@blamejs/exceptd-skills 0.12.41 → 0.13.0
- package/CHANGELOG.md +91 -0
- package/bin/exceptd.js +52 -44
- package/data/_indexes/_meta.json +47 -47
- package/data/_indexes/chains.json +485 -13
- package/data/_indexes/jurisdiction-map.json +15 -4
- package/data/_indexes/section-offsets.json +1244 -1244
- package/data/_indexes/token-budget.json +173 -173
- package/data/atlas-ttps.json +54 -11
- package/data/attack-techniques.json +113 -17
- package/data/cve-catalog.json +17 -24
- package/data/cwe-catalog.json +8 -2
- package/data/framework-control-gaps.json +13 -3
- package/data/playbooks/ai-api.json +5 -0
- package/data/playbooks/cicd-pipeline-compromise.json +970 -0
- package/data/playbooks/cloud-iam-incident.json +4 -1
- package/data/playbooks/cred-stores.json +10 -0
- package/data/playbooks/framework.json +16 -0
- package/data/playbooks/hardening.json +4 -0
- package/data/playbooks/identity-sso-compromise.json +951 -0
- package/data/playbooks/idp-incident.json +3 -0
- package/data/playbooks/kernel.json +6 -0
- package/data/playbooks/llm-tool-use-exfil.json +963 -0
- package/data/playbooks/mcp.json +6 -0
- package/data/playbooks/runtime.json +4 -0
- package/data/playbooks/sbom.json +13 -0
- package/data/playbooks/secrets.json +6 -0
- package/data/playbooks/webhook-callback-abuse.json +916 -0
- package/lib/cross-ref-api.js +33 -13
- package/lib/cve-curation.js +12 -1
- package/lib/exit-codes.js +29 -0
- package/lib/lint-skills.js +24 -2
- package/lib/refresh-external.js +10 -1
- package/lib/scoring.js +55 -0
- package/manifest.json +83 -83
- package/orchestrator/index.js +32 -24
- package/package.json +1 -1
- package/sbom.cdx.json +122 -78
- package/scripts/predeploy.js +7 -13
- package/scripts/refresh-reverse-refs.js +86 -0
- package/scripts/refresh-sbom.js +21 -4
- package/skills/age-gates-child-safety/skill.md +1 -5
- package/skills/ai-attack-surface/skill.md +11 -4
- package/skills/ai-c2-detection/skill.md +11 -2
- package/skills/ai-risk-management/skill.md +4 -2
- package/skills/api-security/skill.md +7 -8
- package/skills/attack-surface-pentest/skill.md +2 -2
- package/skills/cloud-iam-incident/skill.md +1 -5
- package/skills/cloud-security/skill.md +0 -4
- package/skills/compliance-theater/skill.md +10 -2
- package/skills/container-runtime-security/skill.md +1 -3
- package/skills/dlp-gap-analysis/skill.md +3 -4
- package/skills/email-security-anti-phishing/skill.md +1 -8
- package/skills/exploit-scoring/skill.md +7 -2
- package/skills/framework-gap-analysis/skill.md +1 -1
- package/skills/fuzz-testing-strategy/skill.md +1 -2
- package/skills/global-grc/skill.md +3 -2
- package/skills/identity-assurance/skill.md +1 -3
- package/skills/idp-incident-response/skill.md +1 -4
- package/skills/incident-response-playbook/skill.md +1 -5
- package/skills/kernel-lpe-triage/skill.md +2 -2
- package/skills/mcp-agent-trust/skill.md +13 -3
- package/skills/mlops-security/skill.md +2 -3
- package/skills/ot-ics-security/skill.md +0 -3
- package/skills/policy-exception-gen/skill.md +11 -3
- package/skills/pqc-first/skill.md +4 -2
- package/skills/rag-pipeline-security/skill.md +2 -0
- package/skills/ransomware-response/skill.md +1 -5
- package/skills/researcher/skill.md +4 -3
- package/skills/sector-energy/skill.md +0 -4
- package/skills/sector-federal-government/skill.md +2 -3
- package/skills/sector-financial/skill.md +1 -4
