diff --git a/mapping.csv b/mapping.csv
index 08efff7869..4a3d08a16b 100644
--- a/mapping.csv
+++ b/mapping.csv
@@ -262793,3 +262793,5 @@ vulnerability,CVE-2025-21599,vulnerability--6855a997-c49c-4da8-b91c-877cca257cb4
 vulnerability,CVE-2025-21593,vulnerability--8f2f4a56-1326-49c7-ae46-ab86b5403104
 vulnerability,CVE-2025-21596,vulnerability--c4afa32b-80c1-4fb9-b297-29dbc017c687
 vulnerability,CVE-2025-21592,vulnerability--16272ede-835c-4777-bce9-0a1b1c967541
+vulnerability,CVE-2025-21628,vulnerability--84dcb957-adb7-41b4-b405-568bd24ac4de
+vulnerability,CVE-2025-22149,vulnerability--8ce9df25-8517-413f-8b9d-6dfe7635752d
diff --git a/objects/vulnerability/vulnerability--84dcb957-adb7-41b4-b405-568bd24ac4de.json b/objects/vulnerability/vulnerability--84dcb957-adb7-41b4-b405-568bd24ac4de.json
new file mode 100644
index 0000000000..43810bb1a0
--- /dev/null
+++ b/objects/vulnerability/vulnerability--84dcb957-adb7-41b4-b405-568bd24ac4de.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--b13dde78-167c-4b94-99cc-eee9125ea466",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--84dcb957-adb7-41b4-b405-568bd24ac4de",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-09T18:27:46.481872Z",
+ "modified": "2025-01-09T18:27:46.481872Z",
+ "name": "CVE-2025-21628",
+ "description": "Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of query_operator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the filter query by adding a tautological WHERE clause. This issue is patched with v3.16.0.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2025-21628"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--8ce9df25-8517-413f-8b9d-6dfe7635752d.json b/objects/vulnerability/vulnerability--8ce9df25-8517-413f-8b9d-6dfe7635752d.json
new file mode 100644
index 0000000000..d8e2462537
--- /dev/null
+++ b/objects/vulnerability/vulnerability--8ce9df25-8517-413f-8b9d-6dfe7635752d.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--eec91965-a4e1-4917-96bf-9c5983f311c5",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--8ce9df25-8517-413f-8b9d-6dfe7635752d",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-09T18:27:46.531155Z",
+ "modified": "2025-01-09T18:27:46.531155Z",
+ "name": "CVE-2025-22149",
+ "description": "JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2025-22149"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file