@blamejs/exceptd-skills 0.13.70 → 0.13.71
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/data/_indexes/_meta.json +7 -7
- package/data/_indexes/activity-feed.json +1 -1
- package/data/_indexes/catalog-summaries.json +1 -1
- package/data/_indexes/chains.json +625 -0
- package/data/attack-techniques.json +8 -1
- package/data/cve-catalog.json +406 -1
- package/data/cwe-catalog.json +5 -0
- package/data/framework-control-gaps.json +15 -0
- package/manifest.json +44 -44
- package/package.json +2 -2
- package/sbom.cdx.json +21 -21
|
@@ -17011,6 +17011,601 @@
|
|
|
17011
17011
|
]
|
|
17012
17012
|
}
|
|
17013
17013
|
},
|
|
17014
|
+
"CVE-2008-4250": {
|
|
17015
|
+
"name": "Microsoft Windows Server Service RPC Buffer Overflow (MS08-067)",
|
|
17016
|
+
"rwep": 70,
|
|
17017
|
+
"cvss": 9.3,
|
|
17018
|
+
"cisa_kev": true,
|
|
17019
|
+
"epss_score": null,
|
|
17020
|
+
"referencing_skills": [
|
|
17021
|
+
"kernel-lpe-triage",
|
|
17022
|
+
"coordinated-vuln-disclosure"
|
|
17023
|
+
],
|
|
17024
|
+
"chain": {
|
|
17025
|
+
"cwes": [
|
|
17026
|
+
{
|
|
17027
|
+
"id": "CWE-125",
|
|
17028
|
+
"name": "Out-of-bounds Read",
|
|
17029
|
+
"category": "Memory Safety"
|
|
17030
|
+
},
|
|
17031
|
+
{
|
|
17032
|
+
"id": "CWE-1357",
|
|
17033
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
17034
|
+
"category": "Supply Chain"
|
|
17035
|
+
},
|
|
17036
|
+
{
|
|
17037
|
+
"id": "CWE-362",
|
|
17038
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
17039
|
+
"category": "Concurrency"
|
|
17040
|
+
},
|
|
17041
|
+
{
|
|
17042
|
+
"id": "CWE-416",
|
|
17043
|
+
"name": "Use After Free",
|
|
17044
|
+
"category": "Memory Safety"
|
|
17045
|
+
},
|
|
17046
|
+
{
|
|
17047
|
+
"id": "CWE-672",
|
|
17048
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
17049
|
+
"category": "Memory Safety"
|
|
17050
|
+
},
|
|
17051
|
+
{
|
|
17052
|
+
"id": "CWE-787",
|
|
17053
|
+
"name": "Out-of-bounds Write",
|
|
17054
|
+
"category": "Memory Safety"
|
|
17055
|
+
}
|
|
17056
|
+
],
|
|
17057
|
+
"atlas": [],
|
|
17058
|
+
"d3fend": [
|
|
17059
|
+
{
|
|
17060
|
+
"id": "D3-ASLR",
|
|
17061
|
+
"name": "Address Space Layout Randomization",
|
|
17062
|
+
"tactic": "Harden"
|
|
17063
|
+
},
|
|
17064
|
+
{
|
|
17065
|
+
"id": "D3-EAL",
|
|
17066
|
+
"name": "Executable Allowlisting",
|
|
17067
|
+
"tactic": "Harden"
|
|
17068
|
+
},
|
|
17069
|
+
{
|
|
17070
|
+
"id": "D3-PHRA",
|
|
17071
|
+
"name": "Process Hardware Resource Access",
|
|
17072
|
+
"tactic": "Isolate"
|
|
17073
|
+
},
|
|
17074
|
+
{
|
|
17075
|
+
"id": "D3-PSEP",
|
|
17076
|
+
"name": "Process Segment Execution Prevention",
|
|
17077
|
+
"tactic": "Harden"
|
|
17078
|
+
}
|
|
17079
|
+
],
|
|
17080
|
+
"framework_gaps": [
|
|
17081
|
+
{
|
|
17082
|
+
"id": "CIS-Controls-v8-Control7",
|
|
17083
|
+
"framework": "CIS Controls v8",
|
|
17084
|
+
"control_name": "Continuous Vulnerability Management"
|
|
17085
|
+
},
|
|
17086
|
+
{
|
|
17087
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
17088
|
+