- package/skills/sector-healthcare/skill.md +0 -5
- package/skills/sector-telecom/skill.md +0 -4
- package/skills/security-maturity-tiers/skill.md +1 -2
- package/skills/skill-update-loop/skill.md +4 -3
- package/skills/supply-chain-integrity/skill.md +4 -3
- package/skills/threat-model-currency/skill.md +1 -1
- package/skills/threat-modeling-methodology/skill.md +2 -1
- package/skills/webapp-security/skill.md +0 -5
|
@@ -3183,14 +3183,354 @@
|
|
|
3183
3183
|
"cvss": 10,
|
|
3184
3184
|
"cisa_kev": true,
|
|
3185
3185
|
"epss_score": 0.86,
|
|
3186
|
-
"referencing_skills": [
|
|
3186
|
+
"referencing_skills": [
|
|
3187
|
+
"mcp-agent-trust",
|
|
3188
|
+
"supply-chain-integrity",
|
|
3189
|
+
"identity-assurance",
|
|
3190
|
+
"sector-healthcare",
|
|
3191
|
+
"sector-federal-government",
|
|
3192
|
+
"cloud-security",
|
|
3193
|
+
"container-runtime-security",
|
|
3194
|
+
"mlops-security",
|
|
3195
|
+
"age-gates-child-safety"
|
|
3196
|
+
],
|
|
3187
3197
|
"chain": {
|
|
3188
|
-
"cwes": [
|
|
3189
|
-
|
|
3190
|
-
|
|
3191
|
-
|
|
3192
|
-
|
|
3193
|
-
|
|
3198
|
+
"cwes": [
|
|
3199
|
+
{
|
|
3200
|
+
"id": "CWE-1188",
|
|
3201
|
+
"name": "Initialization of a Resource with an Insecure Default",
|
|
3202
|
+
"category": "Configuration"
|
|
3203
|
+
},
|
|
3204
|
+
{
|
|
3205
|
+
"id": "CWE-1357",
|
|
3206
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
3207
|
+
"category": "Supply Chain"
|
|
3208
|
+
},
|
|
3209
|
+
{
|
|
3210
|
+
"id": "CWE-1395",
|
|
3211
|
+
"name": "Dependency on Vulnerable Third-Party Component",
|
|
3212
|
+
"category": "Supply Chain"
|
|
3213
|
+
},
|
|
3214
|
+
{
|
|
3215
|
+
"id": "CWE-1426",
|
|
3216
|
+
"name": "Improper Validation of Generative AI Output",
|
|
3217
|
+
"category": "AI/ML"
|
|
3218
|
+
},
|
|
3219
|
+
{
|
|
3220
|
+
"id": "CWE-200",
|
|
3221
|
+
"name": "Exposure of Sensitive Information to an Unauthorized Actor",
|
|
3222
|
+
"category": "Information Exposure"
|
|
3223
|
+
},
|
|
3224
|
+
{
|
|
3225
|
+
"id": "CWE-22",
|
|
3226
|
+
"name": "Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)",
|
|
3227
|
+
"category": "Path/Resource"
|
|
3228
|
+
},
|
|
3229
|
+
{
|
|
3230
|
+
"id": "CWE-269",
|
|
3231
|
+
"name": "Improper Privilege Management",
|
|
3232
|
+
"category": "Authorization"
|
|
3233
|
+
},
|
|
3234
|
+
{
|
|
3235
|
+
"id": "CWE-287",
|
|
3236
|
+
"name": "Improper Authentication",
|
|
3237
|
+
"category": "Authentication"
|
|
3238
|
+
},
|
|
3239
|
+
{
|
|
3240
|
+
"id": "CWE-306",
|
|
3241
|
+
"name": "Missing Authentication for Critical Function",
|
|
3242
|
+
"category": "Authentication"
|
|
3243
|
+
},
|
|
3244
|
+
{
|
|
3245
|
+
"id": "CWE-345",
|
|
3246
|
+
"name": "Insufficient Verification of Data Authenticity",
|
|
3247
|
+
"category": "Authenticity / Supply Chain"
|
|
3248
|
+
},
|
|
3249
|
+
{
|
|
3250
|
+
"id": "CWE-352",
|
|
3251
|
+
"name": "Cross-Site Request Forgery (CSRF)",
|
|
3252
|
+
"category": "Session"
|
|
3253
|
+
},
|
|
3254
|
+
{
|
|
3255
|
+
"id": "CWE-434",
|
|
3256
|
+
"name": "Unrestricted Upload of File with Dangerous Type",
|
|
3257
|
+
"category": "File Handling"
|
|
3258
|
+
},
|
|
3259
|
+
{
|
|
3260
|
+
"id": "CWE-494",
|
|
3261
|
+
"name": "Download of Code Without Integrity Check",
|
|
3262
|
+
"category": "Supply Chain"
|
|
3263
|
+
},
|
|
3264
|
+
{
|
|
3265
|
+
"id": "CWE-502",
|
|
3266
|
+
