@blamejs/exceptd-skills 0.16.7 → 0.16.9
- package/CHANGELOG.md +16 -1
- package/bin/exceptd.js +17 -1
- package/data/_indexes/_meta.json +10 -10
- package/data/_indexes/activity-feed.json +18 -18
- package/data/_indexes/catalog-summaries.json +6 -6
- package/data/_indexes/chains.json +1139 -0
- package/data/_indexes/frequency.json +1 -0
- package/data/atlas-ttps.json +8 -3
- package/data/attack-techniques.json +34 -12
- package/data/cve-catalog.json +684 -3
- package/data/cwe-catalog.json +39 -8
- package/data/framework-control-gaps.json +51 -18
- package/data/zeroday-lessons.json +527 -2
- package/lib/collectors/containers.js +23 -1
- package/manifest.json +44 -44
- package/package.json +1 -1
- package/sbom.cdx.json +28 -28
|
@@ -79474,6 +79474,1077 @@
|
|
|
79474
79474
|
]
|
|
79475
79475
|
}
|
|
79476
79476
|
},
|
|
79477
|
+
"CVE-2023-51764": {
|
|
79478
|
+
"name": "Postfix SMTP smuggling (non-standard end-of-data sequence enables sender spoofing past SPF/DKIM/DMARC)",
|
|
79479
|
+
"rwep": 35,
|
|
79480
|
+
"cvss": 5.3,
|
|
79481
|
+
"cisa_kev": false,
|
|
79482
|
+
"epss_score": null,
|
|
79483
|
+
"referencing_skills": [
|
|
79484
|
+
"kernel-lpe-triage",
|
|
79485
|
+
"coordinated-vuln-disclosure"
|
|
79486
|
+
],
|
|
79487
|
+
"chain": {
|
|
79488
|
+
"cwes": [
|
|
79489
|
+
{
|
|
79490
|
+
"id": "CWE-125",
|
|
79491
|
+
"name": "Out-of-bounds Read",
|
|
79492
|
+
"category": "Memory Safety"
|
|
79493
|
+
},
|
|
79494
|
+
{
|
|
79495
|
+
"id": "CWE-1357",
|
|
79496
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
79497
|
+
"category": "Supply Chain"
|
|
79498
|
+
},
|
|
79499
|
+
{
|
|
79500
|
+
"id": "CWE-362",
|
|
79501
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
79502
|
+
"category": "Concurrency"
|
|
79503
|
+
},
|
|
79504
|
+
{
|
|
79505
|
+
"id": "CWE-416",
|
|
79506
|
+
"name": "Use After Free",
|
|
79507
|
+
"category": "Memory Safety"
|
|
79508
|
+
},
|
|
79509
|
+
{
|
|
79510
|
+
"id": "CWE-672",
|
|
79511
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
79512
|
+
"category": "Memory Safety"
|
|
79513
|
+
},
|
|
79514
|
+
{
|
|
79515
|
+
"id": "CWE-787",
|
|
79516
|
+
"name": "Out-of-bounds Write",
|
|
79517
|
+
"category": "Memory Safety"
|
|
79518
|
+
}
|
|
79519
|
+
],
|
|
79520
|
+
"atlas": [],
|
|
79521
|
+
"d3fend": [
|
|
79522
|
+
{
|
|
79523
|
+
"id": "D3-ASLR",
|
|
79524
|
+
"name": "Address Space Layout Randomization",
|
|
79525
|
+
"tactic": "Harden"
|
|
79526
|
+
},
|
|
79527
|
+
{
|
|
79528
|
+
"id": "D3-EAL",
|
|
79529
|
+
"name": "Executable Allowlisting",
|
|
79530
|
+
"tactic": "Harden"
|
|
79531
|
+
},
|
|
79532
|
+
{
|
|
79533
|
+
"id": "D3-PHRA",
|
|
79534
|
+
"name": "Process Hardware Resource Access",
|
|
79535
|
+
"tactic": "Isolate"
|
|
79536
|
+
},
|
|
79537
|
+
{
|
|
79538
|
+
"id": "D3-PSEP",
|
|
79539
|
+
"name": "Process Segment Execution Prevention",
|
|
79540
|
+
"tactic": "Harden"
|
|
79541
|
+
}
|
|
79542
|
+
],
|
|
79543
|
+
"framework_gaps": [
|
|
79544
|
+
{
|
|
79545
|
+
"id": "CIS-Controls-v8-Control7",
|
|
79546
|
+
"framework": "CIS Controls v8",
|
|
79547
|
+
"control_name": "Continuous Vulnerability Management"
|
|
79548
|
+
},
|
|
79549
|
+
{
|
|
79550
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
79551
|
+
"framework": "ISO/IEC 27001:2022",
|
|
79552
|
+
"control_name": "Management of technical vulnerabilities"
|
|
79553
|
+
},
|
|
79554
|
+
{
|
|
79555
|
+
"id": "NIS2-Art21-patch-management",
|
|
79556
|
+
"framework": "EU NIS2 Directive",
|
|
79557
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
79558
|
+
},
|
|
79559
|
+
{
|
|
79560
|
+
"id": "NIST-800-218-SSDF",
|
|
79561
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
79562
|
+
"control_name": "Secure Software Development Framework"
|
|
79563
|
+
},
|
|
79564
|
+
{
|
|
79565
|
+
"id": "NIST-800-53-SC-8",
|
|
79566
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
79567
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
79568
|
+
},
|
|
79569
|
+
{
|
|
79570
|
+
"id": "NIST-800-53-SI-2",
|
|
79571
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
79572
|
+
"control_name": "Flaw Remediation"
|
|
79573
|
+
},
|
|
79574
|
+
{
|
|
79575
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
79576
|
+
"framework": "PCI DSS 4.0",
|
|
79577
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
79578
|
+
},
|
|
79579
|
+
{
|
|
79580
|
+
"id": "SOC2-CC9-vendor-management",
|
|
79581
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
79582
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
79583
|
+
}
|
|
79584
|
+
],
|
|
79585
|
+
"attack_refs": [
|
|
79586
|
+
"T1068",
|
|
79587
|
+
"T1548.001"
|
|
79588
|
+
],
|
|
79589
|
+
"rfc_refs": [
|
|
79590
|
+
"RFC-4301",
|
|
79591
|
+
"RFC-4303",
|
|
79592
|
+
"RFC-7296"
|
|
79593
|
+
]
|
|
79594
|
+
}
|
|
79595
|
+
},
|
|
79596
|
+
"CVE-2023-51765": {
|
|
79597
|
+
"name": "Sendmail SMTP smuggling (non-standard end-of-data sequence enables sender spoofing past SPF/DKIM/DMARC)",
|
|
79598
|
+
"rwep": 29,
|
|
79599
|
+
"cvss": 5.3,
|
|
79600
|
+
"cisa_kev": false,
|
|
79601
|
+
"epss_score": null,
|
|
79602
|
+
"referencing_skills": [
|
|
79603
|
+
"kernel-lpe-triage",
|
|
79604
|
+
"coordinated-vuln-disclosure"
|
|
79605
|
+
],
|
|
79606
|
+
"chain": {
|
|
79607
|
+
"cwes": [
|
|
79608
|
+
{
|
|
79609
|
+
"id": "CWE-125",
|
|
79610
|
+
"name": "Out-of-bounds Read",
|
|
79611
|
+
"category": "Memory Safety"
|
|
79612
|
+
},
|
|
79613
|
+
{
|
|
79614
|
+
"id": "CWE-1357",
|
|
79615
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
79616
|
+
"category": "Supply Chain"
|
|
79617
|
+
},
|
|
79618
|
+
{
|
|
79619
|
+
"id": "CWE-362",
|
|
79620
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
79621
|
+
"category": "Concurrency"
|
|
79622
|
+
},
|
|
79623
|
+
{
|
|
79624
|
+
"id": "CWE-416",
|
|
79625
|
+
"name": "Use After Free",
|
|
79626
|
+
"category": "Memory Safety"
|
|
79627
|
+
},
|
|
79628
|
+
{
|
|
79629
|
+
"id": "CWE-672",
|
|
79630
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
79631
|
+
"category": "Memory Safety"
|
|
79632
|
+
},
|
|
79633
|
+
{
|
|
79634
|
+
"id": "CWE-787",
|
|
79635
|
+
"name": "Out-of-bounds Write",
|
|
79636
|
+
"category": "Memory Safety"
|
|
79637
|
+
}
|
|
79638
|
+
],
|
|
79639
|
+
"atlas": [],
|
|
79640
|
+
"d3fend": [
|
|
79641
|
+
{
|
|
79642
|
+
"id": "D3-ASLR",
|
|
79643
|
+
"name": "Address Space Layout Randomization",
|
|
79644
|
+
"tactic": "Harden"
|
|
79645
|
+
},
|
|
79646
|
+
{
|
|
79647
|
+
"id": "D3-EAL",
|
|
79648
|
+
"name": "Executable Allowlisting",
|
|
79649
|
+
"tactic": "Harden"
|
|
79650
|
+
},
|
|
79651
|
+
{
|
|
79652
|
+
"id": "D3-PHRA",
|
|
79653
|
+
"name": "Process Hardware Resource Access",
|
|
79654
|
+
"tactic": "Isolate"
|
|
79655
|
+
},
|
|
79656
|
+
{
|
|
79657
|
+
"id": "D3-PSEP",
|
|
79658
|
+
"name": "Process Segment Execution Prevention",
|
|
79659
|
+
"tactic": "Harden"
|
|
79660
|
+
}
|
|
79661
|
+
],
|
|
79662
|
+
"framework_gaps": [
|
|
79663
|
+
{
|
|
79664
|
+
"id": "CIS-Controls-v8-Control7",
|
|
79665
|
+
"framework": "CIS Controls v8",
|
|
79666
|
+
"control_name": "Continuous Vulnerability Management"
|
|
79667
|
+
},
|
|
79668
|
+
{
|
|
79669
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
79670
|
+
"framework": "ISO/IEC 27001:2022",
|
|
79671
|
+
"control_name": "Management of technical vulnerabilities"
|
|
79672
|
+
},
|
|
79673
|
+
{
|
|
79674
|
+
"id": "NIS2-Art21-patch-management",
|
|
79675
|
+
"framework": "EU NIS2 Directive",
|
|
79676
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
79677
|
+
},
|
|
79678
|
+
{
|
|
79679
|
+
"id": "NIST-800-218-SSDF",
|
|
79680
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
79681
|
+
"control_name": "Secure Software Development Framework"
|
|
79682
|
+
},
|
|
79683
|
+
{
|
|
79684
|
+
"id": "NIST-800-53-SC-8",
|
|
79685
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
79686
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
79687
|
+
},
|
|
79688
|
+
{
|
|
79689
|
+
"id": "NIST-800-53-SI-2",
|
|
79690
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
79691
|
+
"control_name": "Flaw Remediation"
|
|
79692
|
+
},
|
|
79693
|
+
{
|
|
79694
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
79695
|
+
"framework": "PCI DSS 4.0",
|
|
79696
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
79697
|
+
},
|
|
79698
|
+
{
|
|
79699
|
+
"id": "SOC2-CC9-vendor-management",
|
|
79700
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
79701
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
79702
|
+
}
|
|
79703
|
+
],
|
|
79704
|
+
"attack_refs": [
|
|
79705
|
+
"T1068",
|
|
79706
|
+
"T1548.001"
|
|
79707
|
+
],
|
|
79708
|
+
"rfc_refs": [
|
|
79709
|
+
"RFC-4301",
|
|
79710
|
+
"RFC-4303",
|
|
79711
|
+
"RFC-7296"
|
|
79712
|
+
]
|
|
79713
|
+
}
|
|
79714
|
+
},
|
|
79715
|
+
"CVE-2023-51766": {
|
|
79716
|
+
"name": "Exim SMTP smuggling (non-standard end-of-data sequence enables sender spoofing past SPF/DKIM/DMARC)",
|
|
79717
|
+
"rwep": 33,
|
|
79718
|
+
"cvss": 5.3,
|
|
79719
|
+
"cisa_kev": false,
|
|
79720
|
+
"epss_score": null,
|
|
79721
|
+
"referencing_skills": [
|
|
79722
|
+
"kernel-lpe-triage",
|
|
79723
|
+
"coordinated-vuln-disclosure"
|
|
79724
|
+
],
|
|
79725
|
+
"chain": {
|
|
79726
|
+
"cwes": [
|
|
79727
|
+
{
|
|
79728
|
+
"id": "CWE-125",
|
|
79729
|
+
"name": "Out-of-bounds Read",
|
|
79730
|
+
"category": "Memory Safety"
|
|
79731
|
+
},
|
|
79732
|
+
{
|
|
79733
|
+
"id": "CWE-1357",
|
|
79734
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
79735
|
+
"category": "Supply Chain"
|
|
79736
|
+
},
|
|
79737
|
+
{
|
|
79738
|
+
"id": "CWE-362",
|
|
79739
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
79740
|
+
"category": "Concurrency"
|
|
79741
|
+
},
|
|
79742
|
+
{
|
|
79743
|
+
"id": "CWE-416",
|
|
79744
|
+
"name": "Use After Free",
|
|
79745
|
+
"category": "Memory Safety"
|
|
79746
|
+
},
|
|
79747
|
+
{
|
|
79748
|
+
"id": "CWE-672",
|
|
79749
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
79750
|
+
"category": "Memory Safety"
|
|
79751
|
+
},
|
|
79752
|
+
{
|
|
79753
|
+
"id": "CWE-787",
|
|
79754
|
+
"name": "Out-of-bounds Write",
|
|
79755
|
+
"category": "Memory Safety"
|
|
79756
|
+
}
|
|
79757
|
+
],
|
|
79758
|
+
"atlas": [],
|
|
79759
|
+
"d3fend": [
|
|
79760
|
+
{
|
|
79761
|
+
"id": "D3-ASLR",
|
|
79762
|
+
"name": "Address Space Layout Randomization",
|
|
79763
|
+
"tactic": "Harden"
|
|
79764
|
+
},
|
|
79765
|
+
{
|
|
79766
|
+
"id": "D3-EAL",
|
|
79767
|
+
"name": "Executable Allowlisting",
|
|
79768
|
+
"tactic": "Harden"
|
|
79769
|
+
},
|
|
79770
|
+
{
|
|
79771
|
+
"id": "D3-PHRA",
|
|
79772
|
+
"name": "Process Hardware Resource Access",
|
|
79773
|
+
"tactic": "Isolate"
|
|
79774
|
+
},
|
|
79775
|
+
{
|
|
79776
|
+
"id": "D3-PSEP",
|
|
79777
|
+
"name": "Process Segment Execution Prevention",
|
|
79778
|
+
"tactic": "Harden"
|
|
79779
|
+
}
|
|
79780
|
+
],
|
|
79781
|
+
"framework_gaps": [
|
|
79782
|
+
{
|
|
79783
|
+
"id": "CIS-Controls-v8-Control7",
|
|
79784
|
+
"framework": "CIS Controls v8",
|
|
79785
|
+
"control_name": "Continuous Vulnerability Management"
|
|
79786
|
+
},
|
|
79787
|
+
{
|
|
79788
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
79789
|
+
"framework": "ISO/IEC 27001:2022",
|
|
79790
|
+
"control_name": "Management of technical vulnerabilities"
|
|
79791
|
+
},
|
|
79792
|
+
{
|
|
79793
|
+
"id": "NIS2-Art21-patch-management",
|
|
79794
|
+
"framework": "EU NIS2 Directive",
|
|
79795
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
79796
|
+
},
|
|
79797
|
+
{
|
|
79798
|
+
"id": "NIST-800-218-SSDF",
|
|
79799
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
79800
|
+
"control_name": "Secure Software Development Framework"
|
|
79801
|
+
},
|
|
79802
|
+
{
|
|
79803
|
+
"id": "NIST-800-53-SC-8",
|
|
79804
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
79805
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
79806
|
+
},
|
|
79807
|
+
{
|
|
79808
|
+
"id": "NIST-800-53-SI-2",
|
|
79809
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
79810
|
+
"control_name": "Flaw Remediation"
|
|
79811
|
+
},
|
|
79812
|
+
{
|
|
79813
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
79814
|
+
"framework": "PCI DSS 4.0",
|
|
79815
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
79816
|
+
},
|
|
79817
|
+
{
|
|
79818
|
+
"id": "SOC2-CC9-vendor-management",
|
|
79819
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
79820
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
79821
|
+
}
|
|
79822
|
+
],
|
|
79823
|
+
"attack_refs": [
|
|
79824
|
+
"T1068",
|
|
79825
|
+
"T1548.001"
|
|
79826
|
+
],
|
|
79827
|
+
"rfc_refs": [
|
|
79828
|
+
"RFC-4301",
|
|
79829
|
+
"RFC-4303",
|
|
79830
|
+
"RFC-7296"
|
|
79831
|
+
]
|
|
79832
|
+
}
|
|
79833
|
+
},
|
|
79834
|
+
"CVE-2021-38371": {
|
|
79835
|
+
"name": "Exim STARTTLS response injection (pre-handshake buffer not drained on the sending MTA path)",
|
|
79836
|
+
"rwep": 21,
|
|
79837
|
+
"cvss": 7.5,
|
|
79838
|
+
"cisa_kev": false,
|
|
79839
|
+
"epss_score": null,
|
|
79840
|
+
"referencing_skills": [
|
|
79841
|
+
"kernel-lpe-triage",
|
|
79842
|
+
"coordinated-vuln-disclosure"
|
|
79843
|
+
],
|
|
79844
|
+
"chain": {
|
|
79845
|
+
"cwes": [
|
|
79846
|
+
{
|
|
79847
|
+
"id": "CWE-125",
|
|
79848
|
+
"name": "Out-of-bounds Read",
|
|
79849
|
+
"category": "Memory Safety"
|
|
79850
|
+
},
|
|
79851
|
+
{
|
|
79852
|
+
"id": "CWE-1357",
|
|
79853
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
79854
|
+
"category": "Supply Chain"
|
|
79855
|
+
},
|
|
79856
|
+
{
|
|
79857
|
+
"id": "CWE-362",
|
|
79858
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
79859
|
+
"category": "Concurrency"
|
|
79860
|
+
},
|
|
79861
|
+
{
|
|
79862
|
+
"id": "CWE-416",
|
|
79863
|
+
"name": "Use After Free",
|
|
79864
|
+
"category": "Memory Safety"
|
|
79865
|
+
},
|
|
79866
|
+
{
|
|
79867
|
+
"id": "CWE-672",
|
|
79868
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
79869
|
+
"category": "Memory Safety"
|
|
79870
|
+
},
|
|
79871
|
+
{
|
|
79872
|
+
"id": "CWE-787",
|
|
79873
|
+
"name": "Out-of-bounds Write",
|
|
79874
|
+
"category": "Memory Safety"
|
|
79875
|
+
}
|
|
79876
|
+
],
|
|
79877
|
+
"atlas": [],
|
|
79878
|
+
"d3fend": [
|
|
79879
|
+
{
|
|
79880
|
+
"id": "D3-ASLR",
|
|
79881
|
+
"name": "Address Space Layout Randomization",
|
|
79882
|
+
"tactic": "Harden"
|
|
79883
|
+
},
|
|
79884
|
+
{
|
|
79885
|
+
"id": "D3-EAL",
|
|
79886
|
+
"name": "Executable Allowlisting",
|
|
79887
|
+
"tactic": "Harden"
|
|
79888
|
+
},
|
|
79889
|
+
{
|
|
79890
|
+
"id": "D3-PHRA",
|
|
79891
|
+
"name": "Process Hardware Resource Access",
|
|
79892
|
+
"tactic": "Isolate"
|
|
79893
|
+
},
|
|
79894
|
+
{
|
|
79895
|
+
"id": "D3-PSEP",
|
|
79896
|
+
"name": "Process Segment Execution Prevention",
|
|
79897
|
+
"tactic": "Harden"
|
|
79898
|
+
}
|
|
79899
|
+
],
|
|
79900
|
+
"framework_gaps": [
|
|
79901
|
+
{
|
|
79902
|
+
"id": "CIS-Controls-v8-Control7",
|
|
79903
|
+
"framework": "CIS Controls v8",
|
|
79904
|
+
"control_name": "Continuous Vulnerability Management"
|
|
79905
|
+
},
|
|
79906
|
+
{
|
|
79907
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
79908
|
+
"framework": "ISO/IEC 27001:2022",
|
|
79909
|
+
"control_name": "Management of technical vulnerabilities"
|
|
79910
|
+
},
|
|
79911
|
+
{
|
|
79912
|
+
"id": "NIS2-Art21-patch-management",
|
|
79913
|
+
"framework": "EU NIS2 Directive",
|
|
79914
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
79915
|
+
},
|
|
79916
|
+
{
|
|
79917
|
+
"id": "NIST-800-218-SSDF",
|
|
79918
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
79919
|
+
"control_name": "Secure Software Development Framework"
|
|
79920
|
+
},
|
|
79921
|
+
{
|
|
79922
|
+
"id": "NIST-800-53-SC-8",
|
|
79923
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
79924
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
79925
|
+
},
|
|
79926
|
+
{
|
|
79927
|
+
"id": "NIST-800-53-SI-2",
|
|
79928
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
79929
|
+
"control_name": "Flaw Remediation"
|
|
79930
|
+
},
|
|
79931
|
+
{
|
|
79932
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
79933
|
+
"framework": "PCI DSS 4.0",
|
|
79934
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
79935
|
+
},
|
|
79936
|
+
{
|
|
79937
|
+
"id": "SOC2-CC9-vendor-management",
|
|
79938
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
79939
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
79940
|
+
}
|
|
79941
|
+
],
|
|
79942
|
+
"attack_refs": [
|
|
79943
|
+
"T1068",
|
|
79944
|
+
"T1548.001"
|
|
79945
|
+
],
|
|
79946
|
+
"rfc_refs": [
|
|
79947
|
+
"RFC-4301",
|
|
79948
|
+
"RFC-4303",
|
|
79949
|
+
"RFC-7296"
|
|
79950
|
+
]
|
|
79951
|
+
}
|
|
79952
|
+
},
|
|
79953
|
+
"CVE-2021-33515": {
|
|
79954
|
+
"name": "Dovecot lib-smtp STARTTLS command injection (submission service)",
|
|
79955
|
+
"rwep": 19,
|
|
79956
|
+
"cvss": 4.8,
|
|
79957
|
+
"cisa_kev": false,
|
|
79958
|
+
"epss_score": null,
|
|
79959
|
+
"referencing_skills": [
|
|
79960
|
+
"kernel-lpe-triage",
|
|
79961
|
+
"coordinated-vuln-disclosure"
|
|
79962
|
+
],
|
|
79963
|
+
"chain": {
|
|
79964
|
+
"cwes": [
|
|
79965
|
+
{
|
|
79966
|
+
"id": "CWE-125",
|
|
79967
|
+
"name": "Out-of-bounds Read",
|
|
79968
|
+
"category": "Memory Safety"
|
|
79969
|
+
},
|
|
79970
|
+
{
|
|
79971
|
+
"id": "CWE-1357",
|
|
79972
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
79973
|
+
"category": "Supply Chain"
|
|
79974
|
+
},
|
|
79975
|
+
{
|
|
79976
|
+
"id": "CWE-362",
|
|
79977
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
79978
|
+
"category": "Concurrency"
|
|
79979
|
+
},
|
|
79980
|
+
{
|
|
79981
|
+
"id": "CWE-416",
|
|
79982
|
+
"name": "Use After Free",
|
|
79983
|
+
"category": "Memory Safety"
|
|
79984
|
+
},
|
|
79985
|
+
{
|
|
79986
|
+
"id": "CWE-672",
|
|
79987
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
79988
|
+
"category": "Memory Safety"
|
|
79989
|
+
},
|
|
79990
|
+
{
|
|
79991
|
+
"id": "CWE-787",
|
|
79992
|
+
"name": "Out-of-bounds Write",
|
|
79993
|
+
"category": "Memory Safety"
|
|
79994
|
+
}
|
|
79995
|
+
],
|
|
79996
|
+
"atlas": [],
|
|
79997
|
+
"d3fend": [
|
|
79998
|
+
{
|
|
79999
|
+
"id": "D3-ASLR",
|
|
80000
|
+
"name": "Address Space Layout Randomization",
|
|
80001
|
+
"tactic": "Harden"
|
|
80002
|
+
},
|
|
80003
|
+
{
|
|
80004
|
+
"id": "D3-EAL",
|
|
80005
|
+
"name": "Executable Allowlisting",
|
|
80006
|
+
"tactic": "Harden"
|
|
80007
|
+
},
|
|
80008
|
+
{
|
|
80009
|
+
"id": "D3-PHRA",
|
|
80010
|
+
"name": "Process Hardware Resource Access",
|
|
80011
|
+
"tactic": "Isolate"
|
|
80012
|
+
},
|
|
80013
|
+
{
|
|
80014
|
+
"id": "D3-PSEP",
|
|
80015
|
+
"name": "Process Segment Execution Prevention",
|
|
80016
|
+
"tactic": "Harden"
|
|
80017
|
+
}
|
|
80018
|
+
],
|
|
80019
|
+
"framework_gaps": [
|
|
80020
|
+
{
|
|
80021
|
+
"id": "CIS-Controls-v8-Control7",
|
|
80022
|
+
"framework": "CIS Controls v8",
|
|
80023
|
+
"control_name": "Continuous Vulnerability Management"
|
|
80024
|
+
},
|
|
80025
|
+
{
|
|
80026
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
80027
|
+
"framework": "ISO/IEC 27001:2022",
|
|
80028
|
+
"control_name": "Management of technical vulnerabilities"
|
|
80029
|
+
},
|
|
80030
|
+
{
|
|
80031
|
+
"id": "NIS2-Art21-patch-management",
|
|
80032
|
+
"framework": "EU NIS2 Directive",
|
|
80033
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
80034
|
+
},
|
|
80035
|
+
{
|
|
80036
|
+
"id": "NIST-800-218-SSDF",
|
|
80037
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
80038
|
+
"control_name": "Secure Software Development Framework"
|
|
80039
|
+
},
|
|
80040
|
+
{
|
|
80041
|
+
"id": "NIST-800-53-SC-8",
|
|
80042
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
80043
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
80044
|
+
},
|
|
80045
|
+
{
|
|
80046
|
+
"id": "NIST-800-53-SI-2",
|
|
80047
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
80048
|
+
"control_name": "Flaw Remediation"
|
|
80049
|
+
},
|
|
80050
|
+
{
|
|
80051
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
80052
|
+
"framework": "PCI DSS 4.0",
|
|
80053
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
80054
|
+
},
|
|
80055
|
+
{
|
|
80056
|
+
"id": "SOC2-CC9-vendor-management",
|
|
80057
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
80058
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
80059
|
+
}
|
|
80060
|
+
],
|
|
80061
|
+
"attack_refs": [
|
|
80062
|
+
"T1068",
|
|
80063
|
+
"T1548.001"
|
|
80064
|
+
],
|
|
80065
|
+
"rfc_refs": [
|
|
80066
|
+
"RFC-4301",
|
|
80067
|
+
"RFC-4303",
|
|
80068
|
+
"RFC-7296"
|
|
80069
|
+
]
|
|
80070
|
+
}
|
|
80071
|
+
},
|
|
80072
|
+
"CVE-2011-0411": {
|
|
80073
|
+
"name": "Postfix STARTTLS plaintext command injection (I/O buffering not reset across TLS handshake)",
|
|
80074
|
+
"rwep": 17,
|
|
80075
|
+
"cvss": 4.8,
|
|
80076
|
+
"cisa_kev": false,
|
|
80077
|
+
"epss_score": null,
|
|
80078
|
+
"referencing_skills": [
|
|
80079
|
+
"kernel-lpe-triage",
|
|
80080
|
+
"coordinated-vuln-disclosure"
|
|
80081
|
+
],
|
|
80082
|
+
"chain": {
|
|
80083
|
+
"cwes": [
|
|
80084
|
+
{
|
|
80085
|
+
"id": "CWE-125",
|
|
80086
|
+
"name": "Out-of-bounds Read",
|
|
80087
|
+
"category": "Memory Safety"
|
|
80088
|
+
},
|
|
80089
|
+
{
|
|
80090
|
+
"id": "CWE-1357",
|
|
80091
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
80092
|
+
"category": "Supply Chain"
|
|
80093
|
+
},
|
|
80094
|
+
{
|
|
80095
|
+
"id": "CWE-362",
|
|
80096
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
80097
|
+
"category": "Concurrency"
|
|
80098
|
+
},
|
|
80099
|
+
{
|
|
80100
|
+
"id": "CWE-416",
|
|
80101
|
+
"name": "Use After Free",
|
|
80102
|
+
"category": "Memory Safety"
|
|
80103
|
+
},
|
|
80104
|
+
{
|
|
80105
|
+
"id": "CWE-672",
|
|
80106
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
80107
|
+
"category": "Memory Safety"
|
|
80108
|
+
},
|
|
80109
|
+
{
|
|
80110
|
+
"id": "CWE-787",
|
|
80111
|
+
"name": "Out-of-bounds Write",
|
|
80112
|
+
"category": "Memory Safety"
|
|
80113
|
+
}
|
|
80114
|
+
],
|
|
80115
|
+
"atlas": [],
|
|
80116
|
+
"d3fend": [
|
|
80117
|
+
{
|
|
80118
|
+
"id": "D3-ASLR",
|
|
80119
|
+
"name": "Address Space Layout Randomization",
|
|
80120
|
+
"tactic": "Harden"
|
|
80121
|
+
},
|
|
80122
|
+
{
|
|
80123
|
+
"id": "D3-EAL",
|
|
80124
|
+
"name": "Executable Allowlisting",
|
|
80125
|
+
"tactic": "Harden"
|
|
80126
|
+
},
|
|
80127
|
+
{
|
|
80128
|
+
"id": "D3-PHRA",
|
|
80129
|
+
"name": "Process Hardware Resource Access",
|
|
80130
|
+
"tactic": "Isolate"
|
|
80131
|
+
},
|
|
80132
|
+
{
|
|
80133
|
+
"id": "D3-PSEP",
|
|
80134
|
+
"name": "Process Segment Execution Prevention",
|
|
80135
|
+
"tactic": "Harden"
|
|
80136
|
+
}
|
|
80137
|
+
],
|
|
80138
|
+
"framework_gaps": [
|
|
80139
|
+
{
|
|
80140
|
+
"id": "CIS-Controls-v8-Control7",
|
|
80141
|
+
"framework": "CIS Controls v8",
|
|
80142
|
+
"control_name": "Continuous Vulnerability Management"
|
|
80143
|
+
},
|
|
80144
|
+
{
|
|
80145
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
80146
|
+
"framework": "ISO/IEC 27001:2022",
|
|
80147
|
+
"control_name": "Management of technical vulnerabilities"
|
|
80148
|
+
},
|
|
80149
|
+
{
|
|
80150
|
+
"id": "NIS2-Art21-patch-management",
|
|
80151
|
+
"framework": "EU NIS2 Directive",
|
|
80152
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
80153
|
+
},
|
|
80154
|
+
{
|
|
80155
|
+
"id": "NIST-800-218-SSDF",
|
|
80156
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
80157
|
+
"control_name": "Secure Software Development Framework"
|
|
80158
|
+
},
|
|
80159
|
+
{
|
|
80160
|
+
"id": "NIST-800-53-SC-8",
|
|
80161
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
80162
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
80163
|
+
},
|
|
80164
|
+
{
|
|
80165
|
+
"id": "NIST-800-53-SI-2",
|
|
80166
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
80167
|
+
"control_name": "Flaw Remediation"
|
|
80168
|
+
},
|
|
80169
|
+
{
|
|
80170
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
80171
|
+
"framework": "PCI DSS 4.0",
|
|
80172
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
80173
|
+
},
|
|
80174
|
+
{
|
|
80175
|
+
"id": "SOC2-CC9-vendor-management",
|
|
80176
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
80177
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
80178
|
+
}
|
|
80179
|
+
],
|
|
80180
|
+
"attack_refs": [
|
|
80181
|
+
"T1068",
|
|
80182
|
+
"T1548.001"
|
|
80183
|
+
],
|
|
80184
|
+
"rfc_refs": [
|
|
80185
|
+
"RFC-4301",
|
|
80186
|
+
"RFC-4303",
|
|
80187
|
+
"RFC-7296"
|
|
80188
|
+
]
|
|
80189
|
+
}
|
|
80190
|
+
},
|
|
80191
|
+
"CVE-2023-50387": {
|
|
80192
|
+
"name": "KeyTrap — DNSSEC validating-resolver CPU exhaustion via crafted DNSKEY/RRSIG combinations",
|
|
80193
|
+
"rwep": 39,
|
|
80194
|
+
"cvss": 7.5,
|
|
80195
|
+
"cisa_kev": false,
|
|
80196
|
+
"epss_score": null,
|
|
80197
|
+
"referencing_skills": [
|
|
80198
|
+
"kernel-lpe-triage",
|
|
80199
|
+
"coordinated-vuln-disclosure"
|
|
80200
|
+
],
|
|
80201
|
+
"chain": {
|
|
80202
|
+
"cwes": [
|
|
80203
|
+
{
|
|
80204
|
+
"id": "CWE-125",
|
|
80205
|
+
"name": "Out-of-bounds Read",
|
|
80206
|
+
"category": "Memory Safety"
|
|
80207
|
+
},
|
|
80208
|
+
{
|
|
80209
|
+
"id": "CWE-1357",
|
|
80210
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
80211
|
+
"category": "Supply Chain"
|
|
80212
|
+
},
|
|
80213
|
+
{
|
|
80214
|
+
"id": "CWE-362",
|
|
80215
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
80216
|
+
"category": "Concurrency"
|
|
80217
|
+
},
|
|
80218
|
+
{
|
|
80219
|
+
"id": "CWE-416",
|
|
80220
|
+
"name": "Use After Free",
|
|
80221
|
+
"category": "Memory Safety"
|
|
80222
|
+
},
|
|
80223
|
+
{
|
|
80224
|
+
"id": "CWE-672",
|
|
80225
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
80226
|
+
"category": "Memory Safety"
|
|
80227
|
+
},
|
|
80228
|
+
{
|
|
80229
|
+
"id": "CWE-787",
|
|
80230
|
+
"name": "Out-of-bounds Write",
|
|
80231
|
+
"category": "Memory Safety"
|
|
80232
|
+
}
|
|
80233
|
+
],
|
|
80234
|
+
"atlas": [],
|
|
80235
|
+
"d3fend": [
|
|
80236
|
+
{
|
|
80237
|
+
"id": "D3-ASLR",
|
|
80238
|
+
"name": "Address Space Layout Randomization",
|
|
80239
|
+
"tactic": "Harden"
|
|
80240
|
+
},
|
|
80241
|
+
{
|
|
80242
|
+
"id": "D3-EAL",
|
|
80243
|
+
"name": "Executable Allowlisting",
|
|
80244
|
+
"tactic": "Harden"
|
|
80245
|
+
},
|
|
80246
|
+
{
|
|
80247
|
+
"id": "D3-PHRA",
|
|
80248
|
+
"name": "Process Hardware Resource Access",
|
|
80249
|
+
"tactic": "Isolate"
|
|
80250
|
+
},
|
|
80251
|
+
{
|
|
80252
|
+
"id": "D3-PSEP",
|
|
80253
|
+
"name": "Process Segment Execution Prevention",
|
|
80254
|
+
"tactic": "Harden"
|
|
80255
|
+
}
|
|
80256
|
+
],
|
|
80257
|
+
"framework_gaps": [
|
|
80258
|
+
{
|
|
80259
|
+
"id": "CIS-Controls-v8-Control7",
|
|
80260
|
+
"framework": "CIS Controls v8",
|
|
80261
|
+
"control_name": "Continuous Vulnerability Management"
|
|
80262
|
+
},
|
|
80263
|
+
{
|
|
80264
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
80265
|
+
"framework": "ISO/IEC 27001:2022",
|
|
80266
|
+
"control_name": "Management of technical vulnerabilities"
|
|
80267
|
+
},
|
|
80268
|
+
{
|
|
80269
|
+
"id": "NIS2-Art21-patch-management",
|
|
80270
|
+
"framework": "EU NIS2 Directive",
|
|
80271
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
80272
|
+
},
|
|
80273
|
+
{
|
|
80274
|
+
"id": "NIST-800-218-SSDF",
|
|
80275
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
80276
|
+
"control_name": "Secure Software Development Framework"
|
|
80277
|
+
},
|
|
80278
|
+
{
|
|
80279
|
+
"id": "NIST-800-53-SC-8",
|
|
80280
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
80281
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
80282
|
+
},
|
|
80283
|
+
{
|
|
80284
|
+
"id": "NIST-800-53-SI-2",
|
|
80285
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
80286
|
+
"control_name": "Flaw Remediation"
|
|
80287
|
+
},
|
|
80288
|
+
{
|
|
80289
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
80290
|
+
"framework": "PCI DSS 4.0",
|
|
80291
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
80292
|
+
},
|
|
80293
|
+
{
|
|
80294
|
+
"id": "SOC2-CC9-vendor-management",
|
|
80295
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
80296
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
80297
|
+
}
|
|
80298
|
+
],
|
|
80299
|
+
"attack_refs": [
|
|
80300
|
+
"T1068",
|
|
80301
|
+
"T1548.001"
|
|
80302
|
+
],
|
|
80303
|
+
"rfc_refs": [
|
|
80304
|
+
"RFC-4301",
|
|
80305
|
+
"RFC-4303",
|
|
80306
|
+
"RFC-7296"
|
|
80307
|
+
]
|
|
80308
|
+
}
|
|
80309
|
+
},
|
|
80310
|
+
"CVE-2023-50868": {
|
|
80311
|
+
"name": "DNSSEC NSEC3 closest-encloser proof CPU exhaustion (excessive SHA-1 iterations)",
|
|
80312
|
+
"rwep": 37,
|
|
80313
|
+
"cvss": 7.5,
|
|
80314
|
+
"cisa_kev": false,
|
|
80315
|
+
"epss_score": null,
|
|
80316
|
+
"referencing_skills": [
|
|
80317
|
+
"kernel-lpe-triage",
|
|
80318
|
+
"coordinated-vuln-disclosure"
|
|
80319
|
+
],
|
|
80320
|
+
"chain": {
|
|
80321
|
+
"cwes": [
|
|
80322
|
+
{
|
|
80323
|
+
"id": "CWE-125",
|
|
80324
|
+
"name": "Out-of-bounds Read",
|
|
80325
|
+
"category": "Memory Safety"
|
|
80326
|
+
},
|
|
80327
|
+
{
|
|
80328
|
+
"id": "CWE-1357",
|
|
80329
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
80330
|
+
"category": "Supply Chain"
|
|
80331
|
+
},
|
|
80332
|
+
{
|
|
80333
|
+
"id": "CWE-362",
|
|
80334
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
80335
|
+
"category": "Concurrency"
|
|
80336
|
+
},
|
|
80337
|
+
{
|
|
80338
|
+
"id": "CWE-416",
|
|
80339
|
+
"name": "Use After Free",
|
|
80340
|
+
"category": "Memory Safety"
|
|
80341
|
+
},
|
|
80342
|
+
{
|
|
80343
|
+
"id": "CWE-672",
|
|
80344
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
80345
|
+
"category": "Memory Safety"
|
|
80346
|
+
},
|
|
80347
|
+
{
|
|
80348
|
+
"id": "CWE-787",
|
|
80349
|
+
"name": "Out-of-bounds Write",
|
|
80350
|
+
"category": "Memory Safety"
|
|
80351
|
+
}
|
|
80352
|
+
],
|
|
80353
|
+
"atlas": [],
|
|
80354
|
+
"d3fend": [
|
|
80355
|
+
{
|
|
80356
|
+
"id": "D3-ASLR",
|
|
80357
|
+
"name": "Address Space Layout Randomization",
|
|
80358
|
+
"tactic": "Harden"
|
|
80359
|
+
},
|
|
80360
|
+
{
|
|
80361
|
+
"id": "D3-EAL",
|
|
80362
|
+
"name": "Executable Allowlisting",
|
|
80363
|
+
"tactic": "Harden"
|
|
80364
|
+
},
|
|
80365
|
+
{
|
|
80366
|
+
"id": "D3-PHRA",
|
|
80367
|
+
"name": "Process Hardware Resource Access",
|
|
80368
|
+
"tactic": "Isolate"
|
|
80369
|
+
},
|
|
80370
|
+
{
|
|
80371
|
+
"id": "D3-PSEP",
|
|
80372
|
+
"name": "Process Segment Execution Prevention",
|
|
80373
|
+
"tactic": "Harden"
|
|
80374
|
+
}
|
|
80375
|
+
],
|
|
80376
|
+
"framework_gaps": [
|
|
80377
|
+
{
|
|
80378
|
+
"id": "CIS-Controls-v8-Control7",
|
|
80379
|
+
"framework": "CIS Controls v8",
|
|
80380
|
+
"control_name": "Continuous Vulnerability Management"
|
|
80381
|
+
},
|
|
80382
|
+
{
|
|
80383
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
80384
|
+
"framework": "ISO/IEC 27001:2022",
|
|
80385
|
+
"control_name": "Management of technical vulnerabilities"
|
|
80386
|
+
},
|
|
80387
|
+
{
|
|
80388
|
+
"id": "NIS2-Art21-patch-management",
|
|
80389
|
+
"framework": "EU NIS2 Directive",
|
|
80390
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
80391
|
+
},
|
|
80392
|
+
{
|
|
80393
|
+
"id": "NIST-800-218-SSDF",
|
|
80394
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
80395
|
+
"control_name": "Secure Software Development Framework"
|
|
80396
|
+
},
|
|
80397
|
+
{
|
|
80398
|
+
"id": "NIST-800-53-SC-8",
|
|
80399
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
80400
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
80401
|
+
},
|
|
80402
|
+
{
|
|
80403
|
+
"id": "NIST-800-53-SI-2",
|
|
80404
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
80405
|
+
"control_name": "Flaw Remediation"
|
|
80406
|
+
},
|
|
80407
|
+
{
|
|
80408
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
80409
|
+
"framework": "PCI DSS 4.0",
|
|
80410
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
80411
|
+
},
|
|
80412
|
+
{
|
|
80413
|
+
"id": "SOC2-CC9-vendor-management",
|
|
80414
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
80415
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
80416
|
+
}
|
|
80417
|
+
],
|
|
80418
|
+
"attack_refs": [
|
|
80419
|
+
"T1068",
|
|
80420
|
+
"T1548.001"
|
|
80421
|
+
],
|
|
80422
|
+
"rfc_refs": [
|
|
80423
|
+
"RFC-4301",
|
|
80424
|
+
"RFC-4303",
|
|
80425
|
+
"RFC-7296"
|
|
80426
|
+
]
|
|
80427
|
+
}
|
|
80428
|
+
},
|
|
80429
|
+
"CVE-2023-44487": {
|
|
80430
|
+
"name": "HTTP/2 Rapid Reset — stream open-then-RST_STREAM flood (record-breaking DDoS)",
|
|
80431
|
+
"rwep": 80,
|
|
80432
|
+
"cvss": 7.5,
|
|
80433
|
+
"cisa_kev": true,
|
|
80434
|
+
"epss_score": null,
|
|
80435
|
+
"referencing_skills": [
|
|
80436
|
+
"kernel-lpe-triage",
|
|
80437
|
+
"coordinated-vuln-disclosure"
|
|
80438
|
+
],
|
|
80439
|
+
"chain": {
|
|
80440
|
+
"cwes": [
|
|
80441
|
+
{
|
|
80442
|
+
"id": "CWE-125",
|
|
80443
|
+
"name": "Out-of-bounds Read",
|
|
80444
|
+
"category": "Memory Safety"
|
|
80445
|
+
},
|
|
80446
|
+
{
|
|
80447
|
+
"id": "CWE-1357",
|
|
80448
|
+
"name": "Reliance on Insufficiently Trustworthy Component",
|
|
80449
|
+
"category": "Supply Chain"
|
|
80450
|
+
},
|
|
80451
|
+
{
|
|
80452
|
+
"id": "CWE-362",
|
|
80453
|
+
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)",
|
|
80454
|
+
"category": "Concurrency"
|
|
80455
|
+
},
|
|
80456
|
+
{
|
|
80457
|
+
"id": "CWE-416",
|
|
80458
|
+
"name": "Use After Free",
|
|
80459
|
+
"category": "Memory Safety"
|
|
80460
|
+
},
|
|
80461
|
+
{
|
|
80462
|
+
"id": "CWE-672",
|
|
80463
|
+
"name": "Operation on a Resource after Expiration or Release",
|
|
80464
|
+
"category": "Memory Safety"
|
|
80465
|
+
},
|
|
80466
|
+
{
|
|
80467
|
+
"id": "CWE-787",
|
|
80468
|
+
"name": "Out-of-bounds Write",
|
|
80469
|
+
"category": "Memory Safety"
|
|
80470
|
+
}
|
|
80471
|
+
],
|
|
80472
|
+
"atlas": [],
|
|
80473
|
+
"d3fend": [
|
|
80474
|
+
{
|
|
80475
|
+
"id": "D3-ASLR",
|
|
80476
|
+
"name": "Address Space Layout Randomization",
|
|
80477
|
+
"tactic": "Harden"
|
|
80478
|
+
},
|
|
80479
|
+
{
|
|
80480
|
+
"id": "D3-EAL",
|
|
80481
|
+
"name": "Executable Allowlisting",
|
|
80482
|
+
"tactic": "Harden"
|
|
80483
|
+
},
|
|
80484
|
+
{
|
|
80485
|
+
"id": "D3-PHRA",
|
|
80486
|
+
"name": "Process Hardware Resource Access",
|
|
80487
|
+
"tactic": "Isolate"
|
|
80488
|
+
},
|
|
80489
|
+
{
|
|
80490
|
+
"id": "D3-PSEP",
|
|
80491
|
+
"name": "Process Segment Execution Prevention",
|
|
80492
|
+
"tactic": "Harden"
|
|
80493
|
+
}
|
|
80494
|
+
],
|
|
80495
|
+
"framework_gaps": [
|
|
80496
|
+
{
|
|
80497
|
+
"id": "CIS-Controls-v8-Control7",
|
|
80498
|
+
"framework": "CIS Controls v8",
|
|
80499
|
+
"control_name": "Continuous Vulnerability Management"
|
|
80500
|
+
},
|
|
80501
|
+
{
|
|
80502
|
+
"id": "ISO-27001-2022-A.8.8",
|
|
80503
|
+
"framework": "ISO/IEC 27001:2022",
|
|
80504
|
+
"control_name": "Management of technical vulnerabilities"
|
|
80505
|
+
},
|
|
80506
|
+
{
|
|
80507
|
+
"id": "NIS2-Art21-patch-management",
|
|
80508
|
+
"framework": "EU NIS2 Directive",
|
|
80509
|
+
"control_name": "Vulnerability handling and disclosure"
|
|
80510
|
+
},
|
|
80511
|
+
{
|
|
80512
|
+
"id": "NIST-800-218-SSDF",
|
|
80513
|
+
"framework": "NIST SP 800-218 (Secure Software Development Framework v1.1)",
|
|
80514
|
+
"control_name": "Secure Software Development Framework"
|
|
80515
|
+
},
|
|
80516
|
+
{
|
|
80517
|
+
"id": "NIST-800-53-SC-8",
|
|
80518
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
80519
|
+
"control_name": "Transmission Confidentiality and Integrity"
|
|
80520
|
+
},
|
|
80521
|
+
{
|
|
80522
|
+
"id": "NIST-800-53-SI-2",
|
|
80523
|
+
"framework": "NIST SP 800-53 Rev 5",
|
|
80524
|
+
"control_name": "Flaw Remediation"
|
|
80525
|
+
},
|
|
80526
|
+
{
|
|
80527
|
+
"id": "PCI-DSS-4.0-6.3.3",
|
|
80528
|
+
"framework": "PCI DSS 4.0",
|
|
80529
|
+
"control_name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates"
|
|
80530
|
+
},
|
|
80531
|
+
{
|
|
80532
|
+
"id": "SOC2-CC9-vendor-management",
|
|
80533
|
+
"framework": "SOC 2 (AICPA Trust Services Criteria)",
|
|
80534
|
+
"control_name": "Risk Mitigation — Vendor and Business Partner Risk"
|
|
80535
|
+
}
|
|
80536
|
+
],
|
|
80537
|
+
"attack_refs": [
|
|
80538
|
+
"T1068",
|
|
80539
|
+
"T1548.001"
|
|
80540
|
+
],
|
|
80541
|
+
"rfc_refs": [
|
|
80542
|
+
"RFC-4301",
|
|
80543
|
+
"RFC-4303",
|
|
80544
|
+
"RFC-7296"
|
|
80545
|
+
]
|
|
80546
|
+
}
|
|
80547
|
+
},
|
|
79477
80548
|
"CWE-20": {
|
|
79478
80549
|
"name": "Improper Input Validation",
|
|
79479
80550
|
"category": "Validation",
|
|
@@ -81281,6 +82352,7 @@
|
|
|
81281
82352
|
"CVE-2010-0806",
|
|
81282
82353
|
"CVE-2010-3765",
|
|
81283
82354
|
"CVE-2010-3962",
|
|
82355
|
+
"CVE-2011-0411",
|
|
81284
82356
|
"CVE-2011-3402",
|
|
81285
82357
|
"CVE-2012-1854",
|
|
81286
82358
|
"CVE-2013-3893",
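Review bot: The same nine CVEs (CVE-2011-0411, CVE-2021-33515, CVE-2021-38371, CVE-2023-44487, CVE-2023-50387, CVE-2023-50868, CVE-2023-51764, CVE-2023-51765, CVE-2023-51766) are inserted into the `related_cves` list of six different parent entries in this change — here and again in the hunks starting at new lines 85281, 85762, 87180, 88140 and 90707 (parent keys are not visible in these hunks) — which is consistent with the fixed six-CWE chain (CWE-125, CWE-1357, CWE-362, CWE-416, CWE-672, CWE-787) that the preceding hunk attaches to both new CVE entries visible here, the HTTP/2 Rapid Reset flood (CVE-2023-44487) and the DNSSEC NSEC3 CPU-exhaustion bug (CVE-2023-50868). Both are resource-consumption flaws, not use-after-free or out-of-bounds-write, and the identical `d3fend` list (ASLR, executable allowlisting, segment execution prevention), `attack_refs` (T1068, T1548.001) and IPsec/IKEv2 `rfc_refs` (RFC-4301, RFC-4303, RFC-7296) on both entries read as a generator default that was never replaced with per-CVE data. A consumer that triages by CWE or picks mitigations from `d3fend` would be steered toward memory-hardening controls for denial-of-service issues, so the index builder should fail, or emit the entry without a `chain`, when a CVE has no specific mapping instead of falling back to a template. A cheap build-time guard is to reject the output when two or more CVE entries serialise to a byte-identical `chain` object.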
|
|
@@ -81313,6 +82385,8 @@
|
|
|
81313
82385
|
"CVE-2021-26829",
|
|
81314
82386
|
"CVE-2021-30952",
|
|
81315
82387
|
"CVE-2021-32030",
|
|
82388
|
+
"CVE-2021-33515",
|
|
82389
|
+
"CVE-2021-38371",
|
|
81316
82390
|
"CVE-2021-39935",
|
|
81317
82391
|
"CVE-2021-43226",
|
|
81318
82392
|
"CVE-2021-43798",
|
|
@@ -81335,9 +82409,15 @@
|
|
|
81335
82409
|
"CVE-2023-43000",
|
|
81336
82410
|
"CVE-2023-43654",
|
|
81337
82411
|
"CVE-2023-44467",
|
|
82412
|
+
"CVE-2023-44487",
|
|
81338
82413
|
"CVE-2023-48022",
|
|
81339
82414
|
"CVE-2023-50224",
|
|
82415
|
+
"CVE-2023-50387",
|
|
82416
|
+
"CVE-2023-50868",
|
|
81340
82417
|
"CVE-2023-51449",
|
|
82418
|
+
"CVE-2023-51764",
|
|
82419
|
+
"CVE-2023-51765",
|
|
82420
|
+
"CVE-2023-51766",
|
|
81341
82421
|
"CVE-2023-52163",
|
|
81342
82422
|
"CVE-2023-6019",
|
|
81343
82423
|
"CVE-2023-6021",
|
|
@@ -84201,6 +85281,7 @@
|
|
|
84201
85281
|
"CVE-2010-0806",
|
|
84202
85282
|
"CVE-2010-3765",
|
|
84203
85283
|
"CVE-2010-3962",
|
|
85284
|
+
"CVE-2011-0411",
|
|
84204
85285
|
"CVE-2011-3402",
|
|
84205
85286
|
"CVE-2012-1854",
|
|
84206
85287
|
"CVE-2013-3893",
|
|
@@ -84233,6 +85314,8 @@
|
|
|
84233
85314
|
"CVE-2021-26829",
|
|
84234
85315
|
"CVE-2021-30952",
|
|
84235
85316
|
"CVE-2021-32030",
|
|
85317
|
+
"CVE-2021-33515",
|
|
85318
|
+
"CVE-2021-38371",
|
|
84236
85319
|
"CVE-2021-39935",
|
|
84237
85320
|
"CVE-2021-43226",
|
|
84238
85321
|
"CVE-2021-43798",
|
|
@@ -84255,9 +85338,15 @@
|
|
|
84255
85338
|
"CVE-2023-43000",
|
|
84256
85339
|
"CVE-2023-43654",
|
|
84257
85340
|
"CVE-2023-44467",
|
|
85341
|
+
"CVE-2023-44487",
|
|
84258
85342
|
"CVE-2023-48022",
|
|
84259
85343
|
"CVE-2023-50224",
|
|
85344
|
+
"CVE-2023-50387",
|
|
85345
|
+
"CVE-2023-50868",
|
|
84260
85346
|
"CVE-2023-51449",
|
|
85347
|
+
"CVE-2023-51764",
|
|
85348
|
+
"CVE-2023-51765",
|
|
85349
|
+
"CVE-2023-51766",
|
|
84261
85350
|
"CVE-2023-52163",
|
|
84262
85351
|
"CVE-2023-6019",
|
|
84263
85352
|
"CVE-2023-6021",
|
|
@@ -84673,6 +85762,7 @@
|
|
|
84673
85762
|
"CVE-2010-0806",
|
|
84674
85763
|
"CVE-2010-3765",
|
|
84675
85764
|
"CVE-2010-3962",
|
|
85765
|
+
"CVE-2011-0411",
|
|
84676
85766
|
"CVE-2011-3402",
|
|
84677
85767
|
"CVE-2012-1854",
|
|
84678
85768
|
"CVE-2013-3893",
|
|
@@ -84705,6 +85795,8 @@
|
|
|
84705
85795
|
"CVE-2021-26829",
|
|
84706
85796
|
"CVE-2021-30952",
|
|
84707
85797
|
"CVE-2021-32030",
|
|
85798
|
+
"CVE-2021-33515",
|
|
85799
|
+
"CVE-2021-38371",
|
|
84708
85800
|
"CVE-2021-39935",
|
|
84709
85801
|
"CVE-2021-43226",
|
|
84710
85802
|
"CVE-2021-43798",
|
|
@@ -84727,9 +85819,15 @@
|
|
|
84727
85819
|
"CVE-2023-43000",
|
|
84728
85820
|
"CVE-2023-43654",
|
|
84729
85821
|
"CVE-2023-44467",
|
|
85822
|
+
"CVE-2023-44487",
|
|
84730
85823
|
"CVE-2023-48022",
|
|
84731
85824
|
"CVE-2023-50224",
|
|
85825
|
+
"CVE-2023-50387",
|
|
85826
|
+
"CVE-2023-50868",
|
|
84732
85827
|
"CVE-2023-51449",
|
|
85828
|
+
"CVE-2023-51764",
|
|
85829
|
+
"CVE-2023-51765",
|
|
85830
|
+
"CVE-2023-51766",
|
|
84733
85831
|
"CVE-2023-52163",
|
|
84734
85832
|
"CVE-2023-6019",
|
|
84735
85833
|
"CVE-2023-6021",
|
|
@@ -86082,6 +87180,7 @@
|
|
|
86082
87180
|
"CVE-2010-0806",
|
|
86083
87181
|
"CVE-2010-3765",
|
|
86084
87182
|
"CVE-2010-3962",
|
|
87183
|
+
"CVE-2011-0411",
|
|
86085
87184
|
"CVE-2011-3402",
|
|
86086
87185
|
"CVE-2012-1854",
|
|
86087
87186
|
"CVE-2013-3893",
|
|
@@ -86114,6 +87213,8 @@
|
|
|
86114
87213
|
"CVE-2021-26829",
|
|
86115
87214
|
"CVE-2021-30952",
|
|
86116
87215
|
"CVE-2021-32030",
|
|
87216
|
+
"CVE-2021-33515",
|
|
87217
|
+
"CVE-2021-38371",
|
|
86117
87218
|
"CVE-2021-39935",
|
|
86118
87219
|
"CVE-2021-43226",
|
|
86119
87220
|
"CVE-2021-43798",
|
|
@@ -86135,9 +87236,15 @@
|
|
|
86135
87236
|
"CVE-2023-43000",
|
|
86136
87237
|
"CVE-2023-43654",
|
|
86137
87238
|
"CVE-2023-44467",
|
|
87239
|
+
"CVE-2023-44487",
|
|
86138
87240
|
"CVE-2023-48022",
|
|
86139
87241
|
"CVE-2023-50224",
|
|
87242
|
+
"CVE-2023-50387",
|
|
87243
|
+
"CVE-2023-50868",
|
|
86140
87244
|
"CVE-2023-51449",
|
|
87245
|
+
"CVE-2023-51764",
|
|
87246
|
+
"CVE-2023-51765",
|
|
87247
|
+
"CVE-2023-51766",
|
|
86141
87248
|
"CVE-2023-52163",
|
|
86142
87249
|
"CVE-2023-6019",
|
|
86143
87250
|
"CVE-2023-6021",
|
|
@@ -87033,6 +88140,7 @@
|
|
|
87033
88140
|
"CVE-2010-0806",
|
|
87034
88141
|
"CVE-2010-3765",
|
|
87035
88142
|
"CVE-2010-3962",
|
|
88143
|
+
"CVE-2011-0411",
|
|
87036
88144
|
"CVE-2011-3402",
|
|
87037
88145
|
"CVE-2012-1854",
|
|
87038
88146
|
"CVE-2013-3893",
|
|
@@ -87065,6 +88173,8 @@
|
|
|
87065
88173
|
"CVE-2021-26829",
|
|
87066
88174
|
"CVE-2021-30952",
|
|
87067
88175
|
"CVE-2021-32030",
|
|
88176
|
+
"CVE-2021-33515",
|
|
88177
|
+
"CVE-2021-38371",
|
|
87068
88178
|
"CVE-2021-39935",
|
|
87069
88179
|
"CVE-2021-43226",
|
|
87070
88180
|
"CVE-2021-43798",
|
|
@@ -87088,9 +88198,15 @@
|
|
|
87088
88198
|
"CVE-2023-43472",
|
|
87089
88199
|
"CVE-2023-43654",
|
|
87090
88200
|
"CVE-2023-44467",
|
|
88201
|
+
"CVE-2023-44487",
|
|
87091
88202
|
"CVE-2023-48022",
|
|
87092
88203
|
"CVE-2023-50224",
|
|
88204
|
+
"CVE-2023-50387",
|
|
88205
|
+
"CVE-2023-50868",
|
|
87093
88206
|
"CVE-2023-51449",
|
|
88207
|
+
"CVE-2023-51764",
|
|
88208
|
+
"CVE-2023-51765",
|
|
88209
|
+
"CVE-2023-51766",
|
|
87094
88210
|
"CVE-2023-52163",
|
|
87095
88211
|
"CVE-2023-6016",
|
|
87096
88212
|
"CVE-2023-6019",
|
|
@@ -89591,6 +90707,7 @@
|
|
|
89591
90707
|
"CVE-2010-0806",
|
|
89592
90708
|
"CVE-2010-3765",
|
|
89593
90709
|
"CVE-2010-3962",
|
|
90710
|
+
"CVE-2011-0411",
|
|
89594
90711
|
"CVE-2011-3402",
|
|
89595
90712
|
"CVE-2012-1854",
|
|
89596
90713
|
"CVE-2013-3893",
|
|
@@ -89623,6 +90740,8 @@
|
|
|
89623
90740
|
"CVE-2021-26829",
|
|
89624
90741
|
"CVE-2021-30952",
|
|
89625
90742
|
"CVE-2021-32030",
|
|
90743
|
+
"CVE-2021-33515",
|
|
90744
|
+
"CVE-2021-38371",
|
|
89626
90745
|
"CVE-2021-39935",
|
|
89627
90746
|
"CVE-2021-43226",
|
|
89628
90747
|
"CVE-2021-43798",
|
|
@@ -89644,8 +90763,14 @@
|
|
|
89644
90763
|
"CVE-2023-43000",
|
|
89645
90764
|
"CVE-2023-43654",
|
|
89646
90765
|
"CVE-2023-44467",
|
|
90766
|
+
"CVE-2023-44487",
|
|
89647
90767
|
"CVE-2023-50224",
|
|
90768
|
+
"CVE-2023-50387",
|
|
90769
|
+
"CVE-2023-50868",
|
|
89648
90770
|
"CVE-2023-51449",
|
|
90771
|
+
"CVE-2023-51764",
|
|
90772
|
+
"CVE-2023-51765",
|
|
90773
|
+
"CVE-2023-51766",
|
|
89649
90774
|
"CVE-2023-52163",
|
|
89650
90775
|
"CVE-2023-6019",
|
|
89651
90776
|
"CVE-2023-6021",
|
|
@@ -92269,5 +93394,19 @@
|
|
|
92269
93394
|
"rfc_refs": []
|
|
92270
93395
|
},
|
|
92271
93396
|
"related_cves": []
|
|
93397
|
+
},
|
|
93398
|
+
"CWE-93": {
|
|
93399
|
+
"name": "Improper Neutralization of CRLF Sequences ('CRLF Injection')",
|
|
93400
|
+
"category": "Injection",
|
|
93401
|
+
"referencing_skills": [],
|
|
93402
|
+
"skill_count": 0,
|
|
93403
|
+
"chain": {
|
|
93404
|
+
"atlas": [],
|
|
93405
|
+
"attack_refs": [],
|
|
93406
|
+
"framework_gaps": [],
|
|
93407
|
+
"d3fend": [],
|
|
93408
|
+
"rfc_refs": []
|
|
93409
|
+
},
|
|
93410
|
+
"related_cves": []
|
|
92272
93411
|
}
|
|
92273
93412
|
}
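Review bot: The new `CWE-93` entry is written with every link field empty (`"referencing_skills": []`, `"skill_count": 0`, an all-empty `chain`, `"related_cves": []`), so it carries nothing a consumer can act on. If the key was introduced for the SMTP smuggling CVEs added elsewhere in this change (CVE-2023-51764, CVE-2023-51765, CVE-2023-51766), which concern end-of-data sequence handling and so plausibly map to CRLF neutralisation, their `chain.cwes` should list CWE-93 so this `related_cves` is filled by the same pass that populates the other CWE entries; otherwise the generator should skip CWEs with no references rather than emit placeholder objects. `skill_count` duplicates the length of `referencing_skills` and can drift from it; if it stays, derive it at build time and have a validation step check the two agree for every entry. The enclosing top-level object closes at the end of this hunk.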
|