"framework": "ISO/IEC 27001:2022",
|
|
17089
|
+
"control_name": "Management of technical vulnerabilities"
|
|
17090
|
+
},
|
|
17091
|
+
{
|
|
17092
|
+
"id": "NIS2-Art21-patch-management",
|
|
17093
|
+
"framework": "EU NIS2 Directive",
|
|
17094
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
17095
|
+
},
|
|
17096
|
+
{
|
|
17097
|
+
"id": "NIST-800-218-SSDF",
|
|
17098
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
17099
|
+
"control_name": "Secure Software Development Framework"
|
|
17100
|
+
},
|
|
17101
|
+
{
|
|
17102
|
+
"id": "NIST-800-53-SC-8",
|
|
17103
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17104
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
17105
|
+
},
|
|
17106
|
+
{
|
|
17107
|
+
"id": "NIST-800-53-SI-2",
|
|
17108
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17109
|
+
"control_name": "Flaw Remediation"
|
|
17110
|
+
},
|
|
17111
|
+
{
|
|
17112
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
17113
|
+
"framework": "PCI DSS 4.0",
|
|
17114
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
17115
|
+
},
|
|
17116
|
+
{
|
|
17117
|
+
"id": "SOC2-CC9-vendor-management",
|
|
17118
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
17119
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
17120
|
+
}
|
|
17121
|
+
],
|
|
17122
|
+
"attack_refs": [
|
|
17123
|
+
"T1068",
|
|
17124
|
+
"T1548.001"
|
|
17125
|
+
],
|
|
17126
|
+
"rfc_refs": [
|
|
17127
|
+
"RFC-4301",
|
|
17128
|
+
"RFC-4303",
|
|
17129
|
+
"RFC-7296"
|
|
17130
|
+
]
|
|
17131
|
+
}
|
|
17132
|
+
},
|
|
17133
|
+
"CVE-2009-1537": {
|
|
17134
|
+
"name": "Microsoft DirectShow QuickTime Parsing Memory Corruption",
|
|
17135
|
+
"rwep": 70,
|
|
17136
|
+
"cvss": 8.8,
|
|
17137
|
+
"cisa_kev": true,
|
|
17138
|
+
"epss_score": null,
|
|
17139
|
+
"referencing_skills": [
|
|
17140
|
+
"kernel-lpe-triage",
|
|
17141
|
+
"coordinated-vuln-disclosure"
|
|
17142
|
+
],
|
|
17143
|
+
"chain": {
|
|
17144
|
+
"cwes": [
|
|
17145
|
+
{
|
|
17146
|
+
"id": "CWE-125",
|
|
17147
|
+
"name": "Out-of-bounds Read",
|
|
17148
|
+
"category": "Memory Safety"
|
|
17149
|
+
},
|
|
17150
|
+
{
|
|
17151
|
+
"id": "CWE-1357",
|
|
17152
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
17153
|
+
"category": "Supply Chain"
|
|
17154
|
+
},
|
|
17155
|
+
{
|
|
17156
|
+
"id": "CWE-362",
|
|
17157
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
17158
|
+
"category": "Concurrency"
|
|
17159
|
+
},
|
|
17160
|
+
{
|
|
17161
|
+
"id": "CWE-416",
|
|
17162
|
+
"name": "Use After Free",
|
|
17163
|
+
"category": "Memory Safety"
|
|
17164
|
+
},
|
|
17165
|
+
{
|
|
17166
|
+
"id": "CWE-672",
|
|
17167
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
17168
|
+
"category": "Memory Safety"
|
|
17169
|
+
},
|
|
17170
|
+
{
|
|
17171
|
+
"id": "CWE-787",
|
|
17172
|
+
"name": "Out-of-bounds Write",
|
|
17173
|
+
"category": "Memory Safety"
|
|
17174
|
+
}
|
|
17175
|
+
],
|
|
17176
|
+
"atlas": [],
|
|
17177
|
+
"d3fend": [
|
|
17178
|
+
{
|
|
17179
|
+
"id": "D3-ASLR",