"name": "Deserialization of Untrusted Data",
|
|
3267
|
+
"category": "Serialization"
|
|
3268
|
+
},
|
|
3269
|
+
{
|
|
3270
|
+
"id": "CWE-732",
|
|
3271
|
+
"name": "Incorrect Permission Assignment for Critical Resource",
|
|
3272
|
+
"category": "Authorization"
|
|
3273
|
+
},
|
|
3274
|
+
{
|
|
3275
|
+
"id": "CWE-77",
|
|
3276
|
+
"name": "Improper Neutralization of Special Elements used in a Command (Command Injection)",
|
|
3277
|
+
"category": "Injection"
|
|
3278
|
+
},
|
|
3279
|
+
{
|
|
3280
|
+
"id": "CWE-787",
|
|
3281
|
+
"name": "Out-of-bounds Write",
|
|
3282
|
+
"category": "Memory Safety"
|
|
3283
|
+
},
|
|
3284
|
+
{
|
|
3285
|
+
"id": "CWE-798",
|
|
3286
|
+
"name": "Use of Hard-coded Credentials",
|
|
3287
|
+
"category": "Credentials"
|
|
3288
|
+
},
|
|
3289
|
+
{
|
|
3290
|
+
"id": "CWE-829",
|
|
3291
|
+
"name": "Inclusion of Functionality from Untrusted Control Sphere",
|
|
3292
|
+
"category": "Supply Chain"
|
|
3293
|
+
},
|
|
3294
|
+
{
|
|
3295
|
+
"id": "CWE-862",
|
|
3296
|
+
"name": "Missing Authorization",
|
|
3297
|
+
"category": "Authorization"
|
|
3298
|
+
},
|
|
3299
|
+
{
|
|
3300
|
+
"id": "CWE-863",
|
|
3301
|
+
"name": "Incorrect Authorization",
|
|
3302
|
+
"category": "Authorization"
|
|
3303
|
+
},
|
|
3304
|
+
{
|
|
3305
|
+
"id": "CWE-918",
|
|
3306
|
+
"name": "Server-Side Request Forgery (SSRF)",
|
|
3307
|
+
"category": "Network"
|
|
3308
|
+
},
|
|
3309
|
+
{
|
|
3310
|
+
"id": "CWE-94",
|
|
3311
|
+
"name": "Improper Control of Generation of Code (Code Injection)",
|
|
3312
|
+
"category": "Injection"
|
|
3313
|
+
}
|
|
3314
|
+
],
|
|
3315
|
+
"atlas": [
|
|
3316
|
+
{
|
|
3317
|
+
"id": "AML.T0010",
|
|
3318
|
+
"name": "ML Supply Chain Compromise",
|
|
3319
|
+
"tactic": "Initial Access"
|
|
3320
|
+
},
|
|
3321
|
+
{
|
|
3322
|
+
"id": "AML.T0016",
|
|
3323
|
+
"name": "Obtain Capabilities: Develop Capabilities",
|
|
3324
|
+
"tactic": "Resource Development"
|
|
3325
|
+
},
|
|
3326
|
+
{
|
|
3327
|
+
"id": "AML.T0017",
|
|
3328
|
+
"name": "Discover ML Model Ontology",
|
|
3329
|
+
"tactic": "Discovery"
|
|
3330
|
+
},
|
|
3331
|
+
{
|
|
3332
|
+
"id": "AML.T0018",
|
|
3333
|
+
"name": "Backdoor ML Model",
|
|
3334
|
+
"tactic": "Persistence"
|
|
3335
|
+
},
|
|
3336
|
+
{
|
|
3337
|
+
"id": "AML.T0020",
|
|
3338
|
+
"name": "Poison Training Data",
|
|
3339
|
+
"tactic": "ML Attack Staging"
|
|
3340
|
+
},
|
|
3341
|
+
{
|
|
3342
|
+
"id": "AML.T0043",
|
|
3343
|
+
"name": "Craft Adversarial Data",
|
|
3344
|
+
"tactic": "ML Attack Staging"
|
|
3345
|
+
},
|
|
3346
|
+
{
|
|
3347
|
+
"id": "AML.T0051",
|
|
3348
|
+
"name": "LLM Prompt Injection",
|
|
3349
|
+
"tactic": "Execution"
|
|
3350
|
+
},
|
|
3351
|
+
{
|
|
3352
|
+
"id": "AML.T0096",
|
|
3353
|
+
"name": "AI API as Covert C2 Channel",
|
|
3354
|
+
"tactic": "Command and Control"
|
|
3355
|
+
}
|
|
3356
|
+
],
|
|
3357
|
+
"d3fend": [
|
|
3358
|
+
{
|
|
3359
|
+
"id": "D3-CBAN",
|
|
3360
|
+
"name": "Certificate-based Authentication",
|
|
3361
|
+
"tactic": "Harden"
|
|
3362
|
+
},
|
|
3363
|
+
{
|
|
3364
|
+
"id": "D3-CSPP",
|
|
3365
|
+
"name": "Client-server Payload Profiling",
|
|
3366
|
+
"tactic": "Detect"
|
|
3367
|
+
},
|
|
3368
|
+
{
|
|
3369
|
+
"id": "D3-EAL",
|
|
3370
|
+
"name": "Executable Allowlisting",
|
|
3371
|
+
"tactic": "Harden"
|
|
3372
|
+
},
|
|
3373
|
+
{
|
|
3374
|
+
"id": "D3-EHB",
