path: root/security/vuxml/vuln-2021.xml
author: Dave Cottlehuber <dch@FreeBSD.org> 2021-10-12 12:40:10 +0000
committer: Dave Cottlehuber <dch@FreeBSD.org> 2021-10-12 13:16:54 +0000
commit: e349d6c6c52214a48c57142cf6223d55d75e5b76 (patch)
tree: 386572504004959ecd191aabf6c6a8600cad6498 /security/vuxml/vuln-2021.xml
parent: 0ff56a87ff3ce6189d8d17b364a40e548d600f7b (diff)
security/vuxml: add CouchDB CVE details
while here, appease `make validate` indentation

Security: https://docs.couchdb.org/en/stable/cve/2021-38295.html
Sponsored by: SkunkWerks, GmbH
Diffstat (limited to 'security/vuxml/vuln-2021.xml')
-rw-r--r-- security/vuxml/vuln-2021.xml | 43
1 files changed, 38 insertions, 5 deletions
diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index 1f31be2f4016..82095255b54d 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -1,3 +1,36 @@
+ <vuln vid="a7dd4c2d-77e4-46de-81a2-c453c317f9de">
+ <topic>couchdb -- user privilege escalation</topic>
+ <affects>
+ <package>
+ <name>couchdb</name>
+ <range><lt>3.1.2,2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Cory Sabol reports:</p>
+ <blockquote cite="https://docs.couchdb.org/en/stable/cve/2021-38295.html">
+ <p>A malicious user with permission to create documents in a
+ database is able to attach a HTML attachment to a document.
+ If a CouchDB admin opens that attachment in a browser, e.g.
+ via the CouchDB admin interface Fauxton, any JavaScript code
+ embedded in that HTML attachment will be executed within the
+ security context of that admin. A similar route is available
+ with the already deprecated _show and _list functionality.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2021-39205</cvename>
+ <url>https://docs.couchdb.org/en/stable/cve/2021-38295.html</url>
+ </references>
+ <dates>
+ <discovery>2021-08-09</discovery>
+ <entry>2021-10-12</entry>
+ </dates>
+ </vuln>
+
<vuln vid="9a8514f3-2ab8-11ec-b3a1-8c164582fbac">
<topic>Ansible -- Ansible user credentials disclosure in ansible-connection module</topic>
<affects>
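Review bot: the CVE identifier in the new CouchDB entry's `<references>` block does not match the advisory it references: `<cvename>CVE-2021-39205</cvename>` sits directly above `<url>https://docs.couchdb.org/en/stable/cve/2021-38295.html</url>`, and the blockquote's `cite` attribute and the commit message's Security: line both point at CVE-2021-38295. Unless a second CVE is deliberately being recorded, change the cvename to `CVE-2021-38295` before this lands, since `pkg audit` users and downstream scanners look entries up by the CVE string and a transposed identifier will silently miss the affected port.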
@@ -38,11 +71,11 @@
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Red Hat reports:</p>
<blockquote cite="">
- <p>A flaw was found in Ansible Engine's ansible-connection
- module, where sensitive information such as the Ansible
- user credentials is disclosed by default in the traceback
- error message. The highest threat from this vulnerability
- is to confidentiality.</p>
+ <p>A flaw was found in Ansible Engine's ansible-connection
+ module, where sensitive information such as the Ansible
+ user credentials is disclosed by default in the traceback
+ error message. The highest threat from this vulnerability
+ is to confidentiality.</p>
</blockquote>
</body>
</description>
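Review bot: the five replaced lines in this Ansible hunk are textually identical to the five they replace, so this is the whitespace-only indentation fix the commit message describes and nothing substantive changes here. While this entry is being touched, the `<blockquote cite="">` two lines above the rewritten paragraph carries an empty `cite` attribute; either fill it with the URL of the Red Hat advisory being quoted or drop the attribute, as an empty `cite` gives readers nothing and is the kind of inconsistency that `make validate` does not catch.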