|
|
17180
|
+
"name": "Address Space Layout Randomization",
|
|
17181
|
+
"tactic": "Harden"
|
|
17182
|
+
},
|
|
17183
|
+
{
|
|
17184
|
+
"id": "D3-EAL",
|
|
17185
|
+
"name": "Executable Allowlisting",
|
|
17186
|
+
"tactic": "Harden"
|
|
17187
|
+
},
|
|
17188
|
+
{
|
|
17189
|
+
"id": "D3-PHRA",
|
|
17190
|
+
"name": "Process Hardware Resource Access",
|
|
17191
|
+
"tactic": "Isolate"
|
|
17192
|
+
},
|
|
17193
|
+
{
|
|
17194
|
+
"id": "D3-PSEP",
|
|
17195
|
+
"name": "Process Segment Execution Prevention",
|
|
17196
|
+
"tactic": "Harden"
|
|
17197
|
+
}
|
|
17198
|
+
],
|
|
17199
|
+
"framework_gaps": [
|
|
17200
|
+
{
|
|
17201
|
+
"id": "CIS-Controls-v8-Control7",
|
|
17202
|
+
"framework": "CIS Controls v8",
|
|
17203
|
+
"control_name": "Continuous Vulnerability Management"
|
|
17204
|
+
},
|
|
17205
|
+
{
|
|
17206
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
17207
|
+
"framework": "ISO/IEC 27001:2022",
|
|
17208
|
+
"control_name": "Management of technical vulnerabilities"
|
|
17209
|
+
},
|
|
17210
|
+
{
|
|
17211
|
+
"id": "NIS2-Art21-patch-management",
|
|
17212
|
+
"framework": "EU NIS2 Directive",
|
|
17213
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
17214
|
+
},
|
|
17215
|
+
{
|
|
17216
|
+
"id": "NIST-800-218-SSDF",
|
|
17217
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
17218
|
+
"control_name": "Secure Software Development Framework"
|
|
17219
|
+
},
|
|
17220
|
+
{
|
|
17221
|
+
"id": "NIST-800-53-SC-8",
|
|
17222
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17223
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
17224
|
+
},
|
|
17225
|
+
{
|
|
17226
|
+
"id": "NIST-800-53-SI-2",
|
|
17227
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17228
|
+
"control_name": "Flaw Remediation"
|
|
17229
|
+
},
|
|
17230
|
+
{
|
|
17231
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
17232
|
+
"framework": "PCI DSS 4.0",
|
|
17233
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
17234
|
+
},
|
|
17235
|
+
{
|
|
17236
|
+
"id": "SOC2-CC9-vendor-management",
|
|
17237
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
17238
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
17239
|
+
}
|
|
17240
|
+
],
|
|
17241
|
+
"attack_refs": [
|
|
17242
|
+
"T1068",
|
|
17243
|
+
"T1548.001"
|
|
17244
|
+
],
|
|
17245
|
+
"rfc_refs": [
|
|
17246
|
+
"RFC-4301",
|
|
17247
|
+
"RFC-4303",
|
|
17248
|
+
"RFC-7296"
|
|
17249
|
+
]
|
|
17250
|
+
}
|
|
17251
|
+
},
|
|
17252
|
+
"CVE-2009-3459": {
|
|
17253
|
+
"name": "Adobe Acrobat and Reader Heap-Based Buffer Overflow",
|
|
17254
|
+
"rwep": 70,
|
|
17255
|
+
"cvss": 8.8,
|
|
17256
|
+
"cisa_kev": true,
|
|
17257
|
+
"epss_score": null,
|
|
17258
|
+
"referencing_skills": [
|
|
17259
|
+
"kernel-lpe-triage",
|
|
17260
|
+
"coordinated-vuln-disclosure"
|
|
17261
|
+
],
|
|
17262
|
+
"chain": {
|
|
17263
|
+
"cwes": [
|
|
17264
|
+
{
|
|
17265
|
+
"id": "CWE-125",
|
|
17266
|
+
"name": "Out-of-bounds Read",
|
|
17267
|
+
"category": "Memory Safety"
|
|
17268
|
+
},