|
|
3375
|
+
"name": "Executable Hashbased Allowlist",
|
|
3376
|
+
"tactic": "Harden"
|
|
3377
|
+
},
|
|
3378
|
+
{
|
|
3379
|
+
"id": "D3-MFA",
|
|
3380
|
+
"name": "Multi-factor Authentication",
|
|
3381
|
+
"tactic": "Harden"
|
|
3382
|
+
}
|
|
3383
|
+
],
|
|
3384
|
+
"framework_gaps": [
|
|
3385
|
+
{
|
|
3386
|
+
"id": "ALL-MCP-TOOL-TRUST",
|
|
3387
|
+
"framework": "ALL",
|
|
3388
|
+
"control_name": "MCP/Agent Tool Trust Boundaries"
|
|
3389
|
+
},
|
|
3390
|
+
{
|
|
3391
|
+
"id": "CMMC-2.0-Level-2",
|
|
3392
|
+
"framework": "CMMC 2.0 (Cybersecurity Maturity Model Certification) Level 2",
|
|
3393
|
+
"control_name": "Level 2 — Advanced (110 NIST 800-171 Rev 2 controls)"
|
|
3394
|
+
},
|
|
3395
|
+
{
|
|
3396
|
+
"id": "CycloneDX-v1.6-SBOM",
|
|
3397
|
+
"framework": "CycloneDX v1.6 (OWASP SBOM standard)",
|
|
3398
|
+
"control_name": "Software Bill of Materials"
|
|
3399
|
+
},
|
|
3400
|
+
{
|
|
3401
|
+
"id": "FedRAMP-Rev5-Moderate",
|
|
3402
|
+
"framework": "FedRAMP Rev 5 Moderate",
|
|
3403
|
+
"control_name": "FedRAMP Moderate baseline (NIST 800-53 Rev 5 tailoring)"
|
|
3404
|
+
},
|
|
3405
|
+
{
|
|
3406
|
+
"id": "HIPAA-Security-Rule-164.312(a)(1)",
|
|
3407
|
+
"framework": "HIPAA Security Rule (45 CFR § 164.312)",
|
|
3408
|
+
"control_name": "Access control standard (technical safeguards)"
|
|
3409
|
+
},
|
|
3410
|
+
{
|
|
3411
|
+
"id": "HITRUST-CSF-v11.4-09.l",
|
|
3412
|
+
"framework": "HITRUST CSF v11.4",
|
|
3413
|
+
"control_name": "Outsourced services management"
|
|
3414
|
+
},
|
|
3415
|
+
{
|
|
3416
|
+
"id": "ISO-27001-2022-A.8.28",
|
|
3417
|
+
"framework": "ISO/IEC 27001:2022",
|
|
3418
|
+
"control_name": "Secure coding"
|
|
3419
|
+
},
|
|
3420
|
+
{
|
|
3421
|
+
"id": "ISO-27001-2022-A.8.30",
|
|
3422
|
+
"framework": "ISO/IEC 27001:2022",
|
|
3423
|
+
"control_name": "Outsourced development"
|
|
3424
|
+
},
|
|
3425
|
+
{
|
|
3426
|
+
"id": "ISO-IEC-42001-2023-clause-6.1.2",
|
|
3427
|
+
"framework": "ISO/IEC 42001:2023 (AI Management System)",
|
|
3428
|
+
"control_name": "AI risk assessment"
|
|
3429
|
+
},
|
|
3430
|
+
{
|
|
3431
|
+
"id": "NIST-800-218-SSDF",
|
|
3432
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
3433
|
+
"control_name": "Secure Software Development Framework"
|
|
3434
|
+
},
|
|
3435
|
+
{
|
|
3436
|
+
"id": "NIST-800-53-AC-2",
|
|
3437
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
3438
|
+
"control_name": "Account Management"
|
|
3439
|
+
},
|
|
3440
|
+
{
|
|
3441
|
+
"id": "NIST-800-53-CM-7",
|
|
3442
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
3443
|
+
"control_name": "Least Functionality"
|
|
3444
|
+
},
|
|
3445
|
+
{
|
|
3446
|
+
"id": "NIST-800-53-SA-12",
|
|
3447
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
3448
|
+
"control_name": "Supply Chain Protection"
|
|
3449
|
+
},
|
|
3450
|
+
{
|
|
3451
|
+
"id": "NIST-800-63B-rev4",
|
|
3452
|
+
"framework": "NIST SP 800-63B Rev 4 (Digital Identity Guidelines — Authentication & Lifecycle Mgmt)",
|
|
3453
|
+
"control_name": "Authentication and Lifecycle Management (AAL/IAL/FAL)"
|
|
3454
|
+
},
|
|
3455
|
+
{
|
|
3456
|
+
"id": "NIST-AI-RMF-MEASURE-2.5",
|
|
3457
|
+
"framework": "NIST AI RMF 1.0",
|
|
3458
|
+
"control_name": "AI system to human interaction evaluation"
|
|
3459
|
+
},
|
|
3460
|
+
{
|
|
3461
|
+
"id": "OWASP-LLM-Top-10-2025-LLM06",
|
|
3462
|
+
