc_max_heading_level: 2 | ||
tags: ["security", "cve"] | ||
--- | ||
|
||
## CVE Details | ||
|
||
[CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329) | ||
|
||
## Last Update | ||
|
||
9/13/24 | ||
|
||
## NIST CVE Summary | ||
|
||
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by | ||
supplying a URL that starts with blank characters. | ||
|
||
## Our Official Summary | ||
|
||
Investigation is ongoing to determine how this vulnerability affects our products. | ||
|
||
## CVE Severity | ||
|
||
[7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24329) | ||
|
||
## Status | ||
|
||
Ongoing | ||
|
||
## Affected Products & Versions | ||
|
||
- Palette VerteX 4.4.17 | ||
|
||
## Revision History | ||
|
||
- 1.0 9/13/2024 Initial Publication | ||
- 2.0 9/13/2024 Added Palette VerteX 4.4.17 to Affected Products |
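Review bot: the Revision History records two revisions on the same date ("1.0 9/13/2024 Initial Publication" and "2.0 9/13/2024 Added Palette VerteX 4.4.17 to Affected Products") in a file this commit creates, so no published 1.0 without that product ever existed. Either collapse to a single 1.0 entry, or keep 2.0 only if the bulletin was first published elsewhere and say where. On the content: the NIST text describes a blocklist bypass via a URL starting with blank characters, so the official summary should say whether VerteX 4.4.17 applies URL allow/blocklists to untrusted input through urllib.parse, which is the only place the bypass has an effect, rather than the generic "Investigation is ongoing" line.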
docs/docs-content/security-bulletins/reports/cve-2024-3651.md: 46 additions & 0 deletions
@@ -0,0 +1,46 @@ | ||
--- | ||
sidebar_label: "CVE-2024-3651" | ||
title: "CVE-2024-3651" | ||
description: "Lifecycle of CVE-2024-3651" | ||
hide_table_of_contents: true | ||
sidebar_class_name: "hide-from-sidebar" | ||
toc_max_heading_level: 2 | ||
tags: ["security", "cve"] | ||
--- | ||
|
||
## CVE Details | ||
|
||
[CVE-2024-3651](https://nvd.nist.gov/vuln/detail/CVE-2024-3651) | ||
|
||
## Last Update | ||
|
||
9/13/24 | ||
|
||
## NIST CVE Summary | ||
|
||
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting | ||
version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic | ||
complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that | ||
causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing | ||
the processing time in a quadratic manner relative to the input size. | ||
|
||
## Our Official Summary | ||
|
||
Investigation is ongoing to determine how this vulnerability affects our products. | ||
|
||
## CVE Severity | ||
|
||
[7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-3651) | ||
|
||
## Status | ||
|
||
Ongoing | ||
|
||
## Affected Products & Versions | ||
|
||
- Palette VerteX 4.4.17 | ||
|
||
## Revision History | ||
|
||
- 1.0 9/13/2024 Initial Publication | ||
- 2.0 9/13/2024 Added Palette VerteX 4.4.17 to Affected Products |
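Review bot: this bulletin and the new cve-2022-45061.md in the same commit describe the same class of issue, quadratic-time IDNA processing leading to CPU denial of service, one in CPython's IDNA decoder and this one in the kjd/idna library's `idna.encode()`; they should cross-reference each other so the remediation is tracked once per component rather than discovered twice. The NIST text pins the flaw to idna version 3.6, so the official summary should record which idna version VerteX 4.4.17 ships and which component imports it; "Investigation is ongoing" alongside a populated Affected Products list leaves the reader unable to tell whether that check has been done.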