|
|
17269
|
+
{
|
|
17270
|
+
"id": "CWE-1357",
|
|
17271
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
17272
|
+
"category": "Supply Chain"
|
|
17273
|
+
},
|
|
17274
|
+
{
|
|
17275
|
+
"id": "CWE-362",
|
|
17276
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
17277
|
+
"category": "Concurrency"
|
|
17278
|
+
},
|
|
17279
|
+
{
|
|
17280
|
+
"id": "CWE-416",
|
|
17281
|
+
"name": "Use After Free",
|
|
17282
|
+
"category": "Memory Safety"
|
|
17283
|
+
},
|
|
17284
|
+
{
|
|
17285
|
+
"id": "CWE-672",
|
|
17286
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
17287
|
+
"category": "Memory Safety"
|
|
17288
|
+
},
|
|
17289
|
+
{
|
|
17290
|
+
"id": "CWE-787",
|
|
17291
|
+
"name": "Out-of-bounds Write",
|
|
17292
|
+
"category": "Memory Safety"
|
|
17293
|
+
}
|
|
17294
|
+
],
|
|
17295
|
+
"atlas": [],
|
|
17296
|
+
"d3fend": [
|
|
17297
|
+
{
|
|
17298
|
+
"id": "D3-ASLR",
|
|
17299
|
+
"name": "Address Space Layout Randomization",
|
|
17300
|
+
"tactic": "Harden"
|
|
17301
|
+
},
|
|
17302
|
+
{
|
|
17303
|
+
"id": "D3-EAL",
|
|
17304
|
+
"name": "Executable Allowlisting",
|
|
17305
|
+
"tactic": "Harden"
|
|
17306
|
+
},
|
|
17307
|
+
{
|
|
17308
|
+
"id": "D3-PHRA",
|
|
17309
|
+
"name": "Process Hardware Resource Access",
|
|
17310
|
+
"tactic": "Isolate"
|
|
17311
|
+
},
|
|
17312
|
+
{
|
|
17313
|
+
"id": "D3-PSEP",
|
|
17314
|
+
"name": "Process Segment Execution Prevention",
|
|
17315
|
+
"tactic": "Harden"
|
|
17316
|
+
}
|
|
17317
|
+
],
|
|
17318
|
+
"framework_gaps": [
|
|
17319
|
+
{
|
|
17320
|
+
"id": "CIS-Controls-v8-Control7",
|
|
17321
|
+
"framework": "CIS Controls v8",
|
|
17322
|
+
"control_name": "Continuous Vulnerability Management"
|
|
17323
|
+
},
|
|
17324
|
+
{
|
|
17325
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
17326
|
+
"framework": "ISO/IEC 27001:2022",
|
|
17327
|
+
"control_name": "Management of technical vulnerabilities"
|
|
17328
|
+
},
|
|
17329
|
+
{
|
|
17330
|
+
"id": "NIS2-Art21-patch-management",
|
|
17331
|
+
"framework": "EU NIS2 Directive",
|
|
17332
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
17333
|
+
},
|
|
17334
|
+
{
|
|
17335
|
+
"id": "NIST-800-218-SSDF",
|
|
17336
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
17337
|
+
"control_name": "Secure Software Development Framework"
|
|
17338
|
+
},
|
|
17339
|
+
{
|
|
17340
|
+
"id": "NIST-800-53-SC-8",
|
|
17341
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17342
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
17343
|
+
},
|
|
17344
|
+
{
|
|
17345
|
+
"id": "NIST-800-53-SI-2",
|
|
17346
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17347
|
+
"control_name": "Flaw Remediation"
|
|
17348
|
+
},
|
|
17349
|
+
{
|
|
17350
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
17351
|
+
"framework": "PCI DSS 4.0",
|
|
17352
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
17353
|
+
},
|
|
17354
|
+
{
|
|
17355
|
+
"id": "SOC2-CC9-vendor-management",
|
|
17356
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