"framework": "OWASP Top 10 for LLM Applications 2025",
|
|
3463
|
+
"control_name": "Excessive Agency"
|
|
3464
|
+
},
|
|
3465
|
+
{
|
|
3466
|
+
"id": "OWASP-LLM-Top-10-2025-LLM08",
|
|
3467
|
+
"framework": "OWASP Top 10 for LLM Applications 2025",
|
|
3468
|
+
"control_name": "Vector and Embedding Weaknesses"
|
|
3469
|
+
},
|
|
3470
|
+
{
|
|
3471
|
+
"id": "PSD2-RTS-SCA",
|
|
3472
|
+
"framework": "EU PSD2 Regulatory Technical Standards on Strong Customer Authentication (Commission Delegated Regulation (EU) 2018/389)",
|
|
3473
|
+
"control_name": "Strong Customer Authentication and Common and Secure Communication"
|
|
3474
|
+
},
|
|
3475
|
+
{
|
|
3476
|
+
"id": "SLSA-v1.0-Build-L3",
|
|
3477
|
+
"framework": "SLSA v1.0 (Supply-chain Levels for Software Artifacts) — Build Track",
|
|
3478
|
+
"control_name": "Hardened build platform with non-falsifiable provenance"
|
|
3479
|
+
},
|
|
3480
|
+
{
|
|
3481
|
+
"id": "SOC2-CC6-logical-access",
|
|
3482
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
3483
|
+
"control_name": "Logical and Physical Access Controls"
|
|
3484
|
+
},
|
|
3485
|
+
{
|
|
3486
|
+
"id": "SOC2-CC9-vendor-management",
|
|
3487
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
3488
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
3489
|
+
},
|
|
3490
|
+
{
|
|
3491
|
+
"id": "SPDX-v3.0-SBOM",
|
|
3492
|
+
"framework": "SPDX v3.0 (ISO/IEC 5962-aligned SBOM standard)",
|
|
3493
|
+
"control_name": "Software Package Data Exchange — SBOM"
|
|
3494
|
+
},
|
|
3495
|
+
{
|
|
3496
|
+
"id": "SWIFT-CSCF-v2026-1.1",
|
|
3497
|
+
"framework": "SWIFT Customer Security Controls Framework v2026",
|
|
3498
|
+
"control_name": "SWIFT Environment Protection"
|
|
3499
|
+
},
|
|
3500
|
+
{
|
|
3501
|
+
"id": "VEX-CSAF-v2.1",
|
|
3502
|
+
"framework": "VEX via OASIS CSAF 2.1 (Common Security Advisory Framework)",
|
|
3503
|
+
"control_name": "Vulnerability Exploitability eXchange profile"
|
|
3504
|
+
}
|
|
3505
|
+
],
|
|
3506
|
+
"attack_refs": [
|
|
3507
|
+
"T1059",
|
|
3508
|
+
"T1068",
|
|
3509
|
+
"T1078",
|
|
3510
|
+
"T1110",
|
|
3511
|
+
"T1190",
|
|
3512
|
+
"T1195.001",
|
|
3513
|
+
"T1195.002",
|
|
3514
|
+
"T1530",
|
|
3515
|
+
"T1552",
|
|
3516
|
+
"T1554",
|
|
3517
|
+
"T1556",
|
|
3518
|
+
"T1565",
|
|
3519
|
+
"T1567",
|
|
3520
|
+
"T1610",
|
|
3521
|
+
"T1611"
|
|
3522
|
+
],
|
|
3523
|
+
"rfc_refs": [
|
|
3524
|
+
"RFC-6749",
|
|
3525
|
+
"RFC-7519",
|
|
3526
|
+
"RFC-8032",
|
|
3527
|
+
"RFC-8446",
|
|
3528
|
+
"RFC-8725",
|
|
3529
|
+
"RFC-9114",
|
|
3530
|
+
"RFC-9180",
|
|
3531
|
+
"RFC-9421",
|
|
3532
|
+
"RFC-9700"
|
|
3533
|
+
]
|
|
3194
3534
|
}
|
|
3195
3535
|
},
|
|
3196
3536
|
"CVE-2024-3154": {
|
|
@@ -3471,14 +3811,117 @@
|
|
|
3471
3811
|
"cvss": 9.2,
|
|
3472
3812
|
"cisa_kev": false,
|
|
3473
3813
|
"epss_score": null,
|
|
3474
|
-
"referencing_skills": [
|
|
3814
|
+
"referencing_skills": [
|
|
3815
|
+
"kernel-lpe-triage",
|
|
3816
|
+
"coordinated-vuln-disclosure"
|
|
3817
|
+
],
|
|
3475
3818
|
"chain": {
|
|
3476
|
-
"cwes": [
|
|
3819
|
+
"cwes": [
|
|
3820
|
+
{
|
|
3821
|
+
"id": "CWE-125",
|
|
3822
|
+
"name": "Out-of-bounds Read",
|
|
3823
|
+
"category": "Memory Safety"
|
|
3824
|
+
},
|
|
3825
|
+
{
|
|
3826
|
+
"id": "CWE-1357",
|
|
3827
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
3828
|
+
"category": "Supply Chain"
|
|
3829
|
+
},
|
|
