npm - @blamejs/exceptd-skills - Versions diffs - 0.15.31 → 0.15.33 - Mend

@blamejs/exceptd-skills 0.15.31 → 0.15.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +14 -0
package/data/cve-catalog.json +253 -89
package/data/zeroday-lessons.json +616 -196
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Changelog
+## 0.15.33 — 2026-05-29
+Draft-curation pass 30 — unauthenticated command/code-injection RCE. Eight CISA KEV-listed CVEs where attacker input reaches a shell or interpreter are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Array Networks ArrayOS AG (CVE-2025-66644), CWP Control Web Panel (CVE-2025-48703), Libraesva Email Security Gateway (CVE-2025-59689), Trend Micro Apex One console (CVE-2025-54948), GNU Bash Shellshock-family parsing (CVE-2014-6278), PHPMailer sender-address injection (CVE-2016-10033), Jenkins CLI Java deserialization (CVE-2017-1000353), and Fortra GoAnywhere MFT license-servlet deserialization (CVE-2025-10035). All map T1190 and T1059. The lessons highlight a high-fidelity detection signal — a shell or interpreter spawned from a web/daemon process — and stress that bundled-library flaws (Bash, PHPMailer) require updating every consumer, while CI, MFT, and EDR-console compromise carries downstream supply-chain and data reach beyond the patched host.
+## 0.15.32 — 2026-05-29
+Draft-curation pass 29 — network devices and edge appliances. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons, spanning enterprise appliances — F5 BIG-IP stack overflow (CVE-2025-53521), HPE OneView code injection (CVE-2025-37164), Versa Concerto SD-WAN orchestrator authentication bypass (CVE-2025-34026) — and SOHO/embedded devices: ASUS router OS command injection (CVE-2023-39780) and authentication bypass (CVE-2021-32030), Digiever DVR missing authorization (CVE-2023-52163), and Sierra Wireless AirLink ALEOS unrestricted upload (CVE-2018-4063). All map T1190, with per-class T1059, T1078, or T1505.003. The lessons split remediation by device class: enterprise appliances must be rebuilt and re-keyed after compromise, while embedded/SOHO devices — often end-of-life and recruited into botnets — require firmware re-flash or replacement rather than patch-in-place.
 ## 0.15.31 — 2026-05-29
 Draft-curation pass 28 — internet-facing server-side web applications. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: server-side request forgery in GitLab (CVE-2021-22175, CVE-2021-39935) and Omnissa Workspace ONE UEM (CVE-2021-22054), PaperCut NG/MF authentication bypass (CVE-2023-27351), the Adobe Commerce/Magento "SessionReaper" session-takeover flaw (CVE-2025-54236), Adobe Experience Manager Forms code execution (CVE-2025-54253), and Sitecore ViewState deserialization via a known machine key (CVE-2025-53690). All map T1190, with per-class T1059 (code injection/deserialization) or T1078 (auth bypass/session takeover). The lessons separate the SSRF defense (egress filtering and cloud-metadata blocking as compensating controls) from the RCE/auth defense (web-shell hunting, machine-key rotation, and session invalidation beyond the patch).

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T02:25:27.676Z",
+  "generated_at": "2026-05-30T03:05:30.785Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "39901df2e2191434c2001f2d633eec9c78ac5d7878a66447a4ec44fdb71a4d7f",
+    "manifest.json": "9045d51286721985592156db17c8cb917201b948715597901238bda99b99f792",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "fb1569d7aa3426bed85c5e7f641d15eff5a250c8bbccec47e9860739f2d48de3",
-    "data/cve-catalog.json": "e4b099b2454f70a2e4cdd222c82c974480ca68539cb322a8ecc83c48236a652a",
+    "data/attack-techniques.json": "6849ebc7b44fe562f1e2728d1e881d2e9148d8c89b8d6b050b580c5338d3dd23",
+    "data/cve-catalog.json": "b18466211fdd24ed61766573c402cc38324d7fd90ec55a147e7c98a5f6a6444f",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "ffbd67341ec6feb08254dac166499b26c375155d87bd0663620fe5da3d2fffc3",
+    "data/zeroday-lessons.json": "4c41089a5a095fc4be5898833a4f83c0cebe06e5b13f959a022241acb1164dc4",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json CHANGED Viewed

@@ -272,10 +272,14 @@
       "DS0017"
     ],
     "cve_refs": [
+      "CVE-2014-6278",
+      "CVE-2016-10033",
+      "CVE-2017-1000353",
       "CVE-2020-25078",
       "CVE-2020-25079",
       "CVE-2022-1471",
       "CVE-2023-33538",
+      "CVE-2023-39780",
       "CVE-2023-43654",
       "CVE-2023-44467",
       "CVE-2023-48022",
@@ -302,6 +306,7 @@
       "CVE-2024-5565",
       "CVE-2024-56145",
       "CVE-2024-8069",
+      "CVE-2025-10035",
       "CVE-2025-10164",
       "CVE-2025-1094",
       "CVE-2025-11837",
@@ -321,9 +326,11 @@
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-3466",
+      "CVE-2025-37164",
       "CVE-2025-40551",
       "CVE-2025-4428",
       "CVE-2025-47812",
+      "CVE-2025-48703",
       "CVE-2025-49113",
       "CVE-2025-49596",
       "CVE-2025-49704",
@@ -334,13 +341,16 @@
       "CVE-2025-54068",
       "CVE-2025-54136",
       "CVE-2025-54253",
+      "CVE-2025-54948",
       "CVE-2025-55319",
       "CVE-2025-58034",
+      "CVE-2025-59689",
       "CVE-2025-60455",
       "CVE-2025-61882",
       "CVE-2025-6204",
       "CVE-2025-64328",
       "CVE-2025-64496",
+      "CVE-2025-66644",
       "CVE-2025-68613",
       "CVE-2025-68645",
       "CVE-2025-68664",
@@ -597,6 +607,7 @@
       "CVE-2023-27351",
       "CVE-2023-43791",
       "CVE-2023-50224",
+      "CVE-2023-52163",
       "CVE-2024-12776",
       "CVE-2024-1709",
       "CVE-2024-27199",
@@ -959,6 +970,7 @@
       "CVE-2021-22681",
       "CVE-2021-26828",
       "CVE-2021-26829",
+      "CVE-2021-32030",
       "CVE-2021-39935",
       "CVE-2021-43798",
       "CVE-2022-1471",
@@ -1058,6 +1070,7 @@
       "CVE-2025-32975",
       "CVE-2025-33053",
       "CVE-2025-33073",
+      "CVE-2025-34026",
       "CVE-2025-34291",
       "CVE-2025-3466",
       "CVE-2025-35939",
@@ -12125,6 +12138,7 @@
     "_auto_imported": true,
     "_intake_method": "mitre-attack-stix",
     "cve_refs": [
+      "CVE-2018-4063",
       "CVE-2021-26828",
       "CVE-2024-1708",
       "CVE-2024-7399",