Date: Tue, 12 Oct 2021 13:17:08 GMT From: Dave Cottlehuber <dch@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: e349d6c6c522 - main - security/vuxml: add CouchDB CVE details Message-ID: <202110121317.19CDH84S049840@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by dch: URL: https://cgit.FreeBSD.org/ports/commit/?id=e349d6c6c52214a48c57142cf6223d55d75e5b76 commit e349d6c6c52214a48c57142cf6223d55d75e5b76 Author: Dave Cottlehuber <dch@FreeBSD.org> AuthorDate: 2021-10-12 12:40:10 +0000 Commit: Dave Cottlehuber <dch@FreeBSD.org> CommitDate: 2021-10-12 13:16:54 +0000 security/vuxml: add CouchDB CVE details while here, appease `make validate` indentation Security: https://docs.couchdb.org/en/stable/cve/2021-38295.html Sponsored by: SkunkWerks, GmbH --- security/vuxml/vuln-2021.xml | 43 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 5 deletions(-) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index 1f31be2f4016..82095255b54d 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,36 @@ + <vuln vid="a7dd4c2d-77e4-46de-81a2-c453c317f9de"> + <topic>couchdb -- user privilege escalation</topic> + <affects> + <package> + <name>couchdb</name> + <range><lt>3.1.2,2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Cory Sabol reports:</p> + <blockquote cite="https://docs.couchdb.org/en/stable/cve/2021-38295.html">; + <p>A malicious user with permission to create documents in a + database is able to attach a HTML attachment to a document. + If a CouchDB admin opens that attachment in a browser, e.g. + via the CouchDB admin interface Fauxton, any JavaScript code + embedded in that HTML attachment will be executed within the + security context of that admin. A similar route is available + with the already deprecated _show and _list functionality. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-39205</cvename> + <url>https://docs.couchdb.org/en/stable/cve/2021-38295.html</url>; + </references> + <dates> + <discovery>2021-08-09</discovery> + <entry>2021-10-12</entry> + </dates> + </vuln> + <vuln vid="9a8514f3-2ab8-11ec-b3a1-8c164582fbac"> <topic>Ansible -- Ansible user credentials disclosure in ansible-connection module</topic> <affects> @@ -38,11 +71,11 @@ <body xmlns="http://www.w3.org/1999/xhtml">; <p>Red Hat reports:</p> <blockquote cite=""> - <p>A flaw was found in Ansible Engine's ansible-connection - module, where sensitive information such as the Ansible - user credentials is disclosed by default in the traceback - error message. The highest threat from this vulnerability - is to confidentiality.</p> + <p>A flaw was found in Ansible Engine's ansible-connection + module, where sensitive information such as the Ansible + user credentials is disclosed by default in the traceback + error message. The highest threat from this vulnerability + is to confidentiality.</p> </blockquote> </body> </description>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202110121317.19CDH84S049840>