3830
|
+
{
|
|
3831
|
+
"id": "CWE-362",
|
|
3832
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
3833
|
+
"category": "Concurrency"
|
|
3834
|
+
},
|
|
3835
|
+
{
|
|
3836
|
+
"id": "CWE-416",
|
|
3837
|
+
"name": "Use After Free",
|
|
3838
|
+
"category": "Memory Safety"
|
|
3839
|
+
},
|
|
3840
|
+
{
|
|
3841
|
+
"id": "CWE-672",
|
|
3842
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
3843
|
+
"category": "Memory Safety"
|
|
3844
|
+
},
|
|
3845
|
+
{
|
|
3846
|
+
"id": "CWE-787",
|
|
3847
|
+
"name": "Out-of-bounds Write",
|
|
3848
|
+
"category": "Memory Safety"
|
|
3849
|
+
}
|
|
3850
|
+
],
|
|
3477
3851
|
"atlas": [],
|
|
3478
|
-
"d3fend": [
|
|
3479
|
-
|
|
3480
|
-
|
|
3481
|
-
|
|
3852
|
+
"d3fend": [
|
|
3853
|
+
{
|
|
3854
|
+
"id": "D3-ASLR",
|
|
3855
|
+
"name": "Address Space Layout Randomization",
|
|
3856
|
+
"tactic": "Harden"
|
|
3857
|
+
},
|
|
3858
|
+
{
|
|
3859
|
+
"id": "D3-EAL",
|
|
3860
|
+
"name": "Executable Allowlisting",
|
|
3861
|
+
"tactic": "Harden"
|
|
3862
|
+
},
|
|
3863
|
+
{
|
|
3864
|
+
"id": "D3-PHRA",
|
|
3865
|
+
"name": "Process Hardware Resource Access",
|
|
3866
|
+
"tactic": "Isolate"
|
|
3867
|
+
},
|
|
3868
|
+
{
|
|
3869
|
+
"id": "D3-PSEP",
|
|
3870
|
+
"name": "Process Segment Execution Prevention",
|
|
3871
|
+
"tactic": "Harden"
|
|
3872
|
+
}
|
|
3873
|
+
],
|
|
3874
|
+
"framework_gaps": [
|
|
3875
|
+
{
|
|
3876
|
+
"id": "CIS-Controls-v8-Control7",
|
|
3877
|
+
"framework": "CIS Controls v8",
|
|
3878
|
+
"control_name": "Continuous Vulnerability Management"
|
|
3879
|
+
},
|
|
3880
|
+
{
|
|
3881
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
3882
|
+
"framework": "ISO/IEC 27001:2022",
|
|
3883
|
+
"control_name": "Management of technical vulnerabilities"
|
|
3884
|
+
},
|
|
3885
|
+
{
|
|
3886
|
+
"id": "NIS2-Art21-patch-management",
|
|
3887
|
+
"framework": "EU NIS2 Directive",
|
|
3888
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
3889
|
+
},
|
|
3890
|
+
{
|
|
3891
|
+
"id": "NIST-800-218-SSDF",
|
|
3892
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
3893
|
+
"control_name": "Secure Software Development Framework"
|
|
3894
|
+
},
|
|
3895
|
+
{
|
|
3896
|
+
"id": "NIST-800-53-SC-8",
|
|
3897
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
3898
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
3899
|
+
},
|
|
3900
|
+
{
|
|
3901
|
+
"id": "NIST-800-53-SI-2",
|
|
3902
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
3903
|
+
"control_name": "Flaw Remediation"
|
|
3904
|
+
},
|
|
3905
|
+
{
|
|
3906
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
3907
|
+
"framework": "PCI DSS 4.0",
|
|
3908
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
3909
|
+
},
|
|
3910
|
+
{
|
|
3911
|
+
"id": "SOC2-CC9-vendor-management",
|
|
3912
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
3913
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
3914
|
+
}
|
|
3915
|
+
],
|
|
3916
|
+
"attack_refs": [
|
|
3917
|
+
"T1068",
|
|
3918
|
+
"T1548.001"
|
|
3919
|
+
],
|
|
3920
|
+
"rfc_refs": [
|
|
3921
|
+
"RFC-4301",
|
|
3922
|
+
"RFC-4303",
|
|
3923
|
+
"RFC-7296"
|
|
3924
|
+
]
|
|
3482
3925
|
}
|
|
3483
3926
|
},
|
|
3484
3927
|
"CVE-2026-0300": {
|
|
@@ -5173,6 +5616,7 @@
|
|
|
5173
5616
|
]
|
|
5174
5617
|
},
|
|
5175
5618
|
"related_cves": [
|
|
5619
|
+
"CVE-2024-3094",
|
|
5176
5620
|
"CVE-2025-53773",
