@blamejs/exceptd-skills 0.15.33 → 0.15.35
- package/CHANGELOG.md +8 -0
- package/data/_indexes/_meta.json +5 -5
- package/data/attack-techniques.json +14 -0
- package/data/cve-catalog.json +237 -83
- package/data/zeroday-lessons.json +581 -189
- package/manifest.json +44 -44
- package/package.json +1 -1
- package/sbom.cdx.json +18 -18
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.15.35 — 2026-05-29
|
|
4
|
+
|
|
5
|
+
Draft-curation pass 32 — server-side processing of untrusted data. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. The remote-code-execution set — SAP NetWeaver deserialization (CVE-2025-42999), Wazuh server deserialization (CVE-2025-24016), Meta React Server Components (CVE-2025-55182), and XWiki eval injection (CVE-2025-24893) — maps T1190 and T1059; the forgery/disclosure set — OSGeo GeoServer XXE (CVE-2025-58360), Adminer SSRF (CVE-2021-21311), and Oracle E-Business Suite SSRF (CVE-2025-61884) — maps T1190. The lessons separate the RCE response (web-shell hunting and secret rotation) from the SSRF/XXE response (egress filtering, cloud-metadata blocking, disabling external entities), and flag two amplifiers: a compromised Wazuh monitoring server blinds detection across the estate, and SAP/Oracle E-Business Suite sit adjacent to financial data in PCI scope.
|
|
6
|
+
|
|
7
|
+
## 0.15.34 — 2026-05-29
|
|
8
|
+
|
|
9
|
+
Draft-curation pass 31 — authentication bypass and missing authentication. Seven CISA KEV-listed CVEs that grant access without valid credentials are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the Juniper ScreenOS hardcoded-backdoor credential (CVE-2015-7755), Sangoma FreePBX (CVE-2019-19006) and SKYSEA Client View (CVE-2016-7836) improper authentication, AMI MegaRAC SPx baseboard-management-controller authentication bypass by spoofing (CVE-2024-54085), the Erlang/OTP SSH server pre-authentication remote code execution (CVE-2025-32433), Oracle Fusion Middleware missing authentication (CVE-2025-61757), and the TP-Link TL-WA855RE extender missing authentication (CVE-2020-24363). All map T1190 and T1078; the Erlang flaw also maps T1059. The lessons make the load-bearing point that multi-factor authentication and password policy are irrelevant once authentication is bypassed — the compensating control is restricting the management plane to a trusted network — and that below-the-OS targets (the BMC) and planted backdoors require device rebuild, because firmware-level persistence survives an OS reinstall.
|
|
10
|
+
|
|
3
11
|
## 0.15.33 — 2026-05-29
|
|
4
12
|
|
|
5
13
|
Draft-curation pass 30 — unauthenticated command/code-injection RCE. Eight CISA KEV-listed CVEs where attacker input reaches a shell or interpreter are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Array Networks ArrayOS AG (CVE-2025-66644), CWP Control Web Panel (CVE-2025-48703), Libraesva Email Security Gateway (CVE-2025-59689), Trend Micro Apex One console (CVE-2025-54948), GNU Bash Shellshock-family parsing (CVE-2014-6278), PHPMailer sender-address injection (CVE-2016-10033), Jenkins CLI Java deserialization (CVE-2017-1000353), and Fortra GoAnywhere MFT license-servlet deserialization (CVE-2025-10035). All map T1190 and T1059. The lessons highlight a high-fidelity detection signal — a shell or interpreter spawned from a web/daemon process — and stress that bundled-library flaws (Bash, PHPMailer) require updating every consumer, while CI, MFT, and EDR-console compromise carries downstream supply-chain and data reach beyond the patched host.
|
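Review bot: the two new entries are dated 2026-05-29, the same day as the existing 0.15.33 entry, while the index rebuilt for this release (the _meta.json hunk that follows) carries generated_at 2026-05-30T03:45:52.260Z; settle on one basis for changelog dates (the build's UTC timestamp is the least ambiguous) so a one-day skew is not mistaken for a stale index. The CVE lists do reconcile with the index hunks: the four RCE CVEs of the 0.15.35 pass plus CVE-2025-32433 from the 0.15.34 pass are the five additions in the first ref list, and the authentication-bypass and SSRF CVEs appear as additions in the later lists, with CVE-2016-7836 already present there as unchanged context, which fits entries being promoted from existing drafts rather than created.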
package/data/_indexes/_meta.json
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
{
|
|
2
2
|
"schema_version": "1.1.0",
|
|
3
|
-
"generated_at": "2026-05-30T03:
|
|
3
|
+
"generated_at": "2026-05-30T03:45:52.260Z",
|
|
4
4
|
"generator": "scripts/build-indexes.js",
|
|
5
5
|
"source_count": 54,
|
|
6
6
|
"source_hashes": {
|
|
7
|
-
"manifest.json": "
|
|
7
|
+
"manifest.json": "1883386c234d1c94350e6ecbdbf4decb6b0bf7c280355a2977c89056c3b40f2d",
|
|
8
8
|
"data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
|
|
9
|
-
"data/attack-techniques.json": "
|
|
10
|
-
"data/cve-catalog.json": "
|
|
9
|
+
"data/attack-techniques.json": "14746c8acf8019d2340a93912393c0d5986d9df509ca551d2dae25d199c223de",
|
|
10
|
+
"data/cve-catalog.json": "31c934e524a16a103651ed8f3a76e175dac934886999f9add2ca0633168a9139",
|
|
11
11
|
"data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
|
|
12
12
|
"data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
|
|
13
13
|
"data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
|
|
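Review bot: source_hashes records 64-hex digests for every file but none of the visible keys (schema_version, generated_at, generator, source_count, source_hashes) names the algorithm; if consumers use this file to verify the data files they load, add a field stating it (the values are SHA-256-length) so the check cannot be misapplied, and bump schema_version when you do. The rest of the hunk has the expected shape for a data-only refresh: source_count stays at 54, and the only digests that change are manifest.json and the data files listed as changed at the top of this diff (attack-techniques.json and cve-catalog.json here, zeroday-lessons.json in the next hunk).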
@@ -15,7 +15,7 @@
|
|
|
15
15
|
"data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
|
|
16
16
|
"data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
|
|
17
17
|
"data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
|
|
18
|
-
"data/zeroday-lessons.json": "
|
|
18
|
+
"data/zeroday-lessons.json": "73fd27ed2806eddbd690f58e21c7a8a6d7554283c2a7f9b41ac09b6c3a129da9",
|
|
19
19
|
"skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
|
|
20
20
|
"skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
|
|
21
21
|
"skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",
|
|
@@ -315,11 +315,14 @@
|
|
|
315
315
|
"CVE-2025-20281",
|
|
316
316
|
"CVE-2025-20337",
|
|
317
317
|
"CVE-2025-23254",
|
|
318
|
+
"CVE-2025-24016",
|
|
319
|
+
"CVE-2025-24893",
|
|
318
320
|
"CVE-2025-26399",
|
|
319
321
|
"CVE-2025-27520",
|
|
320
322
|
"CVE-2025-29635",
|
|
321
323
|
"CVE-2025-30165",
|
|
322
324
|
"CVE-2025-32432",
|
|
325
|
+
"CVE-2025-32433",
|
|
323
326
|
"CVE-2025-32434",
|
|
324
327
|
"CVE-2025-32444",
|
|
325
328
|
"CVE-2025-3248",
|
|
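Review bot: the five additions across this list (CVE-2025-24016, CVE-2025-24893, CVE-2025-32433, CVE-2025-42999, CVE-2025-55182) are exactly the CVEs the two changelog entries map to T1059, and CVE-2025-58360, CVE-2021-21311 and CVE-2025-61884, which the changelog maps to T1190 only, are correctly not inserted here (CVE-2025-58360 would otherwise sit between CVE-2025-58034 and CVE-2025-59689 in the later hunk of this list). Note the ordering is lexicographic, not numeric: the existing lines already place CVE-2025-3248 after CVE-2025-32444, and the new entries follow that same string sort, so this reads as generator output rather than a hand edit.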
@@ -328,6 +331,7 @@
|
|
|
328
331
|
"CVE-2025-3466",
|
|
329
332
|
"CVE-2025-37164",
|
|
330
333
|
"CVE-2025-40551",
|
|
334
|
+
"CVE-2025-42999",
|
|
331
335
|
"CVE-2025-4428",
|
|
332
336
|
"CVE-2025-47812",
|
|
333
337
|
"CVE-2025-48703",
|
|
@@ -342,6 +346,7 @@
|
|
|
342
346
|
"CVE-2025-54136",
|
|
343
347
|
"CVE-2025-54253",
|
|
344
348
|
"CVE-2025-54948",
|
|
349
|
+
"CVE-2025-55182",
|
|
345
350
|
"CVE-2025-55319",
|
|
346
351
|
"CVE-2025-58034",
|
|
347
352
|
"CVE-2025-59689",
|
|
@@ -598,6 +603,7 @@
|
|
|
598
603
|
"cve_refs": [
|
|
599
604
|
"BUG-2026-NIGHTMARE-ECLIPSE-YELLOWKEY",
|
|
600
605
|
"CVE-2015-7755",
|
|
606
|
+
"CVE-2016-7836",
|
|
601
607
|
"CVE-2017-7921",
|
|
602
608
|
"CVE-2019-19006",
|
|
603
609
|
"CVE-2019-6693",
|
|
@@ -619,6 +625,7 @@
|
|
|
619
625
|
"CVE-2025-2746",
|
|
620
626
|
"CVE-2025-2747",
|
|
621
627
|
"CVE-2025-31161",
|
|
628
|
+
"CVE-2025-32433",
|
|
622
629
|
"CVE-2025-32975",
|
|
623
630
|
"CVE-2025-34026",
|
|
624
631
|
"CVE-2025-3935",
|
|
@@ -954,17 +961,21 @@
|
|
|
954
961
|
"CVE-2008-0015",
|
|
955
962
|
"CVE-2008-4250",
|
|
956
963
|
"CVE-2014-6278",
|
|
964
|
+
"CVE-2015-7755",
|
|
957
965
|
"CVE-2016-10033",
|
|
958
966
|
"CVE-2016-7836",
|
|
959
967
|
"CVE-2017-1000353",
|
|
960
968
|
"CVE-2017-7921",
|
|
961
969
|
"CVE-2018-4063",
|
|
970
|
+
"CVE-2019-19006",
|
|
962
971
|
"CVE-2019-6693",
|
|
963
972
|
"CVE-2019-9621",
|
|
964
973
|
"CVE-2020-10148",
|
|
974
|
+
"CVE-2020-24363",
|
|
965
975
|
"CVE-2020-25078",
|
|
966
976
|
"CVE-2020-25079",
|
|
967
977
|
"CVE-2020-7796",
|
|
978
|
+
"CVE-2021-21311",
|
|
968
979
|
"CVE-2021-22054",
|
|
969
980
|
"CVE-2021-22175",
|
|
970
981
|
"CVE-2021-22681",
|
|
@@ -1017,6 +1028,7 @@
|
|
|
1017
1028
|
"CVE-2024-43468",
|
|
1018
1029
|
"CVE-2024-4889",
|
|
1019
1030
|
"CVE-2024-50050",
|
|
1031
|
+
"CVE-2024-54085",
|
|
1020
1032
|
"CVE-2024-56145",
|
|
1021
1033
|
"CVE-2024-57726",
|
|
1022
1034
|
"CVE-2024-57728",
|
|
@@ -1121,7 +1133,9 @@
|
|
|
1121
1133
|
"CVE-2025-59389",
|
|
1122
1134
|
"CVE-2025-59689",
|
|
1123
1135
|
"CVE-2025-59718",
|
|
1136
|
+
"CVE-2025-61757",
|
|
1124
1137
|
"CVE-2025-61882",
|
|
1138
|
+
"CVE-2025-61884",
|
|
1125
1139
|
"CVE-2025-61932",
|
|
1126
1140
|
"CVE-2025-6204",
|
|
1127
1141
|
"CVE-2025-6205",
|
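Review bot: this ref list gains CVE-2015-7755, CVE-2019-19006, CVE-2020-24363 and CVE-2021-21311 in the earlier hunk, CVE-2024-54085 in the next, and CVE-2025-61757 and CVE-2025-61884 here; together with CVE-2016-7836, already present as an unchanged line in the earlier hunk, that accounts for six of the seven 0.15.34 authentication-bypass CVEs plus both SSRF CVEs from 0.15.35, matching the changelog's T1190 mappings. CVE-2025-32433 and CVE-2025-58360 would fall outside the visible hunks of this list, so the diff cannot confirm they were indexed here; worth a quick check before release.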