diff --git a/vulns/.id-allocator b/vulns/.id-allocator index 3217ed38..891f3578 100644 --- a/vulns/.id-allocator +++ b/vulns/.id-allocator @@ -1 +1 @@ -68eaf5059ce6946d2752f5b18ae4d9bc0f9ffe8654234b8ae1581f43116b8a61 \ No newline at end of file +ef3e928de5b854c3a5c9d1680bcc65b44bb311eacd22c1d6fd4cda0418e5a15c \ No newline at end of file diff --git a/vulns/cryptography/PYSEC-0000-CVE-2024-26130.yaml b/vulns/cryptography/PYSEC-2024-225.yaml similarity index 93% rename from vulns/cryptography/PYSEC-0000-CVE-2024-26130.yaml rename to vulns/cryptography/PYSEC-2024-225.yaml index 68988d57..50adb679 100644 --- a/vulns/cryptography/PYSEC-0000-CVE-2024-26130.yaml +++ b/vulns/cryptography/PYSEC-2024-225.yaml @@ -1,4 +1,11 @@ -id: PYSEC-0000-CVE-2024-26130 +id: PYSEC-2024-225 +modified: 2025-02-06T00:34:24.427679Z +published: 2024-02-21T17:15:09Z +aliases: +- CVE-2024-26130 +related: +- GHSA-6vqw-3v5j-54x4 +- GHSA-6vqw-3v5j-54x4 details: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose 
@@ -7,34 +14,18 @@ details: cryptography is a package designed to expose cryptographic primitives a then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. -aliases: -- CVE-2024-26130 -modified: '2025-02-06T00:34:24.427679Z' -published: '2024-02-21T17:15:09Z' -related: -- GHSA-6vqw-3v5j-54x4 -- GHSA-6vqw-3v5j-54x4 -references: -- type: ADVISORY - url: https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4 -- type: FIX - url: https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 -- type: FIX - url: https://github.com/pyca/cryptography/pull/10423 -- type: REPORT - url: https://github.com/pyca/cryptography/pull/10423 affected: - package: - name: cryptography ecosystem: PyPI + name: cryptography purl: pkg:pypi/cryptography ranges: - type: GIT - repo: https://github.com/pyca/cryptography events: - - introduced: '0' + - introduced: "0" - fixed: 97d231672763cdb5959a3b191e692a362f1b9e55 - fixed: 97d231672763cdb5959a3b191e692a362f1b9e55 + repo: https://github.com/pyca/cryptography - type: ECOSYSTEM events: - introduced: 38.0.0 @@ -66,3 +57,12 @@ affected: severity: - type: CVSS_V3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +references: +- type: ADVISORY + url: https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4 +- type: FIX + url: https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 +- type: FIX + url: https://github.com/pyca/cryptography/pull/10423 +- type: REPORT + url: https://github.com/pyca/cryptography/pull/10423 diff --git a/vulns/pymatgen/PYSEC-0000-CVE-2024-23346.yaml b/vulns/pymatgen/PYSEC-2024-226.yaml similarity index 97% rename from vulns/pymatgen/PYSEC-0000-CVE-2024-23346.yaml rename to vulns/pymatgen/PYSEC-2024-226.yaml index 77dd1c0d..00c261b0 100644 --- a/vulns/pymatgen/PYSEC-0000-CVE-2024-23346.yaml 
+++ b/vulns/pymatgen/PYSEC-2024-226.yaml 
@@ -1,44 +1,31 @@ -id: PYSEC-0000-CVE-2024-23346 -details: Pymatgen (Python Materials Genomics) is an open-source Python library for - materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` - method within the `pymatgen` library prior to version 2024.2.20. This method insecurely - utilizes `eval()` for processing input, enabling execution of arbitrary code when - parsing untrusted input. Version 2024.2.20 fixes this issue. +id: PYSEC-2024-226 +modified: 2025-02-06T00:34:28.73473Z +published: 2024-02-21T17:15:09Z aliases: - CVE-2024-23346 -modified: '2025-02-06T00:34:28.734730Z' -published: '2024-02-21T17:15:09Z' related: - GHSA-vgv8-5cpj-qj2f - GHSA-vgv8-5cpj-qj2f -references: -- type: ADVISORY - url: https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f -- type: EVIDENCE - url: https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f -- type: EVIDENCE - url: https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346 -- type: FIX - url: https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a -- type: WEB - url: https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108 -- type: WEB - url: https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346 +details: Pymatgen (Python Materials Genomics) is an open-source Python library for + materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` + method within the `pymatgen` library prior to version 2024.2.20. This method insecurely + utilizes `eval()` for processing input, enabling execution of arbitrary code when + parsing untrusted input. Version 2024.2.20 fixes this issue. 
affected: - package: - name: pymatgen ecosystem: PyPI + name: pymatgen purl: pkg:pypi/pymatgen ranges: - type: GIT - repo: https://github.com/materialsproject/pymatgen events: - - introduced: '0' + - introduced: "0" - fixed: c231cbd3d5147ee920a37b6ee9dd236b376bcf5a - fixed: c231cbd3d5147ee920a37b6ee9dd236b376bcf5a + repo: https://github.com/materialsproject/pymatgen - type: ECOSYSTEM events: - - introduced: '0' + - introduced: "0" - fixed: 2024.2.20 versions: - 1.0.4 @@ -417,3 +404,16 @@ affected: severity: - type: CVSS_V3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H +references: +- type: ADVISORY + url: https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f +- type: EVIDENCE + url: https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f +- type: EVIDENCE + url: https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346 +- type: FIX + url: https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a +- type: WEB + url: https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108 +- type: WEB + url: https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346
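Review bot: in the PYSEC-2024-225 header hunk the `related:` list carries `GHSA-6vqw-3v5j-54x4` twice; deduplicate it while the record is being rewritten. The same hunk drops the quotes from `modified:` and `published:`, and an unquoted `2025-02-06T00:34:24.427679Z` is parsed as a timestamp by YAML 1.1 loaders such as PyYAML rather than as the RFC3339 string the OSV schema expects, so confirm the consumer round-trips it as a string.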
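Review bot: the GIT range in the second cryptography hunk still lists `- fixed: 97d231672763cdb5959a3b191e692a362f1b9e55` twice (visible in the unchanged context lines), and the references block moved to the end of the file lists `https://github.com/pyca/cryptography/pull/10423` as both FIX and REPORT; a rename is a good moment to collapse both duplicates. Moving `repo:` after `events:` and swapping `ecosystem`/`name` is a pure key-order change, harmless in YAML but worth noting in the commit message as serializer output.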
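Review bot: in the PYSEC-2024-226 header hunk `modified:` changes value, not just quoting, from `'2025-02-06T00:34:28.734730Z'` to `2025-02-06T00:34:28.73473Z`; the dropped trailing zero means the field went through a datetime parse and re-serialization, so the rewrite tool is mutating data rather than reformatting it. Either preserve the original string verbatim or have the tool emit fixed-width fractional seconds so records are byte-stable across reruns. The `related:` list in the same hunk also keeps the duplicate `GHSA-vgv8-5cpj-qj2f` entry.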
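Review bot: the pymatgen GIT range still carries two identical `- fixed: c231cbd3d5147ee920a37b6ee9dd236b376bcf5a` events, and the relocated references block lists the GHSA advisory URL as both ADVISORY and EVIDENCE and the vicarius.io post as both EVIDENCE and WEB. Dedupe the events and keep one reference entry per URL with the most specific type.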