|
|
5177
5621
|
"CVE-2026-30615",
|
|
5178
5622
|
"CVE-2026-31431",
|
|
@@ -5357,6 +5801,7 @@
|
|
|
5357
5801
|
]
|
|
5358
5802
|
},
|
|
5359
5803
|
"related_cves": [
|
|
5804
|
+
"CVE-2024-3094",
|
|
5360
5805
|
"CVE-2025-53773",
|
|
5361
5806
|
"CVE-2026-30615",
|
|
5362
5807
|
"CVE-2026-39884",
|
|
@@ -5998,6 +6443,7 @@
|
|
|
5998
6443
|
]
|
|
5999
6444
|
},
|
|
6000
6445
|
"related_cves": [
|
|
6446
|
+
"CVE-2024-3094",
|
|
6001
6447
|
"CVE-2025-53773",
|
|
6002
6448
|
"CVE-2026-30615",
|
|
6003
6449
|
"CVE-2026-32202",
|
|
@@ -6143,6 +6589,7 @@
|
|
|
6143
6589
|
"CVE-2026-33825",
|
|
6144
6590
|
"CVE-2026-39884",
|
|
6145
6591
|
"CVE-2026-42897",
|
|
6592
|
+
"CVE-2026-42945",
|
|
6146
6593
|
"CVE-2026-43284",
|
|
6147
6594
|
"CVE-2026-43500",
|
|
6148
6595
|
"CVE-2026-45321",
|
|
@@ -6361,6 +6808,7 @@
|
|
|
6361
6808
|
]
|
|
6362
6809
|
},
|
|
6363
6810
|
"related_cves": [
|
|
6811
|
+
"CVE-2024-3094",
|
|
6364
6812
|
"CVE-2025-53773",
|
|
6365
6813
|
"CVE-2026-30615",
|
|
6366
6814
|
"CVE-2026-39884",
|
|
@@ -6703,6 +7151,7 @@
|
|
|
6703
7151
|
]
|
|
6704
7152
|
},
|
|
6705
7153
|
"related_cves": [
|
|
7154
|
+
"CVE-2024-3094",
|
|
6706
7155
|
"CVE-2025-53773",
|
|
6707
7156
|
"CVE-2026-30615",
|
|
6708
7157
|
"CVE-2026-31431",
|
|
@@ -7261,6 +7710,7 @@
|
|
|
7261
7710
|
]
|
|
7262
7711
|
},
|
|
7263
7712
|
"related_cves": [
|
|
7713
|
+
"CVE-2024-3094",
|
|
7264
7714
|
"CVE-2025-53773",
|
|
7265
7715
|
"CVE-2026-30615",
|
|
7266
7716
|
"CVE-2026-31431",
|
|
@@ -7460,6 +7910,7 @@
|
|
|
7460
7910
|
]
|
|
7461
7911
|
},
|
|
7462
7912
|
"related_cves": [
|
|
7913
|
+
"CVE-2024-3094",
|
|
7463
7914
|
"CVE-2025-53773",
|
|
7464
7915
|
"CVE-2026-30615",
|
|
7465
7916
|
"CVE-2026-31431",
|
|
@@ -7856,6 +8307,7 @@
|
|
|
7856
8307
|
]
|
|
7857
8308
|
},
|
|
7858
8309
|
"related_cves": [
|
|
8310
|
+
"CVE-2024-3094",
|
|
7859
8311
|
"CVE-2025-53773",
|
|
7860
8312
|
"CVE-2026-30615",
|
|
7861
8313
|
"CVE-2026-45321",
|
|
@@ -8080,6 +8532,7 @@
|
|
|
8080
8532
|
]
|
|
8081
8533
|
},
|
|
8082
8534
|
"related_cves": [
|
|
8535
|
+
"CVE-2024-3094",
|
|
8083
8536
|
"CVE-2025-53773",
|
|
8084
8537
|
"CVE-2026-30615",
|
|
8085
8538
|
"CVE-2026-31431",
|
|
@@ -8225,6 +8678,7 @@
|
|
|
8225
8678
|
"CVE-2026-33825",
|
|
8226
8679
|
"CVE-2026-39884",
|
|
8227
8680
|
"CVE-2026-42897",
|
|
8681
|
+
"CVE-2026-42945",
|
|
8228
8682
|
"CVE-2026-43284",
|
|
8229
8683
|
"CVE-2026-43500",
|
|
8230
8684
|
"CVE-2026-45321",
|
|
@@ -8354,6 +8808,7 @@
|
|
|
8354
8808
|
"CVE-2026-33825",
|
|
8355
8809
|
"CVE-2026-39884",
|
|
8356
8810
|
"CVE-2026-42897",
|
|
8811
|
+
"CVE-2026-42945",
|
|
8357
8812
|
"CVE-2026-43284",
|
|
8358
8813
|
"CVE-2026-43500",
|
|
8359
8814
|
"CVE-2026-45321",
|
|
@@ -8570,6 +9025,7 @@
|
|
|
8570
9025
|
]
|
|
8571
9026
|
},
|
|
8572
9027
|
"related_cves": [
|
|
9028
|
+
"CVE-2024-3094",
|
|
8573
9029
|
"CVE-2025-53773",
|
|
8574
9030
|
"CVE-2026-30615",
|
|
8575
9031
|
"CVE-2026-31431",
|
|
@@ -8767,6 +9223,7 @@
|
|
|
8767
9223
|
]
|
|
8768
9224
|
},
|
|
8769
9225
|
"related_cves": [
|
|
9226
|
+
"CVE-2024-3094",
|
|
8770
9227
|
"CVE-2025-53773",
|
|
8771
9228
|
"CVE-2026-30615",
|
|
8772
9229
|
"CVE-2026-45321",
|
|
@@ -8953,6 +9410,7 @@
|
|
|
8953
9410
|
]
|
|
8954
9411
|
},
|
|
8955
9412
|
"related_cves": [
|
|
9413
|
+
"CVE-2024-3094",
|
|
8956
9414
|
"CVE-2026-30615",
|
|
8957
9415
|
"CVE-2026-39884",
|
|
8958
9416