17357
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
17358
|
+
}
|
|
17359
|
+
],
|
|
17360
|
+
"attack_refs": [
|
|
17361
|
+
"T1068",
|
|
17362
|
+
"T1548.001"
|
|
17363
|
+
],
|
|
17364
|
+
"rfc_refs": [
|
|
17365
|
+
"RFC-4301",
|
|
17366
|
+
"RFC-4303",
|
|
17367
|
+
"RFC-7296"
|
|
17368
|
+
]
|
|
17369
|
+
}
|
|
17370
|
+
},
|
|
17371
|
+
"CVE-2010-0249": {
|
|
17372
|
+
"name": "Microsoft Internet Explorer Use-After-Free (Operation Aurora)",
|
|
17373
|
+
"rwep": 70,
|
|
17374
|
+
"cvss": 8.8,
|
|
17375
|
+
"cisa_kev": true,
|
|
17376
|
+
"epss_score": null,
|
|
17377
|
+
"referencing_skills": [
|
|
17378
|
+
"kernel-lpe-triage",
|
|
17379
|
+
"coordinated-vuln-disclosure"
|
|
17380
|
+
],
|
|
17381
|
+
"chain": {
|
|
17382
|
+
"cwes": [
|
|
17383
|
+
{
|
|
17384
|
+
"id": "CWE-125",
|
|
17385
|
+
"name": "Out-of-bounds Read",
|
|
17386
|
+
"category": "Memory Safety"
|
|
17387
|
+
},
|
|
17388
|
+
{
|
|
17389
|
+
"id": "CWE-1357",
|
|
17390
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
17391
|
+
"category": "Supply Chain"
|
|
17392
|
+
},
|
|
17393
|
+
{
|
|
17394
|
+
"id": "CWE-362",
|
|
17395
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
17396
|
+
"category": "Concurrency"
|
|
17397
|
+
},
|
|
17398
|
+
{
|
|
17399
|
+
"id": "CWE-416",
|
|
17400
|
+
"name": "Use After Free",
|
|
17401
|
+
"category": "Memory Safety"
|
|
17402
|
+
},
|
|
17403
|
+
{
|
|
17404
|
+
"id": "CWE-672",
|
|
17405
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
17406
|
+
"category": "Memory Safety"
|
|
17407
|
+
},
|
|
17408
|
+
{
|
|
17409
|
+
"id": "CWE-787",
|
|
17410
|
+
"name": "Out-of-bounds Write",
|
|
17411
|
+
"category": "Memory Safety"
|
|
17412
|
+
}
|
|
17413
|
+
],
|
|
17414
|
+
"atlas": [],
|
|
17415
|
+
"d3fend": [
|
|
17416
|
+
{
|
|
17417
|
+
"id": "D3-ASLR",
|
|
17418
|
+
"name": "Address Space Layout Randomization",
|
|
17419
|
+
"tactic": "Harden"
|
|
17420
|
+
},
|
|
17421
|
+
{
|
|
17422
|
+
"id": "D3-EAL",
|
|
17423
|
+
"name": "Executable Allowlisting",
|
|
17424
|
+
"tactic": "Harden"
|
|
17425
|
+
},
|
|
17426
|
+
{
|
|
17427
|
+
"id": "D3-PHRA",
|
|
17428
|
+
"name": "Process Hardware Resource Access",
|
|
17429
|
+
"tactic": "Isolate"
|
|
17430
|
+
},
|
|
17431
|
+
{
|
|
17432
|
+
"id": "D3-PSEP",
|
|
17433
|
+
"name": "Process Segment Execution Prevention",
|
|
17434
|
+
"tactic": "Harden"
|
|
17435
|
+
}
|
|
17436
|
+
],
|
|
17437
|
+
"framework_gaps": [
|
|
17438
|
+
{
|
|
17439
|
+
"id": "CIS-Controls-v8-Control7",
|
|
17440
|
+
"framework": "CIS Controls v8",
|
|
17441
|
+
"control_name": "Continuous Vulnerability Management"
|
|
17442
|
+
},
|
|
17443
|
+
{
|
|
17444
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
17445
|
+
"framework": "ISO/IEC 27001:2022",
|
|
17446
|
+
"control_name": "Management of technical vulnerabilities"
|
|
17447
|
+
},
|
|
17448
|
+
{
|
|
17449
|
+
"id": "NIS2-Art21-patch-management",
|
|
17450
|
+
"framework": "EU NIS2 Directive",
|
|
17451
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
