diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py index bc4a4296d..be084844b 100644 --- a/vulnerabilities/importers/__init__.py +++ b/vulnerabilities/importers/__init__.py @@ -74,6 +74,7 @@ from vulnerabilities.pipelines.v2_importers import pysec_importer as pysec_importer_v2 from vulnerabilities.pipelines.v2_importers import redhat_importer as redhat_importer_v2 from vulnerabilities.pipelines.v2_importers import ruby_importer as ruby_importer_v2 +from vulnerabilities.pipelines.v2_importers import ubuntu_osv_importer as ubuntu_osv_importer_v2 from vulnerabilities.pipelines.v2_importers import vulnrichment_importer as vulnrichment_importer_v2 from vulnerabilities.pipelines.v2_importers import xen_importer as xen_importer_v2 from vulnerabilities.utils import create_registry @@ -107,6 +108,7 @@ debian_importer_v2.DebianImporterPipeline, mattermost_importer_v2.MattermostImporterPipeline, apache_tomcat_v2.ApacheTomcatImporterPipeline, + ubuntu_osv_importer_v2.UbuntuOSVImporterPipeline, nvd_importer.NVDImporterPipeline, github_importer.GitHubAPIImporterPipeline, gitlab_importer.GitLabImporterPipeline, diff --git a/vulnerabilities/migrations/0112_alter_advisoryseverity_scoring_system_and_more.py b/vulnerabilities/migrations/0112_alter_advisoryseverity_scoring_system_and_more.py new file mode 100644 index 000000000..414ff6943 --- /dev/null +++ b/vulnerabilities/migrations/0112_alter_advisoryseverity_scoring_system_and_more.py 
@@ -0,0 +1,63 @@ +# Generated by Django 4.2.25 on 2026-02-05 10:10 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ("vulnerabilities", "0111_alter_advisoryseverity_scoring_system_and_more"), + ] + + operations = [ + migrations.AlterField( + model_name="advisoryseverity", + name="scoring_system", + field=models.CharField( + choices=[ + ("cvssv2", "CVSSv2 Base Score"), + ("cvssv3", "CVSSv3 Base Score"), + ("cvssv3.1", "CVSSv3.1 Base Score"), + ("cvssv4", "CVSSv4 Base Score"), + ("rhbs", "RedHat Bugzilla severity"), + ("rhas", "RedHat Aggregate severity"), + ("archlinux", "Archlinux Vulnerability Group Severity"), + ("cvssv3.1_qr", "CVSSv3.1 Qualitative Severity Rating"), + ("generic_textual", "Generic textual severity rating"), + ("apache_httpd", "Apache Httpd Severity"), + ("apache_tomcat", "Apache Tomcat Severity"), + ("epss", "Exploit Prediction Scoring System"), + ("ssvc", "Stakeholder-Specific Vulnerability Categorization"), + ("openssl", "OpenSSL Severity"), + ("ubuntu-priority", "Ubuntu Priority"), + ], + help_text="Identifier for the scoring system used. 
Available choices are: cvssv2: CVSSv2 Base Score,\ncvssv3: CVSSv3 Base Score,\ncvssv3.1: CVSSv3.1 Base Score,\ncvssv4: CVSSv4 Base Score,\nrhbs: RedHat Bugzilla severity,\nrhas: RedHat Aggregate severity,\narchlinux: Archlinux Vulnerability Group Severity,\ncvssv3.1_qr: CVSSv3.1 Qualitative Severity Rating,\ngeneric_textual: Generic textual severity rating,\napache_httpd: Apache Httpd Severity,\napache_tomcat: Apache Tomcat Severity,\nepss: Exploit Prediction Scoring System,\nssvc: Stakeholder-Specific Vulnerability Categorization,\nopenssl: OpenSSL Severity,\nubuntu-priority: Ubuntu Priority ", + max_length=50, + ), + ), + migrations.AlterField( + model_name="vulnerabilityseverity", + name="scoring_system", + field=models.CharField( + choices=[ + ("cvssv2", "CVSSv2 Base Score"), + ("cvssv3", "CVSSv3 Base Score"), + ("cvssv3.1", "CVSSv3.1 Base Score"), + ("cvssv4", "CVSSv4 Base Score"), + ("rhbs", "RedHat Bugzilla severity"), + ("rhas", "RedHat Aggregate severity"), + ("archlinux", "Archlinux Vulnerability Group Severity"), + ("cvssv3.1_qr", "CVSSv3.1 Qualitative Severity Rating"), + ("generic_textual", "Generic textual severity rating"), + ("apache_httpd", "Apache Httpd Severity"), + ("apache_tomcat", "Apache Tomcat Severity"), + ("epss", "Exploit Prediction Scoring System"), + ("ssvc", "Stakeholder-Specific Vulnerability Categorization"), + ("openssl", "OpenSSL Severity"), + ("ubuntu-priority", "Ubuntu Priority"), + ], + help_text="Identifier for the scoring system used. 
Available choices are: cvssv2: CVSSv2 Base Score,\ncvssv3: CVSSv3 Base Score,\ncvssv3.1: CVSSv3.1 Base Score,\ncvssv4: CVSSv4 Base Score,\nrhbs: RedHat Bugzilla severity,\nrhas: RedHat Aggregate severity,\narchlinux: Archlinux Vulnerability Group Severity,\ncvssv3.1_qr: CVSSv3.1 Qualitative Severity Rating,\ngeneric_textual: Generic textual severity rating,\napache_httpd: Apache Httpd Severity,\napache_tomcat: Apache Tomcat Severity,\nepss: Exploit Prediction Scoring System,\nssvc: Stakeholder-Specific Vulnerability Categorization,\nopenssl: OpenSSL Severity,\nubuntu-priority: Ubuntu Priority ", + max_length=50, + ), + ), + ] diff --git a/vulnerabilities/pipelines/__init__.py b/vulnerabilities/pipelines/__init__.py index 9efd58c05..fc784e019 100644 --- a/vulnerabilities/pipelines/__init__.py +++ b/vulnerabilities/pipelines/__init__.py @@ -266,6 +266,9 @@ class VulnerableCodeBaseImporterPipelineV2(VulnerableCodePipeline): repo_url = None ignorable_versions = [] + # Control how often progress log is shown (range: 1–100, higher value = less frequent log) + progress_step = 10 + # When set to true pipeline is run only once. # To rerun onetime pipeline reset is_active field to True via migration. run_once = False @@ -301,7 +304,11 @@ def collect_and_store_advisories(self): if estimated_advisory_count > 0: self.log(f"Collecting {estimated_advisory_count:,d} advisories") - progress = LoopProgress(total_iterations=estimated_advisory_count, logger=self.log) + progress = LoopProgress( + total_iterations=estimated_advisory_count, + logger=self.log, + progress_step=self.progress_step, + ) for advisory in progress.iter(self.collect_advisories()): if advisory is None: self.log("Advisory is None, skipping") diff --git a/vulnerabilities/pipelines/v2_importers/ubuntu_osv_importer.py b/vulnerabilities/pipelines/v2_importers/ubuntu_osv_importer.py new file mode 100644 index 000000000..2b4e5527b --- /dev/null +++ b/vulnerabilities/pipelines/v2_importers/ubuntu_osv_importer.py 
@@ -0,0 +1,79 @@ +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/aboutcode-org/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# + +from pathlib import Path +from typing import Iterable + +from fetchcode.vcs import fetch_via_vcs + +from vulnerabilities.importer import AdvisoryData +from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2 +from vulnerabilities.pipes.osv_v2 import parse_advisory_data_v3 +from vulnerabilities.utils import get_advisory_url +from vulnerabilities.utils import load_json + + +class UbuntuOSVImporterPipeline(VulnerableCodeBaseImporterPipelineV2): + """ + Collect Ubuntu OSV format advisories. + + Collect advisories from the GitHub Ubuntu Vulnerability Data repository. + """ + + pipeline_id = "ubuntu_osv_importer_v2" + spdx_license_expression = "CC-BY-4.0" + license_url = "https://github.com/canonical/ubuntu-security-notices/blob/main/LICENSE" + repo_url = "git+https://github.com/canonical/ubuntu-security-notices/" + + progress_step = 1 + + @classmethod + def steps(cls): + return ( + cls.clone, + cls.collect_and_store_advisories, + cls.clean_downloads, + ) + + def clone(self): + self.log(f"Cloning `{self.repo_url}`") + self.vcs_response = fetch_via_vcs(self.repo_url) + self.advisories_path = Path(self.vcs_response.dest_dir) + + def advisories_count(self): + cve_directory = self.advisories_path / "osv" / "cve" + return sum(1 for _ in cve_directory.rglob("*.json")) + + def collect_advisories(self) -> Iterable[AdvisoryData]: + supported_ecosystems = ["deb"] + cve_directory = self.advisories_path / "osv" / "cve" + + for file in cve_directory.rglob("*.json"): + advisory_url = get_advisory_url( + file=file, + base_path=self.advisories_path, + 
url="https://github.com/canonical/ubuntu-security-notices/blob/main/", + ) + raw_data = load_json(file) + advisory_text = file.read_text() + + yield parse_advisory_data_v3( + raw_data=raw_data, + supported_ecosystems=supported_ecosystems, + advisory_url=advisory_url, + advisory_text=advisory_text, + ) + + def clean_downloads(self): + if self.vcs_response: + self.log("Removing cloned repository") + self.vcs_response.delete() + + def on_failure(self): + self.clean_downloads() diff --git a/vulnerabilities/pipes/advisory.py b/vulnerabilities/pipes/advisory.py index 9bc935d04..175c1bd1e 100644 --- a/vulnerabilities/pipes/advisory.py +++ b/vulnerabilities/pipes/advisory.py @@ -360,14 +360,14 @@ def insert_advisory_v2( affected_package=affected_pkg, logger=logger, ) - affected_packages_v2 = [ - PackageV2.objects.get_or_create_from_purl(purl=purl)[0] - for purl in package_affected_purls - ] - fixed_packages_v2 = [ - PackageV2.objects.get_or_create_from_purl(purl=purl)[0] - for purl in package_fixed_purls - ] + + affected_packages_v2 = PackageV2.objects.bulk_get_or_create_from_purls( + purls=package_affected_purls + ) + fixed_packages_v2 = PackageV2.objects.bulk_get_or_create_from_purls( + purls=package_fixed_purls + ) + impact.affecting_packages.add(*affected_packages_v2) impact.fixed_by_packages.add(*fixed_packages_v2) diff --git a/vulnerabilities/pipes/osv_v2.py b/vulnerabilities/pipes/osv_v2.py index a98523f29..666927ac3 100644 --- a/vulnerabilities/pipes/osv_v2.py +++ b/vulnerabilities/pipes/osv_v2.py @@ -51,6 +51,12 @@ "crates.io": "cargo", } +OSV_TO_VCIO_SEVERITY_MAP = { + "cvss_v3": "cvssv3.1", + "cvss_v4": "cvssv4", + "ubuntu": "ubuntu-priority", +} + def parse_advisory_data_v3( raw_data: dict, supported_ecosystems, advisory_url: str, advisory_text: str 
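Review bot: `clean_downloads` tests `self.vcs_response`, but that attribute is only assigned in `clone` after `fetch_via_vcs` has returned, so if the clone itself fails, `on_failure` → `clean_downloads` raises AttributeError and masks the original error (unless the base pipeline predeclares the attribute, which is outside this diff; the new test setting `pipeline.vcs_response = None` by hand suggests it does not). Declare it at class level next to `progress_step = 1`, `vcs_response = None`, or check `getattr(self, "vcs_response", None)`. In `collect_advisories` each file is opened twice, once by `load_json(file)` and once by `file.read_text()`; the second call should at least pin the decoding, `advisory_text = file.read_text(encoding="utf-8")`, so the result does not depend on the host locale. The class docstring could also say what is actually walked, e.g. `Only files under osv/cve/ are imported; USN notices elsewhere in the repository are ignored.`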
@@ -67,9 +73,10 @@ def parse_advisory_data_v3( details = raw_data.get("details") or "" summary = build_description(summary=summary, description=details) aliases = raw_data.get("aliases") or [] + aliases.extend(raw_data.get("upstream", [])) date_published = get_published_date(raw_data=raw_data) - severities = list(get_severities(raw_data=raw_data)) + severities = list(get_severities(raw_data=raw_data, url=advisory_url)) references = get_references_v2(raw_data=raw_data) patches = [] 
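Review bot: `aliases.extend(raw_data.get("upstream", []))` mutates the caller's `raw_data["aliases"]` list in place whenever that key is present, because `raw_data.get("aliases") or []` returns the original list object, and a JSON `"upstream": null` makes `extend(None)` raise TypeError where the `aliases` line just above tolerates null via `or []`. Build a fresh list instead: `aliases = list(raw_data.get("aliases") or []) + list(raw_data.get("upstream") or [])`. Treating OSV `upstream` ids as aliases is a semantic choice the commit makes silently; a one-line comment such as `# OSV 1.7 "upstream" ids (the CVE an UBUNTU-CVE-* entry wraps, per the fixtures) are recorded as aliases` would make it visible to the next reader. parse_advisory_data_v3 starts before and continues after this hunk.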
@@ -236,29 +243,38 @@ def get_published_date(raw_data): return published and dateparser.parse(date_string=published) -def get_severities(raw_data) -> Iterable[VulnerabilitySeverity]: - """ - Yield VulnerabilitySeverity extracted from a mapping of OSV ``raw_data`` - """ +def get_severities(raw_data, url) -> Iterable[VulnerabilitySeverity]: + """Yield VulnerabilitySeverity extracted from a mapping of OSV ``raw_data``""" try: for severity in raw_data.get("severity") or []: - vector = severity.get("score") - valid_vector = vector[:-1] if vector and vector.endswith("/") else vector - - if severity.get("type") == "CVSS_V3": - system = SCORING_SYSTEMS["cvssv3.1"] - score = system.compute(valid_vector) - yield VulnerabilitySeverity(system=system, value=score, scoring_elements=vector) - - elif severity.get("type") == "CVSS_V4": - system = SCORING_SYSTEMS["cvssv4"] - score = system.compute(valid_vector) - yield VulnerabilitySeverity(system=system, value=score, scoring_elements=vector) - - else: + severity_type = severity.get("type") + value = severity.get("score") + severity_type = severity_type.lower() + scoring_element = None + + if ( + severity_type not in SCORING_SYSTEMS + and severity_type not in OSV_TO_VCIO_SEVERITY_MAP + ): logger.error( f"Unsupported severity type: {severity!r} for OSV id: {raw_data.get('id')!r}" ) + continue + + severity_type = OSV_TO_VCIO_SEVERITY_MAP.get(severity_type, severity_type) + system = SCORING_SYSTEMS[severity_type] + + if severity_type in ["cvssv3.1", "cvssv4"]: + scoring_element = value + valid_vector = value[:-1] if value and value.endswith("/") else value + value = system.compute(valid_vector) + + yield VulnerabilitySeverity( + system=system, + value=value, + scoring_elements=scoring_element, + url=url, + ) except (CVSS3MalformedError, CVSS4MalformedError) as e: logger.error(f"Invalid severity {e}") 
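Review bot: `severity_type = severity_type.lower()` raises AttributeError when a severity entry has no `type`, and that is not covered by the `except (CVSS3MalformedError, CVSS4MalformedError)` clause, so one malformed entry now aborts the whole advisory where the old `severity.get("type") == ...` comparisons logged "Unsupported severity type" and moved on; replace the two assignments with `severity_type = (severity.get("type") or "").lower()`. For `ubuntu-priority` the raw `score` string (`"low"`, `"medium"` in the fixtures) is stored as `value` without being checked against `system.choices`, which the severity_systems.py hunk in this diff defines title-case (`"Low"`, `"Medium"`), so any unexpected string from the feed lands in the database unchanged and never matches the declared choices; either validate case-insensitively against `system.choices` and log-and-skip otherwise, or normalise the case in one place. The new `url` parameter should be documented in the docstring, e.g. `url: advisory URL recorded on each yielded VulnerabilitySeverity`.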
@@ -302,10 +318,11 @@ def get_affected_purl(affected_pkg, raw_id): data and a ``raw_id``. """ package = affected_pkg.get("package") or {} - purl = package.get("purl") - if purl: + if purl := package.get("purl"): try: - purl = PackageURL.from_string(purl) + purl_dict = PackageURL.from_string(purl).to_dict() + del purl_dict["version"] + purl = PackageURL(**purl_dict) except ValueError: logger.error( f"Invalid PackageURL: {purl!r} for OSV " @@ -314,12 +331,17 @@ def get_affected_purl(affected_pkg, raw_id): else: ecosys = package.get("ecosystem") name = package.get("name") + namespace = "" + if ecosys and name: ecosys = ecosys.lower() purl_type = PURL_TYPE_BY_OSV_ECOSYSTEM.get(ecosys) + if ecosys.startswith("ubuntu"): + purl_type = "deb" + namespace = "ubuntu" + if not purl_type: return - namespace = "" if purl_type == "maven": namespace, _, name = name.partition(":") diff --git a/vulnerabilities/severity_systems.py b/vulnerabilities/severity_systems.py index fbb611ae4..27f9d7d1a 100644 --- a/vulnerabilities/severity_systems.py +++ b/vulnerabilities/severity_systems.py @@ -196,6 +196,19 @@ def get(self, scoring_elements: str) -> dict: "Low", ] +UBUNTU_PRIORITY = ScoringSystem( + identifier="ubuntu-priority", + name="Ubuntu Priority", + url="https://ubuntu.com/security/cves/about#priority", +) +UBUNTU_PRIORITY.choices = [ + "Critical", + "High", + "Medium", + "Low", + "Negligible", +] + @dataclasses.dataclass(order=True) class EPSSScoringSystem(ScoringSystem): @@ -239,5 +252,6 @@ def get(self, scoring_elements: str): EPSS, SSVC, OPENSSL, + UBUNTU_PRIORITY, ) } diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_openssl_importer.py b/vulnerabilities/tests/pipelines/v2_importers/test_openssl_importer.py index 1535f1fe7..3e2bd1b94 100644 --- a/vulnerabilities/tests/pipelines/v2_importers/test_openssl_importer.py +++ b/vulnerabilities/tests/pipelines/v2_importers/test_openssl_importer.py 
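Review bot: The version-stripping round trip `to_dict()` / `del purl_dict["version"]` / `PackageURL(**purl_dict)` is three lines where, if PackageURL is the packageurl-python namedtuple, `purl = PackageURL.from_string(purl)._replace(version=None)` expresses the intent directly. Note that this drops the version for every OSV ecosystem whose `package.purl` carries one, not only Ubuntu; if that is intended because `ranges`/`versions` carry the real affected versions, a comment such as `# package.purl may carry the fixed version; the affected versions come from ranges/versions` would say so. The `ecosys.startswith("ubuntu")` override is applied after `ecosys.lower()`, so it matches both `Ubuntu:14.04:LTS` and `Ubuntu:Pro:14.04:LTS` from the fixtures, which is presumably the point; a short comment naming that would help. get_affected_purl starts before and ends after this hunk.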
@@ -26,7 +26,7 @@ def setUp(self): self.logger = TestLogger() @patch("vulnerabilities.pipelines.v2_importers.openssl_importer.OpenSSLImporterPipeline.clone") - def test_redhat_advisories_v2(self, mock_clone): + def test_openssl_advisories_v2(self, mock_clone): mock_clone.__name__ = "clone" pipeline = OpenSSLImporterPipeline() pipeline.advisory_path = TEST_DATA diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_ubuntu_osv_importer.py b/vulnerabilities/tests/pipelines/v2_importers/test_ubuntu_osv_importer.py new file mode 100644 index 000000000..d1b6853c2 --- /dev/null +++ b/vulnerabilities/tests/pipelines/v2_importers/test_ubuntu_osv_importer.py 
@@ -0,0 +1,43 @@ +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/aboutcode-org/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# + + +from pathlib import Path +from unittest.mock import patch + +from django.test import TestCase + +from vulnerabilities.models import AdvisoryV2 +from vulnerabilities.pipelines.v2_importers.ubuntu_osv_importer import UbuntuOSVImporterPipeline +from vulnerabilities.tests import util_tests +from vulnerabilities.tests.pipelines import TestLogger + +TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "ubuntu" + + +class TestUbuntuOSVImporterPipeline(TestCase): + def setUp(self): + self.logger = TestLogger() + + @patch( + "vulnerabilities.pipelines.v2_importers.ubuntu_osv_importer.UbuntuOSVImporterPipeline.clone" + ) + def test_ubuntu_advisories_v2(self, mock_clone): + mock_clone.__name__ = "clone" + pipeline = UbuntuOSVImporterPipeline() + pipeline.advisories_path = TEST_DATA / "ubuntu_security_notices" + pipeline.vcs_response = None + pipeline.log = self.logger.write + pipeline.execute() + + self.assertEqual(AdvisoryV2.objects.count(), 6) + + expected_file = TEST_DATA / "ubuntu_osv_advisoryv2-expected.json" + result = [adv.to_advisory_data().to_dict() for adv in AdvisoryV2.objects.all()] + util_tests.check_results_against_json(result, expected_file) diff --git a/vulnerabilities/tests/test_data/ubuntu/ubuntu_osv_advisoryv2-expected.json b/vulnerabilities/tests/test_data/ubuntu/ubuntu_osv_advisoryv2-expected.json new file mode 100644 index 000000000..f1dfe2f5d --- /dev/null +++ b/vulnerabilities/tests/test_data/ubuntu/ubuntu_osv_advisoryv2-expected.json 
@@ -0,0 +1,468 @@ +[ + { + "advisory_id": "UBUNTU-CVE-2001-1593", + "aliases": [ + "CVE-2001-1593" + ], + "summary": "Jakub Wilk found that a2ps, a tool to convert text and other types of files to PostScript, insecurely used a temporary file in spy_user(). A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running a2ps.", + "affected_packages": [ + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "a2ps", + "version": "", + "qualifiers": "arch=source&distro=trusty", + "subpath": "" + }, + "affected_version_range": "vers:deb/1:4.14-1.1", + "fixed_version_range": "vers:deb/1:4.14-1.2", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://ubuntu.com/security/CVE-2001-1593" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://www.cve.org/CVERecord?id=CVE-2001-1593" + } + ], + "patches": [], + "severities": [ + { + "system": "ubuntu-priority", + "value": "low", + "scoring_elements": null + } + ], + "date_published": "2014-04-05T21:55:00+00:00", + "weaknesses": [], + "url": "https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2001/UBUNTU-CVE-2001-1593.json" + }, + { + "advisory_id": "UBUNTU-CVE-2005-1515", + "aliases": [ + "CVE-2005-1515" + ], + "summary": "Integer signedness error in the qmail_put and substdio_put functions in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large number of SMTP RCPT TO commands.", + "affected_packages": [ + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "netqmail", + "version": "", + "qualifiers": "arch=source&distro=trusty/esm", + "subpath": "" + }, + "affected_version_range": "vers:deb/1.06-5", + "fixed_version_range": 
"vers:deb/1.06-6.2~deb10u1build0.14.04.1+esm1", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + }, + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "netqmail", + "version": "", + "qualifiers": "arch=source&distro=xenial", + "subpath": "" + }, + "affected_version_range": "vers:deb/1.06-5", + "fixed_version_range": "vers:deb/1.06-6.2~deb10u1build0.16.04.1", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + }, + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "netqmail", + "version": "", + "qualifiers": "arch=source&distro=bionic", + "subpath": "" + }, + "affected_version_range": "vers:deb/1.06-6", + "fixed_version_range": "vers:deb/1.06-6.2~deb10u1build0.18.04.1", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + }, + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "netqmail", + "version": "", + "qualifiers": "arch=source&distro=focal", + "subpath": "" + }, + "affected_version_range": "vers:deb/1.06-6.1", + "fixed_version_range": "vers:deb/1.06-6.2~deb10u1build0.20.04.1", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://ubuntu.com/security/CVE-2005-1515" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://ubuntu.com/security/notices/USN-4556-1" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://ubuntu.com/security/notices/USN-4621-1" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://www.cve.org/CVERecord?id=CVE-2005-1515" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://www.openwall.com/lists/oss-security/2020/05/19/8" + } + ], + "patches": [], + "severities": [ + { + "system": "ubuntu-priority", + "value": "medium", + "scoring_elements": null + } + ], + "date_published": "2020-05-24T00:00:00+00:00", + "weaknesses": [], + "url": 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2005/UBUNTU-CVE-2005-1515.json" + }, + { + "advisory_id": "UBUNTU-CVE-2010-0751", + "aliases": [ + "CVE-2010-0751" + ], + "summary": "The ip_evictor function in ip_fragment.c in libnids before 1.24, as used in dsniff and possibly other products, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via crafted fragmented packets.", + "affected_packages": [ + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "libnids", + "version": "", + "qualifiers": "arch=source&distro=trusty", + "subpath": "" + }, + "affected_version_range": "vers:deb/<1.23-2", + "fixed_version_range": "vers:deb/1.23-2", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + }, + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "libnids", + "version": "", + "qualifiers": "arch=source&distro=xenial", + "subpath": "" + }, + "affected_version_range": "vers:deb/<1.23-2", + "fixed_version_range": "vers:deb/1.23-2", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://ubuntu.com/security/CVE-2010-0751" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://www.cve.org/CVERecord?id=CVE-2010-0751" + } + ], + "patches": [], + "severities": [ + { + "system": "ubuntu-priority", + "value": "low", + "scoring_elements": null + } + ], + "date_published": "2010-04-06T16:30:00+00:00", + "weaknesses": [], + "url": "https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2010/UBUNTU-CVE-2010-0751.json" + }, + { + "advisory_id": "UBUNTU-CVE-2015-0209", + "aliases": [ + "CVE-2015-0209" + ], + "summary": "Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to 
cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.", + "affected_packages": [ + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "openssl", + "version": "", + "qualifiers": "arch=source&distro=trusty", + "subpath": "" + }, + "affected_version_range": "vers:deb/1.0.1e-3ubuntu1|1.0.1e-4ubuntu1|1.0.1e-4ubuntu2|1.0.1e-4ubuntu3|1.0.1e-4ubuntu4|1.0.1f-1ubuntu1|1.0.1f-1ubuntu2|1.0.1f-1ubuntu2.1|1.0.1f-1ubuntu2.2|1.0.1f-1ubuntu2.3|1.0.1f-1ubuntu2.4|1.0.1f-1ubuntu2.5|1.0.1f-1ubuntu2.7|1.0.1f-1ubuntu2.8", + "fixed_version_range": "vers:deb/1.0.1f-1ubuntu2.11", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://ubuntu.com/security/CVE-2015-0209" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://ubuntu.com/security/notices/USN-2537-1" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://www.cve.org/CVERecord?id=CVE-2015-0209" + } + ], + "patches": [], + "severities": [ + { + "system": "ubuntu-priority", + "value": "low", + "scoring_elements": null + } + ], + "date_published": "2015-03-17T00:00:00+00:00", + "weaknesses": [], + "url": "https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2015/UBUNTU-CVE-2015-0209.json" + }, + { + "advisory_id": "UBUNTU-CVE-2020-1944", + "aliases": [ + "CVE-2020-1944" + ], + "summary": "There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and Transfer-Encoding and Content length headers. 
Upgrade to versions 7.1.9 and 8.0.6 or later versions.", + "affected_packages": [ + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "trafficserver", + "version": "", + "qualifiers": "arch=source&distro=xenial", + "subpath": "" + }, + "affected_version_range": "vers:deb/5.3.0-2ubuntu1|5.3.0-2ubuntu2", + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + }, + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "trafficserver", + "version": "", + "qualifiers": "arch=source&distro=bionic", + "subpath": "" + }, + "affected_version_range": "vers:deb/7.0.0-5|7.1.2+ds-2|7.1.2+ds-2build1|7.1.2+ds-3", + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + }, + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "trafficserver", + "version": "", + "qualifiers": "arch=source&distro=esm-apps/focal", + "subpath": "" + }, + "affected_version_range": "vers:deb/8.0.5+ds-1|8.0.5+ds-2|8.0.5+ds-2build1|8.0.5+ds-2ubuntu1|8.0.5+ds-3|8.0.5+ds-3ubuntu0.1~esm1", + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + }, + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "trafficserver", + "version": "", + "qualifiers": "arch=source&distro=esm-apps/jammy", + "subpath": "" + }, + "affected_version_range": "vers:deb/8.1.1+ds-1.1|9.1.1+ds-2build1|9.1.1+ds-2ubuntu0.1~esm1", + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://lists.apache.org/thread.html/r99d18d0bc4daa05e7d0e5a63e0e22701a421b2ef5a8f4f7694c43869%40%3Cannounce.trafficserver.apache.org%3E" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://ubuntu.com/security/CVE-2020-1944" + }, + { + "reference_id": "", + "reference_type": "", + "url": 
"https://www.cve.org/CVERecord?id=CVE-2020-1944" + } + ], + "patches": [], + "severities": [ + { + "system": "cvssv3.1", + "value": "9.8", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "system": "ubuntu-priority", + "value": "medium", + "scoring_elements": null + } + ], + "date_published": "2020-03-23T22:15:00+00:00", + "weaknesses": [], + "url": "https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-1944.json" + }, + { + "advisory_id": "UBUNTU-CVE-2025-14345", + "aliases": [ + "CVE-2025-14345" + ], + "summary": "A post-authentication\u00a0flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact. 
This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB server v8.2 versions prior to 8.2.2.", + "affected_packages": [ + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "mongodb", + "version": "", + "qualifiers": "arch=source&distro=trusty", + "subpath": "" + }, + "affected_version_range": "vers:deb/1:2.4.6-0ubuntu5|1:2.4.6-0ubuntu6|1:2.4.8-1ubuntu1|1:2.4.8-2|1:2.4.9-1|1:2.4.9-1ubuntu1|1:2.4.9-1ubuntu2", + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + }, + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "mongodb", + "version": "", + "qualifiers": "arch=source&distro=xenial", + "subpath": "" + }, + "affected_version_range": "vers:deb/1:2.6.10-0ubuntu1", + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + }, + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "mongodb", + "version": "", + "qualifiers": "arch=source&distro=bionic", + "subpath": "" + }, + "affected_version_range": "vers:deb/1:3.4.7-1|1:3.4.7-1ubuntu1|1:3.4.7-1ubuntu2|1:3.4.7-1ubuntu4|1:3.4.14-3ubuntu1|1:3.4.14-3ubuntu2|1:3.6.3-0ubuntu1|1:3.6.3-0ubuntu1.1|1:3.6.3-0ubuntu1.3|1:3.6.3-0ubuntu1.4", + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + }, + { + "package": { + "type": "deb", + "namespace": "ubuntu", + "name": "mongodb", + "version": "", + "qualifiers": "arch=source&distro=focal", + "subpath": "" + }, + "affected_version_range": "vers:deb/1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu2|1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5|1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2|1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3", + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": 
"https://jira.mongodb.org/browse/SERVER-106075" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://ubuntu.com/security/CVE-2025-14345" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://www.cve.org/CVERecord?id=CVE-2025-14345" + } + ], + "patches": [], + "severities": [ + { + "system": "cvssv3.1", + "value": "4.2", + "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" + }, + { + "system": "cvssv3.1", + "value": "5.4", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" + }, + { + "system": "cvssv4", + "value": "2.3", + "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" + }, + { + "system": "ubuntu-priority", + "value": "medium", + "scoring_elements": null + } + ], + "date_published": "2025-12-09T16:17:00+00:00", + "weaknesses": [], + "url": "https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-14345.json" + } +] \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2001/UBUNTU-CVE-2001-1593.json b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2001/UBUNTU-CVE-2001-1593.json new file mode 100644 index 000000000..ff7aac1e0 --- /dev/null +++ b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2001/UBUNTU-CVE-2001-1593.json 
@@ -0,0 +1,63 @@ +{ + "schema_version": "1.7.0", + "id": "UBUNTU-CVE-2001-1593", + "details": "Jakub Wilk found that a2ps, a tool to convert text and other types of files to PostScript, insecurely used a temporary file in spy_user(). A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running a2ps.", + "aliases": [], + "upstream": [ + "CVE-2001-1593" + ], + "related": [], + "severity": [ + { + "type": "Ubuntu", + "score": "low" + } + ], + "published": "2014-04-05T21:55:00Z", + "modified": "2025-07-16T04:49:52Z", + "affected": [ + { + "package": { + "ecosystem": "Ubuntu:14.04:LTS", + "name": "a2ps", + "purl": "pkg:deb/ubuntu/a2ps@1:4.14-1.2?arch=source&distro=trusty" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1:4.14-1.2" + } + ] + } + ], + "versions": [ + "1:4.14-1.1" + ], + "ecosystem_specific": { + "binaries": [ + { + "binary_name": "a2ps", + "binary_version": "1:4.14-1.2" + } + ], + "availability": "No subscription required" + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://ubuntu.com/security/CVE-2001-1593" + }, + { + "type": "REPORT", + "url": "https://www.cve.org/CVERecord?id=CVE-2001-1593" + } + ], + "withdrawn": "2025-07-18T16:42:37Z" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2005/UBUNTU-CVE-2005-1515.json b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2005/UBUNTU-CVE-2005-1515.json new file mode 100644 index 000000000..3906ad600 --- /dev/null +++ b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2005/UBUNTU-CVE-2005-1515.json 
@@ -0,0 +1,189 @@
+{
+ "schema_version": "1.7.0",
+ "id": "UBUNTU-CVE-2005-1515",
+ "details": "Integer signedness error in the qmail_put and substdio_put functions in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large number of SMTP RCPT TO commands.",
+ "aliases": [],
+ "upstream": [
+ "CVE-2005-1515"
+ ],
+ "related": [
+ "USN-4556-1",
+ "USN-4621-1"
+ ],
+ "severity": [
+ {
+ "type": "Ubuntu",
+ "score": "medium"
+ }
+ ],
+ "published": "2020-05-24T00:00:00Z",
+ "modified": "2025-07-16T04:49:52Z",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Ubuntu:Pro:14.04:LTS",
+ "name": "netqmail",
+ "purl": "pkg:deb/ubuntu/netqmail@1.06-6.2~deb10u1build0.14.04.1+esm1?arch=source&distro=trusty/esm"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.06-6.2~deb10u1build0.14.04.1+esm1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1.06-5"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "qmail",
+ "binary_version": "1.06-6.2~deb10u1build0.14.04.1+esm1"
+ },
+ {
+ "binary_name": "qmail-uids-gids",
+ "binary_version": "1.06-6.2~deb10u1build0.14.04.1+esm1"
+ }
+ ],
+ "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Ubuntu:16.04:LTS",
+ "name": "netqmail",
+ "purl": "pkg:deb/ubuntu/netqmail@1.06-6.2~deb10u1build0.16.04.1?arch=source&distro=xenial"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.06-6.2~deb10u1build0.16.04.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1.06-5"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "qmail",
+ "binary_version": "1.06-6.2~deb10u1build0.16.04.1"
+ },
+ {
+ "binary_name": "qmail-uids-gids",
+ "binary_version": "1.06-6.2~deb10u1build0.16.04.1"
+ }
+ ],
+ "availability": "No subscription required"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Ubuntu:18.04:LTS",
+ "name": "netqmail",
+ "purl": "pkg:deb/ubuntu/netqmail@1.06-6.2~deb10u1build0.18.04.1?arch=source&distro=bionic"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.06-6.2~deb10u1build0.18.04.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1.06-6"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "qmail",
+ "binary_version": "1.06-6.2~deb10u1build0.18.04.1"
+ },
+ {
+ "binary_name": "qmail-uids-gids",
+ "binary_version": "1.06-6.2~deb10u1build0.18.04.1"
+ }
+ ],
+ "availability": "No subscription required"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Ubuntu:20.04:LTS",
+ "name": "netqmail",
+ "purl": "pkg:deb/ubuntu/netqmail@1.06-6.2~deb10u1build0.20.04.1?arch=source&distro=focal"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.06-6.2~deb10u1build0.20.04.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1.06-6.1"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "qmail",
+ "binary_version": "1.06-6.2~deb10u1build0.20.04.1"
+ },
+ {
+ "binary_name": "qmail-uids-gids",
+ "binary_version": "1.06-6.2~deb10u1build0.20.04.1"
+ }
+ ],
+ "availability": "No subscription required"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://ubuntu.com/security/CVE-2005-1515"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://www.openwall.com/lists/oss-security/2020/05/19/8"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://ubuntu.com/security/notices/USN-4556-1"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://ubuntu.com/security/notices/USN-4621-1"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2005-1515"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2010/UBUNTU-CVE-2010-0751.json b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2010/UBUNTU-CVE-2010-0751.json
new file mode 100644
index 000000000..3fdb3d292
--- /dev/null
+++ b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2010/UBUNTU-CVE-2010-0751.json
@@ -0,0 +1,103 @@
+{
+ "schema_version": "1.7.0",
+ "id": "UBUNTU-CVE-2010-0751",
+ "details": "The ip_evictor function in ip_fragment.c in libnids before 1.24, as used in dsniff and possibly other products, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via crafted fragmented packets.",
+ "aliases": [],
+ "upstream": [
+ "CVE-2010-0751"
+ ],
+ "related": [],
+ "severity": [
+ {
+ "type": "Ubuntu",
+ "score": "low"
+ }
+ ],
+ "published": "2010-04-06T16:30:00Z",
+ "modified": "2025-07-16T04:49:56Z",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Ubuntu:14.04:LTS",
+ "name": "libnids",
+ "purl": "pkg:deb/ubuntu/libnids@1.23-2?arch=source&distro=trusty"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.23-2"
+ }
+ ]
+ }
+ ],
+ "versions": [],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "libnids-dev",
+ "binary_version": "1.23-2"
+ },
+ {
+ "binary_name": "libnids1.21",
+ "binary_version": "1.23-2"
+ }
+ ],
+ "availability": "No subscription required"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Ubuntu:16.04:LTS",
+ "name": "libnids",
+ "purl": "pkg:deb/ubuntu/libnids@1.23-2?arch=source&distro=xenial"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.23-2"
+ }
+ ]
+ }
+ ],
+ "versions": [],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "libnids-dev",
+ "binary_version": "1.23-2"
+ },
+ {
+ "binary_name": "libnids1.21",
+ "binary_version": "1.23-2"
+ },
+ {
+ "binary_name": "libnids1.21-dbgsym",
+ "binary_version": "1.23-2"
+ }
+ ],
+ "availability": "No subscription required"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://ubuntu.com/security/CVE-2010-0751"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2010-0751"
+ }
+ ],
+ "withdrawn": "2025-07-18T16:42:39Z"
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2015/UBUNTU-CVE-2015-0209.json b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2015/UBUNTU-CVE-2015-0209.json
new file mode 100644
index 000000000..4889fd822
--- /dev/null
+++ b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2015/UBUNTU-CVE-2015-0209.json
@@ -0,0 +1,89 @@
+{
+ "schema_version": "1.7.0",
+ "id": "UBUNTU-CVE-2015-0209",
+ "details": "Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.",
+ "aliases": [],
+ "upstream": [
+ "CVE-2015-0209"
+ ],
+ "related": [
+ "USN-2537-1"
+ ],
+ "severity": [
+ {
+ "type": "Ubuntu",
+ "score": "low"
+ }
+ ],
+ "published": "2015-03-17T00:00:00Z",
+ "modified": "2025-09-08T16:43:18Z",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Ubuntu:14.04:LTS",
+ "name": "openssl",
+ "purl": "pkg:deb/ubuntu/openssl@1.0.1f-1ubuntu2.11?arch=source&distro=trusty"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.0.1f-1ubuntu2.11"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1.0.1e-3ubuntu1",
+ "1.0.1e-4ubuntu1",
+ "1.0.1e-4ubuntu2",
+ "1.0.1e-4ubuntu3",
+ "1.0.1e-4ubuntu4",
+ "1.0.1f-1ubuntu1",
+ "1.0.1f-1ubuntu2",
+ "1.0.1f-1ubuntu2.1",
+ "1.0.1f-1ubuntu2.2",
+ "1.0.1f-1ubuntu2.3",
+ "1.0.1f-1ubuntu2.4",
+ "1.0.1f-1ubuntu2.5",
+ "1.0.1f-1ubuntu2.7",
+ "1.0.1f-1ubuntu2.8"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "libssl-dev",
+ "binary_version": "1.0.1f-1ubuntu2.11"
+ },
+ {
+ "binary_name": "libssl1.0.0",
+ "binary_version": "1.0.1f-1ubuntu2.11"
+ },
+ {
+ "binary_name": "openssl",
+ "binary_version": "1.0.1f-1ubuntu2.11"
+ }
+ ],
+ "availability": "No subscription required"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://ubuntu.com/security/CVE-2015-0209"
+ },
+ {
+ "type": "ADVISORY",
+ "url": "https://ubuntu.com/security/notices/USN-2537-1"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2015-0209"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2020/UBUNTU-CVE-2020-1944.json b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2020/UBUNTU-CVE-2020-1944.json
new file mode 100644
index 000000000..6fd4fc4a5
--- /dev/null
+++ b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2020/UBUNTU-CVE-2020-1944.json
@@ -0,0 +1,193 @@
+{
+ "schema_version": "1.7.0",
+ "id": "UBUNTU-CVE-2020-1944",
+ "details": "There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and Transfer-Encoding and Content length headers. Upgrade to versions 7.1.9 and 8.0.6 or later versions.",
+ "aliases": [],
+ "upstream": [
+ "CVE-2020-1944"
+ ],
+ "related": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "Ubuntu",
+ "score": "medium"
+ }
+ ],
+ "published": "2020-03-23T22:15:00Z",
+ "modified": "2025-10-24T04:48:15Z",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Ubuntu:16.04:LTS",
+ "name": "trafficserver",
+ "purl": "pkg:deb/ubuntu/trafficserver@5.3.0-2ubuntu2?arch=source&distro=xenial"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "5.3.0-2ubuntu1",
+ "5.3.0-2ubuntu2"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "trafficserver",
+ "binary_version": "5.3.0-2ubuntu2"
+ },
+ {
+ "binary_name": "trafficserver-dev",
+ "binary_version": "5.3.0-2ubuntu2"
+ },
+ {
+ "binary_name": "trafficserver-experimental-plugins",
+ "binary_version": "5.3.0-2ubuntu2"
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Ubuntu:18.04:LTS",
+ "name": "trafficserver",
+ "purl": "pkg:deb/ubuntu/trafficserver@7.1.2+ds-3?arch=source&distro=bionic"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "7.0.0-5",
+ "7.1.2+ds-2",
+ "7.1.2+ds-2build1",
+ "7.1.2+ds-3"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "trafficserver",
+ "binary_version": "7.1.2+ds-3"
+ },
+ {
+ "binary_name": "trafficserver-dev",
+ "binary_version": "7.1.2+ds-3"
+ },
+ {
+ "binary_name": "trafficserver-experimental-plugins",
+ "binary_version": "7.1.2+ds-3"
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Ubuntu:Pro:20.04:LTS",
+ "name": "trafficserver",
+ "purl": "pkg:deb/ubuntu/trafficserver@8.0.5+ds-3ubuntu0.1~esm1?arch=source&distro=esm-apps/focal"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "8.0.5+ds-1",
+ "8.0.5+ds-2",
+ "8.0.5+ds-2build1",
+ "8.0.5+ds-2ubuntu1",
+ "8.0.5+ds-3",
+ "8.0.5+ds-3ubuntu0.1~esm1"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "trafficserver",
+ "binary_version": "8.0.5+ds-3ubuntu0.1~esm1"
+ },
+ {
+ "binary_name": "trafficserver-dev",
+ "binary_version": "8.0.5+ds-3ubuntu0.1~esm1"
+ },
+ {
+ "binary_name": "trafficserver-experimental-plugins",
+ "binary_version": "8.0.5+ds-3ubuntu0.1~esm1"
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Ubuntu:Pro:22.04:LTS",
+ "name": "trafficserver",
+ "purl": "pkg:deb/ubuntu/trafficserver@9.1.1+ds-2ubuntu0.1~esm1?arch=source&distro=esm-apps/jammy"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "8.1.1+ds-1.1",
+ "9.1.1+ds-2build1",
+ "9.1.1+ds-2ubuntu0.1~esm1"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "trafficserver",
+ "binary_version": "9.1.1+ds-2ubuntu0.1~esm1"
+ },
+ {
+ "binary_name": "trafficserver-dev",
+ "binary_version": "9.1.1+ds-2ubuntu0.1~esm1"
+ },
+ {
+ "binary_name": "trafficserver-experimental-plugins",
+ "binary_version": "9.1.1+ds-2ubuntu0.1~esm1"
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://ubuntu.com/security/CVE-2020-1944"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://lists.apache.org/thread.html/r99d18d0bc4daa05e7d0e5a63e0e22701a421b2ef5a8f4f7694c43869%40%3Cannounce.trafficserver.apache.org%3E"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2020-1944"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2025/UBUNTU-CVE-2025-14345.json b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2025/UBUNTU-CVE-2025-14345.json
new file mode 100644
index 000000000..6ac194559
--- /dev/null
+++ b/vulnerabilities/tests/test_data/ubuntu/ubuntu_security_notices/osv/cve/2025/UBUNTU-CVE-2025-14345.json
@@ -0,0 +1,220 @@
+{
+ "schema_version": "1.7.0",
+ "id": "UBUNTU-CVE-2025-14345",
+ "details": "A post-authentication\u00a0flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact. This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB server v8.2 versions prior to 8.2.2.",
+ "aliases": [],
+ "upstream": [
+ "CVE-2025-14345"
+ ],
+ "related": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+ },
+ {
+ "type": "Ubuntu",
+ "score": "medium"
+ }
+ ],
+ "published": "2025-12-09T16:17:00Z",
+ "modified": "2025-12-16T05:43:18Z",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Ubuntu:14.04:LTS",
+ "name": "mongodb",
+ "purl": "pkg:deb/ubuntu/mongodb@1:2.4.9-1ubuntu2?arch=source&distro=trusty"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1:2.4.6-0ubuntu5",
+ "1:2.4.6-0ubuntu6",
+ "1:2.4.8-1ubuntu1",
+ "1:2.4.8-2",
+ "1:2.4.9-1",
+ "1:2.4.9-1ubuntu1",
+ "1:2.4.9-1ubuntu2"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "mongodb",
+ "binary_version": "1:2.4.9-1ubuntu2"
+ },
+ {
+ "binary_name": "mongodb-clients",
+ "binary_version": "1:2.4.9-1ubuntu2"
+ },
+ {
+ "binary_name": "mongodb-dev",
+ "binary_version": "1:2.4.9-1ubuntu2"
+ },
+ {
+ "binary_name": "mongodb-server",
+ "binary_version": "1:2.4.9-1ubuntu2"
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Ubuntu:16.04:LTS",
+ "name": "mongodb",
+ "purl": "pkg:deb/ubuntu/mongodb@1:2.6.10-0ubuntu1?arch=source&distro=xenial"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1:2.6.10-0ubuntu1"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "mongodb",
+ "binary_version": "1:2.6.10-0ubuntu1"
+ },
+ {
+ "binary_name": "mongodb-clients",
+ "binary_version": "1:2.6.10-0ubuntu1"
+ },
+ {
+ "binary_name": "mongodb-server",
+ "binary_version": "1:2.6.10-0ubuntu1"
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Ubuntu:18.04:LTS",
+ "name": "mongodb",
+ "purl": "pkg:deb/ubuntu/mongodb@1:3.6.3-0ubuntu1.4?arch=source&distro=bionic"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1:3.4.7-1",
+ "1:3.4.7-1ubuntu1",
+ "1:3.4.7-1ubuntu2",
+ "1:3.4.7-1ubuntu4",
+ "1:3.4.14-3ubuntu1",
+ "1:3.4.14-3ubuntu2",
+ "1:3.6.3-0ubuntu1",
+ "1:3.6.3-0ubuntu1.1",
+ "1:3.6.3-0ubuntu1.3",
+ "1:3.6.3-0ubuntu1.4"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "mongodb",
+ "binary_version": "1:3.6.3-0ubuntu1.4"
+ },
+ {
+ "binary_name": "mongodb-clients",
+ "binary_version": "1:3.6.3-0ubuntu1.4"
+ },
+ {
+ "binary_name": "mongodb-server",
+ "binary_version": "1:3.6.3-0ubuntu1.4"
+ },
+ {
+ "binary_name": "mongodb-server-core",
+ "binary_version": "1:3.6.3-0ubuntu1.4"
+ }
+ ]
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Ubuntu:20.04:LTS",
+ "name": "mongodb",
+ "purl": "pkg:deb/ubuntu/mongodb@1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3?arch=source&distro=focal"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu2",
+ "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5",
+ "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2",
+ "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3"
+ ],
+ "ecosystem_specific": {
+ "binaries": [
+ {
+ "binary_name": "mongodb",
+ "binary_version": "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3"
+ },
+ {
+ "binary_name": "mongodb-clients",
+ "binary_version": "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3"
+ },
+ {
+ "binary_name": "mongodb-server",
+ "binary_version": "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3"
+ },
+ {
+ "binary_name": "mongodb-server-core",
+ "binary_version": "1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.3"
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://ubuntu.com/security/CVE-2025-14345"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://www.cve.org/CVERecord?id=CVE-2025-14345"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://jira.mongodb.org/browse/SERVER-106075"
+ }
+ ]
+}
\ No newline at end of file