|
"CVE-2026-42208",
|
|
@@ -9254,6 +9712,7 @@
|
|
|
9254
9712
|
"CVE-2026-33825",
|
|
9255
9713
|
"CVE-2026-39884",
|
|
9256
9714
|
"CVE-2026-42897",
|
|
9715
|
+
"CVE-2026-42945",
|
|
9257
9716
|
"CVE-2026-43284",
|
|
9258
9717
|
"CVE-2026-43500",
|
|
9259
9718
|
"CVE-2026-45321",
|
|
@@ -9534,6 +9993,7 @@
|
|
|
9534
9993
|
]
|
|
9535
9994
|
},
|
|
9536
9995
|
"related_cves": [
|
|
9996
|
+
"CVE-2024-3094",
|
|
9537
9997
|
"CVE-2025-53773",
|
|
9538
9998
|
"CVE-2026-30615",
|
|
9539
9999
|
"CVE-2026-31431",
|
|
@@ -9749,6 +10209,7 @@
|
|
|
9749
10209
|
]
|
|
9750
10210
|
},
|
|
9751
10211
|
"related_cves": [
|
|
10212
|
+
"CVE-2024-3094",
|
|
9752
10213
|
"CVE-2025-53773",
|
|
9753
10214
|
"CVE-2026-0300",
|
|
9754
10215
|
"CVE-2026-30615",
|
|
@@ -9757,6 +10218,7 @@
|
|
|
9757
10218
|
"CVE-2026-33825",
|
|
9758
10219
|
"CVE-2026-39884",
|
|
9759
10220
|
"CVE-2026-42897",
|
|
10221
|
+
"CVE-2026-42945",
|
|
9760
10222
|
"CVE-2026-43284",
|
|
9761
10223
|
"CVE-2026-43500",
|
|
9762
10224
|
"CVE-2026-45321",
|
|
@@ -10049,6 +10511,7 @@
|
|
|
10049
10511
|
]
|
|
10050
10512
|
},
|
|
10051
10513
|
"related_cves": [
|
|
10514
|
+
"CVE-2024-3094",
|
|
10052
10515
|
"CVE-2025-53773",
|
|
10053
10516
|
"CVE-2026-30615",
|
|
10054
10517
|
"CVE-2026-31431",
|
|
@@ -10168,6 +10631,7 @@
|
|
|
10168
10631
|
]
|
|
10169
10632
|
},
|
|
10170
10633
|
"related_cves": [
|
|
10634
|
+
"CVE-2024-3094",
|
|
10171
10635
|
"CVE-2026-30615",
|
|
10172
10636
|
"CVE-2026-45321",
|
|
10173
10637
|
"MAL-2026-3083",
|
|
@@ -10349,6 +10813,7 @@
|
|
|
10349
10813
|
]
|
|
10350
10814
|
},
|
|
10351
10815
|
"related_cves": [
|
|
10816
|
+
"CVE-2024-3094",
|
|
10352
10817
|
"CVE-2025-53773",
|
|
10353
10818
|
"CVE-2026-30615",
|
|
10354
10819
|
"CVE-2026-39884",
|
|
@@ -10624,6 +11089,7 @@
|
|
|
10624
11089
|
]
|
|
10625
11090
|
},
|
|
10626
11091
|
"related_cves": [
|
|
11092
|
+
"CVE-2024-3094",
|
|
10627
11093
|
"CVE-2025-53773",
|
|
10628
11094
|
"CVE-2026-30615",
|
|
10629
11095
|
"CVE-2026-39884",
|
|
@@ -10927,6 +11393,7 @@
|
|
|
10927
11393
|
]
|
|
10928
11394
|
},
|
|
10929
11395
|
"related_cves": [
|
|
11396
|
+
"CVE-2024-3094",
|
|
10930
11397
|
"CVE-2025-53773",
|
|
10931
11398
|
"CVE-2026-30615",
|
|
10932
11399
|
"CVE-2026-31431",
|
|
@@ -11278,6 +11745,7 @@
|
|
|
11278
11745
|
]
|
|
11279
11746
|
},
|
|
11280
11747
|
"related_cves": [
|
|
11748
|
+
"CVE-2024-3094",
|
|
11281
11749
|
"CVE-2025-53773",
|
|
11282
11750
|
"CVE-2026-30615",
|
|
11283
11751
|
"CVE-2026-39884",
|
|
@@ -11440,9 +11908,11 @@
|
|
|
11440
11908
|
]
|
|
11441
11909
|
},
|
|
11442
11910
|
"related_cves": [
|
|
11911
|
+
"CVE-2024-3094",
|
|
11443
11912
|
"CVE-2026-0300",
|
|
11444
11913
|
"CVE-2026-30615",
|
|
11445
11914
|
"CVE-2026-31431",
|
|
11915
|
+
"CVE-2026-42945",
|
|
11446
11916
|
"CVE-2026-45321",
|
|
11447
11917
|
"CVE-2026-46300",
|
|
11448
11918
|
"MAL-2026-3083",
|
|
@@ -11660,6 +12130,7 @@
|
|
|
11660
12130
|
]
|
|
11661
12131
|
},
|
|
11662
12132
|
"related_cves": [
|
|
12133
|
+
"CVE-2024-3094",
|
|
11663
12134
|
"CVE-2025-53773",
|
|
11664
12135
|
"CVE-2026-30615",
|
|
11665
12136
|
"CVE-2026-31431",
|
|
@@ -11910,6 +12381,7 @@
|
|
|
11910
12381
|
]
|
|
11911
12382
|
},
|
|
11912
12383
|
"related_cves": [
|
|
12384
|
+
"CVE-2024-3094",
|
|
11913
12385
|
"CVE-2025-53773",
|
|
11914
12386
|
"CVE-2026-30615",
|
|
11915
12387
|
"CVE-2026-32202",
|