17452
|
+
},
|
|
17453
|
+
{
|
|
17454
|
+
"id": "NIST-800-218-SSDF",
|
|
17455
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
17456
|
+
"control_name": "Secure Software Development Framework"
|
|
17457
|
+
},
|
|
17458
|
+
{
|
|
17459
|
+
"id": "NIST-800-53-SC-8",
|
|
17460
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17461
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
17462
|
+
},
|
|
17463
|
+
{
|
|
17464
|
+
"id": "NIST-800-53-SI-2",
|
|
17465
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17466
|
+
"control_name": "Flaw Remediation"
|
|
17467
|
+
},
|
|
17468
|
+
{
|
|
17469
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
17470
|
+
"framework": "PCI DSS 4.0",
|
|
17471
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
17472
|
+
},
|
|
17473
|
+
{
|
|
17474
|
+
"id": "SOC2-CC9-vendor-management",
|
|
17475
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
17476
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
17477
|
+
}
|
|
17478
|
+
],
|
|
17479
|
+
"attack_refs": [
|
|
17480
|
+
"T1068",
|
|
17481
|
+
"T1548.001"
|
|
17482
|
+
],
|
|
17483
|
+
"rfc_refs": [
|
|
17484
|
+
"RFC-4301",
|
|
17485
|
+
"RFC-4303",
|
|
17486
|
+
"RFC-7296"
|
|
17487
|
+
]
|
|
17488
|
+
}
|
|
17489
|
+
},
|
|
17490
|
+
"CVE-2010-0806": {
|
|
17491
|
+
"name": "Microsoft Internet Explorer Use-After-Free (iepeers)",
|
|
17492
|
+
"rwep": 70,
|
|
17493
|
+
"cvss": 8.8,
|
|
17494
|
+
"cisa_kev": true,
|
|
17495
|
+
"epss_score": null,
|
|
17496
|
+
"referencing_skills": [
|
|
17497
|
+
"kernel-lpe-triage",
|
|
17498
|
+
"coordinated-vuln-disclosure"
|
|
17499
|
+
],
|
|
17500
|
+
"chain": {
|
|
17501
|
+
"cwes": [
|
|
17502
|
+
{
|
|
17503
|
+
"id": "CWE-125",
|
|
17504
|
+
"name": "Out-of-bounds Read",
|
|
17505
|
+
"category": "Memory Safety"
|
|
17506
|
+
},
|
|
17507
|
+
{
|
|
17508
|
+
"id": "CWE-1357",
|
|
17509
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
17510
|
+
"category": "Supply Chain"
|
|
17511
|
+
},
|
|
17512
|
+
{
|
|
17513
|
+
"id": "CWE-362",
|
|
17514
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
17515
|
+
"category": "Concurrency"
|
|
17516
|
+
},
|
|
17517
|
+
{
|
|
17518
|
+
"id": "CWE-416",
|
|
17519
|
+
"name": "Use After Free",
|
|
17520
|
+
"category": "Memory Safety"
|
|
17521
|
+
},
|
|
17522
|
+
{
|
|
17523
|
+
"id": "CWE-672",
|
|
17524
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
17525
|
+
"category": "Memory Safety"
|
|
17526
|
+
},
|
|
17527
|
+
{
|
|
17528
|
+
"id": "CWE-787",
|
|
17529
|
+
"name": "Out-of-bounds Write",
|
|
17530
|
+
"category": "Memory Safety"
|
|
17531
|
+
}
|
|
17532
|
+
],
|
|
17533
|
+
"atlas": [],
|
|
17534
|
+
"d3fend": [
|
|
17535
|
+
{
|
|
17536
|
+
"id": "D3-ASLR",
|
|
17537
|
+
"name": "Address Space Layout Randomization",
|
|
17538
|
+
"tactic": "Harden"
|
|
17539
|
+
},
|
|
17540
|
+
{
|
|
17541
|
+
"id": "D3-EAL",
|
|
17542
|
+
"name": "Executable Allowlisting",
|
|
17543
|
+
"tactic": "Harden"
|
|
17544
|
+
},
|
|
17545
|
+
{
|
|
17546
|
+
"id": "D3-PHRA",
|
|
17547
|
+
"name": "Process Hardware Resource Access",
|
|
17548
|
+
"tactic": "Isolate"
|
|
17549
|
+
},
|
|
17550
|
+
{
|
|
17551
|
+
"id": "D3-PSEP",
|
|
17552
|
+
"name": "Process Segment Execution Prevention",
|
|
17553
|
+
"tactic": "Harden"
|
|
17554
|
+
}
|
|
17555
|
+
],
|
|
17556
|
+
"framework_gaps": [
|
|
17557
|
+
{
|
|
17558
|
+
"id": "CIS-Controls-v8-Control7",
|
|
17559
|
+
"framework": "CIS Controls v8",
|
|
17560
|
+
"control_name": "Continuous Vulnerability Management"
|
|
17561
|
+
},
|
|
17562
|
+
{
|
|
17563
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
17564
|
+
"framework": "ISO/IEC 27001:2022",
|
|
17565
|
+
"control_name": "Management of technical vulnerabilities"
|
|
17566
|
+
},
|
|
17567
|
+
{
|
|
17568
|
+
"id": "NIS2-Art21-patch-management",
|
|
17569
|
+
"framework": "EU NIS2 Directive",
|
|
17570
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
17571
|
+
},
|
|
17572
|
+
{
|
|
17573
|
+
"id": "NIST-800-218-SSDF",
|
|
17574
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
17575
|
+
"control_name": "Secure Software Development Framework"
|
|
17576
|
+
},
|
|
17577
|
+
{
|
|
17578
|
+
"id": "NIST-800-53-SC-8",
|
|
17579
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17580
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
17581
|
+
},
|
|
17582
|
+
{
|
|
17583
|
+
"id": "NIST-800-53-SI-2",
|
|
17584
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
17585
|
+
"control_name": "Flaw Remediation"
|
|
17586
|
+
},
|
|
17587
|
+
{
|
|
17588
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
17589
|
+
"framework": "PCI DSS 4.0",
|
|
17590
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
17591
|
+
},
|
|
17592
|
+
{
|
|
17593
|
+
"id": "SOC2-CC9-vendor-management",
|
|
17594
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
17595
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
17596
|
+
}
|
|
17597
|
+
],
|
|
17598
|
+
"attack_refs": [
|
|
17599
|
+
"T1068",
|
|
17600
|
+
"T1548.001"
|
|
17601
|
+
],
|
|
17602
|
+
"rfc_refs": [
|
|
17603
|
+
"RFC-4301",
|
|
17604
|
+
"RFC-4303",
|
|
17605
|
+
"RFC-7296"
|
|
17606
|
+
]
|
|
17607
|
+
}
|
|
17608
|
+
},
|
|
17014
17609
|
"CVE-2025-32432": {
|
|
17015
17610
|
"name": "Craft CMS Code Injection Vulnerability",
|
|
17016
17611
|
"rwep": 77,
|
|
@@ -43080,8 +43675,13 @@
|
|
|
43080
43675
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
43081
43676
|
"CVE-2007-0671",
|
|
43082
43677
|
"CVE-2008-0015",
|
|
43678
|
+
"CVE-2008-4250",
|
|
43083
43679
|
"CVE-2009-0238",
|
|
43084
43680
|
"CVE-2009-0556",
|
|
43681
|
+
"CVE-2009-1537",
|
|
43682
|
+
"CVE-2009-3459",
|
|
43683
|
+
"CVE-2010-0249",
|
|
43684
|
+
"CVE-2010-0806",
|
|
43085
43685
|
"CVE-2010-3765",
|
|
43086
43686
|
"CVE-2010-3962",
|
|
43087
43687
|
"CVE-2011-3402",
|
|
@@ -45520,8 +46120,13 @@
|
|
|
45520
46120
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
45521
46121
|
"CVE-2007-0671",
|
|
45522
46122
|
"CVE-2008-0015",
|
|
46123
|
+
"CVE-2008-4250",
|
|
45523
46124
|
"CVE-2009-0238",
|
|
45524
46125
|
"CVE-2009-0556",
|
|
46126
|
+
"CVE-2009-1537",
|
|
46127
|
+
"CVE-2009-3459",
|
|
46128
|
+
"CVE-2010-0249",
|
|
46129
|
+
"CVE-2010-0806",
|
|
45525
46130
|
"CVE-2010-3765",
|
|
45526
46131
|
"CVE-2010-3962",
|
|
45527
46132
|
"CVE-2011-3402",
|
|
@@ -45914,8 +46519,13 @@
|
|
|
45914
46519
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
45915
46520
|
"CVE-2007-0671",
|
|
45916
46521
|
"CVE-2008-0015",
|
|
46522
|
+
"CVE-2008-4250",
|
|
45917
46523
|
"CVE-2009-0238",
|
|
45918
46524
|
"CVE-2009-0556",
|
|
46525
|
+
"CVE-2009-1537",
|
|
46526
|
+
"CVE-2009-3459",
|
|
46527
|
+
"CVE-2010-0249",
|
|
46528
|
+
"CVE-2010-0806",
|
|
45919
46529
|
"CVE-2010-3765",
|
|
45920
46530
|
"CVE-2010-3962",
|
|
45921
46531
|
"CVE-2011-3402",
|
|
@@ -47111,8 +47721,13 @@
|
|
|
47111
47721
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
47112
47722
|
"CVE-2007-0671",
|
|
47113
47723
|
"CVE-2008-0015",
|
|
47724
|
+
"CVE-2008-4250",
|
|
47114
47725
|
"CVE-2009-0238",
|
|
47115
47726
|
"CVE-2009-0556",
|
|
47727
|
+
"CVE-2009-1537",
|
|
47728
|
+
"CVE-2009-3459",
|
|
47729
|
+
"CVE-2010-0249",
|
|
47730
|
+
"CVE-2010-0806",
|
|
47116
47731
|
"CVE-2010-3765",
|
|
47117
47732
|
"CVE-2010-3962",
|
|
47118
47733
|
"CVE-2011-3402",
|
|
@@ -47897,8 +48512,13 @@
|
|
|
47897
48512
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
47898
48513
|
"CVE-2007-0671",
|
|
47899
48514
|
"CVE-2008-0015",
|
|
48515
|
+
"CVE-2008-4250",
|
|
47900
48516
|
"CVE-2009-0238",
|
|
47901
48517
|
"CVE-2009-0556",
|
|
48518
|
+
"CVE-2009-1537",
|
|
48519
|
+
"CVE-2009-3459",
|
|
48520
|
+
"CVE-2010-0249",
|
|
48521
|
+
"CVE-2010-0806",
|
|
47902
48522
|
"CVE-2010-3765",
|
|
47903
48523
|
"CVE-2010-3962",
|
|
47904
48524
|
"CVE-2011-3402",
|
|
@@ -49943,8 +50563,13 @@
|
|
|
49943
50563
|
"BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
|
|
49944
50564
|
"CVE-2007-0671",
|
|
49945
50565
|
"CVE-2008-0015",
|
|
50566
|
+
"CVE-2008-4250",
|
|
49946
50567
|
"CVE-2009-0238",
|
|
49947
50568
|
"CVE-2009-0556",
|
|
50569
|
+
"CVE-2009-1537",
|
|
50570
|
+
"CVE-2009-3459",
|
|
50571
|
+
"CVE-2010-0249",
|
|
50572
|
+
"CVE-2010-0806",
|
|
49948
50573
|
"CVE-2010-3765",
|
|
49949
50574
|
"CVE-2010-3962",
|
|
49950
50575
|
"CVE-2011-3402",
|
|
@@ -1080,6 +1080,10 @@
|
|
|
1080
1080
|
"name": "Exploitation for Client Execution",
|
|
1081
1081
|
"version": "v19",
|
|
1082
1082
|
"cve_refs": [
|
|
1083
|
+
"CVE-2009-1537",
|
|
1084
|
+
"CVE-2009-3459",
|
|
1085
|
+
"CVE-2010-0249",
|
|
1086
|
+
"CVE-2010-0806",
|
|
1083
1087
|
"CVE-2014-3931",
|
|
1084
1088
|
"CVE-2018-14634",
|
|
1085
1089
|
"CVE-2020-9715",
|
|
@@ -4249,7 +4253,10 @@
|
|
|
4249
4253
|
"ESXi"
|
|
4250
4254
|
],
|
|
4251
4255
|
"stix_id": "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
4252
|
-
"is_subtechnique": false
|
|
4256
|
+
"is_subtechnique": false,
|
|
4257
|
+
"cve_refs": [
|
|
4258
|
+
"CVE-2008-4250"
|
|
4259
|
+
]
|
|
4253
4260
|
},
|
|
4254
4261
|
"T1211": {
|
|
4255
4262
|
"id": "T1211",
|